Evolving Intrusion Detection System for MLDB
Muthukumar Narayanan
Final Presentation for CS401, 11/22/2004

Date posted: 20-Dec-2015

Page 1: Evolving Intrusion Detection System for MLDB Muthukumar Narayanan Final Presentation for CS401 11/22/2004.

Evolving Intrusion Detection System for MLDB

Muthukumar Narayanan
Final Presentation for CS401

11/22/2004

Page 2:

Overview

  • Motivation
  • MLDB
  • Intrusion Detection
  • Problem Statement
  • EA Implementation
  • Experiments
  • Results
  • Conclusion
  • Future Work

Page 3:

Motivation

Emp_Name  Proj_Name      Status          Qualification
Emp1      Nuclear        Permanent Resi  Engg.
Emp2      EA             Permanent Resi  UMR Comp. Sci
Emp3      Blue Hawk      Permanent Resi  Aerospace
Emp4      Construction   International   Architect
Emp5      Servant ROBOT  International   Servant

Government Info., Medical Info., Bank Account Info.

Page 4:

MLDB

  • Multi Layered Database
  • Several layers of information.
  • Lowest layer corresponding to the primitive and most secure information.
  • Higher layers store more general and less secure information extracted from one or more lower layers.
  • Generalization is based on the concept hierarchies

Page 5:

MLDB Example

Page 6:

Intrusion Detection

  • Anomaly Detection
      • Detects insider attacks
      • Uses signature of the normal user activities
  • Misuse Detection
      • Detects intrusive activities
      • Uses signature of the intrusive activities
  • Types of database intrusions
      • Inferences, SQL injection, Buffer overflow attack, password attack . . .

Page 7:

Inference Example

Name  Designation             Salary
X1    Account Manager         150,000
X2    Administrative Manager  130,000
X3    Account Manager         120,000
X4    Business Analyst        100,000
X5    Database Engineer       90,000
X6    Database Engineer       140,000
X7    Electrical Engineer     80,000
X8    Programmer              175,000
X9    Programmer              75,000
X10   Electrical Engineer     120,000
X11   Programmer              125,000

1. Select avg(Salary) From Employee_details_noFD;

2. Select count(Salary) From Employee_details_noFD;

3. Select avg(Salary) From Employee_details_noFD Where Name <> 'X8';

The total of all salaries minus the total without X8 leaves the salary of X8:

(Result (1) * Result (2)) - (Result (3) * (Result (2) - 1))
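The inference above, run against the slide's table in an in-memory SQLite database, followed by a check for the pattern the Fitness Evaluation slide lists as "Statistical information excluding one tuple". This is an added example, not code from the presentation; SQLite stands in for the MLDB, and `build_db`, `infer_salary`, `query_set` and `differs_by_one_tuple` are hypothetical helper names.

```python
import sqlite3

# Rows copied from the slide's Employee_details_noFD table.
ROWS = [
    ("X1", "Account Manager", 150000), ("X2", "Administrative Manager", 130000),
    ("X3", "Account Manager", 120000), ("X4", "Business Analyst", 100000),
    ("X5", "Database Engineer", 90000), ("X6", "Database Engineer", 140000),
    ("X7", "Electrical Engineer", 80000), ("X8", "Programmer", 175000),
    ("X9", "Programmer", 75000), ("X10", "Electrical Engineer", 120000),
    ("X11", "Programmer", 125000),
]
TABLE = "Employee_details_noFD"

def build_db():
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE {TABLE} (Name TEXT, Designation TEXT, Salary INTEGER)")
    con.executemany(f"INSERT INTO {TABLE} VALUES (?, ?, ?)", ROWS)
    return con

def infer_salary(con, name):
    """Combine the slide's three aggregate results to isolate one tuple's Salary."""
    r1 = con.execute(f"SELECT avg(Salary) FROM {TABLE}").fetchone()[0]
    r2 = con.execute(f"SELECT count(Salary) FROM {TABLE}").fetchone()[0]
    r3 = con.execute(f"SELECT avg(Salary) FROM {TABLE} WHERE Name <> ?",
                     (name,)).fetchone()[0]
    return round(r1 * r2 - r3 * (r2 - 1))  # round() absorbs float error in avg()

def query_set(con, where="1 = 1", params=()):
    """Names of the tuples an aggregate with this WHERE clause covers.
    `where` is a fixed string chosen by the monitor; values go in `params`."""
    sql = f"SELECT Name FROM {TABLE} WHERE {where}"
    return frozenset(row[0] for row in con.execute(sql, params))

def differs_by_one_tuple(history, new_set):
    """True if new_set and any earlier query set differ by exactly one tuple."""
    return any(len(old ^ new_set) == 1 for old in history)

if __name__ == "__main__":
    con = build_db()
    print("inferred salary of X8:", infer_salary(con, "X8"))
    seen = [query_set(con)]                       # query 1 covers every tuple
    probe = query_set(con, "Name <> ?", ("X8",))  # query 3 drops one tuple
    print("flag query 3:", differs_by_one_tuple(seen, probe))
```

None of the three queries returns an individual salary, so the check has to compare query sets across a session rather than inspect each query alone.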

Page 8:

Problem Statement

  • Evolve intrusive queries for a given database relation using Genetic Programming approach.
  • Use them as a rule base for detecting real world intrusions

Page 9:

Representation

  • SQL query is converted to the corresponding relational algebraic expression.
      Select Name from table_1 where Grade='A' or Grade='B';
  • Relational Algebraic expression is
      $\Pi_{\text{Name}}(\sigma_{\text{Grade='A' or Grade='B'}}(\text{table\_1}))$
  • The tree is represented based on the Relational Algebraic expression

Page 10:

Sample Individual

Page 11:

Fitness Evaluation

  • Secured attribute in the Projection Operation (5-10)
  • Statistical information excluding one tuple (8-10)
  • Statistical information based on the attributes involved in functional dependency (8-10)
  • Using sensitive attributes in the selection operation (1-5)
  • Using Statistical operation on sensitive data (1-5)
  • Secured attribute involved in a value constraint (5-10)

Page 12:

Recombination

Page 13:

Mutation

Page 14:

Mutation

Page 15:

Experimental Setup

  • Relation {Emp_id, Name, Designation, Status, Projects, Deductions, Salary, Net}
  • Functional Dependency
      • Designation -> Salary
  • Value constraints
      • Salary - Deductions = Net
  • Protected attributes
      • Net and Projects
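One way to turn the Fitness Evaluation criteria into a rule check over the relation defined on this slide, as an added example that is not code from the presentation. The slides give only a score range per criterion, so `score_range` returns the lowest and highest total rather than a single fitness and is not expected to reproduce the fitness numbers on the slides. The `Query` shape, the `KEYS` and `SENSITIVE` sets and the reading of each criterion are assumptions.

```python
from dataclasses import dataclass

PROTECTED = {"Net", "Projects"}               # slide: protected attributes
FD = {"Designation", "Salary"}                # slide: Designation -> Salary
CONSTRAINT = {"Salary", "Deductions", "Net"}  # slide: Salary - Deductions = Net
KEYS = {"Emp_id", "Name"}                     # assumption: each identifies one tuple
SENSITIVE = (FD | CONSTRAINT) - PROTECTED     # assumption: can reveal protected data

@dataclass
class Query:
    project: list  # (aggregate or None, attribute) pairs: the projection list
    select: list   # (attribute, operator) pairs: the selection predicate

def matched_rules(q):
    """Return (name, low, high) for each slide criterion that q triggers."""
    aggs = {attr for func, attr in q.project if func}
    cols = {attr for _, attr in q.project}
    sel = {attr for attr, _ in q.select}
    excludes_one = any(a in KEYS and op == "<>" for a, op in q.select)
    rules = [
        ("secured attribute in projection", 5, 10, bool(cols & PROTECTED)),
        ("statistics excluding one tuple", 8, 10, bool(aggs) and excludes_one),
        ("statistics on FD attributes", 8, 10, bool(aggs & FD)),
        ("sensitive attribute in selection", 1, 5, bool(sel & SENSITIVE)),
        ("statistics on sensitive data", 1, 5, bool(aggs & SENSITIVE)),
        ("secured attribute in value constraint", 5, 10,
         bool((cols | sel) & PROTECTED & CONSTRAINT)),
    ]
    return [(name, lo, hi) for name, lo, hi, hit in rules if hit]

def score_range(q):
    """Lowest and highest total the slide's per-criterion ranges allow for q."""
    hits = matched_rules(q)
    return sum(lo for _, lo, _ in hits), sum(hi for _, _, hi in hits)

# Evolved query from the slides:
#   select avg(Net), Emp_id, Emp_id from MLDB_table where Designation = constant;
EVOLVED = Query([("avg", "Net"), (None, "Emp_id"), (None, "Emp_id")],
                [("Designation", "=")])
# Constructed query: an average over Salary that leaves out one named tuple.
EXCLUDE_ONE = Query([("avg", "Salary")], [("Name", "<>")])

if __name__ == "__main__":
    for label, q in (("evolved", EVOLVED), ("exclude-one", EXCLUDE_ONE)):
        print(label, score_range(q), [name for name, _, _ in matched_rules(q)])
```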

Page 16:

Initial Queries

  • Select status, salary from MLDB_table where Name = constants; (9)
  • Select Net, Name, Deductions, Emp_id from MLDB_table where Deductions > constants; (22)

Page 17:

Results

[Figure: Fitness plotted over Generations; series: Average Fitness, High Fitness]

Page 18:

Evolved Queries

  • Select avg(Net), deductions, designation, avg(salary), Net, count (salary), Projects, avg(deductions), avg(salary) from MLDB_table where (Emp_id <> constants OR Salary <> constant) AND deductions <> constant AND Emp_id <> constant. (104)
  • Select Net, Net, Net, Net, Net, Net, Net from MLDB_table where . . . (184)

Page 19:

Evolved Queries

  • Select Salary, Max(Net), Projects, Emp_id, Name, avg(Salary), Net, count(Deductions) from MLDB_table where Name = constant AND Emp_id <> constants; (74)
  • select avg(Net), Emp_id, Emp_id from MLDB_table where Designation = constant; (22)

Page 20:

Conclusion & Future Work

  • Results are NOT complete but satisfactory at this stage
  • Modified Fitness Evaluation
  • Allow only LEGAL Queries to evolve
  • Use of various other large database relations
  • Use of more Stochastic based parent and survivor selection

Page 21:

Comments? Questions?