Evolving Intrusion Detection System for MLDB
Muthukumar Narayanan
Final Presentation for CS401
11/22/2004
Overview
• Motivation
• MLDB
• Intrusion Detection
• Problem Statement
• EA Implementation
• Experiments
• Results
• Conclusion
• Future Work
Motivation
Emp_Name  Proj_Name      Status          Qualification
Emp1      Nuclear        Permanent Resi  Engg.
Emp2      EA             Permanent Resi  UMR Comp. Sci
Emp3      Blue Hawk      Permanent Resi  Aerospace
Emp4      Construction   International   Architect
Emp5      Servant ROBOT  International   Servant
• Government Info.
• Medical Info.
• Bank Account Info.
MLDB
• Multi Layered Database
  • Several layers of information.
  • The lowest layer corresponds to the primitive and most secure information.
  • Higher layers store more general and less secure information extracted from one or more lower layers.
  • Generalization is based on concept hierarchies.
MLDB Example
Intrusion Detection
• Anomaly Detection
  • Detects insider attacks
  • Uses signature of the normal user activities
• Misuse Detection
  • Detects intrusive activities
  • Uses signature of the intrusive activities
• Types of database intrusions
  • Inferences, SQL injection, Buffer overflow attack, password attack . . .
Inference Example
Name  Designation             Salary
X1    Account Manager         150,000
X2    Administrative Manager  130,000
X3    Account Manager         120,000
X4    Business Analyst        100,000
X5    Database Engineer       90,000
X6    Database Engineer       140,000
X7    Electrical Engineer     80,000
X8    Programmer              175,000
X9    Programmer              75,000
X10   Electrical Engineer     120,000
X11   Programmer              125,000
1. Select avg(Salary) From Employee_details_noFD;
2. Select count(Salary) From Employee_details_noFD;
3. Select avg(Salary) From Employee_details_noFD Where Name <> 'X8';
(Result (1) * Result (2)) - (Result (3) * (Result (2) - 1))
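
The inference above, run against the slide's table, followed by one way a defender could flag it from a query log: an added example, not code from the presentation. The table, the three queries and the formula are the slide's; `make_db`, `query_set`, `isolated_tuples` and the predicate format in `LOG` are assumptions made for illustration.

```python
import sqlite3
from itertools import combinations

# The slide's table, embedded so the example runs offline.
ROWS = [("X1", "Account Manager", 150000), ("X2", "Administrative Manager", 130000),
        ("X3", "Account Manager", 120000), ("X4", "Business Analyst", 100000),
        ("X5", "Database Engineer", 90000), ("X6", "Database Engineer", 140000),
        ("X7", "Electrical Engineer", 80000), ("X8", "Programmer", 175000),
        ("X9", "Programmer", 75000), ("X10", "Electrical Engineer", 120000),
        ("X11", "Programmer", 125000)]
TABLE = "Employee_details_noFD"

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {TABLE} (Name TEXT PRIMARY KEY, Designation TEXT, Salary INTEGER)")
    db.executemany(f"INSERT INTO {TABLE} VALUES (?, ?, ?)", ROWS)
    return db

def infer_salary(db):
    """Run the slide's three queries and apply its formula."""
    one = lambda sql: db.execute(sql).fetchone()[0]
    r1 = one(f"SELECT avg(Salary) FROM {TABLE}")
    r2 = one(f"SELECT count(Salary) FROM {TABLE}")
    r3 = one(f"SELECT avg(Salary) FROM {TABLE} WHERE Name <> 'X8'")
    return round(r1 * r2 - r3 * (r2 - 1))

def query_set(db, pred):
    """Names covered by an aggregate query; pred is None or (column, op, value)."""
    if pred is None:
        return frozenset(n for (n,) in db.execute(f"SELECT Name FROM {TABLE}"))
    col, op, val = pred
    if col not in ("Name", "Designation") or op not in ("=", "<>"):
        raise ValueError("unsupported predicate")  # allow-list; the value stays a parameter
    sql = f"SELECT Name FROM {TABLE} WHERE {col} {op} ?"
    return frozenset(n for (n,) in db.execute(sql, (val,)))

def isolated_tuples(db, logged_preds):
    """Defender's check (assumed design, not from the slides): flag pairs of
    logged aggregate queries whose query sets differ by exactly one tuple."""
    sets = [(p, query_set(db, p)) for p in logged_preds]
    return [(pa, pb, next(iter(a ^ b)))
            for (pa, a), (pb, b) in combinations(sets, 2) if len(a ^ b) == 1]

# Constructed audit log: WHERE predicates of one session's aggregate queries.
LOG = [None, ("Name", "<>", "X8"), ("Designation", "=", "Programmer")]

if __name__ == "__main__":
    db = make_db()
    print(infer_salary(db), isolated_tuples(db, LOG))
```

No single query returns an individual salary, yet the formula recovers X8's value exactly; the check catches this because the first two logged query sets differ only in X8.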
Problem Statement
• Evolve intrusive queries for a given database relation using Genetic Programming approach.
• Use them as a rule base for detecting real world intrusions
Representation
• SQL query is converted to the corresponding relational algebraic expression.
  • Select Name from table_1 where Grade='A' or Grade='B';
• Relational Algebraic expression is
  • Π_Name(σ_(Grade='A' or Grade='B')(table_1))
• The tree is represented based on the Relational Algebraic expression
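
An added example (not from the presentation) that parses the slide's query into the projection-over-selection tree described above and lists which attributes sit under each operator, the distinction the Fitness Evaluation criteria rely on. The tuple layout and the names `parse` and `attrs_by_operator` are assumptions, and the parser covers only plain attribute lists with comparisons joined by AND/OR.

```python
import re

TOKEN = r"'[^']*'|<>|[=<>,]|\w+"
SLIDE_QUERY = "Select Name from table_1 where Grade='A' or Grade='B';"

def parse(sql):
    """SELECT a, b FROM t [WHERE cond] -> ('project', attrs, ('select', cond, ('table', t)))."""
    sql = sql.strip().rstrip(";")
    if re.sub(TOKEN, "", sql).strip():            # anything that is not a token is rejected
        raise ValueError("unsupported character in query")
    toks = re.findall(TOKEN, sql) + [""]          # "" marks end of input

    def take(expect=None):
        tok = toks.pop(0)
        if not tok or (expect and tok.lower() not in expect):
            raise ValueError(f"expected {expect or 'a name'}, got {tok!r}")
        return tok

    def chain(keyword, operand):                  # left-associative: x kw x kw x
        node = operand()
        while toks[0].lower() == keyword:
            take()
            node = (keyword, node, operand())
        return node

    def comparison():
        left, op, right = take(), take(("=", "<>", "<", ">")), take()
        return (op, left, right)

    take(("select",))
    attrs = [take()]
    while toks[0] == ",":
        take()
        attrs.append(take())
    take(("from",))
    tree = ("table", take())
    if toks[0].lower() == "where":                # AND binds tighter than OR
        take()
        tree = ("select", chain("or", lambda: chain("and", comparison)), tree)
    if toks != [""]:
        raise ValueError(f"unexpected trailing input {toks[0]!r}")
    return ("project", attrs, tree)

def attrs_by_operator(tree):
    """Attribute names under the projection node and under the selection node."""
    def cond_attrs(c):
        return cond_attrs(c[1]) + cond_attrs(c[2]) if c[0] in ("and", "or") else [c[1]]
    _, attrs, child = tree
    return {"projection": attrs, "selection": cond_attrs(child[1]) if child[0] == "select" else []}
```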
Sample Individual
Fitness Evaluation
• Secured attribute in the Projection Operation (5-10)
• Statistical information excluding one tuple (8-10)
• Statistical information based on the attributes involved in functional dependency (8-10)
• Using sensitive attributes in the selection operation (1-5)
• Using Statistical operation on sensitive data (1-5)
• Secured attribute involved in a value constraint (5-10)
Recombination
Mutation
Mutation
Experimental Setup
• Relation {Emp_id, Name, Designation, Status, Projects, Deductions, Salary, Net}
• Functional Dependency
  • Designation -> Salary
• Value constraints
  • Salary - Deductions = Net
• Protected attributes
  • Net and Projects
Initial Queries
• Select status, salary from MLDB_table where Name = constants; (9)
• Select Net, Name, Deductions, Emp_id from MLDB_table where Deductions > constants; (22)
Results
[Figure: Average Fitness and High Fitness plotted against Generations; axis label: Fitness]
Evolved Queries
• Select avg(Net), deductions, designation, avg(salary), Net, count(salary), Projects, avg(deductions), avg(salary) from MLDB_table where (Emp_id <> constants OR Salary <> constant) AND deductions <> constant AND Emp_id <> constant; (104)
• Select Net, Net, Net, Net, Net, Net, Net from MLDB_table where . . . (184)
Evolved Queries
• Select Salary, Max(Net), Projects, Emp_id, Name, avg(Salary), Net, count(Deductions) from MLDB_table where Name = constant AND Emp_id <> constants; (74)
• select avg(Net), Emp_id, Emp_id from MLDB_table where Designation = constant; (22)
Conclusion & Future Work
• Results are NOT complete but satisfactory at this stage
• Modified Fitness Evaluation
• Allow only LEGAL Queries to evolve
• Use of various other large database relations
• Use of more Stochastic based parent and survivor selection
Comments? Questions?