TERM PAPER

Self-Adapting Mechanism for Intrusion Detection

Submitted To:
Ms. Komal Arora

Submitted By:
Sanpreet Singh 11003536

ABSTRACT

We present a mechanism for autonomous self-adaptation of a network-based intrusion detection system (IDS). The system is composed of a set of cooperating agents, each of which is based on an existing network behavior analysis method. The self-adaptation mechanism is based on the insertion of a small number of challenges, i.e. known instances of past legitimate or malicious behavior. The response of individual system components to these challenges is used to measure and eventually optimize the system performance in terms of accuracy. In this work we show how to choose the challenges in a way such that the IDS attaches more importance to the detection of attacks that cause much damage.

General terms used in this topic are: Security, Measurement, Management.

INTRODUCTION

An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. IDPSes typically record information related to observed events, notify security administrators of important observed events and produce reports.

Network Intrusion Detection Systems

Network Intrusion Detection Systems are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. A NIDS performs an analysis of the traffic passing on the entire subnet, works in promiscuous mode, and matches the traffic that is passed on the subnets to the library of known attacks. Once an attack is identified, or abnormal behavior is sensed, the alert can be sent to the administrator. An example of a NIDS would be installing it on the subnet where your firewalls are located in order to see if someone is trying to break into your firewall. Ideally you would scan all inbound and outbound traffic; however, doing so might create a bottleneck that would impair the overall speed of the network.

Host Intrusion Detection Systems

Host Intrusion Detection Systems run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets from the device only and will alert the user or administrator if suspicious activity is detected. It takes a snapshot of your existing system files and matches it to the previous snapshot. If the critical system files were modified or deleted, an alert is sent to the administrator to investigate. An example of a HIDS can be seen on mission critical machines that are not expected to change their configuration.

Adaptation, self-management and self-optimization techniques that are used inside Intrusion Detection Systems (IDS) can significantly improve their performance in a highly dynamic environment, but are also a potential target for an informed and sophisticated attacker. When the adaptation techniques are installed improperly, they can allow the attacker to reduce the system performance against one or more critical attacks. This paper presents a game theoretical model of adaptation processes inside an agent-based, self-optimizing Intrusion Detection System, and an architecture integrating the process with an existing IDS used as a testbed. The presented architecture integrates the abstract game model into an IDS with self-monitoring capability, in order to simulate the worst case, optimally informed attacker. Such a (hypothetical) attacker with full access to system parameters could dynamically identify the best strategy to play against the system. Optimizing the detection performance against the worst case attacker protects the system from more realistic attacks based on long-term searching and adversarial machine learning approaches.
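The snapshot comparison that the HIDS paragraph above describes, as an added example (not code from this paper or from any HIDS product): a baseline of SHA-256 digests is taken over a constructed file tree, the tree is tampered with, and a second snapshot is compared against the baseline, raising alerts only for files in an assumed "critical" set. The file names, contents and the critical set are all assumptions made for the example.

```python
"""Host-based file-integrity check of the kind the HIDS paragraph describes.

Added example, not code from the paper: the monitored files and the notion of a
"critical" file are constructed here; nothing is taken from a real HIDS product.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every regular file under root (as a '/'-separated relative path)
    to its SHA-256 digest. This is the 'snapshot of existing system files'."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(baseline, current, critical):
    """Return (path, change) alerts for critical files that changed or vanished.

    change is "modified", "deleted" or "added"; files outside the critical set
    are ignored, mirroring the text's rule of alerting on critical system files.
    """
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        if path not in critical:
            continue
        if path not in current:
            alerts.append((path, "deleted"))
        elif path not in baseline:
            alerts.append((path, "added"))
        elif baseline[path] != current[path]:
            alerts.append((path, "modified"))
    return alerts


def demo():
    """Build a constructed host tree, baseline it, tamper with it, return alerts."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        files = {  # constructed sample files, not real system content
            "etc/passwd": b"root:x:0:0\n",
            "etc/hosts": b"127.0.0.1 localhost\n",
            "tmp.log": b"noise\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)
        # Simulated tampering: modify passwd, delete hosts, append to a
        # non-critical log file (which must not raise an alert).
        with open(os.path.join(root, "etc/passwd"), "ab") as fh:
            fh.write(b"changed\n")
        os.remove(os.path.join(root, "etc/hosts"))
        with open(os.path.join(root, "tmp.log"), "ab") as fh:
            fh.write(b"more noise\n")
        critical = {"etc/passwd", "etc/hosts"}  # assumed critical set
        return compare(baseline, snapshot(root), critical)


if __name__ == "__main__":
    for path, change in demo():
        print(f"ALERT: {path} {change}")
```

Only the critical set is reported, so the change to tmp.log is ignored. In practice the baseline digests would be stored off the monitored host or signed, since an intruder who can rewrite both the files and the baseline defeats the comparison.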

Main Purpose

The main purpose is to present an architecture integrating the abstract game model into an IDS with self-monitoring capability, in order to simulate the worst case, optimally informed attacker. Optimizing the detection performance against the worst case attacker protects the system from more realistic attacks based on long-term probing. The solution uses the concept of challenges to mix a controlled sample of real and adversarial behavior with actually observed network traffic. In this case, the real traffic background (including any possible attacks) is used in conjunction with simulated hypothetical attacks within the system. These attacks are then mixed with the real traffic on the IDS input and the system response to them is used as an input for the game definition. Indirect online integration provides interesting security properties in an IDS. The major advantage is higher robustness w.r.t. strategic attacks on adaptation algorithms, and lower system configuration predictability by the adversary, as the simulation runs inside the system itself and its results cannot be easily predicted by the attacker.

We have used the presented mechanism as a component of the CAMNEP network intrusion detection system, which is used to detect attacks against computer networks by means of Network Behavior Analysis (NBA) techniques. This system processes NetFlow/IPFIX data provided by routers or other network equipment and uses this information to identify malicious traffic by means of collaborative, multi-algorithm anomaly detection. The system is based on a multi-stage cooperation process of agents that use different network behavior analysis methods to classify network flows into malicious and legitimate flows. The system uses the multi-algorithm and multi-stage approach to optimize the error rate. The results of the agents are aggregated by different aggregation functions. We employ a self-adaptation procedure that selects the aggregation function which optimally integrates the results of the individual agents. To this end, we insert challenges, i.e. known malicious and legitimate flows, into the real traffic. This allows us to evaluate the accuracy of the different aggregation functions and eventually select the output of the function that performed best.

In this paper we show which challenges to choose such that the IDS attaches more importance to the detection of very harmful attacks. This is possible because the accuracy of the IDS is optimized with respect to the used challenges, i.e. if the system is evaluated on challenges that are representative for a certain class of attacks, the detection of real attacks in that class becomes more probable. Thus, the composition of challenges should reflect the expected damage of known attack classes. More precisely, in the following we show how the expected damage of realized threats, each of which is represented by an attack tree, can be used to find a suitable challenge composition.

Main features are:
- improved effectiveness, i.e. fewer false positives/false negatives
- high performance: the system is able to process 1Gb/sec of traffic on a single (multicore) PC
- minimal configuration upon deployment thanks to the self-adaptation features
- intuitive and unobtrusive user interface
- tight integration with the open-source nfsen collector
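As an added example (not code from this paper or from CAMNEP), the following Python sketch implements the self-adaptation loop described above on constructed data: three hypothetical agents score NetFlow-like records, several aggregation functions combine the scores, a challenge set is composed per attack class in proportion to an assumed expected damage, and the aggregation with the best accuracy on the challenges is selected. It also carries the worst-case attacker view from the game model paragraph one step further than the text: the adversary's best reply is the attack class an aggregation detects worst, and the defender picks the aggregation that maximises that minimum. The agents, flows, damage values, threshold and class libraries are all assumptions made for the example.

```python
"""Toy model of challenge-based self-adaptation in a multi-agent NBA IDS.

Added illustration, not CAMNEP code: the agents, flows, aggregation functions,
damage values and challenge library below are all constructed for this example.
"""
from dataclasses import dataclass
from itertools import cycle, islice


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow-like record with constructed fields."""
    src: str
    dst: str
    dport: int
    packets: int
    octets: int


# Three constructed detection agents, each returning an anomaly score in [0, 1].
def agent_scan(f):
    """One- or two-packet flows carrying little data look like scanning probes."""
    return 1.0 if f.packets <= 2 and f.octets < 100 else 0.1


def agent_volume(f):
    """Large transfers look like exfiltration or flooding; saturates at 1 MB."""
    return min(1.0, f.octets / 1_000_000)


def agent_port(f):
    """Uncommon destination ports are mildly suspicious."""
    return 0.2 if f.dport in (53, 80, 443) else 0.7


AGENTS = (agent_scan, agent_volume, agent_port)
AGGREGATIONS = {"mean": lambda s: sum(s) / len(s), "max": max, "min": min}
THRESHOLD = 0.5  # assumed decision threshold on the aggregated score


def is_malicious(flow, agg_name):
    """Run every agent on the flow and aggregate the scores with one function."""
    return AGGREGATIONS[agg_name]([agent(flow) for agent in AGENTS]) >= THRESHOLD


# Constructed challenge library: known malicious flows per attack class plus
# known legitimate flows. A real deployment would replay recorded traffic.
MALICIOUS = {
    "scan": [Flow("10.0.0.9", f"10.0.0.{i}", 22, 1, 60) for i in range(1, 6)],
    "exfil": [
        Flow("10.0.0.7", "203.0.113.5", 8443, 900, 2_500_000),  # odd port, huge
        Flow("10.0.0.7", "203.0.113.5", 443, 300, 800_000),     # blends in on 443
    ],
}
LEGITIMATE = [
    Flow("10.0.0.3", "198.51.100.1", 443, 40, 30_000),
    Flow("10.0.0.4", "198.51.100.2", 80, 25, 12_000),
    Flow("10.0.0.5", "10.0.0.53", 53, 2, 180),
    Flow("10.0.0.6", "198.51.100.3", 443, 2000, 5_000_000),  # big legit download
    Flow("10.0.0.8", "198.51.100.4", 80, 1500, 3_000_000),   # big legit download
]


def compose_challenges(damage, n_malicious=10):
    """Draw malicious challenges per class in proportion to its expected damage.

    Returns (flow, is_attack) pairs. Class libraries are cycled deterministically
    rather than sampled at random so the outcome is reproducible.
    """
    total = sum(damage.values())
    challenges = []
    for cls, flows in MALICIOUS.items():
        n = round(n_malicious * damage[cls] / total)
        challenges += [(f, True) for f in islice(cycle(flows), n)]
    return challenges + [(f, False) for f in LEGITIMATE]


def accuracy(agg_name, challenges):
    """Fraction of challenges classified correctly under this aggregation."""
    hits = sum(is_malicious(f, agg_name) == label for f, label in challenges)
    return hits / len(challenges)


def select_aggregation(damage):
    """Self-adaptation step: keep the aggregation that scores best on the challenges."""
    challenges = compose_challenges(damage)
    return max(AGGREGATIONS, key=lambda name: accuracy(name, challenges))


def worst_case_detection(agg_name):
    """Detection rate on the class an informed adversary would pick against this
    aggregation, i.e. the class it detects worst (the attacker's best reply)."""
    return min(sum(is_malicious(f, agg_name) for f in flows) / len(flows)
               for flows in MALICIOUS.values())


def select_against_worst_case():
    """Defender's maximin choice: the aggregation with the best worst-case rate."""
    return max(AGGREGATIONS, key=worst_case_detection)


if __name__ == "__main__":
    print(select_aggregation({"scan": 4, "exfil": 1}))  # scans dominate challenges
    print(select_aggregation({"scan": 1, "exfil": 4}))  # exfiltration costlier
    print(select_against_worst_case())
```

Changing the damage vector changes the challenge composition and with it the selected aggregation: with scans weighted 4:1 the mean function wins because it avoids false positives on the large legitimate downloads, while with exfiltration weighted 4:1 the max function wins because it catches the exfiltration flow that blends in on port 443. The maximin selection also picks max, since mean misses half of the exfiltration library, which is exactly the class an informed adversary would choose against it.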

Conclusions

Our work presents an architecture that allows integration of a theoretical game model with a wide class of intrusion detection systems and therefore opens opportunities for their increased use in production systems. The presented concept of challenge insertion enables the game-theoretical model integration by providing a dynamic measure of the properties of the IDS.