Distributed Network Intrusion Detection An Immunological Approach Steven Hofmeyr Stephanie Forrest Patrik D’haeseleer Dept. of Computer Science University of New Mexico Albuquerque, NM {steveah, forrest, patrik}@cs.unm.edu http://cs.unm.edu/~steveah/research.html
14
Embed
Distributed Network Intrusion Detection An Immunological Approach Steven Hofmeyr Stephanie Forrest Patrik D’haeseleer Dept. of Computer Science University.
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Distributed Network Intrusion Detection
An Immunological Approach
Steven HofmeyrStephanie ForrestPatrik D’haeseleer
Dept. of Computer Science University of New Mexico
• Nonself (proteins) = triples generated during an attack
• Universe = Self Nonself
• Anomaly detection:– Detection system trained on self– Detection system classifies new triples as self (normal) or nonself
(anomalous)
• NSM: a single monolithic detector matching self (positive detection)
How the Immune System Distributes Detection
• Advantages of distributed negative detection:– Localized (no communication costs)– Scalable– Tunable– Robust (no single point of failure)– Negative selection algorithm minimizes false positives
self
Single Detector Multiple Random Detectors
self self
• Immune system: Many small detectors matching nonself (negative detection).
The Negative Selection Algorithm
self self1. Randomly generate a
detector string.
2. Does the detector string match self? NO YES
3. If no, accept
If yes, go to 1.
(regenerate). ACCEPT REJECT
Results in a set of valid detectors self
self
Applying Negative Detection to Network Traffic
• Representation:– SYN packet triples mapped to 49-bit strings
• Generalized detection:– Partial matching with r-contiguous bits rule
0110100101
1110111101 1110111101
0100110100
Match No Match
r = 4
Triple
Detector
• Consequences of Partial Matching:– Advantage: Lightweight (few detectors per host)– Disadvantage: Holes limit detection
Holes
Host 1 Host 3Host 2
• Problem: Holes limit detection for any partial match rule.
• Solution: A different permutation mask for each host.
Overcoming Holes
• Result: In the broadcast network, detection is limited by the intersection of all hole sets.
Total Coverage
Experimental Setup
• UNM CS subnet of 50 machines on a switched segment. – 100 49-bit string detectors per machine
• Training set (self):– Collected over 43 days
– 1 266 000 TCP SYN packets
– 3763 unique binary self strings
• Normal test set (supposedly self):– Collected over 7 days
– 182 629 TCP SYN packets
– 626 unique binary self strings
• Abnormal test set (nonself):– 8 different incidents, 7 real occurrences, 1 synthetic
– Real abnormal behavior includes: massive portscanning, limited probing, address-space probing, local host compromise
– Synthetic: 200 random connections between internal (LAN) hosts
Experimental Results
• Low false positives:– P(false positive per self string) = 0.000304– 55 strings, but only 10 unique– Effectively: under 2 false alarms per day
• High detection rates with few detectors– 100% successful detection: 8 out of 8 abnormal incidents detected– Only 100 detectors per host
• Permutation masks improve detection– Up to an order of magnitude improvement– Overcomes hole limitation
• Normal is reasonably stable.
Title:
Creator:
Preview:This EPS picture was not savedwith a preview included in it.Comment:This EPS picture will print to aPostScript printer, but not toother types of printers.
The Problem of Incomplete Self Sets(Suppose the training set is incomplete)
• Activation threshold:– Detector is not activated on every match.
– Must have exceeded x matches before activation.
– No time horizon.
– Helps with stealth attacks (distributed in time).
– Reduced false positives by an order of magnitude.
• Adaptive activation:– Tune local activation thresholds dynamically.
– Whenever a detector matches its first pattern, the activation threshold for that computer is reduced by 1.
– Has a time horizon (threshold gradually returns to default value).
– Hypothesized to help with distributed coordinated attacks.
Experimental ResultsIntrusions with and without permutation masks
Experimental and Theoretical Results:Permutation Masks Overcome the Hole Limit
Title:
Creator:
Preview:This EPS picture was not savedwith a preview included in it.Comment:This EPS picture will print to aPostScript printer, but not toother types of printers.
Pushing the Immune Metaphor
• The analogy thus far:– Distributed networks and immunology– Combining negative detection and network
intrusion detection– Diversity via permutation masks
• For the future:– Distributed generation of detectors– Dynamic detector sets– Adaptation and memory (misuse detection)