Improving Intrusion Detectors by Crook-Sourcing
— Frederico Araujo, IBM Research
The 35th Computer Security Applications Conference
Gbadebo Ayoade, Khaled Al-Naami, Yang Gao, Kevin Hamlen, and Latifur Khan, The University of Texas at Dallas
The research reported herein was supported in part by ONR award N00014-17-1-2995; NSA award H98230-15-1-0271; AFOSR award FA9550-14-1-0173; NSF FAIN awards DGE-1931800, OAC-1828467, and DGE-1723602; NSF awards DMS-1737978 and MRI-1828467; an IBM faculty award (Research); and an HP grant. Any opinions, recommendations, or conclusions expressed are those of the authors and not necessarily of the aforementioned supporters.
Information Asymmetry (Kasparov vs. Deep Blue, 1997)
1997: IBM Deep Blue becomes the first machine to beat a chess grandmaster (Garry Kasparov) under tournament conditions.
After the match, Kasparov complained that the match was unfair:
“It was difficult to prepare for an opponent with no games. … I couldn’t prepare myself properly for such an event. … You have to know your opponent!” –Garry Kasparov
In contrast, Deep Blue had trained using every match Kasparov had ever played.
§ ML offers so much promise for powerful, fast intrusion detection
– Face and speech recognition, recommendation systems, natural language translation, …
§ Yet, most deployed IDS solutions are still human rule-based with weak AI support... Why?
(1) Unbalanced data: Hard to get enough malicious data to properly train ML-based IDSes
(2) Huge feature space: Security-relevant features within the data not known in advance
(3) Encryption opacity: Encrypted traffic is commonplace and hides much of the best data.
(4) False alarms: High false alarm rates lead to very low base detection rates.
The task of identifying attacks is fundamentally different from other application domains where machine learning is applied
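The base-rate arithmetic behind point (4), worked through as an added example (not code from the talk or its authors): with a deployment base rate far below the near-balanced training set on the slides (1800 normal vs. 1600 attack instances), even a detector with 99% sensitivity and a 1% false alarm rate produces alarms that are almost all false. The deployment base rate used below is a constructed illustrative value.

```python
# Added example: how false alarm rate and attack base rate set the
# Bayesian detection rate P(intrusion | alarm) of an IDS.


def bayesian_detection_rate(tpr: float, fpr: float, base_rate: float) -> float:
    """Return P(intrusion | alarm): the fraction of alarms that are real attacks.

    tpr       = P(alarm | intrusion), the detector's sensitivity
    fpr       = P(alarm | no intrusion), the false alarm rate
    base_rate = P(intrusion), the prior probability that an event is an attack
    """
    if not (0.0 <= tpr <= 1.0 and 0.0 <= fpr <= 1.0 and 0.0 < base_rate < 1.0):
        raise ValueError("tpr/fpr must be in [0,1]; base_rate strictly in (0,1)")
    true_alarms = tpr * base_rate
    false_alarms = fpr * (1.0 - base_rate)
    if true_alarms + false_alarms == 0.0:
        return 0.0  # the detector never fires, so there is no alarm to condition on
    return true_alarms / (true_alarms + false_alarms)


def max_fpr_for_target(tpr: float, base_rate: float, target: float) -> float:
    """Largest false alarm rate that keeps P(intrusion | alarm) >= target.

    Solves tpr*b / (tpr*b + fpr*(1-b)) >= target for fpr.
    """
    if not (0.0 < target < 1.0 and 0.0 < base_rate < 1.0):
        raise ValueError("target and base_rate must be strictly in (0,1)")
    return tpr * base_rate * (1.0 - target) / (target * (1.0 - base_rate))


def training_base_rate(normal_count: int, attack_count: int) -> float:
    """Attack prior implied by a labelled training set (slides: 1800 normal, 1600 attack)."""
    return attack_count / (normal_count + attack_count)


if __name__ == "__main__":
    tpr, fpr = 0.99, 0.01
    train_b = training_base_rate(1800, 1600)     # ~0.47, nearly balanced
    deploy_b = 1e-4                              # constructed: 1 attack event in 10,000
    print(f"training prior {train_b:.3f}: P(I|A) = {bayesian_detection_rate(tpr, fpr, train_b):.3f}")
    print(f"deployed prior {deploy_b:.0e}: P(I|A) = {bayesian_detection_rate(tpr, fpr, deploy_b):.4f}")
    print(f"FPR needed for 50% true alarms at deployment: {max_fpr_for_target(tpr, deploy_b, 0.5):.2e}")
```

The same detector that looks excellent on the balanced set (about 99% of alarms genuine) yields roughly 1% genuine alarms at the constructed deployment prior, which is why the slides treat false alarm rate, not accuracy, as the binding constraint.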
Information asymmetry & ML for intrusion detection
Main idea:
When an attack is detected, don’t disconnect it!
Keep the attacker talking to harvest threat data.
Apply automated data mining for IDS training.
IDS learns over time with no data collection burden.
Research Question: Does such an IDS actually learn concepts useful for thwarting real attacks?
(Spoiler alert: Yes, with surprising effectiveness!)
crook-sourcing —noun. the conscription and manipulation of attackers into performing free penetration testing for improved IDS model training and adaptation.
Detected attacks are missed IDS training opportunities
§ Deceive attackers into performing free penetration testing for IDS model training and adaptation
– attackers contribute their TTP patterns to the data streams processed by the
§ Enables (semi-) supervised learning for intrusion detection
– improves base detection rates
– enables multi-class detection and contextually-richer predictions
§ Overcomes issues related to concept differences between honeypot attacks and those against genuine assets
– deceptions are embedded into the actual target of attacks
§ Raw data: 42 GB of (uncompressed) network packets and system events over a period of three weeks
§ Training data: after feature extraction, the training data comprised 1800 normal instances and 1600 attack instances
§ Testing data: 3400 normal and attack instances gathered from monitors deployed at unpatched servers, where the distribution of normal and attack instances varies per experiment
§ Red teaming data: collected over three days from 10 graduate students with basic to advanced offensive security skills, in sessions averaging 45 min.
§ Crook-sourcing yields higher-accuracy detection models
– no additional developer effort apart from routine patching activities
– effortless labeling of the data
§ Deceive attackers into disclosing their TTP patterns for IDS model evolution
– embedded deceptions extract relevant features from attack sessions
§ Enables semi-supervised learning for intrusion detection
– Improves base detection rates
– Enables multi-class detection and contextually-richer predictions