IDS with Artificial Intelligence

Intrusion Detection System
with Artiﬁcial Intelligence
Mario Castro Ponce

Universidad Pontiﬁcia Comillas de Madrid
FIST Conference - June 2004 edition
Sponsored by: MLP Private Finance

IDS with AI marioc@dsi.icai.upco.es FIST Conference - june 2004 edition– 1/28

Aim of the talk
1. Showing you a different approach to Intrussion
Detection based on Artiﬁcial Intelligence
2. Contact experts in the ﬁeld to exchange ideas and
maybe creating a (pioneer!!!!) working group


Sketch of the talk
What is an IDS?
Architecture of a Vulnerability Detector
Why using A.I.?
Neurons and other animals
Neural-IDS
Fuzzy-Correlator
Conclusions


What is an IDS?
Any hardware, software, or combination of thereof that
monitors a system or network of systems for malicious activity


What is an IDS?

Main functions
Dissuade
Prevent
Documentate


What is an IDS?

Main functions
Dissuade
Prevent
Documentate
Two kinds of IDS
Host based
Network based


Architecture of a Vulnerability Detector
Example: OSSIM

n


Why using AI?
The system manager nightmare: The false positives.


Why using AI?
Then? A.I. for three main reasons
Flexibility (vs threshold deﬁnition)
Adaptability (vs speciﬁc rules)
Pattern recognition (and detection of new patterns)


Why using AI?
Then? A.I. for three main reasons
Flexibility (vs threshold deﬁnition)
Adaptability (vs speciﬁc rules)
Pattern recognition (and detection of new patterns)
Moreover
Fast computing (faster than humans, actually)
Learning abilities.


Neurons and other animals

AI TOOLS

Neural Networks Fuzzy Logic Other...


Artiﬁcial Neural networks
Change of paradigm in computing science:

Many dummy processors with a simple task to do against one
(or few) powerful versatile processors


Neurons and artiﬁcial neurons


Main types of ANN
Multilayer perceptrons

OUTPUT
LAYER
INPUT
LAYER HIDDEN
LAYER

Self-organized maps
Radial basis neural networks
Other


Neural IDS
Designed for DoS and port scan attacks
IDS based on a multilayer perceptron


Neural IDS
Designed for DoS and port scan attacks
IDS based on a multilayer perceptron
Designing the tool
Analysis

Quantification

Topology feed−back

Learning & validation


First scenario: Port scan
Pouring rain analogy
Packets from the same source @IP

21 22 23 25 80

PORT NUMBERS


Second scenario: Denial of Service
Pouring rain analogy

21 22 23 25 80

PORT NUMBERS


Measures
Visually the difference between them is clear. . . but
quantitatively?


Measures
quantitatively?
Measures borrowed from Physics


Measures
quantitatively?

Statistical Mechanics

Order = Low Entropy Disorder = High Entropy


Measures
quantitatively?

Solid State Physics (electronics)

ATOMS

INSULATOR

ATOMS

CONDUCTOR


Measures
quantitatively?


Disorder = High Entropy
21 22 23 25 80
PORT NUMBERS

CONDUCTOR


Measures
quantitatively?


Order = Low Entropy

21 22 23 25 80

PORT NUMBERS

INSULATOR


Measures
quantitatively?
Trafﬁc parameters
Packets per second
Fraction of total packets to a port
Inverse of the total number of packets


Measures
quantitatively?
Trafﬁc parameters
Packets per second
Fraction of total packets to a port
Inverse of the total number of packets
All measures are evaluated within a time window.
Parallel time windows: e.g., 15 sec, 30 sec, 5
minutes, 30 minutes


Topology

ENTROPY

PORT SCAN
IPR

DENIAL OF SERVICE
PACKETS/SEC

FRACTION OF PACKETS
NONE

1/PACKETS


Learning and testing

TYPE OF ATTACK LEARNING PATTERNS RATE OF SUCCESS
SEQUENCIAL SCAN 20 100 %
RANDOM SCAN 20 100 %
DoS 20 70 %
DoS 50 80 %
ALL 20 60 %
ALL 50 65 %


Learning and testing

TYPE OF ATTACK LEARNING PATTERNS RATE OF SUCCESS
DoS 20 70 %
DoS 50 80 %
ALL 20 60 %
ALL 50 65 %

Best choice: Specialized neural detectors


Fuzzy Logic
Imitates human perception: Approximate reasoning


Fuzzy Logic
Example: Air cooler
Classical rules:
IF Temperature > 25 THEN Switch-on
IF Temperature < 21 THEN Switch-off
...


Fuzzy Logic
Example: Air cooler
Classical rules:
...
Fuzzy rules:
IF Temperature is high THEN Switch-on
IF Temperature is too low THEN
Switch-off
...


Fuzzy Logic
Example: Air cooler
Classical rules:
...
Fuzzy rules:
IF Temperature is high THEN Switch-on
IF Temperature is too low THEN
Switch-off
...
More soﬁsticated fuzzy rules:
IF Temperature is moderate AND my wife
is very pregnant THEN Switch-on
...


Term sets and grade of membership
Thresholds
More than 3000 packets/sec ⇒ Possible DoS
More than 5000 packets/sec ⇒ DoS!


Term sets:
Thresholds

0
1

IDS with AI marioc@dsi.icai.upco.es
0
¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡

¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡

¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡

¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡

1000
¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡

¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡

low

¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡

¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡

¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡

¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡

¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡

2000

¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡

VOLUME OF TRAFFIC

¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡

¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡

More than 5000 packets/sec ⇒ DoS!
More than 3000 packets/sec ⇒ Possible DoS
Term sets and grade of membership

FIST Conference - june 2004 edition– 18/28

Fuzzy correlator: Preliminary work
Aim of the research:

Use the ﬂexibility and human language features of Fuzzy
Logic and include them in the OSSIM Correlation Engine


Fuzzy correlator: Preliminary work
Aim of the research:

Use the ﬂexibility and human language features of Fuzzy
Logic and include them in the OSSIM Correlation Engine

Status: Preliminary deﬁnitions and precedures.


More on term sets
Input variable: Volume of trafﬁc

very low low normal high very high
1

0
0 1000 2000 3000 4000 5000


More on term sets (II)
Input variable: Number of visited ports

very low low normal high very high
1

0
0 2 4 6 8 10


More on term sets (III)
Output variable: DoS Attack?
improbable maybe almost sure
1

0
0 0.5 1

Rules (example):

IF traffic is high AND number of
destination ports is low THEN DoS

Evaluating rules gives the required answer
’DoS Attack?’: almost sure


OSSIM Correlation Engine
Characteristics
Depends strongly on timers
All the variants of an attack must be coded
Cannot detect new attacks
Complex sintax


Sample scenario: NETBIOS DCERPC ISystemActivator


Sample scenario: NETBIOS DCERPC ISystemActivator

TIME_OUT
IF destination_ports = 135,445 THEN Generate Alarm with Reliability 1 and wait 60 seconds for next rule

TIME_OUT
AND IF DEST_IP and SRC_IP talk again THEN Alarm, Reliability 3 and wait 60 seconds for next rule

AND IF DEST_PORT and SRC_PORT talk again AND plugin_sid=2123 (CMD.EXE) THEN Alarm TIME_OUT
Reliability 6 and wait 60 seconds for next rule

TIME_OUT
AND FINALLY IF plugin_id=2002 and conection lasts more than 10 THEN Alarm with Reliability 10


Fuzzy Correlator revisited: Objectives
Going beyond the sequential arrival of packets
Integrating different sensors:


SNORT
Anomaly detection:
Abnormal connection to an open port (ﬁrewall)
Thresholds
High trafﬁc at nights or weekends, . . .
Neural-IDS
Other


SNORT
Anomaly detection:
Abnormal connection to an open port (firewall)
Thresholds
High traffic at nights or weekends, . . .
Neural-IDS
Other
Defining rules according to Security Manager’s
experience


Conclusions and open questions
AI techniques are
Flexible
Suitable for pattern recognition
Powerful (Neural-IDS)
Easy to design (human language)


AI techniques are
Flexible
But there is still a lot of work to do. . .


AI techniques are
Flexible
We need more time.
We need more people
Students
Security experts (working group?)
And of course. . .


AI techniques are
Flexible
We need more time
We need more people
Students
Security experts (working group?)
And of course. . . some money to pay it


And that’s all folks. . .


IDS with Artificial Intelligence

More Related Content

What's hot (20)

Viewers also liked (8)

Similar to IDS with Artificial Intelligence (20)

More from Conferencias FIST (20)

Recently uploaded (20)

IDS with Artificial Intelligence