EMBEDDABLE HYBRID INTRUSION DETECTION SYSTEM
Adrian P. Lauf
Department of Electrical Engineering and Computer Science, Vanderbilt University
Embeddable Intrusion Detection System (IDS)
Scenario:
- Identify a malicious agent in networked embedded systems while minimizing computational overhead
Research goals:
- System-on-a-chip implementation
- Minimal HW resource overhead
- Consume low power
- Provide flexibility for changes in the system
Method:
- Develop a system to provide high-level analysis of interactions in a homogeneous device network
Embedded Device Outlook
- Provide a hybrid detection system while minimizing performance impacts
- Reduces memory allocation requirements
- HybrIDS performance underscores efficient management of computational cycles
- Balanced computational requirements and accuracy yield embedded application performance
- Multiple interface compatibility: TCP/UDP network interface (UDP default), disk-based interface for simulation purposes, serial I/O capability
- Java 5 platform yields a portable embedded device platform
- Optimized for an ARM9 development environment
Outline
- Concept Primitives: Example Scenario; System-level abstraction; Computational Effort Management and Terminology
- Maxima Detection System (MDS): System configuration; Algorithmic Detail; Performance Assessment
- Cross-Correlative Intrusion Detection System (CCIDS): System Configuration; Detection Method; Score Analysis; Threshold Determination
- Hybrid Intrusion Detection System (HybrIDS): Transitioning Methodology; HybrIDS performance; System-level Implementation
- Summary
What is a traditional IDS?
- Classifies traffic patterns
- Centralized point of analysis
- Observation of data packets; not context-sensitive
- Packet analysis is compute intensive
- Less effective for ad-hoc networks
A Decentralized Approach for Embedded Networks
- Reduce dependence on a single system
- Reduce power consumption
- Reduce compute-intensive operations
- Allows for group consensus decisions
- Each unit maintains a model of the world
- Reduces chance of tampering with a centralized system
Scenario: Autonomous Aircraft Network
- A collection of several aircraft (i.e., agents)
- A general mission or goal established (e.g., reconnaissance)
- Bidirectional communication between all agents
- Inter-node communications can include: attitude/position requests, grouping pattern requests, obstacle avoidance, mission updates
Simplifying by Abstraction
- Actions classified by labels
- Action histories recorded
- Each node maintains action histories from its point of view
- Abstraction permits context independence: applicable to any system using predetermined actions

Example action-history table (count of each action label observed per aircraft):

             Action 1   Action n-1   Action n
Aircraft 1          1           30         25
Aircraft 2          2           32         20
Aircraft 3          1           50         22
Aircraft 4         12            2         80

[Figure: bar chart of the same action counts per aircraft, y-axis 0 to 100]
Computational Cycle Management: Scalability and Embedded Performance Aspects
- Reduce computational intensity
- Allow for node addition with minimal impact on performance
Terminology:
- DPC (Data Processing Cycle): a computationally intensive cycle that performs the IDS analysis
- DCC (Data Collection Cycle): minimally computationally intensive; executed for each received transaction request
- Number of DCCs per DPC: a DPC is executed once τ DCCs per node (on average) have been collected
- More nodes yield a more accurate representation of the system, which requires fewer data points and yields an earlier transition
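As an added illustration of the DCC/DPC split (Python written for this page, not the HybrIDS source, which is Java), the scheduler below appends every received transaction to that node's action history at constant cost and runs the expensive analysis callback only once the average number of DCCs per observed node reaches τ. The class name CycleManager, the callback signature, and the round-robin simulate() driver with its constructed action labels are assumptions; the slides do not specify them.

```python
from collections import defaultdict
from typing import Callable, Dict, List


class CycleManager:
    """Splits IDS work into cheap Data Collection Cycles (DCC) and
    expensive Data Processing Cycles (DPC).

    Illustrative structure only; the real HybrIDS class layout is not
    shown on the slides.
    """

    def __init__(self, tau: int, dpc: Callable[[Dict[str, List[int]]], None]):
        self.tau = tau                  # average DCCs per node that trigger a DPC
        self.dpc = dpc                  # the analysis routine (MDS/CCIDS), run rarely
        self.histories: Dict[str, List[int]] = defaultdict(list)  # per-node action labels
        self.dcc_since_dpc = 0
        self.dpc_count = 0

    def dcc(self, node: str, action: int) -> bool:
        """One Data Collection Cycle: record a (node, action label) transaction.

        Returns True when this DCC pushed the average DCCs per node to tau
        and therefore triggered a DPC.
        """
        self.histories[node].append(action)
        self.dcc_since_dpc += 1
        if self.dcc_since_dpc / len(self.histories) >= self.tau:
            self.dpc(self.histories)
            self.dpc_count += 1
            self.dcc_since_dpc = 0
            return True
        return False


def simulate(n_nodes: int, transactions_per_node: int, tau: int) -> int:
    """Round-robin feed of constructed transactions; returns the number of
    DPCs executed.  Adding nodes does not change the DPC interval seen by
    each node: a DPC runs every tau DCCs per node regardless of n_nodes."""
    dpc_sizes: List[int] = []
    mgr = CycleManager(tau, lambda h: dpc_sizes.append(sum(len(v) for v in h.values())))
    for t in range(transactions_per_node):
        for n in range(n_nodes):
            mgr.dcc(f"node{n}", t % 3)  # constructed action labels 0, 1, 2
    return mgr.dpc_count


if __name__ == "__main__":
    for n in (4, 8, 16):
        print(f"{n} nodes, 30 transactions each, tau=10 -> {simulate(n, 30, 10)} DPCs")
```

With τ = 10 and 30 transactions per node, four, eight, or sixteen nodes all produce three DPCs: the analysis cost per node observation stays fixed as the cluster grows, which is the scalability property the slide claims.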
Maxima Detection: Theory
- Histograms formed for each connected node (node A will track B, C, and D)
- Average system behavior obtained by averaging across observed nodes
- Bins correspond to action labels
- Data must be normalized to a distribution, e.g., Gaussian or chi-squared

[Figure: one histogram over action labels per observed node, summed and divided by (n-1) to give the average behavioral PDF for the system]
Maxima Detection Algorithm
- Resultant vector yields an approximate PDF
- Find the global maximum and exclude it
- Identify and mark local maxima; a local maximum yields likely intrusion-motivated behaviors
- Reverse-map this label to the node with the most frequent occurrence
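The MDS steps above, worked as an added Python example on constructed action histories (this is neither the paper's data nor the HybrIDS Java code). Four aircraft issue actions with six labels; nodes A to C mostly issue labels 1 and 2, while D floods label 4. The histograms are taken from one observer's point of view. The definition of a local maximum (a bin strictly above both neighbours, with edge bins compared to their single neighbour) and the choice of the highest remaining local maximum when several exist are my assumptions, since the slides do not spell them out.

```python
from typing import Dict, List, Optional, Tuple

N_LABELS = 6

# Constructed action histories, one list of action labels per observed node.
HISTORIES: Dict[str, List[int]] = {
    "A": [1] * 30 + [2] * 25 + [0] * 2 + [3] * 3 + [4] + [5],
    "B": [1] * 32 + [2] * 20 + [0] * 3 + [3] * 2 + [4],
    "C": [1] * 50 + [2] * 22 + [0] + [3] * 4 + [4] * 2 + [5],
    "D": [4] * 40 + [1] * 5 + [2] * 4 + [0] + [3] + [5] * 2,  # deviant: floods label 4
}


def histogram(history: List[int], n_labels: int) -> List[float]:
    """Normalized histogram over action labels (bins sum to 1)."""
    counts = [0] * n_labels
    for label in history:
        counts[label] += 1
    total = sum(counts) or 1
    return [c / total for c in counts]


def average_pdf(hists: Dict[str, List[float]]) -> List[float]:
    """Average the per-node histograms bin by bin: the approximate system PDF."""
    n = len(hists)
    n_labels = len(next(iter(hists.values())))
    return [sum(h[label] for h in hists.values()) / n for label in range(n_labels)]


def local_maxima(pdf: List[float]) -> List[int]:
    """Bins strictly above both neighbours (edge bins: above their one neighbour)."""
    maxima = []
    for i, value in enumerate(pdf):
        left = pdf[i - 1] if i > 0 else float("-inf")
        right = pdf[i + 1] if i + 1 < len(pdf) else float("-inf")
        if value > left and value > right:
            maxima.append(i)
    return maxima


def mds_detect(histories: Dict[str, List[int]], n_labels: int) -> Optional[Tuple[str, int]]:
    """Maxima Detection: returns (suspect node, suspicious label) or None."""
    hists = {node: histogram(h, n_labels) for node, h in histories.items()}
    avg = average_pdf(hists)
    global_max = max(range(n_labels), key=avg.__getitem__)   # dominant benign behaviour
    candidates = [l for l in local_maxima(avg) if l != global_max]
    if not candidates:
        return None                                           # no secondary peak: nothing to flag
    label = max(candidates, key=avg.__getitem__)              # highest secondary peak
    node = max(hists, key=lambda n: hists[n][label])          # reverse-map to heaviest user
    return node, label


if __name__ == "__main__":
    print(mds_detect(HISTORIES, N_LABELS))
```

On this data the averaged PDF peaks at label 1 (excluded as the global maximum) and has one secondary local maximum at label 4, which reverse-maps to D. With only A, B and C present, no secondary peak survives and the function returns None, so a single-anomaly detector like MDS stays quiet rather than naming a benign node.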
MDS Identification Performance
- Deviant node pervasion: percentage of nodes in the cluster that are issuing malicious requests
- MDS typically detects a deviant node within the first iteration
- Detected node fluctuates within the space of deviant nodes
Cross Correlation
- Cross-correlation technique generates individual profile scores, compared to the average score for the system PDF
- Provides multiple-detection capability
- Induces false positives; these typically disappear after future iterations
- Resolved by setting a proper threshold
Detection Method: Cross-correlation

[Figure: each node's histogram over action labels is cross-correlated with the average PDF (the per-node histograms summed and divided by (n-1)) to produce that node's score]
Threshold Setting
Score Analysis:
- Average score is computed
- Each score is compared to the average
- Deviance determined by a threshold

[Figure: score per node number (1 to 10), y-axis 0 to 0.5, showing the mean score line, the threshold bounds, and the suspected deviant node]
Threshold Requirements
- Threshold varies for each scenario
- Representative of a percentage deviation required for suspicion of a node
- Variability of thresholds is a weakness of CCIDS: it can cause generation of false positives, reduced by selecting a proper threshold
- A minimal baseline threshold is possible, but the system may never converge

Required Thresholds for Proper Detection (CCIDS)
- Threshold drops linearly with deviant node pervasion
- Number of nodes has negligible impact on threshold requirements
- In the figure, 0.2 represents a 100% deviation: detects only nodes that vary significantly
- 0.02 represents a 10% deviation: more sensitive to smaller node deviations
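The scoring and threshold steps above, as an added Python example on constructed counts (not the paper's data or code). The slides do not give the score formula; the zero-lag cross-correlation of each node's normalized histogram with the average PDF (their dot product) is my assumption, and the threshold is expressed as a fraction of the mean score, following the slides' reading of the threshold as a percentage deviation (in the slides' figure the mean score is about 0.2, so 0.2 is 100% and 0.02 is 10%). Six nodes, two of them deviant, show both the multiple-detection capability and the false positive that a too-low threshold produces.

```python
from typing import Dict, List, Set

# Constructed per-node action counts over six labels (not the paper's data).
# A, B, C, F are benign; D floods label 4 and E floods label 5.
NODE_COUNTS: Dict[str, List[int]] = {
    "A": [2, 30, 25, 3, 1, 1],
    "B": [3, 32, 20, 2, 1, 0],
    "C": [1, 50, 22, 4, 2, 1],
    "F": [2, 40, 30, 3, 1, 1],
    "D": [1, 5, 4, 1, 40, 2],
    "E": [2, 4, 3, 1, 1, 30],
}


def normalize(counts: List[int]) -> List[float]:
    """Counts to a probability vector (bins sum to 1)."""
    total = sum(counts) or 1
    return [c / total for c in counts]


def average_pdf(pdfs: Dict[str, List[float]]) -> List[float]:
    """Bin-wise average of the per-node PDFs: the system behavioural PDF."""
    n = len(pdfs)
    n_labels = len(next(iter(pdfs.values())))
    return [sum(p[label] for p in pdfs.values()) / n for label in range(n_labels)]


def profile_scores(counts: Dict[str, List[int]]) -> Dict[str, float]:
    """Zero-lag cross-correlation of each node's PDF with the average PDF
    (assumed score definition; the slides do not state the formula)."""
    pdfs = {node: normalize(c) for node, c in counts.items()}
    avg = average_pdf(pdfs)
    return {node: sum(a * b for a, b in zip(p, avg)) for node, p in pdfs.items()}


def ccids_detect(counts: Dict[str, List[int]], threshold: float) -> Set[str]:
    """Flag every node whose score differs from the mean score by more than
    threshold * mean.  Several nodes may be flagged at once."""
    scores = profile_scores(counts)
    mean = sum(scores.values()) / len(scores)
    return {node for node, s in scores.items() if abs(s - mean) > threshold * mean}


if __name__ == "__main__":
    for thr in (0.50, 0.30, 0.20):
        print(f"threshold {thr:.2f} -> flagged {sorted(ccids_detect(NODE_COUNTS, thr))}")
```

At a 30% threshold the two deviants D and E are flagged together, which MDS cannot do in one pass. Lowering the threshold to 20% also flags the benign node C, whose heavy use of label 1 pulls its score away from the mean: the false positive the slides warn about. Raising it to 50% flags nothing, so the threshold has to be tuned to the scenario.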
Why a hybrid approach?
- MDS requires no training data; can isolate a single anomaly
- CCIDS requires training data; can detect multiple anomalies; more flexible to system changes

[Figure: timeline over time/DCC progression, MDS phase first, then CCIDS]
How does HybrIDS Choose?
- A HybridState object determines if the transition point has been reached
- If one of the results from CCIDS matches a suspected node from MDS, a match is considered found
Transitioning
- Increasing the deviant node pervasion requires more tuning cycles
- Threshold adjusted once per tuning cycle
- Figure represents an average for all node sizes; the number of transition cycles is independent of node cluster size
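An added Python sketch of the transition logic described on the two slides above (not the HybrIDS HybridState class itself; its fields and methods are not on the slides). It takes CCIDS profile scores as input, compares them against the mean at the current threshold once per tuning cycle, and declares the transition when the MDS suspect appears among the CCIDS results. The direction and size of the per-cycle threshold adjustment (start strict and loosen by 0.05 per cycle down to a floor) and the two constructed score tables are assumptions. The low-pervasion table (one deviant of eight) converges in fewer cycles than the high-pervasion one (two of six), which is the behaviour the slide describes, and a benign node wrongly suspected by MDS never converges before the floor.

```python
from typing import Dict, Optional, Set

# Constructed CCIDS profile scores (the kind a cross-correlation pass yields).
LOW_PERVASION: Dict[str, float] = {   # 1 deviant of 8 nodes
    "n1": 0.30, "n2": 0.31, "n3": 0.32, "n4": 0.31,
    "n5": 0.30, "n6": 0.32, "n7": 0.31, "dev": 0.12,
}
HIGH_PERVASION: Dict[str, float] = {  # 2 deviants of 6 nodes
    "A": 0.303, "B": 0.313, "C": 0.326, "F": 0.313, "D": 0.170, "E": 0.162,
}


def ccids_flagged(scores: Dict[str, float], threshold: float) -> Set[str]:
    """Nodes whose score deviates from the mean by more than threshold * mean."""
    mean = sum(scores.values()) / len(scores)
    return {node for node, s in scores.items() if abs(s - mean) > threshold * mean}


class HybridState:
    """Tracks whether HybrIDS has moved from the MDS phase to the CCIDS phase."""

    def __init__(self, mds_suspect: str, start_threshold: float = 1.0, step: float = 0.05):
        self.mds_suspect = mds_suspect   # node named by the MDS phase
        self.threshold = start_threshold  # begin strict (100% deviation), loosen per cycle
        self.step = step
        self.cycles = 0
        self.transitioned = False

    def tune(self, scores: Dict[str, float]) -> bool:
        """One tuning cycle: run CCIDS at the current threshold; transition on a
        match with the MDS suspect, otherwise loosen the threshold one step."""
        if self.transitioned:
            return True
        self.cycles += 1
        if self.mds_suspect in ccids_flagged(scores, self.threshold):
            self.transitioned = True
            return True
        self.threshold = round(self.threshold - self.step, 10)
        return False


def cycles_to_transition(mds_suspect: str, scores: Dict[str, float],
                         floor: float = 0.10, max_cycles: int = 100) -> Optional[int]:
    """Number of tuning cycles until transition, or None if the threshold would
    have to drop below `floor` (the slides' non-converging case)."""
    state = HybridState(mds_suspect)
    for _ in range(max_cycles):
        if state.tune(scores):
            return state.cycles
        if state.threshold < floor:
            return None
    return None


if __name__ == "__main__":
    print("low pervasion :", cycles_to_transition("dev", LOW_PERVASION))
    print("high pervasion:", cycles_to_transition("D", HIGH_PERVASION))
    print("benign suspect:", cycles_to_transition("n1", LOW_PERVASION))
```

The deviant's relative distance from the mean score shrinks as more deviants pull the mean toward them, so the threshold must be loosened further before the MDS suspect shows up in the CCIDS results: 10 cycles at one deviant in eight versus 14 at two in six. The floor keeps a wrongly suspected benign node from dragging the threshold down until everything is flagged.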
How does it perform? HybrIDS Performance Analyzed
- HybrIDS can reliably detect deviant nodes up to 22% pervasion
- 25% pervasion and up removes the element of determinacy
- Scalability by percentage pervasion: the number of nodes in the cluster does not affect scalability concerns
- Graph includes total time: MDS, transition, and CCIDS cycles
HybrIDS Implementation
- Implemented in Java 5 (1.5); introduces code portability
- ARM9 development board target
- 2.73 KB memory footprint for a 35-agent system with 10 behaviors
- MDS and CCIDS use a shared data structure
- Storage footprint less than 46 KB
- Flexible interface implementation: TCP/UDP for network interface, disk-based access for simulation, RS-232/serial interface possible
Summary
- Two-phased approach gives HybrIDS a detection advantage in an abstracted homogeneous device network
- MDS provides accurate, single-anomaly detection and requires no training data
- CCIDS provides multiple-anomaly detection and requires a training threshold
- DPC/DCC computational cycle management reduces embedded device load
- Decentralized approach increases reliability and allows for ad-hoc network arrangement
- HybrIDS detection accuracy and determinacy are viable through 22% deviant node pervasion
- Java implementation and small footprint assure integration ease and platform cross-compatibility
- HybrIDS is scalable based on the deviant node pervasion, not the number of nodes