Upload
others
View
5
Download
0
Embed Size (px)
Citation preview
Introduction for Seminar: Intrusion Detection Systems
Mohammad Reza Norouzian
Technische Universität München
Fakultät für Informatik
Lehrstuhl für IT Sicherheit
23.04.2019
• Introductiontoresearcharea• Studentassignments• Grading• Timetable• Presentationguidance• Reportguidance• FAQ
Outline
2Intrusion Detection Systems | Chair for IT Security
What’s an Intrusion?
3Intrusion Detection Systems | Chair for IT Security
• Successful attackis usually (butnot always) associatedwith anaccess control violation
• Abufferoverflow hasbeen exploited, and nowattack code isbeingexecutedinside alegitimate program
• Outsidergained accesstoa protectedresource• Aprogram orfilehasbeen modified• Systemisnot behaving “as itshould”
• The goal of an intrusiondetection system (IDS) is to detect thatbad thingsarehappening (intrusion)
• Just asthey start happening (hopeso)• How isthisdifferent froma firewall?
Intrusion detection styles
4Intrusion Detection Systems | Chair for IT Security
• Misuse detection: precise descriptions of known maliciousbehavior.
• Anomaly detection: have anotionof normal activity andflagdeviations from thatprofile.
IDS
IDSInternal Network
• *Specification-based detection: defining allowed typesofactivity inorder toflaganyotheractivityasforbidden.
TheInternet
AttackerFirewall
• Striking imbalancedeployments:• Almostexclusively only misusedetectorsin use• Detectsignatures (characteristicbytesequences)
• Question:• However, anomaly detection isextremely appealing (intheliteratures)
• Promises to find novel attacks w/oanticipating specifics
• Machine learning works so well inother domains• Butit’s hardto findanymachine learning NIDSin real-worlddeployments, why?
Detection Styles in Actual Deployments
5Intrusion Detection Systems | Chair for IT Security
• Set ofrules defininga behavioral signature likely to beassociatedwith attackof a certain type
• Example: bufferoverflow• A setuid program spawns a shellwith certain arguments• A network packet has lotsof NOPs init• Very longargument to astring function
• Example: SYNflooding (denial ofservice)• LargenumberofSYNpacketswithoutACKscomingback• …oristhissimplyapoornetworkconnection?
• Attacksignaturesareusuallyveryspecificandmaymissvariantsofknownattacks
• Whynotmakesignatures more general?
Misuse Detection (Signature-Based)
6Intrusion Detection Systems | Chair for IT Security
• Originally introducedbyDorothyDenning in 1987• Assumption: attacks exhibit characteristics NOT observed fornormalusage
• Propose: host-based IDS• Host-level system building per-user profiles of activity• E.g., loginfrequency, session duration, resource consumption
• Machinelearning(ML):• Training: trained withreference input to“learn” its specifics
• SupervisedorUnsupervised• Test: deployed onpreviously unseen input forthe actual detectionprocess
Anomaly Detection
7Intrusion Detection Systems | Chair for IT Security
• Define a profile describing “normal”behavior• Works bestfor “small”, well-defined systems single programratherthanhuge multi-userOS
• Profilemay be statistical• Build it manually (this ishard)• Usemachine learning anddatamining techniques
• Log system activities for a while, then “train” IDS to recognize normal andabnormalpatterns
• Risk: attackertrains IDStoaccepthisactivityasnormal - adversariallearning• Daily low-volume port scanmay train IDS to accept port scans
Anomaly Detection Cont’d
8Intrusion Detection Systems | Chair for IT Security
• Examples (for comparison):• Amazon/Netflix – product recommendation• OCR(optical character recognition) systems• Natural language translation• Spamdetection
• Claim: the taskof findingattacksis fundamentally different fromotherapplications
• Making it significantly harderforus toemploy ML
Machine Learning in Other Domains
9Intrusion Detection Systems | Chair for IT Security
• Somewell-known problems:• High false positive rate• Lackof(attack-free) training data• Attackerscantry toevade detection
• Goal:• Using anomaly detection effectivelyin thereal world operationalenvironments (fornetworkintrusion detection)
Machine Learning in Intrusion Detection
10Intrusion Detection Systems | Chair for IT Security
• Outlier Detection• LackofTrainingData• High Cost of Errors• SemanticGap (interpretation of results)• Diversityof NetworkTraffic• So,Whatcouldbethesolutions?
Challenges of Using Machine Learning
11Intrusion Detection Systems | Chair for IT Security
• Pick2papers fromthelist(coursehomepage ),orproposepapers• Thedeadline fortopicselectionis24.04.19
• Firstcome,firstserved
• 1paperusedforaseminarpresentation(20'+10‘discussion)• Writeareportaboutbothpapers(atleastin14pagesLNCSformat)• Whattodeliver:
• 1Presentation
• 1Report(forbothtopics)
Student Assignments
12Intrusion Detection Systems | Chair for IT Security
1
1- https://www.sec.in.tum.de/i20/teaching/ss2019/intrusion-detection-systems
• Seminar- (kindof)simulationofscientificresearch
• Trytobeindependent,butalsoaskquestions
How to do your research
13Intrusion Detection Systems | Chair for IT Security
Read paper Read referenced
papersRead related papers Read related books Ask course
organizers
• Gradingconsistofdifferentparameters:• Report(60%)• Presentation(30%)• Participationanddiscussion(10%)
• Almostneglected!
Grading
14Intrusion Detection Systems | Chair for IT Security
• 29.01.19– Kick-offMeeting
• 23.04.19– Introduction,RulesandDivisionofpapers
• 28.05.19– StudentsPresentation
• 04.06.19– StudentsPresentation• 11.06.19– StudentsPresentation
• 18.06.19– StudentsPresentation
• 25.06.19– StudentsPresentation• 02.07.19– StudentsPresentation
Time Table
15Intrusion Detection Systems | Chair for IT Security
Needstobe:• Correct• Complete• Comprehensible
Presentation
16Intrusion Detection Systems | Chair for IT Security
• Presentinformationfromthepapercorrectly
• Don’tspeculatewithoutareasonorproof
• Don’tclaimsomethingyoucannotexplainwell
Presentation - Correct
17Intrusion Detection Systems | Chair for IT Security
• Explainallkeypointsofthepaper
• Becarefulabouttimeconstraintsanddistribution
• Conveyinformationwithoutleavingoutimportantinsight
Presentation - Complete
18Intrusion Detection Systems | Chair for IT Security
• Speakloudandclear• Thinkabouttheaudience- fellowstudents• Motivatetheaudiencefordiscussion• Don’tfightyouraudience,answerallquestionsfriendly
Presentation - Comprehensible
19Intrusion Detection Systems | Chair for IT Security
• Introductiontothetopic• Presentpaper
• Introduction• MainPoint• Backuparguments• Conclusions (keytakeaways)
Presentation - Structure
20Intrusion Detection Systems | Chair for IT Security
• Readpapers,oratleastabstracts,priortoeachpresentationday• Listencarefully,writedownquestions• Askquestions,comment• Activeparticipationisappreciated!
Presentation - Audience
21Intrusion Detection Systems | Chair for IT Security
• Presentationskills• Generalorganization,useofslides• Language,slidetextandgraphics• Pace,useoftime
• Subject-relatedcompetence• Subjectknowledge• Stayingontopic• Identifying interesting/important points
Presentation - Grading
22Intrusion Detection Systems | Chair for IT Security
Report(Deadline07.07.2019)
23Intrusion Detection Systems | Chair for IT Security
• 14PagesLNCS(minimum)- fitbothpapers,describethemseparately
• Summarizekeypointsofbothpapers- notaneasytask• Useatypicalpaperstructure:
• Abstract->Introduction ->Methodology ->Results->Discussion ->Conclusion
Report
24Intrusion Detection Systems | Chair for IT Security
• Summarizethepaper• Introductiontotheproblem• Howwastheproblemsolved?Methodology• Shortinsightintheresults• Whatistheimpactofthepaper?
Report - Abstract
25Intrusion Detection Systems | Chair for IT Security
• Describethecontext• Whatisthepreexistingwork?• Whatdoesthepreexistingworklack?• Howdoesthispaperclosethegap?
Report - Introduction
26Intrusion Detection Systems | Chair for IT Security
• Describethemechanismsusedtotackletheexistingproblem
• Leadthereaderthroughtheproblemsolvingprocedures
• Giveargumentsforthechoiceofmethods
Report - Methodology
27Intrusion Detection Systems | Chair for IT Security
• Giveanoverviewoftheimportantresults• Addtables,graphs...ifyouhavespace• Shortlycommentonthefigures• Avoidphraseslike:Itisobviousfromthisgraphthat...
Report - Results
28Intrusion Detection Systems | Chair for IT Security
• Whatdotheresultsactuallytellus?• Comparetheresultswithrelatedwork• Whatarethelimitationsofthepaper?• Howcanthelimitationsbeaddressed?
Report - Discussion
29Intrusion Detection Systems | Chair for IT Security
• Summaryofthepaperin3-4sentences
• Whatarethemostinterestingresults?
• Whatistheimpactofthepaper?
Report - Conclusion
30Intrusion Detection Systems | Chair for IT Security
• Paperorganization• Languageandgrammar• Subjectknowledge• Abilitytosummarize• Properbibliographyandcitations
Report - Grading
31Intrusion Detection Systems | Chair for IT Security
• Allowedtomissapresentationday?Yes,ifyouhaveaverygoodreason.• Examplesofgoodreason:healthissues• Examplesofbadreason:HiWi work,homework,footballtraining,badmood
• CanIsetameetingifIhaveproblemswithmypapers?• Yes,buttrytodoasmuchasyoucanyourself.
FAQ
32Intrusion Detection Systems | Chair for IT Security
1. Sommer, R., & Paxson, V. (2010). Outside the Closed World: On Using Machine Learning forNetwork Intrusion Detection. 2010 IEEE Symposium on Security and Privacy, 0(May), 305–316.
2. Bhuyan, M. H., Bhattacharyya, D. K., & Kalita, J. K. (2014). Network Anomaly Detection:Methods, Systems and Tools. Communications Surveys & Tutorials, IEEE, 16(1), 303–336.
3. Chandola, V., Banerjee, A., & Kumar, V. (2009). Anomaly detection: A survey. ACM ComputingSurveys (CSUR), 41(September), 1–58.
4. Tavallaee, M., Bagheri, E., Lu, W., & Ghorbani, A.A. (2009). Adetailed analysis of the KDD CUP99 data set. IEEE Symposium on Computational Intelligence for Security and DefenseApplications, CISDA 2009, (Cisda), 1–6.
5. García-Teodoro, P., Díaz-Verdejo, J., Maciá-Ferná Ndez, G., & Vá Zquez, E. (2009). Anomaly-based network intrusion detection: Techniques, systems and challenges. Computers & Security,28, 18–28.
References
33Intrusion Detection Systems | Chair for IT Security