Introduction for Seminar: Intrusion Detection Systems

Mohammad Reza Norouzian

Technische Universität München

Fakultät für Informatik

Lehrstuhl für IT Sicherheit

23.04.2019

• Introductiontoresearcharea• Studentassignments• Grading• Timetable• Presentationguidance• Reportguidance• FAQ

Outline

2Intrusion Detection Systems | Chair for IT Security

What’s an Intrusion?

3Intrusion Detection Systems | Chair for IT Security

• Successful attackis usually (butnot always) associatedwith anaccess control violation

• Abufferoverflow hasbeen exploited, and nowattack code isbeingexecutedinside alegitimate program

• Outsidergained accesstoa protectedresource• Aprogram orfilehasbeen modified• Systemisnot behaving “as itshould”

• The goal of an intrusiondetection system (IDS) is to detect thatbad thingsarehappening (intrusion)

• Just asthey start happening (hopeso)• How isthisdifferent froma firewall?

Intrusion detection styles

4Intrusion Detection Systems | Chair for IT Security

• Misuse detection: precise descriptions of known maliciousbehavior.

• Anomaly detection: have anotionof normal activity andflagdeviations from thatprofile.

IDS

IDSInternal Network

• *Specification-based detection: defining allowed typesofactivity inorder toflaganyotheractivityasforbidden.

TheInternet

AttackerFirewall

• Striking imbalancedeployments:• Almostexclusively only misusedetectorsin use• Detectsignatures (characteristicbytesequences)

• Question:• However, anomaly detection isextremely appealing (intheliteratures)

• Promises to find novel attacks w/oanticipating specifics

• Machine learning works so well inother domains• Butit’s hardto findanymachine learning NIDSin real-worlddeployments, why?

Detection Styles in Actual Deployments

5Intrusion Detection Systems | Chair for IT Security

• Set ofrules defininga behavioral signature likely to beassociatedwith attackof a certain type

• Example: bufferoverflow• A setuid program spawns a shellwith certain arguments• A network packet has lotsof NOPs init• Very longargument to astring function

• Example: SYNflooding (denial ofservice)• LargenumberofSYNpacketswithoutACKscomingback• …oristhissimplyapoornetworkconnection?

• Attacksignaturesareusuallyveryspecificandmaymissvariantsofknownattacks

• Whynotmakesignatures more general?

Misuse Detection (Signature-Based)

6Intrusion Detection Systems | Chair for IT Security

• Originally introducedbyDorothyDenning in 1987• Assumption: attacks exhibit characteristics NOT observed fornormalusage

• Propose: host-based IDS• Host-level system building per-user profiles of activity• E.g., loginfrequency, session duration, resource consumption

• Machinelearning(ML):• Training: trained withreference input to“learn” its specifics

• SupervisedorUnsupervised• Test: deployed onpreviously unseen input forthe actual detectionprocess

Anomaly Detection

7Intrusion Detection Systems | Chair for IT Security

• Define a profile describing “normal”behavior• Works bestfor “small”, well-defined systems single programratherthanhuge multi-userOS

• Profilemay be statistical• Build it manually (this ishard)• Usemachine learning anddatamining techniques

• Log system activities for a while, then “train” IDS to recognize normal andabnormalpatterns

• Risk: attackertrains IDStoaccepthisactivityasnormal - adversariallearning• Daily low-volume port scanmay train IDS to accept port scans

Anomaly Detection Cont’d

8Intrusion Detection Systems | Chair for IT Security

• Examples (for comparison):• Amazon/Netflix – product recommendation• OCR(optical character recognition) systems• Natural language translation• Spamdetection

• Claim: the taskof findingattacksis fundamentally different fromotherapplications

• Making it significantly harderforus toemploy ML

Machine Learning in Other Domains

9Intrusion Detection Systems | Chair for IT Security

• Somewell-known problems:• High false positive rate• Lackof(attack-free) training data• Attackerscantry toevade detection

• Goal:• Using anomaly detection effectivelyin thereal world operationalenvironments (fornetworkintrusion detection)

Machine Learning in Intrusion Detection

10Intrusion Detection Systems | Chair for IT Security

• Outlier Detection• LackofTrainingData• High Cost of Errors• SemanticGap (interpretation of results)• Diversityof NetworkTraffic• So,Whatcouldbethesolutions?

Challenges of Using Machine Learning

11Intrusion Detection Systems | Chair for IT Security

• Pick2papers fromthelist(coursehomepage ),orproposepapers• Thedeadline fortopicselectionis24.04.19

• Firstcome,firstserved

• 1paperusedforaseminarpresentation(20'+10‘discussion)• Writeareportaboutbothpapers(atleastin14pagesLNCSformat)• Whattodeliver:

• 1Presentation

• 1Report(forbothtopics)

Student Assignments

12Intrusion Detection Systems | Chair for IT Security

1

1- https://www.sec.in.tum.de/i20/teaching/ss2019/intrusion-detection-systems

• Seminar- (kindof)simulationofscientificresearch

• Trytobeindependent,butalsoaskquestions

How to do your research

13Intrusion Detection Systems | Chair for IT Security

Read paper Read referenced

papersRead related papers Read related books Ask course

organizers

• Gradingconsistofdifferentparameters:• Report(60%)• Presentation(30%)• Participationanddiscussion(10%)

• Almostneglected!

Grading

14Intrusion Detection Systems | Chair for IT Security

• 29.01.19– Kick-offMeeting

• 23.04.19– Introduction,RulesandDivisionofpapers

• 28.05.19– StudentsPresentation

• 04.06.19– StudentsPresentation• 11.06.19– StudentsPresentation

• 18.06.19– StudentsPresentation

• 25.06.19– StudentsPresentation• 02.07.19– StudentsPresentation

Time Table

15Intrusion Detection Systems | Chair for IT Security

Needstobe:• Correct• Complete• Comprehensible

Presentation

16Intrusion Detection Systems | Chair for IT Security

• Presentinformationfromthepapercorrectly

• Don’tspeculatewithoutareasonorproof

• Don’tclaimsomethingyoucannotexplainwell

Presentation - Correct

17Intrusion Detection Systems | Chair for IT Security

• Explainallkeypointsofthepaper

• Becarefulabouttimeconstraintsanddistribution

• Conveyinformationwithoutleavingoutimportantinsight

Presentation - Complete

18Intrusion Detection Systems | Chair for IT Security

• Speakloudandclear• Thinkabouttheaudience- fellowstudents• Motivatetheaudiencefordiscussion• Don’tfightyouraudience,answerallquestionsfriendly

Presentation - Comprehensible

19Intrusion Detection Systems | Chair for IT Security

• Introductiontothetopic• Presentpaper

• Introduction• MainPoint• Backuparguments• Conclusions (keytakeaways)

Presentation - Structure

20Intrusion Detection Systems | Chair for IT Security

• Readpapers,oratleastabstracts,priortoeachpresentationday• Listencarefully,writedownquestions• Askquestions,comment• Activeparticipationisappreciated!

Presentation - Audience

21Intrusion Detection Systems | Chair for IT Security

• Presentationskills• Generalorganization,useofslides• Language,slidetextandgraphics• Pace,useoftime

• Subject-relatedcompetence• Subjectknowledge• Stayingontopic• Identifying interesting/important points

Presentation - Grading

22Intrusion Detection Systems | Chair for IT Security

Report(Deadline07.07.2019)

23Intrusion Detection Systems | Chair for IT Security

• 14PagesLNCS(minimum)- fitbothpapers,describethemseparately

• Summarizekeypointsofbothpapers- notaneasytask• Useatypicalpaperstructure:

• Abstract->Introduction ->Methodology ->Results->Discussion ->Conclusion

Report

24Intrusion Detection Systems | Chair for IT Security

• Summarizethepaper• Introductiontotheproblem• Howwastheproblemsolved?Methodology• Shortinsightintheresults• Whatistheimpactofthepaper?

Report - Abstract

25Intrusion Detection Systems | Chair for IT Security

• Describethecontext• Whatisthepreexistingwork?• Whatdoesthepreexistingworklack?• Howdoesthispaperclosethegap?

Report - Introduction

26Intrusion Detection Systems | Chair for IT Security

• Describethemechanismsusedtotackletheexistingproblem

• Leadthereaderthroughtheproblemsolvingprocedures

• Giveargumentsforthechoiceofmethods

Report - Methodology

27Intrusion Detection Systems | Chair for IT Security

• Giveanoverviewoftheimportantresults• Addtables,graphs...ifyouhavespace• Shortlycommentonthefigures• Avoidphraseslike:Itisobviousfromthisgraphthat...

Report - Results

28Intrusion Detection Systems | Chair for IT Security

• Whatdotheresultsactuallytellus?• Comparetheresultswithrelatedwork• Whatarethelimitationsofthepaper?• Howcanthelimitationsbeaddressed?

Report - Discussion

29Intrusion Detection Systems | Chair for IT Security

• Summaryofthepaperin3-4sentences

• Whatarethemostinterestingresults?

• Whatistheimpactofthepaper?

Report - Conclusion

30Intrusion Detection Systems | Chair for IT Security

• Paperorganization• Languageandgrammar• Subjectknowledge• Abilitytosummarize• Properbibliographyandcitations

Report - Grading

31Intrusion Detection Systems | Chair for IT Security

• Allowedtomissapresentationday?Yes,ifyouhaveaverygoodreason.• Examplesofgoodreason:healthissues• Examplesofbadreason:HiWi work,homework,footballtraining,badmood

• CanIsetameetingifIhaveproblemswithmypapers?• Yes,buttrytodoasmuchasyoucanyourself.

FAQ

32Intrusion Detection Systems | Chair for IT Security

1. Sommer, R., & Paxson, V. (2010). Outside the Closed World: On Using Machine Learning forNetwork Intrusion Detection. 2010 IEEE Symposium on Security and Privacy, 0(May), 305–316.

2. Bhuyan, M. H., Bhattacharyya, D. K., & Kalita, J. K. (2014). Network Anomaly Detection:Methods, Systems and Tools. Communications Surveys & Tutorials, IEEE, 16(1), 303–336.

3. Chandola, V., Banerjee, A., & Kumar, V. (2009). Anomaly detection: A survey. ACM ComputingSurveys (CSUR), 41(September), 1–58.

4. Tavallaee, M., Bagheri, E., Lu, W., & Ghorbani, A.A. (2009). Adetailed analysis of the KDD CUP99 data set. IEEE Symposium on Computational Intelligence for Security and DefenseApplications, CISDA 2009, (Cisda), 1–6.

5. García-Teodoro, P., Díaz-Verdejo, J., Maciá-Ferná Ndez, G., & Vá Zquez, E. (2009). Anomaly-based network intrusion detection: Techniques, systems and challenges. Computers & Security,28, 18–28.

References

33Intrusion Detection Systems | Chair for IT Security