On an Efficient and Scalable Architecture for Mimicry Attacks Detection Using Probabilistic Methods-Edición Única

Hdl Handle:
http://hdl.handle.net/11285/567126
Title:
On an Efficient and Scalable Architecture for Mimicry Attacks Detection Using Probabilistic Methods-Edición Única
Issue Date:
2004-11-19
Abstract:
An intrusion detection system (IDS) aims at signalling an alarm for every activity that compromises a secure state of an IT system. It often amounts to detecting a known pattern of computer misuse, a deviation from ordinary, expected user behaviour, or a combination thereof. Regardless of which of these approaches is adopted, current Intrusion Detection Systems (IDSs) are easy to bypass. This thesis addresses the three most important limitations of existing IDSs: i) current IDSs are easily overwhelmed by the amount of information they ought to analyse; ii) current IDSs are not sufficient to monitor dynamic environments where the monitored services are changed according to the needs of the organisation; and iii) current IDSs are easy to bypass using a mimicry attack (an attack that simulates normal sequences of system calls). These kinds of attacks simulate normal activity (e.g. traffic, interaction) by varying an attack signature in a way that does not affect the harmfulness of the attack. Instead of creating a lightweight detection method capable of dealing with large volumes of information, at the probable cost of a loss of accuracy, we focus on making intrusion detection more tractable, scalable and efficient (without compromising accuracy). We make intrusion detection more tractable by preprocessing the information. Whether it is a sequence of network packets or a sequence of system calls, the information an IDS analyses is often redundant in at least two respects: first, every entry in the sequence may contain spurious information; second, any sequence may contain redundant subsequences. To make probabilistic intrusion detection more scalable, efficient and flexible, we propose a novel architecture that includes a service selection mechanism. Instead of analysing a single stream of data, the stream is partitioned into services, each of which is analysed by a very specialised sensor.
New sensors can be added on demand; if a new service needs to be monitored, another sensor is placed. To make mimicry attack intrusion detection more accurate (reduce false positives) we propose to divide attacks into smaller segments. For each segment we will create a detector that classifies the segment and all its variants. By combining these smaller detectors we hope to detect all variations of an attack. By using rough sets we have identified key attributes to eliminate spurious information, without missing chief details. Using n-gram theory we have identified the most redundant subsequences within a sequence; substitution of these subsequences with a fresh tag results in a reduction of the sequence length. To approach service selection, we suggest the use of hidden Markov models (HMMs), trained to detect a specific service described by a family of n-grams. In this thesis, we introduce a method which is capable of successfully detecting a significant, interesting sub-class of mimicry attacks. The key behind our method's effectiveness lies in the use of a word network [Pereira and Riley, 1997, Young et al., 2002]. A word network conveniently decomposes a pattern matching problem into a chain of smaller, noise-tolerant pattern matchers, thereby making it more tractable and robust. A word network is realised as a finite state machine, where every state is an HMM. In our experiments, our mechanism shows an accuracy of 93%. By contrast, the rate of false positive occurrence is only 3%. Our log reduction methods are among the best in reduction ratio and feature a minimal loss of information. Ours is one of the first techniques to successfully detect a sub-class of mimicry attacks.
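The n-gram log reduction step described in the abstract, as an added illustration that is not code from the thesis: it repeatedly finds the most frequent n-gram in a system-call trace, replaces its occurrences with a fresh tag, and records the tag so the reduced trace can be expanded back losslessly. The sample trace, the tag naming scheme and the fixed n are assumptions; the rough-set attribute selection the thesis also uses is not covered here.

```python
from collections import Counter

# Constructed sample system-call trace (not data from the thesis): a process
# that repeatedly opens, reads and closes files, with a few calls in between.
SAMPLE_TRACE = (["open", "read", "close"] * 4 + ["mmap"]
                + ["open", "read", "close"] * 3
                + ["brk", "open", "read", "close"])

def count_ngrams(seq, n):
    """Count every length-n window of seq (windows may overlap)."""
    return Counter(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))

def replace_ngram(seq, gram, tag):
    """Replace non-overlapping, left-to-right occurrences of gram by tag."""
    out, i, n = [], 0, len(gram)
    while i < len(seq):
        if tuple(seq[i:i + n]) == gram:
            out.append(tag)
            i += n
        else:
            out.append(seq[i])
            i += 1
    return out

def reduce_sequence(seq, n=3, min_count=2):
    """Substitute the most frequent n-gram with a fresh tag until no n-gram
    repeats; tags may become part of later n-grams (nested substitution).
    Returns the reduced sequence and the tag table needed to expand it."""
    seq, table = list(seq), {}
    while True:
        counts = count_ngrams(seq, n)
        if not counts or counts.most_common(1)[0][1] < min_count:
            break
        gram = counts.most_common(1)[0][0]
        tag = f"T{len(table)}"          # fresh tag; naming scheme is assumed
        table[tag] = gram
        seq = replace_ngram(seq, gram, tag)
    return seq, table

def expand_sequence(seq, table):
    """Undo the substitution recursively, showing the reduction is lossless."""
    out = []
    for item in seq:
        if item in table:
            out.extend(expand_sequence(table[item], table))
        else:
            out.append(item)
    return out
```

On the sample trace, reduce_sequence turns 26 calls into 6 symbols with two nested tags, and expand_sequence recovers the original trace exactly.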
Keywords:
Efficient and Scalable Architecture; Mimicry Attacks; Detection Using Probabilistic Methods; Intrusion detection system
Degree Program:
Programa de Graduados en Computación, Información y Comunicaciones
Advisors:
Dr. Raúl Monroy Borja
Committee Member / Sinodal:
Dr. Lee Giles; Dr. Juan A. Nolazco; Dr. Carlos Mex
Degree Level:
Doctor of Philosophy in Artificial Intelligence
Campus Program:
Campus Monterrey
Discipline:
Ingeniería y Ciencias Aplicadas / Engineering & Applied Sciences
Appears in Collections:
Ciencias Exactas

Full metadata record

DC Field: Value (Language)
dc.contributor.advisor: Dr. Raúl Monroy Borja (es)
dc.creator: Godínez Delgado, Fernando (en)
dc.date.accessioned: 2015-08-17T09:29:50Z (en)
dc.date.available: 2015-08-17T09:29:50Z (en)
dc.date.issued: 2004-11-19 (en)
dc.identifier.uri: http://hdl.handle.net/11285/567126 (en)
dc.language.iso: en
dc.rights: Open Access (en)
dc.rights.uri: http://creativecommons.org/licenses/by-nc-nd/4.0/
dc.title: On an Efficient and Scalable Architecture for Mimicry Attacks Detection Using Probabilistic Methods-Edición Única (en)
dc.type: Tesis de Maestría (es)
thesis.degree.grantor: Instituto Tecnológico y de Estudios Superiores de Monterrey (es)
thesis.degree.level: Doctor of Philosophy in Artificial Intelligence (es)
dc.contributor.committeemember: Dr. Lee Giles (es)
dc.contributor.committeemember: Dr. Juan A. Nolazco (es)
dc.contributor.committeemember: Dr. Carlos Mex (es)
thesis.degree.name: Programa de Graduados en Computación, Información y Comunicaciones (es)
dc.subject.keyword: Efficient and Scalable Architecture (en)
dc.subject.keyword: Mimicry Attacks (en)
dc.subject.keyword: Detection Using Probabilistic Methods (en)
dc.subject.keyword: Intrusion detection system (en)
thesis.degree.program: Campus Monterrey (es)
dc.subject.discipline: Ingeniería y Ciencias Aplicadas / Engineering & Applied Sciences (en)