
Information Integration and Assurance Laboratory IEE594 Presentation



Presentation Transcript


  1. Information Integration and Assurance Laboratory IEE594 Presentation
     Xiangyang Li, Dept. of Industrial Engineering, Arizona State University, Box 875906, Tempe, AZ 85287-5906, USA

  2. Current People
     • Director: Dr. Nong Ye
     • Students
       Master: Syed Masum Emran
       Ph.D.: Qiang Chen, Xiangyang Li, Mingming Xu, Dawei Zhang, Yebin Zhang

  3. Current Research
     • Information security: intrusion detection technology study
     • Supply chain (with the Business School): enterprise modeling and simulation

  4. Intrusion Detection Technology: Application of Decision Tree Classifier

  5. Intrusion Detection - Defensive System
     • Security Policy: What should we protect?
     • Prevention: How can we prevent an intrusion?
     • Detection: If there is an intrusion, how can we detect it?
     • Response/Recovery: If we detect an intrusion, how can we respond? How can we recover the system from the damage?

  6. Intrusion Detection - Methods
     • Norm-based Approach
       • Statistical-based Techniques (SPC): build up a norm profile with statistical methods
       • Specification-based Techniques (ANN, BN, ...): build up a norm profile with rules and logical specification
     • Signature-based Approach (DT, Clustering, ...): recognize the pre-defined intrusion signature from system activities.

  7. Problem Definition (1)
     • Intrusion Detection: normality profile method; signature recognition method
     • Decision tree technique can be used to build the signatures of normal activities and attacks automatically. Each path of the tree corresponds to a signature.
     • Each leaf represents an IW value. Each leaf corresponds to a specific state of the system.

  8. Problem Definition (2)
     BSM audit event from Solaris:
       event 217, auid -2, euid 0, egid 0, ruid 0, rgid 0, pid 96, sid 0, RemoteIP 0.0.0.0, time 897047263, error_message 91, process_error 0, retval 0, attack 0
     • Target variable
       Label: 0 - normal activity, 1 - attack
       IW (Intrusion Warning): 0 - 1
     • Predictor variables: only use the information of event type (284 event types - Solaris 2.7)
     • Data sets: training data set, testing data set

  9. Problem Definition (3)
     • Decision tree algorithms: GINI and CHAID (Answer Tree - SPSS Inc.)
     • Analysis of testing results
       • Comparison of Mean, Max and Min of IW values between normal and attack events.
       • ROC (Receiver Operating Characteristic curve) with hit rates and false alarm rates based on the predicted IW values and the true Label values.
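The two analyses on this slide, as an added example that is not part of the presentation or the lab's code: per-class IW statistics, and an ROC built from the hit rate (fraction of attack events whose IW reaches a threshold) and false alarm rate (fraction of normal events that do). The (IW, Label) pairs are constructed sample values, not the lab's data.

```python
"""Added example (not from the IIA Lab slides): evaluating a classifier that
emits an Intrusion Warning (IW) score in [0, 1] per audit event, using the
two analyses the slide lists: IW summary statistics per class, and an ROC
built from hit rate and false alarm rate at each IW threshold."""
from typing import Dict, List, Tuple

# Constructed sample: (predicted IW, true Label) pairs. Label 0 = normal, 1 = attack.
SAMPLE_SCORES: List[Tuple[float, int]] = [
    (0.02, 0), (0.05, 0), (0.10, 0), (0.35, 0), (0.60, 0),
    (0.40, 1), (0.75, 1), (0.80, 1), (0.95, 1), (0.98, 1),
]


def iw_summary(scores: List[Tuple[float, int]]) -> Dict[int, Dict[str, float]]:
    """Mean, max and min of IW per class (the slide's first analysis)."""
    out = {}
    for label in (0, 1):
        vals = [iw for iw, lab in scores if lab == label]
        out[label] = {"mean": sum(vals) / len(vals), "max": max(vals), "min": min(vals)}
    return out


def hit_and_false_alarm(scores: List[Tuple[float, int]], threshold: float) -> Tuple[float, float]:
    """Hit rate = fraction of attack events flagged (IW >= threshold);
    false alarm rate = fraction of normal events flagged at the same threshold."""
    attacks = [iw for iw, lab in scores if lab == 1]
    normals = [iw for iw, lab in scores if lab == 0]
    hits = sum(1 for iw in attacks if iw >= threshold) / len(attacks)
    false_alarms = sum(1 for iw in normals if iw >= threshold) / len(normals)
    return hits, false_alarms


def roc_points(scores: List[Tuple[float, int]]) -> List[Tuple[float, float]]:
    """Sweep every distinct IW value as a threshold, plus one above the maximum
    (so the curve reaches (0, 0)); returns (false_alarm_rate, hit_rate) points
    sorted along the curve."""
    thresholds = sorted({iw for iw, _ in scores}) + [max(iw for iw, _ in scores) + 1.0]
    pts = set()
    for th in thresholds:
        h, f = hit_and_false_alarm(scores, th)
        pts.add((f, h))
    return sorted(pts)


def auc(points: List[Tuple[float, float]]) -> float:
    """Trapezoidal area under the ROC curve; 1.0 means IW separates the classes perfectly."""
    area = 0.0
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        area += (x1 - x0) * (y0 + y1) / 2.0
    return area


if __name__ == "__main__":
    print(iw_summary(SAMPLE_SCORES))
    print(hit_and_false_alarm(SAMPLE_SCORES, 0.5))
    print(roc_points(SAMPLE_SCORES), auc(roc_points(SAMPLE_SCORES)))
```

Sweeping the threshold rather than fixing one at 0.5 is what makes the comparison between GINI and CHAID trees fair: two trees that assign different IW values to their leaves can only be compared over the whole operating range.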

  10. Single-event Decision Tree Classifier
     • Single-event classifier
       • Label -> target variable
       • Event type -> the only predictor variable

  11. Result Analysis(1)

  12. Result Analysis(2)

  13. EWMA Vectors
     We use one variable to represent one event type. Then there are 284 variables for the 284 event types. In our sample data set there are 49 variables. We use these variables as the predictor variables. Each variable is calculated for each event in two cases:
       • if the audit event at time t belongs to the ith event type
       • if the audit event at time t is different from the ith event type
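The transcript keeps the two cases but not the update formula, so the following is an added example (not the lab's code) that uses the standard EWMA update as an assumption: each event-type variable is smoothed towards 1 when the current event is of that type and towards 0 otherwise, with a smoothing constant lambda. The event stream and the three event types are constructed sample data.

```python
"""Added example (not the IIA Lab's code): turning a stream of BSM audit
event types into EWMA vectors, one variable per event type, that can serve
as the predictor variables of a decision tree.

Assumed update (the slide's formula was lost in transcription; this is the
standard EWMA form):
    x_i(t) = lam * 1 + (1 - lam) * x_i(t-1)   if the event at time t is of type i
    x_i(t) = lam * 0 + (1 - lam) * x_i(t-1)   otherwise
"""
from typing import Dict, List, Tuple

# Constructed sample stream of (event type, Label); Solaris 2.7 BSM has 284 types.
SAMPLE_EVENTS: List[Tuple[int, int]] = [(217, 0), (6, 0), (217, 0), (43, 1), (43, 1), (217, 1)]
EVENT_TYPES: List[int] = [6, 43, 217]


def ewma_vectors(events: List[Tuple[int, int]], event_types: List[int], lam: float = 0.3) -> List[Dict[int, float]]:
    """Return one EWMA vector per event: {event type i: x_i(t)} after processing event t.

    Every variable decays on every event, so a type seen recently keeps a high
    value while a type last seen long ago fades towards 0; that is what lets a
    tree on these vectors see recent history rather than a single event."""
    if not 0.0 < lam <= 1.0:
        raise ValueError("lam must be in (0, 1]")
    x = {et: 0.0 for et in event_types}  # x_i(0) = 0 for every type (assumption)
    out = []
    for et, _label in events:
        if et not in x:
            raise ValueError(f"unknown event type {et}")
        for i in x:
            indicator = 1.0 if i == et else 0.0
            x[i] = lam * indicator + (1.0 - lam) * x[i]
        out.append(dict(x))
    return out


def to_training_rows(events: List[Tuple[int, int]], event_types: List[int], lam: float = 0.3) -> List[Tuple[List[float], int]]:
    """Pair each EWMA vector (ordered by event_types) with its Label: rows for tree training."""
    vecs = ewma_vectors(events, event_types, lam)
    return [([v[i] for i in event_types], label) for v, (_, label) in zip(vecs, events)]


if __name__ == "__main__":
    for row in to_training_rows(SAMPLE_EVENTS, EVENT_TYPES, lam=0.5):
        print(row)
```

Smaller lambda values give the vector a longer memory; which value works best is an empirical question the slide leaves to the result analysis.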

  14. Result Analysis(3)

  15. Result Analysis(4)

  16. Moving Window

  17. “Existence” and “Count” Classifiers
     • “Existence”: in the transferred data set, variable i records whether event type i exists in the current moving window.
     • “Count”: in the transferred data set, variable i records how many times event type i appears in the current moving window. We use this one in moving window classifiers on event types.
     • Truncation: remove the part of the transferred data which includes both normal and attack events.
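Both moving-window transforms and the truncation step, as an added example that is not the lab's code: a window of W consecutive events becomes one row with one variable per event type, and windows that contain both normal and attack events are dropped before training. The window size, the step of one event, and the rule that a kept window takes the Label its events share are assumptions; the event stream is constructed sample data.

```python
"""Added example (not the IIA Lab's code): the "existence" and "count"
moving-window transforms and the truncation rule from the slide.

Assumptions: sliding windows of `size` events with step 1; a kept window's
Label is the Label shared by all its events; if truncation is switched off,
a mixed window is labelled attack (1)."""
from collections import Counter
from typing import List, Tuple

# Constructed sample stream of (event type, Label); 0 = normal, 1 = attack.
SAMPLE_EVENTS: List[Tuple[int, int]] = [(217, 0), (6, 0), (217, 0), (43, 1), (43, 1), (217, 1)]
EVENT_TYPES: List[int] = [6, 43, 217]


def windows(events: List[Tuple[int, int]], size: int) -> List[List[Tuple[int, int]]]:
    """Consecutive sliding windows of `size` events (step 1)."""
    if size < 1 or size > len(events):
        raise ValueError("window size must be between 1 and the number of events")
    return [events[i:i + size] for i in range(len(events) - size + 1)]


def transform(window: List[Tuple[int, int]], event_types: List[int], mode: str) -> List[int]:
    """One row per window: 'count' = occurrences of each type, 'existence' = 0/1 presence."""
    counts = Counter(et for et, _ in window)
    if mode == "count":
        return [counts[i] for i in event_types]
    if mode == "existence":
        return [1 if counts[i] > 0 else 0 for i in event_types]
    raise ValueError(f"unknown mode {mode!r}")


def window_rows(events: List[Tuple[int, int]], event_types: List[int], size: int = 3,
                mode: str = "count", truncate: bool = True) -> List[Tuple[List[int], int]]:
    """Transferred data set: (row, Label) pairs, with mixed windows removed when truncate=True."""
    rows = []
    for w in windows(events, size):
        labels = {label for _, label in w}
        if truncate and len(labels) > 1:
            continue  # window straddles the normal/attack boundary: dropped by truncation
        rows.append((transform(w, event_types, mode), max(labels)))
    return rows


if __name__ == "__main__":
    print(window_rows(SAMPLE_EVENTS, EVENT_TYPES, size=3, mode="count"))
    print(window_rows(SAMPLE_EVENTS, EVENT_TYPES, size=3, mode="existence"))
    print(window_rows(SAMPLE_EVENTS, EVENT_TYPES, size=3, truncate=False))
```

Truncation matters for training because a mixed window has no honest Label: keeping it teaches the tree that a partly normal pattern is an attack (or vice versa), which shows up later as false alarms or misses on the test set.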

  18. Result Analysis(5)

  19. Result Analysis(6)

  20. Layered Classifiers

  21. Result Analysis(7)

  22. Result Analysis(8)

  23. Result Analysis(9)

  24. Conclusions and Problems
     Conclusions
     • DTCs show promising performance in the intrusion detection application.
     • The performance of a DTC depends on its design, i.e. the choice of predictor variables and target variable.
     • Different decision tree algorithms impact the results.
     Problems
     • Computational feasibility
     • Incremental training ability (ITI)
     • Scalable/parallel/database (ScalParC)
     • Bagging and boosting?

  25. END
     • Other works: http://iia.eas.asu.edu/
