1DataMiningandIntrusionDetectionAshortpresentationfocusingoncost-sensitiveissuessubmittedinpartialfulfillmentofCSE8331DataMining,Spring2002- AbhishekD.Sanwal     2OutlineofPresentationIntrusionDetectionSystemsWhere?How?Why?– IssuesandProblemsBigIssue– CostCostSensitiveModelingPast,presentandfuture• CostFactors• CostMetrics• CostModels• ReducingCosts• ImplementationoverviewSummaryConclusionsFutureDirectionsProject1:Real-timeDMIDSAnalysisArchitectureQ&A?     3IntrusionDetectionSystems(IDS)Whydoweneedthemdespiteallothersecuritymeasures?Ifwecanmakeanetworksecureenoughusingafirewallandotherprecautionswhyisitnotenough?Because…Afirewallissimplyafencearoundthenetwork,withacoupleofwell-chosengatesAfencehasnocapabilityindetectingsomebodytryingtobreak-in(suchasdiggingahole/tunnelunderit)NordoesafenceknowifsomebodycomingthroughthegateissupposedtobeallowedinitAnIDSisanalogoustohavingsecurityguards,surveillance,andcountermeasures,inadditiontobarbedwirefencing,high-“toughtoscale”wallsetc.Firewall– ActiveFiltering….IDS– PassiveMonitoring     4IDS– Where,HowandWhy?ThesensorsofanIDSareintuitivelyplacedatlocationsclosetotheperimeter(thoughasecureperimeteritmaybebreached)adjoiningtheperimeter;insideandoutsidetheenclaveIDScouldhaveSingleSensorDistributedSensors(with)CentralProcessingDistributedProcessingCo-relatedDecisionMaking     5IssuesandProblemsDeploymentGeographicalDispersalInstallationSetupandcustomizationManagementUpgradingModificationasperchangeinnetworkarchitectureMaintainingthesensorsDataoverloadChangesintheSecurityWorldIntegrationDisparateDataFormatsLackofsinglecross-referencebetweendatasourcesTimesynchronizationofsensors     6WhatdoweneedtoaddtoanIDS?UniversalDataformatforIDSdataIDEF(IntrusionDetectionExchangeFormat)CIDF(CommonIntrusionDetectionFramework)(IntrusionDetectionWorkingGroup)Commoncross-referencefordifferentIDSforinteroperabilityTimesynchronizationbuiltintoIDSDatareductionforanalysisReducefalsealarmsUpdatingofattacksignaturesontimelybasisAutomatedencodingofintrusionsandtrafficintoModelsPrevioussystems- allknowledge-engineered2     7TacklingsomeIssuesfornow…CostSensitiveIDSMaybelater…inthepaperbutnotthispresentationDMwithUnlabeledDataDMwithco-relationframeworkDetectingNovelAttacks     8CostSensitiveModelingforIDS-Why?NeedtoevaluatetechnicaleffectivenessIDSsfailtodetectnewandstealthyattacksReal-TimeIDSexposedtoOverloadAttacksIntendedIntrusionSuccessfulOverloadofIntrusionReportsforcesadmintoraisedetectionandresponsethresholdsrealattacksgetignored/overlooked     9Whatisneeded?CostEffectivenessoftheIDSAsanyinvestorinabusinesswouldsay…ROI(ReturnonInvestment)Motivation:Topreventlosses     10CostSensitiveModeling- Whynotinuse?ComplexityofIDS-costanalysisonalowprioritySite-specificcostfactorsAdditionoffeaturesImprovementofdetectionRulesNotallfactorsreducetoDiscretedollarsUnitsofmeasurementProbabilitiesSolution:QualitativeAnalysisMeasurerelativemagnitudesofCostFactorsButhow?Wheredowegonow?   