Slide 1: Data Mining and Intrusion Detection
A short presentation focusing on cost-sensitive issues, submitted in partial fulfillment of CSE 8331 Data Mining, Spring 2002 - Abhishek D. Sanwal

Slide 2: Outline of Presentation
- Intrusion Detection Systems
  - Where? How? Why?
  - Issues and Problems
- Big Issue - Cost
- Cost Sensitive Modeling
  - Past, present and future
  - Cost Factors
  - Cost Metrics
  - Cost Models
  - Reducing Costs
  - Implementation overview
- Summary
- Conclusions
- Future Directions
- Project 1: Real-time DM IDS Analysis Architecture
- Q&A?

Slide 3: Intrusion Detection Systems (IDS)
Why do we need them despite all other security measures? If we can make a network secure enough using a firewall and other precautions, why is it not enough?
Because...
- A firewall is simply a fence around the network, with a couple of well-chosen gates
- A fence has no capability of detecting somebody trying to break in (such as digging a hole/tunnel under it)
- Nor does a fence know if somebody coming through the gate is supposed to be allowed in
- An IDS is analogous to having security guards, surveillance, and countermeasures, in addition to barbed wire fencing, high "tough to scale" walls etc.
Firewall - Active Filtering .... IDS - Passive Monitoring

Slide 4: IDS - Where, How and Why?
- The sensors of an IDS are intuitively placed at locations close to the perimeter (though a secure perimeter, it may be breached): adjoining the perimeter, inside and outside the enclave
- An IDS could have:
  - Single Sensor
  - Distributed Sensors (with) Central Processing, Distributed Processing, Co-related Decision Making

Slide 5: Issues and Problems
- Deployment
  - Geographical Dispersal
  - Installation
  - Setup and customization
- Management
  - Upgrading
  - Modification as per change in network architecture
  - Maintaining the sensors
  - Data overload
  - Changes in the Security World
- Integration
  - Disparate Data Formats
  - Lack of single cross-reference between data sources
  - Time synchronization of sensors

Slide 6: What do we need to add to an IDS?
- Universal Data format for IDS data
  - IDEF (Intrusion Detection Exchange Format)
  - CIDF (Common Intrusion Detection Framework) (Intrusion Detection Working Group)
- Common cross-reference for different IDS for interoperability
- Time synchronization built into IDS
- Data reduction for analysis
- Reduce false alarms
- Updating of attack signatures on a timely basis
- Automated encoding of intrusions and traffic into Models
  - Previous systems - all knowledge-engineered²

Slide 7: Tackling some Issues for now...
- Cost Sensitive IDS
Maybe later... in the paper but not this presentation
- DM with Unlabeled Data
- DM with co-relation framework
- Detecting Novel Attacks

Slide 8: Cost Sensitive Modeling for IDS - Why?
- Need to evaluate technical effectiveness
- IDSs fail to detect new and stealthy attacks
- Real-Time IDS exposed to Overload Attacks
  - Intended Intrusion Successful
  - Overload of Intrusion Reports forces the admin to raise detection and response thresholds; real attacks get ignored/overlooked

Slide 9: What is needed?
- Cost Effectiveness of the IDS
- As any investor in a business would say... ROI (Return on Investment)
- Motivation: To prevent losses

Slide 10: Cost Sensitive Modeling - Why not in use?
- Complexity of IDS - cost analysis on a low priority
- Site-specific cost factors
  - Addition of features
  - Improvement of detection Rules
- Not all factors reduce to Discrete dollars
  - Units of measurement
  - Probabilities
- Solution: Qualitative Analysis - Measure relative magnitudes of Cost Factors
- But how? Where do we go now?
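The overload problem on slide 8 and the qualitative-analysis idea on slide 10 can be put side by side in code. This is an added example, not material from the presentation or the paper it summarises: the ordinal cost levels, the alert fields and the sample alert stream are all constructed here to show why a policy comparing relative damage and response magnitudes keeps handling a credible high-damage alert during a flood of cheap alerts, while a raised global confidence threshold drops it.

```python
from dataclasses import dataclass

# Ordinal cost scale: the slides note that not all cost factors reduce to
# dollars, so only relative magnitudes of damage and response cost are compared.
# Level names, alert fields and the sample stream are constructed for this example.
LEVEL = {"negligible": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Alert:
    signature: str
    confidence: float  # estimated probability that the alert is a true intrusion
    damage: str        # qualitative damage cost if the intrusion succeeds
    response: str      # qualitative cost of responding (analyst time, blocked service)


def cost_sensitive(alert: Alert) -> bool:
    """Respond only when confidence-weighted damage outweighs the response cost."""
    return LEVEL[alert.damage] * alert.confidence > LEVEL[alert.response]


def threshold_only(alert: Alert, threshold: float) -> bool:
    """Naive policy: respond to every alert whose confidence meets a global threshold."""
    return alert.confidence >= threshold


def constructed_stream(noise: int) -> list:
    """`noise` cheap, low-damage scan alerts followed by one credible high-damage alert."""
    stream = [Alert(f"scan-{i}", 0.9, "low", "low") for i in range(noise)]
    stream.append(Alert("priv-escalation", 0.75, "high", "medium"))
    return stream


def responses(stream, policy) -> list:
    """Signatures the given policy decides to respond to, in stream order."""
    return [a.signature for a in stream if policy(a)]


def compare(noise: int, raised_threshold: float):
    """Return (signatures handled under a raised global threshold, under the cost policy).

    The raised threshold models an admin reacting to report overload as on slide 8:
    every confident scan alert still consumes response capacity, and the real
    attack, reported with lower confidence, falls below the bar. The cost policy
    ignores the scans because their damage never outweighs even a low response
    cost, yet still responds to the high-damage alert.
    """
    stream = constructed_stream(noise)
    naive = responses(stream, lambda a: threshold_only(a, raised_threshold))
    cost = responses(stream, cost_sensitive)
    return naive, cost
```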