Hybrid Intelligent Systems for Network Security

Transcript and Presenter's Notes

1
Hybrid Intelligent Systems for Network Security
  • Lane Thames
  • Georgia Institute of Technology
  • Savannah, GA
  • lane.thames@gtsav.gatech.edu

2
Presentation Overview
  • Discuss Network Security Issues
  • Discuss the goals of this paper's project
  • Overview of Self Organizing Maps
  • Overview of Bayesian Learning Networks
  • Describe the details of the Hybrid System
  • Review the Experimental Results
  • Discuss Future Work and Conclusions
  • Q&A

3
Network Security Motivation
  • Internet Growth is Steadily Increasing
  • Over 1 Billion Internet Users
  • Many different types of applications are now
    using the Internet as a communication channel

4
Data Source: www.idc.com
5
Network Security Motivation
  • No more Script Kiddies
  • Hacking is now more than just a hobby
  • Hackers have created their own revenue generating
    channels
  • Common hacking commodities
  • Hacking software that is for sale
  • Corporate Extortion
  • Corporate Espionage
  • Identity Theft

6
Network Security Motivation
  • Classical Attack Types
  • Buffer Overflow
  • Denial of Service (DoS)
  • Distributed Denial of Service (DDoS)
  • Reconnaissance
  • Virus
  • Worms
  • Trojan Horse

7
Network Security Motivation
  • Hackers are using more sophisticated mechanisms
  • Phishing: less sophisticated
  • Easy to fool a novice user
  • Pharming: more sophisticated
  • Easy to fool novice and expert users
  • DoS and DDoS: used for extortion
  • Remote root access: used for espionage and
    identity theft

8
Network Security Motivation
  • The numbers do not lie
  • Hackers are constantly looking for ways to cause
    mischief
  • Steal your data
  • Handicap your machines
  • Take your money, etc, etc.

9
Data Source: http://www.cert.org/stats/cert_stats.html
10
Network Security Motivation
  • The Bottom Line: Network Security Research and
    Commerce is here to stay!

11
Project Goals
  • Develop an Intelligent System that works reliably
    with data that can be collected purely within a
    Network
  • Why? If security mechanisms are difficult to
    use, people will not use them.
  • Using data from the network takes the burden off
    the end user

12
Hybrid Intelligent Systems
  • A system was developed that made use of two types
    of Intelligence Algorithms
  • Self-Organizing Maps
  • Bayesian Learning Networks

13
Training and Testing Data Set
  • KDD-CUP 99 Data Set
  • The Data set used for the Third International
    Knowledge Discovery and Data Mining Tools
    Competition

14
Training and Testing Data Set
  • 41 total features, categorized as:
  • Basic TCP/IP features
  • Content Features
  • Time Based Traffic Features
  • Host Based Traffic Features

15
Training and Testing Data Set
  • Attack Type Categories
  • Remote to Local Exploits
  • User to Root Exploits
  • Denial of Service
  • Probing (Reconnaissance)

16
Self Organizing Maps (SOM)
  • Pioneered by Dr. Teuvo Kohonen
  • An algorithm that transforms high dimensional
    input data domains to elements of a low
    dimensional array of nodes
  • A fixed-size grid of nodes, sometimes denoted as
    neurons to reflect the neural net similarity

17
Self-Organizing Maps
  • Input Data Vectors

18
Self Organizing Maps
  • Let a parametric real set of vectors be
    associated with each element, i, of the SOM grid

19
Self-Organizing Maps
  • Furthermore,

20
Self-Organizing Map
  • A decoder function is defined on the basis of
    distance between the input vector and the
    parametric vector.
  • The decoder function is used to map the image of
    the input vector onto the SOM grid. The decoder
    function is usually chosen to be either the
    Manhattan or Euclidean distance metric.

21
Self-Organizing Maps
  • A Best Matching Unit, denoted as the index c, is
    chosen as the node on the SOM grid that is
    closest to the input vector

22
Self-Organizing Maps
  • The dynamics of the SOM algorithm demand that the
    Mi be shifted towards the input vectors X, so
    that a set of values Mi is obtained as the limit
    of convergence of the following update rule

23
SOM Demo
  • The next few plots will demonstrate how the
    parametric vector will converge to the input data
    vector
  • Demonstrate the effects of parameters on one
    another
  • Display the error function for this demo

24-28
(No Transcript: SOM demo plots)
29
Bayesian Learning Networks (BLN)
  • A BLN is a probabilistic model built on the
    concept of the Directed Acyclic Graph (DAG)
  • The DAG is a graph of nodes where each node is a
    random variable of interest
  • The directed edges of the graph represent
    relationships among the variables
  • If an arc is directed from a node h to a node D,
    we say that h is the parent of D

30
Bayesian Learning Networks
  • The Fundamental Equation: Bayes' Theorem

31
Bayesian Learning Networks
  • In Bayesian learning, we calculate the
    probability of a hypothesis and make predictions
    on that basis
  • Predictions or classifications are reduced to
    probabilistic inference

32
Bayesian Learning Networks
  • With BLN, we have conditional probabilities for
    each node given its parents
  • The graph shows causal connections, not the flow
    of information through the graph
  • Prediction versus abduction

33
Naïve Bayesian Learning Network
  • The Naïve BLN is a special case of the general
    BLN
  • It contains one root (parent) node which is
    called the class variable, C
  • The leaf nodes are the attribute variables (X1,
    ..., Xi)
  • It is Naïve because it assumes the attributes are
    conditionally independent given the class.

34
The Naïve BLN Classifier
  • Once the network is trained, it can be used to
    classify new examples where the attributes are
    given and the class variable is unobserved
    (abduction)
  • The Goal: find the most probable class value
    given a set of attribute instantiations (X1, ...,
    Xi)

35
Naïve BLN Classifier
36
Hybrid System Architecture
37
Experimental Results
  • 4 types of analyses were made with the dataset
  • BLN analysis with network and host based data
  • BLN analysis with network data
  • Hybrid analysis with network and host based data
  • Hybrid analysis with network based data

38
Experimental Results
39
Future and Current Work
  • HoneyNet Project
  • Resource Management System with Intelligent
    System Processing at the Core

40
Conclusion
  • Intelligent Systems algorithms are very useful
    tools for applications in Network Security
  • Experimental results show that a hybrid system
    built with SOM and BLN can produce very accurate
    responses when classifying network-based data
    flows, which is very promising for those wishing
    to design classification systems that do not rely
    on host-based data