Immune System Model for Detecting Web Server Attacks - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Immune System Model for Detecting Web Server Attacks
  • Melissa Danforth
  • UCD SecLab
  • Apr. 17, 2002

2
Outline
  • Introduction
  • Antibody Overview
  • Results
  • Future Work

3
Introduction
  • Immune system composed of antibodies that react
    to attacks
  • Fingerprinting technique used for antibodies
  • Antibodies go through a lifecycle
  • Genetic algorithm used to breed populations of
    better antibodies over generations
  • Goal: few false positives and false negatives

4
Antibodies
  • Each antibody has a set of attributes
  • Attributes are of two types
    • Discrete: a bitmap of attribute values
    • Range: a base+offset representation of the value
  • Matching an attribute is dependent on its type
    • Discrete matches if the corresponding bit is set
    • Range matches if the value falls between base and
      base+offset

5
Antibody Attributes
6
Antibody Matching
  • Antibody checks 2 or more attributes
  • Range attributes given configurable max value
    based on expected max size
  • If antibody matches a request on all attributes
    it checks, then request is considered an attack
  • If a request has a range attribute greater than
    that attribute's max, it is labeled an attack

7
Antibody Genome
  • Genome is sequence of attributes
  • Discrete attributes are represented as their
    bitmap
  • Range attributes are represented as value bits
    followed by offset bits (see right)
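The matching rules of slide 6 and the genome layout of slide 7, as an added Python example that is not part of the original slides. The attribute vocabulary (method and extension as discrete bitmaps, URI length as a range), the bit widths and the 1024 max are constructed assumptions; the slides do not list the real attributes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed attribute vocabulary (assumed; the slides do not list the real attributes):
# two discrete attributes encoded as bit positions and one range attribute with a configured max.
METHOD_BIT = {"GET": 0, "POST": 1, "HEAD": 2, "PROPFIND": 3}
EXT_BIT = {"html": 0, "cgi": 1, "exe": 2, "dll": 3}
RANGE_MAX = {"uri_len": 1024}   # "expected max size" for the range attribute (assumed value)

def bitmap(table: Dict[str, int], *values: str) -> int:
    """Build a discrete attribute bitmap from the attribute values it should match."""
    return sum(1 << table[v] for v in values)

@dataclass
class Antibody:
    method_bits: int = 0                       # discrete: bitmap, 0 means not expressed
    ext_bits: int = 0                          # discrete: bitmap, 0 means not expressed
    uri_len: Optional[Tuple[int, int]] = None  # range: (base, offset), None means not expressed

    def matches(self, req: Dict) -> bool:
        """Slide 6: this antibody labels the request an attack only if every expressed attribute matches."""
        checks: List[bool] = []
        if self.method_bits:
            checks.append(bool((self.method_bits >> METHOD_BIT[req["method"]]) & 1))
        if self.ext_bits:
            checks.append(bool((self.ext_bits >> EXT_BIT[req["ext"]]) & 1))
        if self.uri_len is not None:
            base, offset = self.uri_len
            checks.append(base <= req["uri_len"] <= base + offset)
        return len(checks) >= 2 and all(checks)   # a valid antibody checks 2 or more attributes

    def genome(self, dbits: int = 4, rbits: int = 11) -> str:
        """Slide 7: discrete attributes as their bitmap, range attributes as value bits then offset bits."""
        base, offset = self.uri_len or (0, 0)   # unexpressed attributes are all-zero (slide 12)
        return f"{self.method_bits:0{dbits}b}{self.ext_bits:0{dbits}b}{base:0{rbits}b}{offset:0{rbits}b}"

def label_request(req: Dict, population: List[Antibody]) -> bool:
    """Population verdict: attack if a range attribute exceeds its max, or if any antibody matches."""
    if req["uri_len"] > RANGE_MAX["uri_len"]:
        return True
    return any(ab.matches(req) for ab in population)

# Constructed population: one antibody keyed on method + extension, one on method + URI length.
POPULATION = [
    Antibody(method_bits=bitmap(METHOD_BIT, "GET"), ext_bits=bitmap(EXT_BIT, "exe", "dll")),
    Antibody(method_bits=bitmap(METHOD_BIT, "GET"), uri_len=(300, 700)),
]
```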

8
Antibody Statistics
  • Each antibody keeps its own statistics for
    fitness computation during genetic alg.
  • Statistics
    • Total requests tested
    • False positives
    • False negatives
    • Real positives
    • Real negatives

9
Antibody Populations
  • Populations of antibodies check requests
  • False negative is defined as any attack missed by
    all antibodies in the population
  • False positive is defined as any normal traffic
    labeled as an attack by any antibody
  • Populations go through multiple generations of
    the lifecycle

10
Antibody Lifecycle
11
Creation Phase
  • Antibodies are created for the current generation
    via
    • Random creation
    • Children from prior generation matings
    • Survivors from prior generation
  • Population size remains constant over generations

12
Random Creation
  • Randomly select 2 to 6 attributes to express
  • Set value for the expressed attributes randomly
    according to valid values
  • Set value for unexpressed attributes to 0

13
Self-Test Phase
  • Antibodies tested with normal traffic
  • Normal traffic probabilistically split to allow
    simulation of unknown normal traffic during the
    training phase
  • Any antibody which labels normal traffic as an
    attack is killed and replaced with a randomly
    generated antibody

14
Training Phase
  • Test antibodies against normal and attack traffic
    data
  • Normal traffic is probabilistically selected
  • Training phase statistics used to calculate
    fitness for antibodies during breeding phase

15
Breeding Phase
  • Parameters
    • Crossover rate, r
    • Mutation rate, m
    • Population size, p
  • Fitness formula
    • 2.0 - false positive rate - false negative rate

16
Breeding Phase cont.
  • Survivor Selection
    • Antibodies sorted by fitness
    • Select p(1-r) of antibodies with best fitness and
      put into next generation
  • Mating Selection
    • Choose (p·r) of best antibodies as parents
    • Each pair of parents creates two offspring

17
Genetic Algorithm
  • Expression of attributes in children
    • Any attribute expressed by both parents is
      expressed in children
    • Any attribute expressed by only one parent is
      randomly expressed in children
    • Any child with less than two expressed attributes
      randomly selects an attribute from each parent to
      express

18
Genetic Algorithm cont.
  • Transmission of genetic material from parents to
    children not affected by which attributes the
    children express
  • Crossover occurs once during mating

19
Crossover
  • Crossover points only in expressed attributes
    (including boundary of such attributes)
  • Crossover point is randomly selected
  • Before crossover point, child 1 gets father's
    genetic material and child 2 gets mother's
  • After crossover point, this is reversed

20
Mutation
  • Antibodies in next generation have probability m
    to be mutated
  • Mutations are single bit flips
  • Mutations occur only on expressed attributes
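The breeding rules of slides 15 to 20 (fitness, survivor and mating selection, child expression, single-point crossover, single-bit mutation) as an added Python example, not the presenter's code. The three-attribute genome layout, the denominators of the two rates in the fitness formula, and the reading of "expressed attributes" in the crossover rule as "expressed by either parent" are assumptions.

```python
import random
from dataclasses import dataclass
# Constructed genome layout (assumed; the slides give the rules but not the concrete layout):
# two 4-bit discrete bitmaps and one range attribute stored as 8 value bits followed by 8 offset bits.
FIELD_WIDTHS = [4, 4, 16]
FIELD_START = [sum(FIELD_WIDTHS[:i]) for i in range(len(FIELD_WIDTHS))]
@dataclass
class Antibody:
    bits: list[int]        # the genome of slide 7, one 0/1 int per bit
    expressed: list[bool]  # which attributes this antibody checks, one flag per attribute
def fitness(fp: int, fn: int, real_pos: int, real_neg: int) -> float:
    """Slide 15: 2.0 - false positive rate - false negative rate (rates over normal / attack requests, assumed)."""
    fpr = fp / (fp + real_neg) if fp + real_neg else 0.0
    fnr = fn / (fn + real_pos) if fn + real_pos else 0.0
    return 2.0 - fpr - fnr

def child_expression(father: Antibody, mother: Antibody, rng: random.Random) -> list[bool]:
    """Slide 17: both parents -> expressed; one parent -> coin flip; fewer than two -> one from each parent."""
    mask = [(f and m) or ((f or m) and rng.random() < 0.5)
            for f, m in zip(father.expressed, mother.expressed)]
    while sum(mask) < 2:   # parents always express >= 2 attributes, so this terminates
        for parent in (father, mother):
            mask[rng.choice([i for i, e in enumerate(parent.expressed) if e])] = True
    return mask

def crossover(father: Antibody, mother: Antibody, rng: random.Random) -> tuple[list[int], list[int]]:
    """Slide 19: one random crossover point inside, or on the boundary of, an expressed attribute."""
    candidates = set()   # assumption: "expressed" here means expressed by either parent
    for start, width, f, m in zip(FIELD_START, FIELD_WIDTHS, father.expressed, mother.expressed):
        if f or m:
            candidates.update(range(start, start + width + 1))
    point = rng.choice(sorted(candidates))
    return father.bits[:point] + mother.bits[point:], mother.bits[:point] + father.bits[point:]

def mutate(ab: Antibody, m: float, rng: random.Random) -> Antibody:
    """Slide 20: with probability m, flip a single bit inside one randomly chosen expressed attribute."""
    if rng.random() < m:
        i = rng.choice([k for k, e in enumerate(ab.expressed) if e])
        ab.bits[FIELD_START[i] + rng.randrange(FIELD_WIDTHS[i])] ^= 1
    return ab

def next_generation(scored: list[tuple[float, Antibody]], p: int, r: float, m: float, rng: random.Random) -> list[Antibody]:
    """Slide 16: keep the p(1-r) fittest, mate the p*r fittest in pairs (two children per pair), then mutate."""
    ranked = [ab for _, ab in sorted(scored, key=lambda s: s[0], reverse=True)]
    n_parents = 2 * round(p * r / 2)   # rounded to an even count so the population size stays exactly p
    survivors, parents, children = ranked[:p - n_parents], ranked[:n_parents], []
    for father, mother in zip(parents[0::2], parents[1::2]):
        for bits in crossover(father, mother, rng):
            children.append(Antibody(bits, child_expression(father, mother, rng)))
    return [mutate(ab, m, rng) for ab in survivors + children]
```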

21
Data Sets
  • Data gathered from Apache website from Jan 1,
    2002 to Mar 18, 2002
  • 1748 attacks primarily meant for IIS
  • 38533 normal requests
  • Additional 72 attacks gathered from vulnerability
    reports to Bugtraq
  • 1820 attacks in total

22
Testing Details
  • Population sizes were 125, 250, 500 and 1000
    antibodies
  • Crossover rates were 0.7, 0.5 and 0.3
  • Mutation rates were 0.1 and 0.05
  • All possible combinations of these parameters
    were tested
  • 10 different populations for each test
  • 25 generations were run for each test

23
Results
  • Self-test phase eliminated false positives in
    training phase
  • False negative rate more dependent on population
    size than on crossover and mutation rates
  • False negative rate increased around 10th
    generation, likely due to excess variation

24
False Negative Rate
25
False Negatives Detailed View
26
Conclusions and Future Work
  • Bias likely in data set
    • Apache normal traffic but primarily IIS attacks
  • Traffic volume in data set was low
  • Future work
    • Test with more diverse data sets
    • Benchmark the speed of the antibodies during the
      training phase