Title: 2003-2004 Final Year Project Presentation DY1 Machine Learning for Computer Security Applications
Slide 1: 2003-2004 Final Year Project Presentation
DY1: Machine Learning for Computer Security Applications
by Lam Ho-yu, advised by Dr. Yeung Dit-yan
Slide 2: What is computer security?
- Computer security: a firewall? Is it secure?
- 7-Eleven examples
Slide 3: Intrusion Detection System (IDS)
- Real world: surveillance camera
- Computer networks: IDS to monitor the network
- This project: a computer security application, the Intrusion Detection System (IDS)
Slide 4: Presentation Flow
- Problems of current IDS technology
- Objectives of this project
- Scenario: the key idea of this project
- System framework
- Another approach
  - Active Support Vector Machine (ASVM)
Slide 5: Problems of Current IDS
A part of alert.log of Bro:
    172.16.113.50/portmap pm_getport sadmind -> 0/udp
    952442110.022445 SensitivePortmapperAccess rpc 202.77.162.213/659 > 172.16.112.10/portmap pm_getport sadmind -> 56255/udp
    952442110.098242 SensitivePortmapperAccess rpc 202.77.162.213/660 > 172.16.112.50/portmap pm_getport sadmind -> 56261/udp
    952443968.102596 ContentGap 194.27.251.21/13525 > 172.16.112.194/telnet content gap (< 92797/14296)
- Low-level
- Large quantity
- False alerts: password typo vs. password guessing?
- Heavy workload for network security officers
Slide 6: Objectives
- To allow easier separation between false alerts and real alerts
- To transform alerts into a more user-friendly representation
- To relieve the operators' workload by automation
Slide 7: Notion of Scenario
- A typical attack usually takes several steps
  - Scan for candidate machines
  - Exploration: gather information about the machine
  - Exploitation: break into the machine
  - Escalation: gain more control (super-user)
  - Do anything the intruders want!!
- Operators want to see the logical steps that the intruder is taking
Slide 8: The System Framework
Slide 9: Learning Components
- Clustering: group similar alerts together
- Correlation: group alerts that are in the same scenario
Multi-Layer Perceptrons
Decision Tree
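As an added example (not code from this project), the pipeline sketched on the "Problems of Current IDS" and "Learning Components" slides in plain Python: parse Bro-style alert lines, collapse repeats into clusters, and chain clusters into per-attacker scenario steps. The record layout is an assumption modelled on the slide's alert.log fragment, the sample lines are constructed, and the exact-match clustering key and same-source-host correlation rule are simple stand-ins for the learners named on the slide, used only to make the reduction from raw alerts to scenario steps concrete.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample modelled on the alert.log fragment on the "Problems of
# Current IDS" slide (field layout is an assumption, not Bro's documented format).
# The first record is deliberately truncated, as on the slide.
SAMPLE_ALERTS = """\
172.16.113.50/portmap pm_getport sadmind -> 0/udp
952442110.022445 SensitivePortmapperAccess rpc 202.77.162.213/659 > 172.16.112.10/portmap pm_getport sadmind -> 56255/udp
952442110.098242 SensitivePortmapperAccess rpc 202.77.162.213/660 > 172.16.112.50/portmap pm_getport sadmind -> 56261/udp
952442110.151003 SensitivePortmapperAccess rpc 202.77.162.213/661 > 172.16.112.50/portmap pm_getport sadmind -> 56261/udp
952443968.102596 ContentGap 194.27.251.21/13525 > 172.16.112.194/telnet content gap (< 92797/14296)
952443970.500000 SensitivePortmapperAccess rpc 202.77.162.213/662 > 172.16.112.10/portmap pm_getport sadmind -> 56255/udp
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<name>\S+)\s+(?:rpc\s+)?"
    r"(?P<src>[\d.]+)/(?P<sport>\S+)\s+>\s+(?P<dst>[\d.]+)/(?P<dport>\S+)"
    r"(?:\s+(?P<detail>.*))?$"
)


@dataclass(frozen=True)
class Alert:
    ts: float
    name: str
    src: str
    sport: str
    dst: str
    dport: str
    detail: str


def parse_alerts(text):
    """Parse one alert per line; truncated or unknown records are skipped, not guessed."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(Alert(float(m["ts"]), m["name"], m["src"], m["sport"],
                                m["dst"], m["dport"], m["detail"] or ""))
    return alerts


def cluster_alerts(alerts):
    """Clustering stand-in: alerts with the same (type, source host, target host,
    target service) form one cluster, absorbing the repeats in the raw log."""
    clusters = defaultdict(list)
    for a in alerts:
        clusters[(a.name, a.src, a.dst, a.dport)].append(a)
    return clusters


def correlate(clusters):
    """Correlation stand-in: the earliest alert represents each cluster, and clusters
    from the same attacking host are chained in time order as scenario steps."""
    scenarios = defaultdict(list)
    for (name, src, dst, dport), members in clusters.items():
        scenarios[src].append(min(members, key=lambda a: a.ts))
    for src in scenarios:
        scenarios[src].sort(key=lambda a: a.ts)
    return scenarios


def summarize(text):
    """Counts at each stage plus the step list per scenario, in operator-readable form."""
    alerts = parse_alerts(text)
    clusters = cluster_alerts(alerts)
    scenarios = correlate(clusters)
    return {
        "raw_alerts": len(alerts),
        "clusters": len(clusters),
        "scenarios": len(scenarios),
        "steps": {src: [(a.name, a.dst, a.dport) for a in steps]
                  for src, steps in scenarios.items()},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ALERTS).items():
        print(key, value)
```

On the constructed input the five parsable alerts collapse into three clusters and two scenarios; the portmapper scenario reads as an ordered list of (alert type, target host, target service) steps, which is the kind of view the "Notion of Scenario" slide asks for instead of repeated low-level lines.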
Slide 10: Key Results
- Clustering results
  - Total clusters: 236
  - Alert count in clusters: 835
- Correlation results
  - Total scenarios: 182
  - Alert count in scenarios: 236

Confusion matrix (counts; rows = desired label, columns = processed result):

  Desired \ Processed    True    False    Total
  True                    126        1      127
  False                   130      578      708
  Total                   256      579      835

Confusion matrix (percentages):

  Desired \ Processed    True     False    Total
  True                  99.21    0.7874    15.21
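The confusion matrix above reports counts; the operator-relevant rates have to be derived from it. The following is an added example (not from the project) that takes the slide's four cell counts and computes the row percentages the slide shows for true alerts (99.21, 0.7874, 15.21) together with the rates a security operator would also ask for: how many of the alerts kept as "true" really are attacks, and how many false alerts still pass through. Metric names are this example's own.

```python
# Added example: rates derived from the confusion matrix on the "Key Results" slide.
# Key = (desired label, processed result); counts are the slide's own.
CONFUSION = {
    ("True", "True"): 126,    # real alerts kept as real
    ("True", "False"): 1,     # real alert discarded as false (a missed attack)
    ("False", "True"): 130,   # false alerts kept as real (residual noise for the operator)
    ("False", "False"): 578,  # false alerts correctly discarded
}


def pct(numerator, denominator, digits=2):
    """Percentage rounded to the given digits; 0.0 when the denominator is empty."""
    return round(100.0 * numerator / denominator, digits) if denominator else 0.0


def metrics(cm):
    """Operator-facing rates from a 2x2 matrix keyed (desired, processed)."""
    tp = cm[("True", "True")]
    fn = cm[("True", "False")]
    fp = cm[("False", "True")]
    tn = cm[("False", "False")]
    total = tp + fn + fp + tn
    return {
        "total": total,
        # the three figures on the slide's percentage row
        "true_alerts_kept": pct(tp, tp + fn),              # 99.21
        "true_alerts_missed": pct(fn, tp + fn, 4),         # 0.7874
        "true_alert_share_of_all": pct(tp + fn, total),    # 15.21
        # what the operator sees after processing
        "precision_of_kept_alerts": pct(tp, tp + fp),      # share of kept alerts that are real
        "false_alerts_passed_through": pct(fp, fp + tn),   # noise the system failed to remove
        "alerts_removed_from_queue": pct(fn + tn, total),  # workload reduction
        "accuracy": pct(tp + tn, total),
    }


if __name__ == "__main__":
    for name, value in metrics(CONFUSION).items():
        print(f"{name:30s} {value}")
```

The derived numbers make the trade-off explicit: almost every real alert survives (one of 127 is lost), the alert queue shrinks by roughly 69%, but about half of what is still shown to the operator is noise, since 130 false alerts pass through alongside 126 real ones.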
Slide 11: Screen Shot
Slide 13: Q & A
Slide 14: Thank you!
Slide 15: Active Support Vector Machine
- Identify the most useful test data and ask the user to classify it for training
- Most useful?
  - Random sampling
  - SVM-based sampling
[Figure: test data points plotted against the SVM margin separating true alerts from false alerts]
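An added example (not the project's code) of the two sampling strategies the slide compares. A small linear SVM is fitted to a constructed, labelled seed set of alerts described by two numeric features; an unlabelled pool of "test data" is then queried either at random or by SVM-based sampling, which picks the pool point closest to the separating hyperplane, i.e. the one the current model is least sure about and therefore the most useful one to have the operator label. The feature vectors, the dependency-free subgradient SVM solver and the function names are all this example's own assumptions.

```python
import random

# Constructed, labelled seed set: 2-D feature vectors standing in for two numeric
# alert attributes, label +1 = true alert, -1 = false alert.
LABELLED = [((3.0, 3.0), 1), ((3.5, 2.5), 1), ((2.5, 3.5), 1), ((4.0, 3.0), 1),
            ((-3.0, -3.0), -1), ((-3.5, -2.5), -1), ((-2.5, -3.5), -1), ((-4.0, -3.0), -1)]
# Constructed unlabelled pool ("test data"): four easy points far from the boundary
# and one ambiguous point near it.
POOL = [(5.0, 4.0), (-5.0, -4.0), (0.1, -0.1), (4.5, 5.0), (-4.5, -5.0)]


def train_linear_svm(data, lam=0.01, lr=0.05, epochs=300):
    """Primal linear SVM fitted by full-batch subgradient descent on the hinge loss
    (a deliberately dependency-free stand-in for a real SVM solver)."""
    w = [0.0, 0.0]
    b = 0.0
    n = len(data)
    for _ in range(epochs):
        gw = [lam * w[0], lam * w[1]]  # gradient of the regulariser
        gb = 0.0
        for (x1, x2), y in data:
            if y * (w[0] * x1 + w[1] * x2 + b) < 1.0:  # inside the margin: adds hinge loss
                gw[0] -= y * x1 / n
                gw[1] -= y * x2 / n
                gb -= y / n
        w = [w[0] - lr * gw[0], w[1] - lr * gw[1]]
        b -= lr * gb
    return w, b


def decision(model, x):
    """Score f(x) = w.x + b; sign gives the class, |f(x)| < 1 means inside the margin."""
    w, b = model
    return w[0] * x[0] + w[1] * x[1] + b


def accuracy(model, data):
    return sum((decision(model, x) > 0) == (y > 0) for x, y in data) / len(data)


def svm_sampling(model, pool):
    """ASVM query: index of the pool point whose score is closest to the hyperplane."""
    return min(range(len(pool)), key=lambda i: abs(decision(model, pool[i])))


def random_sampling(pool, seed=0):
    """Baseline query: an arbitrary pool index, chosen without looking at the model."""
    return random.Random(seed).randrange(len(pool))


if __name__ == "__main__":
    model = train_linear_svm(LABELLED)
    print("seed-set accuracy:", accuracy(model, LABELLED))
    for i, x in enumerate(POOL):
        print(i, x, round(decision(model, x), 3))
    print("SVM-based query ->", POOL[svm_sampling(model, POOL)])
    print("random query    ->", POOL[random_sampling(POOL)])
```

With this pool, SVM-based sampling always asks the operator about the ambiguous point near the margin, whereas random sampling usually spends the operator's time confirming a label the model already gets right; in a real deployment the queried point is labelled, added to the seed set and the model retrained before the next query.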