Case Based Reasoning Approach to Intrusion Detection - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Case Based Reasoning Approach to Intrusion
Detection
  • Date: 3/14/2005
  • Dr. Seong-Moo Yoo
  • Information Assurance Engineering Lab
  • Electrical and Computer Engineering Dept.
  • University of Alabama in Huntsville

2
Current IDS Systems
  • Existing IDS are mostly static.
  • They track known attack signatures.
  • Any recognized attack is blocked from entering
    the protected system.
  • All other traffic (friendly and unknown) is
    permitted to access the system.
  • Malicious traffic is mostly of an unknown
    signature type, so it will not trigger the IDS.
  • This is the motivation for a dynamic approach.

3
Current ID approaches and CBR
  • Knowledge-based approaches
  • Very efficient at detecting intruders of
    previously known types, but ineffective against
    new forms of threat.
  • Behavior-based approaches
  • Have the potential to guard against previously
    unknown types of threat, but are not as precise.
  • CBR can be considered a mix of these two
    approaches (a fuzzy approach).

4
Proposed CBR Approach
  • Goal: transition from a philosophy that denies
    known threats to one that permits confirmed
    friends.
  • Dynamic, real-time detection of friendly and
    attack traffic patterns within an evolving
    environment.
  • Implemented completely in software.

5
CBR (contd)
  • CBR encompasses a three-pronged innovation:
  • A provision for explicit identification of true
    friends, in addition to the traditional
    identification of known threats.
  • The use of CBR, hitherto not employed within the
    intrusion detection environment, to accomplish
    this goal.
  • A unique ongoing learning capability that
    enhances CBR to self-learn new threats as they
    arise.

6
(No Transcript)
7
CBR Steps
  1. Identify a viable technique to characterize a
    known set of threat signatures,
  2. Develop a similar technique to characterize known
    friend signatures,
  3. Incorporate threat intrusion detection,
  4. Incorporate true friend detection, and
  5. Develop/demonstrate a methodology for the
    analysis of unknown signatures.

8
CBR Step 1
  • Recognizes that a growing database of threat
    signatures already exists.
  • The goals here are to:
  • conduct an analysis that classifies these known
    threats into logical groups,
  • characterize the key parameters that define each
    group, and
  • determine an acceptable set of tolerances that
    can be used to classify unknown signatures as
    likely threats.

9
CBR Steps 2 and 3
  • Step 2 runs in parallel with Step 1:
    classification, characterization and tolerance
    definition are determined for all known true
    friend signatures. Whereas an existing database
    will drive threat signature characterization, it
    is recognized that, for a given information
    system, known friend signatures must first be
    decoded.
  • Step 3 incorporates an existing IDS into the
    process.

10
CBR Step 4
  • Enhances the achievable level of information
    assurance by adding a filtering process that
    allows only traffic confirmed as friendly into
    the protected system.
  • Operating together, the modified IDS (threat
    filter) and the newly established true-friend
    detector filter out known threat and unknown
    traffic.

11
CBR Step 5
  • Facilitates the ongoing learning noted earlier by
    first analyzing the filtered unknown signatures
    for the existence of inherent, similarly
    characterized clusters.
  • The goal of this analysis is to expand threat and
    friendly signature databases via the CBR based
    evaluation described above.

12
Three General Clusters
  • Likely friend
  • Likely threat
  • Continued unknown.
  • The threshold mechanism assesses whether the
    closeness to the nearest case is sufficient for
    the traffic to be truly normal, or whether there
    are grounds to suspect impersonation of normal
    behavior.
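The slides describe the mechanism (Steps 1, 2, 4 and 5 plus the three clusters) without giving an implementation. The following is an added example, not code from the presentation or from the UAH lab: a toy CBR filter in which each known friend or threat group is characterized by a centroid, a per-feature spread and a tolerance; a record is matched against its closest friend and closest threat group; the threshold decides likely friend, likely threat or continued unknown; confirmed records are fed back into the case base; and held unknowns are searched for inherent clusters. The four-element feature vector, the "5% of the mean" spread floor, the slack factor on tolerances, the group names and every traffic record are constructed assumptions for the demo.

```python
"""Toy case-based reasoning (CBR) traffic filter (illustrative, constructed data)."""
from dataclasses import dataclass
from math import sqrt
from statistics import mean, pstdev

# Assumed per-record feature vector (not from the slides):
# (bytes per packet, packets per second, distinct destination ports, SYN ratio)
FEATURES = ("bytes_per_pkt", "pkts_per_sec", "dst_ports", "syn_ratio")
FRIEND, THREAT, UNKNOWN = "friend", "threat", "unknown"


def feature_scale(cases):
    """Per-feature spread, floored (assumed 5% of the mean) so a constant
    feature cannot divide by zero."""
    return tuple(max(pstdev(col), 0.05 * abs(mean(col)), 1e-6) for col in zip(*cases))


def scaled_distance(x, y, scale):
    return sqrt(sum(((a - b) / s) ** 2 for a, b, s in zip(x, y, scale)))


@dataclass
class CaseGroup:
    label: str                 # FRIEND or THREAT
    name: str                  # e.g. "web-browsing", "port-scan"
    cases: list
    centroid: tuple = ()
    scale: tuple = ()
    tolerance: float = 0.0

    def characterize(self, slack=1.5):
        """Steps 1/2: centroid, spread and tolerance from the group's own cases.
        Tolerance = widest scaled distance among the cases times an assumed
        slack factor, with a floor of one scaled unit."""
        self.centroid = tuple(mean(col) for col in zip(*self.cases))
        self.scale = feature_scale(self.cases)
        widest = max(scaled_distance(x, self.centroid, self.scale) for x in self.cases)
        self.tolerance = max(slack * widest, 1.0)
        return self

    def score(self, x):
        """Closeness relative to tolerance: <= 1.0 means x matches this group."""
        return scaled_distance(x, self.centroid, self.scale) / self.tolerance


def classify(x, groups):
    """Threshold mechanism: closest friend vs. closest threat, three outcomes."""
    def best(label):
        return min((g for g in groups if g.label == label), key=lambda g: g.score(x))
    f, t = best(FRIEND), best(THREAT)
    fs, ts = f.score(x), t.score(x)
    if fs <= 1.0 and ts > 1.0:
        return FRIEND, f.name
    if ts <= 1.0 and fs > 1.0:
        return THREAT, t.name
    # Inside both tolerances: close to a friend but also to a threat, so the
    # closeness is not sufficient to be "truly normal" (possible impersonation).
    # Inside neither: nothing in the case base resembles it. Hold as unknown.
    return UNKNOWN, "ambiguous" if fs <= 1.0 else "no-match"


def learn(group, x):
    """Ongoing learning: add a confirmed case and re-characterize the group."""
    group.cases.append(x)
    return group.characterize()


def cluster_unknowns(unknowns, radius=1.0, min_size=2):
    """Step 5: greedy single-link clustering of held unknowns, scaled by their
    own spread; clusters of at least min_size are candidate new groups."""
    scale = feature_scale(unknowns)
    clusters = []
    for x in unknowns:
        for c in clusters:
            if any(scaled_distance(x, y, scale) <= radius for y in c):
                c.append(x)
                break
        else:
            clusters.append([x])
    return [c for c in clusters if len(c) >= min_size]


def build_case_base():
    """Constructed case base: two friend groups, three threat groups."""
    raw = [
        (FRIEND, "web-browsing", [(780, 18, 1, 0.05), (820, 22, 1, 0.04), (800, 25, 2, 0.06)]),
        (FRIEND, "ssh-admin", [(120, 5, 1, 0.02), (140, 6, 1, 0.03), (110, 4, 1, 0.02)]),
        (THREAT, "port-scan", [(60, 400, 250, 0.98), (64, 500, 300, 0.99), (58, 350, 200, 0.97)]),
        (THREAT, "syn-flood", [(60, 5000, 1, 1.0), (60, 8000, 1, 1.0), (62, 6000, 1, 0.99)]),
        # per packet this looks like browsing, but at a higher request rate
        (THREAT, "http-flood", [(800, 32, 1, 0.05), (790, 36, 1, 0.05), (810, 28, 1, 0.05)]),
    ]
    return [CaseGroup(label, name, cases).characterize() for label, name, cases in raw]


if __name__ == "__main__":
    groups = build_case_base()
    for rec in [(790, 20, 1, 0.05), (61, 450, 220, 0.98), (800, 28, 1, 0.05), (300, 60, 8, 0.5)]:
        print(rec, "->", classify(rec, groups))
    held = [(300, 60, 8, 0.5), (310, 65, 9, 0.52), (305, 58, 7, 0.49), (1400, 2, 1, 0.01)]
    print("candidate clusters among unknowns:", cluster_unknowns(held))
```

The "http-flood" group exists to exercise the impersonation branch: a record at 28 packets/s with browsing-sized packets falls inside both the web-browsing and the http-flood tolerances, so the filter holds it as unknown instead of admitting it as a friend. Running the script prints the three-way decision for each constructed record and the one cluster found among the held unknowns.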

13
Other Jobs to Be Done
  • Conduct a review of the arena's state-of-the-art
    capabilities to ensure that the wheel is not
    reinvented and that funding is used judiciously
    to meet the program objectives.
  • The potential for exploiting synergy between the
    proposed approach and other techniques currently
    in use will also be investigated.
  • Our expertise in the field of information and
    decision fusion will be used to exploit this
    synergy between the approaches.

14
Jobs to Be Done (cont.)
  • An enhanced IDS that will:
  • Identify incoming message streams as true
    friends, true threats, or unknowns.
  • Use CBR, for the first time, to accomplish this
    partitioning.
  • Incorporate a unique ongoing learning capability
    that enhances CBR to self-learn new threats and
    friends as they arise.

15
Concept Demonstration
  • Up-to-date databases of known threat and true
    friend mechanisms can be identified.
  • System specific true friend and known threat
    signatures will then be classed, characterized
    and tolerance limits defined.
  • The resulting threat signature knowledge will
    then be infused into an existing IDS (Threat)
    filter while the true friend signature
    characterizations will be packaged within a new
    true friend filter.
  • The proposed enhanced information assurance
    capability will then be demonstrated by
    subjecting the selected system to known threat as
    well as true friend and unknown signature
    traffic.

16
Support Component
  • To conduct this demonstration we need:
  • access to the Government-selected test system to
    identify an emulated network, sponsorship to
    examine an existing Government information
    assurance threat database, and a realistic
    (operational) message traffic characterization.

17
Evaluation
  • Performance evaluation of CBR will include
  • Comparison of effectiveness between this new IDS
    philosophy and current IDS capabilities. This
    comparison will measure such items as effect on
    protected systems operating speed and level of
    protection provided.
  • Measurement of the speed and effectiveness of the
    True Friend Detection System (Step 4).
  • Measurement of the speed and effectiveness of the
    Analysis of Unknowns (Step 5).

18
Intrinsic Merit
  • This project will help to better protect critical
    computer networks through an enhanced intrusion
    detection approach.
  • Transition from "deny known threats" to "permit
    only confirmed friends".
  • A threshold mechanism on top of the CBR
    closest-match identification process.

19
Expected Results
  • This effort will provide proof of principle for
    the proposed IDS philosophy.
  • The R&D is expected to lead to a feasible set of
    real-time algorithms that admit only confirmed
    friends while blocking known threat and unknown
    traffic.
  • Ongoing learning will also be demonstrated as
    unknown traffic is properly classified and added
    to the respective databases.
  • A laboratory demonstration will support the
    evaluation metrics.

20
Program Description
  • Task 1: Known Threat Signature Characterization
  • A set of known threat signatures will first be
    identified for the selected target network.
    These threats will be characterized to document
    their nature and to catalogue identifying
    features.
  • Task 2: Known Friend Signature Characterization
  • A methodology for identifying and characterizing
    a set of known friend signatures will be
    developed and tested. The methodology will
    enhance the trusted network concept by
    documenting the nature, and cataloguing the
    identifying features, of truly friendly message
    traffic for the selected network.

21
Program Description (contd)
  • Task 3: Threat Intrusion Detection
  • The results of Task 1 will be incorporated into a
    threat IDS package and tested to ensure that
    known threats are blocked based on the identified
    signature characterization.
  • Task 4: True Friend Detection
  • The results of Task 2 will be incorporated into a
    friendly IDS package and tested to ensure that
    known friendly message traffic is passed to the
    target network based on a positive match to the
    identified friendly signature characterization.

22
Program Description (contd)
  • Task 5: Analysis of Unknown Signatures
  • A CBR-based screening process will first be used
    to identify probable threat and probable friendly
    traffic. Probable threats will be passed to the
    threat signature database, and probable friendly
    traffic will be passed on to the targeted
    network.

23
Project Schedule
  • Task 1: Known Threat Signature Characterization
  • Task 2: Known Friend Signature Characterization
  • Task 3: Threat Intrusion Detection
  • Task 4: True Friend Detection
  • Task 5: Analysis of Unknown Signatures
  • Task 6: Reporting