Determining placement of intrusion detectors for a distributed application through bayesian network modeling.

Abstract. To secure today's computer systems, it is critical to have different intrusion detection sensors embedded in them. The complexity of distributed computer systems makes it difficult to determine the appropriate configuration of these detectors, i.e., their choice and placement. In this paper, we describe a method to evaluate the effect of the detector configuration on the accuracy and precision of determining security goals in the system. For this, we develop a Bayesian network model for the distributed system, from an attack graph representation of multi-stage attacks in the system. We use Bayesian inference to solve the problem of determining the likelihood that an attack goal has been achieved, given a certain set of detector alerts. We quantify the overall detection performance in the system for different detector settings, namely, choice and placement of the detectors, their quality, and levels of uncertainty of adversarial behavior. These observations lead us to a greedy algorithm for determining the optimal detector settings in a large-scale distributed system. We present the results of experiments on Bayesian networks representing two real distributed systems and real attacks on them

Intrusion Detection System using Bayesian Network Modeling

Computer Network Security has become a critical and important issue due to ever increasing cyber-crimes. Cybercrimes are spanning from simple piracy crimes to information theft in international terrorism. Defence security agencies and other militarily related organizations are highly concerned about the confidentiality and access control of the stored data. Therefore, it is really important to investigate on Intrusion Detection System (IDS) to detect and prevent cybercrimes to protect these systems. This research proposes a novel distributed IDS to detect and prevent attacks such as denial service, probes, user to root and remote to user attacks. In this work, we propose an IDS based on Bayesian network classification modelling technique. Bayesian networks are popular for adaptive learning, modelling diversity network traffic data for meaningful classification details. The proposed model has an anomaly based IDS with an adaptive learning process. Therefore, Bayesian networks have been applied to build a robust and accurate IDS. The proposed IDS has been evaluated against the KDD DAPRA dataset which was designed for network IDS evaluation. The research methodology consists of four different Bayesian networks as classification models, where each of these classifier models are interconnected and communicated to predict on incoming network traffic data. Each designed Bayesian network model is capable of detecting a major category of attack such as denial of service (DoS). However, all four Bayesian networks work together to pass the information of the classification model to calibrate the IDS system. The proposed IDS shows the ability of detecting novel attacks by continuing learning with different datasets. The testing dataset constructed by sampling the original KDD dataset to contain balance number of attacks and normal connections. The experiments show that the proposed system is effective in detecting attacks in the test dataset and is highly accurate in detecting all major attacks recorded in DARPA dataset. The proposed IDS consists with a promising approach for anomaly based intrusion detection in distributed systems. Furthermore, the practical implementation of the proposed IDS system can be utilized to train and detect attacks in live network traffi

Approche logique pour l'analyse de traces d'exécutions

Les techniques traditionnelles de détection d'intrusions s'appuient sur différentes approches permettant d'identifier une utilisation non prévue et non autorisée de différentes ressources d'un système informatique. Afinn de détecter ces comportements, nous décrivons dans ce mémoire une approche logique de détection d'intrusions basée sur l'identification, dans des traces d'exécutions, de violations de politiques de sécurité données. Le modèle développé spécifie l'état des ressources d'un système ainsi que les effets des différents appels système sur cet état. Le système obtenu, qui s'apparente à un système expert, s'appuie sur un ensemble de règles logiques décrivant les connaissances d'un expert en sécurité informatique. Tout comportement illégal, c'est-à-dire non conforme aux politiques de sécurité considérées, est signalé et est considéré comme une tentative d'intrusion. Le système implémenté est capable de détecter une large classe d'attaques puisque l'approche développée ne se base pas sur certaines séquences particulières d'actions déjà recensées, mais plutôt sur les effets des différentes actions effectuées. De plus, il est capable de détecter de nouveaux comportements malveillants non préalablement identifiés.Traditional techniques for intrusion detection based on different approaches for identifying unintended and unauthorized use of dfferent resources of a computer system. To detect these behaviors, we describe in this paper a logical approach to intrusion detection based on the identification, in execution traces, of violations of given security policies. The developed model specifies the state of system resources as well as the effects of different system calls on this state. The resulting system, which is similar to an expert system, relies on a set of logical rules describing the knowledge of an expert in computer security. Any illegal behavior, that means not conform to the considered security policies, is reported and is considered as an intrusion attempt. The implemented system is able to detect a wide class of attacks since the approach is not based on some particular sequences of actions already identified, but rather on the effects of different actions performed. In addition, it is able to detect new malicious behavior not previously identified