outside the closed world on using machine learning for
play

Outside the Closed World: On Using Machine Learning for Network - PowerPoint PPT Presentation

Dec 24, 2022 •490 likes •1.01k views

Outside the Closed World: On Using Machine Learning for Network Intrusion Detection Robin Sommer Vern Paxson International Computer Science Institute, & International Computer Science Institute, & University of California, Berkeley

  1. Outside the Closed World: On Using Machine Learning for Network Intrusion Detection Robin Sommer Vern Paxson International Computer Science Institute, & International Computer Science Institute, & University of California, Berkeley Lawrence Berkeley National Laboratory IEEE Symposium on Security and Privacy May 2010

  2. Network Intrusion Detection IEEE Symposium on Security and Privacy 2

  3. Network Intrusion Detection NIDS IEEE Symposium on Security and Privacy 2

  4. Network Intrusion Detection NIDS Detection Approaches: Misuse vs. Anomaly IEEE Symposium on Security and Privacy 2

  5. Anomaly Detection Session Duration Session Volume IEEE Symposium on Security and Privacy 3

  6. Anomaly Detection Training Phase: Building a profile of normal activity. Session Duration Session Volume IEEE Symposium on Security and Privacy 3

  7. Anomaly Detection Training Phase: Building a profile of normal activity. Detection Phase: Matching observations against profile. Session Duration Session Volume IEEE Symposium on Security and Privacy 3

  8. Anomaly Detection Training Phase: Building a profile of normal activity. Detection Phase: Matching observations against profile. Session Duration Session Volume IEEE Symposium on Security and Privacy 3

  9. Anomaly Detection Training Phase: Building a profile of normal activity. Detection Phase: Matching observations against profile. Session Duration Session Volume IEEE Symposium on Security and Privacy 3

  10. Anomaly Detection (2) • Assumption: Attacks exhibit characteristics that are different than those of normal traffic. • Originally introduced by Dorothy Denning in1987. • IDES: Host-level system building per-user profiles of activity. • Login frequency, password failures, session duration, resource consumption. IEEE Symposium on Security and Privacy 4

  11. Anomaly Detection (2) · Technique Used Section References Statistical Profiling Section 7.2.1 NIDES [Anderson et al. 1994; Anderson et al. 1995; using Histograms Javitz and Valdes 1991], EMERALD [Porras and Neumann 1997], Yamanishi et al [2001; 2004], Ho et al. [1999], Kruegel at al [2002; 2003], Mahoney et al [2002; 2003; 2003; 2007], Sargor [1998] Parametric Statisti- Section 7.1 Gwadera et al [2005b; 2004], Ye and Chen [2001] cal Modeling Non-parametric Sta- Section 7.2.2 Chow and Yeung [2002] tistical Modeling Bayesian Networks Section 4.2 Siaterlis and Maglaris [2004], Sebyala et al. [2002], Valdes and Skinner [2000], Bronstein et al. [2001] Neural Networks Section 4.1 HIDE [Zhang et al. 2001], NSOM [Labib and Ve- muri 2002], Smith et al. [2002], Hawkins et al. [2002], Kruegel et al. [2003], Manikopoulos and Pa- pavassiliou [2002], Ramadas et al. [2003] Support Vector Ma- Section 4.3 Eskin et al. [2002] chines Rule-based Systems Section 4.4 ADAM [Barbara et al. 2001a; Barbara et al. 2003; Barbara et al. 2001b], Fan et al. [2001], Helmer et al. [1998], Qin and Hwang [2004], Salvador and Chan [2003], Otey et al. [2003] Clustering Based Section 6 ADMIT [Sequeira and Zaki 2002], Eskin et al. [2002], Wu and Zhang [2003], Otey et al. [2003] Nearest Neighbor Section 5 MINDS [Ertoz et al. 2004; Chandola et al. 2006], based Eskin et al. [2002] Spectral Section 9 Shyu et al. [2003], Lakhina et al. [2005], Thottan and Ji [2003],Sun et al. [2007] Information Theo- Section 8 Lee and Xiang [2001],Noble and Cook [2003] retic Source: Chandola et al. 2009 IEEE Symposium on Security and Privacy 4

  12. Anomaly Detection (2) · Features used Technique Used Section References packet sizes Statistical Profiling Section 7.2.1 NIDES [Anderson et al. 1994; Anderson et al. 1995; using Histograms Javitz and Valdes 1991], EMERALD [Porras and IP addresses Neumann 1997], Yamanishi et al [2001; 2004], Ho ports et al. [1999], Kruegel at al [2002; 2003], Mahoney header fields et al [2002; 2003; 2003; 2007], Sargor [1998] Parametric Statisti- Section 7.1 Gwadera et al [2005b; 2004], Ye and Chen [2001] timestamps cal Modeling inter-arrival times Non-parametric Sta- Section 7.2.2 Chow and Yeung [2002] session size tistical Modeling Bayesian Networks Section 4.2 Siaterlis and Maglaris [2004], Sebyala et al. [2002], session duration Valdes and Skinner [2000], Bronstein et al. [2001] session volume Neural Networks Section 4.1 HIDE [Zhang et al. 2001], NSOM [Labib and Ve- payload frequencies muri 2002], Smith et al. [2002], Hawkins et al. [2002], Kruegel et al. [2003], Manikopoulos and Pa- payload tokens pavassiliou [2002], Ramadas et al. [2003] payload pattern Support Vector Ma- Section 4.3 Eskin et al. [2002] ... chines Rule-based Systems Section 4.4 ADAM [Barbara et al. 2001a; Barbara et al. 2003; Barbara et al. 2001b], Fan et al. [2001], Helmer et al. [1998], Qin and Hwang [2004], Salvador and Chan [2003], Otey et al. [2003] Clustering Based Section 6 ADMIT [Sequeira and Zaki 2002], Eskin et al. [2002], Wu and Zhang [2003], Otey et al. [2003] Nearest Neighbor Section 5 MINDS [Ertoz et al. 2004; Chandola et al. 2006], based Eskin et al. [2002] Spectral Section 9 Shyu et al. [2003], Lakhina et al. [2005], Thottan and Ji [2003],Sun et al. [2007] Information Theo- Section 8 Lee and Xiang [2001],Noble and Cook [2003] retic Source: Chandola et al. 2009 IEEE Symposium on Security and Privacy 4

  13. The Holy Grail ... IEEE Symposium on Security and Privacy 5

  14. The Holy Grail ... • Anomaly detection is extremely appealing. • Promises to find novel attacks without anticipating specifics. • It’s plausible : machine learning works so well in other domains. IEEE Symposium on Security and Privacy 5

  15. The Holy Grail ... • Anomaly detection is extremely appealing. • Promises to find novel attacks without anticipating specifics. • It’s plausible : machine learning works so well in other domains. • But guess what’s used in operation ? Snort. • We find hardly any machine learning NIDS in real-world deployments. IEEE Symposium on Security and Privacy 5

  16. The Holy Grail ... • Anomaly detection is extremely appealing. • Promises to find novel attacks without anticipating specifics. • It’s plausible : machine learning works so well in other domains. • But guess what’s used in operation ? Snort. • We find hardly any machine learning NIDS in real-world deployments. • Could using machine learning be harder than it appears? IEEE Symposium on Security and Privacy 5

  17. Why is Anomaly Detection Hard? The intrusion detection domain faces challenges that make it fundamentally different from other fields. IEEE Symposium on Security and Privacy 6

  18. Why is Anomaly Detection Hard? The intrusion detection domain faces challenges that make it fundamentally different from other fields. Outlier detection and the high costs of errors ! How do we find the opposite of normal? Interpretation of results ! What does that anomaly mean ? Evaluation ! ! How do we make sure it actually works? Training data ! What do we train our system with? Evasion risk ! Can the attacker mislead our system? IEEE Symposium on Security and Privacy 6

  19. Why is Anomaly Detection Hard? The intrusion detection domain faces challenges that make it fundamentally different from other fields. Outlier detection and the high costs of errors ! How do we find the opposite of normal? Interpretation of results ! What does that anomaly mean ? Evaluation ! ! How do we make sure it actually works? Training data ! What do we train our system with? Evasion risk ! Can the attacker mislead our system? IEEE Symposium on Security and Privacy 6

  20. Machine Learning for Classification Feature Y Feature X IEEE Symposium on Security and Privacy 7

  21. Machine Learning for Classification Feature Y B A C Feature X IEEE Symposium on Security and Privacy 7

  22. Machine Learning for Classification Feature Y B A C Feature X IEEE Symposium on Security and Privacy 7

  23. Machine Learning for Classification Feature Y B A C Feature X IEEE Symposium on Security and Privacy 7

  24. Machine Learning for Classification Feature Y B A C Feature X IEEE Symposium on Security and Privacy 7

  25. Machine Learning for Classification Feature Y B A C Feature X IEEE Symposium on Security and Privacy 7

  26. Machine Learning for Classification Feature Y B A C Feature X IEEE Symposium on Security and Privacy 7

  27. Machine Learning for Classification Feature Y B Classification Problems A Optical Character Recognition Google’s Machine Translation Amazon’s Recommendations Spam Detection C Feature X IEEE Symposium on Security and Privacy 7

  28. Outlier Detection Feature Y Feature X IEEE Symposium on Security and Privacy 8

  29. Outlier Detection Feature Y Feature X IEEE Symposium on Security and Privacy 8

  30. Outlier Detection Feature Y Feature X IEEE Symposium on Security and Privacy 8

  31. Outlier Detection Feature Y Closed World Assumption Specify only positive examples. Adopt standing assumption that the rest is negative. Can work well if the model is very precise, or mistakes are cheap. Feature X IEEE Symposium on Security and Privacy 8

  32. What is Normal? • Finding a stable notion of normal is hard for networks. • Network traffic is composed of many individual sessions. • Leads to enormous variety and unpredictable behavior. • Observable on all layers of the protocol stack. IEEE Symposium on Security and Privacy 9

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Practical Advice for Building Machine Learning Applications Machine Learning Based on lectures

Practical Advice for Building Machine Learning Applications Machine Learning Based on lectures

Practical Advice for Building Machine Learning Applications Machine Learning Based on lectures and papers by Andrew Ng, Pedro Domingos, Tom Mitchell and others 1 ML and the world Making ML work in the world Mostly experiential advice Also

863 views • 69 slides
The Rise of AI and the World of Machine Learning Peter J Bentley What is AI? Robots? Magic

The Rise of AI and the World of Machine Learning Peter J Bentley What is AI? Robots? Magic

The Rise of AI and the World of Machine Learning Peter J Bentley What is AI? Robots? Magic software? Terrifying Super Intelligences? Machine Learning? 1951 This is a maze-solving machine that is capable of solving a maze by trial-and-error

529 views • 48 slides
An Exercise in An Exercise in Machine Learning Machine Learning

An Exercise in An Exercise in Machine Learning Machine Learning

An Exercise in An Exercise in Machine Learning Machine Learning http://www.cs.iastate.edu/~cs573x/bbsilab.html Machine Learning Software Preparing Data Building Classifiers Interpreting Results Machine Learning Software

496 views • 26 slides
Machine learning for lattice theories Real-world lattices 2 Machine learning for lattice

Machine learning for lattice theories Real-world lattices 2 Machine learning for lattice

Machine learning for lattice theories 1 Michael S. Albergo, Gurtej Kanwar , Phiala E. Shanahan Center for Theoretical Physics, MIT Deep Learning and Physics 1 Albergo, GK, Shanahan [PRD 100 (2019) 034515] Kyoto, Japan (November 1, 2019) Machine

786 views • 52 slides
Machine learning applications in developing-world sustainability John Quinn AI-DEV Group School

Machine learning applications in developing-world sustainability John Quinn AI-DEV Group School

Machine learning applications in developing-world sustainability John Quinn AI-DEV Group School of Computing and Informatics Technology Makerere University, Kampala, Uganda CompSust 2012 1 / 22 Overview Why machine learning in the

773 views • 22 slides
Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by

Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by

Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by which computers can be trained through observation, rather than being explicitly programmed. Basically, a program is given input and adjusts its

556 views • 17 slides
World's Fastest Machine Learning With GPUs http://github.com/h2oai/h2o4gpu Speaker: Jonathan C.

World's Fastest Machine Learning With GPUs http://github.com/h2oai/h2o4gpu Speaker: Jonathan C.

World's Fastest Machine Learning With GPUs http://github.com/h2oai/h2o4gpu Speaker: Jonathan C. McKinney Mateusz Erin Navdeep Rory Terry Karen Arno Jonathan S teve H2O4GPU TEAM Machine Learning Deep Learning c RIS

572 views • 33 slides
Machine Learning: Study of algorithms that improve their performance P at some task T

Machine Learning: Study of algorithms that improve their performance P at some task T

Machine Learning 10-601 Tom M. Mitchell Machine Learning Department Carnegie Mellon University January 12, 2015 Today: Readings: What is machine learning? The Discipline of ML Decision tree learning Mitchell, Chapter 3

872 views • 29 slides
Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning

Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning

GCT634/AI613: Musical Applications of Machine Learning (Fall 2020) Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning Pipeline in Classification Tasks A set of hand-designed audio features are selected

398 views • 26 slides
Introductory Applied Machine Learning The primary aim of the course is to provide the student with

Introductory Applied Machine Learning The primary aim of the course is to provide the student with

Introductory Applied Machine Learning The primary aim of the course is to provide the student with a set of practical tools that can be applied to solve real-world problems in machine learning. Nigel Goddard School of Informatics Machine

716 views • 8 slides
10: Biological Applications for HMMs Machine Learning and Real-world Data Ann Copestake and

10: Biological Applications for HMMs Machine Learning and Real-world Data Ann Copestake and

10: Biological Applications for HMMs Machine Learning and Real-world Data Ann Copestake and Simone Teufel Computer Laboratory University of Cambridge Lent 2017 Last session: dice world and HMM decoding You now have written a decoder, i.e., an

401 views • 14 slides
PROJECT SPARROW Improving traffic flow with machine learning TYPES OF MACHINE LEARNING Google

PROJECT SPARROW Improving traffic flow with machine learning TYPES OF MACHINE LEARNING Google

PROJECT SPARROW Improving traffic flow with machine learning TYPES OF MACHINE LEARNING Google Deep Mind MORE VARIABLES Improving the simulation, so it more accurately simulates the real world. USE 3D MAPPING SOFTWARE TO SIMULATE Allows

396 views • 11 slides
Machine Learning Tricks Philipp Koehn 13 October 2020 Philipp Koehn Machine Translation:

Machine Learning Tricks Philipp Koehn 13 October 2020 Philipp Koehn Machine Translation:

Machine Learning Tricks Philipp Koehn 13 October 2020 Philipp Koehn Machine Translation: Machine Learning Tricks 13 October 2020 Machine Learning 1 Myth of machine learning given: real world examples automatically build model

928 views • 53 slides
INFO 1998: Introduction to Machine Learning Lecture 10: Real-World Applications of Data Science

INFO 1998: Introduction to Machine Learning Lecture 10: Real-World Applications of Data Science

INFO 1998: Introduction to Machine Learning Lecture 10: Real-World Applications of Data Science INFO 1998: Introduction to Machine Learning B****es be yearning my earnings concerning machine learning , Your girl started flirting when she saw

671 views • 29 slides
1: Sentiment Classification Machine Learning and Real-world Data (MLRD) Ann Copestake (based on

1: Sentiment Classification Machine Learning and Real-world Data (MLRD) Ann Copestake (based on

1: Sentiment Classification Machine Learning and Real-world Data (MLRD) Ann Copestake (based on slides created by Simone Teufel) Lent 2018 This course: Machine Learning and Real-world Data (MLRD) Three Topics: Classification: sentiment

337 views • 23 slides
10: Biological Applications for HMMs Machine Learning and Real-world Data (MLRD) Ann Copestake

10: Biological Applications for HMMs Machine Learning and Real-world Data (MLRD) Ann Copestake

10: Biological Applications for HMMs Machine Learning and Real-world Data (MLRD) Ann Copestake (partly based on slides created by Simone Teufel) Lent 2019 Last session: dice world and HMM decoding You may by now have written a decoder, i.e.,

555 views • 16 slides
Impact Evaluation of a Cluster Program: An Application of Synthetic Control Methods Diego Aboal*,

Impact Evaluation of a Cluster Program: An Application of Synthetic Control Methods Diego Aboal*,

Impact Evaluation of a Cluster Program: An Application of Synthetic Control Methods Diego Aboal*, Gustavo Crespi** and Marcelo Perera* *CINVE **IDB Impact Evaluation of a Cluster Program Roadmap 1. Motivation 2. Objectives 3. The program

447 views • 33 slides
Paper Summaries Any takers? Light and Color Plan for today Computer Graphics as Virtual

Paper Summaries Any takers? Light and Color Plan for today Computer Graphics as Virtual

Paper Summaries Any takers? Light and Color Plan for today Computer Graphics as Virtual Photography Light and Color real camera photo Photographic Photography: scene (captures processing print Project Possibilities light)

278 views • 15 slides
International Material Resource Dependency in an Input-Output Framework Maaike C. Bouwmeester

International Material Resource Dependency in an Input-Output Framework Maaike C. Bouwmeester

Date 14.06.2011 | 1 of 16 International Material Resource Dependency in an Input-Output Framework Maaike C. Bouwmeester University of Groningen, The Netherlands WIOD conference, Groningen 24 th of April 2012 Date 14.06.2011 | 2 of 16

268 views • 16 slides
COMMON CORE IN CHINA Curriculum mapping American Standards from an International Perspective

COMMON CORE IN CHINA Curriculum mapping American Standards from an International Perspective

COMMON CORE IN CHINA Curriculum mapping American Standards from an International Perspective Marlon Ng American International School (Hong Kong) Teacher of over sixteen years with last 4 years focus on UbD training Upcoming academic year

774 views • 54 slides
Unit-based Simulation for the Bedside Registered Nurse Jocelyn Disher, BSN, MSN, RN Anisha

Unit-based Simulation for the Bedside Registered Nurse Jocelyn Disher, BSN, MSN, RN Anisha

Unit-based Simulation for the Bedside Registered Nurse Jocelyn Disher, BSN, MSN, RN Anisha Desai, BSN, RN Angela Burgum, RN Cynthia Fallon, BSN, RN, ONC Patricia Hart, PhD, RN Kathie Aduddell, EdD, RN Lanell Bellury, PhD, RN, AOCNS

602 views • 18 slides
Ast stro Pi Pi: P Pyt ython o n on the he In Internationa nal Sp Space ce S Station n

Ast stro Pi Pi: P Pyt ython o n on the he In Internationa nal Sp Space ce S Station n

Ast stro Pi Pi: P Pyt ython o n on the he In Internationa nal Sp Space ce S Station n Ben N en Nuttall ll Rasp spber berry Pi F Pi Founda undatio ion UK C Charit ity 1129 1129409 Sli Slides, s, l link nks, feedback ack

841 views • 44 slides
Unit 3 Part 1 Introduction to Military Component Planning Process UN Peacekeeping PDT Standards,

Unit 3 Part 1 Introduction to Military Component Planning Process UN Peacekeeping PDT Standards,

Unit 3 Part 1 Introduction to Military Component Planning Process UN Peacekeeping PDT Standards, Specialized Training Material for Staff Officers 1 st Edition 2011 AIM The aim of this module is to provide Military Staff Officers with the

965 views • 71 slides
Fast Analytics on Big Data with H20 0xdata.com, h2o.ai Tomas Nykodym, Petr Maj Team About H2O

Fast Analytics on Big Data with H20 0xdata.com, h2o.ai Tomas Nykodym, Petr Maj Team About H2O

Fast Analytics on Big Data with H20 0xdata.com, h2o.ai Tomas Nykodym, Petr Maj Team About H2O and 0xdata H2O is a platform for distributed in memory predictive analytics and machine learning Pure Java, Apache v2 Open Source Easy

995 views • 53 slides

More recommend