
Intrusion & Intrusion Detection

- Intruders
- Intrusion Detection systems
- Intrusion detection process
- Intrusion detection techniques
- Data Mining for Intrusion Detection

The word "intrusion" means a wrongful entry, or the act of seizing or taking possession of the property of another.

The word "detection" means identifying potentially malicious or undesirable activity.

Intruders:

- Outsider: penetrates the system's access controls to use a user's account.
- Insider: makes unauthorized access to data, programs or resources.
- Either outsider or insider: seizes the system's supervisory control and uses it to evade auditing and access controls.

The difficulty results from the fact that the defender must be ready to prevent all possible attacks, whereas the attacker is free to find the weakest link in the defense chain and attack it.

An intrusion detection system is a combination of software and hardware that attempts to perform intrusion detection and raises the alarm when a possible intrusion happens.

If a firewall is like having a security guard at your office door, checking the credentials of everyone coming and going, then an intrusion-detection system (IDS) is like having a network of sensors that tells you when someone has broken in, where they are and what they're doing.

Information theft is up over 250% in the last 5 years.

99% of all major companies report at least one major incident.

Telecom and computer fraud totaled $10 billion in the US alone.

There are 5 million attacks on the DOD (Department of Defense) every day.

Host-based IDSs

- Analyze host-bound audit sources such as operating system audit trails, system logs, or application logs
- Detect attacks against a single host

Network-based IDSs

- Use network traffic as the audit data source, relieving the burden on the hosts that usually provide normal computing services
- Detect attacks from the network
- Network-based IDSs are like neighborhood police patrols

(BPM) for Science & Technology University, Ibb Branch


Training Set

Tid  SrcIP          Start time  Dest IP         Dest Port  Number of bytes  Attack
1    206.135.38.95  11:07:20    160.94.179.223  139        192              No
2    206.163.37.95  11:13:56    160.94.179.219  139        195              No
3    206.163.37.95  11:14:29    160.94.179.217  139        180              No
4    206.163.37.95  11:14:30    160.94.179.255  139        199              No
5    206.163.37.95  11:14:32    160.94.179.254  139        19               Yes
6    206.163.37.95  11:14:35    160.94.179.253  139        177              No
7    206.163.37.95  11:14:36    160.94.179.252  139        172              No
8    206.163.37.95  11:14:38    160.94.179.251  139        285              Yes
9    206.163.37.95  11:14:41    160.94.179.250  139        195              No
10   206.163.37.95  11:14:44    160.94.179.249  139        163              Yes

Training Set -> Learn Classifier -> Model -> Test Set

Test Set

Tid  SrcIP          Start time  Dest IP         Number of bytes  Attack
1    206.163.37.81  11:17:51    160.94.179.208  150              ?
2    206.163.37.99  11:18:10    160.94.179.235  208              ?
3    206.163.37.55  11:34:35    160.94.179.221  195              ?
4    206.163.37.37  11:41:37    160.94.179.253  199              ?
5    206.163.37.41  11:55:19    160.94.179.244  181              ?

Rules Discovered:
{Src IP = 206.163.37.95, Dest Port = 139, Bytes [150, 200]} --> {ATTACK}
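As an added example (not from the slides or from the paper they draw on), the discovered rule above is encoded as a predicate, validated against the slide's labelled training records, and then used to fill in the "?" labels of the test records; the validation step shows the check a practitioner wants before deploying a mined rule, since on the slide's own ten training rows the rule fires seven times but only one of those rows is labelled an attack. The test records' dest port is not printed on the slide and is assumed to be 139 here; start times are omitted because the rule does not use them.

```python
from collections import namedtuple

# One connection record as on the slide; attack is True/False for labelled rows, None for "?".
Conn = namedtuple("Conn", "tid src_ip dst_ip dst_port nbytes attack")

# Labelled training records copied from the slide (start times omitted: the rule never uses them).
TRAIN = [
    Conn(1, "206.135.38.95", "160.94.179.223", 139, 192, False),
    Conn(2, "206.163.37.95", "160.94.179.219", 139, 195, False),
    Conn(3, "206.163.37.95", "160.94.179.217", 139, 180, False),
    Conn(4, "206.163.37.95", "160.94.179.255", 139, 199, False),
    Conn(5, "206.163.37.95", "160.94.179.254", 139, 19, True),
    Conn(6, "206.163.37.95", "160.94.179.253", 139, 177, False),
    Conn(7, "206.163.37.95", "160.94.179.252", 139, 172, False),
    Conn(8, "206.163.37.95", "160.94.179.251", 139, 285, True),
    Conn(9, "206.163.37.95", "160.94.179.250", 139, 195, False),
    Conn(10, "206.163.37.95", "160.94.179.249", 139, 163, True),
]
# Unlabelled test records from the slide; it does not print their dest port, so 139 is assumed.
TEST = [
    Conn(1, "206.163.37.81", "160.94.179.208", 139, 150, None),
    Conn(2, "206.163.37.99", "160.94.179.235", 139, 208, None),
    Conn(3, "206.163.37.55", "160.94.179.221", 139, 195, None),
    Conn(4, "206.163.37.37", "160.94.179.253", 139, 199, None),
    Conn(5, "206.163.37.41", "160.94.179.244", 139, 181, None),
]

def slide_rule(c):
    """{Src IP = 206.163.37.95, Dest Port = 139, Bytes in [150, 200]} --> {ATTACK}"""
    return c.src_ip == "206.163.37.95" and c.dst_port == 139 and 150 <= c.nbytes <= 200

def evaluate(rule, records):
    """Confusion counts plus precision and recall of a rule on labelled records."""
    tp = sum(1 for c in records if rule(c) and c.attack)
    fp = sum(1 for c in records if rule(c) and not c.attack)
    fn = sum(1 for c in records if not rule(c) and c.attack)
    tn = len(records) - tp - fp - fn
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "precision": tp / (tp + fp) if tp + fp else 0.0,
            "recall": tp / (tp + fn) if tp + fn else 0.0}

def classify(rule, records):
    """Replace the '?' labels of unlabelled records with the rule's Yes/No verdict."""
    return {c.tid: "Yes" if rule(c) else "No" for c in records}

if __name__ == "__main__":
    print(evaluate(slide_rule, TRAIN))  # fires on 7 of 10 rows, only 1 of them an attack
    print(classify(slide_rule, TEST))   # all "No": no test row's source is 206.163.37.95
```

Because the rule is keyed to one exact source address, it never fires on the test records, whose sources all differ; that is the kind of over-specific rule that validation on held-out labelled data is meant to catch.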




Thank you
