Anomaly Based Intrusion Detection System Using Naive Bayesian and Hidden Markov Models
By Jonathan Lally, ID: 12211753, Email: [email protected]


Anomaly Based Intrusion Detection System
Using Naive Bayesian and Hidden Markov Models

By Jonathan Lally
ID: 12211753
Email: [email protected]

What is an IDS?

Goals
◦ Identify
◦ Prevent
◦ Learn

Location

Misuse Detectors
Analyses signatures
◦ IP address
◦ Port and count
◦ Packet flags

Misuse Detectors
Advantages
• Known attacks
• Quick

Disadvantages
• Regular patches
• Adaptive attackers

Anomaly Detectors
◦ Knows user habits
◦ Flags odd behaviour
◦ Blocks persistently flagged connections

Anomaly Detectors
Advantages
◦ Powerful
◦ Blocks unknown attacks

Disadvantages
◦ Slow
◦ False positives
◦ Training

Hidden Markov Model
Finite state analysis

Hidden Markov Model
Watches state transitions

Advantages
◦ Accurate

Disadvantages
◦ Slow
◦ Memory usage
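The slides say the HMM "watches state transitions" but do not show what that looks like in code, so here is an added example (not code from the presentation or from the author's experiment). It models a TCP connection as three hidden phases (handshake, established, teardown) that emit packet flag types, and scores an observed flag sequence with the forward algorithm. The transition and emission probabilities, the 1.6-nat threshold and the two sample flag sequences are all assumed values constructed for illustration; a real detector would learn the parameters from captured traffic (e.g. with Baum-Welch) and calibrate the threshold on a held-out set. The forward pass is O(T·N²) and keeps a full probability vector per step, which is where the "slow" and "memory usage" disadvantages on the slide come from.

```python
"""HMM over TCP flag sequences: scores a connection by how well its observed
flag transitions fit a model of normal connection phases (added example)."""
import math

STATES = ("HANDSHAKE", "ESTABLISHED", "TEARDOWN")
SYMBOLS = ("SYN", "SYNACK", "ACK", "PSHACK", "FINACK", "RST")


def normalise(weights):
    """Turn raw emission weights into a probability distribution."""
    total = sum(weights.values())
    return {sym: w / total for sym, w in weights.items()}


# Assumed model parameters: hand-set for illustration, not learned from traffic.
START = {"HANDSHAKE": 0.80, "ESTABLISHED": 0.15, "TEARDOWN": 0.05}
TRANSITION = {
    "HANDSHAKE":   {"HANDSHAKE": 0.30, "ESTABLISHED": 0.65, "TEARDOWN": 0.05},
    "ESTABLISHED": {"HANDSHAKE": 0.02, "ESTABLISHED": 0.90, "TEARDOWN": 0.08},
    "TEARDOWN":    {"HANDSHAKE": 0.25, "ESTABLISHED": 0.05, "TEARDOWN": 0.70},
}
FLOOR = 0.2  # small weight for flags a phase "should not" emit, so nothing has probability 0
EMISSION = {
    "HANDSHAKE":   normalise({"SYN": 10, "SYNACK": 8, "ACK": 4,
                              "PSHACK": FLOOR, "FINACK": FLOOR, "RST": FLOOR}),
    "ESTABLISHED": normalise({"ACK": 10, "PSHACK": 10,
                              "SYN": FLOOR, "SYNACK": FLOOR, "FINACK": FLOOR, "RST": FLOOR}),
    "TEARDOWN":    normalise({"FINACK": 10, "ACK": 8, "RST": 4,
                              "SYN": FLOOR, "SYNACK": FLOOR, "PSHACK": FLOOR}),
}


def logsumexp(values):
    """Numerically stable log(sum(exp(v))) for a list of log-probabilities."""
    m = max(values)
    return m + math.log(sum(math.exp(v - m) for v in values))


def log_likelihood(seq):
    """Forward algorithm in log space: log P(seq | model). O(T * N^2) time,
    one probability per hidden state kept between steps."""
    alpha = {s: math.log(START[s]) + math.log(EMISSION[s][seq[0]]) for s in STATES}
    for sym in seq[1:]:
        alpha = {
            s: logsumexp([alpha[p] + math.log(TRANSITION[p][s]) for p in STATES])
               + math.log(EMISSION[s][sym])
            for s in STATES
        }
    return logsumexp(list(alpha.values()))


def anomaly_score(seq):
    """Average surprise in nats per packet; larger means less like a normal connection."""
    return -log_likelihood(seq) / len(seq)


def is_anomalous(seq, threshold):
    """Flag a connection whose per-packet surprise exceeds the calibrated threshold."""
    return anomaly_score(seq) > threshold


# Constructed sample sequences: a normal request/response connection and a flood of bare SYNs.
NORMAL_CONNECTION = ["SYN", "SYNACK", "ACK", "PSHACK", "ACK", "PSHACK", "ACK", "FINACK", "ACK"]
SYN_FLOOD = ["SYN"] * 9
THRESHOLD = 1.6  # assumed; calibrate on held-out normal traffic in practice

if __name__ == "__main__":
    for name, seq in (("normal", NORMAL_CONNECTION), ("syn flood", SYN_FLOOD)):
        print(f"{name:10s} score={anomaly_score(seq):.2f} anomalous={is_anomalous(seq, THRESHOLD)}")
```

The repeated SYNs can only be explained by the model looping in the handshake phase, which the assumed transition matrix makes unlikely, so every extra SYN adds roughly two nats of surprise while a normal connection stays around 1.3 to 1.4 nats per packet.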

Naive Bayesian Model
Probability distribution of packet type

Average connection: < 3 RSTs, 8 SYNs, 48 ACKs, 1 FIN/ACKs, 40 PSH/ACKs >

DoS attack: < 0 RSTs, 100 SYNs, 0 ACKs, 0 FIN/ACKs, 0 PSH/ACKs >

Naive Bayesian Model
Advantages
◦ Fast
◦ Effective

Disadvantages
◦ High false positives
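The two flag-count vectors on the slides are exactly the kind of feature vector a naive Bayesian classifier works on, so here is an added example (not code from the presentation or from the author's experiment) that trains and applies one. Each of the five counts (RST, SYN, ACK, FIN/ACK, PSH/ACK) is modelled as an independent Poisson variable per class, which is the "naive" assumption; the training set is constructed from the slide's two vectors plus small variations and is not real traffic, and the class labels and the 0.5 smoothing constant are assumptions.

```python
"""Naive Bayes over TCP-flag count vectors (added example)."""
import math
from collections import defaultdict

# Feature order for every vector, matching the slides: <RST, SYN, ACK, FIN/ACK, PSH/ACK>
FEATURES = ("RST", "SYN", "ACK", "FIN/ACK", "PSH/ACK")
SMOOTHING = 0.5  # added to every rate so a zero count in training never yields log(0)


def train(samples):
    """samples: list of (label, count_vector). Returns per-class log prior and Poisson rates."""
    by_class = defaultdict(list)
    for label, vec in samples:
        by_class[label].append(vec)
    total = len(samples)
    model = {}
    for label, vecs in by_class.items():
        n = len(vecs)
        # Maximum-likelihood Poisson rate per feature is the mean count, plus smoothing.
        rates = [sum(v[i] for v in vecs) / n + SMOOTHING for i in range(len(FEATURES))]
        model[label] = {"log_prior": math.log(n / total), "rates": rates}
    return model


def log_posteriors(model, vec):
    """Unnormalised log P(class | vec) under the independent-feature Poisson assumption."""
    scores = {}
    for label, params in model.items():
        ll = params["log_prior"]
        for x, lam in zip(vec, params["rates"]):
            # Poisson log-pmf: x*log(lam) - lam - log(x!)
            ll += x * math.log(lam) - lam - math.lgamma(x + 1)
        scores[label] = ll
    return scores


def classify(model, vec):
    """Return the class with the highest posterior for one connection's flag counts."""
    scores = log_posteriors(model, vec)
    return max(scores, key=scores.get)


# Constructed training data: the two vectors from the slides plus small variations.
TRAINING = [
    ("normal", (3, 8, 48, 1, 40)),
    ("normal", (2, 9, 45, 1, 38)),
    ("normal", (4, 7, 50, 2, 42)),
    ("dos", (0, 100, 0, 0, 0)),
    ("dos", (0, 95, 0, 0, 0)),
    ("dos", (1, 110, 0, 0, 1)),
]

MODEL = train(TRAINING)

if __name__ == "__main__":
    for vec in [(3, 8, 48, 1, 40), (0, 100, 0, 0, 0), (0, 80, 2, 0, 0)]:
        print(vec, "->", classify(MODEL, vec))
```

Because each feature contributes independently, a single unusual count (for example 48 ACKs against a DoS rate near zero) dominates the score; that is what makes the classifier fast, and also why a legitimate but atypical connection is easily pushed into the attack class, the high false-positive rate the slide lists as its disadvantage.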

My Experiment

Hybrid Naive Bayesian Model with Hidden Markov Model

Previous Experiments
Naive Bayesian based IDS:
Vijayasarathy, R., Raghavan, S. V., & Ravindran, B., "A system approach to network modeling for DDoS detection using a Naïve Bayesian classifier", 2011.

Hidden Markov Model:
Rangadurai Karthick, R., Hattiwale, V. P., & Ravindran, B., "Adaptive network intrusion detection system using a hybrid approach", 2012.

This experiment: time-based training data