COMPSCI 726 Sumeet Outside the Closed World: On Using Machine Learning for Network Intrusion Detection Robin Sommer and Vern Paxson




Page 1: COMPSCI 726 Sumeet Outside the Closed World: On Using Machine Learning for Network Intrusion Detection Robin Sommer and Vern Paxson

COMPSCI 726

Sumeet

Outside the Closed World: On Using Machine Learning for Network Intrusion Detection

Robin Sommer and Vern Paxson

Page 2

Background

What is an Intrusion Detection System?

What is Machine Learning?

Misuse Detection vs Anomaly Detection

Image sources:

1. http://www.cisco.com/c/en/us/products/security/firepower-8000-series-appliances/index.html

2. http://googleblog.blogspot.co.nz/2012/06/using-large-scale-brain-simulations-for.html

Page 3

Agenda

Introduction

Five domain-specific problems of intrusion detection

Recommendations by the Authors

Critical Points

Summary

Page 4

Introduction

Core idea

General lack of machine-learning-based anomaly detection systems in production

Misuse detection (signature-based) is widely deployed

Anomaly detection is rarely deployed, despite a large research literature

Premise: machine learning is good at finding similarity to what it has already seen

Anomaly detection asks for the opposite: finding novel, previously unseen attacks

Mindset: the paper argues that intrusion detection needs a different mindset from other machine-learning applications (the "closed world" of the title)

Page 5

Domain-Specific Problems

Outlier detection

Machine learning excels at classification (recognising things similar to its training data), not at finding outliers

High cost of errors

Other applications tolerate errors cheaply: recommender systems, OCR, spam filtering

In intrusion detection a false positive costs analyst time and a false negative can cost a compromise

Semantic gap

Operators need actionable reports

Reporting "abnormal behaviour" is not the same as reporting an attack

Anomalous feature values still have to be translated into a security-relevant meaning
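The "high cost of errors" point is at bottom a base-rate argument: attacks are a tiny fraction of all events, so even a small false-alarm rate buries the true detections. The following is an added example, not code from the slides or from the paper; the event volume, base rate and error rates are assumed for illustration.

```python
"""Base-rate arithmetic behind the 'high cost of errors' point.

Added example, not from the slides or the paper: computes how many false
positives an analyst must wade through per true detection when attacks are
rare. All event counts and rates below are assumed for illustration.
"""


def expected_alerts(events, base_rate, tpr, fpr):
    """Return (true_positives, false_positives, precision) for one day.

    events    -- number of classified events per day (flows, sessions, ...)
    base_rate -- fraction of events that are actually attacks
    tpr       -- detection rate on real attacks
    fpr       -- false-alarm rate on benign events
    """
    attacks = events * base_rate
    benign = events - attacks
    tp = attacks * tpr
    fp = benign * fpr
    precision = tp / (tp + fp) if tp + fp else 0.0
    return tp, fp, precision


def fpr_for_precision(base_rate, tpr, target_precision):
    """Largest false-alarm rate that still reaches target_precision.

    Per unit of events, tp = base_rate * tpr and fp = (1 - base_rate) * fpr.
    Solving precision = tp / (tp + fp) for fp gives fp = tp * (1 - p) / p.
    """
    tp = base_rate * tpr
    fp_allowed = tp * (1 - target_precision) / target_precision
    return fp_allowed / (1 - base_rate)


if __name__ == "__main__":
    # Assumed scenario: 10 million flows/day, 20 of them attacks, a detector
    # with 90% detection rate and a seemingly good 0.1% false-alarm rate.
    tp, fp, prec = expected_alerts(10_000_000, 20 / 10_000_000, 0.90, 0.001)
    print(f"true positives/day: {tp:.0f}, false positives/day: {fp:.0f}, "
          f"precision: {prec:.2%}")
    # What false-alarm rate would give analysts one real alert in two?
    needed = fpr_for_precision(20 / 10_000_000, 0.90, 0.5)
    print(f"false-alarm rate needed for 50% precision: {needed:.1e}")
```

With the assumed numbers the detector produces about 18 true alerts and about 10,000 false ones per day, i.e. well under 1% precision; reaching even 50% precision needs a false-alarm rate in the order of one in a million, which is the scale of accuracy other machine-learning applications never have to meet.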

Page 6

Domain-Specific Problems (continued)

Diversity of network traffic

Many traffic types; volumes are bursty and differ between sites and over time

Hard to establish what "normal" is

Difficulties with evaluation

Data difficulties: little public, representative data is available

The DARPA 1998 and 1999 datasets are still used despite their known flaws

"Mind the gap": good numbers on a dataset do not establish operational value

Results must be operationally relevant

Adversarial setting

Attackers adapt to the detector, so evasion must be assumed
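The diversity and semantic-gap points can be seen with a minimal volumetric detector: a "normal" band learned from one traffic mix does not hold for another, and an alert only says "abnormal", never "attack". This is an added example, not code from the slides or the paper; the per-window byte counts and their labels are constructed for illustration.

```python
"""Volumetric anomaly detector trained on one traffic mix, applied to another.

Added example, not from the slides or the paper. A mean +/- k*stdev band is
learned from business-hours traffic and applied to overnight traffic of the
same host. The byte counts and labels are constructed for illustration.
"""
import statistics

# Constructed training data: bytes sent per 5-minute window during business hours.
BUSINESS_HOURS = [48_000, 52_000, 50_000, 47_000, 51_000, 49_000,
                  53_000, 50_000, 46_000, 52_000, 48_000, 51_000]

# Constructed test data: overnight windows, labelled for the reader only.
# The exfiltration window is deliberately sized to look like a daytime window.
OVERNIGHT = [
    ("01:50 idle", 2_000),
    ("01:55 idle", 1_500),
    ("02:00 scheduled backup", 900_000),   # benign, but far outside the profile
    ("02:05 scheduled backup", 850_000),
    ("02:10 idle", 2_500),
    ("02:15 slow exfiltration", 50_000),   # malicious, but inside the profile
]


def train_profile(samples, k=3.0):
    """Learn a (low, high) band of mean +/- k * population stdev."""
    mean = statistics.mean(samples)
    sd = statistics.pstdev(samples)
    return mean - k * sd, mean + k * sd


def detect(profile, windows):
    """Return the labels of windows whose byte count falls outside the band."""
    low, high = profile
    return [label for label, count in windows if not low <= count <= high]


if __name__ == "__main__":
    band = train_profile(BUSINESS_HOURS)
    print("normal band learned from business hours:", band)
    print("flagged overnight windows:", detect(band, OVERNIGHT))
```

The learned band is roughly 43,500 to 56,000 bytes per window. Every idle overnight window is flagged because the daytime profile says nothing about night-time normality, the benign backup is flagged for the same reason, and the exfiltration that matters passes unnoticed; nothing in the output distinguishes a backup from an attack.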

Page 7

Recommendations

Understanding the threat model

What kind of environment does the system target?

What does a missed attack cost?

What skills and resources will the attackers have?

What concerns does evasion pose?

Keeping the scope narrow

Select the machine-learning scheme for a specific, well-understood detection task rather than for "anomalies" in general

Reducing the cost of errors

Reduce the system's scope

Aggregate traffic and alerts before reporting

Post-process alerts before they reach an operator
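Aggregation and post-processing are the two cost-reducing steps that can be shown directly: roll raw per-flow alerts up per source host and time window, then forward only groups that are worth an operator's time. This is an added example, not code from the slides or the paper; the raw alert tuples, the window size and the forwarding thresholds are constructed for illustration.

```python
"""Alert aggregation and post-processing to reduce operator load.

Added example, not from the slides or the paper. Raw per-flow alerts from a
hypothetical anomaly detector are grouped per (source host, time window), and
a post-processing rule forwards only groups that fired repeatedly or with a
high score. Alert tuples and thresholds are constructed for illustration.
"""
from collections import defaultdict

WINDOW_SECONDS = 300

# Constructed raw alerts: (unix_timestamp, src_ip, dst_port, anomaly_score)
RAW_ALERTS = [
    (1000, "10.0.0.5", 443, 0.71),
    (1010, "10.0.0.5", 443, 0.68),
    (1020, "10.0.0.9", 22, 0.95),
    (1030, "10.0.0.5", 8443, 0.74),
    (1040, "10.0.0.9", 22, 0.93),
    (1050, "10.0.0.9", 22, 0.97),
    (1600, "10.0.0.9", 22, 0.96),    # falls into the next window
    (1610, "10.0.0.12", 80, 0.61),   # one-off, low score: probably noise
]


def aggregate(alerts, window=WINDOW_SECONDS):
    """Group alerts by (src_ip, window index) and keep a small summary."""
    groups = defaultdict(lambda: {"count": 0, "max_score": 0.0, "ports": set()})
    for ts, src, port, score in alerts:
        g = groups[(src, ts // window)]
        g["count"] += 1
        g["max_score"] = max(g["max_score"], score)
        g["ports"].add(port)
    return dict(groups)


def post_process(groups, min_count=2, min_score=0.9):
    """Forward a group only if it fired repeatedly or once with a high score."""
    return {key: g for key, g in groups.items()
            if g["count"] >= min_count or g["max_score"] >= min_score}


def to_reports(groups, window=WINDOW_SECONDS):
    """Render one operator-facing line per surviving group."""
    lines = []
    for (src, idx), g in sorted(groups.items()):
        start = idx * window
        ports = ",".join(str(p) for p in sorted(g["ports"]))
        lines.append(f"{src} t={start}-{start + window}: {g['count']} alerts, "
                     f"max score {g['max_score']:.2f}, ports {ports}")
    return lines


if __name__ == "__main__":
    groups = aggregate(RAW_ALERTS)
    kept = post_process(groups)
    print(f"{len(RAW_ALERTS)} raw alerts -> {len(groups)} groups -> {len(kept)} reports")
    for line in to_reports(kept):
        print(line)
```

Eight raw alerts become four groups and three reports; the single low-score alert from 10.0.0.12 is dropped, while the repeated 10.0.0.5 activity is kept even though no individual alert scored highly. The thresholds are the knob that trades missed detections against operator load, which is why the threat-model questions above have to be answered before they are set.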

Page 8

Recommendations: Evaluation

Working with data

Honeypots as a data source

Send the experiments to the data owners when traces cannot be shared

Subdivide the dataset into training and test parts

Understanding results

Understand where detections (and false positives) originate

Relate input and output at a low level

Inject a set of known attacks to check coverage

Get feedback from operators

Page 9

Criticism

The authors give recommendations but no proof that their suggestions work

No experiments or results of their own

“The intrusion detection community does not benefit any further from yet another study measuring the performance of some previously untried combination of a machine learning scheme with a particular feature set, applied to something like DARPA dataset”

Page 10

Summary

Imbalance between the amount of research on machine-learning-based anomaly detection and the number of production deployments

The intrusion-detection domain has specific problems that explain this gap

The paper offers deep insight into those problems

Its aim is to initiate discussion, not to present a new system

Page 11

Questions?

The End