Genetic Algorithms and Network Intrusion Detection
Mark McFadden, Northern Kentucky University
by Yogesh Bansal
on 14 May 2014

Transcript of Genetic Algorithms and Network Intrusion Detection

Genetic Algorithms and NID
Mark McFadden

By: Yogesh Bansal
With the increase in network-based attacks in general, and in world-wide access to computer networks and systems in particular, those responsible for network and computer system security need to utilize every tool available.
Introduction
This presentation covers, in order:
• Network intrusion detection
• An example intrusion (Denial of Service [DoS] attack)
• Genetic algorithms and their use with intrusion detection
• Finally, the use of a genetic algorithm within intrusion detection
What is Network Intrusion Detection?
Network based intrusion detection attempts to identify unauthorized, illicit, and anomalous behaviour based solely on network traffic.
A network IDS collects the packets that traverse a given network through a network tap, a SPAN (mirror) port, or a hub. The IDS then processes the captured data and flags any suspicious traffic.
The goal of intrusion detection is to recognize attempts to sabotage in-place security controls (Berge). Specifically, network traffic is analyzed in search of system-based breaches. Network breaches can take various forms; an example intrusion is provided next.
One such intrusion is a Denial of Service (DoS) attack. A DoS attack is typically an attempt by an attacker to prevent valid users of a service from using or having access to that service.
Examples include:
• Attempts to "flood" a network, thereby preventing legitimate network traffic
• Attempts to disrupt connections between two machines, thereby preventing access to a service
• Attempts to prevent a particular individual from accessing a service.
• Attempts to disrupt service to a specific system or person.
Genetic algorithms (GAs) are good tools for finding optimized solutions, and their use in determining rule sets for potential and actual network intrusions is both intuitive and potentially valuable.
Firewall devices are typically the first point of entry into computer networks, so their logs are a natural source of suspect records.
Figure: typical contents of a firewall log entry.
Suspected Intrusion Log Record
For our purposes in the creation of input data for the Genetic Algorithm, we will consider the following firewall log entry.
Structuring the Domain Problem
Chromosome
A typical IDS rule would take the form of the following condition statement:
if {the connection has the following information: source IP 125.19.54.155; destination IP address: 109.1.1.0 ~ 109.1.255.255; destination port number: 8184; the protocol used is FTP; the originator sent more than 10,000 bytes of data; and the responder sent more than 250,000 bytes of data} then {stop the connection}
Given that the input value modeled in Table 2 is similar to a desired IDS rule set, the input rule serves as the model for the chromosome-like data structure.
Within the GA, this input rule is then evolved into a fitter output, which in this case is an IDS rule.
A clearer view of the IDS rule
The Attribute column takes the contents of the above condition and provides labels.
The Range of Values column shows the lower and upper bounds of the rule.
The suspect source rule set is displayed in the Example Values column.
The Descriptions column displays what each item is in the suspect rule and the justification for why the rule may be a potential threat to the network and/or the systems that are nodes within a network.
For a particular domain to be suitable for a genetic algorithm, the domain must be converted into numeric values, either within the GA or as raw input.
These numeric values are referred to as genes and are changed at random, within a range, during an evolutionary cycle.
The set of chromosomes at a given stage of evolution is called a population.
A fitness function is used to calculate the "goodness" of each chromosome.
We can convert the above example into chromosome form, with each row of the rule as a "gene".
Genetic Algorithm Use in Rule Set Creation
First, the GA creates a random population, which is then evaluated for its level of fitness by a fitness function.
Fitness Function
A GA fitness function typically has the following or similar steps.
First, the general outcome is determined based on whether each gene (or allele) "matches" the corresponding field of a suspect log record obtained from a network device such as a firewall.
Then, the function multiplies the "weight" of that field by the degree to which the field value "matched" the suspect record field. Typically, the "match" value is either 1 or 0.
Weight values are assigned to the different genes according to what network devices have historically reported.
For example, if the Destination IP gene has historically been a consistent predictor of a network intrusion, its weight will be higher than that of the other genes.
Moreover, all genes of a particular type share the same weight value, so all Protocol genes have a weight of 15, regardless of how suspect the individual record is.
Next, the delta value, the absolute difference between the "outcome" of the chromosome and the suspicion_level, is computed: delta = |outcome – suspicion_level|.
The suspicion_level is a value indicating whether the historical gene value and the suspicious gene value are considered a "match" according to historic log data.
Continuing with the previous example, given that the Source IP 125.19.54.155 was determined to be a suspicious IP address, the suspicion_level would be high, say 8. With an outcome of 10, the delta is therefore the low value 2 (2 = |10 – 8|).
If the delta is high enough, a penalty value is calculated from it.
The "ranking" used in the penalty calculation indicates whether or not a network intrusion is easy to establish; historical data should determine its value.
For example, given that the Destination IP addresses of certain asset systems are well known within an organization, this ranking would be higher.
Finally, the chromosome's fitness is computed from the penalty.
The fitness result lies between 0 and 1.
In summary, after the fitness function has run within the GA, the fitness level is reviewed. If the desired fitness level is not obtained, the algorithm evolves the population through the selection, crossover (recombination), and mutation functions.
Selection
Once the initial population (of chromosomes) has been evaluated, the GA produces new generations and iteratively refines the initial outcomes so that the fittest chromosomes are more likely to rank highly. The objective is to produce a new generation of chromosomes to evaluate.
Crossover
In essence, the crossover operation creates new chromosomes that share the positive characteristics of the parent chromosomes while at the same time reducing the negative attributes in a child chromosome.
Figure: an example of a crossover of chromosomes from the parents to their offspring.
Although this step is typical of most genetic algorithms, in the case of this project's chromosome the crossover operation may not be beneficial. While a Source or Destination IP may be bounded by lower and upper IPs, a crossover of the IP octet values would probabilistically not be advantageous.
For example, crossing over the parental values 209.103.51.134 and 101.1.25.193 could result in the child IP addresses 209.103.25.193 and 101.1.51.134. However, the probability that these offspring are suspicious Source or Destination IP addresses is low.
Mutation
The final step in generating a new population is mutation.
This phase randomly alters a gene's value to create a different one.
Figure: how a gene's value is changed, thereby creating a new chromosome.
Concerning the applicability of this step to the network intrusion chromosome, as with the crossover step above, the probability of useful outcomes is minimal.
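The selection, crossover and mutation steps described from the Selection heading through this Mutation section, as an added Python example; this is not code from the presentation or its author. The page names the three operators but gives no code or parameters, so tournament selection, single-point crossover and uniform mutation within each gene's bounds are standard operators assumed here, and the gene layout (four source-IP octets, destination port, protocol code, originator bytes, responder bytes), the bounds, the starting population and its fitness scores are all constructed. `crossover_ips` reproduces the page's 209.103.51.134 × 101.1.25.193 example, and `in_subnet` checks the page's point about it: both offspring land outside either parent's /24.

```python
"""Selection, crossover and mutation over a network-intrusion chromosome.
Added example, not the presentation's code; operators, gene layout, bounds and
the starting population are assumptions (see the lead-in)."""
import ipaddress
import random

# Assumed gene layout and per-gene (lower, upper) bounds used by mutation.
GENE_NAMES = ("src_o1", "src_o2", "src_o3", "src_o4",
              "dst_port", "protocol", "orig_bytes", "resp_bytes")
BOUNDS = [(0, 255)] * 4 + [(0, 65535), (1, 5), (0, 10_000_000), (0, 10_000_000)]


def ip_to_octets(dotted):
    return [int(o) for o in dotted.split(".")]


def octets_to_ip(octets):
    return ".".join(str(o) for o in octets)


def single_point_crossover(parent_a, parent_b, point):
    """Swap the gene tails after `point`; returns the two children."""
    return (parent_a[:point] + parent_b[point:],
            parent_b[:point] + parent_a[point:])


def crossover_ips(ip_a, ip_b, point=2):
    """The page's example: crossover applied to the octets of two IP addresses."""
    child_a, child_b = single_point_crossover(ip_to_octets(ip_a), ip_to_octets(ip_b), point)
    return octets_to_ip(child_a), octets_to_ip(child_b)


def in_subnet(dotted, network):
    """Does an offspring IP still fall inside a range the rule set cares about?"""
    return ipaddress.IPv4Address(dotted) in ipaddress.IPv4Network(network)


def tournament_select(population, fitnesses, rng, k=2):
    """Selection: draw k candidates at random and keep the fittest, so fitter
    chromosomes are more likely to become parents."""
    contenders = rng.sample(range(len(population)), k)
    return population[max(contenders, key=lambda i: fitnesses[i])]


def mutate(chromosome, rng, rate=0.1):
    """Mutation: with probability `rate`, replace a gene by a random value in its bounds."""
    return [rng.randint(lo, hi) if rng.random() < rate else gene
            for gene, (lo, hi) in zip(chromosome, BOUNDS)]


def within_bounds(chromosome):
    return all(lo <= gene <= hi for gene, (lo, hi) in zip(chromosome, BOUNDS))


def next_generation(population, fitnesses, rng, mutation_rate=0.1):
    """One evolutionary cycle: selection -> crossover -> mutation."""
    children = []
    while len(children) < len(population):
        parent_a = tournament_select(population, fitnesses, rng)
        parent_b = tournament_select(population, fitnesses, rng)
        point = rng.randint(1, len(parent_a) - 1)
        for child in single_point_crossover(parent_a, parent_b, point):
            children.append(mutate(child, rng, mutation_rate))
    return children[:len(population)]


def make_chromosome(src_ip, dst_port, protocol, orig_bytes, resp_bytes):
    return ip_to_octets(src_ip) + [dst_port, protocol, orig_bytes, resp_bytes]


# Constructed starting population with constructed fitness scores in 0..1.
POPULATION = [
    make_chromosome("125.19.54.155", 8184, 5, 10500, 250000),
    make_chromosome("209.103.51.134", 21, 5, 900, 12000),
    make_chromosome("101.1.25.193", 443, 1, 64000, 4000),
    make_chromosome("10.0.0.7", 8184, 5, 20000, 300000),
]
FITNESSES = [0.8, 0.2, 0.3, 0.7]


def evolve_once(seed=7, mutation_rate=0.1):
    """Run a single generation over the constructed population with a fixed seed."""
    return next_generation(POPULATION, FITNESSES, random.Random(seed), mutation_rate)


if __name__ == "__main__":
    print(crossover_ips("209.103.51.134", "101.1.25.193"))
    for child in evolve_once():
        print(octets_to_ip(child[:4]), child[4:])
```

Running `evolve_once()` shows the second half of the page's objection as well: with the octets mutated independently within 0..255, a mutated source address is as likely to land in unallocated or unrelated space as in a range that was ever seen in the firewall log, which is why a rule-level representation (ranges, as in the fitness example) is a better fit for this domain than raw octets.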
The Rule Set
Essentially, the rule set is produced from the output of the GA.
For example, the input Source IP = 1829975662 (the IPv4 address 109.19.54.110) | Destination IP = 1828782356 (the IPv4 address 109.1.1.20) | Destination Port = 8184 | Protocol = 5 | Originator Bytes = 10500 | Responder Bytes = 250000
could produce the following rule:
if {the connection has the following information: source IP 125.19.54.155; destination IP address: 119.1.1.17 ~ 119.1.1.21; destination port number: 8184; the protocol used is FTP; the originator sent more than 10,000 bytes of data; and the responder sent more than 250,000 bytes of data} then {log the intrusion and stop the connection}
Conclusion
In conclusion, one can see how a genetic algorithm can be useful in the creation of rule sets to detect network intrusions. Moreover, genetic algorithms are potential tools for optimized rule sets and for the determination of potential and actual network intrusions.
Questions?
Thank you for your attention!