POLVO-IIDS: Um Sistema de Detecção de Intrusão Inteligente Baseado em Anomalias
Resumo
Os sistemas de detecção de intrusão (IDS) têm como atribuição a identificação de ataques e ameaças aos sistemas computacionais. Adicionalmente, os IDSs podem desempenhar funções de prevenção a intrusão (IPS), incluíndo-se ações pro-ativas às intrusões. Um problema recorrente destes sistemas de detecção de intrusão é a dificuldade de diferenciar ataques de acessos legítimos. Muitos sistemas utilizam assinaturas de ataques conhecidos, contudo não conseguem identificar variações destes ataques nem novos ataques. Este artigo apresenta um modelo de sistema de detecção de intrusão que classifica mensagens por análise comportamental como normal ou anômala. Para detecção de anomalias são utilizadas duas técnicas de inteligência artificial chamadas support vector machine (SVM) e redes neurais de Kohonen (KNN). O uso destas técnicas em conjunto visa melhorar a taxa de acerto do IDS desenvolvido, identificando ataques conhecidos ou novos em tempo real.
Referências
Allen, J., Christie, A., Fithen, W., McHugh, J., and Pickel, J. (2000). State of the practice of intrusion detection technologies. In CMU/SEI-99-TR-028, Carnegie Mellon Software Engineering Institute.
Bolzoni, D., Etalle, S., and Hartel, P. (2006). Poseidon: a 2-tier anomaly-based network intrusion detection system. In Fourth IEEE International Workshop on Information Assurance, pages 220–237.
Bridges, S. M. and Vaughn, R. B. (2000). Fuzzy data mining and genetic algorithms applied to intrusion detection. In National Information Systems Security Conference (NISSC), Baltimore, MD.
Cannady, J. (1998). Artificial neural networks for misuse detection. In Proceedings of the 1998 National Information Systems Security Conference (NISSC’98), pages 443–456, Arlington, VA.
Chen, W.-H., Hsu, S.-H., and Shen, H.-P. (2005). Application of svm and ann for intrusion detection. Comput. Oper. Res., 32(10):2617–2634.
Ghosh, A., Wanken, J., and Charron, F. (1998). Detecting anomalous and unknown intrusions against programs. In Proceedings Annual Computer Security Applications (ACSAC), Los Alamitos, CA.
Giacinto, G., Roli, F., and Didaci, L. (2003). Fusion of multiple classifiers for intrusion detection in computer networks.
Haijun, X., Fang, P., Ling, W., and Hongwei, L. (2007). Ad hoc-based feature selection and support vector machine classifier for intrusion detection. In Proceedings of 2007 IEEE Conference on Grey Systems and Intelligent Services, Nanjing, China.
Kayacik, H. G., Zincir-Heywood, A. N., and Heywood, M. I. (2003). On the capability of an som based intrusion detection system. In Proceedings of the International Joint Conference on Neural Networks, volume 3, pages 1808–1813.
Kohonen, T. (1988). Self-organized formation of topologically correct feature maps. Journal of the American Society for Information Science and Technology, pages 509–521.
Kröse, B. and van der Smagt, P. (1996). An introduction to neural networks. URL ftp://ftp.informatik.uni-freiburg.de/papers/neuro/ann_intro_smag.ps.gz, The University of Amsterdam.
Lee, H. D. (2001). Training a neural-network based intrusion detector to recognize novel attacks, systems, man and cybernetics. In IEEE Transactions on IEEE Computer Press 31, pages 294–299.
Lee, W. and Stolfo, S. (2000). A framework for constructing features and models for intrusion detection systems. 3(4):227–261.
Lee, W., Stolfo, S., and Mok, K. (1998). Mining audit data to build intrusion detection models. In Proceedings of the fourth international conference on knowledge discovery and data mining, New York.
Lei, J. Z. and Ghorbani, A. (2004). Network intrusion detection using an improved competitive learning neural network. In Proceedings of the Second Annual Conference on Communication Networks and Services Research (CNSR), pages 190–197.
Liu, G., Yi, Z., and Yang, S. (2006). A hierarchical intrusion detection model based on the pca neural networks. Journal of the American Society for Information Science and Technology, pages 1561–1568.
Lunt, T. (1993). Detecting intruders in computer systems. In Proceedings of 1993 Conference on Auditing and Computer Technology.
Luo, J. (1999). Integrating fuzzy logic with data mining methods for intrusion detection. In M.S. Thesis, Mississippi.
Mukkamala, R., Gagnon, J., and Jajodia, S. (2000). Integrating data mining techniques with intrusion detection methods. In Research Advances in Database and Information Systems Security, Boston, MA.
Mukkamala, S., Janoski, G., and Sung, A. (2002). Intrusion detection using neural networks and support vector machines. In Proceedings of the 2002 International Joint Conference on Neural Networks, IJCNN ’02, volume 2, pages 1702–1707.
Shyu, M., Chen, S., Sarinnapakorn, K., and Chang, L. (2003). A novel anomaly detection scheme based on principal component classifier. In Proceedings of ICDM’03, pages 172–179.
Stolfo, J. S., Wei, F., Lee, W., Prodromidis, A., and Chan, P. K. (1999). Kdd cup data knowledge discovery and data mining competition (1999).
Wang, H., Huang, J. Z., Qu, Y., and Xie, J. (2004). Web services: problems and future directions. J. Web Sem., 1(3):309–320.
Xiang, C. and Lim, S. M. (2005). Design of multiple-level hybrid classifier for intrusion detection system. In Proceedings of 2005 IEEE Workshop on Machine Learning for Signal Processing, pages 117–122.
Zanero, S. and Savaresi, S. M. (2004). Unsupervised learning techniques for an intrusion detection system. In Proceedings of the ACM symposium on Applied computing, pages 412–419, Nicosia, Cyprus.
Bolzoni, D., Etalle, S., and Hartel, P. (2006). Poseidon: a 2-tier anomaly-based network intrusion detection system. In Fourth IEEE International Workshop on Information Assurance, pages 220–237.
Bridges, S. M. and Vaughn, R. B. (2000). Fuzzy data mining and genetic algorithms applied to intrusion detection. In National Information Systems Security Conference (NISSC), Baltimore, MD.
Cannady, J. (1998). Artificial neural networks for misuse detection. In Proceedings of the 1998 National Information Systems Security Conference (NISSC’98), pages 443–456, Arlington, VA.
Chen, W.-H., Hsu, S.-H., and Shen, H.-P. (2005). Application of svm and ann for intrusion detection. Comput. Oper. Res., 32(10):2617–2634.
Ghosh, A., Wanken, J., and Charron, F. (1998). Detecting anomalous and unknown intrusions against programs. In Proceedings Annual Computer Security Applications (ACSAC), Los Alamitos, CA.
Giacinto, G., Roli, F., and Didaci, L. (2003). Fusion of multiple classifiers for intrusion detection in computer networks.
Haijun, X., Fang, P., Ling, W., and Hongwei, L. (2007). Ad hoc-based feature selection and support vector machine classifier for intrusion detection. In Proceedings of 2007 IEEE Conference on Grey Systems and Intelligent Services, Nanjing, China.
Kayacik, H. G., Zincir-Heywood, A. N., and Heywood, M. I. (2003). On the capability of an som based intrusion detection system. In Proceedings of the International Joint Conference on Neural Networks, volume 3, pages 1808–1813.
Kohonen, T. (1988). Self-organized formation of topologically correct feature maps. Journal of the American Society for Information Science and Technology, pages 509–521.
Kröse, B. and van der Smagt, P. (1996). An introduction to neural networks. URL ftp://ftp.informatik.uni-freiburg.de/papers/neuro/ann_intro_smag.ps.gz, The University of Amsterdam.
Lee, H. D. (2001). Training a neural-network based intrusion detector to recognize novel attacks, systems, man and cybernetics. In IEEE Transactions on IEEE Computer Press 31, pages 294–299.
Lee, W. and Stolfo, S. (2000). A framework for constructing features and models for intrusion detection systems. 3(4):227–261.
Lee, W., Stolfo, S., and Mok, K. (1998). Mining audit data to build intrusion detection models. In Proceedings of the fourth international conference on knowledge discovery and data mining, New York.
Lei, J. Z. and Ghorbani, A. (2004). Network intrusion detection using an improved competitive learning neural network. In Proceedings of the Second Annual Conference on Communication Networks and Services Research (CNSR), pages 190–197.
Liu, G., Yi, Z., and Yang, S. (2006). A hierarchical intrusion detection model based on the pca neural networks. Journal of the American Society for Information Science and Technology, pages 1561–1568.
Lunt, T. (1993). Detecting intruders in computer systems. In Proceedings of 1993 Conference on Auditing and Computer Technology.
Luo, J. (1999). Integrating fuzzy logic with data mining methods for intrusion detection. In M.S. Thesis, Mississippi.
Mukkamala, R., Gagnon, J., and Jajodia, S. (2000). Integrating data mining techniques with intrusion detection methods. In Research Advances in Database and Information Systems Security, Boston, MA.
Mukkamala, S., Janoski, G., and Sung, A. (2002). Intrusion detection using neural networks and support vector machines. In Proceedings of the 2002 International Joint Conference on Neural Networks, IJCNN ’02, volume 2, pages 1702–1707.
Shyu, M., Chen, S., Sarinnapakorn, K., and Chang, L. (2003). A novel anomaly detection scheme based on principal component classifier. In Proceedings of ICDM’03, pages 172–179.
Stolfo, J. S., Wei, F., Lee, W., Prodromidis, A., and Chan, P. K. (1999). Kdd cup data knowledge discovery and data mining competition (1999).
Wang, H., Huang, J. Z., Qu, Y., and Xie, J. (2004). Web services: problems and future directions. J. Web Sem., 1(3):309–320.
Xiang, C. and Lim, S. M. (2005). Design of multiple-level hybrid classifier for intrusion detection system. In Proceedings of 2005 IEEE Workshop on Machine Learning for Signal Processing, pages 117–122.
Zanero, S. and Savaresi, S. M. (2004). Unsupervised learning techniques for an intrusion detection system. In Proceedings of the ACM symposium on Applied computing, pages 412–419, Nicosia, Cyprus.
Publicado
01/09/2008
Como Citar
MAFRA, Paulo M.; FRAGA, Joni da Silva; MOLL, Vinícius; SANTIN, Altair Olivo.
POLVO-IIDS: Um Sistema de Detecção de Intrusão Inteligente Baseado em Anomalias. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 8. , 2008, Gramado.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2008
.
p. 61-72.
DOI: https://doi.org/10.5753/sbseg.2008.20888.
