Conclusions and Future Work
5.2 Limitations and Future Work
There are some challenges faced by the DNIDS. Like other supervised learning algorithms, the knowledge gathered by our approach is limited by the training data. However, users' behaviors change from time to time. The static training data might become outdated and deficient for prediction as time goes by. Thus, we suggest a periodic update to the training sets and profiles. This process could be done off-line without affecting the on-line detection system.
In addition, the computational complexity of the CSI-KNN is still an obstacle for online application. Although the computational complexity can be reduced by a down-sampling process that reduces the number of training instances, the effectiveness of down-sampling may vary for different training sets. To solve this problem, KNN optimization techniques such as Kd-tree and fixed-width clustering can be used along with the down-sampling. By partitioning the feature space, the optimization method reduces the number of instances involved in the KNN distance calculation.
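The following is an added illustration of the optimization described above; it is not code from the thesis or from the DNIDS implementation. It builds a minimal k-d tree over a constructed training set (random feature vectors with a synthetic normal/attack label standing in for the CSI-KNN feature space), runs the same k-nearest-neighbour query through the tree and through a brute-force scan, and counts how many distance calculations each performs. The down-sampling helper, the labels and the query are all constructed here for the example.

```python
"""Added example: k-d tree KNN query versus brute-force KNN, with the number of
distance evaluations counted, plus a simple random down-sampling step.
All data is constructed for the example; nothing here is DNIDS code."""
import heapq
import random


def sq_dist(a, b):
    """Squared Euclidean distance between two feature vectors (lists of floats)."""
    return sum((x - y) ** 2 for x, y in zip(a, b))


def downsample(points, labels, fraction, seed=0):
    """Keep a random fraction of the training instances (constructed down-sampling)."""
    rng = random.Random(seed)
    keep = [i for i in range(len(points)) if rng.random() < fraction]
    return [points[i] for i in keep], [labels[i] for i in keep]


class KDNode:
    __slots__ = ("point", "label", "axis", "left", "right")

    def __init__(self, point, label, axis, left, right):
        self.point, self.label, self.axis = point, label, axis
        self.left, self.right = left, right


def build_kdtree(points, labels, depth=0):
    """Partition the feature space by cycling through the axes and splitting at the median."""
    if not points:
        return None
    axis = depth % len(points[0])
    order = sorted(range(len(points)), key=lambda i: points[i][axis])
    mid = len(order) // 2
    lo, hi = order[:mid], order[mid + 1:]
    return KDNode(points[order[mid]], labels[order[mid]], axis,
                  build_kdtree([points[i] for i in lo], [labels[i] for i in lo], depth + 1),
                  build_kdtree([points[i] for i in hi], [labels[i] for i in hi], depth + 1))


def knn_kdtree(root, query, k):
    """Return (sorted [(dist2, label)...], number of distance evaluations).
    Sub-trees on the far side of a split are visited only when the splitting plane
    is closer than the current k-th best neighbour, which is where the saving comes from."""
    heap = []      # max-heap (via negation) holding the k best candidates so far
    evals = 0

    def visit(node):
        nonlocal evals
        if node is None:
            return
        d2 = sq_dist(query, node.point)
        evals += 1
        if len(heap) < k:
            heapq.heappush(heap, (-d2, node.label))
        elif d2 < -heap[0][0]:
            heapq.heapreplace(heap, (-d2, node.label))
        diff = query[node.axis] - node.point[node.axis]
        near, far = (node.left, node.right) if diff < 0 else (node.right, node.left)
        visit(near)
        if len(heap) < k or diff * diff < -heap[0][0]:
            visit(far)

    visit(root)
    return sorted((-nd2, lab) for nd2, lab in heap), evals


def knn_brute(points, labels, query, k):
    """Reference KNN that evaluates the distance to every training instance."""
    ranked = sorted((sq_dist(query, p), lab) for p, lab in zip(points, labels))
    return ranked[:k], len(points)


def majority_label(neighbours):
    """Plain majority vote over the (dist2, label) neighbour list."""
    votes = {}
    for _, lab in neighbours:
        votes[lab] = votes.get(lab, 0) + 1
    return max(votes, key=votes.get)


def make_dataset(n, dim, seed=7):
    """Constructed training set: uniform random vectors, label 1 ('attack') if the
    coordinate sum exceeds half the dimension, else 0 ('normal')."""
    rng = random.Random(seed)
    points = [[rng.random() for _ in range(dim)] for _ in range(n)]
    labels = [1 if sum(p) > dim / 2 else 0 for p in points]
    return points, labels


def compare(n=2000, dim=4, k=5, seed=7):
    """Run both KNN variants on the same query; returns the two neighbour lists
    and the two distance-evaluation counts so the reader can check they agree."""
    points, labels = make_dataset(n, dim, seed)
    query = [random.Random(seed + 1).random() for _ in range(dim)]
    root = build_kdtree(points, labels)
    kd_res, kd_evals = knn_kdtree(root, query, k)
    bf_res, bf_evals = knn_brute(points, labels, query, k)
    return kd_res, bf_res, kd_evals, bf_evals


if __name__ == "__main__":
    kd_res, bf_res, kd_evals, bf_evals = compare()
    print("same neighbours:", kd_res == bf_res)
    print("distance evaluations: k-d tree %d, brute force %d" % (kd_evals, bf_evals))
    print("predicted label:", majority_label(kd_res))
```

Because the tree is built from the training instances, rebuilding it is part of the off-line update step suggested earlier; the on-line query cost then depends on how many leaves the pruning test visits, which in turn depends on the dimensionality of the feature space and on how well the down-sampled set covers it.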
A limitation of the intrusion-tolerant mechanism is that it is unable to detect unauthorized modification of the DNIDS configuration files. An attacker may change the configuration file and fool the Alert Agents (AAs) into refraining from checking the monitored classifiers. In this case, the mechanism fails in its task. This problem can be solved by introducing a function that compares the configuration information on the local host with the information in the services table.
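The check proposed above, written out as an added example rather than as code from the thesis: the services table (whose schema the thesis does not give, so the fields used here are assumptions) records, at registration time, a digest of each component's trusted configuration together with the set of classifiers the AA must monitor and its check interval; the verification function later compares what is found on the local host against that record and reports every discrepancy. The JSON layout of the configuration file and the component name are likewise constructed for this example.

```python
"""Added example: verifying an Alert Agent's local configuration against the
services table. Schema, file format and names are assumptions, not DNIDS code."""
import hashlib
import json


def digest(config_text):
    """SHA-256 over the exact bytes of the configuration file."""
    return hashlib.sha256(config_text.encode("utf-8")).hexdigest()


def register_component(services_table, name, config_text):
    """Record a component's trusted configuration in the services table at deployment
    time. The table is assumed to live on a separate, better-protected host."""
    cfg = json.loads(config_text)
    services_table[name] = {
        "config_sha256": digest(config_text),
        "monitored": sorted(cfg["monitored_classifiers"]),
        "check_interval": cfg["check_interval_seconds"],
    }


def verify_local_config(services_table, name, local_config_text):
    """Compare the configuration found on the local host with the services-table
    record. Returns a list of discrepancies; an empty list means it is intact."""
    entry = services_table.get(name)
    if entry is None:
        return ["component %s is not registered in the services table" % name]
    problems = []
    # Whole-file digest catches any edit, including ones in fields not compared below.
    if digest(local_config_text) != entry["config_sha256"]:
        problems.append("configuration digest does not match the services table")
    try:
        cfg = json.loads(local_config_text)
    except ValueError:
        return problems + ["local configuration is not valid JSON"]
    # Field-level comparison explains *what* changed, which is what the AA needs
    # in order to decide whether a classifier has silently dropped out of monitoring.
    local_monitored = set(cfg.get("monitored_classifiers", []))
    expected = set(entry["monitored"])
    for missing in sorted(expected - local_monitored):
        problems.append("classifier %s removed from the monitored set" % missing)
    for extra in sorted(local_monitored - expected):
        problems.append("unexpected classifier %s in the monitored set" % extra)
    if cfg.get("check_interval_seconds") != entry["check_interval"]:
        problems.append("check interval changed from %s to %s"
                        % (entry["check_interval"], cfg.get("check_interval_seconds")))
    return problems


# Constructed sample configurations for the example.
TRUSTED_CONFIG = json.dumps(
    {"monitored_classifiers": ["csi-knn-1", "csi-knn-2"], "check_interval_seconds": 30},
    indent=2)
TAMPERED_CONFIG = json.dumps(
    {"monitored_classifiers": ["csi-knn-1"], "check_interval_seconds": 3600},
    indent=2)


def demo():
    """Register the trusted configuration, then verify an intact and a tampered copy."""
    table = {}
    register_component(table, "aa-host1", TRUSTED_CONFIG)
    intact = verify_local_config(table, "aa-host1", TRUSTED_CONFIG)
    tampered = verify_local_config(table, "aa-host1", TAMPERED_CONFIG)
    return intact, tampered


if __name__ == "__main__":
    ok, bad = demo()
    print("intact configuration:", ok or "no discrepancies")
    for line in bad:
        print("tampered configuration:", line)
```

The comparison is only as trustworthy as the services table it reads from: if the table were stored on the same host as the configuration file, the same unauthorized modification could alter both, so the example assumes the table is held by a separate component and fetched by the AA at each check.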
To improve the usability of the DNIDS, the future work we are working toward is as follows: more checking rules are going to be developed and implemented for the AA to improve its ability to detect compromised components; host-based IDSs will be introduced to the DNIDS and used to monitor the hosts and the NIDS components; an intelligent system will be employed to analyze the intrusion alerts generated by the CSI-KNN-based NIDS and aid the intrusion-tolerant mechanism in treating the compromised components; and finally, a response mechanism is to be introduced in order to stop intrusions before a failure occurs.