CS 5323 Intrusion Detection Evaluation Prof Ravi Sandhu

  • Slides: 25
Download presentation
CS 5323 Intrusion Detection Evaluation Prof. Ravi Sandhu Executive Director and Endowed Chair Lecture

CS 5323 Intrusion Detection Evaluation Prof. Ravi Sandhu Executive Director and Endowed Chair Lecture 12 ravi. utsa@gmail. com www. profsandhu. com Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and Payne, B. D. , 2015. Evaluating computer intrusion detection systems: A survey of common practices. ACM Computing Surveys (CSUR), 48(1), p. 12. © Ravi Sandhu World-Leading Research with Real-World Impact! 1

IDS Categorization Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and

IDS Categorization Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and Payne, B. D. , 2015. Evaluating computer intrusion detection systems: A survey of common practices. ACM Computing Surveys (CSUR), 48(1), p. 12. Table 1 © Ravi Sandhu World-Leading Research with Real-World Impact! 2

IDS Categorization Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and

IDS Categorization Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and Payne, B. D. , 2015. Evaluating computer intrusion detection systems: A survey of common practices. ACM Computing Surveys (CSUR), 48(1), p. 12. Table 1 © Ravi Sandhu World-Leading Research with Real-World Impact! 3

Design Space Ø Workloads Ø Metrics Ø Measurement methodology © Ravi Sandhu World-Leading Research

Design Space Ø Workloads Ø Metrics Ø Measurement methodology © Ravi Sandhu World-Leading Research with Real-World Impact! 4

Workloads Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and Payne,

Workloads Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and Payne, B. D. , 2015. Evaluating computer intrusion detection systems: A survey of common practices. ACM Computing Surveys (CSUR), 48(1), p. 12. Figure 1 © Ravi Sandhu World-Leading Research with Real-World Impact! 5

Workloads Table III and IV Table II Figure 2 Publicly available traces DARPA 98,

Workloads Table III and IV Table II Figure 2 Publicly available traces DARPA 98, 99, 00 KDD 99 (derivative) Table V Symantec onsite testing Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and Payne, B. D. , 2015. Evaluating computer intrusion detection systems: A survey of common practices. ACM Computing Surveys (CSUR), 48(1), p. 12. Figure 1 © Ravi Sandhu World-Leading Research with Real-World Impact! 6

Vulnerability and Attack Injection Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer,

Vulnerability and Attack Injection Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and Payne, B. D. , 2015. Evaluating computer intrusion detection systems: A survey of common practices. ACM Computing Surveys (CSUR), 48(1), p. 12. Figure 2 © Ravi Sandhu World-Leading Research with Real-World Impact! 7

Honeypots Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and Payne,

Honeypots Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and Payne, B. D. , 2015. Evaluating computer intrusion detection systems: A survey of common practices. ACM Computing Surveys (CSUR), 48(1), p. 12. Figure 3 © Ravi Sandhu World-Leading Research with Real-World Impact! 8

Metrics Not discussed in lecture Milenkoski, A. , Vieira, M. , Kounev, S. ,

Metrics Not discussed in lecture Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and Payne, B. D. , 2015. Evaluating computer intrusion detection systems: A survey of common practices. ACM Computing Surveys (CSUR), 48(1), p. 12. Figure 4 © Ravi Sandhu World-Leading Research with Real-World Impact! 9

Metrics: Basic Dependent on base rate Milenkoski, A. , Vieira, M. , Kounev, S.

Metrics: Basic Dependent on base rate Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and Payne, B. D. , 2015. Evaluating computer intrusion detection systems: A survey of common practices. ACM Computing Surveys (CSUR), 48(1), p. 12. Figure 4 © Ravi Sandhu World-Leading Research with Real-World Impact! 10

Receiver Operating Curve (ROC) https: //en. wikipedia. org/wiki/Receiver_operating_characteristic © Ravi Sandhu World-Leading Research with

Receiver Operating Curve (ROC) https: //en. wikipedia. org/wiki/Receiver_operating_characteristic © Ravi Sandhu World-Leading Research with Real-World Impact! 11

Zero Reference Curve (ZRC) https: //en. wikipedia. org/wiki/Receiver_operating_characteristic © Ravi Sandhu World-Leading Research with

Zero Reference Curve (ZRC) https: //en. wikipedia. org/wiki/Receiver_operating_characteristic © Ravi Sandhu World-Leading Research with Real-World Impact! 12

ROC Limitations Ø Intrusion detection is not a binary yes/no problem Ø Unit of

ROC Limitations Ø Intrusion detection is not a binary yes/no problem Ø Unit of measurement is ambiguous v Flow versus packet Ø Does not account for base rate P(I) © Ravi Sandhu World-Leading Research with Real-World Impact! 13

Receiver Operating Curve (ROC) Assumed ROC: fixes 1 point, 0. 7 Detection rate, 0.

Receiver Operating Curve (ROC) Assumed ROC: fixes 1 point, 0. 7 Detection rate, 0. 00001 False alarm rate Others are reported results from literature All anomaly detectors are in Fig 2 Axelsson, Stefan. The base-rate fallacy and the difficulty of intrusion detection. ACM Transactions on Information and System Security (TISSEC) 3, no. 3 (2000): 186 -205. Figures 2 and 3 © Ravi Sandhu World-Leading Research with Real-World Impact! 14

Intrusion Detection Effectiveness Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A.

Intrusion Detection Effectiveness Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and Payne, B. D. , 2015. Evaluating computer intrusion detection systems: A survey of common practices. ACM Computing Surveys (CSUR), 48(1), p. 12. © Ravi Sandhu World-Leading Research with Real-World Impact! 15

Intrusion Detection Effectiveness ZRC Compare area under ROC curve Milenkoski, A. , Vieira, M.

Intrusion Detection Effectiveness ZRC Compare area under ROC curve Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and Payne, B. D. , 2015. Evaluating computer intrusion detection systems: A survey of common practices. ACM Computing Surveys (CSUR), 48(1), p. 12. © Ravi Sandhu World-Leading Research with Real-World Impact! 16

Intrusion Detection Effectiveness Assumes Base rate, P(I) = 0. 1 ZRC Compare area under

Intrusion Detection Effectiveness Assumes Base rate, P(I) = 0. 1 ZRC Compare area under ROC curve TFP: max acceptable false positive rate Compare area difference between PPVZRC and PPVIDS up to TFP Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and Payne, B. D. , 2015. Evaluating computer intrusion detection systems: A survey of common practices. ACM Computing Surveys (CSUR), 48(1), p. 12. © Ravi Sandhu World-Leading Research with Real-World Impact! 17

Metrics: Cost-Based These p 1 p 2 p 3 are different, apply to false

Metrics: Cost-Based These p 1 p 2 p 3 are different, apply to false alert filter Cα: cost of false positive Cβ: cost of false negative C = Cβ/Cα p 1 = P(A) p 2 = P(I|A) p 3 = P(I|¬A) Cexp = Min(CβB, (1 -α)(1 -B)) + Min(C(1 -β)B, α(1 -B)) Crec = CβB + α(1 -B) Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and Payne, B. D. , 2015. Evaluating computer intrusion detection systems: A survey of common practices. ACM Computing Surveys (CSUR), 48(1), p. 12. Figure 6 © Ravi Sandhu World-Leading Research with Real-World Impact! 18

Metrics: Cost-Based Assumptions: B = 0. 1 C = 10 α, β same for

Metrics: Cost-Based Assumptions: B = 0. 1 C = 10 α, β same for base IDS and its false alarm filter Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and Payne, B. D. , 2015. Evaluating computer intrusion detection systems: A survey of common practices. ACM Computing Surveys (CSUR), 48(1), p. 12. © Ravi Sandhu World-Leading Research with Real-World Impact! 19

Measurement Methodology Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and

Measurement Methodology Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and Payne, B. D. , 2015. Evaluating computer intrusion detection systems: A survey of common practices. ACM Computing Surveys (CSUR), 48(1), p. 12. © Ravi Sandhu World-Leading Research with Real-World Impact! 20

Case Study: Snort True positive rate = 2/8 = 0. 25 True positive rate

Case Study: Snort True positive rate = 2/8 = 0. 25 True positive rate = 24/28 = 0. 85 Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and Payne, B. D. , 2015. Evaluating computer intrusion detection systems: A survey of common practices. ACM Computing Surveys (CSUR), 48(1), p. 12. © Ravi Sandhu World-Leading Research with Real-World Impact! 21

Case Study: Snort Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A.

Case Study: Snort Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and Payne, B. D. , 2015. Evaluating computer intrusion detection systems: A survey of common practices. ACM Computing Surveys (CSUR), 48(1), p. 12. © Ravi Sandhu World-Leading Research with Real-World Impact! 22

Case Study: Snort Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A.

Case Study: Snort Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and Payne, B. D. , 2015. Evaluating computer intrusion detection systems: A survey of common practices. ACM Computing Surveys (CSUR), 48(1), p. 12. © Ravi Sandhu World-Leading Research with Real-World Impact! 23

Measurement Methodology Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and

Measurement Methodology Milenkoski, A. , Vieira, M. , Kounev, S. , Avritzer, A. and Payne, B. D. , 2015. Evaluating computer intrusion detection systems: A survey of common practices. ACM Computing Surveys (CSUR), 48(1), p. 12. © Ravi Sandhu World-Leading Research with Real-World Impact! 24

Future Directions Ø Ø High speed IDSs for virtualized environments (e. g. , cloud)

Future Directions Ø Ø High speed IDSs for virtualized environments (e. g. , cloud) IDSs for detecting APTs (advanced persistent threats) IDSs for detecting zero day attacks © Ravi Sandhu World-Leading Research with Real-World Impact! 25

CS 5323 Intrusion Detection Evaluation Prof Ravi SandhuCS 5323 Intrusion Detection Evaluation Prof Ravi Sandhu
OMAM and PEI Prof Ravi Sandhu Ravi SandhuOMAM and PEI Prof Ravi Sandhu Ravi Sandhu
Introduction to Information Security Ravi Sandhu Ravi SandhuIntroduction to Information Security Ravi Sandhu Ravi Sandhu
Intrusion Detection System 1 Intrusion Detection Intrusion detectionIntrusion Detection System 1 Intrusion Detection Intrusion detection
CS 5323 PublicKey Certificates Prof Ravi Sandhu ExecutiveCS 5323 PublicKey Certificates Prof Ravi Sandhu Executive
CS 5323 Authentication by Passwords Prof Ravi SandhuCS 5323 Authentication by Passwords Prof Ravi Sandhu
CS 5323 Symmetric Cryptography Prof Ravi Sandhu ExecutiveCS 5323 Symmetric Cryptography Prof Ravi Sandhu Executive
CS 5323 Asymmetric Cryptography Prof Ravi Sandhu ExecutiveCS 5323 Asymmetric Cryptography Prof Ravi Sandhu Executive
CS 5323 Asymmetric Cryptography Prof Ravi Sandhu ExecutiveCS 5323 Asymmetric Cryptography Prof Ravi Sandhu Executive
CS 5323 PublicKey Certificates Prof Ravi Sandhu ExecutiveCS 5323 PublicKey Certificates Prof Ravi Sandhu Executive
CS 5323 Asymmetric Cryptography Prof Ravi Sandhu ExecutiveCS 5323 Asymmetric Cryptography Prof Ravi Sandhu Executive
CS 5323 Malware Prof Ravi Sandhu Executive DirectorCS 5323 Malware Prof Ravi Sandhu Executive Director
CS 5323 Firewalls Prof Ravi Sandhu Executive DirectorCS 5323 Firewalls Prof Ravi Sandhu Executive Director
Intrusion Detection Arun Hodigere Intrusion and Intrusion DetectionIntrusion Detection Arun Hodigere Intrusion and Intrusion Detection
Intrusion Detection Arun Hodigere Intrusion and Intrusion DetectionIntrusion Detection Arun Hodigere Intrusion and Intrusion Detection
CS 5323 Intrusion Detection Base Rate Fallacy ProfCS 5323 Intrusion Detection Base Rate Fallacy Prof
Intrusion Detection System Intrusion Prevention System Topics IntrusionIntrusion Detection System Intrusion Prevention System Topics Intrusion
Intrusion Detection Methods Intrusion detection is the processIntrusion Detection Methods Intrusion detection is the process
TEMA Intrusion Detection EBITEMA TEMA Intrusion Detection TemalineTEMA Intrusion Detection EBITEMA TEMA Intrusion Detection Temaline
Intrusion Detection Outline p Intrusion detection and computerIntrusion Detection Outline p Intrusion detection and computer
Intrusion Detection Systems IDS IDS Intrusion Detection SystemIntrusion Detection Systems IDS IDS Intrusion Detection System
Intrusion Detection Systems Network Intrusion Detection System NIDSIntrusion Detection Systems Network Intrusion Detection System NIDS
Intrusion Detection Systems Intrusion Detection Systems 1980 PaperIntrusion Detection Systems Intrusion Detection Systems 1980 Paper
HONEYPOTS An Intrusion Detection System Index Intrusion DetectionHONEYPOTS An Intrusion Detection System Index Intrusion Detection