Integrating Artificial Intelligence into Snort IDS
Presenter: 葉瑞群
Date: 2012/05/31
Source: IEEE Transactions on Knowledge and Data Engineering
Outline
• I. INTRODUCTION
• II. THE INTEGRATION OF ARTIFICIAL INTELLIGENCE AND SNORT IDS
• III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR
• IV. CONCLUSIONS AND FUTURE WORKS
I. INTRODUCTION(1/5)
• Snort is an open source network intrusion detection and prevention system (IDS/IPS) that uses a rule-driven language; its shortcoming is that signature rules cannot detect new, previously unseen attacks.
• This paper explores how to integrate Artificial Intelligence into Snort IDS/IPS so that the IDS/IPS can adapt to the network it monitors and detect anomalies. A learning algorithm, here an artificial neural network (ANN), is integrated into one of Snort's preprocessors.
I. INTRODUCTION(2/5)
• At present, theoretical research on anomaly-detection-based IDS has not yet produced an industrial-strength network IDS [1]. Meanwhile, Snort is an open source network IDS/IPS developed by Sourcefire.
• With millions of downloads and approximately 300,000 registered users, Snort has become the de facto standard for IPS [2]. Figure 1 is the workflow diagram of Snort.
I. INTRODUCTION(3/5)
I. INTRODUCTION(4/5)
• Snort first uses libpcap/WinPcap to capture network packets. The packets go to the packet decoder engine, which parses the link-layer packet structure and then decodes the higher-level protocol fields such as TCP and UDP ports. This step therefore contains two modules: the packet capture module and the decoder module. Next come the Snort preprocessor plug-ins, which have three main functions.
I. INTRODUCTION(5/5)
• 1. Packet reassembly
• 2. Protocol decoding
• 3. Anomaly detection. Take the "Portscan" preprocessor for example: over a certain period of time it analyzes which ports and which hosts a source has contacted.
II. THE INTEGRATION OF ARTIFICIAL INTELLIGENCE AND SNORT IDS( 1/2 )
II. THE INTEGRATION OF ARTIFICIAL INTELLIGENCE AND SNORT IDS( 2/2 )
III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR(1/9)
• First, analyze the features of a port scan attack and extract from the packets the variables used as ANN input data. The variables that characterize a port scan are related to connection counts, such as the number of connections per source/destination IP address, the average number of connections, and so on. Second, use SNNS (Stuttgart Neural Network Simulator) to train an Elman neural network to recognize the attack behavior.
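To make the feature-extraction step concrete, the following added example (not code from the paper and not Snort code) aggregates per-source connection statistics over a fixed time window from a set of constructed connection records, the kind of counts the slide names as ANN inputs. The record layout, the 10-second window, the six statistics chosen and the sample traffic are all assumptions for illustration; the paper's actual seven input variables are not listed on these slides.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal connection record, as a preprocessor would see it after the
 * decoder stage. Hypothetical layout for this example only. */
typedef struct {
    uint32_t ts;        /* seconds */
    uint32_t src_ip;
    uint32_t dst_ip;
    uint16_t dst_port;
} conn_t;

/* Per-source statistics over one window: candidate ANN inputs. Which
 * statistics to use is an assumption of this example. */
typedef struct {
    double conn_count;      /* connections from the source in the window */
    double distinct_dsts;   /* distinct destination hosts contacted */
    double distinct_ports;  /* distinct destination ports contacted */
    double avg_per_dst;     /* connections per destination host */
    double avg_per_port;    /* connections per destination port */
    double rate;            /* connections per second over the window */
} features_t;

#define MAX_TRACK 256   /* distinct hosts/ports tracked per window */

static int seen(const uint32_t *arr, size_t n, uint32_t v)
{
    for (size_t i = 0; i < n; i++)
        if (arr[i] == v) return 1;
    return 0;
}

/* Scan the records once and aggregate everything sent by `src` with a
 * timestamp in [t0, t0 + window). */
void extract_features(const conn_t *c, size_t n, uint32_t src,
                      uint32_t t0, uint32_t window, features_t *f)
{
    uint32_t dsts[MAX_TRACK], ports[MAX_TRACK];
    size_t nd = 0, np = 0, cnt = 0;

    for (size_t i = 0; i < n; i++) {
        if (c[i].src_ip != src) continue;
        if (c[i].ts < t0 || c[i].ts >= t0 + window) continue;
        cnt++;
        if (nd < MAX_TRACK && !seen(dsts, nd, c[i].dst_ip))
            dsts[nd++] = c[i].dst_ip;
        if (np < MAX_TRACK && !seen(ports, np, c[i].dst_port))
            ports[np++] = c[i].dst_port;
    }
    f->conn_count     = (double)cnt;
    f->distinct_dsts  = (double)nd;
    f->distinct_ports = (double)np;
    f->avg_per_dst    = nd ? (double)cnt / (double)nd : 0.0;
    f->avg_per_port   = np ? (double)cnt / (double)np : 0.0;
    f->rate           = window ? (double)cnt / (double)window : 0.0;
}

/* Constructed sample traffic: one ordinary client and one host probing
 * eight ports of a single server within a few seconds. */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))
#define IP_NORMAL  IP(10, 0, 0, 5)
#define IP_SCANNER IP(10, 0, 0, 99)
#define IP_SERVER  IP(192, 168, 1, 10)
#define IP_SERVER2 IP(192, 168, 1, 20)

static const conn_t SAMPLE[] = {
    {100, IP_NORMAL,  IP_SERVER,  443},
    {101, IP_SCANNER, IP_SERVER,   21},
    {101, IP_SCANNER, IP_SERVER,   22},
    {102, IP_NORMAL,  IP_SERVER2,  80},
    {102, IP_SCANNER, IP_SERVER,   23},
    {102, IP_SCANNER, IP_SERVER,   25},
    {103, IP_SCANNER, IP_SERVER,   80},
    {103, IP_SCANNER, IP_SERVER,  110},
    {104, IP_NORMAL,  IP_SERVER,  443},
    {104, IP_SCANNER, IP_SERVER,  143},
    {104, IP_SCANNER, IP_SERVER,  443},
    {107, IP_NORMAL,  IP_SERVER2,  80},
    {125, IP_NORMAL,  IP_SERVER,  443},   /* outside the window used below */
};

/* Features for `src` over the window [100, 110) of the sample above. */
features_t features_for(uint32_t src)
{
    features_t f;
    extract_features(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0], src, 100, 10, &f);
    return f;
}

int main(void)
{
    features_t n = features_for(IP_NORMAL), s = features_for(IP_SCANNER);
    printf("normal : conns=%.0f dsts=%.0f ports=%.0f per-port=%.1f rate=%.2f/s\n",
           n.conn_count, n.distinct_dsts, n.distinct_ports, n.avg_per_port, n.rate);
    printf("scanner: conns=%.0f dsts=%.0f ports=%.0f per-port=%.1f rate=%.2f/s\n",
           s.conn_count, s.distinct_dsts, s.distinct_ports, s.avg_per_port, s.rate);
    return 0;
}
```

The scanner stands out on distinct ports contacted and on connections per port (one each), while the ordinary client repeats the same two ports; in a real preprocessor the window would slide with packet time and the counts would be kept per source in a hash table rather than recomputed by a full pass.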
III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR(2/9)
• The network has 7 input neurons and 2 output neurons. The middle layer has 4 hidden neurons and 4 feedback (context) neurons, which store the outputs of the 4 hidden neurons from the previous time step.
III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR(3/9)
III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR(4/9)
• The value of each neuron in the hidden layer and the output layer is obtained in two steps:
• First, compute the weighted sum: sum = Σ inputs × weights (inputs are the input values, weights are the connection weights of the corresponding neuron); the neuron's bias (Table II) is added to this sum.
• Second, apply the activation function to the sum:
III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR(5/9)
III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR(6/9)
• The Elman NN needs two input datasets: one group is the normal-traffic dataset, the other is the port-scan dataset. This article uses 2092 data records. The first input group is generated from normal traffic and labelled with an output pattern (such as 1 0) meaning normal traffic; the second input group is generated from a controlled port scan captured with a sniffer and labelled with an output pattern (such as 0 1) meaning abnormal traffic.
III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR(7/9)
• SNNS then uses the two datasets to train the ANN, adjusting the weights during learning until training succeeds. Finally, the trained ANN is translated into C and integrated into a Snort preprocessor. Table II lists the bias of each neuron of the successfully trained ANN.
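The two-step neuron computation of slide 4/9 and the hand translation of the trained network into C described on this slide can be shown together. The following added example (not the paper's code and not Snort code) implements the forward pass of an Elman network with the slide 2/9 topology (7 inputs, 4 hidden, 4 context, 2 outputs): weighted sum plus bias, activation, and copy-back of the hidden outputs into the context units for the next time step. The weights, biases and the two input vectors are hand-picked for illustration and are not the paper's Table II values; the logistic activation is an assumption (the slides do not show the function), and approx_exp stands in for libm's exp() so the file builds with a bare cc.

```c
#include <stdio.h>
#include <string.h>

#define N_IN  7   /* input neurons */
#define N_HID 4   /* hidden neurons; the context layer has the same size */
#define N_OUT 2   /* output neurons: (1 0) = normal, (0 1) = port scan */

typedef struct {
    double w_ih[N_HID][N_IN];   /* input   -> hidden weights */
    double w_ch[N_HID][N_HID];  /* context -> hidden weights (the feedback) */
    double b_h[N_HID];          /* hidden biases */
    double w_ho[N_OUT][N_HID];  /* hidden  -> output weights */
    double b_o[N_OUT];          /* output biases */
    double context[N_HID];      /* hidden outputs from the previous step */
} elman_t;

/* exp(x) as (1 + x/2^24)^(2^24) by 24 squarings: stands in for libm's
 * exp() so this builds without -lm; relative error is about x^2 / 2^25. */
static double approx_exp(double x)
{
    double b = 1.0 + x / 16777216.0;
    for (int i = 0; i < 24; i++) b *= b;
    return b;
}

/* Logistic activation, assumed for this example. */
static double logistic(double s) { return 1.0 / (1.0 + approx_exp(-s)); }

void elman_reset(elman_t *n) { memset(n->context, 0, sizeof n->context); }

/* One time step. Step 1 forms sum = bias + sum(input * weight) for each
 * neuron, step 2 applies the activation. The hidden outputs are then saved
 * as the context for the next call, which is what makes the net recurrent. */
void elman_step(elman_t *n, const double in[N_IN], double out[N_OUT])
{
    double hid[N_HID];
    for (int j = 0; j < N_HID; j++) {
        double sum = n->b_h[j];
        for (int i = 0; i < N_IN; i++)  sum += in[i] * n->w_ih[j][i];
        for (int k = 0; k < N_HID; k++) sum += n->context[k] * n->w_ch[j][k];
        hid[j] = logistic(sum);
    }
    for (int o = 0; o < N_OUT; o++) {
        double sum = n->b_o[o];
        for (int j = 0; j < N_HID; j++) sum += hid[j] * n->w_ho[o][j];
        out[o] = logistic(sum);
    }
    memcpy(n->context, hid, sizeof hid);
}

/* 1 = port scan (output closer to 0 1), 0 = normal (closer to 1 0). */
int elman_classify(const double out[N_OUT]) { return out[1] > out[0]; }

/* Hand-picked illustrative weights, NOT the trained values from the paper.
 * Inputs are assumed normalised to [0,1]; input 2 stands for "distinct
 * destination ports in the window" and input 0 for "connection rate". */
elman_t demo_network(void)
{
    elman_t n;
    memset(&n, 0, sizeof n);
    n.w_ih[0][2] =  4.0; n.b_h[0] = -2.0;  /* hidden 0: fires on many ports  */
    n.w_ih[1][2] = -4.0; n.b_h[1] =  2.0;  /* hidden 1: fires on few ports   */
    n.w_ih[2][0] =  4.0; n.b_h[2] = -2.0;  /* hidden 2: fires on a high rate */
    n.w_ch[0][0] =  2.0;                   /* hidden 0 remembers its own past */
    n.w_ho[0][0] = -3.0; n.w_ho[0][1] =  3.0; n.w_ho[0][2] = -1.0; /* "normal" */
    n.w_ho[1][0] =  3.0; n.w_ho[1][1] = -3.0; n.w_ho[1][2] =  1.0; /* "scan"   */
    return n;
}

/* Constructed feature vectors for one window each. */
static const double SCAN_INPUT[N_IN]   = {0.9, 0.1, 1.0, 0.9, 0.1, 0.8, 0.7};
static const double NORMAL_INPUT[N_IN] = {0.2, 0.3, 0.0, 0.1, 0.6, 0.1, 0.2};

/* Feed the same vector `steps` times into a fresh network and return the
 * final "scan" output, so the effect of the context layer is visible. */
double demo_scan_score(const double in[N_IN], int steps)
{
    elman_t n = demo_network();
    double out[N_OUT] = {0.0, 0.0};
    for (int s = 0; s < steps; s++) elman_step(&n, in, out);
    return out[1];
}

int demo_classify(const double in[N_IN])
{
    elman_t n = demo_network();
    double out[N_OUT];
    elman_step(&n, in, out);
    return elman_classify(out);
}

int main(void)
{
    printf("normal  : scan score %.3f -> class %d\n",
           demo_scan_score(NORMAL_INPUT, 1), demo_classify(NORMAL_INPUT));
    printf("scan x1 : scan score %.3f -> class %d\n",
           demo_scan_score(SCAN_INPUT, 1), demo_classify(SCAN_INPUT));
    printf("scan x2 : scan score %.3f (context raises it)\n",
           demo_scan_score(SCAN_INPUT, 2));
    return 0;
}
```

Feeding the scan vector twice yields a higher scan score the second time because hidden neuron 0 reads its own previous output through the context weight; inside a preprocessor the network would be stepped once per window per source, and the context array would have to be kept per source (and reset when that source's state expires), otherwise one host's history leaks into another's classification.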
III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR(8/9)
III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR(9/9)
IV. CONCLUSIONS AND FUTURE WORKS(1/1)
• This article investigates the integration of AI into a Snort preprocessor plug-in, which makes Snort IDS more intelligent in detecting new or variant network attacks. Future work includes combining evolutionary approaches such as genetic algorithms (GAs) [4] or immune algorithms (IAs) [5] with the detection engine of Snort IDS.
END