Integrating Artificial Intelligence into Snort IDS
Presenter: 葉瑞群
Date: 2012/05/31
Source: IEEE Transactions on Knowledge and Data Engineering

Outline
I. INTRODUCTION
II. THE INTEGRATION OF ARTIFICIAL INTELLIGENCE AND SNORT IDS
III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR
IV. CONCLUSIONS AND FUTURE WORKS

I. INTRODUCTION (1/5)
Snort is an open source network intrusion detection and prevention system (IDS/IPS) driven by a rule language; its shortcoming is that it cannot detect new attacks. This paper explores how to integrate Artificial Intelligence into Snort IDS/IPS so that the IDS/IPS can adapt to its network and detect anomalies. A learning algorithm such as an artificial neural network (ANN) is integrated into one of the preprocessors of Snort IDS.

I. INTRODUCTION (2/5)
At present, theoretical research on anomaly-detection-based IDS has not yet produced an industrial-strength network IDS [1]. Meanwhile, Snort is an open source network IDS/IPS developed by Sourcefire. With millions of downloads and approximately 300,000 registered users, Snort has become the de facto standard for IPS [2]. Figure 1 is the workflow diagram of Snort.

I. INTRODUCTION (3/5)

I. INTRODUCTION (4/5)
Snort first uses libpcap/WinPcap to capture network packets. The packets go to the packet decoder engine, which parses the link-layer packet structure and then decodes higher-level protocol fields such as TCP and UDP ports. This step therefore contains two modules: the packet capture module and the decoder module. Next come the Snort preprocessor plug-ins, which have three main functions.

I. INTRODUCTION (5/5)
1. Packet reassembly
2. Protocol decoding
3. Anomaly detection. Take the "Portscan" preprocessor for example: over a given period of time it analyzes which ports and hosts have been contacted.

II. THE INTEGRATION OF ARTIFICIAL INTELLIGENCE AND SNORT IDS (1/2)

II. THE INTEGRATION OF ARTIFICIAL INTELLIGENCE AND SNORT IDS (2/2)

III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR (1/9)
First, analyze the features of a port scan attack to extract from the packets the variables used as ANN input data; the variables for a port scan should relate to connection counts, such as the connection counts of the source/destination IP address, the average connection count, and so on. Second, use SNNS (Stuttgart Neural Network Simulator) to train an Elman neural network to identify the attack behaviour.

III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR (2/9)
There are 7 input neurons and 2 output neurons; in the middle layer there are 4 hidden neurons and 4 feedback (context) neurons that record the outputs of the 4 hidden neurons from the last time step.

III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR (3/9)

III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR (4/9)
The value of each neuron in the hidden layer and the output layer is obtained in two steps. First, obtain the weighted sum, sum = Σ inputs × weights (inputs are the input values, weights are the connection weights of the corresponding neuron). Second, obtain the value of the activation function:

III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR (5/9)

III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR (6/9)
The Elman NN needs two input datasets: one is a normal-traffic dataset, the other a portscan dataset. This article collected 2092 records. The first input group is generated from normal traffic, with an output pattern (such as 1 0) meaning normal traffic; the second input group is generated from a controlled port scan captured with a sniffer, with an output pattern (such as 0 1) meaning abnormal traffic.

III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR (7/9)
Then SNNS uses the two datasets to train the ANN, letting the weights be amended as learning proceeds until training succeeds. Finally, the trained ANN is translated into C and integrated into a Snort IDS preprocessor.
Table II lists the bias of each neuron of the successfully trained ANN.

III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR (8/9)

III. THE IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR (9/9)

IV. CONCLUSIONS AND FUTURE WORKS (1/1)
This article investigates the technology of integrating AI into a Snort preprocessor plug-in, which makes Snort IDS more intelligent in detecting new or variant network attacks. Future work includes combining evolutionary approaches such as genetic algorithms (GAs) [4] or immune algorithms (IAs) [5] with the detection engine of Snort IDS.

END