Steven Hofmeyr
Stephanie Forrest
Patrik D’haeseleer
Dept. of Computer Science
University of New Mexico
Albuquerque, NM
steveah
forrest, patrik}@cs.unm.edu
http://cs.unm.edu/~steveah/research.html

• Intrusion detection:
– Assume that systems are not secure.
– Attempt to detect violations of security policy (intrusions) by monitoring and analyzing system behavior.
– Construct a model of normal behavior and look for deviations from the model
(anomaly detection).
• Building the model (defining self):
– TCP/IP traffic over a broadcast LAN.
– Based on Network Security Monitor (NSM).
• Every computer on the network should participate in IDS:
– Distributed detection
– Use negative-selection algorithm
• Diversity of protection:
– Permutation masks

• NSM: Network Security Monitor (UCDavis)
{Mukherjee et al. Network Intrusion Detection. IEEE Network, pp26-41, 1994}
External host
Internal host
10.10.10.2
Datapath triple
(10.10.10.2, 20.20.20.5, ftp)
Broadcast
LAN
20.20.20.5
• The right approach:
– Anomaly detection
– Sparsely connected graph
– Normal patterns reasonably stable
– Attackers highly likely to perturb graph
• Disadvantages:
– Heavyweight
– Single point of failure
– Not scalable

• Self (proteins) = normal datapath triples
• Nonself (proteins) = triples generated during an attack
• Universe = Self

Nonself
• Anomaly detection:
– Detection system trained on self
– Detection system classifies new triples as self (normal) or nonself
(anomalous)
• NSM: a single monolithic detector matching self ( positive detection)

• Immune system: Many small detectors matching nonself ( negative detection).
• Advantages of distributed negative detection:
– Localized (no communication costs)
– Scalable
– Tunable
– Robust (no single point of failure)
– Negative selection algorithm minimizes false positives

1. Randomly generate a detector string.
2. Does the detector string match self?
3. If no, accept
If yes, go to 1.
(regenerate).
NO YES
ACCEPT REJECT
Results in a set of valid detectors

• Representation:
– SYN packet triples mapped to 49-bit strings
• Generalized detection:
– Partial matching with r-contiguous bits rule
Triple 0110100101 0100110100
1110111101 1110111101 Detector
Match No Match r = 4
• Consequences of Partial Matching:
– Advantage: Lightweight (few detectors per host)
– Disadvantage: Holes limit detection
Holes

• Problem: Holes limit detection for any partial match rule.
• Solution: A different permutation mask for each host.
• Result: In the broadcast network, detection is limited by the intersection of all hole sets.

• UNM CS subnet of 50 machines on a switched segment.
– 100 49-bit string detectors per machine
• Training set (self):
– Collected over 43 days
– 1 266 000 TCP SYN packets
– 3763 unique binary self strings
• Normal test set (supposedly self):
– Collected over 7 days
– 182 629 TCP SYN packets
– 626 unique binary self strings
• Abnormal test set (nonself):
– 8 different incidents, 7 real occurrences, 1 synthetic
– Real abnormal behavior includes: massive portscanning, limited probing, address-space probing, local host compromise
– Synthetic: 200 random connections between internal (LAN) hosts

• Normal is reasonably stable.
Title:
Cre at or:
Prev ie w :
This EPS pict ure w a s no t s av ed w ith a pre view inc lu de d in it.
Co mmen t:
This EPS pict ure w ill p rin t to a
Pos tSc rip t p rin ter, bu t n ot to o the r ty pe s of p rin te rs.
• Low false positives:
– P(false positive per self string) = 0.000304
– 55 strings, but only 10 unique
– Effectively: under 2 false alarms per day
• High detection rates with few detectors
– 100% successful detection: 8 out of 8 abnormal incidents detected
– Only 100 detectors per host
• Permutation masks improve detection
– Up to an order of magnitude improvement
– Overcomes hole limitation

(Suppose the training set is incomplete)
• Activation threshold:
– Detector is not activated on every match.
– Must have exceeded x matches before activation.
– No time horizon.
– Helps with stealth attacks (distributed in time).
– Reduced false positives by an order of magnitude.
• Adaptive activation:
– Tune local activation thresholds dynamically.
– Whenever a detector matches its first pattern, the activation threshold for that computer is reduced by 1.
– Has a time horizon (threshold gradually returns to default value).
– Hypothesized to help with distributed coordinated attacks.

Incident Fraction Threshold 1 nonself
Phear 1.00
1.00
Cartan 0.44
0.44
Dt03ln93 0.17
Xtream 0.62
0.17
0.62
Cougar 0.54
Sauron 0.10
Pc35nl 1.00
Synthetic 1.00
0.58
0.10
1.00
0.94
Anomaly Signal
Threshold 10 permutation No permutation
0.50
0.09
0.43
0.34
0.16
0.59
0.16
0.61
0.53
0.09
0.84
0.33
0.49
0.09
0.43
0.01

Title:
Creat or:
Prev iew :
This EPS pict ure w as not s av ed w ith a preview inc luded in it.
Comment:
This EPS pict ure w ill print to a
Pos tSc ript printer, but not to other ty pes of printers.

– Distributed networks and immunology
– Combining negative detection and network intrusion detection
– Diversity via permutation masks
– Distributed generation of detectors
– Dynamic detector sets
– Adaptation and memory (misuse detection)