The Performance Evaluation of Intrusion Detection Evaluation Method Based on Bayesian Theory

Haiyang SI, Zhiyi FANG and Ruixue LI

Jilin University, School of Computer Science and Technology; Graduate University of Chinese Academy of Sciences, Beijing, China, [email protected]

Jilin University, School of Computer Science and Technology, Changchun, China, [email protected], [email protected]

Abstract—Starting from an analysis of an intrusion detection model based on Bayesian theory, an intrusion detection evaluation method is proposed. Comparison with earlier related work and analysis of the results for the key evaluation targets show clear differences in quality between the performance of various intrusion detection systems, which demonstrates that this performance evaluation is precise.


Keywords- Bayesian theory; IDS; Evaluation; Network security

I. INTRODUCTION

An IDS (Intrusion Detection System) [1] follows a given security policy, monitors the network and the running state of the system, discovers as far as possible every kind of attack attempt, attack behaviour or attack result, and so protects the confidentiality, integrity and availability of the network system's resources. IDSs are developing rapidly, so a comprehensive and rigorous method is needed to test and appraise them fairly and credibly. The Bayesian method [2,3] is an essential method in statistical pattern recognition. Bayesian decision making considers both the prior probability with which each class appears and the size of the loss caused by a wrong judgement, and it has strong discriminating ability. It can therefore be applied to the evaluation of intrusion detection systems. This paper presents the performance evaluation mechanism of an intrusion detection evaluation based on Bayesian theory, aimed at the essential performance targets of an IDS, which can explain the strengths and weaknesses of an IDS's performance scientifically and accurately.

II. INTRUSION DETECTION METHOD BASED ON BAYESIAN THEORY

A. Intrusion detection model based on Bayesian theory

The intrusion detection model based on Bayesian theory defines a four-tuple $\langle X, \bar{X}, Y, \bar{Y} \rangle$ to express the intrusion and non-intrusion conditions:

$X$ —— an intrusion behaviour is present
$\bar{X}$ —— normal behaviour (the system has not received an intrusion)
$Y$ —— the IDS reports ("examines") an intrusion behaviour
$\bar{Y}$ —— the IDS does not report an intrusion behaviour

Warning confidence level, the probability that an alarm corresponds to a real intrusion:

$$P(X \mid Y) = \frac{P(Y \mid X)\,P(X)}{P(Y \mid X)\,P(X) + P(Y \mid \bar{X})\,P(\bar{X})} \qquad (1)$$

System safety, the probability that the absence of an alarm corresponds to normal behaviour:

$$P(\bar{X} \mid \bar{Y}) = \frac{P(\bar{Y} \mid \bar{X})\,P(\bar{X})}{P(\bar{Y} \mid \bar{X})\,P(\bar{X}) + P(\bar{Y} \mid X)\,P(X)} \qquad (2)$$

B. Evaluation

A few PCs and switches running Windows XP and Windows 2000 were used to evaluate three intrusion detection systems: Snort, BlackICE and eTrust. The IDS test and appraisal work of the US Lincoln Laboratory and Rome Laboratory [4] serves as the reference. The Lincoln method feeds a large sample of network traffic containing various attacks, together with audit data samples, as input to the IDS, confirms the IDS's ability from this, and calculates the detection rate and the false alarm rate, as shown in Figure 1.

Figure 1. Lincoln laboratory off-line testing environment

The Rome Laboratory designed a real-time network environment for evaluating an IDS, shown in Figure 2: the IDS is placed in the actual network environment, and its response and compatibility are confirmed in the real-time situation [5].

Figure 2. Rome laboratory real-time testing environment

Each of these two testing environments has its own shortcomings. The off-line test can only test against data that has already been collected and cannot show the IDS's condition in real time. The real-time test allows many real users to generate real background traffic through network services such as mail and FTP, but its testing environment is exposed to attack from inside and outside, the background traffic may contain intrusion data that affects the detection result, and normal system operation may be interrupted by the simulated attacks. Therefore a real-time simulated testing environment, in which PCs are used to carry out the actual attacks against the system, is the better method. By verifying the attack source, intrusion data that would influence the detection result can be removed, and the problem that the off-line test cannot show the IDS's condition in real time is solved.

III. EVALUATION REALIZATION

A. Simulation attack

Figure 3 gives the flow chart of the simulated attack. The attack action is chosen through the attack engine and the attack is carried out against the target:

Attack engine → choose the attack action → attack way (the way of attacking the target, such as ARP attack, port scanning and so on) → the target host that receives the attack

Figure 3. Rome laboratory real-time testing environment

Table 1 shows part of the attack examples used in the evaluation process.

TABLE I. PART OF THE ATTACK EXAMPLES USED IN THE EVALUATION PROCESS

Serial number   Attack name                    Serial number   Attack name
1               ARP attack                     11              TCP/SYN
2               PING attack                    12              SYN/FIN
3               ICMP unreachable               13              Jolt
4               ICMP redirection               14              RST
5               IGMP fragmentation             15              TCP no flag
6               Smurf                          16              Port scanning
7               IP fragmentation message       17              Backdoor
8               Malformed IP fragmentation     18              Land
9               IGMP packet attack             19              Christmas tree attack
10              UDP attack                     20              Other attacks

B. Functionality evaluation

The functionality evaluation mainly measures how strong the intrusion detection system's own functional characteristics are: for example, whether the system's architecture supports extensibility, whether the rules can be customized, whether all attack samples in the sample set can be detected, whether the alarm function is strong, and whether strong and user-friendly reporting is provided. The main evaluation flow:

1) First, start the network intrusion detection systems and make sure each system is in normal working condition.
2) Check the network connection to make sure the attack packets we transmit can reach the attacked host.
3) Start the simulated attack module and send out the attack packets.
4) Check how the intrusion detection systems deployed on the different machines respond to the specific attack behaviour (for example whether an alarm occurs, whether blocking occurs, whether a log record is written).
5) Clear the intrusion detection systems' logs and related information, return to the third step, and test the IDSs' ability to detect other attack behaviours.

C. Performance evaluation

The performance evaluation mainly measures the intrusion detection system's operating condition under high load: for example, the speed of packet capture and filtering, whether packet drops occur, and how much total traffic the detection engine can handle. The evaluation flow is as follows:

1) Under the normal network traffic (that is, the existing laboratory network traffic), start each IDS.
2) Start the attack simulation software and transmit a certain number of attack packets (the attack sample space should be as large as possible).
3) Examine the IDS's detection record. If $m$ attack packets were transmitted and $n$ of them were detected, the detection rate is $\frac{n}{m} \times 100\%$ and the rate of missing report is $\left(1 - \frac{n}{m}\right) \times 100\%$. Calculate the corresponding detection rate and rate of missing report.
4) Change the network background traffic. Here, according to the particular details of the laboratory network, the background traffic for this stage of the test is set to 25M, 50M, 75M, 100M.
5) Clear each IDS's logs and recorded information.
6) Return to the second step.
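To make Equations (1) and (2) of Section II.A and the detection-rate step of Section III.C concrete, here is an added Python example (not code from the paper): it takes the m transmitted and n detected attacks for each background load, uses n/m as the estimate of P(Y|X), and computes the warning confidence and system safety. The prior P(X), the false-alarm probability P(Y|X̄) and the per-load detected counts (taken from the figures reported in Section IV.C) are assumed inputs, not quantities the paper measured for this purpose.

```python
"""Warning confidence, Eq. (1), and system safety, Eq. (2), fed with the
detection rate n/m from Section III.C step 3. Added example, not the paper's
code. X = intrusion present, Y = IDS reports an intrusion, Xbar/Ybar = complements."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IdsRun:
    """One run of the performance-evaluation flow (Section III.C, step 3)."""
    load: str      # background traffic label, e.g. "20M"
    sent: int      # m: attack packets transmitted by the simulation software
    detected: int  # n: attack packets present in the IDS detection record

    def detection_rate(self) -> float:
        """n/m, used as the estimate of P(Y|X)."""
        if self.sent <= 0 or not 0 <= self.detected <= self.sent:
            raise ValueError("need m > 0 and 0 <= n <= m")
        return self.detected / self.sent


def _check_probs(*named: tuple) -> None:
    for name, p in named:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must lie in [0, 1], got {p}")


def warning_confidence(p_x: float, p_y_x: float, p_y_xbar: float) -> float:
    """Eq. (1): P(X|Y) = P(Y|X)P(X) / (P(Y|X)P(X) + P(Y|Xbar)P(Xbar)).
    Probability that an alarm really corresponds to an intrusion."""
    _check_probs(("P(X)", p_x), ("P(Y|X)", p_y_x), ("P(Y|Xbar)", p_y_xbar))
    true_alarm = p_y_x * p_x
    false_alarm = p_y_xbar * (1.0 - p_x)
    if true_alarm + false_alarm == 0.0:
        raise ValueError("P(Y) = 0: the IDS never alarms, P(X|Y) is undefined")
    return true_alarm / (true_alarm + false_alarm)


def system_safety(p_x: float, p_y_x: float, p_y_xbar: float) -> float:
    """Eq. (2): P(Xbar|Ybar) = P(Ybar|Xbar)P(Xbar) / (P(Ybar|Xbar)P(Xbar) + P(Ybar|X)P(X)).
    Probability that silence from the IDS really means no intrusion."""
    _check_probs(("P(X)", p_x), ("P(Y|X)", p_y_x), ("P(Y|Xbar)", p_y_xbar))
    true_silence = (1.0 - p_y_xbar) * (1.0 - p_x)
    missed_attack = (1.0 - p_y_x) * p_x
    if true_silence + missed_attack == 0.0:
        raise ValueError("P(Ybar) = 0: the IDS always alarms, P(Xbar|Ybar) is undefined")
    return true_silence / (true_silence + missed_attack)


def evaluate_runs(runs, p_x: float, p_y_xbar: float) -> dict:
    """Section III.C step 3 for each background load, then Eq. (1) and (2)."""
    result = {}
    for run in runs:
        dr = run.detection_rate()
        result[run.load] = {
            "detection_rate": dr,
            "missing_report_rate": 1.0 - dr,   # estimate of P(Ybar|X)
            "warning_confidence": warning_confidence(p_x, dr, p_y_xbar),
            "system_safety": system_safety(p_x, dr, p_y_xbar),
        }
    return result


# Detected counts out of 2000 attacks are the figures reported in Section IV.C;
# the prior P(X) = 0.01 and P(Y|Xbar) = 0.02 used below are assumed, not measured.
RUNS = [IdsRun("general", 2000, 1952), IdsRun("20M", 2000, 1204),
        IdsRun("50M", 2000, 881), IdsRun("70M", 2000, 463), IdsRun("100M", 2000, 24)]

if __name__ == "__main__":
    for load, r in evaluate_runs(RUNS, p_x=0.01, p_y_xbar=0.02).items():
        print(f"{load:>8}: detect {r['detection_rate']:.1%} P(X|Y) {r['warning_confidence']:.1%} "
              f"P(Xbar|Ybar) {r['system_safety']:.2%}")
```

With a low prior P(X), the warning confidence falls much faster than the detection rate as background traffic grows, which is the Bayesian reason the paper asks for a balance point between detection rate and false alarm rate rather than a high detection rate alone.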

D. Secure evaluation

This evaluation shows to what degree the intrusion detection system can resist attack behaviour from an intruder. Evaluation flow:

1) First start the network intrusion detection systems and make sure each system is in normal working condition.
2) Start each attack end of the distributed denial of service attack and transmit a large number of data messages to the target host.
3) After each attack end has transmitted a certain number of packets, start some attack behaviour from the attack simulation software and check whether the intrusion detection system still has the ability to detect the attack.
4) Stop the distributed denial of service attack, return to the third step, and test the IDS's ability to recover after the denial of service attack.

The following methods were selected in the evaluation. Transmit a large volume of non-attack traffic that exceeds the processing capacity the IDS can withstand; because of the very large traffic that has to be processed, the IDS may discard some packets and thus fail to detect normal attack behaviour. Transmit a large number of packets that contain no attack behaviour but match the IDS detection rules, so that a large number of alarm messages is produced; the flood of alarm messages may then cause the response system to malfunction, or the display interface may be unable to refresh and so unable to show the alarm behaviour. Transmit a large number of packets that deliberately include attacks, so that the IDS administrator's attention is concentrated on them; under the cover of this smoke screen of attacks the attacker then launches the real attack behaviour.

IV. PERFORMANCE EVALUATION

A. Comparison with the former evaluation work

[Figure 4: bar chart (0%–100%) of the key indicators covered by each evaluation: Novel Attacks, Stealth Attacks, DoS Attacks, Probability of False …, Probability of False …, Receiver Operating …, High Traffic; series: Our Work, NetWork World@2001, NSS@2001, Neohapsis@2001, AFRL@1998, MIT/LL@1999]

Figure 4. Comparison with the former evaluation work (1)

[Figure 5: bar chart (0–70) of the Number of Attacks and the Number of IDS systems covered by each evaluation; series: MIT@1997, UCD@1997, MIT/LL@1998, MIT/LL@1999, AFRL@1998, Neohapsis@2001, NSS@2001]

Figure 5. Comparison with the former evaluation work (2)

As Figures 4 and 5 show, compared with the former research, although this evaluation is not the most outstanding in any single evaluation content, it covers the majority of the key indicators used in the former evaluations.

B. Function evaluation result analysis

[Figure 6: bar chart (0%–100%) of the detection results of Snort, BlackICE and eTrust for part of the attacks: ARP…, The…, IGMP…, Fragment…, Phf, TCP/SYN, Jolt, TCPflag, Backdoor, Christmas…]

Figure 6. Part of attack detection results

Figure 6 shows part of the attack test results of the three IDSs Snort [6], BlackICE [7] and eTrust [8]. From it, their different detection ability for 19 kinds of attacks can be obtained. Although unknown attack disturbances were received in the real-time network, so that the analysis of this result cannot be completely precise, it still sufficiently shows the three IDSs' different responses under each kind of attack. The evaluation can very accurately and intuitively demonstrate the different IDSs' response ability.

C. Performance evaluation result and analysis

In the performance evaluation we paid particular attention to the IDS's detection rate, rate of missing report and rate of false alarm. Figures 7 and 8 respectively give the number of attacks successfully detected by the IDS and the success detection rate under the general network and under 20M, 50M, 70M and 100M network traffic. It needs to be explained that in BlackICE and eTrust some warning information is merged together, so the related data could not be tested. In Figures 7 and 8 the number of attacks initiated at each background traffic level is 2000. The number of attacks successfully detected and the success detection rate at the different background traffic levels are: general network - 1952 times (97.6%); 20M - 1204 times (60.2%); 50M - 881 times (44.1%); 70M - 463 times (23.2%); 100M - 24 times (1.2%).

[Figure 7: bar chart (0–2000) of the examination attack quantity under the general network, 20M, 50M and 70M background traffic]

Figure 7. Examination attack quantity

[Figure 8: bar chart of the success examination rate under the general network, 20M, 50M and 70M background traffic]

Figure 8. Success examination rate

The rate of false alarm is very difficult to test; in general, false alarms mainly occur because the IDS rules are not strict enough or are wrong [9]. Generally speaking, an intrusion detection system always moves back and forth between the rate of false alarm and the detection rate: when the detection rate is high, the rate of false alarm rises with it, and when the rate of false alarm drops, the detection rate falls with it. Through analysis we can see that an intrusion detection system detects intrusions on the basis of some kind of rules. When the rule definition is strict, the detection rate is high, but because the rules are over-strict some normal user operations are also detected as attack behaviour; this is why the detection rate is high and the rate of false alarm is also high. On the other hand, when the rule definition is loose, the detection rate drops markedly and the rate of false alarm also drops. Therefore the conclusion is: when using an intrusion detection system one cannot pursue a high detection rate unilaterally, but should make a compromise between the two and take the best balance point, so that the detection rate and the rate of false alarm are both within an acceptable range.

D. Secure evaluation result and analysis

Figure 9 shows the resilience of the three IDSs Snort, BlackICE and eTrust after the DDoS attack. Moment 0 is the success detection rate of the three IDSs right after receiving the DDoS saturation attack, and the moment "Enough Time" is the success detection rate when the three IDSs have recovered to their normal level after enough time. Moments 1, 2 and 3 are three samples taken during the recovery period, with the success detection rate of the three IDSs at each of these three times.

[Figure 9: chart of the success examination rate (80%–100%) of Snort, BlackICE and eTrust at moments 0, 1, 2, 3 and Enough Time after the DDoS attack]

Figure 9. Speed of Restoration

From Figure 9 we can see that Snort's restoration speed is slightly better than that of BlackICE and eTrust. The security evaluation can show how robust an IDS is and its restoration speed after attack, which is an important standard of performance evaluation.

E. Performance evaluation subtotal

Through comparison with the former related work, and through the contrast and analysis of the function evaluation result, the performance evaluation result and the secure evaluation result, the differences and the strengths and weaknesses of the different IDSs' performance can be obtained intuitively and clearly. It can be seen that the intrusion detection evaluation method based on Bayesian theory is effective and successful. At the same time, the performance evaluation targets and the evaluation method proposed in this article are also practical and feasible.

V. CONCLUSION

This article introduced the mechanism of an intrusion detection evaluation method based on Bayesian theory and proposed the evaluation targets. Bayesian theory is used to analyse each target of the performance detection, and the intrusion detection system's situation for each target is portrayed through concrete data. In the test procedure, the corresponding experimental environment was built according to the actual situation, Snort, BlackICE and eTrust were evaluated, and the corresponding test results and their analysis were given. An intrusion detection system is a very complex system; testing and appraising it involves not only the intrusion detection system itself but also the environment the system runs in. The test procedure involves the operating environment, network environment, tools, software, hardware and so on. We need to consider not only the intrusion detection effect but also the influence on the actual system after this system is applied. Since the actual system cannot reach the best value on every test item, the two factors have to be compromised to find the best balance point.

REFERENCES

[1] http://wiki.ccw.com.cn/%E5%85%A5%E4%BE%B5%E6%A3%80%E6%B5%8B%E7%B3%BB%E7%BB%9F
[2] Sheng Zhou, Xie Shiqian, Pan Chengyi. Theory of Probability and Mathematical Statistics [M]. Beijing: Higher Education Publishing House, March 2000: 1-62.
[3] Jiwen Guan, David A. Bell, Dayou Liu. Intelligent Data Mining [J]. Tools and Application, 2005, volume 1: 214-232.
[4] Lippmann R.P., Fried D.J., Graf I., Haines J.W., Kendall K.R., McClung D., Weber D., Webster S.E., Wyschogrod D., Cunningham R.K., and Zissman M.A., Evaluating Intrusion Detection Systems: The 1998 DARPA Off-Line Intrusion Detection Evaluation, in Proceedings of the 2000 DARPA Information Survivability Conference and Exposition (DISCEX), Vol. 2, 12-26, 2000, IEEE Computer Society Press: Los Alamitos, CA.
[5] Robert Durst, Terrence Champion, Brian Witten, Eric Miller and Luigi Spagnuolo, Testing and evaluating computer intrusion detection systems, Communications of the ACM, 42 (1999) 53-61.
[6] Sun Zongcan, Tao Lan, Qi Jiandong, Intrusion detection tool Snort analysis, Computer Engineering and Design, 2004, Vol. 1-25th, 36-39.
[7] http://www.enet.com.cn/article/2004/1112/A20041112361556.shtml
[8] Cuppens F., Miege A., Alert correlation in a cooperative intrusion detection framework, Security and Privacy, 2002. Proceedings. 2002 IEEE Symposium, p 202-215.
[9] Hu Jun, Zuo Ming, Research on rule matching technique of Snort-based intrusion detection, Network & Computer Security, 2007, 2nd, P. 32-342.
