outside the closed world on using machine learning for
play

Outside the Closed World: On Using Machine Learning for Network - PowerPoint PPT Presentation

Dec 24, 2022 •490 likes •1.01k views

Outside the Closed World: On Using Machine Learning for Network Intrusion Detection Robin Sommer Vern Paxson International Computer Science Institute, & International Computer Science Institute, & University of California, Berkeley

  1. Outside the Closed World: On Using Machine Learning for Network Intrusion Detection Robin Sommer Vern Paxson International Computer Science Institute, & International Computer Science Institute, & University of California, Berkeley Lawrence Berkeley National Laboratory IEEE Symposium on Security and Privacy May 2010

  2. Network Intrusion Detection IEEE Symposium on Security and Privacy 2

  3. Network Intrusion Detection NIDS IEEE Symposium on Security and Privacy 2

  4. Network Intrusion Detection NIDS Detection Approaches: Misuse vs. Anomaly IEEE Symposium on Security and Privacy 2

  5. Anomaly Detection Session Duration Session Volume IEEE Symposium on Security and Privacy 3

  6. Anomaly Detection Training Phase: Building a profile of normal activity. Session Duration Session Volume IEEE Symposium on Security and Privacy 3

  7. Anomaly Detection Training Phase: Building a profile of normal activity. Detection Phase: Matching observations against profile. Session Duration Session Volume IEEE Symposium on Security and Privacy 3

  8. Anomaly Detection Training Phase: Building a profile of normal activity. Detection Phase: Matching observations against profile. Session Duration Session Volume IEEE Symposium on Security and Privacy 3

  9. Anomaly Detection Training Phase: Building a profile of normal activity. Detection Phase: Matching observations against profile. Session Duration Session Volume IEEE Symposium on Security and Privacy 3

  10. Anomaly Detection (2) • Assumption: Attacks exhibit characteristics that are different than those of normal traffic. • Originally introduced by Dorothy Denning in1987. • IDES: Host-level system building per-user profiles of activity. • Login frequency, password failures, session duration, resource consumption. IEEE Symposium on Security and Privacy 4

  11. Anomaly Detection (2) · Technique Used Section References Statistical Profiling Section 7.2.1 NIDES [Anderson et al. 1994; Anderson et al. 1995; using Histograms Javitz and Valdes 1991], EMERALD [Porras and Neumann 1997], Yamanishi et al [2001; 2004], Ho et al. [1999], Kruegel at al [2002; 2003], Mahoney et al [2002; 2003; 2003; 2007], Sargor [1998] Parametric Statisti- Section 7.1 Gwadera et al [2005b; 2004], Ye and Chen [2001] cal Modeling Non-parametric Sta- Section 7.2.2 Chow and Yeung [2002] tistical Modeling Bayesian Networks Section 4.2 Siaterlis and Maglaris [2004], Sebyala et al. [2002], Valdes and Skinner [2000], Bronstein et al. [2001] Neural Networks Section 4.1 HIDE [Zhang et al. 2001], NSOM [Labib and Ve- muri 2002], Smith et al. [2002], Hawkins et al. [2002], Kruegel et al. [2003], Manikopoulos and Pa- pavassiliou [2002], Ramadas et al. [2003] Support Vector Ma- Section 4.3 Eskin et al. [2002] chines Rule-based Systems Section 4.4 ADAM [Barbara et al. 2001a; Barbara et al. 2003; Barbara et al. 2001b], Fan et al. [2001], Helmer et al. [1998], Qin and Hwang [2004], Salvador and Chan [2003], Otey et al. [2003] Clustering Based Section 6 ADMIT [Sequeira and Zaki 2002], Eskin et al. [2002], Wu and Zhang [2003], Otey et al. [2003] Nearest Neighbor Section 5 MINDS [Ertoz et al. 2004; Chandola et al. 2006], based Eskin et al. [2002] Spectral Section 9 Shyu et al. [2003], Lakhina et al. [2005], Thottan and Ji [2003],Sun et al. [2007] Information Theo- Section 8 Lee and Xiang [2001],Noble and Cook [2003] retic Source: Chandola et al. 2009 IEEE Symposium on Security and Privacy 4

  12. Anomaly Detection (2) · Features used Technique Used Section References packet sizes Statistical Profiling Section 7.2.1 NIDES [Anderson et al. 1994; Anderson et al. 1995; using Histograms Javitz and Valdes 1991], EMERALD [Porras and IP addresses Neumann 1997], Yamanishi et al [2001; 2004], Ho ports et al. [1999], Kruegel at al [2002; 2003], Mahoney header fields et al [2002; 2003; 2003; 2007], Sargor [1998] Parametric Statisti- Section 7.1 Gwadera et al [2005b; 2004], Ye and Chen [2001] timestamps cal Modeling inter-arrival times Non-parametric Sta- Section 7.2.2 Chow and Yeung [2002] session size tistical Modeling Bayesian Networks Section 4.2 Siaterlis and Maglaris [2004], Sebyala et al. [2002], session duration Valdes and Skinner [2000], Bronstein et al. [2001] session volume Neural Networks Section 4.1 HIDE [Zhang et al. 2001], NSOM [Labib and Ve- payload frequencies muri 2002], Smith et al. [2002], Hawkins et al. [2002], Kruegel et al. [2003], Manikopoulos and Pa- payload tokens pavassiliou [2002], Ramadas et al. [2003] payload pattern Support Vector Ma- Section 4.3 Eskin et al. [2002] ... chines Rule-based Systems Section 4.4 ADAM [Barbara et al. 2001a; Barbara et al. 2003; Barbara et al. 2001b], Fan et al. [2001], Helmer et al. [1998], Qin and Hwang [2004], Salvador and Chan [2003], Otey et al. [2003] Clustering Based Section 6 ADMIT [Sequeira and Zaki 2002], Eskin et al. [2002], Wu and Zhang [2003], Otey et al. [2003] Nearest Neighbor Section 5 MINDS [Ertoz et al. 2004; Chandola et al. 2006], based Eskin et al. [2002] Spectral Section 9 Shyu et al. [2003], Lakhina et al. [2005], Thottan and Ji [2003],Sun et al. [2007] Information Theo- Section 8 Lee and Xiang [2001],Noble and Cook [2003] retic Source: Chandola et al. 2009 IEEE Symposium on Security and Privacy 4

  13. The Holy Grail ... IEEE Symposium on Security and Privacy 5

  14. The Holy Grail ... • Anomaly detection is extremely appealing. • Promises to find novel attacks without anticipating specifics. • It’s plausible : machine learning works so well in other domains. IEEE Symposium on Security and Privacy 5

  15. The Holy Grail ... • Anomaly detection is extremely appealing. • Promises to find novel attacks without anticipating specifics. • It’s plausible : machine learning works so well in other domains. • But guess what’s used in operation ? Snort. • We find hardly any machine learning NIDS in real-world deployments. IEEE Symposium on Security and Privacy 5

  16. The Holy Grail ... • Anomaly detection is extremely appealing. • Promises to find novel attacks without anticipating specifics. • It’s plausible : machine learning works so well in other domains. • But guess what’s used in operation ? Snort. • We find hardly any machine learning NIDS in real-world deployments. • Could using machine learning be harder than it appears? IEEE Symposium on Security and Privacy 5

  17. Why is Anomaly Detection Hard? The intrusion detection domain faces challenges that make it fundamentally different from other fields. IEEE Symposium on Security and Privacy 6

  18. Why is Anomaly Detection Hard? The intrusion detection domain faces challenges that make it fundamentally different from other fields. Outlier detection and the high costs of errors ! How do we find the opposite of normal? Interpretation of results ! What does that anomaly mean ? Evaluation ! ! How do we make sure it actually works? Training data ! What do we train our system with? Evasion risk ! Can the attacker mislead our system? IEEE Symposium on Security and Privacy 6

  19. Why is Anomaly Detection Hard? The intrusion detection domain faces challenges that make it fundamentally different from other fields. Outlier detection and the high costs of errors ! How do we find the opposite of normal? Interpretation of results ! What does that anomaly mean ? Evaluation ! ! How do we make sure it actually works? Training data ! What do we train our system with? Evasion risk ! Can the attacker mislead our system? IEEE Symposium on Security and Privacy 6

  20. Machine Learning for Classification Feature Y Feature X IEEE Symposium on Security and Privacy 7

  21. Machine Learning for Classification Feature Y B A C Feature X IEEE Symposium on Security and Privacy 7

  22. Machine Learning for Classification Feature Y B A C Feature X IEEE Symposium on Security and Privacy 7

  23. Machine Learning for Classification Feature Y B A C Feature X IEEE Symposium on Security and Privacy 7

  24. Machine Learning for Classification Feature Y B A C Feature X IEEE Symposium on Security and Privacy 7

  25. Machine Learning for Classification Feature Y B A C Feature X IEEE Symposium on Security and Privacy 7

  26. Machine Learning for Classification Feature Y B A C Feature X IEEE Symposium on Security and Privacy 7

  27. Machine Learning for Classification Feature Y B Classification Problems A Optical Character Recognition Google’s Machine Translation Amazon’s Recommendations Spam Detection C Feature X IEEE Symposium on Security and Privacy 7

  28. Outlier Detection Feature Y Feature X IEEE Symposium on Security and Privacy 8

  29. Outlier Detection Feature Y Feature X IEEE Symposium on Security and Privacy 8

  30. Outlier Detection Feature Y Feature X IEEE Symposium on Security and Privacy 8

  31. Outlier Detection Feature Y Closed World Assumption Specify only positive examples. Adopt standing assumption that the rest is negative. Can work well if the model is very precise, or mistakes are cheap. Feature X IEEE Symposium on Security and Privacy 8

  32. What is Normal? • Finding a stable notion of normal is hard for networks. • Network traffic is composed of many individual sessions. • Leads to enormous variety and unpredictable behavior. • Observable on all layers of the protocol stack. IEEE Symposium on Security and Privacy 9

Recommend

Practical Advice for Building Machine Learning Applications Machine Learning Based on lectures

Practical Advice for Building Machine Learning Applications Machine Learning Based on lectures

Practical Advice for Building Machine Learning Applications Machine Learning Based on lectures and papers by Andrew Ng, Pedro Domingos, Tom Mitchell and others 1 ML and the world Making ML work in the world Mostly experiential advice Also

863 views • 69 slides
The Rise of AI and the World of Machine Learning Peter J Bentley What is AI? Robots? Magic

The Rise of AI and the World of Machine Learning Peter J Bentley What is AI? Robots? Magic

The Rise of AI and the World of Machine Learning Peter J Bentley What is AI? Robots? Magic software? Terrifying Super Intelligences? Machine Learning? 1951 This is a maze-solving machine that is capable of solving a maze by trial-and-error

529 views • 48 slides
An Exercise in An Exercise in Machine Learning Machine Learning

An Exercise in An Exercise in Machine Learning Machine Learning

An Exercise in An Exercise in Machine Learning Machine Learning http://www.cs.iastate.edu/~cs573x/bbsilab.html Machine Learning Software Preparing Data Building Classifiers Interpreting Results Machine Learning Software

496 views • 26 slides
Machine learning for lattice theories Real-world lattices 2 Machine learning for lattice

Machine learning for lattice theories Real-world lattices 2 Machine learning for lattice

Machine learning for lattice theories 1 Michael S. Albergo, Gurtej Kanwar , Phiala E. Shanahan Center for Theoretical Physics, MIT Deep Learning and Physics 1 Albergo, GK, Shanahan [PRD 100 (2019) 034515] Kyoto, Japan (November 1, 2019) Machine

786 views • 52 slides
Machine learning applications in developing-world sustainability John Quinn AI-DEV Group School

Machine learning applications in developing-world sustainability John Quinn AI-DEV Group School

Machine learning applications in developing-world sustainability John Quinn AI-DEV Group School of Computing and Informatics Technology Makerere University, Kampala, Uganda CompSust 2012 1 / 22 Overview Why machine learning in the

773 views • 22 slides
Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by

Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by

Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by which computers can be trained through observation, rather than being explicitly programmed. Basically, a program is given input and adjusts its

559 views • 17 slides
World's Fastest Machine Learning With GPUs http://github.com/h2oai/h2o4gpu Speaker: Jonathan C.

World's Fastest Machine Learning With GPUs http://github.com/h2oai/h2o4gpu Speaker: Jonathan C.

World's Fastest Machine Learning With GPUs http://github.com/h2oai/h2o4gpu Speaker: Jonathan C. McKinney Mateusz Erin Navdeep Rory Terry Karen Arno Jonathan S teve H2O4GPU TEAM Machine Learning Deep Learning c RIS

572 views • 33 slides
Machine Learning: Study of algorithms that improve their performance P at some task T

Machine Learning: Study of algorithms that improve their performance P at some task T

Machine Learning 10-601 Tom M. Mitchell Machine Learning Department Carnegie Mellon University January 12, 2015 Today: Readings: What is machine learning? The Discipline of ML Decision tree learning Mitchell, Chapter 3

872 views • 29 slides
Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning

Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning

GCT634/AI613: Musical Applications of Machine Learning (Fall 2020) Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning Pipeline in Classification Tasks A set of hand-designed audio features are selected

401 views • 26 slides
Introductory Applied Machine Learning The primary aim of the course is to provide the student with

Introductory Applied Machine Learning The primary aim of the course is to provide the student with

Introductory Applied Machine Learning The primary aim of the course is to provide the student with a set of practical tools that can be applied to solve real-world problems in machine learning. Nigel Goddard School of Informatics Machine

716 views • 8 slides
10: Biological Applications for HMMs Machine Learning and Real-world Data Ann Copestake and

10: Biological Applications for HMMs Machine Learning and Real-world Data Ann Copestake and

10: Biological Applications for HMMs Machine Learning and Real-world Data Ann Copestake and Simone Teufel Computer Laboratory University of Cambridge Lent 2017 Last session: dice world and HMM decoding You now have written a decoder, i.e., an

401 views • 14 slides
PROJECT SPARROW Improving traffic flow with machine learning TYPES OF MACHINE LEARNING Google

PROJECT SPARROW Improving traffic flow with machine learning TYPES OF MACHINE LEARNING Google

PROJECT SPARROW Improving traffic flow with machine learning TYPES OF MACHINE LEARNING Google Deep Mind MORE VARIABLES Improving the simulation, so it more accurately simulates the real world. USE 3D MAPPING SOFTWARE TO SIMULATE Allows

396 views • 11 slides
Machine Learning Tricks Philipp Koehn 13 October 2020 Philipp Koehn Machine Translation:

Machine Learning Tricks Philipp Koehn 13 October 2020 Philipp Koehn Machine Translation:

Machine Learning Tricks Philipp Koehn 13 October 2020 Philipp Koehn Machine Translation: Machine Learning Tricks 13 October 2020 Machine Learning 1 Myth of machine learning given: real world examples automatically build model

928 views • 53 slides
INFO 1998: Introduction to Machine Learning Lecture 10: Real-World Applications of Data Science

INFO 1998: Introduction to Machine Learning Lecture 10: Real-World Applications of Data Science

INFO 1998: Introduction to Machine Learning Lecture 10: Real-World Applications of Data Science INFO 1998: Introduction to Machine Learning B****es be yearning my earnings concerning machine learning , Your girl started flirting when she saw

671 views • 29 slides
1: Sentiment Classification Machine Learning and Real-world Data (MLRD) Ann Copestake (based on

1: Sentiment Classification Machine Learning and Real-world Data (MLRD) Ann Copestake (based on

1: Sentiment Classification Machine Learning and Real-world Data (MLRD) Ann Copestake (based on slides created by Simone Teufel) Lent 2018 This course: Machine Learning and Real-world Data (MLRD) Three Topics: Classification: sentiment

337 views • 23 slides
10: Biological Applications for HMMs Machine Learning and Real-world Data (MLRD) Ann Copestake

10: Biological Applications for HMMs Machine Learning and Real-world Data (MLRD) Ann Copestake

10: Biological Applications for HMMs Machine Learning and Real-world Data (MLRD) Ann Copestake (partly based on slides created by Simone Teufel) Lent 2019 Last session: dice world and HMM decoding You may by now have written a decoder, i.e.,

555 views • 16 slides
10: Biological Applications for HMMs Machine Learning and Real-world Data (MLRD) Ann Copestake

10: Biological Applications for HMMs Machine Learning and Real-world Data (MLRD) Ann Copestake

10: Biological Applications for HMMs Machine Learning and Real-world Data (MLRD) Ann Copestake (based on slides created by Simone Teufel) Lent 2018 Last session: dice world and HMM decoding You may by now have written a decoder, i.e., an

294 views • 15 slides
CS 335 Machine Learning What is Machine Learning? Dan Sheldon Spring 2019 What is Machine

CS 335 Machine Learning What is Machine Learning? Dan Sheldon Spring 2019 What is Machine

1/22/19 CS 335 Machine Learning What is Machine Learning? Dan Sheldon Spring 2019 What is Machine Learning? A Simple Task: Recognize Obama How do you program a computer to Recognize faces? Recommend movies? Decide which web

582 views • 5 slides
Overview Real World Evidence Brief comment on Machine Learning Lessons to date 1

Overview Real World Evidence Brief comment on Machine Learning Lessons to date 1

10/26/2017 Data Systems in Ophthalmology Krishna Yeshwant kcy@google.com Overview Real World Evidence Brief comment on Machine Learning Lessons to date 1 10/26/2017 Opportunities - Real World Evidence RWE - Learning Health

441 views • 8 slides
Machine Learning Machine Learning: algorithms that use experience to improve their

Machine Learning Machine Learning: algorithms that use experience to improve their

Machine Learning Machine Learning: algorithms that use experience to improve their performance We use machine learning in situations where it is very challenging (or impossible) to define the rules by hand: e.g. face detection

1.04k views • 28 slides
Introduction CMPUT 296: Basics of Machine Learning Chapter 1 Don't Come to Campus All of

Introduction CMPUT 296: Basics of Machine Learning Chapter 1 Don't Come to Campus All of

Introduction CMPUT 296: Basics of Machine Learning Chapter 1 Don't Come to Campus All of Computing Science's courses are online-only this semester CSC and Athabasca Hall are closed You can only come if you are explicitly required to

571 views • 29 slides
Statistical Learning Theory Real-World Process and PAC-Learning Training Set New

Statistical Learning Theory Real-World Process and PAC-Learning Training Set New

Learning Classifiers Statistical Learning Theory Real-World Process and PAC-Learning Training Set New Examples CS678 Advanced Topics in Machine Learning Thorsten Joachims Classifier Learner Spring

96 views • 5 slides
machine learning classification algorithms & Topic Modeling A quick look at 145,000 World

machine learning classification algorithms & Topic Modeling A quick look at 145,000 World

An empirical comparison of machine learning classification algorithms & Topic Modeling A quick look at 145,000 World Bank documents Olivier Dupriez, Development Data Group Slides prepared for DEC Policy Research Talk, February 27, 2018

739 views • 43 slides
15: Ethics in Machine Learning, plus Artificial General Intelligence and some old Science Fiction

15: Ethics in Machine Learning, plus Artificial General Intelligence and some old Science Fiction

15: Ethics in Machine Learning, plus Artificial General Intelligence and some old Science Fiction Machine Learning and Real-world Data Ann Copestake and Simone Teufel Computer Laboratory University of Cambridge Lent 2017 Some ethical issues

403 views • 21 slides

More recommend