CERT
ISW'97 site

Position Statement

Roy A. Maxion
Computer Science Department
Carnegie Mellon University
Pittsburgh, PA 15213

Internet: maxion@cs.cmu.edu

Many intrusion-detection schemes are based on a priori knowledge of attack signatures, and make use of pattern matching to recognize particular attacks. Such an approach can work well for predetermined attack scripts or signatures, but is less likely to perform well against novel attacks.

Our research is concerned with understanding how to detect novel attacks through the use of machine learning. The goal is to characterize the normal operating signatures of a target system, developing an internal representation of normal behavior. Concomitant with this goal is the need to accommodate drift, or nonstationarity, in normal behavior. For example, network traffic may be normally high at mid-day, and normally low late at night; any representation of network behavior, therefore, needs to accommodate not only such daily variation, but variation over longer time periods as well. Against a constantly varying template of normal behavior, anomalous conditions are detected; if the anomalies exceed a threshold, alerts can be issued, and diagnoses can be undertaken. By this mechanism we are attempting to detect intrusive behavior that has not been previously observed and characterized.

The system has been tested in the environment of Ethernet networks and semiconductor wafer fabrication. The drift in each of these environments can be substantial, but the detection system was successful in finding more than 90% of injected network anomalies and 100% of semiconductor fabrication process anomalies. Current work is focused on testing the system in a purely synthetic, highly controlled experimental environment in which a synthesizer injects anomalous signals automatically, and the system learns to discriminate between normal and anomalous behavior.
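As an added illustration (not code from the position statement or from the CMU system it describes), the sketch below implements the idea in Python: one running template of normal load per hour of day, maintained as an exponentially weighted mean and variance so the profile follows both the daily cycle and slower drift, with an alert whenever a sample deviates from its hour's template by more than a threshold. The learning rate, the 10% noise floor, the hourly traffic series and the two injected anomalies are all constructed for the example.

```python
import math
from collections import defaultdict
class DriftingBaseline:
    """Per-hour-of-day template of 'normal' load that follows slow drift.
    alpha: learning rate; threshold: |z| that raises an alert; warmup: samples an
    hour needs before scoring; floor: minimum std-dev as a fraction of the mean."""
    def __init__(self, alpha=0.2, threshold=3.0, warmup=3, floor=0.1):
        self.alpha, self.threshold, self.warmup, self.floor = alpha, threshold, warmup, floor
        self.mean, self.var, self.count = {}, {}, defaultdict(int)

    def score(self, hour, value):
        """z-score of value against this hour's template; 0.0 while warming up."""
        if self.count[hour] < self.warmup:
            return 0.0
        sd = max(math.sqrt(self.var[hour]), self.floor * self.mean[hour])
        return (value - self.mean[hour]) / sd

    def update(self, hour, value):
        """Fold a sample judged normal into the hour's exponentially weighted mean/variance."""
        if hour not in self.mean:
            self.mean[hour], self.var[hour] = float(value), 0.0
        else:
            delta = value - self.mean[hour]
            self.mean[hour] += self.alpha * delta
            self.var[hour] = (1 - self.alpha) * (self.var[hour] + self.alpha * delta * delta)
        self.count[hour] += 1

    def observe(self, hour, value):
        """Score, then learn; alerted samples are not learned, so they cannot skew the template."""
        z = self.score(hour, value)
        alert = abs(z) > self.threshold
        if not alert:
            self.update(hour, value)
        return z, alert

def constructed_traffic(days=7):
    """Constructed hourly counts (not measured data): busy 09-17h, quiet at night, steady
    daily drift, a small deterministic wobble, plus an outage (day 5, 14h) and a night spike (day 6, 3h)."""
    anomalies = {(5, 14): 100, (6, 3): 900}
    samples = []
    for d in range(days):
        for h in range(24):
            normal = (800 + 20 * d if 9 <= h <= 17 else 200 + 5 * d) + ((7 * d + h) % 5) * 6
            samples.append((d, h, anomalies.get((d, h), normal)))
    return samples

def detect(samples, detector=None):
    """Run the detector over (day, hour, value) samples; return the alerted (day, hour) pairs."""
    det = detector if detector is not None else DriftingBaseline()
    return [(d, h) for d, h, v in samples if det.observe(h, v)[1]]
```

Over the constructed week the gradual rise in daytime load is absorbed into the template without an alert, while the two injected anomalies are the only samples that exceed the threshold.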


