Embeddable Hybrid Intrusion Detection System (HybrIDS)Adrian P. Lauf, William H. Robinson, Vanderbilt University Institute for Software Integrated SystemsRichard A. Peters, Vanderbilt University Center for Intelligent Systems

March 20, 2007

Project Description

Action 1 Action n-1 Action n

Aircraft 1 1 30 25

Aircraft 2 2 32 20

Aircraft 3 1 50 22

Aircraft 4 12 2 80

• Security Scenario: a network of aircraft shares position and mission information• A deviant node exists• The deviant node behaves differently• Connected aircraft record activities• Each node fitted with embedded IDS

• Method: develop a hybridized system to provide high-level analysis of interactions in a homogenous device network• An activity profile is established• Machine learning techniques used to build

node profiles• Profiles analyzed by the IDS engine• First phase provides fast, single-anomaly detection• Second phase requires tuning, detects multiple

anomalies

Abstraction Levels

Implemented

• Phase 1• Interactions are represented by

classifiers (abstracted integer labels)• Probability density function is computed• Maxima Analysis begins

• Global max excluded• Local maxima identified• Highest maximum to cross threshold likely

represents deviance• Deviant node isolated by reverse-mapping

Phase 1 Phase 2

Time Progression

Maxima Detection (MDS) HybrIDS Performance• Step 1: MDS runs, possibly detects single

deviant node• Step 2: Transition phase starts CCIDS• Step 3: Thresholds tuned until CCIDS agrees

with MDS• Step 4: CCIDS now tuned properly, detects

multiple deviant nodes

• System can reliably detect deviant nodes up to 22% deviant node pervasion

• Higher pervasion removes determinism• CCIDS phase stops converging

• System performance is scalable according to deviant node pervasion• Size of node cluster has no effective impact on

scalability, ensured by computational management methods

Cross-Correlative IDS (CCIDS)• Phase 2• Cross-Correlation Analysis

• Individual PDFs correlated against average PDF

• Individual scores analyzed against average score• Average score computed from space

of all cross-correlated scores• Threshold Requirements

• A threshold is required to suspect a score as deviant

• Threshold requirement changes according to deviant node pervasion (percentage of deviant nodes in collective)

• Improper threshold yields false positives• Threshold is application-sensitive• Must be set prior to IDS run (if CCIDS used

alone)

Threshold Bounds

Suspect Node Mean Score Line

Scor

e

Node Number