SANA_ANIMA-ID

Sub-Project: ANIMA-ID - ANIMA for Network Intrusion Detection

Christoph Schommer introduced, and Ben Schroeder extended, ANIMA, an online approach for finding association rules in data streams. I now use this idea to store the signatures of network intrusions and to check whether a given packet is malicious. The result is an online system that is easy to administer, adaptive and efficient; I call this ANIMA system ANIMA-ID below.

In current Intrusion Detection Systems (IDS), one major problem is how to store the information needed to detect an attack. This storage should be efficient, i.e. it should save storage space when holding the information and computational power when checking a packet.

The information about an attack is a string (its signature); if a packet contains this string, the packet is malicious. ANIMA-ID stores these strings in a directed graph in which each node holds one character and the edges encode the order of the characters, so that a signature corresponds to a path through the graph. Nodes and edges carry weights. When a string is checked, the system sums the weights of the nodes and edges of the signature path that the string matches. If this value equals 1, the packet definitely contains the attack; if it equals 0, the packet does not contain it. Otherwise the value lies between 0 and 1, and a value close to 1 means the packet contains the attack with high probability.



When the IDS checks a packet, it feeds the packet into ANIMA-ID, which returns a value that classifies the packet as malicious, malicious with high probability, or non-malicious.
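To make the graph-and-weights idea above concrete, here is an added toy implementation in Python. It is not the SANA/ANIMA-ID Java agent, and the page does not specify how nodes and edges are weighted, so the weighting (1 divided by the number of signatures sharing a node or edge), the "probably malicious" threshold, the two signature strings and the sample packets are all this example's own constructed assumptions. It shows the node sharing that reduces storage, the three verdicts, and a partial match for a mutated signature.

```python
# Added illustration of a character-graph signature store in the style of
# ANIMA-ID. This is NOT the SANA/ANIMA-ID Java code; the weighting scheme
# (weight = 1 / number of signatures sharing a node or edge), the threshold
# and the sample signatures/packets are this example's own assumptions.
from collections import defaultdict


class SignatureGraph:
    """Directed graph with one node per distinct character and one edge per
    consecutive character pair; a signature is a path through it."""

    def __init__(self):
        self.node_uses = defaultdict(int)  # char -> number of signatures using it
        self.edge_uses = defaultdict(int)  # (c1, c2) -> number of signatures using it
        self.signatures = []               # inserted attack strings (kept for scoring)

    def insert(self, signature):
        """Add an attack string; nodes/edges already present are only re-weighted."""
        if not signature or signature in self.signatures:
            return
        self.signatures.append(signature)
        for c in set(signature):
            self.node_uses[c] += 1
        for e in set(zip(signature, signature[1:])):
            self.edge_uses[e] += 1

    def size(self):
        """(nodes, edges) actually stored, to compare with the raw signature lengths."""
        return len(self.node_uses), len(self.edge_uses)

    def _weight(self, uses):
        # Assumption: elements shared by many signatures carry less evidence.
        return 1.0 / uses

    def score(self, packet):
        """Best match over all signatures, in [0, 1]: the weight of a signature's
        nodes and edges that also occur in the packet, divided by its total
        weight. 1.0 means every node and edge of some signature path is present."""
        pkt_nodes = set(packet)
        pkt_edges = set(zip(packet, packet[1:]))
        best = 0.0
        for sig in self.signatures:
            total = hit = 0.0
            for c in set(sig):
                w = self._weight(self.node_uses[c])
                total += w
                if c in pkt_nodes:
                    hit += w
            for e in set(zip(sig, sig[1:])):
                w = self._weight(self.edge_uses[e])
                total += w
                if e in pkt_edges:
                    hit += w
            best = max(best, hit / total)
        return best

    def classify(self, packet, threshold=0.8):
        """Map the score onto the three verdicts the page describes."""
        s = self.score(packet)
        if s == 1.0:
            return "malicious"
        if s >= threshold:
            return "probably malicious"   # similar or mutated attack
        return "non-malicious"


def build_demo_graph():
    """Graph with two constructed signatures (an old CGI probe and a passwd read)."""
    g = SignatureGraph()
    g.insert("/cgi-bin/phf")
    g.insert("/etc/passwd")
    return g


if __name__ == "__main__":
    g = build_demo_graph()
    print("nodes/edges stored:", g.size(), "vs. signature characters:",
          sum(len(s) for s in g.signatures))
    for pkt in ("GET /cgi-bin/phf?Qalias=x HTTP/1.0",   # contains the exact signature
                "GET /cgi-bin/phX HTTP/1.0",            # one character mutated
                "GET /index.html HTTP/1.0"):            # benign request
        print(f"{g.score(pkt):.3f}  {g.classify(pkt):20s} {pkt}")
    # False-positive case: every node and edge of "xyx" occurs in "xy yx", so the
    # path-independent scoring reports a full match although the signature
    # itself is not contained in the packet.
    fp = SignatureGraph()
    fp.insert("xyx")
    print(f"{fp.score('xy yx'):.3f}  {fp.classify('xy yx'):20s} xy yx")
```

Two things are worth noticing when running it. First, the two signatures together have 23 characters but the graph stores only 16 nodes and 20 edges, which is the redundancy removal listed under the advantages. Second, because the check only asks whether each node and edge of a signature occurs somewhere in the packet, a packet that contains all of them in a different order (the `xy yx` case) scores 1.0 without containing the signature; this is the kind of false positive the theoretical analysis in the project status describes, and it also means that almost no real packet scores exactly 0, so the threshold between "probably malicious" and "non-malicious" has to be chosen with care.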



Advantages:

  • ANIMA-ID is highly efficient because redundancies are removed: if the directed graph already contains a character, no new node is added, so storage space is reduced. The graph is also smaller, which makes checking faster.
  • ANIMA-ID is adaptive because it also detects similar or mutated attacks.
  • ANIMA-ID is easy to administer because the administrator only inserts the information about the attacks; the rest works unsupervised.

Disadvantages:

  • There is currently no functionality to remove the information about an attack.

Project Status:

  • The approach ANIMA-ID is implemented as a Java agent class in SANA and performs well. It identifies all types of known attacks properly. A screenshot of the test system.
  • Furthermore, I analysed the approach theoretically and showed that if an attack is added to ANIMA-ID, it will find this attack again: no forgetting of attacks. Moreover, packets which do not contain an attack are mostly not identified as malicious by ANIMA-ID. Unfortunately, there are some cases where ANIMA-ID identifies a packet as malicious even though the packet does not contain an attack. However, these cases are far from practice.
  • Christoph Schommer and I wrote an article about this approach, which was presented and published at the Fourth Australasian Information Security Workshop (AISW-NetSec 2006) in Hobart, Australia. The workshop is part of the Australasian Computer Science Week 2006, and the proceedings appear in Conferences in Research and Practice in Information Technology (CRPIT), Vol. 54. The conference was held in January 2006. I participated in the workshop, and the first part of the sub-project is finished.

Next Steps:

  • The next step is to integrate ANIMA-ID completely into the Artificial Immune System framework.


Version: 2.7.1 (UniLux: 1.15.0 2006-01-19)
Modified: 2006-03-20 23:42:06
Exported: 2012-05-17 01:31:37