Intensive Use of Bayesian Belief Networks for the Unified, Flexible and Adaptable Analysis of Misuses and Anomalies in Network Intrusion Detection and Prevention Systems

This paper describes the ESIDE-Depian intrusion detection and prevention system, which uses Bayesian structural and parametric learning and also evidence propagation and adaptation, in order to improve the accuracy and manageability of network intrusion detection systems (NIDS). Current NIDS do not consider the two main detection paradigms, i.e. misuse detection and anomaly detection, in an unified style, so the analysis is not inherently complete. Besides, historical data are not generally used, neither for analysis nor for sequential adaptation of the knowledge representation models used for detection; hence this wealthy information about the essence and the potential trends of the target system is not commonly considered. Thus, by the generalized use of Bayesian belief networks, ESIDE-Depian achieves the main goal of detecting and preventing both well-known and also zero-day attacks with excellent results, by means of unified real-time analysis of network traffic.

[1]  Juan E. Tapiador,et al.  Stochastic protocol modeling for anomaly based network intrusion detection , 2003, First IEEE International Workshop on Information Assurance, 2003. IWIAS 2003. Proceedings..

[2]  Peter Mell,et al.  Intrusion Detection Systems , 2001 .

[3]  Salvatore J. Stolfo,et al.  Real time data mining-based intrusion detection , 2001, Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.

[4]  Enrique F. Castillo,et al.  Expert Systems and Probabilistic Network Models , 1996, Monographs in Computer Science.

[5]  Judea Pearl,et al.  Reverend Bayes on Inference Engines: A Distributed Hierarchical Approach , 1982, AAAI.

[6]  Mark Burgess,et al.  Probabilistic anomaly detection in distributed computer networks , 2006, Sci. Comput. Program..

[7]  Alfonso Valdes,et al.  Probabilistic Alert Correlation , 2001, Recent Advances in Intrusion Detection.

[8]  Martin Roesch,et al.  Snort - Lightweight Intrusion Detection for Networks , 1999 .

[9]  Steffen L. Lauritzen,et al.  aHUGIN: A System Creating Adaptive Causal Probabilistic Networks , 1992, UAI.

[10]  David J. Spiegelhalter,et al.  Local computations with probabilities on graphical structures and their application to expert systems , 1990 .

[11]  Anders L. Madsen,et al.  The Hugin Tool for Learning Bayesian Networks , 2003, ECSQARU.

[12]  P. Spirtes,et al.  Causation, prediction, and search , 1993 .

[13]  Andreas Stolcke,et al.  Inducing Probabilistic Grammars by Bayesian Model Merging , 1994, ICGI.

[14]  Christopher Krügel,et al.  Anomaly detection of web-based attacks , 2003, CCS '03.

[15]  Peter Mell,et al.  NIST Special Publication on Intrusion Detection Systems , 2001 .