Multi-Level Intrusion Detection System (ML-IDS)


The rapid growth and deployment of network technologies and Internet services has made the security and management of networks a challenging research problem. This growth is accompanied by an exponential growth in the number of network attacks, which have become more complex and organized, more dynamic, and more severe than ever. Existing techniques for responding to such attacks, such as intrusion detection systems and firewall hardware/software, are labor-intensive, which makes them too slow to respond efficiently to complex, interacting, organized network attacks. Furthermore, signature-based countermeasures such as those used by intrusion detection systems cannot detect new types of attacks. The successful operation of the cyber-security infrastructure requires the ability to detect previously unseen attacks in real time, to provide appropriate risk and impact analyses, and to take appropriate action.

The primary goal of the ML-IDS is to detect known or unknown network attacks and to proactively prevent or minimize their impact on network operations and services. The main modules of the proposed ML-IDS are: Online Monitoring and Filtering, Multi-level Behavior Analysis, Risk Analysis, Protective Action, and Adaptive Learning.

In this project, we are developing an ML-IDS to proactively detect and protect against any type of attack and to mitigate its impact in real time. The project was initially funded by the DARPA FT program and later by ARL and the Air Force. The current prototype, which is based on rule-based flow analysis, detects and blocks network attacks with a detection rate above 99% and almost no false alarms.

We are currently extending the prototype with a multi-level analysis: the behavior of networks and hosts is analyzed from three perspectives, protocol behavior (TCP, UDP, ICMP), flow-based analysis, and packet-payload analysis. Statistical and data-mining techniques then fuse the results of these analyses into one prediction of whether the network and/or host is behaving normally, and the system automatically acts on that prediction to mitigate the impact of the attack.

This approach is superior to existing signature-based techniques, which are mainly labor-intensive, and to conventional anomaly-based techniques, which are not effective because of the large number of false alarms they produce. Because our approach combines multi-level analysis with fine-grained analysis, it does not suffer from this limitation.
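The following is an added illustration of the three-perspective analysis and fusion described above; it is not the project's code. The page does not specify the rule base or the statistical fusion method, so each level here is a deliberately simple hand-written scorer (bare-SYN ratio for protocol behavior, destination-port fan-out for flow behavior, payload byte entropy for payload analysis), the fusion is a fixed weighted sum with assumed weights and threshold, and the packet records are constructed, not captured traffic.

```python
"""Toy multi-level analysis: a protocol, a flow and a payload scorer, each
producing a score in [0, 1] per source host, fused into one verdict.
Added illustration only; the scorers, weights and threshold are assumptions,
not the ML-IDS rule base or its statistical fusion."""
import math
from collections import defaultdict


def tcp(src, dport, flags, payload=b""):
    """Build one constructed TCP packet record (not real captured traffic)."""
    return {"src": src, "proto": "tcp", "dport": dport,
            "flags": set(flags), "payload": payload}


# Constructed sample traffic from three hosts.
SAMPLE = []
# 10.0.0.5: benign client, three short HTTP exchanges on port 80.
for _ in range(3):
    SAMPLE += [tcp("10.0.0.5", 80, {"SYN"}),
               tcp("10.0.0.5", 80, {"ACK"}),
               tcp("10.0.0.5", 80, {"ACK", "PSH"},
                   b"GET /index.html HTTP/1.1\r\n")]
# 10.0.0.9: SYN scanner, one bare SYN to each of 40 ports, no handshake.
SAMPLE += [tcp("10.0.0.9", port, {"SYN"}) for port in range(20, 60)]
# 10.0.0.7: completes a handshake but pushes a maximum-entropy 256-byte blob.
SAMPLE += [tcp("10.0.0.7", 80, {"SYN"}),
           tcp("10.0.0.7", 80, {"ACK"}),
           tcp("10.0.0.7", 80, {"ACK", "PSH"}, bytes(range(256)))]


def entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def protocol_score(pkts):
    """Protocol level: share of TCP segments that are bare SYNs (no ACK).
    A normal client sends one SYN per connection, then ACK-bearing segments."""
    tcp_pkts = [p for p in pkts if p["proto"] == "tcp"]
    if not tcp_pkts:
        return 0.0
    bare_syn = sum(1 for p in tcp_pkts
                   if "SYN" in p["flags"] and "ACK" not in p["flags"])
    return bare_syn / len(tcp_pkts)


def flow_score(pkts, fanout=16):
    """Flow level: distinct destination ports touched, saturating at `fanout`
    (assumed cutoff) so the score reaches 1.0 for a port sweep."""
    ports = {p["dport"] for p in pkts if p["dport"] is not None}
    return min(1.0, len(ports) / fanout)


def payload_score(pkts, min_len=64):
    """Payload level: highest entropy among payloads of at least min_len bytes,
    divided by 8 so 1.0 means every byte value equally likely."""
    ents = [entropy(p["payload"]) for p in pkts if len(p["payload"]) >= min_len]
    return max(ents, default=0.0) / 8.0


# Assumed fusion weights; the page says the real system learns this step
# with statistical and data-mining techniques.
WEIGHTS = {"protocol": 0.4, "flow": 0.4, "payload": 0.2}


def fuse(scores, weights=WEIGHTS):
    """Weighted sum of the per-level scores."""
    return sum(weights[k] * scores[k] for k in weights)


def analyze(packets, threshold=0.5):
    """Group packets by source host, score each level, fuse, and decide."""
    by_src = defaultdict(list)
    for p in packets:
        by_src[p["src"]].append(p)
    report = {}
    for src, pkts in by_src.items():
        scores = {"protocol": protocol_score(pkts),
                  "flow": flow_score(pkts),
                  "payload": payload_score(pkts)}
        fused = fuse(scores)
        report[src] = {"scores": scores, "fused": round(fused, 3),
                       "verdict": "anomalous" if fused >= threshold else "normal"}
    return report


if __name__ == "__main__":
    for host, result in analyze(SAMPLE).items():
        print(host, result["verdict"], result["fused"], result["scores"])
```

With these assumed weights the scanner (10.0.0.9) is flagged because both the protocol and flow levels agree, while 10.0.0.7 is not: its payload level alone is maximal, but one level does not outvote the other two. That is the point of fusing levels rather than alerting on any single detector, and it also shows why the weights and threshold matter and should be learned from data rather than fixed by hand as they are here.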