Presentation - University of Delaware

A Blackboard-Based Learning Intrusion Detection System: A New Approach
Presented by: Preeti Anday
Dept of Computer & Information Sciences
University of Delaware
CISC 879 - Machine Learning for Solving Systems Problems
What is a blackboard?
Blackboard Architecture
[Diagram: several Knowledge Sources (KS) arranged around a shared Blackboard, with a Controller]
What is an IDS?
An intrusion detection system (IDS) is a device (or application) that monitors network and/or system activities for malicious activities or policy violations.
Intrusion Detection
• Anomaly Detection
• Misuse Detection
Intrusion Detection
Based on the network or system area they audit:
• Host based: a security system that detects abuses inside a computer system
• Network based: capable of identifying abusive uses or attempts at unauthorized use of the computer network from outside the system
Prior Approaches
Rule based analysis:
1. Predefined rule set
2. Expert systems
3. Drawbacks
• Inability to detect attack scenarios
• Lack of flexibility
• Variations in the attack sequence reduce the effectiveness of the system
Common Types Of Malicious Attacks
• Denial-of-service Attack (DoS)
• Guessing rlogin Attack
• Scanning Attack
Autonomous Agents
What are Autonomous agents?
• Software agents that perform certain security monitoring functions at the host
• Independent entities
• Have minimal overhead and can resist subversion
• Dynamically reconfigurable, scalable and easily adaptable
• Degrade gracefully
Learning Intrusion Detection System Architecture
Tier 1
Contains the autonomous agents required for the initial alert feature:
A1: Network reader
Collects network data with the help of a program called tcpdump
Posts it on the blackboard
A2: Initial Analyzer
Calls a rule based classifier that is written as a DLL in C++
A3: Display/Output agent
Reports the initial analysis to the user
Tier 2
Contains the agents that analyze the system specific information:
A4: System reader
Gathers system specific information on the protected system
Posts it on the blackboard
A5: Attack classifier
Identifies the different subclasses of intrusions present in the network
Sends information from the blackboard to the classifier, which performs the diagnosis and posts the results on the blackboard
Tier 2 contd.
The information gathered in A4 includes:
• Available network bandwidth
• CPU usage
• Network packets
• Memory usage
• Number of connections
• Connection attempts
• Protocol
• Packet length
Tier 2 contd.
The classifier used in A5 is a micro genetic algorithm based classifier that uses the multiple fault diagnosis concept to perform the necessary function.
The result states what type of attack is present and what its probability of presence in the data set is.
The genetic algorithm is capable of determining the sub-classifications of attacks.
Tier 3
Contains the autonomous agents that give full details of the attacks:
A6: Analyzer with ANN
Analyzes the information
Decides which type of ANN will be useful for further analysis
If the analysis finds no attack in the dataset, the agent flags the dataset as a false positive alarm
Tier 3
A7: Teaching agent
Updates the rule set of A2
A8: Report generation
Displays a complete report of the analysis to the user
Since the agents are autonomous, a control pattern is included to ensure that each agent gets at least one chance to look at the blackboard in one process cycle.
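The tiers and the control pattern described above, as an added example that is not the presentation's own code: a Python sketch of one blackboard with four knowledge-source agents standing in for A1, A2, A5 and A6, and a controller that gives each agent one look at the blackboard per process cycle. The packet records, the distinct-port rule and the probability stand-in are constructed for illustration.

```python
"""Added illustration (not the presentation's code): a blackboard IDS loop.

Knowledge-source agents standing in for A1, A2, A5 and A6 of the talk read
from and post to one shared blackboard dict; the controller gives every
agent one look per process cycle, as the talk's control pattern requires.
Packet records, the port-count rule and the probability are constructed.
"""

# Constructed tcpdump-like records: (src, dst_port, proto, length).
# One host probes 25 distinct ports; another makes two ordinary connections.
CAPTURE = [("10.0.0.5", p, "tcp", 60) for p in range(20, 45)] + [
    ("10.0.0.9", 80, "tcp", 512), ("10.0.0.9", 443, "tcp", 1200)]

def network_reader(bb):
    """A1: post the captured packets on the blackboard."""
    bb["packets"] = list(bb.get("capture", []))

def initial_analyzer(bb):
    """A2: rule-based first pass; raises an initial alert per suspicious source."""
    ports_by_src = {}
    for src, port, _proto, _length in bb["packets"]:
        ports_by_src.setdefault(src, set()).add(port)
    # Constructed rule: 10 or more distinct destination ports from one source.
    bb["alerts"] = [s for s, ps in ports_by_src.items() if len(ps) >= 10]

def attack_classifier(bb):
    """A5: name the attack subclass and its probability of presence."""
    results = {}
    for src in bb["alerts"]:
        pkts = [p for p in bb["packets"] if p[0] == src]
        distinct = len({p[1] for p in pkts})
        # Stand-in for the micro-GA classifier: share of packets hitting a new port.
        results[src] = ("scanning", round(distinct / len(pkts), 2))
    bb["classification"] = results

def ann_analyzer(bb):
    """A6: with no attack confirmed, flag the dataset as a false positive alarm."""
    bb["false_positive"] = not bb["classification"]

AGENTS = [network_reader, initial_analyzer, attack_classifier, ann_analyzer]

def run_cycle(capture, agents=AGENTS):
    """Controller: one process cycle gives each agent exactly one look."""
    bb = {"capture": capture}
    for agent in agents:
        agent(bb)
    return bb

if __name__ == "__main__":
    print(run_cycle(CAPTURE)["classification"])  # {'10.0.0.5': ('scanning', 1.0)}
```

Feeding only the two benign records through the same cycle leaves the alert list empty and sets the false-positive flag, which is the A6 outcome the slide describes.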
Questions