ABSTRACT:
Most anomaly detection systems rely on machine learning algorithms to derive a model
of normality that is later used to detect suspicious events. Some works
conducted over the last years have pointed out that such algorithms are
generally susceptible to deception, notably in the form of attacks carefully
constructed to evade detection. Various learning schemes have been proposed to
overcome this weakness. One such system is KIDS (Keyed IDS), introduced at
DIMVA’10. KIDS’ core idea is akin to the functioning of some cryptographic
primitives, namely to introduce a secret element (the key) into the scheme so
that some operations are infeasible without knowing it. In KIDS the learned model
and the computation of the anomaly score are both key-dependent, a fact which
presumably prevents an attacker from creating evasion attacks. In this work we
show that recovering the key is extremely simple provided that the attacker can
interact with KIDS and get feedback about probing requests. We present
realistic attacks for two different adversarial settings and show that
recovering the key requires only a small number of queries, which indicates
that KIDS does not meet the claimed security properties. We finally revisit
KIDS’ central idea and provide heuristic arguments about its suitability and
limitations.
AIM
The aim of this paper is to examine KIDS, in which the learned model and the
computation of the anomaly score are both key-dependent, a fact which
presumably prevents an attacker from creating evasion attacks.
SCOPE
The scope of this project is to show that
recovering the key is extremely simple provided that the attacker can interact
with KIDS and get feedback about probing requests.
EXISTING SYSTEM
It has been accurately
pointed out that security problems differ from other application domains of
machine learning in at least one fundamental feature: the presence of an
adversary who can strategically play against the algorithm to accomplish his
goals. Thus, for example, one major objective for the attacker is to avoid
detection. Evasion attacks exploit weaknesses in the underlying classifiers,
which are often unable to identify a malicious sample that has been
conveniently modified so as to look normal. Examples of such attacks abound.
For instance, spammers regularly obfuscate their emails in various ways to
avoid detection, e.g. by modifying words that are usually found in spam, or by
including a large number of words that do not. Similarly, malware and other
pieces of attack code can be carefully adapted so as to evade Intrusion
Detection Systems (IDS) without compromising the functionality of the attack.
DISADVANTAGES:
- Anomaly detection systems rely on machine learning algorithms to derive a model of normality that is later used to detect suspicious events.
- Such algorithms are generally susceptible to deception, notably in the form of attacks carefully constructed to evade detection.
PROPOSED SYSTEM
KIDS (Keyed Intrusion Detection System) was introduced by Mrdovic and Drazenovic at
DIMVA’10. KIDS is an application layer network anomaly detection system that
extracts a number of features (“words”) from each payload. The system then
builds a model of normality based both on the frequency of observed features
and their relative positions in the payload. KIDS’ core idea to impede evasion
attacks is to incorporate the notion of a “key”, this being a secret element
used to determine how classification features are extracted from the payload.
The security argument here is simple: even though the learning and testing
algorithms are public, an adversary who is not in possession of the key will
not know exactly how a request will be processed and, consequently, will not be
able to design attacks that thwart detection.
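The key-dependent feature extraction described above, as an added example that is not code from the KIDS authors or from this project. It assumes the key is a set of delimiter bytes and uses a simplified word-frequency model with a hypothetical scoring rule (fraction of unseen words); the function names, both keys and the sample requests are constructed for illustration.

```python
from collections import Counter

def extract_words(payload: bytes, key: frozenset) -> list:
    """Split the payload at every byte that belongs to the secret key."""
    words, current = [], bytearray()
    for b in payload:
        if b in key:              # delimiter: close the current word
            if current:
                words.append(bytes(current))
                current = bytearray()
        else:
            current.append(b)
    if current:
        words.append(bytes(current))
    return words

def train(payloads, key) -> Counter:
    """Model of normality: frequency of each word seen in normal traffic."""
    model = Counter()
    for p in payloads:
        model.update(extract_words(p, key))
    return model

def anomaly_score(payload: bytes, model: Counter, key: frozenset) -> float:
    """Assumed scoring rule: fraction of words never seen during training."""
    words = extract_words(payload, key)
    if not words:
        return 0.0
    return sum(1 for w in words if w not in model) / len(words)

# Constructed sample data (not from the paper).
NORMAL = [
    b"GET /index.html HTTP/1.1",
    b"GET /img/logo.png HTTP/1.1",
    b"GET /index.html?lang=en HTTP/1.1",
]
PROBE = b"GET /img/index.html HTTP/1.1"   # recombines tokens seen in training
KEY_A = frozenset(b" /.?=")               # hypothetical key 1
KEY_B = frozenset(b" ")                   # hypothetical key 2

def score_under(key: frozenset) -> float:
    """Train and score with the same key, as a keyed deployment would."""
    return anomaly_score(PROBE, train(NORMAL, key), key)

if __name__ == "__main__":
    for name, key in (("KEY_A", KEY_A), ("KEY_B", KEY_B)):
        print(name, extract_words(PROBE, key), round(score_under(key), 3))
```

The same request is scored differently under each key, so any score or accept/reject feedback returned to a client is itself a function of the key.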
ADVANTAGES
- The focus has been on recovering the key through efficient procedures, demonstrating that the classification process leaks information about it that can be leveraged by an attacker.
- The ultimate goal is to evade the system, and we have just assumed that knowing the key is essential to craft an attack that evades detection or, at least, that significantly facilitates the process.
SYSTEM CONFIGURATION
HARDWARE REQUIREMENTS:
- Processor - Pentium III
- Speed - 1.1 GHz
- RAM - 256 MB (min)
- Hard Disk - 20 GB
- Floppy Drive - 1.44 MB
- Keyboard - Standard Windows Keyboard
- Mouse - Two or Three Button Mouse
- Monitor - SVGA
SOFTWARE REQUIREMENTS:
- Operating System: Windows 7
- Front End: ASP.NET and C#
- Database: MSSQL
- Tool: Visual Studio
REFERENCE:
Tapiador, J.E., Orfila, A., Ribagorda, A., Ramos, B., “Key-Recovery Attacks on KIDS, a Keyed Anomaly Detection System”, IEEE Transactions on Dependable and Secure Computing, Volume 12, Issue 3, September 2013.