
By Nitin Bande

Introduction
As the deployment of network-centric systems increases, network attacks increase proportionally in both intensity and complexity. Attack detection techniques are broadly classified as signature-based, classification-based, or anomaly-based.

ML-IDS
The Multi-Level Intrusion Detection System (ML-IDS) uses autonomic computing to automate its own control and management. This automation allows ML-IDS to detect network attacks and proactively protect against them. ML-IDS inspects and analyzes network traffic at three levels of granularity: traffic flow, packet header, and payload.

ML-IDS
ML-IDS employs an efficient fusion decision algorithm to improve the overall detection rate and minimize false alarms. Network defense systems (signature-based or anomaly-based) can be classified according to the type of misuse they target. The first category of network defense systems detects misuse of network resource limitations.

ML-IDS
These defense systems use flow-level information to make decisions and detect attacks; examples are PeakFlow X, Mazu Profiler, and the AND system. The second type focuses on detecting misuse of protocol vulnerabilities. Such a system detects attacks using information collected from the protocol headers.

ML-IDS
Current detection systems of this type are stateful firewalls (e.g., IPTABLES, Cisco PIX, and Linksys WRT54GS), which protect against attacks such as DoS and SYN flooding. A further category of network defense systems detects misuse of application vulnerabilities by analyzing information collected from the packet payloads.

ML-IDS
ML-IDS is capable of detecting any type of network attack. The current implementation of ML-IDS uses two types of attack detection techniques: flow-based and protocol-based.

Flow-based approach
The flow-based approach employs a set of rules; a traffic flow that violates them is flagged as anomalous. The protocol behavior approach views network protocol operation as a finite state machine and flags illegal sequences of state transitions as anomalous. The current protocol behavior analysis module is not affected by the use of TCP window scaling. A fusion module that implements the least squares algorithm combines the decisions produced by each type of anomaly analysis and thus significantly reduces the attack detection error.
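The protocol behavior approach above, as an added example that is not code from the original slides: TCP connection setup and teardown modelled as a finite state machine, with any packet that is not a legal transition from the flow's current state flagged as anomalous. The transition table is a simplified model written for this example (not ML-IDS's own), and the sample packets are constructed.

```python
"""Protocol behavior analysis in the ML-IDS sense: track each TCP flow
through a finite state machine and flag illegal state transitions.
The transition table below is a simplified model for this example."""
from collections import defaultdict

# (current state, sender, TCP flags) -> next state.
# sender: 'c' = client to server, 's' = server to client.
TRANSITIONS = {
    ("CLOSED", "c", "S"): "SYN_SENT",
    ("SYN_SENT", "s", "SA"): "SYN_RCVD",
    ("SYN_RCVD", "c", "A"): "ESTABLISHED",
    ("ESTABLISHED", "c", "PA"): "ESTABLISHED",
    ("ESTABLISHED", "s", "PA"): "ESTABLISHED",
    ("ESTABLISHED", "c", "A"): "ESTABLISHED",
    ("ESTABLISHED", "s", "A"): "ESTABLISHED",
    ("ESTABLISHED", "c", "FA"): "FIN_WAIT",
    ("FIN_WAIT", "s", "FA"): "LAST_ACK",
    ("LAST_ACK", "c", "A"): "CLOSED",
}

def analyze(packets):
    """packets: iterable of (flow_id, sender, flags). Returns the final state
    of every flow and a list of (flow_id, state, sender, flags) anomalies."""
    state = defaultdict(lambda: "CLOSED")
    anomalies = []
    for flow, sender, flags in packets:
        if "R" in flags:            # RST is legal from any state; tear the flow down
            state[flow] = "CLOSED"
            continue
        nxt = TRANSITIONS.get((state[flow], sender, flags))
        if nxt is None:             # no legal edge from here: flag, leave state unchanged
            anomalies.append((flow, state[flow], sender, flags))
        else:
            state[flow] = nxt
    return dict(state), anomalies

# Constructed sample traffic: f1 is a normal connection, f2 acknowledges a
# connection that was never opened, f3 pushes data before its handshake completes.
SAMPLE_PACKETS = [
    ("f1", "c", "S"), ("f1", "s", "SA"), ("f1", "c", "A"),
    ("f1", "c", "PA"), ("f1", "s", "PA"), ("f1", "c", "FA"),
    ("f1", "s", "FA"), ("f1", "c", "A"),
    ("f2", "c", "A"),
    ("f3", "c", "S"), ("f3", "c", "PA"), ("f3", "c", "R"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_PACKETS)[1]:
        print("illegal transition:", alert)
```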

Signature-based detection
Examples are SNORT, USTAT, NSTAT, and P-BEST. These systems are limited in that they cannot detect new attacks: once a new attack is identified, there is a significant time lapse before the signature database is updated. This approach is also well known for its high number of false positive alerts.

Classification-based detection
Classification-based systems have normal and abnormal data sets and use data mining techniques to train the system. This creates fairly accurate classification models compared with signature-based approaches, so they are extremely powerful in detecting known attacks and their variants, but they are not capable of detecting unknown attacks. ADAM uses a combination of association rule mining and classification to discover attacks in a TCPdump audit trail. Another approach is the use of rare-class predictive models such as Credos and PNRule. Some systems use association rules to detect intrusions, while others use cost-sensitive modeling.

Anomaly-based detection

It builds a model of normal behavior and automatically classifies statistically significant deviations from normal as abnormal. The advantage of this approach is that it can detect unknown attacks. However, a high rate of false positive alarms may be generated when the knowledge collected about normal behavior is inaccurate.

ML-IDS Architecture

The main modules are the Online Monitoring and Filtering, Multi-level Behavior Analysis, Decision Fusion, Action, Visualization, and Adaptive Learning.

[Architecture diagram: Online Monitoring and Filtering Engine; Multi-level Behavior Analysis (Rule-based Flow Behavior Analysis, Protocol Behavior Analysis, Payload Behavior Analysis); Decision Fusion Module; Risk and Impact Analysis Engine; Action Engine; Visualization Module; Adaptive Learning]

ML-IDS Modules
Monitoring and Filtering Engine; Multi-level Behavior Analysis (Rule-based Behavior Analysis, Protocol Behavior Analysis); Decision Fusion; Action Module

Thank you
