
ids_example

Martin Grimmer edited this page Apr 27, 2023 · 5 revisions

First, the imports we need (note that `Direction` is used further down, so it has to be imported as well):

```python
from pprint import pprint
from datetime import datetime

from algorithms.decision_engines.stide import Stide
from algorithms.features.impl.stream_sum import StreamSum
from algorithms.features.impl.max_score_threshold import MaxScoreThreshold
from algorithms.features.impl.int_embedding import IntEmbedding
from algorithms.features.impl.ngram import Ngram
from algorithms.ids import IDS
from dataloader.dataloader_factory import dataloader_factory
from dataloader.direction import Direction  # needed for Direction.CLOSE below
```

Now some code to load the CVE-2017-7529 scenario of LID-DS-2021:

```python
if __name__ == '__main__':
    # TODO: change this to your base path
    lid_ds_base_path = "/path/to/your/data"
    lid_ds_version = "LID-DS-2021"
    scenario_name = "CVE-2017-7529"
    scenario_path = f"{lid_ds_base_path}/{lid_ds_version}/{scenario_name}"
    # load only the closing ("<") system calls for this example
    dataloader = dataloader_factory(scenario_path, direction=Direction.CLOSE)
```

Now the features and algorithms we want to use:

  • We want to build 7-grams of system call names
  • Then we want to use the STIDE algorithm for intrusion detection

```python
    ### Features (for more information see the paper "Improving Host-based Intrusion Detection Using Thread Information", International Symposium on Emerging Information Security and Applications (EISA), 2021)
    thread_aware = False
    window_length = 100
    ngram_length = 7

    ### Building blocks
    # First: map each system call to an integer
    int_embedding = IntEmbedding()
    # Now build ngrams from these integers
    ngram = Ngram([int_embedding], thread_aware, ngram_length)
    # Finally calculate the STIDE algorithm using these ngrams
    stide = Stide(ngram)
    # Sum the STIDE scores over a sliding window of window_length (100) system calls
    stream_sum = StreamSum(stide, False, window_length, True)
    # Define the MaxScoreThreshold decider
    my_decider = MaxScoreThreshold(stream_sum)
```

Now we create an IDS object and tell it to do the intrusion detection:

```python
    ### The IDS
    ids = IDS(data_loader=dataloader,
              resulting_building_block=my_decider,
              create_alarms=False,
              plot_switch=False)

    print("at evaluation:")
    # Threshold: run the validation data through the pipeline to set the decider's threshold
    ids.determine_threshold()
    # Detection: score the test data against that threshold
    ids.detect()
```
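To make the data flow of these building blocks concrete without the LID-DS data set, here is an added, self-contained re-implementation of the same pipeline in plain Python (IntEmbedding -> Ngram -> Stide -> StreamSum -> MaxScoreThreshold, followed by determine_threshold and detect). It is not LID-DS code: every class and function name is this example's own, the system call traces are constructed, and it uses 3-grams with a window of 5 instead of the 7 and 100 above so the traces stay short. The MaxScoreThreshold rule is taken to be "alarm when a windowed score exceeds the largest score seen on the validation data", which is an assumption about the library's decider.

```python
# Added example (not LID-DS code): a toy re-implementation of the pipeline
# configured above, so its data flow can be run and inspected without the
# data set. Names are this example's own; all traces are constructed.
from collections import deque


def int_embedding(trace, table):
    """IntEmbedding role: map system call names to small integers, extending
    `table` for names never seen before. An unseen name gets a fresh integer,
    so any n-gram containing it is guaranteed to be a STIDE mismatch."""
    return [table.setdefault(name, len(table)) for name in trace]


def ngrams(ints, n):
    """Ngram role with thread_aware=False: sliding n-grams over one stream."""
    return [tuple(ints[i:i + n]) for i in range(len(ints) - n + 1)]


def stide_scores(grams, normal_grams):
    """Stide role: 0 for an n-gram seen in training, 1 for a mismatch."""
    return [0 if g in normal_grams else 1 for g in grams]


def stream_sum(scores, window_length, wait_until_full=True):
    """StreamSum role: sum of the last `window_length` scores; with
    wait_until_full the first window_length-1 positions yield no value."""
    window = deque(maxlen=window_length)
    out = []
    for s in scores:
        window.append(s)
        if wait_until_full and len(window) < window_length:
            continue
        out.append(sum(window))
    return out


class ToyStideIds:
    """Plays the part of the IDS object: train, determine_threshold, detect."""

    def __init__(self, ngram_length=3, window_length=5):
        self.n = ngram_length
        self.window_length = window_length
        self.table = {}        # syscall name -> int
        self.normal = set()    # n-grams seen in training
        self.threshold = None

    def _scores(self, trace):
        grams = ngrams(int_embedding(trace, self.table), self.n)
        return stream_sum(stide_scores(grams, self.normal), self.window_length)

    def train(self, traces):
        for t in traces:
            self.normal.update(ngrams(int_embedding(t, self.table), self.n))

    def determine_threshold(self, validation_traces):
        """MaxScoreThreshold role (assumed rule): the largest windowed score
        seen on validation data becomes the threshold."""
        self.threshold = max(max(self._scores(t), default=0) for t in validation_traces)
        return self.threshold

    def detect(self, trace):
        """Alarm if any windowed score exceeds the threshold; returns (alarm, peak score)."""
        peak = max(self._scores(trace), default=0)
        return peak > self.threshold, peak


# Constructed traces (closing system calls of a toy web server, not LID-DS data)
DYNAMIC = ["accept", "read", "open", "read", "close", "write", "close"]
CACHED = ["accept", "read", "write", "close"]
TRAINING = [DYNAMIC * 5, CACHED * 5]
# validation: one benign variant (an extra stat) that the training data never showed
VALIDATION = [DYNAMIC + ["accept", "read", "stat", "open", "read", "close", "write", "close"] + DYNAMIC]
NORMAL_TEST = CACHED * 3
# attack: the request handler spawns a shell (execve/fork/dup2) mid-request
ATTACK_TEST = DYNAMIC + ["read", "execve", "fork", "dup2", "dup2", "execve", "write", "close"] + DYNAMIC


def run_example():
    ids = ToyStideIds(ngram_length=3, window_length=5)
    ids.train(TRAINING)
    threshold = ids.determine_threshold(VALIDATION)  # 3: the stat variant costs three mismatched 3-grams
    return threshold, ids.detect(NORMAL_TEST), ids.detect(ATTACK_TEST)


if __name__ == "__main__":
    print(run_example())  # (3, (False, 0), (True, 5))
```

Two points the toy makes visible. The threshold must come from validation data, not training data: STIDE scores every training n-gram 0, so a threshold learned there would be 0 and every benign variation (the `stat` above) would raise an alarm; the validation pass lifts it to 3, and the shell spawn still clears it with 8 consecutive mismatches summing to 5 in one window. And because `wait_until_full` is set, a trace yields no windowed score until `window_length + ngram_length - 1` system calls have arrived; with the page's 7-grams and window of 100, a recording with fewer than 106 closing system calls produces no score at all and can never alarm, which is worth checking when a scenario contains very short recordings.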

The intrusion detection is done; now we can print the results:

```python
    ### Print results
    results = ids.performance.get_result()
    pprint(results)
```

Using the above configuration should lead to the following result (consecutive false alarms, CFA, are described in the paper "Improving Host-based Intrusion Detection Using Thread Information", International Symposium on Emerging Information Security and Applications (EISA), 2021):

```python
{'consecutive_false_positives_exploits': 0,      # number of CFA from files with exploits
 'consecutive_false_positives_normal': 5,        # number of CFA from files without exploits
 'correct_alarm_count': 119,                     # number of files with exploit and marked as intrusion
 'detection_rate': 1.0,
 'exploit_count': 119,
 'f1_cfa': 0.9794238683127572,                   # f1 score based on consecutive alarms
 'false_negatives': 13746,
 'false_positives': 466,
 'precision_with_cfa': 0.9596774193548387,       # precision using consecutive alarms
 'precision_with_syscalls': 0.20341880341880342, # precision using system calls
 'recall': 1.0,
 'true_negatives': 847527,
 'true_positives': 201535}
```