Analysis of e-mail attachment signatures for potential use by intrusion detection systems
Today, an Intrusion Detection System (IDS) is almost a necessity. The effectiveness of an IDS depends on the number of parameters it can monitor to report malicious activity. Current Intrusion Detection Systems monitor packet headers only.

This thesis investigates the possibility of monitoring network packet data as one of the parameters for an IDS. This is done by finding a pattern in each type of payload; this pattern might then be related to the application to which it belongs. Based on this pattern, an attempt is made to determine whether there is a difference between packets generated by different applications.

This investigation limits the classification to packets generated by e-mail attachments. The frequency of characters in packet data is used to generate a pattern, and this frequency count is restricted to the Base64 alphabet. Based on these patterns, certain e-mail attachments can be related to the source type of the attached file.
An Automatically Tuning Intrusion Detection System
An intrusion detection system (IDS) is a security layer used to detect ongoing intrusive activities in information systems. Traditionally, intrusion detection relies on extensive knowledge of security experts, in particular on their familiarity with the computer system to be protected. To reduce this dependence, various data-mining and machine learning techniques have been deployed for intrusion detection. An IDS usually works in a dynamically changing environment, which forces continuous tuning of the intrusion detection model in order to maintain sufficient performance. The manual tuning process required by current systems depends on the system operators to work out the tuning solution and to integrate it into the detection model. In this paper, an automatically tuning IDS (ATIDS) is presented. The proposed system automatically tunes the detection model on the fly according to the feedback provided by the system operator when false predictions are encountered. The system is evaluated using the KDDCup'99 intrusion detection dataset. Experimental results show that the system achieves up to 35% improvement in terms of misclassification cost when compared with a system lacking the tuning feature. If only 10% of false predictions are used to tune the model, the system still achieves about 30% improvement. Moreover, when tuning is not delayed too long, the system can achieve about 20% improvement with only 1.3% of the false predictions used to tune the model. The results of the experiments show that a practical system can be built based on ATIDS: system operators can focus on verification of predictions with low confidence, as only those predictions determined to be false will be used to tune the detection model.
An Architecture for a Network Traffic Anomaly Detection System Based on Entropy Analysis
With the steady increase in reliance on computer networks in all aspects of life, computers and other connected devices have become more vulnerable to attacks, which exposes them to many major threats, especially in recent years. There are different systems to protect networks from these threats, such as firewalls, antivirus programs, and data encryption, but it is still hard to provide complete protection for networks and their systems from attacks, which become increasingly sophisticated with time. That is why intrusion detection systems (IDS) need to be used on a large scale as a second line of defense for computer and network systems, alongside other network security techniques. The main objective of intrusion detection systems is to monitor network traffic and detect internal and external attacks.

Intrusion detection systems represent an important focus of studies today, because most protection systems, no matter how good they are, can fail due to the emergence of new (unknown or not predefined) types of intrusions. Most of the existing techniques detect network intrusions by collecting information about known types of attacks (so-called signature-based IDS) and using it to recognize any attempt to attack data or resources. The major problem of this approach is its inability to detect previously unknown attacks, even if these attacks deviate only slightly from known ones (the so-called zero-day attack). It is also powerless to detect encryption-related attacks. On the other hand, detecting deviations from conventional behavior (anomaly-based IDS) overcomes the abovementioned limitations. Many scientific studies have tended to build modern and smart systems to detect both known and unknown intrusions. In this research, an architecture that applies a new technique for IDS using an anomaly-based detection method based on entropy is introduced.

Network behavior analysis relies on profiling legitimate network behavior in order to efficiently detect anomalous traffic deviations that indicate security threats. Entropy-based detection techniques are attractive due to their simplicity and applicability to real-time network traffic, with no need to train the system with labelled data. Although the NetFlow protocol provides only a basic set of information about network communications, it is very useful for identifying zero-day attacks and suspicious behavior in traffic structure. Nevertheless, the challenge of combining limited NetFlow information with the simplicity of the entropy-based approach is to provide an efficient and sensitive mechanism that detects a wide range of anomalies, including those of small intensity.

However, a recent study of generic entropy-based anomaly detection reports its vulnerability to deception: an attacker can introduce spoofed data to mask the abnormality. Furthermore, the majority of approaches for further classification of anomalies rely on machine learning, which brings additional complexity.

The shortcomings and limitations of these approaches highlighted above open up a space for the exploration of new techniques and methodologies for the detection of anomalies in network traffic in order to isolate security threats, which is the main subject of the research in this thesis.
This research addresses all these issues by providing a systematic methodology whose main novelty is anomaly detection and classification based on the entropy of flow-count and behavior features extracted from the basic data obtained via the NetFlow protocol.

Two new approaches are proposed to solve these concerns. Firstly, an effective protection mechanism against entropy deception is derived from the study of changes in several entropy types, such as Shannon, Rényi, and Tsallis entropies, as well as from the measurement of the number of distinct elements in a feature distribution as a new detection metric. The suggested method improves the reliability of entropy approaches.

Secondly, an anomaly classification technique is introduced into the existing entropy-based anomaly detection system. Entropy-based anomaly classification methods are presented and confirmed by tests based on a multivariate analysis of the entropy changes of several features as well as on aggregation by complex feature combinations.

Through an analysis of the most prominent security attacks, generalized network traffic behavior models were developed to describe various communication patterns. Based on a multivariate analysis of the entropy changes caused by anomalies in each of the modelled classes, anomaly classification rules were proposed and verified through experiments. The concept of behavior features is generalized, while the proposed data partitioning provides greater efficiency in real-time anomaly detection. The practicality of the proposed architecture for implementing an effective anomaly detection and classification system in a general real-world network environment is demonstrated using experimental data.
A Modular Multiple Classifier System for the Detection of Intrusions in Computer Networks
Abstract. The security of computer networks plays a strategic role in modern computer systems. In order to enforce high protection levels against threats, a number of software tools have been developed. Intrusion Detection Systems aim at detecting intruders who elude "first line" protection. In this paper, a pattern recognition approach to network intrusion detection based on the fusion of multiple classifiers is proposed. In particular, a modular Multiple Classifier architecture is designed, where each module detects intrusions against one of the services offered by the protected network. Each Multiple Classifier System fuses the information coming from different feature representations of the patterns of network traffic. The potential of classifier fusion for the development of effective intrusion detection systems is evaluated and discussed.