Performance Metrics for Network Intrusion Systems

Intrusion systems have been the subject of considerable research during the past 33 years, since the original work of Anderson. Much has been published attempting to improve their performance using advanced data processing techniques including neural nets, statistical pattern recognition and genetic algorithms. Whilst some significant improvements have been achieved they are often the result of assumptions that are difficult to justify and comparing performance between different research groups is difficult. The thesis develops a new approach to defining performance focussed on comparing intrusion systems and technologies. A new taxonomy is proposed in which the type of output and the data scale over which an intrusion system operates is used for classification. The inconsistencies and inadequacies of existing definitions of detection are examined and five new intrusion levels are proposed from analogy with other detection-based technologies. These levels are known as detection, recognition, identification, confirmation and prosecution, each representing an increase in the information output from, and functionality of, the intrusion system. These levels are contrasted over four physical data scales, from application/host through to enterprise networks, introducing and developing the concept of a footprint as a pictorial representation of the scope of an intrusion system. An intrusion is now defined as “an activity that leads to the violation of the security policy of a computer system”. Five different intrusion technologies are illustrated using the footprint with current challenges also shown to stimulate further research. Integrity in the presence of mixed trust data streams at the highest intrusion level is identified as particularly challenging. Two metrics new to intrusion systems are defined to quantify performance and further aid comparison. Sensitivity is introduced to define basic detectability of an attack in terms of a single parameter, rather than the usual four currently in use. Selectivity is used to describe the ability of an intrusion system to discriminate between attack types. These metrics are quantified experimentally for network intrusion using the DARPA 1999 dataset and SNORT. Only nine of the 58 attack types present were detected with sensitivities in excess of 12dB indicating that detection performance of the attack types present in this dataset remains a challenge. The measured selectivity was also poor indicting that only three of the attack types could be confidently distinguished. The highest value of selectivity was 3.52, significantly lower than the theoretical limit of 5.83 for the evaluated system. Options for improving selectivity and sensitivity through additional measurements are examined.Stochastic Systems Lt

Recommendation of a security architecture for data loss prevention

Data and people are the most important assets of any organization. The amount of information that is generated increases exponentially due to the number of new devices that create information. On the other hand, more and more organizations are covered by some type of regulation, such as the General Data Protection Regulation. Organizations implement several security controls, however, they do not focus on protecting the information itself and information leakage is a reality and a growing concern. Based on this problem, there is a need to protect confidential information, such as clinical data, personal information, among others. In this regard, data loss prevention solutions (DLP – Data Loss Prevention) that have the ability to identify, monitor and act on data considered confidential, whether at the endpoint, data repositories or in the network, should be part of the information security strategy of organizations in order to mitigate these risks. This dissertation will study the topic of data loss prevention and evaluate several existing solutions in order to identify the key components of this type of solutions. The contribution of this work will be the recommendation of a security architecture that mitigates the risk of information leakage and that can be easily adaptable to any DLP solution to be implemented by organizations. In order to prove the efficiency of the architecture, it was implemented and tested to mitigate the risk of information leakage in specific proposed scenarios.A informação e as pessoas são os ativos mais importantes de qualquer organização. A quantidade de informação que é gerada aumenta exponencialmente devido à quantidade de novos dispositivos que produzem informação. Por outro lado, cada vez mais organizações são abrangidas por algum tipo de regulamento, como o Regulamento Geral de Proteção de Dados. As organizações implementam vários controlos de segurança, no entanto, não se focam na proteção da informação em si e a fuga da informação é uma realidade e uma preocupação crescente. Com base neste problema, existe a necessidade de proteger a informação confidencial, como dados clínicos, informação pessoal, entre outros. Neste sentido, as soluções de prevenção da fuga de informação (DLP – Data Loss Prevention) que têm a capacidade de identificar, monitorizar e atuar em dados considerados confidenciais, seja ao nível do endpoint, repositório de dados ou na rede, devem fazer parte da estratégia da segurança da informação das organizações por forma a mitigar estes riscos. Esta dissertação vai analisar a temática da prevenção da fuga de informação e avaliar várias soluções existentes com o propósito de identificar as componentes chave deste tipo de soluções. A principal contribuição deste trabalho será a recomendação de uma arquitetura de segurança que mitigue o risco da fuga da informação e que poderá ser facilmente adaptável a qualquer solução de DLP a ser implementada pelas organizações. Por forma a comprovar a eficiência da arquitetura, a mesma foi implementada e testada para mitigar o risco de fuga da informação em cenários específicos que foram definidos

Overview of the Course in “Wireless and Mobile Security”

This paper provides an overview of “Wireless and Mobile Security” course. The course offers practical study of security issues and features concerning wireless security. The program of the course effciently interleaves systematic theoretical knowledge and practical work. The theoretical part of the course includes basic information about the architecture of wireless networks, as well as available in this area to modern standards and protection mechanisms built into the equipment for wireless networks. It is also proposed an effective method for integrating a wireless network with the existing network infrastructure, taking into account all aspects of security. More than 50 percent of teaching time is devoted to practical work on the protection of wireless networks. During the course skills to work with software NetStumbler, Kismet, AirSnort, Aircrack, and other monitoring wireless and network tools will be acquired. Particular attention is paid to the use of the most common tools of audit wireless networks, both commercial, and open source. In conclusion, a comprehensive approach to wireless security will be offered for each wireless technology

Self-Learning Algorithms for Intrusion Detection and Prevention Systems (IDPS)

Today, there is an increased risk to data privacy and information security due to cyberattacks that compromise data reliability and accessibility. New machine learning models are needed to detect and prevent these cyberattacks. One application of these models is cybersecurity threat detection and prevention systems that can create a baseline of a network\u27s traffic patterns to detect anomalies without needing pre-labeled data; thus, enabling the identification of abnormal network events as threats. This research explored algorithms that can help automate anomaly detection on an enterprise network using Canadian Institute for Cybersecurity data. This study demonstrates that Neural Networks with Bayesian linear functions as hidden layers display autonomous learning capabilities and are a highly accurate anomaly detection method that can be implemented in cyberattack detection and intrusion prevention with low incidence of false positives

Smart Intrusion Detection System for DMZ

Prediction of network attacks and machine understandable security vulnerabilities are complex tasks for current available Intrusion Detection System [IDS]. IDS software is important for an enterprise network. It logs security information occurred in the network. In addition, IDSs are useful in recognizing malicious hack attempts, and protecting it without the need for change to client‟s software. Several researches in the field of machine learning have been applied to make these IDSs better a d smarter. In our work, we propose approach for making IDSs more analytical, using semantic technology. We made a useful semantic connection between IDSs and National Vulnerability Databases [NVDs], to make the system semantically analyzed each attack logged, so it can perform prediction about incoming attacks or services that might be in danger. We built our ontology skeleton based on standard network security. Furthermore, we added useful classes and relations that are specific for DMZ network services. In addition, we made an option to mallow the user to update the ontology skeleton automatically according to the network needs. Our work is evaluated and validated using four different methods: we presented a prototype that works over the web. Also, we applied KDDCup99 dataset to the prototype. Furthermore,we modeled our system using queuing model, and simulated it using Anylogic simulator. Validating the system using KDDCup99 benchmark shows good results law false positive attacks prediction. Modeling the system in a queuing model allows us to predict the behavior of the system in a multi-users system for heavy network traffic

Security Enhanced Applications for Information Systems

Every day, more users access services and electronically transmit information which is usually disseminated over insecure networks and processed by websites and databases, which lack proper security protection mechanisms and tools. This may have an impact on both the users’ trust as well as the reputation of the system’s stakeholders. Designing and implementing security enhanced systems is of vital importance. Therefore, this book aims to present a number of innovative security enhanced applications. It is titled “Security Enhanced Applications for Information Systems” and includes 11 chapters. This book is a quality guide for teaching purposes as well as for young researchers since it presents leading innovative contributions on security enhanced applications on various Information Systems. It involves cases based on the standalone, network and Cloud environments