A machine learning approach with verification of predictions and assisted supervision for a rule-based network intrusion detection system
Network security is a branch of network management in which network intrusion detection systems provide attack detection by monitoring traffic data. Rule-based misuse detection systems use a set of rules or signatures to detect attacks that exploit a particular vulnerability. These rules have to be hand-coded by experts to properly identify vulnerabilities, which leaves misuse detection systems with limited extensibility. This paper proposes a machine learning layer on top of a rule-based misuse detection system that provides automatic generation of detection rules, prediction verification and assisted classification of new data. Our system offers good overall performance while adding a heuristic and adaptive approach to existing rule-based misuse detection systems.
A Machine-Synesthetic Approach To DDoS Network Attack Detection
In the authors' opinion, anomaly detection systems (ADS) seem to be the most promising direction in the field of attack detection, because these systems can detect, among others, unknown (zero-day) attacks. To detect anomalies, the authors propose to use machine synesthesia. Here, machine synesthesia is understood as an interface that allows image classification algorithms to be applied to the problem of detecting network anomalies, making it possible to use non-specialized image detection methods that have recently been widely and actively developed. In the proposed approach, the network traffic data is "projected" into an image. The experimental results show that the proposed anomaly detection method achieves high attack detection performance. On a large sample, the value of the complex efficiency indicator reaches 97%.
Comment: 12 pages, 2 figures, 5 tables. Accepted to the Intelligent Systems Conference (IntelliSys) 201
Detection of Security and Dependability Threats: A Belief Based Reasoning Approach
Monitoring the preservation of security and dependability (S&D) properties during the operation of systems at runtime is an important verification measure that can increase system resilience. However, it does not always provide sufficient scope for taking control actions against violations, as it only detects problems after they occur. In this paper, we describe a proactive monitoring approach that detects potential violations of S&D properties, called "threats", and discuss the results of an initial evaluation of it.
Dynamic automata in Larva
As computer systems become larger and more sophisticated, they bring about an increased number of possible execution paths and environment configurations, which generally cannot be reliably catered for by testing due to its inherent lack of coverage. As such, many developers are turning to runtime software verification to provide higher system quality assurance, intercepting undiscovered bugs as they arise. However, sophisticated systems tend to involve large specification properties and thus pose a considerable overhead when the states of such properties are fully enumerated to perform runtime verification. The problem is even more intricate with infinite-state properties, where enumeration is not possible. A solution to this issue is the use of on-the-fly state generation techniques, where the next state is dynamically computed at runtime. In this paper, we present dLarva — an extension of the Larva runtime verification tool supporting on-the-fly state-generating automata. This enables the definition of automata in a symbolic manner while also making it possible to traverse infinite-state properties. To demonstrate the possibilities of dLarva, we provide an implementation of dLarva that accepts properties expressed as regular expressions, which are dynamically evaluated at runtime using derivatives. This implementation is used as the basis for a simple rule-based intrusion detection system for the AnomicFTPD FTP server.
peer-reviewed
A Survey: Intrusion Detection System for Vehicular Ad-Hoc Networks (VANETs)
In recent years, the security issues of Vehicular Ad Hoc Networks (VANETs) have become one of the primary concerns. VANETs have attracted both the research and the industrial community due to their benefits in facilitating human life and enhancing security and comfort. However, such networks face various issues, such as information security, routing reliability, and the dynamic high mobility of vehicles that influences the stability of communication. Furthermore, VANETs are vulnerable to attacks, which can directly lead to the corruption of networks and then possibly provoke big losses of time, money, and even lives. This paper presents a survey of VANET attacks and solutions, carefully considering similar works as well as adding new attacks and categorizing them into different classes.
Keywords: Intrusion Detection System
DOI: 10.7176/ISDE/11-4-02
Publication date: August 31st 202
Fuzzy Aided Application Layer Semantic Intrusion Detection System - FASIDS
The objective of this work is to develop a Fuzzy aided Application layer Semantic Intrusion Detection System (FASIDS) which works in the application layer of the network stack. FASIDS consists of a semantic IDS and a fuzzy-based IDS. A rule-based IDS looks for specific patterns that are defined as malicious. A non-intrusive regular pattern can be malicious if it occurs several times within a short time interval. To detect such malicious activities, FASIDS is proposed in this paper. At the application layer, the header and payload of HTTP traffic are analyzed for possible intrusion. In the proposed misuse detection module, the semantic intrusion detection system works on the basis of rules that define various application layer misuses found in the network. An attack identified by the IDS is based on a corresponding rule in the rule base. An event that does not make a 'hit' on the rule base is passed to a Fuzzy Intrusion Detection System (FIDS) for further analysis.
Comment: 18 Pages, IJNS
Applications of Artificial Intelligence in IT security
The objective of this work is to explore the intrusion detection problem and create simple rules for detecting specific intrusions. The intrusions are explored in the realistic CSE-CIC-IDS2018 dataset. First, the dataset is analyzed by computing appropriate statistics and visualizing the data. In the data visualization, various dimensionality reduction methods are tested. After analyzing the dataset, the data are normalized and prepared for training. The training process focuses on feature selection and finding the best model for the intrusion detection problem. The feature selection is also used for creating rules. The rules are extracted from an ensemble of decision trees. At the end of this work, the rules are compared to the best model. The experiments demonstrate that the simple rules are able to achieve results similar to the best model and can be used in a rule-based intrusion detection system or be deployed as a simple model.
The aim of this thesis is to explore the problem of detecting attacks on computer systems and to create simple rules that are able to detect individual attacks. The attacks are studied on the realistic CSE-CIC-IDS2018 dataset. First, the thesis analyzes the dataset. In the analysis, various statistics of the dataset are computed and, finally, various dimensionality reduction methods are tested for displaying the data in two-dimensional space. The analysis is followed by data preparation and normalization. The training process then focuses on selecting suitable features and finding the best model. The same features are then also used to create rules. The rules are extracted from an ensemble of decision trees. At the end of the thesis, the rules are compared with the best model. Experiments show that the simple rules are able to achieve results similar to the best model. They can be used in rule-based intrusion detection systems or deployed as a simple model.
Department of Theoretical Computer Science and Mathematical Logic, Faculty of Mathematics and Physics
From Monitoring Templates to Security Monitoring and Threat Detection
This paper presents our pattern-based approach to run-time requirements monitoring and threat detection, developed as part of an approach to building frameworks that support the construction of secure and dependable systems for ambient intelligence. Our pattern infrastructure is based on templates. From templates we generate event-calculus formulas expressing security requirements to be monitored at run-time. From these theories we generate attack signatures describing threats or possible attacks on the system. At run-time, we evaluate the likelihood of threats from run-time observations using a probabilistic model based on Bayesian networks.
Multi-step scenario matching based on unification
This paper presents an approach to multi-step scenario specification and matching, which aims to address some of the issues and problems inherent in scenario specification and event correlation found in most previous work. Our approach builds upon the unification algorithm, which we have adapted to provide a seamless, integrated mechanism and framework to handle event matching, filtering, and correlation. Scenario specifications using our framework need to contain only a definition of the misuse activity to be matched. This characteristic differentiates our work from most previous work, which generally requires scenario specifications to also include additional information on how to detect the misuse activity. In this paper we present a prototype implementation that demonstrates the effectiveness of the unification-based approach and our scenario specification framework. We also evaluate the practical usability of the approach.