38,987 research outputs found
Multi-paradigm frameworks for scalable intrusion detection
Research in network security and intrusion detection systems (IDSs) has typically focused on small or artificial data sets. Tools are developed that work well on these data sets but have trouble meeting the demands of real-world, large-scale network environments. In addressing this problem, improvements must be made to the foundations of intrusion detection systems, including data management, IDS accuracy and alert volume;We address data management of network security and intrusion detection information by presenting a database mediator system that provides single query access via a domain specific query language. Results are returned in the form of XML using web services, allowing analysts to access information from remote networks in a uniform manner. The system also provides scalable data capture of log data for multi-terabyte datasets;Next, we address IDS alert accuracy by building an agent-based framework that utilizes web services to make the system easy to deploy and capable of spanning network boundaries. Agents in the framework process IDS alerts managed by a central alert broker. The broker can define processing hierarchies by assigning dependencies on agents to achieve scalability. The framework can also be used for the task of event correlation, or gathering information relevant to an IDS alert;Lastly, we address alert volume by presenting an approach to alert correlation that is IDS independent. Using correlated events gathered in our agent framework, we build a feature vector for each IDS alert representing the network traffic profile of the internal host at the time of the alert. This feature vector is used as a statistical fingerprint in a clustering algorithm that groups related alerts. We analyze our results with a combination of domain expert evaluation and feature selection
Intrusion detection and response model for mobile ad hoc networks.
This dissertation presents a research whose objective is to design and develop an intrusion detection and response model for Mobile Ad hoc NETworks (MANET). Mobile ad hoc networks are infrastructure-free, pervasive and ubiquitous in nature, without any centralized authority. These unique MANET characteristics present several changes to secure them. The proposed security model is called the Intrusion Detection and Response for Mobile Ad hoc Networks (IDRMAN). The goal of the proposed model is to provide a security framework that will detect various attacks and take appropriate measures to control the attack automatically. This model is based on identifying critical system parameters of a MANET that are affected by various types of attacks, and continuously monitoring the values of these parameters to detect and respond to attacks. This dissertation explains the design and development of the detection framework and the response framework of the IDRMAN. The main aspects of the detection framework are data mining using CART to identify attack sensitive network parameters from the wealth of raw network data, statistical processing using six sigma to identify the thresholds for the attack sensitive parameters and quantification of the MANET node state through a measure called the Threat Index (TI) using fuzzy logic methodology. The main aspects of the response framework are intruder identification and intruder isolation through response action plans. The effectiveness of the detection and response framework is mathematically analyzed using probability techniques. The detection framework is also evaluated by performance comparison experiments with related models, and through performance evaluation experiments from scalability perspective. Performance metrics used for assessing the detection aspect of the proposed model are detection rate and false positive rate at different node mobility speed. Performance evaluation experiments for scalability are with respect to the size of the MANET, where more and more mobile nodes are added into the MANET at varied mobility speed. The results of both the mathematical analysis and the performance evaluation experiments demonstrate that the IDRMAN model is an effective and viable security model for MANET
Impregnable Defence Architecture using Dynamic Correlation-based Graded Intrusion Detection System for Cloud
Data security and privacy are perennial concerns related to cloud migration, whether it is about applications, business or customers. In this paper, novel security architecture for the cloud environment designed with intrusion detection and prevention system (IDPS) components as a graded multi-tier defense framework. It is a defensive formation of collaborative IDPS components with dynamically revolving alert data placed in multiple tiers of virtual local area networks (VLANs). The model has two significant contributions for impregnable protection, one is to reduce alert generation delay by dynamic correlation and the second is to support the supervised learning of malware detection through system call analysis. The defence formation facilitates malware detection with linear support vector machine- stochastic gradient descent (SVM-SGD) statistical algorithm. It requires little computational effort to counter the distributed, co-ordinated attacks efficiently. The framework design, then, takes distributed port scan attack as an example for assessing the efficiency in terms of reduction in alert generation delay, the number of false positives and learning time through comparison with existing techniques is discussed
INTRUSION PREDICTION SYSTEM FOR CLOUD COMPUTING AND NETWORK BASED SYSTEMS
Cloud computing offers cost effective computational and storage services with on-demand scalable capacities according to the customersā needs. These properties encourage organisations and individuals to migrate from classical computing to cloud computing from different disciplines. Although cloud computing is a trendy technology that opens the horizons for many businesses, it is a new paradigm that exploits already existing computing technologies in new framework rather than being a novel technology. This means that cloud computing inherited classical computing problems that are still challenging. Cloud computing security is considered one of the major problems, which require strong security systems to protect the system, and the valuable data stored and processed in it. Intrusion detection systems are one of the important security components and defence layer that detect cyber-attacks and malicious activities in cloud and non-cloud environments. However, there are some limitations such as attacks were detected at the time that the damage of the attack was already done. In recent years, cyber-attacks have increased rapidly in volume and diversity. In 2013, for example, over 552 million customersā identities and crucial information were revealed through data breaches worldwide [3]. These growing threats are further demonstrated in the 50,000 daily attacks on the London Stock Exchange [4]. It has been predicted that the economic impact of cyber-attacks will cost the global economy $3 trillion on aggregate by 2020 [5]. This thesis focused on proposing an Intrusion Prediction System that is capable of sensing an attack before it happens in cloud or non-cloud environments. The proposed solution is based on assessing the host system vulnerabilities and monitoring the network traffic for attacks preparations. It has three main modules. The monitoring module observes the network for any intrusion preparations. This thesis proposes a new dynamic-selective statistical algorithm for detecting scan activities, which is part of reconnaissance that represents an essential step in network attack preparation. The proposed method performs a statistical selective analysis for network traffic searching for an attack or intrusion indications. This is achieved by exploring and applying different statistical and probabilistic methods that deal with scan detection. The second module of the prediction system is vulnerabilities assessment that evaluates the weaknesses and faults of the system and measures the probability of the system to fall victim to cyber-attack. Finally, the third module is the prediction module that combines the output of the two modules and performs risk assessments of the system security from intrusions prediction. The results of the conducted experiments showed that the suggested system outperforms the analogous methods in regards to performance of network scan detection, which means accordingly a significant improvement to the security of the targeted system. The scanning detection algorithm has achieved high detection accuracy with 0% false negative and 50% false positive. In term of performance, the detection algorithm consumed only 23% of the data needed for analysis compared to the best performed rival detection method
Statistical analysis driven optimized deep learning system for intrusion detection
Attackers have developed ever more sophisticated and intelligent ways to hack
information and communication technology systems. The extent of damage an
individual hacker can carry out upon infiltrating a system is well understood.
A potentially catastrophic scenario can be envisaged where a nation-state
intercepting encrypted financial data gets hacked. Thus, intelligent
cybersecurity systems have become inevitably important for improved protection
against malicious threats. However, as malware attacks continue to dramatically
increase in volume and complexity, it has become ever more challenging for
traditional analytic tools to detect and mitigate threat. Furthermore, a huge
amount of data produced by large networks has made the recognition task even
more complicated and challenging. In this work, we propose an innovative
statistical analysis driven optimized deep learning system for intrusion
detection. The proposed intrusion detection system (IDS) extracts optimized and
more correlated features using big data visualization and statistical analysis
methods (human-in-the-loop), followed by a deep autoencoder for potential
threat detection. Specifically, a pre-processing module eliminates the outliers
and converts categorical variables into one-hot-encoded vectors. The feature
extraction module discard features with null values and selects the most
significant features as input to the deep autoencoder model (trained in a
greedy-wise manner). The NSL-KDD dataset from the Canadian Institute for
Cybersecurity is used as a benchmark to evaluate the feasibility and
effectiveness of the proposed architecture. Simulation results demonstrate the
potential of our proposed system and its outperformance as compared to existing
state-of-the-art methods and recently published novel approaches. Ongoing work
includes further optimization and real-time evaluation of our proposed IDS.Comment: To appear in the 9th International Conference on Brain Inspired
Cognitive Systems (BICS 2018
Threshold Verification Technique for Network Intrusion Detection System
Internet has played a vital role in this modern world, the possibilities and
opportunities offered are limitless. Despite all the hype, Internet services
are liable to intrusion attack that could tamper the confidentiality and
integrity of important information. An attack started with gathering the
information of the attack target, this gathering of information activity can be
done as either fast or slow attack. The defensive measure network administrator
can take to overcome this liability is by introducing Intrusion Detection
Systems (IDSs) in their network. IDS have the capabilities to analyze the
network traffic and recognize incoming and on-going intrusion. Unfortunately
the combination of both modules in real time network traffic slowed down the
detection process. In real time network, early detection of fast attack can
prevent any further attack and reduce the unauthorized access on the targeted
machine. The suitable set of feature selection and the correct threshold value,
add an extra advantage for IDS to detect anomalies in the network. Therefore
this paper discusses a new technique for selecting static threshold value from
a minimum standard features in detecting fast attack from the victim
perspective. In order to increase the confidence of the threshold value the
result is verified using Statistical Process Control (SPC). The implementation
of this approach shows that the threshold selected is suitable for identifying
the fast attack in real time.Comment: 8 Pages, International Journal of Computer Science and Information
Securit
TSE-IDS: A Two-Stage Classifier Ensemble for Intelligent Anomaly-based Intrusion Detection System
Intrusion detection systems (IDS) play a pivotal role in computer security by discovering and repealing malicious activities in computer networks. Anomaly-based IDS, in particular, rely on classification models trained using historical data to discover such malicious activities. In this paper, an improved IDS based on hybrid feature selection and two-level classifier ensembles is proposed. An hybrid feature selection technique comprising three methods, i.e. particle swarm optimization, ant colony algorithm, and genetic algorithm, is utilized to reduce the feature size of the training datasets (NSL-KDD and UNSW-NB15 are considered in this paper). Features are selected based on the classification performance of a reduced error pruning tree (REPT) classifier. Then, a two-level classifier ensembles based on two meta learners, i.e., rotation forest and bagging, is proposed. On the NSL-KDD dataset, the proposed classifier shows 85.8% accuracy, 86.8% sensitivity, and 88.0% detection rate, which remarkably outperform other classification techniques recently proposed in the literature. Results regarding the UNSW-NB15 dataset also improve the ones achieved by several state of the art techniques. Finally, to verify the results, a two-step statistical significance test is conducted. This is not usually considered by IDS research thus far and, therefore, adds value to the experimental results achieved by the proposed classifier
- ā¦