16 research outputs found

    A Critical Analysis of Payload Anomaly-Based Intrusion Detection Systems

    Examining payload content is an important aspect of network security, particularly in today's volatile computing environment. An Intrusion Detection System (IDS) that simply analyzes packet header information cannot adequately secure a network from malicious attacks. The alternative is to perform deep-packet analysis using n-gram language parsing and neural network technology. Self Organizing Map (SOM), PAYL over Self-Organizing Maps for Intrusion Detection (POSEIDON), Anomalous Payload-based Network Intrusion Detection (PAYL), and Anagram are next-generation unsupervised payload anomaly-based IDSs. This study examines the efficacy of each system using the design-science research methodology. A collection of quantitative data and qualitative features exposes their strengths and weaknesses.

    Neural visualization of network traffic data for intrusion detection

    This study introduces and describes a novel intrusion detection system (IDS) called MOVCIDS (mobile visualization connectionist IDS). This system applies neural projection architectures to detect anomalous situations taking place in a computer network. By its advanced visualization facilities, the proposed IDS allows providing an overview of the network traffic as well as identifying anomalous situations tackled by computer networks, responding to the challenges presented by volume, dynamics and diversity of the traffic, including novel (0-day) attacks. MOVCIDS provides a novel point of view in the field of IDSs by enabling the most interesting projections (based on the fourth order statistics; the kurtosis index) of a massive traffic dataset to be extracted. These projections are then depicted through a functional and mobile visualization interface, providing visual information of the internal structure of the traffic data. The interface makes MOVCIDS accessible from any mobile device to give more accessibility to network administrators, enabling continuous visualization, monitoring and supervision of computer networks. Additionally, a novel testing technique has been developed to evaluate MOVCIDS and other IDSs employing numerical datasets. To show the performance and validate the proposed IDS, it has been tested in different real domains containing several attacks and anomalous situations. In addition, the importance of the temporal dimension on intrusion detection, and the ability of this IDS to process it, are emphasized in this work. Junta de Castilla and Leon project BU006A08, Business intelligence for production within the framework of the Instituto Tecnologico de Castilla y Leon (ITCL) and the Agencia de Desarrollo Empresarial (ADE), and the Spanish Ministry of Education and Innovation project CIT-020000-2008-2. The authors would also like to thank the vehicle interior manufacturer, Grupo Antolin Ingenieria S.A., within the framework of the project MAGNO2008-1028-CENIT Project funded by the Spanish Government.

    Self-organizing maps in computer security


    Network Monitoring Traffic Compression Using Singular Value Decomposition

    With increasing magnitude of computer network activity, the ability to monitor all network traffic is becoming strained. The need to represent large amounts of data in smaller forms is essential to continued growth of network monitoring tools and network administrators' capabilities. Network monitoring captures many different measurements of the data flowing through the network. This thesis introduces a new method of sending network traffic monitoring data that reduces the overall volume of data from the traditional method of packet capture. By populating a matrix with specific data values in a sparse format, this experiment reduces the data using singular value decomposition (SVD) compression. Matrices were populated using network monitoring datasets from 1996 Information Exploration Shootout (IES). The data populated into the matrices was varied along time frame and data field to determine if the SVD compression algorithm reduced the quantity of original data values. Results indicated that the quantity of data varies dependent on the volume of the data field chosen. The matrix population method was based on port values to allow combining values within the matrix cells. The results trended to a successful reduction of data if the time frame is increased significantly.

    Survey of Intrusion Detection Research

    The literature holds a great deal of research in the intrusion detection area. Much of this describes the design and implementation of specific intrusion detection systems. While the main focus has been the study of different detection algorithms and methods, there are a number of other issues that are of equal importance to make these systems function well in practice. I believe that the reason that the commercial market does not use many of the ideas described is that there are still too many unresolved issues. This survey focuses on presenting the different issues that must be addressed to build fully functional and practically usable intrusion detection systems (IDSs). It points out the state of the art in each area and suggests important open research issues

    Application of GHSOM (Growing Hierarchical Self-Organizing Maps) to Intrusion Detection Systems (IDS)

    Over the years, in the field of computer security, the intrusion problem has grown day by day, increasing the number of programs that seek to affect computers both locally and across an entire network. This dynamic leads to understanding attacks and the best way to counter them, whether by preventing them or detecting them in time, so that their impact is smaller than the attacker expected. This article presents a review of attacks on computer systems, delving into Intrusion Detection Systems (IDS) and the implementation of data clustering techniques, such as neural networks, in order to find methods with high accuracy in anomaly detection. This proposal presents the application of GHSOM to IDS, using the NSL-KDD dataset, and shows the improvements found in attack detection in the search process.

    Application of GHSOM (Growing Hierarchical Self-Organizing Maps) to Intrusion Detection Systems (IDS)

    As time passes by, in the field of computer security, intrusion problems grow every day, increasing the existence of programs that seek to affect computers both locally and across a network. This dynamic has led to an imminent need of understanding the attacks and finding the best way to counteract them either by preventing them or by detecting them on time, diminishing the impact expected by the attacker. This article presents a review of attacks on computer systems, delving into the Intrusion Detection System (IDS) and the implementation of data clustering techniques like neural networks in order to find high accuracy methods for anomaly detection. This proposal presents GHSOM for IDS using the NSL-KDD dataset, and illustrates attack detection improvement in the search process.