NeuDetect: A neural network data mining system for wireless network intrusion detection

This thesis proposes an Intrusion Detection System, NeuDetect, which applies Neural Network technique to wireless network packets captured through hardware sensors for purposes of real time detection of anomalous packets. To address the problem of high false alarm rate confronted by the current wireless intrusion detection systems, this thesis presents a method of applying the artificial neural networks technique to the wireless network intrusion detection system. The proposed system solution approach is to find normal and anomalous patterns on preprocessed wireless packet records by comparing them with training data using Back-propagation algorithm. An anomaly score is assigned to each packet by calculating the difference between the output error and threshold. If the anomaly score is positive then the wireless packet is flagged as anomalous and is negative then the packet is flagged as normal. If the anomaly score is zero or close to zero it will be flagged as an unknown attack and will be sent back to training process for re-evaluation

Performance Comparison of Support Vector Machine, Random Forest, and Extreme Learning Machine for Intrusion Detection

Intrusion detection is a fundamental part of security tools, such as adaptive security appliances, intrusion detection systems, intrusion prevention systems, and firewalls. Various intrusion detection techniques are used, but their performance is an issue. Intrusion detection performance depends on accuracy, which needs to improve to decrease false alarms and to increase the detection rate. To resolve concerns on performance, multilayer perceptron, support vector machine (SVM), and other techniques have been used in recent work. Such techniques indicate limitations and are not efficient for use in large data sets, such as system and network data. The intrusion detection system is used in analyzing huge traffic data; thus, an efficient classification technique is necessary to overcome the issue. This problem is considered in this paper. Well-known machine learning techniques, namely, SVM, random forest, and extreme learning machine (ELM) are applied. These techniques are well-known because of their capability in classification. The NSL–knowledge discovery and data mining data set is used, which is considered a benchmark in the evaluation of intrusion detection mechanisms. The results indicate that ELM outperforms other approaches

Minimization of DDoS false alarm rate in Network Security; Refining fusion through correlation

Intrusion Detection Systems are designed to monitor a network environment and generate alerts whenever abnormal activities are detected. However, the number of these alerts can be very large making their evaluation a difficult task for a security analyst. Alert management techniques reduce alert volume significantly and potentially improve detection performance of an Intrusion Detection System. This thesis work presents a framework to improve the effectiveness and efficiency of an Intrusion Detection System by significantly reducing the false positive alerts and increasing the ability to spot an actual intrusion for Distributed Denial of Service attacks. Proposed sensor fusion technique addresses the issues relating the optimality of decision-making through correlation in multiple sensors framework. The fusion process is based on combining belief through Dempster Shafer rule of combination along with associating belief with each type of alert and combining them by using Subjective Logic based on Jøsang theory. Moreover, the reliability factor for any Intrusion Detection System is also addressed accordingly in order to minimize the chance of false diagnose of the final network state. A considerable number of simulations are conducted in order to determine the optimal performance of the proposed prototype

Intrusion Alerts Analysis Using Attack Graphs and Clustering

Network and information security is very crucial in keeping large information infrastructures safe and secure. Many researchers have been working on different issues to strengthen and measure security of a network. An important problem is to model security in order to apply analysis schemes efficiently to that model. An attack graph is a tool to model security of a network which considers individual vulnerabilities in a global view where individual hosts are interconnected. The analysis of intrusion alert information is very important for security evaluation of the system. Because of the huge number of alerts raised by intrusion detection systems, it becomes difficult for security experts to analyze individual alerts. Researchers have worked to address this problem by clustering individual alerts based on similarity in their features such as source IP address, destination IP address, port numbers and others. In this paper, a different method for clustering intrusion alerts is proposed. Sequences of intrusion alerts are prepared by dividing all alerts according to specified time interval. The alert sequences are considered as temporal attack graphs. The sequences are clustered using graph clustering technique, which considers similarity in sequences as a factor to determine closeness of sequences. The suggested approach combines the concept of attack graphs and clustering on sequences of alerts using graph clustering technique

Intrusion Detection System using Bayesian Network Modeling

Computer Network Security has become a critical and important issue due to ever increasing cyber-crimes. Cybercrimes are spanning from simple piracy crimes to information theft in international terrorism. Defence security agencies and other militarily related organizations are highly concerned about the confidentiality and access control of the stored data. Therefore, it is really important to investigate on Intrusion Detection System (IDS) to detect and prevent cybercrimes to protect these systems. This research proposes a novel distributed IDS to detect and prevent attacks such as denial service, probes, user to root and remote to user attacks. In this work, we propose an IDS based on Bayesian network classification modelling technique. Bayesian networks are popular for adaptive learning, modelling diversity network traffic data for meaningful classification details. The proposed model has an anomaly based IDS with an adaptive learning process. Therefore, Bayesian networks have been applied to build a robust and accurate IDS. The proposed IDS has been evaluated against the KDD DAPRA dataset which was designed for network IDS evaluation. The research methodology consists of four different Bayesian networks as classification models, where each of these classifier models are interconnected and communicated to predict on incoming network traffic data. Each designed Bayesian network model is capable of detecting a major category of attack such as denial of service (DoS). However, all four Bayesian networks work together to pass the information of the classification model to calibrate the IDS system. The proposed IDS shows the ability of detecting novel attacks by continuing learning with different datasets. The testing dataset constructed by sampling the original KDD dataset to contain balance number of attacks and normal connections. The experiments show that the proposed system is effective in detecting attacks in the test dataset and is highly accurate in detecting all major attacks recorded in DARPA dataset. The proposed IDS consists with a promising approach for anomaly based intrusion detection in distributed systems. Furthermore, the practical implementation of the proposed IDS system can be utilized to train and detect attacks in live network traffi

An Online Anomaly-Detection Neural Networks-based Clustering for Adaptive Intrusion Detection Systems

In the evolving nature of today’s world of network security, threats have become more and more sophisticated. Although different security solutions such as firewalls and antivirus software have been deployed to protect systems, external attackers are still capable of intruding into computer networks. This is where intrusion detection systems come into play as an additional security layer. Despite the large volume of research conducted in the field of intrusion detection, finding a perfect solution of intrusion detection systems for critical applications is still a major challenge. This is mainly due to the continuous emergence of security threats which can bypass the outdated intrusion detection systems. The main objective of this thesis is to propose an adaptive design of intrusion detection systems which offers the capability of detecting known and novel attacks and being updated according to new trends of data patterns provided by security experts in a cost-effective manner. The proposed intrusion detection system uses an anomaly-based technique and is constructed on the basis of Extreme Learning Machine method which is a variant of neural networks. In this work, two novel approaches are also proposed to enhance the speed of partial updates for the learning model according to new information fed into the system. The performance of the proposed intrusion detection system is evaluated as a network-based solution using NSL-KDD data set. The evaluation results indicate that the system provides an average detection rate of 81 % while having a false positive rate of 3 % in detecting known and novel attacks. In addition, the obtained results show that the system is capable of adapting to the new input information and data injected into the system by a human security expert

An efficient intrusion detection model based on hybridization of artificial bee colony and dragonfly algorithms for training multilayer perceptrons

One of the most persistent challenges concerning network security is to build a model capable of detecting intrusions in network systems. The issue has been extensively addressed in uncountable researches and using various techniques, of which a commonly used technique is that based on detecting intrusions in contrast to normal network traffic and the classification of network packets as either normal or abnormal. However, the problem of improving the accuracy and efficiency of classification models remains open and yet to be resolved. This study proposes a new binary classification model for intrusion detection, based on hybridization of Artificial Bee Colony algorithm (ABC) and Dragonfly algorithm (DA) for training an artificial neural network (ANN) in order to increase the classification accuracy rate for malicious and non-malicious traffic in networks. At first the model selects the suitable biases and weights utilizing a hybrid (ABC) and (DA). Next, the neural network is retrained using these ideal values in order for the intrusion detection model to be able to recognize new attacks. Ten other metaheuristic algorithms were adapted to train the neural network and their performances were compared with that of the proposed model. In addition, four types of intrusion detection evaluation datasets were applied to evaluate the proposed model in comparison to the others. The results of our experiments have demonstrated a significant improvement in inefficient network intrusion detection over other classification methods

Comparative study between signature-based and anomaly-based network intrusion detection system (SBNIDS and ABNIDS)

The rise in numbers of network intrusion is related to the growth and importance of the Internet in our daily live. I order to provide protection to organizations information / data, Intrusion Detection System (IDS) plays an important role in Network security. Signaturebased intrusion detection focus on matching attack signature with the already stored signature in the database, it generates an alert if the incoming packets signature matches with the one in the database. Signature-based is vulnerable against newly emerging attacks, because the signature is not yet stored in the database, this leave this detection technique with the problem of false negative rate. On the other hand, Anomaly-based detection techniques which is a behaviour techniques, detects the abnormal behaviour in a computer systems and networks. The deviation of packets from normal behaviour is considered as attack. This leaves this technique with the problem of false positive rate. In this proposed project we will be making a comparative study of Signature-based and Anomaly-based IDS in order to select suitable comparison parameters between different approach in network intrusion detection, to evaluate suitable software/system for deploying Signature-based and Anomaly-based detection and to conduct experimental study to evaluate the differences in selected parameters in different approach in network intrusion detection. This project will provide a comparative analysis result between SBNIDS and ABNIDS after the evaluation study using DARPA dataset and we will be able to select a suitable techniques in the area of performance, efficiency in data size and non-functional parameters like CPU and Memory usage, which the result proposed that ABNIDS is better than SBNIDS and the conclusion was based on the evaluated parameters

Improving Intrusion Detection System Based on Snort Rules for Network Probe Attacks Detection with Association Rules Technique of Data Mining

The intrusion detection system (IDS) is an important network security tool for securing computer and network systems. It is able to detect and monitor network traffic data. Snort IDS is an open-source network security tool. It can search and match rules with network traffic data in order to detect attacks, and generate an alert. However, the Snort IDS  can detect only known attacks. Therefore, we have proposed a procedure for improving Snort IDS rules, based on the association rules data mining technique for detection of network probe attacks.  We employed the MIT-DARPA 1999 data set for the experimental evaluation. Since behavior pattern traffic data are both normal and abnormal, the abnormal behavior data is detected by way of the Snort IDS. The experimental results showed that the proposed Snort IDS rules, based on data mining detection of network probe attacks, proved more efficient than the original Snort IDS rules, as well as icmp.rules and icmp-info.rules of Snort IDS.  The suitable parameters for the proposed Snort IDS rules are defined as follows: Min_sup set to 10%, and Min_conf set to 100%, and through the application of eight variable attributes. As more suitable parameters are applied, higher accuracy is achieved