34 research outputs found

    Poseidon: a 2-tier Anomaly-based Intrusion Detection System

    We present Poseidon, a new anomaly based intrusion detection system. Poseidon is payload-based, and presents a two-tier architecture: the first stage consists of a Self-Organizing Map, while the second one is a modified PAYL system. Our benchmarks on the 1999 DARPA data set show a higher detection rate and lower number of false positives than PAYL and PHAD

    Poseidon: a 2-tier Anomaly-based Network Intrusion Detection System

    We present Poseidon, a new anomaly based intrusion detection system. Poseidon is payload-based, and presents a two-tier architecture: the first stage consists of a Self-Organizing Map, while the second one is a modified PAYL system. Our benchmarks on the 1999 DARPA data set show a higher detection rate and lower number of false positives than PAYL and PHAD

    Intrusion and Anomaly Detection Model Exchange for Mobile Ad-Hoc Networks

    Mobile Ad-hoc NETworks (MANETs) pose unique security requirements and challenges due to their reliance on open, peer-to-peer models that often don't require authentication between nodes. Additionally, the limited processing power and battery life of the devices used in a MANET also prevent the adoption of heavy-duty cryptographic techniques. While traditional misuse-based Intrusion Detection Systems (IDSes) may work in a MANET, watching for packet dropouts or unknown outsiders is difficult as both occur frequently in both malicious and non-malicious traffic. Anomaly detection approaches hold out more promise, as they utilize learning techniques to adapt to the wireless environment and flag malicious data. The anomaly detection model can also create device behavior profiles, which peers can utilize to help determine its trustworthiness. However, computing the anomaly model itself is a time-consuming and processor-heavy task. To avoid this, we propose the use of model exchange as a device moves between different networks as a means to minimize computation and traffic utilization. Any node should be able to obtain peers' model(s) and evaluate it against its own model of "normal" behavior. We present this model, discuss scenarios in which it may be used, and provide preliminary results and a framework for future implementation

    Sublinear Space Algorithms for the Longest Common Substring Problem

    Given $m$ documents of total length $n$, we consider the problem of finding a longest string common to at least $d \geq 2$ of the documents. This problem is known as the \emph{longest common substring (LCS) problem} and has a classic $O(n)$ space and $O(n)$ time solution (Weiner [FOCS'73], Hui [CPM'92]). However, the use of linear space is impractical in many applications. In this paper we show that for any trade-off parameter $1 \leq \tau \leq n$, the LCS problem can be solved in $O(\tau)$ space and $O(n^2/\tau)$ time, thus providing the first smooth deterministic time-space trade-off from constant to linear space. The result uses a new and very simple algorithm, which computes a $\tau$-additive approximation to the LCS in $O(n^2/\tau)$ time and $O(1)$ space. We also show a time-space trade-off lower bound for deterministic branching programs, which implies that any deterministic RAM algorithm solving the LCS problem on documents from a sufficiently large alphabet in $O(\tau)$ space must use $\Omega(n\sqrt{\log(n/(\tau\log n))/\log\log(n/(\tau\log n))})$ time. Comment: Accepted to the 22nd European Symposium on Algorithms

    Data Sanitization: Improving the Forensic Utility of Anomaly Detection Systems

    Anomaly Detection (AD) sensors have become an invaluable tool for forensic analysis and intrusion detection. Unfortunately, the detection performance of all learning-based ADs depends heavily on the quality of the training data. In this paper, we extend the training phase of an AD to include a sanitization phase. This phase significantly improves the quality of unlabeled training data by making them as "attack-free" as possible in the absence of absolute ground truth. Our approach is agnostic to the underlying AD, boosting its performance based solely on training-data sanitization. Our approach is to generate multiple AD models for content-based AD sensors trained on small slices of the training data. These AD "micro-models" are used to test the training data, producing alerts for each training input. We employ voting techniques to determine which of these training items are likely attacks. Our preliminary results show that sanitization increases 0-day attack detection while in most cases reducing the false positive rate. We analyze the performance gains when we deploy sanitized versus unsanitized AD systems in combination with expensive host-based attack-detection systems. Finally, we show that our system incurs only an initial modest cost, which can be amortized over time during online operation

    Distributed Early Worm Detection Based on Payload Histograms

    Paper included in the KAKENHI (Grants-in-Aid for Scientific Research) report (project number: 18300017 / principal investigator: Yoshiaki Nemoto / A method for tracing back unauthorized access based on the similarity of feature values of communication data sequences)

    A CRYPTOGRAPHIC PRIMITIVE TO PREVENT AN INVADER FROM CREATING DODGING ATTACKS

    The Keyed Intrusion Detection System (KIDS) is an application-layer network anomaly detection system that extracts several features from the payload. The essential idea behind KIDS for blocking evasion attacks is to introduce the notion of a key: a secret element that determines how the classification features are extracted from the payload. Our focus is on recovering the key entirely through efficient procedures, demonstrating that the classification process leaks information about the key which can be leveraged by an adversary. In our work we evaluate the strength of KIDS against key-recovery attacks. We show that recovering the key is particularly simple when the attacker can interact with KIDS and obtain feedback about probing requests

    A KEY IRREGULARITY UNCOVERING SYSTEM -KEY-REVIVAL THRASHES

    The Keyed Intrusion Detection System is an application-layer network anomaly detection architecture that extracts various features from the payload. The basis of the Keyed Intrusion Detection System for hindering evasion attacks is to incorporate the notion of a key, a secret factor that determines the extraction of classification features from the payload. Our focus is on recovering the key entirely through efficient procedures, showing that the classification procedure leaks information about it that can be leveraged by an attacker. In our work, we analyze the strength of the Keyed Intrusion Detection System against key-recovery attacks. We show that recovering the key is especially straightforward when the attacker can interact with the Keyed Intrusion Detection System and obtain feedback on probing requests

    ATLANTIDES: An Architecture for Alert Verification in Network Intrusion Detection Systems

    We present an architecture designed for alert verification (i.e., to reduce false positives) in network intrusion-detection systems. Our technique is based on a systematic (and automatic) anomaly-based analysis of the system output, which provides useful context information regarding the network services. The false positives raised by the NIDS analyzing the incoming traffic (which can be either signature- or anomaly-based) are reduced by correlating them with the output anomalies. We designed our architecture for TCP-based network services which have a client/server architecture (such as HTTP). Benchmarks show a substantial reduction of false positives between 50% and 100%

    Exploiting n-gram location for intrusion detection

    Signature-based and protocol-based intrusion detection systems (IDS) are employed as means to reveal content-based network attacks. Such systems have proven to be effective in identifying known intrusion attempts and exploits, but they fail to recognize new types of attacks or carefully crafted variants of well-known ones. This paper presents the design and the development of an anomaly-based IDS technique which is able to detect content-based attacks carried out over application-level protocols, like HTTP and FTP. In order to identify anomalous packets, the payload is split up into chunks of equal length and the n-gram technique is used to learn which byte sequences usually appear in each chunk. The devised technique builds a different model for each pair and uses them to classify the incoming traffic. Models are built by means of a semi-supervised approach. Experimental results show that the technique achieves an excellent accuracy with a very low false positive rate