1,866 research outputs found

    Recent patents on computational intelligence

    Statistical methods used for intrusion detection

    Thesis (Master)--Izmir Institute of Technology, Computer Engineering, Izmir, 2006. Includes bibliographical references (leaves: 58-64). Text in English; Abstract: Turkish and English. x, 71 leaves. Computer networks are being attacked every day. Intrusion detection systems are used to detect and reduce the effects of these attacks. Signature-based intrusion detection systems can only identify known attacks and are ineffective against novel and unknown attacks. Intrusion detection using anomaly detection aims to detect unknown attacks, and there exist algorithms developed for this goal. In this study, the performance of five anomaly detection algorithms and a signature-based intrusion detection system is demonstrated on synthetic and real data sets. A portion of the attacks are detected using Snort and SPADE algorithms. PHAD and other algorithms could not detect a considerable portion of the attacks in tests due to the lack of sufficiently long training data.

    A specification-based IDS for detecting attacks on RPL-based network topology

    Routing Protocol for Low-Power and Lossy Networks (RPL) topology attacks can downgrade the network performance significantly by disrupting the optimal protocol structure. To detect such threats, we propose an RPL-specification, obtained by a semi-auto profiling technique that constructs a high-level abstract of operations through network simulation traces, to use as a reference for verifying the node behaviors. This specification, including all the legitimate protocol states and transitions with corresponding statistics, will be implemented as a set of rules in the intrusion detection agents, in the form of the cluster heads propagated to monitor the whole network. In order to save resources, we set the cluster members to report related information about themselves and other neighbors to the cluster head instead of making the head overhear all the communication. As a result, information about a cluster member will be reported by different neighbors, which allows the cluster head to do a cross-check. We propose to record the sequence in RPL Information Object (DIO) and Information Solicitation (DIS) messages to eliminate the synchronized issue created by the delay in transmitting the report, in which the cluster head only does a cross-check on information that comes from sources with the same sequence. Simulation results show that the proposed Intrusion Detection System (IDS) has a high accuracy rate in detecting RPL topology attacks, while only creating insignificant overhead (about 6.3%) that enables its scalability in large-scale networks.

    Prevention of Malicious Transactions in Database Management Systems

    Database Management Systems are a key component in the information infrastructure of most organizations nowadays, so the security of DBMS has become more crucial. Several mechanisms needed to protect data, such as authentication, user privileges, encryption, and auditing, have been implemented in commercial DBMS. But still there are some ways through which systems may be affected by malicious transactions. Our definition of a malicious transaction is a transaction which the user is not authorized to perform. Even the sequence of the operations in the transaction is not to be violated. Existing intrusion detection systems use logs to detect malicious transactions. Logs are the histories of the transactions committed in the database. The disadvantage of using logs is that they require a lot of memory. In addition to this, sometimes even after a transaction is detected as malicious it cannot be rolled back. In this thesis we present a method by which we can overcome the use of logs and can detect malicious transactions before they are committed. We use counting bloom filters to store the sequence of commands in a transaction and use a prevention model for instant detection of malicious transactions. Simulation was carried out for a single user providing a sequence of queries, varying the size of the CBF from 1 to 15 and the no. of hashing functions from 1 to 15. It was concluded that by choosing the optimal value of the size of the CBF and the number of hashing functions, the detector can be made to prevent a malicious transaction with a probability of almost 99.85%.