    CLASSIFYING AND RESPONDING TO NETWORK INTRUSIONS

    Intrusion detection systems (IDS) have been widely adopted within the IT community as passive monitoring tools that report security-related problems to system administrators. However, the increasing number and evolving complexity of attacks, along with the growth and complexity of networking infrastructures, have led to overwhelming numbers of IDS alerts, which leave a significantly smaller timeframe for a human to respond. The need for automated response is therefore very much evident. However, the adoption of such approaches has been constrained by practical limitations and administrators' consequent mistrust of systems' abilities to issue appropriate responses. The thesis presents a thorough analysis of the problem of intrusions and identifies false alarms as the main obstacle to the adoption of automated response. A critical examination of existing automated response systems is provided, along with a discussion of why a new solution is needed. The thesis determines that, while detection capabilities remain imperfect, the problem of false alarms cannot be eliminated. Automated response technology must take this into account and instead focus upon avoiding the disruption of legitimate users and services in such scenarios. The overall aim of the research has therefore been to enhance the automated response process by considering the context of an attack, and to investigate and evaluate a means of making intelligent response decisions. The realisation of this objective has included the formulation of a response-oriented taxonomy of intrusions, which is used as a basis to systematically study intrusions and understand the threats detected by an IDS. From this foundation, a novel Flexible Automated and Intelligent Responder (FAIR) architecture has been designed as the basis from which flexible and escalating levels of response are offered, according to the context of an attack.
    The thesis describes the design and operation of the architecture, focusing upon the contextual factors influencing the response process and the way they are measured and assessed to formulate response decisions. The architecture is underpinned by the use of response policies, which provide a means to reflect the changing needs and characteristics of organisations. The main concepts of the new architecture were validated via a proof-of-concept prototype system. A series of test scenarios were used to demonstrate how the context of an attack can influence the response decisions, and how the response policies can be customised and used to enable intelligent decisions. This helped to prove that the concept of flexible automated response is indeed viable, and that the research has provided a suitable contribution to knowledge in this important domain.

    Applications of Machine Learning to Threat Intelligence, Intrusion Detection and Malware

    Artificial Intelligence (AI) and Machine Learning (ML) are emerging technologies with applications to many fields. This paper is a survey of use cases of ML for threat intelligence, intrusion detection, and malware analysis and detection. Threat intelligence, especially attack attribution, can benefit from the use of ML classification. False positives from rule-based intrusion detection systems can be reduced with the use of ML models. Malware analysis and classification can be made easier by developing ML frameworks to distill similarities between the malicious programs. Adversarial machine learning will also be discussed, because while ML can be used to solve problems or reduce analyst workload, it also introduces new attack surfaces.

    Classifying Network Intrusions: A Comparison of Data Mining Methods

    Network intrusion is an increasingly serious problem experienced by many organizations. In this increasingly hostile environment, networks must be able to detect whether a connection attempt is legitimate or not. The ever-changing nature of these attacks makes them difficult to detect. One solution is to use various data mining methods to determine if the network is being attacked. This paper compares the performance of two data mining methods, a standard artificial neural network (ANN) and an ANN guided by a genetic algorithm (GA), in classifying network connections as normal or attack. Using connection data drawn from a simulated US Air Force local area network, each method was used to construct a predictive model. The models were then applied to validation data and the results were compared. The ANN guided by GA (90.67% correct classification) significantly outperformed the standard ANN (81.75% correct classification), indicating the superiority of the GA-based ANN.

    ANOMALY NETWORK INTRUSION DETECTION SYSTEM BASED ON DISTRIBUTED TIME-DELAY NEURAL NETWORK (DTDNN)

    In this research, a hierarchical off-line anomaly network intrusion detection system based on a Distributed Time-Delay Artificial Neural Network is introduced. This research aims to solve a hierarchical multi-class problem in which the type of attack (DoS, U2R, R2L and Probe attack) is detected by a dynamic neural network. The results indicate that dynamic neural nets (Distributed Time-Delay Artificial Neural Network) can achieve a high detection rate, where the average overall classification accuracy is equal to 97.24%.

    Breach of Faith: A Lack of Policy for Responding to Data Breaches and What the Government Should Do About It

    One data breach in the summer of 2015 against the United States government cost taxpayers more than $350 million. Since 2005, the U.S. government has lost more than 183 million personnel records and countless files containing sensitive information. Despite all of this, the government has failed to create a policy for responding to data breaches. As proof of a lack of any clear policy, this Note analyzes two recent breaches against the government and explains how the responses, or lack thereof, are at opposite ends of the response continuum. This Note creates a policy for government response to data breaches. This policy analyzes the factors surrounding the breach, including the actor who perpetrated the breach, the information stolen, and the potential uses for that information. This Note then lays out a continuum of potential responses, from doing nothing to kinetic action. Lastly, this Note creates a decision matrix that assigns responses to breaches based on the factors of the breach. The result is a policy shell that allows government decision makers to respond to breaches in a way that instills confidence in the American public and deters potential hackers.

    Design of Hybrid Network Anomalies Detection System (H-NADS) Using IP Gray Space Analysis

    In network security, a major issue is securing a public or private network from abnormal users. This is because each network is made up of users, services and computers with a specific behavior, which is also called a heterogeneous system. To detect abnormal users, an anomaly detection system (ADS) is used. In this paper, we present a novel, hybrid Anomaly Detection System that uses IP gray space analysis and dominant scanning port identification heuristics to detect various anomalous users with their potential behaviors. This methodology is a combination of statistical and rule-based anomaly detection which detects five types of anomalies with their three types of potential behaviors and generates respective alarm messages to a GUI.
    Keywords: Network Security, Anomaly Detection, Suspicious Behaviors Detection
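As an added illustration, and not code from the H-NADS paper, the following Python script combines the two heuristics the abstract names over a handful of constructed flow records: a source that contacts many addresses inside the monitored range that are allocated but have no live host (the IP gray space) is flagged, and the destination port that dominates its gray-space traffic is reported as the scanning port. The monitored prefix, the live-host list, the thresholds and the flow records are all assumptions made for the example; a real deployment would derive the live-host set from an asset inventory or from observed responders.

```python
"""Gray-space scan detector (illustrative example, not the H-NADS implementation)."""
from collections import Counter, defaultdict
import ipaddress

# Assumed monitored prefix and the only hosts known to be live in it.
# Every other address in the prefix is treated as gray space: routed but unused,
# so legitimate clients have no reason to talk to it.
MONITORED = ipaddress.ip_network("10.0.0.0/24")
LIVE_HOSTS = {ipaddress.ip_address(a) for a in ("10.0.0.10", "10.0.0.20", "10.0.0.30")}

# Constructed flow records: (source address, destination address, destination port).
FLOWS = (
    # 192.0.2.7 sweeps eight unused addresses on 445, plus one probe on 22 and one live host.
    [("192.0.2.7", f"10.0.0.{i}", 445) for i in range(1, 9)]
    + [("192.0.2.7", "10.0.0.5", 22), ("192.0.2.7", "10.0.0.10", 445)]
    # 192.0.2.50 only talks to live servers: normal client traffic.
    + [("192.0.2.50", "10.0.0.10", 443)] * 3
    + [("192.0.2.50", "10.0.0.20", 80)]
    # 198.51.100.3 touches two gray addresses: below the alarm threshold.
    + [("198.51.100.3", "10.0.0.40", 3389), ("198.51.100.3", "10.0.0.41", 3389)]
)


def is_gray(dst: str) -> bool:
    """True if dst lies in the monitored prefix but is not a known live host."""
    addr = ipaddress.ip_address(dst)
    return addr in MONITORED and addr not in LIVE_HOSTS


def analyze(flows, min_gray_targets: int = 5, dominant_share: float = 0.7) -> dict:
    """Return one alarm per source that contacted at least min_gray_targets
    distinct gray-space addresses. The alarm carries the dominant destination
    port among that source's gray-space flows and its share of those flows;
    a share at or above dominant_share is reported as a horizontal scan on
    that port, anything lower as mixed-port probing."""
    gray_targets = defaultdict(set)      # src -> distinct gray addresses contacted
    gray_ports = defaultdict(Counter)    # src -> Counter of ports used against gray space

    for src, dst, dport in flows:
        if is_gray(dst):
            gray_targets[src].add(dst)
            gray_ports[src][dport] += 1

    alarms = {}
    for src, targets in gray_targets.items():
        if len(targets) < min_gray_targets:
            continue
        port, hits = gray_ports[src].most_common(1)[0]
        share = hits / sum(gray_ports[src].values())
        behaviour = (f"horizontal scan on port {port}"
                     if share >= dominant_share else "mixed-port probing")
        alarms[src] = {
            "gray_targets": len(targets),
            "dominant_port": port,
            "share": round(share, 2),
            "behaviour": behaviour,
        }
    return alarms


if __name__ == "__main__":
    for src, alarm in analyze(FLOWS).items():
        print(f"ALARM {src}: {alarm['behaviour']} "
              f"({alarm['gray_targets']} gray-space targets, port share {alarm['share']})")
```

Running the script flags only 192.0.2.7 (eight gray-space targets, port 445 carrying 8 of its 9 gray-space flows). The legitimate client never touches gray space and the two-address probe stays under the threshold, which is the point of the gray-space criterion: it costs nothing in false positives against hosts that only talk to real services, so the threshold can be kept low.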