An Artificial Immune System-Inspired Multiobjective Evolutionary Algorithm with Application to the Detection of Distributed Computer Network Intrusions

Today\u27s predominantly-employed signature-based intrusion detection systems are reactive in nature and storage-limited. Their operation depends upon catching an instance of an intrusion or virus after a potentially successful attack, performing post-mortem analysis on that instance and encoding it into a signature that is stored in its anomaly database. The time required to perform these tasks provides a window of vulnerability to DoD computer systems. Further, because of the current maximum size of an Internet Protocol-based message, the database would have to be able to maintain 25665535 possible signature combinations. In order to tighten this response cycle within storage constraints, this thesis presents an Artificial Immune System-inspired Multiobjective Evolutionary Algorithm intended to measure the vector of trade-off solutions among detectors with regard to two independent objectives: best classification fitness and optimal hypervolume size. Modeled in the spirit of the human biological immune system and intended to augment DoD network defense systems, our algorithm generates network traffic detectors that are dispersed throughout the network. These detectors promiscuously monitor network traffic for exact and variant abnormal system events, based on only the detector\u27s own data structure and the ID domain truth set, and respond heuristically. The application domain employed for testing was the MIT-DARPA 1999 intrusion detection data set, composed of 7.2 million packets of notional Air Force Base network traffic. Results show our proof-of-concept algorithm correctly classifies at best 86.48% of the normal and 99.9% of the abnormal events, attributed to a detector affinity threshold typically between 39-44%. Further, four of the 16 intrusion sequences were classified with a 0% false positive rate

Applicability of clustering to cyber intrusion detection

Maintaining cyber security is a complex task, utilizing many levels of network information along with an array of technology. Current practices for combating cyber attacks typically use Intrusion Detection Systems (IDSs) to passively detect and block multi-stage attacks. Because of the speed and force at which a new type of cyber attack can occur, automated detection and response is becoming an apparent necessity. Anomaly-based detection systems, such as statistical-based or clustering algorithms, attempt to address this by analyzing the relative differences in network and host activity. Signature-based IDS systems are typically more accurate for known attacks, but require time and resources for an analyst to update the signature database. This work hypothesizes that the latency from zero-day attack to signature creation can be shortened via anomaly-based algorithms. In particular, the summarizing ability of clustering is leveraged and examined in its applicability of signature creation. This work first investigates a modified density-based clustering algorithm as an IDS, with its strengths and weaknesses identified. Being able to separate malicious from normal activity, the modified algorithm is then applied in a supervised way to signature creation. Lessons learned from the supervised signature creation are then leveraged for the development of unsupervised real-time signature classification. Automating signature creation and classification via clustering turns out satisfactory but with limitations. Density supports for new signatures via clustering can be diluted and lead to misclassification

Online Adaboost-based parameterized methods for dynamic distributed network intrusion detection

Current network intrusion detection systems lack adaptability to the frequently changing network environments. Furthermore, intrusion detection in the new distributed archi- tectures is now a major requirement. In this paper, we propose two online Adaboost-based intrusion detection algorithms. In the first algorithm, a traditional online Adaboost process is used where decision stumps are used as weak classifiers. In the second algorithm, an improved online Adaboost process is proposed, and online Gaussian mixture models (GMMs) are used as weak classifiers. We further propose a distributed intrusion detection framework, in which a local parameterized detection model is constructed in each node using the online Adaboost algorithm. A global detection model is constructed in each node by combining the local parametric models using a small number of samples in the node. This combination is achieved using an algorithm based on particle swarm optimization (PSO) and support vector ma- chines. The global model in each node is used to detect intrusions. Experimental results show that the improved online Adaboost process with GMMs obtains a higher detection rate and a lower false alarm rate than the traditional online Adaboost process that uses decision stumps. Both the algorithms outperform existing intrusion detection algorithms. It is also shown that our PSO, and SVM-based algorithm effectively combines the local detection models into the global model in each node; the global model in a node can handle the intrusion types that are found in other nodes, without sharing the samples of these intrusion types

A Novel Intrusion Detection System for Detecting Black Hole Attacks in Wireless Sensor Network using AODV Protocol

Wireless Sensor Networks (WSN) has wide application in data gathering and data transmission as per the user’s requirement and it consist of number of nodes. These nodes have limited battery power, limited resources and limited computational power .Due to all these factors, WSN faces more security threats. Security issues are a vital problem to be solved in Wireless Sensor networks (WSNs). Different types of intrusion detection systems (IDS) are developed to make WSN more secure. In this paper the proposed IDS are based on watchdog monitoring technique and are able to detect Black Hole attacks using AODV (Ad- Hoc On-Demand Distance Vector) Protocol. Besides, the betterment that makes watchdog monitoring technique more reliable are described and the results of simulations of the IDS on NS-2 simulator are presented

Discovering anomalies in big data: a review focused on the application of metaheuristics and machine learning techniques

With the increase in available data from computer systems and their security threats, interest in anomaly detection has increased as well in recent years. The need to diagnose faults and cyberattacks has also focused scientific research on the automated classification of outliers in big data, as manual labeling is difficult in practice due to their huge volumes. The results obtained from data analysis can be used to generate alarms that anticipate anomalies and thus prevent system failures and attacks. Therefore, anomaly detection has the purpose of reducing maintenance costs as well as making decisions based on reports. During the last decade, the approaches proposed in the literature to classify unknown anomalies in log analysis, process analysis, and time series have been mainly based on machine learning and deep learning techniques. In this study, we provide an overview of current state-of-the-art methodologies, highlighting their advantages and disadvantages and the new challenges. In particular, we will see that there is no absolute best method, i.e., for any given dataset a different method may achieve the best result. Finally, we describe how the use of metaheuristics within machine learning algorithms makes it possible to have more robust and efficient tools