4 research outputs found
Clustering extension of MOVICAB-IDS to distinguish intrusions in flow-based data
Much effort has been devoted to research on intrusion detection (ID) in recent years because intrusion strategies and technologies are constantly and quickly evolving. As an innovative solution based on visualization, MObile VIsualisation Connectionist Agent-Based IDS was previously proposed, conceived as a hybrid-intelligent ID System. It was designed to analyse
continuous network data at a packet level and is extended in present paper for the analysis of flow-based traffic data. By
incorporating clustering techniques to the original proposal, network flows are investigated trying to identify different types
of attacks. The analysed real-life data (the well-known dataset from the University of Twente) come from a honeypot directly
connected to the Internet (thus ensuring attack-exposure) and is analysed by means of clustering and neural techniques, individually and in conjunction. Promising results are obtained, proving the validity of the proposed extension for the analysis
of network flow dat
Intrusion Detection With Unsupervised Techniques for Network Management Protocols Over Smart Grids
[Abstract] The present research work focuses on overcoming cybersecurity problems in the Smart Grid. Smart Grids must have feasible data capture and communications infrastructure to be able to manage the huge amounts of data coming from sensors. To ensure the proper operation of next-generation electricity grids, the captured data must be reliable and protected against vulnerabilities and possible attacks. The contribution of this paper to the state of the art lies in the identification of cyberattacks that produce anomalous behaviour in network management protocols. A novel neural projectionist technique (Beta Hebbian Learning, BHL) has been employed to get a general visual representation of the traffic of a network, making it possible to identify any abnormal behaviours and patterns, indicative of a cyberattack. This novel approach has been validated on 3 different datasets, demonstrating the ability of BHL to detect different types of attacks, more effectively than other state-of-the-art methods
Análisis y detección de ataques informáticos mediante sistemas inteligentes de reducción dimensional
Programa Oficial de Doutoramento en Enerxía e Propulsión Mariña. 5014P01[Resumen] El presente trabajo de investigación aborda el estudio y desarrollo de una metodología para la detección de ataques informáticos mediante el uso de sistemas y técnicas
inteligentes de reducción dimensional en el ámbito de la ciberseguridad. Con esta propuesta
se pretende dividir el problema en dos fases. La primera consiste en un reducción
dimensional del espacio de entrada original, proyectando los datos sobre un espacio de
salida de menor dimensión mediante transformaciones lineales y/o no lineales que permiten
obtener una mejor visualización de la estructura interna del conjunto de datos.
En la segunda fase se introduce el conocimiento de un experto humano que permite
aportar su conocimiento mediante el etiquetado de las muestras en base a las proyecciones
obtenidas y su experiencia sobre el problema. Esta novedosa propuesta pone
a disposición del usuario final una herramienta sencilla y proporciona unos resultados
intuitivos y fácilmente interpretables, permitiendo hacer frente a nuevas amenazas a las
que el usuario no se haya visto expuesto, obteniendo resultados altamente satisfactorios
en todos los casos reales en los que se ha aplicado.
El sistema desarrollado ha sido validado sobre tres supuestos reales diferentes, en
los que se ha avanzado en términos de conocimiento con un claro hilo conductor de
progreso positivo de la propuesta. En el primero de los casos se efectúa un análisis
de un conocido conjunto de datos de malware de Android en el que, mediante técnicas
clásicas de reducción dimensional, se efectúa una caracterización de las diversas
familias de malware. Para la segunda de las propuestas se trabaja sobre el mismo conjunto
de datos, pero en este caso se aplican técnicas más avanzadas e incipientes de
reducción dimensional y visualización, consiguiendo que los resultados se mejoren significativamente. En el último de los trabajos se aprovecha el conocimiento de los dos
trabajos previos, y se aplica a la detección de intrusión en sistemas informáticos sobre
datos de redes, en las que se producen ataques de diversa índole durante procesos de
funcionamiento normal de la red.[Abstract]
This research work addresses the study and development of a methodology for the
detection of computer attacks using intelligent systems and techniques for dimensional
reduction in the eld of cybersecurity. This proposal is intended to divide the problem
into two phases. The rst consists of a dimensional reduction of the original input space,
projecting the data onto a lower-dimensional output space using linear or non-linear
transformations that allow a better visualization of the internal structure of the dataset.
In the second phase, the experience of an human expert is presented, which makes it
possible to contribute his knowledge by labeling the samples based on the projections
obtained and his experience on the problem. This innovative proposal makes a simple
tool available to the end user and provides intuitive and easily interpretable results,
allowing to face new threats to which the user has not been exposed, obtaining highly
satisfactory results in all real cases in which has been applied.
The developed system has been validated on three di erent real case studies, in
which progress has been made in terms of knowledge with a clear guiding thread of
positive progress of the proposal. In the rst case, an analysis of a well-known Android
malware dataset is carried out, in which a characterization of the various families of
malware is developed using classical dimensional reduction techniques. For the second
of the proposals, it has been worked on the same data set, but in this case more advanced
and incipient techniques of dimensional reduction and visualization are applied,
achieving a signi cant improvement in the results. The last work takes advantage of the
knowledge of the two previous works, which is applied to the detection of intrusion in
computer systems on network dataset, in which attacks of di erent kinds occur during
normal network operation processes.[Resumo]
Este traballo de investigación aborda o estudo e desenvolvemento dunha metodoloxía
para a detección de ataques informáticos mediante o uso de sistemas e técnicas
intelixentes de reducción dimensional no ámbito da ciberseguridade. Esta proposta pretende
dividir o problema en dúas fases. A primeira consiste nunha redución dimensional
do espazo de entrada orixinal, proxectando os datos nun espazo de saída de
menor dimensionalidade mediante transformacións lineais ou non lineais que permitan
unha mellor visualización da estrutura interna do conxunto de datos. Na segunda fase,
introdúcese a experiencia dun experto humano, que lle permite achegar os seus coñecementos
etiquetando as mostras en función das proxeccións obtidas e da súa experiencia
sobre o problema. Esta proposta innovadora pon a disposición do usuario nal unha
ferramenta sinxela e proporciona resultados intuitivos e facilmente interpretables, que
permiten facer fronte a novas ameazas ás que o usuario non estivo exposto, obtendo
resultados altamente satisfactorios en todos os casos reais nos que se aplicou.
O sistema desenvolvido validouse sobre tres supostos reais diferentes, nos que se
avanzou en canto ao coñecemento cun claro fío condutor de avance positivo da proposta.
No primeiro caso, realízase unha análise dun coñecido conxunto de datos de malware
Android, no que se realiza unha caracterización das distintas familias de malware mediante
técnicas clásicas de reducción dimensional. Para a segunda das propostas trabállase
sobre o mesmo conxunto de datos, pero neste caso aplícanse técnicas máis avanzadas
e incipientes de reducción dimensional e visualización, conseguindo que os resultados se
melloren notablemente. O último dos traballos aproveita o coñecemento dos dous traballos
anteriores, e aplícase á detección de intrusos en sistemas informáticos en datos
da rede, nos que se producen ataques de diversa índole durante os procesos normais de
funcionamento da rede
Anomaly-based network intrusion detection enhancement by prediction threshold adaptation of binary classification models
Network traffic exhibits a high level of variability over short periods of time. This variability impacts negatively on the performance (accuracy) of anomaly-based network Intrusion Detection Systems (IDS) that are built using predictive models in a batch-learning setup. This thesis investigates how adapting the discriminating threshold of model predictions, specifically to the evaluated traffic, improves the detection rates of these Intrusion Detection models. Specifically, this thesis studied the adaptability features of three well known Machine Learning algorithms: C5.0, Random Forest, and Support Vector Machine. The ability of these algorithms to adapt their prediction thresholds was assessed and analysed under different scenarios that simulated real world settings using the prospective sampling approach. A new dataset (STA2018) was generated for this thesis and used for the analysis.
This thesis has demonstrated empirically the importance of threshold adaptation in improving the accuracy of detection models when training and evaluation (test) traffic have different statistical properties. Further investigation was undertaken to analyse the effects of feature selection and data balancing processes on a model’s accuracy when evaluation traffic with different significant features were used. The effects of threshold adaptation on reducing the accuracy degradation of these models was statistically analysed. The results showed that, of the three compared algorithms, Random Forest was the most adaptable and had the highest detection rates.
This thesis then extended the analysis to apply threshold adaptation on sampled traffic subsets, by using different sample sizes, sampling strategies and label error rates. This investigation showed the robustness of the Random Forest algorithm in identifying the best threshold. The Random Forest algorithm only needed a sample that was 0.05% of the original evaluation traffic to identify a discriminating threshold with an overall accuracy rate of nearly 90% of the optimal threshold."This research was supported and funded by the Government of the Sultanate of Oman represented by the Ministry of Higher Education and the Sultan Qaboos University." -- p. i