6 research outputs found

    Using the Pattern-of-Life in Networks to Improve the Effectiveness of Intrusion Detection Systems

    The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link. As the complexity of cyber-attacks keeps increasing, new and more robust detection mechanisms need to be developed. The next generation of Intrusion Detection Systems (IDSs) should be able to adapt their detection characteristics based not only on the measurable network traffic, but also on the available high-level information related to the protected network to improve their detection results. We make use of the Pattern-of-Life (PoL) of a network as the main source of high-level information, which is correlated with the time of the day and the usage of the network resources. We propose the use of a Fuzzy Cognitive Map (FCM) to incorporate the PoL into the detection process. The main aim of this work is to evidence the improved detection performance of an IDS using an FCM to leverage network-related contextual information. The results that we present verify that the proposed method improves the effectiveness of our IDS by reducing the total number of false alarms, providing an improvement of 9.68% when all the considered metrics are combined and a peak improvement of up to 35.64%, depending on the particular metric combination.

    A multi-layer data fusion system for Wi-Fi attack detection using automatic belief assignment

    Wireless networks are increasingly becoming susceptible to more sophisticated threats. An attacker may spoof the identity of legitimate users before implementing more serious attacks. Most of the current Intrusion Detection Systems (IDS) that employ a multi-layer approach to help towards mitigating network attacks offer a high detection accuracy rate and low numbers of false alarms. Dempster-Shafer theory has been used with the purpose of combining beliefs of different metric measurements across multiple layers. However, an important step to be investigated remains open; this is to find an automatic and self-adaptive process of Basic Probability Assignment (BPA). This paper describes a novel BPA methodology able to automatically adapt its detection capabilities to the current measured characteristics, with a lightweight process of generating a baseline profile of normal utilisation and without intervention from the IDS administrator. We have developed a multi-layer based application able to classify individual network frames as normal or malicious.

    An automatic and self-adaptive multi-layer data fusion system for WiFi attack detection

    Wireless networks are becoming susceptible to increasingly more sophisticated threats. Most of the current intrusion detection systems (IDSs) that employ multi-layer techniques for mitigating network attacks offer better performance than IDSs that employ a single-layer approach. However, few of the current multi-layer IDSs could be used off-the-shelf without prior thorough training with completely clean datasets or a fine-tuning period. Dempster-Shafer theory has been used with the purpose of combining beliefs of different metric measurements across multiple layers. However, an important step to be investigated remains open; this is to find an automatic and self-adaptive process of basic probability assignment (BPA). This paper describes a novel BPA methodology able to automatically adapt its detection capabilities to the current measured characteristics, without intervention from the IDS administrator. We have developed a multi-layer-based application able to classify individual network frames as normal or malicious with perfect detection accuracy. Copyright © 2013 Inderscience Enterprises Ltd.

    Using metrics from multiple layers to detect attacks in wireless networks

    The IEEE 802.11 networks are vulnerable to numerous wireless-specific attacks. Attackers can implement MAC address spoofing techniques to launch these attacks, while masquerading themselves behind a false MAC address. The implementation of Intrusion Detection Systems has become fundamental in the development of security infrastructures for wireless networks. This thesis proposes the design of a novel security system that makes use of metrics from multiple layers of observation to produce a collective decision on whether an attack is taking place. The Dempster-Shafer Theory of Evidence is the data fusion technique used to combine the evidences from the different layers. A novel, unsupervised and self-adaptive Basic Probability Assignment (BPA) approach able to automatically adapt its beliefs assignment to the current characteristics of the wireless network is proposed. This BPA approach is composed of three different and independent statistical techniques, which are capable of identifying the presence of attacks in real time. Despite the lightweight processing requirements, the proposed security system produces outstanding detection results, generating high intrusion detection accuracy and a very low number of false alarms. A thorough description of the generated results for all the considered datasets is presented in this thesis. The effectiveness of the proposed system is evaluated using different types of injection attacks. Regarding one of these attacks, to the best of the author's knowledge, the security system presented in this thesis is the first one able to efficiently identify the Airpwn attack.