
    CONDOR: A Hybrid IDS to Offer Improved Intrusion Detection

    Intrusion Detection Systems are an accepted and very useful option to monitor and detect malicious activities. However, Intrusion Detection Systems have inherent limitations which lead to false positives and false negatives; we propose that combining signature- and anomaly-based IDSs should be examined. This paper contrasts signature- and anomaly-based IDSs, and critiques some proposals about hybrid IDSs with signature and heuristic capabilities, before considering some of their contributions in order to include them as main features of a new hybrid IDS named CONDOR (COmbined Network intrusion Detection ORientate), which is designed to offer superior pattern analysis and anomaly detection by reducing false positive rates and administrator intervention.

    Unsupervised Anomaly Detection with Unlabeled Data Using Clustering

    Intrusions pose a serious security risk in a network environment. New intrusion types, of which detection systems are unaware, are the most difficult to detect. The amount of available network audit data instances is usually large; human labeling is tedious, time-consuming, and expensive. Traditional anomaly detection algorithms require a set of purely normal data from which they train their model. We present a clustering-based intrusion detection algorithm, unsupervised anomaly detection, which trains on unlabeled data in order to detect new intrusions. Our method is able to detect many different types of intrusions, while maintaining a low false positive rate as verified over the Knowledge Discovery and Data Mining (KDD CUP 1999) dataset.

    Data analytics for modeling and visualizing attack behaviors: A case study on SSH brute force attacks

    In this research, we explore a data analytics based approach for modeling and visualizing attack behaviors. To this end, we employ Self-Organizing Map and Association Rule Mining algorithms to analyze and interpret the behaviors of SSH brute force attacks and SSH normal traffic as a case study. The experimental results based on four different data sets show that the patterns extracted and interpreted from the SSH brute force attack data sets are similar to each other but significantly different from those extracted from the SSH normal traffic data sets. The analysis of the attack traffic provides insight into behavior modeling for brute force SSH attacks. Furthermore, this sheds light on how data analytics could help in modeling and visualizing attack behaviors in general in terms of data acquisition and feature extraction.

    A taxonomy framework for unsupervised outlier detection techniques for multi-type data sets

    The term "outlier" can generally be defined as an observation that is significantly different from the other values in a data set. Outliers may be instances of error or may indicate events. The task of outlier detection aims at identifying such outliers in order to improve the analysis of data and further discover interesting and useful knowledge about unusual events within numerous application domains. In this paper, we report on contemporary unsupervised outlier detection techniques for multiple types of data sets and provide a comprehensive taxonomy framework and two decision trees to select the most suitable technique based on the data set. Furthermore, we highlight the advantages, disadvantages and performance issues of each class of outlier detection techniques under this taxonomy framework.

    Intelligent Detection of Intrusion into Databases Using Extended Classifier System (XCS)

    With the increasing tendency of users toward distributed computer systems in comparison with concentrated systems, intrusion into such systems has emerged as a serious challenge. Since techniques of intrusion into systems are becoming intelligent, it seems necessary to use intelligent methods to counter them. The success of intrusion detection systems depends on the strategy employed in these systems for attack detection. Application of eXtended Classifier Systems (XCS) is proposed in this paper for detection of intrusions into databases. Extended classifier systems, which are known as one of the most successful types of learning agents, create a set of stochastic rules and complete them based on methods inspired by the human learning process. Thereby, they can gradually gain a comprehensive understanding of the environment under study, which enables them to predict the correct answer at an acceptable accuracy once confronted with new issues. The method suggested in this paper, an improved version of extended classifier systems, is "trained" using a set of existing examples in order to identify and avoid attempts to intrude into computer systems during the phases of application and encountering these attempts. The proposed method has been tested on several problems to demonstrate its performance, and its results indicate a 91% detection rate for various known intrusions into the databases.
    DOI: http://dx.doi.org/10.11591/ijece.v3i5.403