11 research outputs found

    A Performance Metrics Scorecard Based Approach to Intrusion Detection System Evaluation for Wireless Network

    Wireless Intrusion Detection System (IDS) performance metrics are used to measure the ability of a wireless IDS to perform a particular task and to fit within its performance constraints. These metrics measure and evaluate the parameters that impact the performance of a wireless IDS. Wireless IDS analyze wireless-specific traffic, including scanning for external users trying to connect to the network through access points, and play an important role in securing the wireless network. Design of a wireless IDS is a difficult task as wireless technology is advancing every day; performance metrics can play an important role in the design of an efficient wireless IDS by measuring the factors concerned with its performance. In this paper we provide a performance metrics scorecard based approach to evaluate intrusion detection systems that are currently popular for wireless networks in the commercial sector. We provide a set of performance metrics that are relevant to wireless IDS and use a “scorecard” containing the set of values as the centerpiece of testing and evaluating a wireless IDS. Evaluation of a wireless IDS is done by assigning scores to the various performance metrics concerned with wireless IDS. We apply our performance metrics scorecard evaluation based approach to three popular wireless IDS: Snort-wireless, AirDefense Guard, and Kismet. Finally we discuss the results and the opportunities for further work in this area.

    Hybrid Intrusion Detection System for DDoS Attacks

    Distributed denial-of-service (DDoS) attacks are one of the major threats and possibly the hardest security problem for today’s Internet. In this paper we propose a hybrid detection system, referred to as hybrid intrusion detection system (H-IDS), for detection of DDoS attacks. Our proposed detection system makes use of both anomaly-based and signature-based detection methods separately but in an integrated fashion and combines the outcomes of both detectors to enhance the overall detection accuracy. We apply two distinct datasets to our proposed system in order to test the detection performance of H-IDS and conclude that the proposed hybrid system gives better results than systems based on non-hybrid detection.

    Building a Portable Wireless Intrusion Detection System (IDS) with an Open-Source-Based Embedded System (Case Study: PT NETKRIDA TUAH CAKRAWALA)

    According to research results, surveys, and various studies, the number of attacks on information and communication technology continues to increase significantly, in both quality and quantity. NETKRIDA is an Indonesian IT consulting services company located in Pekanbaru, Riau, incorporated under the company name PT NETKRIDA TUAH CAKRAWALA. One of NETKRIDA's services is network security, in particular wireless network security. To ensure the security of communication and information networks, especially wireless networks, which tend to be more vulnerable because they can be used directly by anyone within reach of their coverage area (hotspot), a network security support application needs to be built as an effort to prevent and reduce the potential for further exploitation of vulnerabilities. Such a network security support application can take the form of a Portable Wireless IDS (Intrusion Detection System), a device built to monitor and provide early detection of activities within the network that could cause a security incident, in order to protect information and communication assets. This IDS is built by utilizing and developing the Linux operating system and various FOSS (Free Open Source Software) applications.

    Relational network-service clustering analysis with set evidences

    Network administrators are faced with a large amount of network data that they need to sift through to analyze user behaviors and detect anomalies. Through a network monitoring tool, we obtained TCP and UDP connection records together with additional information on the associated users and software in an enterprise network. Instead of using traditional payload inspection techniques, we propose a method that clusters such network traffic data by using relations between entities so that it can be analyzed for frequent behaviors and anomalies. Relational methods like Markov Logic Networks are able to avoid the feature extraction stage and directly handle multi-relation situations. We extend the common pairwise representation in relational models by adopting set evidence to build a better objective for the network service clustering problem. The automatic clustering process helps the administrator filter out normal traffic in a shorter time and get an abstract overview of open transport-layer ports in the whole network, which is beneficial for assessing network security risks. Experimental results on synthetic and real datasets suggest that our method is able to discover underlying services and anomalies (malware or abused ports) with good interpretations. © 2010 ACM

    A System to detect suspicious activities in network traffic

    Thesis submitted in partial fulfillment of the requirements for the Degree of Master of Science in Information Technology (MSIT) at Strathmore University. Modern enterprise networks have become targets of attacks from Internet malware including worms, self-propagating bots, spamming bots, client-side infections (drive-by downloads) and phishing attacks. The results of a cyber-attack, which include loss of company information, theft of money, costs of repairing the affected systems and perhaps damage to the reputation of the organization, can be devastating. However, with the right tools, security can dissect suspicious traffic to detect these attacks. When a company institutes a good method of network security surveillance, security analysts could be alerted within minutes of problems occurring, in good time. It is with this aim that this study sought to research and develop a simple and robust system that could be used to detect suspicious activities in network traffic. Specifically, the study sought to: discuss and analyze suspicious activities in network traffic and devices; analyze the existing techniques used to detect suspicious activities in network traffic; develop a system for detecting suspicious activities in network traffic; and validate the proposed system. The study adopted an experimental design. The experiment was conducted on an Ubuntu machine running 16.04 LTS where Snort was installed alongside PulledPork, Barnyard2 and BASE to act as the Web GUI. ICMP large packets were sent to the network for detection and the system was able to detect, analyze and report them on the BASE GUI. The target population for this study was network traffic. The researcher generated the network traffic by sending data packets across the networks. The network traffic was analyzed using the network security tools analyzed by the researcher and chosen based on their availability and compatibility with one another to come up with the desired setup.
    This research was not aimed at reinventing the wheel but at offering a major improvement through precise feedback on what network administrators across different organizations could identify as suspicious activities in their network.

    Anomaly-Based Intrusion Detection by Modeling Probability Distributions of Flow Characteristics

    In recent years, with the increased use of network communication, the risk of compromising information has grown immensely. Intrusions have evolved and become more sophisticated. Hence, classical detection systems show poor performance in detecting novel attacks. Although much research has been devoted to improving the performance of intrusion detection systems, few methods can achieve consistently efficient results with the constant changes in network communications. This thesis proposes an intrusion detection system based on modeling distributions of network flow statistics in order to achieve a high detection rate for known and stealthy attacks. The proposed model aggregates the traffic at the IP subnetwork level using a hierarchical heavy hitters algorithm. This aggregated traffic is used to build the distribution of network statistics for the most frequent IPv4 addresses encountered as destination. The obtained probability density functions are learned by the Extreme Learning Machine method, which is a single-hidden-layer feedforward neural network. In this thesis, different sequential and batch learning strategies are proposed in order to analyze the efficiency of the proposed approach. The performance of the model is evaluated on the ISCX-IDS 2012 dataset consisting of injection attacks, HTTP flooding, DDoS and brute force intrusions. The experimental results of the thesis indicate that the presented method achieves an average detection rate of 91% while having a low misclassification rate of 9%, which is on par with the state-of-the-art approaches using this dataset. In addition, the proposed method can be utilized as a network behavior analysis tool specifically for DDoS mitigation, since it can isolate aggregated IPv4 addresses from the rest of the network traffic, thus supporting filtering out DDoS attacks.

    Application of a Layered Hidden Markov Model in the Detection of Network Attacks

    Network-based attacks against computer systems are a common and increasing problem. Attackers continue to increase the sophistication and complexity of their attacks with the goal of removing sensitive data or disrupting operations. Attack detection technology works very well for the detection of known attacks using a signature-based intrusion detection system. However, attackers can utilize attacks that are undetectable to those signature-based systems, whether they are truly new attacks or modified versions of known attacks. Anomaly-based intrusion detection systems approach the problem of attack detection by detecting when traffic differs from a learned baseline. In the case of this research, the focus was on a relatively new area known as payload anomaly detection. In payload anomaly detection, the system focuses exclusively on the payload of packets and learns the normal contents of those payloads. When a payload's contents differ from the norm, an anomaly is detected and may be a potential attack. A risk with anomaly-based detection mechanisms is that they suffer from high false positive rates, which reduce their effectiveness. This research built upon previous research in payload anomaly detection by combining multiple techniques of detection in a layered approach. The layers of the system included a high-level navigation layer, a request payload analysis layer, and a request-response analysis layer. The system was tested using the test data provided by some earlier payload anomaly detection systems as well as new data sets. The results of the experiments showed that by combining these layers of detection into a single system, there were higher detection rates and lower false positive rates.

    Network Traffic Analysis Framework For Cyber Threat Detection

    The growing sophistication of attacks and newly emerging cyber threats require advanced cyber threat detection systems. Although there are several cyber threat detection tools in use, cyber threats and data breaches continue to rise. This research is intended to improve the cyber threat detection approach by developing a cyber threat detection framework using two complementary technologies, a search engine and machine learning, combining artificial intelligence and classical technologies. In this design science research, several artifacts such as a custom search engine library, a machine learning-based engine and different algorithms have been developed to build a new cyber threat detection framework based on self-learning search and machine learning engines. The Apache Lucene.Net search engine library was customized in order to function as a cyber threat detector, and Microsoft ML.NET was used to work with and train the customized search engine. This research proves that a custom search engine can function as a cyber threat detection system. Using both search and machine learning engines in the newly developed framework provides improved cyber threat detection capabilities such as self-learning and predicting attack details. When the two engines run together, the search engine is continuously trained by the machine learning engine and grows smarter, predicting yet unknown threats with greater accuracy. While customizing the search engine to function as a cyber threat detector, this research also identified and proved the best algorithms for the search engine based cyber threat detection model. For example, the best scoring algorithm was found to be the Manhattan distance. The validation case study also shows that not every network traffic feature makes an equal contribution to determining the status of the traffic, and thus the variable-dimension Vector Space Model (VSM) achieves better detection accuracy than the n-dimensional VSM.
    Although the use of different technologies and approaches improved detection results, this research is primarily focused on developing techniques rather than building a complete threat detection system. Additional components, such as those that can track and investigate the impact of network traffic on the destination devices, would make the newly developed framework robust enough to build a comprehensive cyber threat detection appliance.

    A Study on Large-Scale Graph Data Analysis Using Eigenvalue Decomposition and Tensor Decomposition

    University of Tsukuba (筑波大学) 201