
    Active Virtual Network Management Prediction: Complexity as a Framework for Prediction, Optimization, and Assurance

    Research into active networking has provided the incentive to revisit what has traditionally been classified as distinct properties and characteristics of information transfer, such as protocol versus service; at a more fundamental level, this paper considers the blending of computation and communication by means of complexity. The specific service examined in this paper is network self-prediction enabled by Active Virtual Network Management Prediction. Computation/communication is analyzed via Kolmogorov Complexity. The result is a mechanism to understand and improve the performance of active networking, and of Active Virtual Network Management Prediction in particular. The Active Virtual Network Management Prediction mechanism allows information, in various states of algorithmic and static form, to be transported in the service of prediction for network management. The results are generally applicable to algorithmic transmission of information. Kolmogorov Complexity is used and experimentally validated as a theory describing the relationship among algorithmic compression, complexity, and prediction accuracy within an active network. Finally, the paper concludes with a complexity-based framework for Information Assurance that attempts to take a holistic view of vulnerability analysis.

    Denial of Service in Web-Domains: Building Defenses Against Next-Generation Attack Behavior

    The existing state-of-the-art in the field of application-layer Distributed Denial of Service (DDoS) protection is generally designed, and thus effective, only for static web domains. To the best of our knowledge, our work is the first that studies the problem of application-layer DDoS defense in web domains of dynamic content and organization, and for next-generation bot behaviour. In the first part of this thesis, we focus on the following research tasks: 1) we identify the main weaknesses of the existing application-layer anti-DDoS solutions as proposed in the research literature and in industry, 2) we obtain a comprehensive picture of current-day as well as next-generation application-layer attack behaviour, and 3) we propose novel techniques, based on a multidisciplinary approach that combines offline machine learning algorithms and statistical analysis, for detection of suspicious web visitors in static web domains. Then, in the second part of the thesis, we propose and evaluate a novel anti-DDoS system that detects a broad range of application-layer DDoS attacks, both in static and dynamic web domains, through the use of advanced data mining techniques. The key advantage of our system relative to other systems that resort to challenge-response tests (such as CAPTCHAs) in combating malicious bots is that our system minimizes the number of these tests presented to valid human visitors while succeeding in preventing most malicious attackers from accessing the web site. The results of the experimental evaluation of the proposed system demonstrate effective detection of current and future variants of application-layer DDoS attacks.

    A denial of service detector based on maximum likelihood detection and the random neural network

    In spite of extensive research in defence against Denial of Service (DoS), such attacks remain a predominant threat in today's networks. Due to the simplicity of the concept and the availability of the relevant attack tools, launching a DoS attack is relatively easy, while defending a network resource against it is disproportionately difficult. The first step of any comprehensive protection scheme against DoS is the detection of its existence, ideally long before the destructive traffic build-up. In this paper we propose a generic approach for DoS detection which uses multiple Bayesian classifiers and random neural networks (RNN). Our method is based on measuring various instantaneous and statistical variables describing the incoming network traffic, acquiring a likelihood estimation, and fusing the information gathered from the individual input features using likelihood averaging and different architectures of RNNs. We present and compare seven different implementations of it and evaluate our experimental results obtained in a large networking testbed.

    Statistical anomaly denial of service and reconnaissance intrusion detection

    This dissertation presents the architecture, methods and results of the Hierarchical Intrusion Detection Engine (HIDE) and the Reconnaissance Intrusion Detection System (RIDS); the former is a denial-of-service (DoS) attack detector while the latter is a scan and probe (P&S) reconnaissance detector; both are statistical anomaly systems. HIDE is a packet-oriented, observation-window-based, hierarchical, multi-tier, anomaly-based network intrusion detection system, which monitors several network traffic parameters simultaneously, constructs a 64-bin probability density function (PDF) for each, statistically compares it to a reference PDF of normal behavior using a similarity metric, then combines the results into an anomaly status vector that is classified by a neural network classifier. Three different data sets have been utilized to test the performance of HIDE: OPNET simulation data, the DARPA'98 intrusion detection evaluation data, and the CONEX TESTBED attack data. The results showed that HIDE can reliably detect DoS attacks with high accuracy and very low false alarm rates on all data sets. In particular, the investigation using the DARPA'98 data set yielded an overall total misclassification rate of 0.13%, a false negative rate of 1.42%, and a false positive rate of 0.090%; the latter implies a rate of only about 2.6 false alarms per day. RIDS is a session-oriented statistical tool that relies on training to model the parameters of its algorithms and is capable of detecting even distributed stealthy reconnaissance attacks. It consists of two main functional modules or stages: the Reconnaissance Activity Profiler (RAP) and the Reconnaissance Alert Correlater (RAC). The RAP is a session-oriented module capable of detecting stealthy scanning and probing attacks, while the RAC is an alert-correlation module that fuses the RAP alerts into attack scenarios and discovers the distributed stealthy attack scenarios. RIDS has been evaluated against two data sets: (a) the DARPA'98 data, and (b) 3 weeks of experimental data generated using the CONEX TESTBED network. RIDS has demonstrably achieved remarkable success; the false positive, false negative and misclassification rates found are low, less than 0.1%, for most reconnaissance attacks; they rise to about 6% for distributed highly stealthy attacks, the latter being a most challenging type of attack, which has been difficult to detect effectively until now.

    A Robust Mechanism for Defending Distributed Denial of Service Attacks on Web Servers

    Distributed Denial of Service (DDoS) attacks have emerged as a popular means of causing mass targeted service disruptions, often for extended periods of time. The relative ease and low cost of launching such attacks, compounded by the current inadequate state of any viable defense mechanism, have made them one of the top threats to the Internet community today. Since the increasing popularity of web-based applications has led to several critical services being provided over the Internet, it is imperative to monitor the network traffic so as to prevent malicious attackers from depleting the resources of the network and denying services to legitimate users. This paper first presents a brief discussion of some of the important types of DDoS attacks that currently exist and some existing mechanisms to combat these attacks. It then points out the major drawbacks of the currently existing defense mechanisms and proposes a new mechanism for protecting a web server against a DDoS attack. In the proposed mechanism, incoming traffic to the server is continuously monitored and any abnormal rise in the inbound traffic is immediately detected. The detection algorithm is based on a statistical analysis of the inbound traffic on the server and a robust hypothesis testing framework. Simulations carried out on the proposed mechanism have produced results that demonstrate the effectiveness of the proposed defense mechanism against DDoS attacks.
    Comment: 18 pages, 3 figures, 5 tables

    Towards privacy preserving cooperative cloud based intrusion detection systems

    Cloud systems are becoming more sophisticated, dynamic, and vulnerable to attacks. Therefore, it is becoming increasingly difficult for a single cloud-based Intrusion Detection System (IDS) to detect all attacks, because of limited and incomplete knowledge about attacks and their implications. Recent work on cybersecurity has shown that cooperation among cloud-based IDSs can bring higher detection accuracy in such complex computer systems. Through collaboration, cloud-based IDSs can consult and share knowledge with other IDSs to enhance detection accuracy and achieve mutual benefits. One fundamental barrier within cooperative IDS is the anonymity of the data the IDSs exchange. A malicious IDS can obtain sensitive information from other IDSs by inferring from the observed data. To address this problem, we propose a new framework for achieving a privacy-preserving cooperative cloud-based IDS. Specifically, we design a unified framework that integrates privacy-preserving techniques into machine learning-based IDSs to obtain a privacy-aware cooperative IDS. This allows an IDS to hide private and sensitive information in the shared data while improving or maintaining detection accuracy. The proposed framework has been implemented by considering several machine learning and privacy-preserving techniques. The results suggest that the consulted IDSs can detect intrusions without the need to use the original data. The results (i.e., no significant degradation in accuracy was recorded) can be achieved using the newly generated data, which is similar to the original data semantically but not synthetically.

    New Anomaly Network Intrusion Detection System in Cloud Environment Based on Optimized Back Propagation Neural Network Using Improved Genetic Algorithm

    Cloud computing is a distributed architecture providing computing facilities and storage resources as a service over an open environment (the Internet), which leads to various security and privacy issues in cloud computing. Thus, defending network-accessible cloud resources and services from various threats and attacks is of great concern. To address this issue, it is essential to create an efficient and effective Network Intrusion Detection System (NIDS) that detects both outsider and insider intruders with high detection precision in the cloud environment. NIDS has become popular as an important component of the network security infrastructure, detecting malicious activities by monitoring network traffic. In this work, we propose to optimize a very popular soft computing tool widely used for intrusion detection, namely the Back Propagation Neural Network (BPNN), using an Improved Genetic Algorithm (IGA). The Genetic Algorithm (GA) is improved through optimization strategies, namely Parallel Processing and Fitness Value Hashing, which reduce execution time and convergence time and save processing power. Since the learning rate and momentum term are among the most relevant parameters that impact the performance of the BPNN classifier, we have employed IGA to find the optimal or near-optimal values of these two parameters, which ensure a high detection rate, high accuracy and a low false alarm rate. The CloudSim simulator 4.0 and DARPA's KDD Cup 1999 datasets are used for simulation. From the detailed performance analysis, it is clear that the proposed system, called "ANIDS BPNN-IGA" (Anomaly NIDS based on BPNN and IGA), outperforms several state-of-the-art methods and is more suitable for network anomaly detection.

    Detecting Specific Types of DDoS Attacks in Cloud Environment by Using Anomaly Detection

    One of the most important benefits of using cloud computing is having on-demand services; accordingly, the method of payment in the cloud environment is pay per use. This feature results in a new kind of DDoS attack called Economic Denial of Sustainability (EDoS), in which the customer pays extra to the cloud provider because of the attack. DDoS attacks and their new variant, the EDoS attack, are divided into three categories: 1) bandwidth-consuming attacks, 2) attacks which target specific applications, and 3) connection-layer exhaustion attacks. In this work we propose a novel and inclusive model to precisely detect different types of DDoS and EDoS attacks by comparing traffic and resource usage in normal and attack situations. Features related to traffic and resource usage in each attack were collected as the metrics of our detection model. In designing our model, we used the metrics related to all 3 types of attacks, since features of one kind of attack play an important role in detecting another type. Moreover, to find a change point in resource usage and traffic behavior we used the CUSUM (cumulative sum) algorithm. The accuracy of our algorithm was then investigated by comparing its performance with one of the popular previous works. Achieving a higher rate of correct detection in our model demonstrated the high accuracy of the designed algorithm.

    Application of a Layered Hidden Markov Model in the Detection of Network Attacks

    Network-based attacks against computer systems are a common and increasing problem. Attackers continue to increase the sophistication and complexity of their attacks with the goal of removing sensitive data or disrupting operations. Attack detection technology works very well for the detection of known attacks using a signature-based intrusion detection system. However, attackers can utilize attacks that are undetectable to those signature-based systems, whether they are truly new attacks or modified versions of known attacks. Anomaly-based intrusion detection systems approach the problem of attack detection by detecting when traffic differs from a learned baseline. In the case of this research, the focus was on a relatively new area known as payload anomaly detection. In payload anomaly detection, the system focuses exclusively on the payload of packets and learns the normal contents of those payloads. When a payload's contents differ from the norm, an anomaly is detected and may be a potential attack. A risk with anomaly-based detection mechanisms is that they suffer from high false positive rates, which reduce their effectiveness. This research built upon previous research in payload anomaly detection by combining multiple detection techniques in a layered approach. The layers of the system included a high-level navigation layer, a request payload analysis layer, and a request-response analysis layer. The system was tested using the test data provided by some earlier payload anomaly detection systems as well as new data sets. The results of the experiments showed that by combining these layers of detection into a single system, there were higher detection rates and lower false positive rates.