25 research outputs found

    Incorporating soft computing techniques into a probabilistic intrusion detection system


    Intelligent data leak detection through behavioural analysis

    This paper discusses a solution for detecting data leaks in an intelligent and covert way through real-time analysis of the user's behaviour while handling classified information. The data come from real-world use cases, and a variety of data preparation and data analysis techniques were tried. The results show the feasibility of the approach, but also the need to correlate with other security events to improve precision. UID/CEC/00319/201

    An Historical Analysis of Factors Contributing to the Emergence of the Intrusion Detection Discipline and its Role in Information Assurance

    In 2003, Gartner, Inc. predicted the inevitable demise of the intrusion detection (ID) market, a major segment of the computer security technology industry. In light of this prediction, IT executives need to know whether intrusion detection technologies serve a strategic purpose within the framework of information assurance (IA). This research investigated the historical background and circumstances that led to the birth of the intrusion detection field and traced the evolution of the discipline through current research in order to identify appropriate roles for IDS technology within an information assurance framework. The research identified factors contributing to the birth of ID, including increased procurement and use of resource-sharing computer systems in the DoD, a growing need to operate in an open computing environment while maintaining security, and the unmanageable volume of audit data produced as a result of security requirements. The research also uncovered six trends that describe the evolution of the ID discipline: passive to active response mechanisms; centralized to distributed management platforms; centralized to distributed, agent-based detection; single to multiple detection approaches within one system; host-based to network-based to hybrid analysis; and software-based to hardware-based, in-line devices. Finally, the research outlined three roles suitable for IDS within the IA framework: a stimulus to incident response mechanisms, a forensic tool for gathering evidence of computer misuse, and a vulnerability assessment or policy enforcement facility.

    Feature selection and visualization techniques for network anomaly detector

    Intrusion detection systems have been widely used as burglar alarms in the computer security field. There are two major types of detection technique: misuse detection and anomaly detection. Although misuse detection can detect known attacks with a lower false positive rate, anomaly detection is capable of detecting new or varied intrusion attempts as long as they disturb the normal state of the system. A network anomaly detector monitors a network segment for suspicious activity based on sniffed network traffic. High network speeds and the wide use of encryption make it almost impractical for a network anomaly detector to read payload information, so the features must come from packet headers and traffic statistics. This work tries to answer the question: what are the best features for a network anomaly detector? The main experimental data sets come from the 1999 DARPA/MIT Lincoln Laboratory off-line intrusion detection evaluation, since it is still the most comprehensive public benchmark available. First, 43 features at different levels and for different protocols are defined. Using the first three weeks as training data and the last two weeks as test data, the performance of the features is assessed with five different classifiers. Second, the feasibility of feature selection is investigated using filter and wrapper techniques such as Correlation-based Feature Selection. Third, the effect of changing the overlap and the time window of the network anomaly detector is investigated. Finally, GGobi and MineSet are used to visualize detected intrusions, saving time and effort for system administrators. The results show that the capability of these features is not limited to probing and denial-of-service attacks: they can also detect remote-to-local attacks and backdoors. The feature selection techniques reduce the dimensionality from 43 features to 10 without degrading performance. The three-dimensional visualizations give a straightforward view of normal network traffic versus malicious attacks, and time plots of key features help system administrators quickly locate possible intrusions.
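The abstract above describes three moving parts: payload-free features computed over a sliding time window with overlap, a labelled benchmark, and a correlation-based filter that discards redundant features. The following is an added example (not code from the paper or the DARPA evaluation) that implements a toy version of that pipeline: six header-only features instead of the paper's 43, a constructed packet log containing a SYN port sweep, and a greedy forward search scored with Hall's CFS merit. All hosts, ports, timings and feature names are assumptions made for the illustration.

```python
"""Windowed header-only traffic features and a greedy CFS-style feature filter.

Added example. The packet log is constructed, not captured, and the feature set
is a toy subset standing in for the paper's 43 features."""
from itertools import combinations
from math import sqrt
from statistics import mean, pstdev

# Packet record layout: (t_ms, src, dst, proto, dst_port, size_bytes, syn_flag)
def build_packets():
    """Constructed 50-second trace: two benign hosts and one SYN port sweep."""
    pkts = []
    # Host A: steady HTTPS session, one packet every 500 ms, a SYN every fifth packet.
    for i in range(100):
        pkts.append((500 * i, "10.0.0.2", "10.0.0.1", "tcp", 443, 600, i % 5 == 0))
    # Host B: intermittent DNS lookups during the first and last ten seconds only.
    for base in (1000, 40000):
        for j in range(5):
            pkts.append((base + 2000 * j, "10.0.0.3", "10.0.0.1", "udp", 53, 80, False))
    # Host C: SYN sweep of ports 1-100, one probe every 100 ms between t=20 s and t=30 s.
    for i in range(100):
        pkts.append((20000 + 100 * i, "10.0.0.9", "10.0.0.1", "tcp", 1 + i, 60, True))
    return sorted(pkts)

ATTACKERS = {"10.0.0.9"}  # ground truth, used only to label windows (assumed)

FEATURE_NAMES = ["pkt_rate", "mean_size", "distinct_src", "distinct_dst",
                 "distinct_dports", "syn_ratio"]

def window_features(pkts, window_ms, step_ms, t_end_ms):
    """Slide a window of window_ms with stride step_ms (overlap = window - step)
    over the trace and compute payload-free features. Returns (rows, labels)."""
    rows, labels = [], []
    start = 0
    while start + window_ms <= t_end_ms:
        w = [p for p in pkts if start <= p[0] < start + window_ms]
        n = len(w)
        if n == 0:
            rows.append([0.0] * len(FEATURE_NAMES))
            labels.append(0)
        else:
            rows.append([
                n / (window_ms / 1000.0),              # packets per second
                mean([p[5] for p in w]),               # mean packet size
                len({p[1] for p in w}),                # distinct source hosts
                len({p[2] for p in w}),                # distinct destination hosts
                len({p[4] for p in w}),                # distinct destination ports
                sum(1 for p in w if p[6]) / n,         # fraction of SYN packets
            ])
            labels.append(int(any(p[1] in ATTACKERS for p in w)))
        start += step_ms
    return rows, labels

def pearson(x, y):
    """Pearson correlation; a constant column carries no information, so 0.0."""
    sx, sy = pstdev(x), pstdev(y)
    if sx == 0 or sy == 0:
        return 0.0
    mx, my = mean(x), mean(y)
    return sum((a - mx) * (b - my) for a, b in zip(x, y)) / (len(x) * sx * sy)

def cfs_merit(subset, cols, labels):
    """Hall's CFS merit: k * r_cf / sqrt(k + k(k-1) * r_ff), rewarding features
    that correlate with the class while penalising correlation among themselves."""
    k = len(subset)
    r_cf = mean([abs(pearson(cols[f], labels)) for f in subset])
    if k == 1:
        return r_cf
    r_ff = mean([abs(pearson(cols[a], cols[b])) for a, b in combinations(subset, 2)])
    return k * r_cf / sqrt(k + k * (k - 1) * r_ff)

def select_features(rows, labels, names=FEATURE_NAMES):
    """Greedy forward search: add the feature that raises the merit most, stop
    when no candidate improves it. Returns (chosen_names, merit)."""
    cols = {name: [r[i] for r in rows] for i, name in enumerate(names)}
    chosen, best = [], 0.0
    while True:
        candidates = [(cfs_merit(chosen + [f], cols, labels), f)
                      for f in names if f not in chosen]
        if not candidates:
            break
        merit, f = max(candidates)
        if merit <= best:
            break
        chosen.append(f)
        best = merit
    return chosen, best

if __name__ == "__main__":
    rows, labels = window_features(build_packets(), window_ms=5000, step_ms=2500, t_end_ms=50000)
    cols = {n: [r[i] for r in rows] for i, n in enumerate(FEATURE_NAMES)}
    for name in FEATURE_NAMES:
        print(f"{name:16s} corr with label = {pearson(cols[name], labels):+.3f}")
    chosen, merit = select_features(rows, labels)
    print("selected:", chosen, "merit", round(merit, 3))
```

With a 5 s window and 50 % overlap the sweep lands in five of the nineteen windows. Every rate, size and port-count feature reacts to it, but they are also strongly correlated with one another, so the CFS search keeps a single representative and drops the rest, and the constant `distinct_dst` column is discarded outright; that is the same redundancy pruning the paper reports when it goes from 43 features to 10 on the DARPA data.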

    A Method for Evaluating Intrusion Detection Systems

    The work comprises 64 pages and contains 5 illustrations, 4 tables and 21 references. The purpose of the work is to evaluate intrusion detection systems using a method developed in the course of this thesis. The tasks of the work are to construct a method for evaluating intrusion detection systems, to develop the mathematical methods applied when evaluating an IDS, and to validate the method on existing software products. The object of the research is intrusion detection systems; the subject of the research is the security and effectiveness of intrusion detection systems. The results are presented as a table and a method that shows the evaluation of the intrusion detection systems selected for analysis according to the proposed method. The results can be used to choose an intrusion detection system. The method can also be used to evaluate other intrusion detection systems and to compare the results with security evaluations of other systems.

    Using CLIPS to Detect Network Intrusions

    We describe how to build a network intrusion detection sensor by slightly modifying NASA's CLIPS source code to introduce some new features. An overview of the system is presented, emphasizing the strategies used to interoperate between the packet capture engine written in C and CLIPS. Extensions were developed for manipulating timestamps, multiple-string pattern matching and certainty factors. Several Snort functions and plugins were adapted and used for packet decoding and preprocessing, and a rule translator was built to reuse most of the Snort attack signatures. Despite some performance drawbacks, the results show that CLIPS can be used for real-time network intrusion detection under certain conditions. Several attack signatures written as CLIPS rules are shown in the appendix. By combining CLIPS with Snort features, it was possible to bring flexibility and expressiveness to network intrusion detection.

    A prototype implementation of a network-level intrusion detection system. Technical report number CS91-11
