871 research outputs found
Reduction of False Positives in Intrusion Detection Based on Extreme Learning Machine with Situation Awareness
Protecting computer networks from intrusions is more important than ever for our privacy, economy, and national security. Seemingly a month does not pass without news of a major data breach involving sensitive personal identity, financial, medical, trade secret, or national security data. Democratic processes can now be potentially compromised through breaches of electronic voting systems. As ever more devices, including medical machines, automobiles, and control systems for critical infrastructure are increasingly networked, human life is also more at risk from cyber-attacks. Research into Intrusion Detection Systems (IDSs) began several decades ago and IDSs are still a mainstay of computer and network protection and continue to evolve. However, detecting previously unseen, or zero-day, threats is still an elusive goal. Many commercial IDS deployments still use misuse detection based on known threat signatures. Systems utilizing anomaly detection have shown great promise to detect previously unseen threats in academic research. But their success has been limited in large part due to the excessive number of false positives that they produce.
This research demonstrates that false positives can be better minimized, while maintaining detection accuracy, by combining Extreme Learning Machine (ELM) and Hidden Markov Models (HMM) as classifiers within the context of a situation awareness framework. This research was performed using the University of New South Wales - Network Based 2015 (UNSW-NB15) data set, which is more representative of contemporary cyber-attack and normal network traffic than older data sets typically used in IDS research. It is shown that this approach provides better results than either HMM or ELM alone and with a lower False Positive Rate (FPR) than other comparable approaches that also used the UNSW-NB15 data set.
Cross-Site Scripting (XSS) Detection Integrating Evidences in Multiple Stages
As Cross-Site Scripting (XSS) remains one of the top web security risks, people keep exploring ways to detect such attacks efficiently. So far, existing solutions only focus on the payload in a web request or a response, a single stage of a web transaction. This work proposes a new approach that integrates evidence from both a web request and its response in order to better characterize XSS attacks and separate them from normal web transactions. We first collect complete payloads of XSS and normal web transactions from two databases and extract features from them using the Word2vec technique. Next, we train two Gaussian mixture models (GMM) with these features, one for XSS transactions and one for normal web transactions. These two models can generate two probability scores for a new web transaction, which indicate how similar this web transaction is to XSS and normal traffic, respectively. Finally, we put together these two GMM models in classification by combining these two probabilities to further improve detection accuracy.
Contemporary sequential network attacks prediction using hidden Markov model
Intrusion prediction is a key task for forecasting network intrusions. Intrusion detection systems have been primarily deployed as a first line of defence in a network; however, they often suffer from practical testing and evaluation due to unavailability of rich datasets. This paper evaluates the detection accuracy of determining all states (AS), the current state (CS), and the prediction of next state (NS) of an observation sequence, using the two conventional Hidden Markov Model (HMM) training algorithms, namely, Baum-Welch (BW) and Viterbi Training (VT). Both BW and VT were initialised using uniform, random and count-based parameters and the experiment evaluation was conducted on the CSE-CICIDS2018 dataset. Results show that the BW and VT count-based initialisation techniques perform better than uniform and random initialisation when detecting AS and CS. In contrast, for NS prediction, uniform and random initialisation techniques perform better than BW and VT count-based approaches.
Enhanced Prediction of Network Attacks Using Incomplete Data
For years, intrusion detection has been considered a key component of many organizations’ network defense capabilities. Although a number of approaches to intrusion detection have been tried, few have been capable of providing security personnel responsible for the protection of a network with sufficient information to make adjustments and respond to attacks in real-time. Because intrusion detection systems rarely have complete information, false negatives and false positives are extremely common, and thus valuable resources are wasted responding to irrelevant events. In order to provide better actionable information for security personnel, a mechanism for quantifying the confidence level in predictions is needed. This work presents an approach which seeks to combine a primary prediction model with a novel secondary confidence level model which provides a measurement of the confidence in a given attack prediction being made. The ability to accurately identify an attack and quantify the confidence level in the prediction could serve as the basis for a new generation of intrusion detection devices, devices that provide earlier and better alerts for administrators and allow more proactive response to events as they are occurring.
Hidden Markov Model Based Intrusion Alert Prediction
Intrusion detection is only a starting step in securing IT infrastructure. Prediction of intrusions is the next step to provide an active defense against incoming attacks.
Most of the existing intrusion prediction methods mainly focus on prediction of either intrusion type or intrusion category. Also, most of them are built based on domain knowledge and specific scenario knowledge. This thesis proposes an alert prediction framework which provides more detailed information than just the intrusion type or category to initiate possible defensive measures. The proposed algorithm is based on hidden Markov model and it does not depend on specific domain knowledge. Instead, it depends on a training process. Hence the proposed algorithm is adaptable to different conditions. Also, it is based on prediction of the next alert cluster, which contains source IP address, destination IP range, alert type and alert category. Hence, prediction of next alert cluster provides more information about future strategies of the attacker.
Experiments were conducted using a public data set generated over 2500 alert predictions. The proposed alert prediction framework achieved accuracy of 81% and 77% for single step and five step predictions respectively for prediction of the next alert cluster. It also achieved an accuracy of prediction of 95% and 92% for single step and five step predictions respectively for prediction of the next alert category. The proposed methods achieved 5% prediction accuracy improvement for alert category over variable length Markov based alert prediction method, while providing more information for a possible defense.
IT Intrusion Detection Using Statistical Learning and Testbed Measurements
We study automated intrusion detection in an IT infrastructure, specifically the problem of identifying the start of an attack, the type of attack, and the sequence of actions an attacker takes, based on continuous measurements from the infrastructure. We apply statistical learning methods, including Hidden Markov Model (HMM), Long Short-Term Memory (LSTM), and Random Forest Classifier (RFC) to map sequences of observations to sequences of predicted attack actions. In contrast to most related research, we have abundant data to train the models and evaluate their predictive power. The data comes from traces we generate on an in-house testbed where we run attacks against an emulated IT infrastructure. Central to our work is a machine-learning pipeline that maps measurements from a high-dimensional observation space to a space of low dimensionality or to a small set of observation symbols. Investigating intrusions in offline as well as online scenarios, we find that both HMM and LSTM can be effective in predicting attack start time, attack type, and attack actions. If sufficient training data is available, LSTM achieves higher prediction accuracy than HMM. HMM, on the other hand, requires less computational resources and less training data for effective prediction. Also, we find that the methods we study benefit from data produced by traditional intrusion detection systems like SNORT.
Comment: A shortened version of this paper will appear in the conference proceedings of NOMS 2024 (IEEE/IFIP Network Operations and Management Symposium).