Flow-based intrusion detection

The spread of 1-10Gbps technology has in recent years paved the way to a flourishing\ud landscape of new, high-bandwidth Internet services. As users, we depend on the Internet\ud in our daily life for simple tasks such as checking e-mails, but also for managing private\ud and financial information. However, entrusting such information to the Internet also means\ud that the network has become an alluring place for hackers. To this threat, the research\ud community has answered with an increased interest in intrusion detection, and the\ud researchers' attention is focused on developing new techniques to timely detect intruders\ud and prevent damage. Our studies in the field of intrusion detection, however, made us\ud realize that additional research is needed, in particular: the creation of shared data sets to\ud validate Intrusion Detection Systems (IDSs) and the development of automatic procedures\ud to tune the parameters of IDSs.\ud The contribution of this thesis is that it develops a structured approach to intrusion\ud detection that focuses on (i) shared ground-truth data sets and (ii) automatic parameter\ud tuning. We develop our approach by focusing on network flows, which offer an\ud aggregated view of network traffic in terms of the amount of packets and bytes exchanged\ud over the network, and on flow-based time series, which describe how the number of flows,\ud packets and bytes changes over time. We approach the problem of shared ground truth\ud first, by manually creating it, and, second, by proposing network models to generate\ud artificial ground truth. Finally, the performance of an IDS is governed by the trade-off\ud between detecting all anomalies (at the expense of raising alarms too often), and missing\ud anomalies (but not issuing many false alarms). We approach the problem of automatic\ud tuning of IDSs by developing a procedure that aims to mathematically optimize the system\ud performance in a systematic manner

SSHCure: a flow-based SSH intrusion detection system

SSH attacks are a main area of concern for network managers, due to the danger associated with a successful compromise. Detecting these attacks, and possibly compromised victims, is therefore a crucial activity. Most existing network intrusion detection systems designed for this purpose rely on the inspection of individual packets and, hence, do not scale to today's high-speed networks. To overcome this issue, this paper proposes SSHCure, a flow-based intrusion detection system for SSH attacks. It employs an efficient algorithm for the real-time detection of ongoing attacks and allows identification of compromised attack targets. A prototype implementation of the algorithm, including a graphical user interface, is implemented as a plugin for the popular NfSen monitoring tool. Finally, the detection performance of the system is validated with empirical traffic data

Autonomic Parameter Tuning of Anomaly-Based IDSs: an SSH Case Study

Anomaly-based intrusion detection systems classify network traffic instances by comparing them with a model of the normal network behavior. To be effective, such systems are expected to precisely detect intrusions (high true positive rate) while limiting the number of false alarms (low false positive rate). However, there exists a natural trade-off between detecting all anomalies (at the expense of raising alarms too often), and missing anomalies (but not issuing any false alarms). The parameters of a detection system play a central role in this trade-off, since they determine how responsive the system is to an intrusion attempt. Despite the importance of properly tuning the system parameters, the literature has put little emphasis on the topic, and the task of adjusting such parameters is usually left to the expertise of the system manager or expert IT personnel. In this paper, we present an autonomic approach for tuning the parameters of anomaly-based intrusion detection systems in case of SSH traffic. We propose a procedure that aims to automatically tune the system parameters and, by doing so, to optimize the system performance. We validate our approach by testing it on a flow-based probabilistic detection system for the detection of SSH attacks

CHID : conditional hybrid intrusion detection system for reducing false positives and resource consumption on malicous datasets

Inspecting packets to detect intrusions faces challenges when coping with a high volume of network traffic. Packet-based detection processes every payload on the wire, which degrades the performance of network intrusion detection system (NIDS). This issue requires an introduction of a flow-based NIDS that reduces the amount of data to be processed by examining aggregated information of related packets. However, flow-based detection still suffers from the generation of the false positive alerts due to incomplete data input. This study proposed a Conditional Hybrid Intrusion Detection (CHID) by combining the flow-based with packet-based detection. In addition, it is also aimed to improve the resource consumption of the packet-based detection approach. CHID applied attribute wrapper features evaluation algorithms that marked malicious flows for further analysis by the packet-based detection. Input Framework approach was employed for triggering packet flows between the packetbased and flow-based detections. A controlled testbed experiment was conducted to evaluate the performance of detection mechanism’s CHID using datasets obtained from on different traffic rates. The result of the evaluation showed that CHID gains a significant performance improvement in terms of resource consumption and packet drop rate, compared to the default packet-based detection implementation. At a 200 Mbps, CHID in IRC-bot scenario, can reduce 50.6% of memory usage and decreases 18.1% of the CPU utilization without packets drop. CHID approach can mitigate the false positive rate of flow-based detection and reduce the resource consumption of packet-based detection while preserving detection accuracy. CHID approach can be considered as generic system to be applied for monitoring of intrusion detection systems

Network attack detection at flow level

In this paper, we propose a new method for detecting unauthorized network intrusions, based on a traffic flow model and Cisco NetFlow protocol application. The method developed allows us not only to detect the most common types of network attack (DDoS and port scanning), but also to make a list of trespassers' IP-addresses. Therefore, this method can be applied in intrusion detection systems, and in those systems which lock these IP-addresses

Detecting Cyber Attacks at Data Dribble

This research article proposes a new technique for detecting unauthorized network intrusions, based on a traffic flow model and Cisco NetFlow protocol application [1,2]. This technique allows us to detect the most common types of network attack (DDoS and port scanning) and most importantly make a list of IP-addresses of trespassers. So, the technique can be used in intrusion detection systems, and in those systems which can track and lock these IP-addresses. Keywords: Network Attacks, Intrusion Detection, IP Address of Trespassers, DDoS attack, Cisco NetFlow, flow traffic model

E-GraphSAGE: A Graph Neural Network based Intrusion Detection System for IoT

This paper presents a new Network Intrusion Detection System (NIDS) based on Graph Neural Networks (GNNs). GNNs are a relatively new sub-field of deep neural networks, which can leverage the inherent structure of graph-based data. Training and evaluation data for NIDSs are typically represented as flow records, which can naturally be represented in a graph format. This establishes the potential and motivation for exploring GNNs for network intrusion detection, which is the focus of this paper. Current studies on machine learning-based NIDSs only consider the network flows independently rather than taking their interconnected patterns into consideration. This is the key limitation in the detection of sophisticated IoT network attacks such as DDoS and distributed port scan attacks launched by IoT devices. In this paper, we propose \mbox{E-GraphSAGE}, a GNN approach that overcomes this limitation and allows capturing both the edge features of a graph as well as the topological information for network anomaly detection in IoT networks. To the best of our knowledge, our approach is the first successful, practical, and extensively evaluated approach of applying Graph Neural Networks on the problem of network intrusion detection for IoT using flow-based data. Our extensive experimental evaluation on four recent NIDS benchmark datasets shows that our approach outperforms the state-of-the-art in terms of key classification metrics, which demonstrates the potential of GNNs in network intrusion detection, and provides motivation for further research.Comment: 9 pages, 5 figures, 6 table

A Two-stage Flow-based Intrusion Detection Model ForNext-generation Networks

The next-generation network provides state-of-the-art access-independent services over converged mobile and fixed networks. Security in the converged network environment is a major challenge. Traditional packet and protocol-based intrusion detection techniques cannot be used in next-generation networks due to slow throughput, low accuracy and their inability to inspect encrypted payload. An alternative solution for protection of next-generation networks is to use network flow records for detection of malicious activity in the network traffic. The network flow records are independent of access networks and user applications. In this paper, we propose a two-stage flow-based intrusion detection system for next-generation networks. The first stage uses an enhanced unsupervised one-class support vector machine which separates malicious flows from normal network traffic. The second stage uses a self-organizing map which automatically groups malicious flows into different alert clusters. We validated the proposed approach on two flow-based datasets and obtained promising results