Anomaly Detection in LAN with ARP Request Monitoring

学位の種別: 修士University of Tokyo(東京大学

Studying machine learning techniques for intrusion detection systems

Intrusion detection systems (IDSs) have been studied widely in the computer security community for a long time. The recent development of machine learning techniques has boosted the performance of the intrusion detection systems significantly. However, most modern machine learning and deep learning algorithms are exhaustive of labeled data that requires a lot of time and effort to collect. Furthermore, it might be late until all the data is collected to train the model. In this study, we first perform a comprehensive survey of existing studies on using machine learning for IDSs. Hence we present two approaches to detect the network attacks. We present that by using a tree-based ensemble learning with feature engineering we can outperform state-of-the-art results in the field. We also present a new approach in selecting training data for IDSs hence by using a small subset of training data combined with some weak classification algorithms we can improve the performance of the detector while maintaining the low running cost

Machine Learning Based Classification Model for Network Traffic Anomaly Detection

In current days, cloud environments are facing a huge challenge from the attackers in terms of various attacks thrown to the cloud service providers. In both industry and academics, the problem of detection and mitigation of DDoS attacks is now a challenging issue. Detecting Distributed Denial of Service (DDos) threats is mainly a classification problem that can be addressed using data mining, machine learning and deep learning techniques. DDoS attacks can occur in any of the seven-layer OSI model's network. Hence, detecting the DDoS attacks is an important task for cloud service providers to overcome dangerous attacks and loss incurred to stake holders and also the provider

Locally Weighted Classifiers for Detection of Neighbour Discovery Protocol DDoS and Replayed Attacks

The Internet of Thing (IoT) requires more IP addresses than Internet Protocol version 4 can offer. To solve this problem, Internet Protocol version 6 was developed to expand the availability of address spaces. Moreover, it supports hierarchical address allocation methods, which can facilitate route aggregation, thus limiting expansion of routing tables. An important feature of the Internet Protocol version 6 (IPv6) suites is the Neighbour Discovery Protocol (NDP), which is geared towards substitution of the Address Resolution Protocol in router discovery, and function redirection in Internet Protocol version 4. However, NDP is vulnerable to Denial of Service (DoS) attacks. In this contribution, we present a novel detection method for Distributed Denial of Service (DDoS) attacks, launched using NDP in IPv6. The proposed system uses flow-based network representation, instead of packet-based. It exploits the advantages of Locally Weighted Learning techniques, with three different machine learning models as its base learners. Simulation studies demonstrate that the intrusion detection method does not suffer from overfitting issues, offers lower computation costs and complexity, while exhibiting high accuracy rates. In summary, the proposed system uses 6 features, extracted from our bespoke dataset and is capable of detecting DDoS attacks with 99% accuracy and replayed attacks with an accuracy of 91.17%, offering a marked improvement in detection performance over state-of-the-art approaches

Methods and Techniques for Dynamic Deployability of Software-Defined Security Services

With the recent trend of “network softwarisation”, enabled by emerging technologies such as Software-Defined Networking and Network Function Virtualisation, system administrators of data centres and enterprise networks have started replacing dedicated hardware-based middleboxes with virtualised network functions running on servers and end hosts. This radical change has facilitated the provisioning of advanced and flexible network services, ultimately helping system administrators and network operators to cope with the rapid changes in service requirements and networking workloads. This thesis investigates the challenges of provisioning network security services in “softwarised” networks, where the security of residential and business users can be provided by means of sets of software-based network functions running on high performance servers or on commodity devices. The study is approached from the perspective of the telecom operator, whose goal is to protect the customers from network threats and, at the same time, maximize the number of provisioned services, and thereby revenue. Specifically, the overall aim of the research presented in this thesis is proposing novel techniques for optimising the resource usage of software-based security services, hence for increasing the chances for the operator to accommodate more service requests while respecting the desired level of network security of its customers. In this direction, the contributions of this thesis are the following: (i) a solution for the dynamic provisioning of security services that minimises the utilisation of computing and network resources, and (ii) novel methods based on Deep Learning and Linux kernel technologies for reducing the CPU usage of software-based security network functions, with specific focus on the defence against Distributed Denial of Service (DDoS) attacks. The experimental results reported in this thesis demonstrate that the proposed solutions for service provisioning and DDoS defence require fewer computing resources, compared to similar approaches available in the scientific literature or adopted in production networks