Clustering extension of MOVICAB-IDS to distinguish intrusions in flow-based data

Much effort has been devoted to research on intrusion detection (ID) in recent years because intrusion strategies and technologies are constantly and quickly evolving. As an innovative solution based on visualization, MObile VIsualisation Connectionist Agent-Based IDS was previously proposed, conceived as a hybrid-intelligent ID System. It was designed to analyse continuous network data at a packet level and is extended in present paper for the analysis of flow-based traffic data. By incorporating clustering techniques to the original proposal, network flows are investigated trying to identify different types of attacks. The analysed real-life data (the well-known dataset from the University of Twente) come from a honeypot directly connected to the Internet (thus ensuring attack-exposure) and is analysed by means of clustering and neural techniques, individually and in conjunction. Promising results are obtained, proving the validity of the proposed extension for the analysis of network flow dat

RT-MOVICAB-IDS: Addressing real-time intrusion detection

This study presents a novel Hybrid Intelligent Intrusion Detection System (IDS) known as RT-MOVICAB-IDS that incorporates temporal control. One of its main goals is to facilitate real-time Intrusion Detection, as accurate and swift responses are crucial in this field, especially if automatic abortion mechanisms are running. The formulation of this hybrid IDS combines Artificial Neural Networks (ANN) and Case-Based Reasoning (CBR) within a Multi-Agent System (MAS) to detect intrusions in dynamic computer networks. Temporal restrictions are imposed on this IDS, in order to perform real/execution time processing and assure system response predictability. Therefore, a dynamic real-time multi-agent architecture for IDS is proposed in this study, allowing the addition of predictable agents (both reactive and deliberative). In particular, two of the deliberative agents deployed in this system incorporate temporal-bounded CBR. This upgraded CBR is based on an anytime approximation, which allows the adaptation of this Artificial Intelligence paradigm to real-time requirements. Experimental results using real data sets are presented which validate the performance of this novel hybrid IDSMinisterio de Economía y Competitividad (TIN2010-21272-C02-01, TIN2009-13839-C03-01), Ministerio de Ciencia e Innovación (CIT-020000-2008-2, CIT-020000-2009-12

Intrusion Detection With Unsupervised Techniques for Network Management Protocols Over Smart Grids

[Abstract] The present research work focuses on overcoming cybersecurity problems in the Smart Grid. Smart Grids must have feasible data capture and communications infrastructure to be able to manage the huge amounts of data coming from sensors. To ensure the proper operation of next-generation electricity grids, the captured data must be reliable and protected against vulnerabilities and possible attacks. The contribution of this paper to the state of the art lies in the identification of cyberattacks that produce anomalous behaviour in network management protocols. A novel neural projectionist technique (Beta Hebbian Learning, BHL) has been employed to get a general visual representation of the traffic of a network, making it possible to identify any abnormal behaviours and patterns, indicative of a cyberattack. This novel approach has been validated on 3 different datasets, demonstrating the ability of BHL to detect different types of attacks, more effectively than other state-of-the-art methods

Visualization and clustering for SNMP intrusion detection

Accurate intrusion detection is still an open challenge. The present work aims at being one step toward that purpose by studying the combination of clustering and visualization techniques. To do that, the mobile visualization connectionist agent-based intrusion detection system (MOVICAB-IDS), previously proposed as a hybrid intelligent IDS based on visualization techniques, is upgraded by adding automatic response thanks to clustering methods. To check the validity of the proposed clustering extension, it has been applied to the identification of different anomalous situations related to the simple network management network protocol by using real-life data sets. Different ways of applying neural projection and clustering techniques are studied in the present article. Through the experimental validation it is shown that the proposed techniques could be compatible and consequently applied to a continuous network flow for intrusion detectionSpanish Ministry of Economy and Competitiveness with ref: TIN2010-21272-C02-01 (funded by the European Regional Development Fund) and SA405A12-2 from Junta de Castilla y Leon

The Importance of Time in the Identification of Anomalous Situations by Means of MOVICAB-IDS

Intrusion Detection Systems (IDSs) are a part of the computer security infrastructure of most organizations. They are designed to detect suspect patterns by monitoring and analysing computer network events. Different areas of artificial intelligence, statistical and signature verification techniques have been applied in the field of IDSs. Additionally, visualization tools have been applied for intrusion detection, some of them providing visual measurements of network traffic. As described in previous works, MOVICAB-IDS (MObile VIsualization Cooperative Agent-Based IDS) is a bio-inspired tool based on the use of unsupervised Neural Networks (NN), and provides the network administrator with a snapshot of network traffic, protocol interactions and traffic volume. It offers a complete and more intuitive visualization of the network traffic by depicting each simple packet. To improve the accessibility of the system, the administrator may visualize the results on a mobile device (such as PDA’s, mobile phones or embedded devices), enabling informed decisions to be taken anywhere and at any time. It is a combination of a connectionist model and a multiagent system enriched by a functional and mobile visualization. The viability and effectiveness of MOVICAB-IDS has been shown in previous works. This paper focuses on the importance of the time-information dependence in the identification of anomalous situations in the case of the proposed model. Several experiments show that the connectionist method on which MOVICAB-IDS is based (that has never been applied to the IDS and network security field before the beginning of this research) can highlight the evolution of packets along time. That is, MOVICAB-IDS identifies anomalous situations by taking into account the time-related dimension among others and by using unsupervised bio-inspired models

Clustering extension of MOVICAB-IDS to identify SNMP community searches

There are many security systems to protect information resources, but we are still not free from possible successful attacks. This study aims at being one step towards the proposal of an intrusion detection system (IDS) that faces those attacks not previously seen (zero-day attacks), by studying the combination of clustering and neural visualization techniques. To do that, MObile VIsualization Connectionist Agent-Based IDS (MOVICAB-IDS), previously proposed as a hybrid intelligent IDS based on a visualization approach, is upgraded by adding clustering methods. One of the main drawbacks of MOVICAB-IDS was its dependence on human processing; it could not automatically raise an alarm to warn about attacks. Additionally, human users could fail to detect an intrusion even when visualized as an anomalous one. To overcome this limitation, present work proposes the application of clustering techniques to provide automatic response to MOVICAB-IDS to quickly abort intrusive actions while happening. To check the validity of the proposed clustering extension, it faces now an anomalous situation related to the Simple Network Management Protocol: a community search. This attack to get the community string (password guessing) is analysed by clustering and neural tools, individually and in conjunction. Through the experimental stage, it is shown that the combination of clustering and neural projection improves the detection capability on a continuous network flow

Visualizationi and clustering for SNMP intrusion detection

Accurate intrusion detection is still an open challenge. The present work aims at being one step toward that purpose by studying the combination of clustering and visualization techniques. To do that, the mobile visualization connectionist agent-based intrusion detection system (MOVICAB-IDS), previously proposed as a hybrid intelligent IDS based on visualization techniques, is upgraded by adding automatic response thanks to clustering methods. To check the validity of the proposed clustering extension, it has been applied to the identification of different anomalous situations related to the simple network management network protocol by using real-life data sets. Different ways of applying neural projection and clustering techniques are studied in the present article. Through the experimental validation it is shown that the proposed techniques could be compatible and consequently applied to a continuous network flow for intrusion detection

Mobile Hybrid Intrusion Detection

This monograph comprises work on network-based Intrusion Detection (ID) that is grounded in visualisation and hybrid Artificial Intelligence (AI). It has led to the design of MOVICAB-IDS (MObile VIsualisation Connectionist Agent-Based IDS), a novel Intrusion Detection System (IDS), which is comprehensively described in this book. This novel IDS combines different AI paradigms to visualise network traffic for ID at packet level. It is based on a dynamic Multiagent System (MAS), which integrates an unsupervised neural projection model and the Case-Based Reasoning (CBR) paradigm through the use of deliberative agents that are capable of learning and evolving with the environment. The proposed novel hybrid IDS provides security personnel with a synthetic, intuitive snapshot of network traffic and protocol interactions. This visualisation interface supports the straightforward detection of anomalous situations and their subsequent identification. The performance of MOVICAB-IDS was tested through a novel mutation-based testing method in different real domains which entailed several attacks and anomalous situations

Incorporating Temporal Constraints in the Analysis Task of a Hybrid Intelligent IDS

This paper presents an extension of MOVICAB-IDS, a Hybrid Intelligent Intrusion Detection System characterized by incorporating temporal control to enable real-time processing and response. The original formulation of MOVICAB-IDS combines different Computational Intelligence techniques within a multiagent system to perform Intrusion Detection in dynamic computer networks. This work extends the initial proposal by incorporating temporal constraints in the analysis step of the Intrusion Detection process, when a neural projection model is applied