21 research outputs found

    Mobile Hybrid Intrusion Detection

    This monograph comprises work on network-based Intrusion Detection (ID) that is grounded in visualisation and hybrid Artificial Intelligence (AI). It has led to the design of MOVICAB-IDS (MObile VIsualisation Connectionist Agent-Based IDS), a novel Intrusion Detection System (IDS), which is comprehensively described in this book. This novel IDS combines different AI paradigms to visualise network traffic for ID at packet level. It is based on a dynamic Multiagent System (MAS), which integrates an unsupervised neural projection model and the Case-Based Reasoning (CBR) paradigm through the use of deliberative agents that are capable of learning and evolving with the environment. The proposed novel hybrid IDS provides security personnel with a synthetic, intuitive snapshot of network traffic and protocol interactions. This visualisation interface supports the straightforward detection of anomalous situations and their subsequent identification. The performance of MOVICAB-IDS was tested through a novel mutation-based testing method in different real domains which entailed several attacks and anomalous situations

    RT-MOVICAB-IDS: Addressing real-time intrusion detection

    This study presents a novel Hybrid Intelligent Intrusion Detection System (IDS) known as RT-MOVICAB-IDS that incorporates temporal control. One of its main goals is to facilitate real-time Intrusion Detection, as accurate and swift responses are crucial in this field, especially if automatic abortion mechanisms are running. The formulation of this hybrid IDS combines Artificial Neural Networks (ANN) and Case-Based Reasoning (CBR) within a Multi-Agent System (MAS) to detect intrusions in dynamic computer networks. Temporal restrictions are imposed on this IDS, in order to perform real/execution time processing and assure system response predictability. Therefore, a dynamic real-time multi-agent architecture for IDS is proposed in this study, allowing the addition of predictable agents (both reactive and deliberative). In particular, two of the deliberative agents deployed in this system incorporate temporal-bounded CBR. This upgraded CBR is based on an anytime approximation, which allows the adaptation of this Artificial Intelligence paradigm to real-time requirements. Experimental results using real data sets are presented which validate the performance of this novel hybrid IDS. Ministerio de Economía y Competitividad (TIN2010-21272-C02-01, TIN2009-13839-C03-01), Ministerio de Ciencia e Innovación (CIT-020000-2008-2, CIT-020000-2009-12

    Clustering extension of MOVICAB-IDS to distinguish intrusions in flow-based data

    Much effort has been devoted to research on intrusion detection (ID) in recent years because intrusion strategies and technologies are constantly and quickly evolving. As an innovative solution based on visualization, MObile VIsualisation Connectionist Agent-Based IDS was previously proposed, conceived as a hybrid-intelligent ID System. It was designed to analyse continuous network data at a packet level and is extended in the present paper for the analysis of flow-based traffic data. By incorporating clustering techniques to the original proposal, network flows are investigated trying to identify different types of attacks. The analysed real-life data (the well-known dataset from the University of Twente) come from a honeypot directly connected to the Internet (thus ensuring attack-exposure) and is analysed by means of clustering and neural techniques, individually and in conjunction. Promising results are obtained, proving the validity of the proposed extension for the analysis of network flow data.

    Visualization and clustering for SNMP intrusion detection

    Accurate intrusion detection is still an open challenge. The present work aims at being one step toward that purpose by studying the combination of clustering and visualization techniques. To do that, the mobile visualization connectionist agent-based intrusion detection system (MOVICAB-IDS), previously proposed as a hybrid intelligent IDS based on visualization techniques, is upgraded by adding automatic response thanks to clustering methods. To check the validity of the proposed clustering extension, it has been applied to the identification of different anomalous situations related to the simple network management network protocol by using real-life data sets. Different ways of applying neural projection and clustering techniques are studied in the present article. Through the experimental validation it is shown that the proposed techniques could be compatible and consequently applied to a continuous network flow for intrusion detection. Spanish Ministry of Economy and Competitiveness with ref: TIN2010-21272-C02-01 (funded by the European Regional Development Fund) and SA405A12-2 from Junta de Castilla y Leon.

    Hybrid Multi Agent-Neural Network Intrusion Detection with Mobile Visualization

    A multiagent system that incorporates an Artificial Neural Networks based Intrusion Detection System (IDS) has been defined to guaranty an efficient computer network security architecture. The proposed system facilitates the intrusion detection in dynamic networks. This paper presents the structure of the Mobile Visualization Connectionist Agent-Based IDS, more flexible and adaptable. The proposed improvement of the system in this paper includes deliberative agents that use the artificial neural network to identify intrusions in computer networks. The agent based system has been probed through anomalous situations related to the Simple Network Management Protocol

    Clustering extension of MOVICAB-IDS to identify SNMP community searches

    There are many security systems to protect information resources, but we are still not free from possible successful attacks. This study aims at being one step towards the proposal of an intrusion detection system (IDS) that faces those attacks not previously seen (zero-day attacks), by studying the combination of clustering and neural visualization techniques. To do that, MObile VIsualization Connectionist Agent-Based IDS (MOVICAB-IDS), previously proposed as a hybrid intelligent IDS based on a visualization approach, is upgraded by adding clustering methods. One of the main drawbacks of MOVICAB-IDS was its dependence on human processing; it could not automatically raise an alarm to warn about attacks. Additionally, human users could fail to detect an intrusion even when visualized as an anomalous one. To overcome this limitation, present work proposes the application of clustering techniques to provide automatic response to MOVICAB-IDS to quickly abort intrusive actions while happening. To check the validity of the proposed clustering extension, it faces now an anomalous situation related to the Simple Network Management Protocol: a community search. This attack to get the community string (password guessing) is analysed by clustering and neural tools, individually and in conjunction. Through the experimental stage, it is shown that the combination of clustering and neural projection improves the detection capability on a continuous network flow

    Incorporating Temporal Constraints in the Analysis Task of a Hybrid Intelligent IDS

    This paper presents an extension of MOVICAB-IDS, a Hybrid Intelligent Intrusion Detection System characterized by incorporating temporal control to enable real-time processing and response. The original formulation of MOVICAB-IDS combines different Computational Intelligence techniques within a multiagent system to perform Intrusion Detection in dynamic computer networks. This work extends the initial proposal by incorporating temporal constraints in the analysis step of the Intrusion Detection process, when a neural projection model is applied

    Approaching Real-Time Intrusion Detection through MOVICAB-IDS

    This paper presents an extension of MOVICAB-IDS, a Hybrid Intelligent Intrusion Detection System characterized by incorporating temporal control to enable real-time processing and response. The original formulation of MOVICAB-IDS combines artificial neural networks and case-based reasoning within a multiagent system to perform Intrusion Detection in dynamic computer networks. The contribution of the anytime algorithm, one of the most promising to adapt Artificial Intelligent techniques to real-time requirements, is comprehensively presented in this work.

    Incorporating Temporal Constraints in the Planning Task of a Hybrid Intelligent IDS

    Accurate and swift responses are crucial to Intrusion Detection Systems (IDSs), especially if automatic abortion mechanisms are running. In keeping with this idea, this work presents an extension of a Hybrid Intelligent IDS characterized by incorporating temporal control to facilitate real-time processing. The hybrid intelligent -IDS has been conceived as a Hybrid Artificial Intelligent System to perform Intrusion Detection in dynamic computer networks. It combines Artificial Neural Networks and Case-based Reasoning within a multiagent system, in order to develop a more efficient computer network security architecture. Although this temporal issue was taken into account in the initial formulation of this hybrid IDS, in this upgraded version, temporal restrictions are imposed in order to perform real/execution time processing. Experimental results are presented which validate the performance of this upgraded version

    Deliberative Agents for Intrusion Detection.

    This work describes a multiagent system incorporating some artificial intelligence techniques for intrusion detection. The proposed Intrusion Detection System (IDS) provides a network administrator with a comprehensive visualization of the network traffic. Thus, the network manager can supervise the network activity and detect anomalies at a glance. This paper describes the structure of the Mobile Visualization Connectionist Agent-Based IDS (MOVICAB-IDS). The system includes deliberative agents using a connectionist model to identify intrusions in computer networks. Some experiments dealing with anomalous situations related to the Simple Network Management Protocol are described