Master of Science in Computing

thesisCurrent Intrusion Detection Systems (IDS) in a typical enterprise or campus network are limited by having a number of static monitoring points and static IDS resources deployed. The monitoring points are typically deployed using hardware optical taps or span ports which are directly fed into the IDS. The IDS system is a compute resource requiring dedicated-server-grade hardware, and these are statically configured when installing the network for an enterprise or campus. We designed a framework for making a distributed elastic Intrusion Detection System (IDS) for a Software Defined Network (SDN) capable network, called Distributed Elastic Intrusion DeTECTion (DEIDtect). We combine the flexibility of SDN and the elastic resource usage of a cloud infrastructure with a DEIDtect orchestrating controller to achieve an elastic IDS framework. DEIDtect enables simple and more dynamic management of IDS systems. The flexibility of our approach also enables new IDS use cases and deployment strategies

Energy Prediction Based Intrusion Detection In Wireless Sensor Networks

A challenge in designing wireless sensor networks is to maximize the lifetime of the network with respect to limited resources and energy. These limitations make the network particularly vulnerable to attacks from adversaries. Denial of Service (DOS) is considered a severely damaging attack in monitoring applications when intruders attack the network and force it to lose its power and die early. There are intrusion detection approaches, but they require communications and calculations which waste the network’s limited resources. In this paper, we propose a new intrusion detection model that is suitable for defending against DOS attacks. We use the idea of energy prediction to anticipate the energy consumption of the network in order to detect intruders based on the each individual node’s excessive usage of power. Our approach does not require a lot of communications or calculations between the nodes and the cluster head. It is energy efficient and accurate in detecting intruders. Simulations show that our energy aware intrusion detection approach can effectively detect intruders based on energy consumption rate

Energy Prediction Based Intrusion Detection In Wireless Sensor Networks

A challenge in designing wireless sensor networks is to maximize the lifetime of the network with respect to limited resources and energy. These limitations make the network particularly vulnerable to attacks from adversaries. Denial of Service (DOS) is considered a severely damaging attack in monitoring applications when intruders attack the network and force it to lose its power and die early. There are intrusion detection approaches, but they require communications and calculations which waste the network’s limited resources. In this paper, we propose a new intrusion detection model that is suitable for defending against DOS attacks. We use the idea of energy prediction to anticipate the energy consumption of the network in order to detect intruders based on the each individual node’s excessive usage of power. Our approach does not require a lot of communications or calculations between the nodes and the cluster head. It is energy efficient and accurate in detecting intruders. Simulations show that our energy aware intrusion detection approach can effectively detect intruders based on energy consumption rate

INTRUSION DETECTION SYSTEM USING DYNAMIC AGENT SELECTION AND CONFIGURATION

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analysing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. An intrusion detection system (IDS) monitors network traffic and monitors for suspicious activity and alerts the system or network administrator. It identifies unauthorized use, misuse, and abuse of computer systems by both system insiders and external penetrators. Intrusion detection systems (IDS) are essential components in a secure network environment, allowing for early detection of malicious activities and attacks. By employing information provided by IDS, it is possible to apply appropriate countermeasures and mitigate attacks that would otherwise seriously undermine network security. However, Increasing traffic and the necessity of stateful analysis impose strong computational requirements on network intrusion detection systems (NIDS), and motivate the need of architectures with multiple dynamic sensors. In a context of high traffic with heavy tailed characteristics, static rules for dispatching traffic slices among sensors cause severe imbalance. The current high volumes of network traffic overwhelm most IDS techniques requiring new approaches that are able to handle huge volume of log and packet analysis while still maintaining high throughput. This paper shows that the use of dynamic agents has practical advantages for intrusion detection. Our approach features unsupervised adjustment of its configuration and dynamic adaptation to the changing environment, which improvises the performance of IDS significantly. KEYWORDS—Intrusion Detection System, Agent Based IDS, Dynamic Sensor Selection. I

Implementation of hybrid artificial intelligence technique to detect covert channels in new generation network protocol IPv6

Intrusion detection systems offer monolithic way to detect attacks through monitoring, searching for abnormal characteristics and malicious behavior in network communications. Cyber-attack is performed through using covert channel which currently, is one of the most sophisticated challenges facing network security systems. Covert channel is used to ex/infiltrate classified information from legitimate targets, consequently, this manipulation violates network security policy and privacy. The New Generation Internet Protocol version 6 (IPv6) has certain security vulnerabilities and need to be addressed using further advanced techniques. Fuzzy rule is implemented to classify different network attacks as an advanced machine learning technique, meanwhile, Genetic algorithm is considered as an optimization technique to obtain the ideal fuzzy rule. This paper suggests a novel hybrid covert channel detection system implementing two Artificial Intelligence (AI) techniques; Fuzzy Logic and Genetic Algorithm (FLGA) to gain sufficient and optimal detection rule against covert channel. Our approach counters sophisticated network unknown attacks through an advanced analysis of deep packet inspection. Results of our suggested system offer high detection rate of 97.7% and a better performance in comparison to previous tested techniques

Intelligent network intrusion detection using an evolutionary computation approach

With the enormous growth of users\u27 reliance on the Internet, the need for secure and reliable computer networks also increases. Availability of effective automatic tools for carrying out different types of network attacks raises the need for effective intrusion detection systems. Generally, a comprehensive defence mechanism consists of three phases, namely, preparation, detection and reaction. In the preparation phase, network administrators aim to find and fix security vulnerabilities (e.g., insecure protocol and vulnerable computer systems or firewalls), that can be exploited to launch attacks. Although the preparation phase increases the level of security in a network, this will never completely remove the threat of network attacks. A good security mechanism requires an Intrusion Detection System (IDS) in order to monitor security breaches when the prevention schemes in the preparation phase are bypassed. To be able to react to network attacks as fast as possible, an automatic detection system is of paramount importance. The later an attack is detected, the less time network administrators have to update their signatures and reconfigure their detection and remediation systems. An IDS is a tool for monitoring the system with the aim of detecting and alerting intrusive activities in networks. These tools are classified into two major categories of signature-based and anomaly-based. A signature-based IDS stores the signature of known attacks in a database and discovers occurrences of attacks by monitoring and comparing each communication in the network against the database of signatures. On the other hand, mechanisms that deploy anomaly detection have a model of normal behaviour of system and any significant deviation from this model is reported as anomaly. This thesis aims at addressing the major issues in the process of developing signature based IDSs. These are: i) their dependency on experts to create signatures, ii) the complexity of their models, iii) the inflexibility of their models, and iv) their inability to adapt to the changes in the real environment and detect new attacks. To meet the requirements of a good IDS, computational intelligence methods have attracted considerable interest from the research community. This thesis explores a solution to automatically generate compact rulesets for network intrusion detection utilising evolutionary computation techniques. The proposed framework is called ESR-NID (Evolving Statistical Rulesets for Network Intrusion Detection). Using an interval-based structure, this method can be deployed for any continuous-valued input data. Therefore, by choosing appropriate statistical measures (i.e. continuous-valued features) of network trafc as the input to ESRNID, it can effectively detect varied types of attacks since it is not dependent on the signatures of network packets. In ESR-NID, several innovations in the genetic algorithm were developed to keep the ruleset small. A two-stage evaluation component in the evolutionary process takes the cooperation of rules into consideration and results into very compact, easily understood rulesets. The effectiveness of this approach is evaluated against several sources of data for both detection of normal and abnormal behaviour. The results are found to be comparable to those achieved using other machine learning methods from both categories of GA-based and non-GA-based methods. One of the significant advantages of ESR-NIS is that it can be tailored to specific problem domains and the characteristics of the dataset by the use of different fitness and performance functions. This makes the system a more flexible model compared to other learning techniques. Additionally, an IDS must adapt itself to the changing environment with the least amount of configurations. ESR-NID uses an incremental learning approach as new flow of traffic become available. The incremental learning approach benefits from less required storage because it only keeps the generated rules in its database. This is in contrast to the infinitely growing size of repository of raw training data required for traditional learning

Detecting Network-Based Obfuscated Code Injection Attacks Using Sandboxing

Intrusion detection systems (IDSs) are widely recognised as the last line of defence often used to enable incident response when intrusion prevention mechanisms are ineffective, or have been compromised. A signature based network IDS (NIDS) which operates by comparing network traffic to a database of suspicious activity patterns (known as signatures) is a popular solution due to its ease of deployment and relatively low false positive (incorrect alert) rate. Lately, attack developers have focused on developing stealthy attacks designed to evade NIDS. One technique used to accomplish this is to obfuscate the shellcode (the executable component of an attack) so that it does not resemble the signatures the IDS uses to identify the attacks but is still logically equivalent to the clear-text attacks when executed. We present an approach to detect obfuscated code injection attacks, an approach which compensates for efforts to evade IDSs. This is achieved by executing those network traffic segments that are judged potentially to contain executable code and monitoring the execution to detect operating system calls which are a necessary component of any such code. This detection method is based not on how the injected code is represented but rather on the actions it performs. Correct configuration of the IDS at deployment time is crucial for correct operation when this approach is taken, in particular, the examined executable code must be executed in an environment identical to the execution environment of the host the IDS is monitoring with regards to both operating system and architecture. We have implemented a prototype detector that is capable of detecting obfuscated shellcodes in a Linux environment, and demonstrate how it can be used to detect new or previously unseen code injection attacks and obfuscated attacks as well as well known attacks