Collaborative Feature Maps of Networks and Hosts for AI-driven Intrusion Detection
Intrusion Detection Systems (IDS) are critical security mechanisms that protect against a wide variety of network threats and malicious behaviors on networks or hosts. As both Network-based IDS (NIDS) and Host-based IDS (HIDS) have been widely investigated, this paper aims to present a Combined Intrusion Detection System (CIDS) that integrates network and host data in order to improve IDS performance. Due to the scarcity of datasets that include both network packet and host data, we present a novel CIDS dataset formation framework that can handle log files from a variety of operating systems and align log entities with network flows. A new CIDS dataset named SCVIC-CIDS-2021 is derived from the meta-data of the well-known benchmark dataset CIC-IDS-2018 by utilizing the proposed framework. Furthermore, a transformer-based deep learning model named CIDS-Net is proposed that takes network flow and host features as inputs and outperforms baseline models that rely on network flow features only. Experimental results evaluating the proposed CIDS-Net on the SCVIC-CIDS-2021 dataset support the hypothesis that combining host and flow features is beneficial: CIDS-Net improves the macro F1 score of the baseline solutions by 6.36% (up to 99.89%).
Comment: IEEE Global Communications Conference (Globecom), 2022, 6 pages, 3 figures, 4 tables
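The alignment step the abstract describes (host log entries from different operating systems normalized and joined to the network flows they overlap, so host-side counts can sit beside flow features in one record) looks roughly as follows. This is an added illustration, not the SCVIC-CIDS-2021 framework's own code: the two log formats, the field names, the one-second alignment tolerance and the chosen host features are assumptions, and every log line and flow is constructed.

```python
"""Align host log entries with network flows so host-side features can sit
beside flow features in one record, the joining step a CIDS dataset needs.

Added illustration, not the SCVIC-CIDS-2021 formation framework itself. The two
log formats, the field names, the +/-1 s alignment tolerance and the chosen host
features are assumptions; all log lines and flows are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

LOG_YEAR = 2018  # BSD syslog stamps carry no year; assumed for the sample


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    start: datetime
    end: datetime
    label: str


@dataclass(frozen=True)
class HostEvent:
    ts: datetime
    host: str      # IP the log came from; the key that joins it to flows
    source: str    # program (Linux) or channel (Windows)
    message: str


def parse_syslog(line: str) -> HostEvent:
    """'Feb 14 10:00:01 10.0.0.5 sshd[812]: Failed password ...' (Linux, BSD syslog)."""
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    host, rest = line[16:].split(" ", 1)
    prog, msg = rest.split(": ", 1)
    return HostEvent(ts, host, prog.split("[", 1)[0], msg)


def parse_windows_csv(line: str) -> HostEvent:
    """'2018-02-14T10:00:04,10.0.0.5,Security,4625,An account failed to log on' (exported event log)."""
    stamp, host, channel, event_id, msg = line.split(",", 4)
    return HostEvent(datetime.fromisoformat(stamp), host, channel, f"{event_id} {msg}")


def normalize(lines: List[str]) -> List[HostEvent]:
    """Route each line to the parser for its OS format; extend here for more formats."""
    return [parse_windows_csv(l) if l[:4].isdigit() else parse_syslog(l) for l in lines]


def is_auth_failure(ev: HostEvent) -> bool:
    return "failed password" in ev.message.lower() or ev.message.startswith("4625 ")


def align(flows: List[Flow], events: List[HostEvent],
          tolerance: timedelta = timedelta(seconds=1)) -> List[Dict]:
    """A host event belongs to a flow if its host is one flow endpoint and its
    timestamp falls inside the flow's window (widened by the tolerance to absorb
    clock skew between the network sensor and the host)."""
    rows = []
    for f in flows:
        matched = [e for e in events
                   if e.host in (f.src, f.dst)
                   and f.start - tolerance <= e.ts <= f.end + tolerance]
        rows.append({
            "src": f.src, "dst": f.dst, "dport": f.dport,
            "duration_s": (f.end - f.start).total_seconds(),
            "host_events": len(matched),
            "host_auth_failures": sum(is_auth_failure(e) for e in matched),
            "host_sources": len({e.source for e in matched}),
            "label": f.label,
        })
    return rows


# Constructed sample: an SSH brute-force flow and a benign HTTPS flow against 10.0.0.5.
FLOWS = [
    Flow("10.0.0.99", "10.0.0.5", 22, datetime(2018, 2, 14, 10, 0, 0),
         datetime(2018, 2, 14, 10, 0, 5), "SSH-BruteForce"),
    Flow("10.0.0.7", "10.0.0.5", 443, datetime(2018, 2, 14, 10, 5, 0),
         datetime(2018, 2, 14, 10, 5, 2), "Benign"),
]
HOST_LOG_LINES = [
    "Feb 14 10:00:01 10.0.0.5 sshd[812]: Failed password for root from 10.0.0.99 port 51000 ssh2",
    "Feb 14 10:00:03 10.0.0.5 sshd[815]: Failed password for admin from 10.0.0.99 port 51002 ssh2",
    "2018-02-14T10:00:04,10.0.0.5,Security,4625,An account failed to log on",
    "Feb 14 10:02:00 10.0.0.5 CRON[900]: (root) CMD (run-parts /etc/cron.hourly)",  # overlaps no flow
    "Feb 14 10:05:01 10.0.0.5 nginx: 10.0.0.7 - - GET / HTTP/1.1 200",
]


def build_dataset() -> List[Dict]:
    return align(FLOWS, normalize(HOST_LOG_LINES))


if __name__ == "__main__":
    for row in build_dataset():
        print(row)
```

The brute-force flow ends up with three host events and three authentication failures attached, the benign flow with one web-server event and none; the cron entry, which overlaps no flow, is dropped. The tolerance matters in practice: sensor and host clocks rarely agree to the second, and too tight a window silently strips the host features from exactly the short flows where they help most.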
Payload-Byte: A Tool for Extracting and Labeling Packet Capture Files of Modern Network Intrusion Detection Datasets
Adapting modern approaches for network intrusion detection is becoming critical, given rapid technological advancement and rising adversarial attack rates. Packet-based methods that utilize payload data are therefore gaining popularity, owing to their effectiveness in detecting certain attacks. However, packet-based approaches suffer from a lack of standardization, which leads to comparability and reproducibility problems. Unlike flow-based datasets, no standard labeled dataset exists, forcing researchers to follow bespoke labeling pipelines for individual approaches. Without a standardized baseline, proposed approaches cannot be compared and evaluated against each other, and one cannot tell whether a proposed approach is a methodological advance or merely benefits from a proprietary interpretation of the dataset. To address these comparability and reproducibility issues, this work introduces Payload-Byte, an open-source tool for extracting and labeling network packets. Payload-Byte uses metadata information to label the raw traffic captures of modern intrusion detection datasets in a generalized manner. Moreover, the labeled data is transformed into a byte-wise feature vector that can be used to train machine learning models. The whole processing and labeling cycle is stated explicitly in this work. Furthermore, the source code and processed data are made publicly available so that they may act as a standardized baseline for future research. Lastly, a brief comparative analysis of machine learning models trained on packet-based and flow-based data is presented.
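The two steps the abstract names, labeling raw packets from the dataset's flow-level metadata and turning each payload into a byte-wise feature vector, can be sketched as follows. This is an added illustration and not the Payload-Byte tool's own code: the record layouts, the direction-independent flow key used for matching, the one-second matching slack and the 1500-byte vector length are assumptions, and the sample packets and flows are constructed.

```python
"""Label raw packets from flow-level metadata and turn each payload into a
byte-wise feature vector: the two Payload-Byte steps described above.

Added illustration, not the Payload-Byte tool's own code. The record layouts,
the direction-independent flow key, the 1 s matching slack and the 1500-byte
vector length are assumptions; the sample packets and flows are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, int, str, int, int]


@dataclass(frozen=True)
class FlowRecord:
    """One row of a flow-level metadata file (CIC-IDS style CSV)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    start: float  # epoch seconds
    end: float
    label: str


@dataclass(frozen=True)
class Packet:
    """The fields a pcap parser would hand back for one packet."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    payload: bytes


def flow_key(src: str, sport: int, dst: str, dport: int, proto: int) -> FlowKey:
    """Order the endpoints so both directions of a connection share one key."""
    lo, hi = sorted([(src, sport), (dst, dport)])
    return (lo[0], lo[1], hi[0], hi[1], proto)


def index_flows(flows: List[FlowRecord]) -> Dict[FlowKey, List[FlowRecord]]:
    index: Dict[FlowKey, List[FlowRecord]] = {}
    for f in flows:
        index.setdefault(flow_key(f.src, f.sport, f.dst, f.dport, f.proto), []).append(f)
    return index


def label_packet(pkt: Packet, index: Dict[FlowKey, List[FlowRecord]],
                 slack: float = 1.0) -> Optional[str]:
    """Label = the flow with the same 5-tuple whose time window covers the packet.
    A reused port pair can match several flows; if their labels disagree the
    packet is left unlabeled rather than guessed."""
    key = flow_key(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
    labels = {f.label for f in index.get(key, [])
              if f.start - slack <= pkt.ts <= f.end + slack}
    return labels.pop() if len(labels) == 1 else None


def byte_vector(payload: bytes, n: int = 1500) -> List[int]:
    """One feature per byte position: truncate to n bytes, zero-pad short payloads."""
    return list(payload[:n].ljust(n, b"\x00"))


def build_dataset(packets: List[Packet], flows: List[FlowRecord],
                  n: int = 1500) -> List[Dict]:
    """Rows of {ts, label, x}; packets with no payload or no unambiguous label are dropped."""
    index = index_flows(flows)
    rows = []
    for pkt in packets:
        if not pkt.payload:
            continue
        label = label_packet(pkt, index)
        if label is None:
            continue
        rows.append({"ts": pkt.ts, "label": label, "x": byte_vector(pkt.payload, n)})
    return rows


# Constructed sample: a DoS-labelled HTTP flow and a benign SSH flow.
FLOWS = [
    FlowRecord("172.16.0.1", 51000, "192.168.10.50", 80, 6, 1000.0, 1005.0, "DoS"),
    FlowRecord("10.0.0.8", 40000, "192.168.10.50", 22, 6, 2999.5, 3010.0, "Benign"),
]
PACKETS = [
    Packet(1000.00, "172.16.0.1", 51000, "192.168.10.50", 80, 6,
           b"GET / HTTP/1.1\r\nHost: victim\r\n\r\n"),
    Packet(1000.01, "172.16.0.1", 51000, "192.168.10.50", 80, 6, b""),  # bare ACK, no payload
    Packet(1000.02, "192.168.10.50", 80, "172.16.0.1", 51000, 6,
           b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),  # reverse direction
    Packet(1200.00, "172.16.0.1", 51000, "192.168.10.50", 80, 6,
           b"GET /late HTTP/1.1\r\n\r\n"),  # same 5-tuple, outside the flow window
    Packet(3000.00, "10.0.0.8", 40000, "192.168.10.50", 22, 6, b"SSH-2.0-OpenSSH_7.6\r\n"),
]

if __name__ == "__main__":
    for row in build_dataset(PACKETS, FLOWS):
        print(row["ts"], row["label"], bytes(row["x"][:16]))
```

Three of the five packets survive: the request and the response of the DoS flow (the response is matched through the direction-independent key) and the SSH banner. The empty ACK carries nothing to featurize, and the late request shares the 5-tuple but falls outside the flow's window, which is exactly the case where a bespoke pipeline that matches on the 5-tuple alone would assign a label the metadata does not support.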
Clustering extension of MOVICAB-IDS to distinguish intrusions in flow-based data
Much effort has been devoted to research on intrusion detection (ID) in recent years because intrusion strategies and technologies are constantly and quickly evolving. As an innovative solution based on visualization, the MObile VIsualisation Connectionist Agent-Based IDS (MOVICAB-IDS) was previously proposed, conceived as a hybrid-intelligent ID system. It was designed to analyse continuous network data at the packet level and is extended in the present paper to the analysis of flow-based traffic data. By incorporating clustering techniques into the original proposal, network flows are investigated in an attempt to identify different types of attacks. The analysed real-life data (the well-known dataset from the University of Twente) come from a honeypot directly connected to the Internet (thus ensuring attack exposure) and are analysed by means of clustering and neural techniques, individually and in conjunction. Promising results are obtained, supporting the validity of the proposed extension for the analysis of network flow data.
A hierarchical Intrusion Detection System using support vector machine for SDN network in cloud data center
Software-Defined Networking (SDN) has emerged as a dominant programmable network architecture for cloud-based data centers. Its centralised programmable control plane, decoupled from the data plane and holding a global view of the network state, provides new opportunities to implement innovative security mechanisms. This research leverages these features of SDN and presents the architecture of a hierarchical and lightweight Intrusion Detection System (IDS) for software-defined networks by exploiting the concept of SDN flows. It combines the advantages of a flow-based IDS and a packet-based IDS in order to provide a high detection rate without degrading network performance. The flow-based IDS uses an anomaly detection algorithm based on Support Vector Machines (SVM) trained on the DARPA Intrusion Detection Dataset. This first line of defence flags intrusions on the network; when an attack is detected, the malicious flow is mirrored to a packet-based IDS for further examination and action. The results show that this scheme provides good detection rates and performance with minimal extra overhead.