Mutating network scans for the assessment of supervised classifier ensembles

As it is well known, some Intrusion Detection Systems (IDSs) suffer from high rates of false positives and negatives. A mutation technique is proposed in this study to test and evaluate the performance of a full range of classifier ensembles for Network Intrusion Detection when trying to recognize new attacks. The novel technique applies mutant operators that randomly modify the features of the captured network packets to generate situations that could not otherwise be provided to IDSs while learning. A comprehensive comparison of supervised classifiers and their ensembles is performed to assess their generalization capability. It is based on the idea of confronting brand new network attacks obtained by means of the mutation technique. Finally, an example application of the proposed testing model is specially applied to the identification of network scans and related mutationsSpanish Ministry of Science and Innovation (TIN2010-21272-C02-01 and CIT-020000-2009-12) (both funded by the European Regional Development Fund). The authors would also like to thank the vehicle interior manufacturer, Grupo Antolin Ingenieria S. A., within the framework of the MAGNO2008 - 1028.- CENIT. Project also funded by the MICINN, the Spanish Ministry of Science and Innovation (PID 560300-2009-11) and the Regional Government of Castile-Leon (CCTT/10/BU/0002). This work was also supported in the framework of the IT4Innovations Centre of Excellence project, reg. no. (CZ.1.05/1.1.00/02.0070) supported by the Operational Program 'Research and Development for Innovations' funded through the Structural Funds of the European Union and the state budget of the Czech Republic.This is a pre-copyedited, author-produced PDF of an article accepted for publication in Logic Journal of the IGPL following peer review. The version of record: Javier Sedano, Silvia González, Álvaro Herrero, Bruno Baruque, and Emilio Corchado, Mutating network scans for the assessment of supervised classifier ensembles, Logic Jnl IGPL, first published online September 3, 2012, doi:10.1093/jigpal/jzs037 is available online at: http://jigpal.oxfordjournals.org/content/early/2012/09/03/jigpal.jzs03

Anomaly-based network intrusion detection: Techniques, systems and challenges.

Threat Intrusion detection Anomaly detection IDS systems and platforms Assessment a b s t r a c t The Internet and computer networks are exposed to an increasing number of security threats. With new types of attacks appearing continually, developing flexible and adaptive security oriented approaches is a severe challenge. In this context, anomaly-based network intrusion detection techniques are a valuable technology to protect target systems and networks against malicious activities. However, despite the variety of such methods described in the literature in recent years, security tools incorporating anomaly detection functionalities are just starting to appear, and several important problems remain to be solved. This paper begins with a review of the most well-known anomaly-based intrusion detection techniques. Then, available platforms, systems under development and research projects in the area are presented. Finally, we outline the main challenges to be dealt with for the wide scale deployment of anomaly-based intrusion detectors, with special emphasis on assessment issues. ª 2008 Elsevier Ltd. All rights reserved. Introduction Intrusion Detection Systems (IDS) are security tools that, like other measures such as antivirus software, firewalls and access control schemes, are intended to strengthen the security of information and communication systems. Although, as shown i