17,101 research outputs found

    Unsupervised Real-Time Network Intrusion and Anomaly Detection by Memristor Based Autoencoder

    Custom low-power hardware systems for real-time network security and anomaly detection are in high demand, as these would allow for adequate protection in battery-powered network devices, such as edge devices and the Internet of Things. This paper presents a memristor-based system for real-time intrusion detection, as well as anomaly detection based on autoencoders. Intrusion detection is performed by training only on a single autoencoder, and the overall detection accuracy of this system is 92.91%, with a malicious packet detection accuracy of 98.89%. The system described in this paper is also capable of using two autoencoders to perform anomaly detection using real-time online learning. Using this system, we show that the system flags anomalous data, but over time the system stops flagging a particular datatype if its presence is abundant. Utilizing memristors in these designs allows us to present extremely low-power systems for intrusion and anomaly detection while sacrificing little accuracy.

    Threshold verification using statistical approach for fast attack detection

    Networks have grown to a mammoth size and are becoming more complex, thus exposing the services they offer to multiple types of intrusion vulnerabilities. One method to overcome intrusion is by introducing an Intrusion Detection System (IDS) for detecting the threat before it can damage the network resources. IDSs have the ability to analyze network traffic and recognize incoming and ongoing network attacks. In detecting intrusion attacks, information gathering on such activity can be classified into fast attacks and slow attacks. Yet the majority of current intrusion detection systems do not have the ability to differentiate between these two types of attacks. Early detection of a fast attack is very useful in a real-time environment, in which it can help protect the targeted network from further intrusion that could let the intruder gain access to the vulnerable machine. To address this challenge, this paper introduces a fast attack detection framework that sets a threshold value to differentiate between normal network traffic and abnormal network traffic from the victim's perspective. The threshold value is abstracted with the help of a suitable set of features used to detect anomalies in the network. By introducing the threshold value, anomaly-based detection can build a complete profile to detect any intrusion threat while at the same time reducing its false alarm alerts.

    Performance Evaluation and Validation of Intelligent Security Mechanism in Software Defined Network

    Network attacks are discovered using intrusion detection systems (IDS), one of the most crucial security solutions. Intrusion detection approaches based on machine learning techniques have been rapidly created as a result of the widespread use of standard machine learning algorithms in the security field. Unfortunately, as technology has advanced and there have been faults in the machine learning-based intrusion detection system, the system has consistently failed to fulfill the standards for cyber security. Generative adversarial networks (GANs) have drawn a lot of interest recently and have been utilized widely in anomaly detection due to their enormous capacity for learning difficult high-dimensional real-time data distributions. Traditional machine learning algorithms for intrusion detection have a number of drawbacks that deep learning techniques can significantly mitigate. With the help of a real-time dataset, this work suggests employing GANs and their variants to detect network intrusions in SDN. The feasibility and comparison results are also presented. For different kinds of datasets, the BiGAN outcomes outperform the GAN.

    Payload-based anomaly detection in HTTP traffic

    University of Technology, Sydney. Faculty of Engineering and Information Technology. The Internet provides quality and convenience to human life but at the same time it provides a platform for network hackers and criminals. Intrusion Detection Systems (IDSs) have been proven to be powerful methods for detecting anomalies in the network. Traditional IDSs based on signatures are unable to detect new (zero-day) attacks. Anomaly-based systems are an alternative to signature-based systems. However, present anomaly detection systems suffer from three major setbacks: (a) a large number of false alarms, (b) a very high volume of network traffic due to high data rates (Gbps), and (c) inefficiency in operation. In this thesis, we address the above issues and develop efficient intrusion detection frameworks and models which can be used in detecting a wide variety of attacks including web-based attacks. Our proposed methods are designed to have very few false alarms. We also address Intrusion Detection as a Pattern Recognition problem and discuss all aspects that are important in realizing an anomaly-based IDS. We present three payload-based anomaly detectors, including Geometrical Structure Anomaly Detection (GSAD), Two-Tier Intrusion Detection system using Linear Discriminant Analysis (LDA), and Real-time Payload-based Intrusion Detection System (RePIDS), for intrusion detection. These detectors perform deep-packet analysis and examine payload content using n-gram text categorization and Mahalanobis Distance Map (MDM) techniques. An MDM extracts hidden correlations between the features within each payload and among packet payloads. GSAD generates a model of normal network payload as a geometrical structure using MDMs in a fully automatic and unsupervised manner. We have implemented the GSAD model in an HTTP environment for web-based applications. For efficient operation of IDSs, the detection speed is a key point. Current IDSs examine a large number of data features to detect intrusions and misuse patterns. Hence, for quickly and accurately identifying anomalies of Internet traffic, feature reduction becomes mandatory. We have proposed two models to address this issue, namely the two-tier intrusion detection model and RePIDS. The two-tier intrusion detection model uses the Linear Discriminant Analysis approach for feature reduction and optimal feature selection. It uses the MDM technique to create a model of normal network payload using an extracted feature set. RePIDS uses a 3-tier Iterative Feature Selection Engine (IFSEng) to reduce the dimensionality of the raw dataset using the Principal Component Analysis (PCA) technique. IFSEng extracts the most significant features from the original feature set and uses mathematical and graphical methods for optimal feature subset selection. Like the two-tier intrusion detection model, RePIDS then uses the MDM technique to generate a model of normal network payload using extracted features. We test the proposed IDSs on two publicly available datasets of attacks and normal traffic. Experimental results confirm the effectiveness and validation of our proposed solutions in terms of detection rate, false alarm rate and computational complexity.

    ReRe: A Lightweight Real-time Ready-to-Go Anomaly Detection Approach for Time Series

    Anomaly detection is an active research topic in many different fields such as intrusion detection, network monitoring, system health monitoring, IoT healthcare, etc. However, many existing anomaly detection approaches require either human intervention or domain knowledge, and may suffer from high computation complexity, consequently hindering their applicability in real-world scenarios. Therefore, a lightweight and ready-to-go approach that is able to detect anomalies in real-time is highly sought-after. Such an approach could be easily and immediately applied to perform time series anomaly detection on any commodity machine. The approach could provide timely anomaly alerts and by that enable appropriate countermeasures to be undertaken as early as possible. With these goals in mind, this paper introduces ReRe, which is a Real-time Ready-to-go proactive Anomaly Detection algorithm for streaming time series. ReRe employs two lightweight Long Short-Term Memory (LSTM) models to predict and jointly determine whether or not an upcoming data point is anomalous based on short-term historical data points and two long-term self-adaptive thresholds. Experiments based on real-world time-series datasets demonstrate the good performance of ReRe in real-time anomaly detection without requiring human intervention or domain knowledge. Comment: 10 pages, 9 figures, COMPSAC 202

    Web server load prediction and anomaly detection from hypertext transfer protocol logs

    As network traffic increases and new intrusions occur, anomaly detection solutions based on machine learning are necessary to detect previously unknown intrusion patterns. Most of the developed models require a labelled dataset, which can be challenging owing to a shortage of publicly available datasets. These datasets are often too small to effectively train machine learning models, which further motivates the use of real unlabeled traffic. By using real traffic, it is possible to more accurately simulate the types of anomalies that might occur in a real-world network and improve the performance of the detection model. We present a method able to predict and categorize anomalies without the aid of a labelled dataset, demonstrating the model's usability while also gathering a dataset from real noisy network traffic. The proposed long short-term memory (LSTM) based intrusion detection system was tested in a real-world setting of an antivirus company and was successful in detecting various intrusions using 5-minute windowing over both the predicted and real update curves, thereby demonstrating its usefulness. Our contribution was the development of a robust model generally applicable to any hypertext transfer protocol (HTTP) traffic with almost real-time anomaly detection, while also outperforming earlier studies in terms of prediction accuracy.

    Deep Predictive Coding Neural Network for RF Anomaly Detection in Wireless Networks

    Intrusion detection has become one of the most critical tasks in a wireless network to prevent service outages that can take long to fix. The sheer variety of anomalous events necessitates adopting cognitive anomaly detection methods instead of the traditional signature-based detection techniques. This paper proposes an anomaly detection methodology for wireless systems that is based on monitoring and analyzing radio frequency (RF) spectrum activities. Our detection technique leverages an existing solution for the video prediction problem, and uses it on image sequences generated from monitoring the wireless spectrum. The deep predictive coding network is trained with images corresponding to the normal behavior of the system, and whenever there is an anomaly, its detection is triggered by the deviation between the actual and predicted behavior. For our analysis, we use the images generated from the time-frequency spectrograms and spectral correlation functions of the received RF signal. We test our technique on a dataset which contains anomalies such as jamming, chirping of transmitters, spectrum hijacking, and node failure, and evaluate its performance using standard classifier metrics: detection ratio, and false alarm rate. Simulation results demonstrate that the proposed methodology effectively detects many unforeseen anomalous events in real time. We discuss the applications, which encompass industrial IoT, autonomous vehicle control and mission-critical communications services. Comment: 7 pages, 7 figures, Communications Workshop ICC'1