4 research outputs found

    Intrusion detection using geometrical structure

    We propose a statistical model, Geometrical Structure Anomaly Detection (GSAD), to detect intrusions using the network packet payload. GSAD takes into account the correlations among the packet payload features arranged in a geometrical structure. The representation is based on statistical analysis of Mahalanobis distances among payload features, which measure the similarity of new data against a precomputed profile. It calculates a weight factor to determine anomaly in the payload. On the 1999 DARPA intrusion detection evaluation data set, we conduct several tests for limited attacks on port 80 and port 25. Our approach establishes and identifies the correlation among packet payloads in a network. © 2009 IEEE

    A Fuzzy-logic based Alert Prioritization Engine for IDSs: Architecture and Configuration

    Intrusion Detection Systems (IDSs) are designed to monitor a networked environment and generate alerts whenever abnormal activities are detected. The number of these alerts can be very large, making their evaluation by security analysts a difficult task. Management is further complicated by the need to configure the different components of alert evaluation systems. In addition, IDS alert management techniques, such as clustering and correlation, suffer from involving unrelated alerts in their processes and consequently produce results that are inaccurate and difficult to manage. Thus, tuning an IDS alert management system to provide optimal results remains a major challenge, which is further complicated by the large spectrum of potential attacks the system can be subject to. This thesis considers the specification and configuration issues of FuzMet, a novel IDS alert management system which employs several metrics and a fuzzy-logic based approach for scoring and prioritizing alerts. In addition, it features an alert rescoring technique that leads to a further reduction of the number of alerts. We study the impact of different configurations of the proposed metrics on the accuracy and completeness of the alert scores generated by FuzMet. Our approach is validated using the 2000 DARPA intrusion detection scenario-specific datasets, and comparative results between the Snort IDS alert scoring and the FuzMet alert prioritization scheme are presented. A considerable number of simulations were conducted in order to determine the optimal configuration of FuzMet, with selected simulation results presented and analyzed.

    Security Configuration Management in Intrusion Detection and Prevention Systems

    Intrusion Detection and/or Prevention Systems (IDPS) represent an important line of defense against a variety of attacks that can compromise the security and proper functioning of an enterprise information system. IDPSs can be network- or host-based and can collaborate in order to provide better detection of malicious traffic. Although several IDPS systems have been proposed, their appropriate configuration and control for effective detection/prevention of attacks and efficient resource consumption is still far from trivial. Another concern is the slowing down of system performance when maximum security is applied, hence the need to trade off between security enforcement levels and the performance and usability of an enterprise information system. In this dissertation, we present a security management framework for the configuration and control of the security enforcement mechanisms of an enterprise information system. The approach leverages the dynamic adaptation of security measures based on the assessment of system vulnerability and threat prediction, and provides several levels of attack containment. Furthermore, we study the impact of security enforcement levels on the performance and usability of an enterprise information system. In particular, we analyze the impact of an IDPS configuration on the resulting security of the network and on the network performance. We also analyze the performance of the IDPS for different configurations and under different traffic characteristics. The analysis can then be used to predict the impact of a given security configuration on network performance.

    Anomaly detection in computer networks

    Advisors: Leonardo de Souza Mendes, Mario Lemes Proença Junior. Thesis (doctorate) - Universidade Estadual de Campinas, Faculdade de Engenharia Elétrica e de Computação.
    Abstract (translated from the Portuguese): Anomalies in computer networks are sudden and pronounced deviations that occur in traffic as a consequence of various situations such as software defects, abusive use of network resources, equipment failures, configuration errors and attacks. This thesis proposes an anomaly detection system for computer networks based on three levels of analysis. The first level of analysis is responsible for comparing the data collected from an SNMP (Simple Network Management Protocol) object with the profile of normal network operations. The second level of analysis correlates the alarms generated at the first level using a dependency graph that represents the relationships between the monitored SNMP objects. The third level of analysis aggregates the second-level alarms using information about the network topology and generates a third-level alarm that reports the propagation of the anomaly through the network. Tests were carried out on the network of the Universidade Estadual de Londrina, using real situations. The results showed that the proposal achieved low false positive rates combined with high detection rates. In addition, the system was able to correlate alarms generated for different SNMP objects across the whole network, producing smaller sets of alarms that gave the network administrator a panoramic view of the problem.
    Abstract: Anomalies in computer networks are unexpected and significant deviations that occur in network traffic due to different situations such as software bugs, unfair resource usage, failures, misconfiguration and attacks. In this work, an anomaly detection system based on three levels of analysis is proposed. The first level of analysis is responsible for comparing the data collected from SNMP (Simple Network Management Protocol) objects with the profile of normal network behavior. The second level of analysis correlates the alarms generated by the first level of analysis by using a dependency graph, which represents the relationships between the SNMP objects. The third level of analysis correlates the second-level alarms by using network topology information and generates a third-level alarm that presents the anomaly propagation path through the network. Tests were performed in the State University of Londrina network, exploring real situations. Results showed that the proposal presents low false positive rates and high detection rates. Moreover, the proposed system is able to correlate alarms that were generated for SNMP objects at different places of the network, producing smaller sets of alarms that offer a wide view of the problem to the network administrator.
    Doctorate. Telecommunications and Telematics. Doctor of Electrical Engineering.