Probabilistic Models for Anomaly Detection Based on Usage of Network Traffic

Recent advances in intrusions and attacks reflect vulnerabilities in computer networks. Innovative methods and tools can help attack defenses, prevent attack propagations, detect and respond to such attacks in a timely manner. Intrusion detection and prevention systems search for unauthorized use, recognize anomalous behavior, and prevent attempts to deny services.  These systems gather and analyze information from the network, identify possible breaches of the security profile, as well as misuses. We have been experimenting with methods for introducing important concepts related to intrusion detection and improving undergraduate research experiences and education. To achieve this goal, probabilistic models are introduced to students in computer, information system and network security courses. This article presents a set of probabilistic methods and statistical models for network traffic anomaly detection. It also describes some prospects and how models have ripened from theories to big data analysis applications. Keywords: Intrusion, conditional probability, network system, regression, data analysi

Autoencoder-Based Representation Learning to Predict Anomalies in Computer Networks

With the recent advances in Internet-of-thing devices (IoT), cloud-based services, and diversity in the network data, there has been a growing need for sophisticated anomaly detection algorithms within the network intrusion detection system (NIDS) that can tackle advanced network threats. Advances in Deep and Machine learning (ML) has been garnering considerable interest among researchers since it has the capacity to provide a solution to advanced threats such as the zero-day attack. An Intrusion Detection System (IDS) is the first line of defense against network-based attacks compared to other traditional technologies, such as firewall systems. This report adds to the existing approaches by proposing a novel strategy to incorporate both supervised and unsupervised learning to Intrusion Detection Systems (IDS). Specifically, the study will utilize deep Autoencoder (DAE) as a dimensionality reduction tool and Support Vector Machine (SVM) as a classifier to perform anomaly-based classification. The study diverts from other similar studies by performing a thorough analysis of using deep autoencoders as a valid non-linear dimensionality tool by comparing it against Principal Component Analysis (PCA) and tuning hyperparameters that optimizes for \u27F-1 Micro\u27 score and \u27Balanced Accuracy\u27 since we are dealing with a dataset with imbalanced classes. The study employs robust analysis tools such as Precision-Recall Curves, Average-Precision score, Train-Test Times, t-SNE, Grid Search, and L1/L2 regularization. Our model will be trained and tested on a publicly available datasets KDDTrain+ and KDDTest+

Intrusion Tolerance: Concepts and Design Principles. A Tutorial

In traditional dependability, fault tolerance has been the workhorse of the many solutions published over the years. Classical security-related work has on the other hand privileged, with few exceptions, intrusion prevention, or intrusion detection without systematic forms of processing the intrusion symptoms. A new approach has slowly emerged during the past decade, and gained impressive momentum recently: intrusion tolerance. The purpose of this tutorial is to explain the underlying concepts and design principles. The tutorial reviews previous results under the light of intrusion tolerance (IT), introduces the fundamental ideas behind IT, and presents recent advances of the state-of-the-art, coming from European and US research efforts devoted to IT. The program of the tutorial will address: a review of the dependability and security background; introduction of the fundamental concepts of intrusion tolerance (IT); intrusion-aware fault models; intrusion prevention; intrusion detection; IT strategies and mechanisms; design methodologies for IT systems; examples of IT systems and protocol

Improving network intrusion detection by means of domain-aware genetic programming

Proceeding of: International Conference on Availability, Reliability, and Security, 2010. ARES '10, 15-18 February 2010, Krakow, PolandOne of the central areas in network intrusion detection is how to build effective systems that are able to distinguish normal from intrusive traffic. In this paper we explore the use of Genetic Programming (GP) for such a purpose. Although GP has already been studied for this task, the inner features of network intrusion detection have been systematically ignored. To avoid the blind use of GP shown in previous research, we guide the search by means of a fitness function based on recent advances on IDS evaluation. For the experimental work we use a well-known dataset (i.e. KDD- 99) that has become a standard to compare research although its drawbacks. Results clearly show that an intelligent use of GP achieves systems that are comparable (and even better in realistic conditions) to top state-of-the-art proposals in terms of effectiveness, improving them in efficiency and simplicity.This work was partially supported by CDTI, Ministerio de Industria, Turismo y Comercio of Spain in collaboration with Telefónica I+D, Project SEGUR@ CENIT-2007 2004Publicad

DCDIDP: A Distributed, Collaborative, and Data-driven IDP Framework for the Cloud

Recent advances in distributed computing, grid computing, virtualization mechanisms, and utility computing led into Cloud Computing as one of the industry buzz words of our decade. As the popularity of the services provided in the cloud environment grows exponentially, the exploitation of possible vulnerabilities grows with the same pace. Intrusion Detection and Prevention Systems (IDPSs) are one of the most popular tools among the front line fundamental tools to defend the computation and communication infrastructures from the intruders. In this poster, we propose a distributed, collaborative, and data-driven IDP (DCDIDP) framework for cloud computing environments. Both cloud providers and cloud customers will benefit significantly from DCDIDP that dynamically evolves and gradually mobilizes the resources in the cloud as suspicion about attacks increases. Such system will provide homogeneous IDPS for all the cloud providers that collaborate distributively. It will respond to the attacks, by collaborating with other peers and in a distributed manner, as near as possible to attack sources and at different levels of operations (e.g. network, host, VM). We present the DCDIDP framework and explain its components. However, further explanation is part of our ongoing work

A Systematic and Comprehensive Survey of Recent Advances in Intrusion Detection Systems Using Machine Learning: Deep Learning, Datasets, and Attack Taxonomy

Recently, intrusion detection systems (IDS) have become an essential part of most organisations’ security architecture due to the rise in frequency and severity of network attacks. To identify a security breach, the target machine or network must be watched and analysed for signs of an intrusion. It is defined as efforts to compromise the confidentiality, integrity, or availability of a computer or network or to circumvent its security mechanisms. Several IDS have been proposed in the literature to efficiently detect such attempts exploiting different characteristics of cyberattacks. These systems can provide with timely sensing the network intrusions and, subsequently, notifying the manager or the responsible person in an organisation. Important actions are then carried out to reduce the degree of damage caused by the intrusion. Organisations use such techniques to defend their systems from the network disconnectivity and increase reliance on the information systems by employing intrusion detection. This paper presents a detailed summary of recent advances in IDS from the literature. Nevertheless, a review of future research directions for detecting malicious operations and launching different attacks on systems is discussed and highlighted. Furthermore, this study presents detailed description of well-known publicly available datasets and a variety of strategies developed for dealing with intrusions