Intrusion detection using geometrical structure

We propose a statistical model, namely Geometrical Structure Anomaly Detection (GSAD) to detect intrusion using the packet payload in the network. GSAD takes into account the correlations among the packet payload features arranged in a geometrical structure. The representation is based on statistical analysis of Mahalanobis distances among payload features, which calculate the similarity of new data against precomputed profile. It calculates weight factor to determine anomaly in the payload. In the 1999 DARPA intrusion detection evaluation data set, we conduct several tests for limited attacks on port 80 and port 25. Our approach establishes and identifies the correlation among packet payloads in a network. © 2009 IEEE

An Immune Inspired Approach to Anomaly Detection

The immune system provides a rich metaphor for computer security: anomaly detection that works in nature should work for machines. However, early artificial immune system approaches for computer security had only limited success. Arguably, this was due to these artificial systems being based on too simplistic a view of the immune system. We present here a second generation artificial immune system for process anomaly detection. It improves on earlier systems by having different artificial cell types that process information. Following detailed information about how to build such second generation systems, we find that communication between cells types is key to performance. Through realistic testing and validation we show that second generation artificial immune systems are capable of anomaly detection beyond generic system policies. The paper concludes with a discussion and outline of the next steps in this exciting area of computer security.Comment: 19 pages, 4 tables, 2 figures, Handbook of Research on Information Security and Assuranc

Statistical methods used for intrusion detection

Thesis (Master)--Izmir Institute of Technology, Computer Engineering, Izmir, 2006Includes bibliographical references (leaves: 58-64)Text in English; Abstract: Turkish and Englishx, 71 leavesComputer networks are being attacked everyday. Intrusion detection systems are used to detect and reduce effects of these attacks. Signature based intrusion detection systems can only identify known attacks and are ineffective against novel and unknown attacks. Intrusion detection using anomaly detection aims to detect unknown attacks and there exist algorithms developed for this goal. In this study, performance of five anomaly detection algorithms and a signature based intrusion detection system is demonstrated on synthetic and real data sets. A portion of attacks are detected using Snort and SPADE algorithms. PHAD and other algorithms could not detect considerable portion of the attacks in tests due to lack of sufficiently long enough training data

Distributed Detection of DDoS Attacks During the Intermediate Phase Through Mobile Agents

A Distributed Denial of Service attack is a large-scale, coordinated attack on the availability of services of a victim system, launched indirectly through many compromised computers on the Internet. Intrusion detection systems are network security tools that process local audit data or monitor network traffic to search for specific patterns or certain deviations from expected behavior, which indicate malicious activities against the protected network. In this study, we propose distributed intrusion detection methods to detect Distributed Denial of Service attacks in a special dataset and test these methods in a simulated-real time environment, in which the mobile agents are synchronized with the timestamp stated in the dataset. All of our methods use the alarms generated by SNORT, a signature-based network intrusion detection system. We use mobile agents in our methods on the Jade platform in order to reduce network bandwidth usage and to decrease the dependency on the central unit for a higher reliability. The methods are compared based on reliability, network load and mean detection time values

Online Adaboost-based parameterized methods for dynamic distributed network intrusion detection

Current network intrusion detection systems lack adaptability to the frequently changing network environments. Furthermore, intrusion detection in the new distributed archi- tectures is now a major requirement. In this paper, we propose two online Adaboost-based intrusion detection algorithms. In the first algorithm, a traditional online Adaboost process is used where decision stumps are used as weak classifiers. In the second algorithm, an improved online Adaboost process is proposed, and online Gaussian mixture models (GMMs) are used as weak classifiers. We further propose a distributed intrusion detection framework, in which a local parameterized detection model is constructed in each node using the online Adaboost algorithm. A global detection model is constructed in each node by combining the local parametric models using a small number of samples in the node. This combination is achieved using an algorithm based on particle swarm optimization (PSO) and support vector ma- chines. The global model in each node is used to detect intrusions. Experimental results show that the improved online Adaboost process with GMMs obtains a higher detection rate and a lower false alarm rate than the traditional online Adaboost process that uses decision stumps. Both the algorithms outperform existing intrusion detection algorithms. It is also shown that our PSO, and SVM-based algorithm effectively combines the local detection models into the global model in each node; the global model in a node can handle the intrusion types that are found in other nodes, without sharing the samples of these intrusion types

Network Attack Detection using an Unsupervised Machine Learning Algorithm

With the increase in network connectivity in today\u27s web-enabled environments, there is an escalation in cyber-related crimes. This increase in illicit activity prompts organizations to address network security risk issues by attempting to detect malicious activity. This research investigates the application of a MeanShift algorithm to detect an attack on a network. The algorithm is validated against the KDD 99 dataset and presents an accuracy of 81.2% and detection rate of 79.1%. The contribution of this research is two-fold. First, it provides an initial application of a MeanShift algorithm on a network traffic dataset to detect an attack. Second, it provides the foundation for future research involving the application of MeanShift algorithm in the area of network attack detection

Performance Metrics for Network Intrusion Systems

Intrusion systems have been the subject of considerable research during the past 33 years, since the original work of Anderson. Much has been published attempting to improve their performance using advanced data processing techniques including neural nets, statistical pattern recognition and genetic algorithms. Whilst some significant improvements have been achieved they are often the result of assumptions that are difficult to justify and comparing performance between different research groups is difficult. The thesis develops a new approach to defining performance focussed on comparing intrusion systems and technologies. A new taxonomy is proposed in which the type of output and the data scale over which an intrusion system operates is used for classification. The inconsistencies and inadequacies of existing definitions of detection are examined and five new intrusion levels are proposed from analogy with other detection-based technologies. These levels are known as detection, recognition, identification, confirmation and prosecution, each representing an increase in the information output from, and functionality of, the intrusion system. These levels are contrasted over four physical data scales, from application/host through to enterprise networks, introducing and developing the concept of a footprint as a pictorial representation of the scope of an intrusion system. An intrusion is now defined as “an activity that leads to the violation of the security policy of a computer system”. Five different intrusion technologies are illustrated using the footprint with current challenges also shown to stimulate further research. Integrity in the presence of mixed trust data streams at the highest intrusion level is identified as particularly challenging. Two metrics new to intrusion systems are defined to quantify performance and further aid comparison. Sensitivity is introduced to define basic detectability of an attack in terms of a single parameter, rather than the usual four currently in use. Selectivity is used to describe the ability of an intrusion system to discriminate between attack types. These metrics are quantified experimentally for network intrusion using the DARPA 1999 dataset and SNORT. Only nine of the 58 attack types present were detected with sensitivities in excess of 12dB indicating that detection performance of the attack types present in this dataset remains a challenge. The measured selectivity was also poor indicting that only three of the attack types could be confidently distinguished. The highest value of selectivity was 3.52, significantly lower than the theoretical limit of 5.83 for the evaluated system. Options for improving selectivity and sensitivity through additional measurements are examined.Stochastic Systems Lt