    Computational-Intelligence Models for Visualization-based Intrusion Detection Systems.

    Intrusion Detection Systems (IDS’s) are essential components in a network communication infrastructure, as they enforce security by monitoring traffic and detecting malicious activities. In this research, Computational Intelligence models support an IDS technology to obtain a synthetic, effective visualization of the traffic analysis. Auto-Associative Back-Propagation (AABP) neural networks map feature vectors extracted from traffic sources into a compact representation on a 2-D display. During training, the neural network learns to compress the data in an unsupervised fashion; at run time, the trained neural component synthesizes an effective, 2-D representation of the traffic situation. Empirical tests involving Simple Network Management Protocol (SNMP) traffic proved the validity of the approach.

    Auto-Associative Neural Techniques for Intrusion Detection Systems

    Intrusion detection systems (IDS's) ensure the security of computer networks by monitoring traffic and generating alerts, or taking actions, when suspicious activities are detected. This paper proposes a network-based IDS supporting an intuitive visualization of the time evolution of network traffic. The system is designed to assist the network manager in detecting anomalies, and exploits auto-associative back-propagation (AABP) neural networks to turn raw data extracted from traffic sources into an intuitive 2D representation. The neural component operates as a sort of smart compression operator and supports a compact representation of multi-dimensional data. The empirical verification of the mapping method involved the detection of anomalies in traffic ascribed to the Simple Network Management Protocol (SNMP), and confirmed the validity of the proposed approach.

    Development of a Network Monitoring System for Ship's Network Security Using SNMP

    Nowadays, unauthorized access to, or malicious attacks on, a ship's onboard systems, whether originating internally or externally, can threaten the safe operation of the ship's network. In line with the IEC (International Electrotechnical Commission) 61162-460 network standard, a secure 460-Network is designed for the safety and security of shipboard networks, and a network monitoring software application is developed for monitoring the 460-Network. To secure the ship's network, this thesis designs and implements a ship security network using a 460-Switch, 460-Nodes and a 460-Gateway, which contains firewalls and a DMZ (Demilitarized Zone) hosting various security application servers, in compliance with IEC 61162-460. The 460-Firewall is used to permit or deny traffic to and from unauthorized networks. 460-NMS (Network Monitoring System) is a network monitoring software application developed with the SNMP (Simple Network Management Protocol) SharpNet library on the .NET 4.5 framework, with a backend SQLite database used to manage the network information. 460-NMS configures the 460-Switch and communicates via SNMP, SNMP Trap and Syslog to gather the network information and the status of each 460-Switch interface. 460-NMS analyzes and monitors the 460-Network load, traffic flow, current system status and network failures, and detects unknown device connections. It notifies the system administrator via alarms, notifications or warnings if any network problem occurs. The performance of the designed 460-Network against the requirements of the IEC 61162-460 standard was confirmed in two stages. First, a laboratory was set up as a dedicated network with a Cisco 460-Switch, a 460-Gateway, a Fortigate 460-Firewall and lab computers; these network devices are isolated from external networks such as the Internet. The 460-NMS was connected to the configured laboratory network to analyze and monitor network traffic flow, load and device connections using SNMP.
    Second, 460-NMS was tested in a company's network. This is a very complex network environment, which includes IEC 61162-460, IEC 61162-450, IEC 61162-3 (NMEA 2000) and IEC 61162-1/-2 (NMEA 0183) data networks with a 450-Gateway, a Gateway 450 to 0183, a Gateway N2K to 0183 and a Gateway 0183 to N2K, and which is isolated from unauthorized networks. Finally, after testing, it is confirmed that the 460-NMS analyzes and monitors the whole 460-Network and notifies and warns of abnormal status of the 460-Network as required by the IEC 61162-460 international standard.

    Table of contents:
    Abstract
    1. Introduction
        1.1 Motivation
        1.2 Study idea
    2. International standards of ship network
        2.1 Overview
        2.2 Ship's data network
        2.3 IEC 61162-1, IEC 61162-2, NMEA 0183
        2.4 IEC 61162-3, NMEA 2000
            2.4.1 CAN
            2.4.2 NMEA 2000 messages
        2.5 IEC 61162-450
            2.5.1 Function blocks
            2.5.2 IEC 61162-450 message
            2.5.3 IEC 61162-1 sentence
        2.6 IEC 61162-460
            2.6.1 Objectives
            2.6.2 Scope
    3. 460-Network requirements
        3.1 Overview
            3.1.1 Network components
        3.2 460-Network traffic management requirements
            3.2.1 460-Node requirements
            3.2.2 460-Switch requirements
        3.3 Security requirements
            3.3.1 Threat scenarios
            3.3.2 Internal network security requirements
            3.3.3 Uncontrolled network security requirements
        3.4 460-Gateway requirements
        3.5 IEC 61162 460-NMS requirements
            3.5.1 460-Node
            3.5.2 460-Switch
            3.5.3 Network load-monitoring requirements
            3.5.4 Syslog recording function requirements
            3.5.5 SNMP requirements
    4. 460-Gateway design and SNMP
        4.1 SNMP
            4.1.1 SNMP components
            4.1.2 SNMP versions
            4.1.3 MIB
            4.1.4 Syslog
        4.2 Cisco switch
            4.2.1 Initial configuration for the switch
            4.2.2 IP configuration
            4.2.3 SNMP configuration
            4.2.4 Syslog configuration
        4.3 IEC 61162-460-Gateway design and 460-Network configuration
    5. Design of a 460-NMS
        5.1 460-NMS architecture
        5.2 460-NMS design and tools
            5.2.1 Application interface
            5.2.2 Database
            5.2.3 Backend development
        5.3 Entity-relationship diagram (ERD) model of 460-NMS
        5.4 Traffic flow information lists of 460-NMS
        5.5 SNMP MIB data parsing
            5.5.1 SNMP message parsing
            5.5.2 SNMP Trap
            5.5.3 Syslog parsing
    6. Implementation and testing of 460-NMS
        6.1 460-NMS interface
            6.1.1 Login wizard
            6.1.2 Main form
        6.2 460-NMS testing
            6.2.1 Lab test
        6.3 Real network test
    7. Conclusion
    References
    Appendix
        1. Information list of 460-NMS database
        2. Syslog message
        3. SNMP versions
        4. SNMP message

    Why (and How) Networks Should Run Themselves

    The proliferation of networked devices, systems, and applications that we depend on every day makes managing networks more important than ever. The increasing security, availability, and performance demands of these applications suggest that these increasingly difficult network management problems be solved in real time, across a complex web of interacting protocols and systems. Alas, just as the importance of network management has increased, the network has grown so complex that it is seemingly unmanageable. In this new era, network management requires a fundamentally new approach. Instead of optimizations based on closed-form analysis of individual protocols, network operators need data-driven, machine-learning-based models of end-to-end and application performance based on high-level policy goals and a holistic view of the underlying components. Instead of anomaly detection algorithms that operate on offline analysis of network traces, operators need classification and detection algorithms that can make real-time, closed-loop decisions. Networks should learn to drive themselves. This paper explores this concept, discussing how we might attain this ambitious goal by more closely coupling measurement with real-time control and by relying on learning for inference and prediction about a networked application or system, as opposed to closed-form analysis of individual protocols.