On the Detection of Cyber-Attacks in the Communication Network of IEC 61850 Electrical Substations

The availability of the data within the network communication remains one of the most critical requirement when compared to integrity and confidentiality. Several threats such as Denial of Service (DoS) or flooding attacks caused by Generic Object Oriented Substation Event (GOOSE) poisoning attacks, for instance, might hinder the availability of the communication within IEC 61850 substations. To tackle such threats, a novel method for the Early Detection of Attacks for the GOOSE Network Traffic (EDA4GNeT) is developed in the present work. Few of previously available intrusion detection systems take into account the specific features of IEC 61850 substations and offer a good trade-off between the detection performance and the detection time. Moreover, to the best of our knowledge, none of the existing works proposes an early anomaly detection method of GOOSE attacks in the network traffic of IEC 61850 substations that account for the specific characteristics of the network data in electrical substations. The EDA4GNeT method considers the dynamic behavior of network traffic in electrical substations. The mathematical modeling of the GOOSE network traffic first enables the development of the proposed method for anomaly detection. In addition, the developed model can also support the management of the network architecture in IEC 61850 substations based on appropriate performance studies. To test the novel anomaly detection method and compare the obtained results with available techniques, two use cases are used

O-ADPI: Online Adaptive Deep-Packet Inspector Using Mahalanobis Distance Map for Web Service Attacks Classification

Most active research in Host and Network Intrusion Detection Systems are only able to detect attacks of the computer systems and attacks at the network layer, which are not sufficient to counteract SOAP/REST or XML/JSON-related attacks. In dealing with the problem of anomaly detection in web service message datasets, this paper roposes an anomaly detection system called the Online Adaptive DeepPacket Inspector (O-ADPI) for web service message attacks classification. The proposed approach relies on multiple statistical methods which use Unigram-based Weighting Scheme (UWS) that combines text mining techniques with a set of different statistical criteria for Feature Selection Engine (FSE) to effectively and efficiently explore optimal subspaces in detecting anomalies embedded deep in the high dimensional feature subspaces. We utilize a supervised intrusion detection algorithm based on mahalanobis distance map classifier. As web service attacks can be classified into anomaly and normal, the task of anomaly detection can be modeled as a classification problem. The O-ADPI model was assessed for F-value, true positive rate (TPR), and false positive rate (FPR) in order to evaluate the detectionx performance of OADPI against different type of feature selections engines with corresponding PCs for each service messagespecific. The experiments were performed using the REST-IDS Dataset 2015 and the results demonstrated that the proposed O-ADPI model achieved the best results in each message-specific service

ATLANTIDES: An Architecture for Alert Verification in Network Intrusion Detection Systems

We present an architecture designed for alert verification (i.e., to reduce false positives) in network intrusion-detection systems. Our technique is based on a systematic (and automatic) anomaly-based analysis of the system output, which provides useful context information regarding the network services. The false positives raised by the NIDS analyzing the incoming traffic (which can be either signature- or anomaly-based) are reduced by correlating them with the output anomalies. We designed our architecture for TCP-based network services which have a client/server architecture (such as HTTP). Benchmarks show a substantial reduction of false positives between 50% and 100%

A survey of intrusion detection techniques in Cloud

Cloud computing provides scalable, virtualized on-demand services to the end users with greater flexibility and lesser infrastructural investment. These services are provided over the Internet using known networking protocols, standards and formats under the supervision of different managements. Existing bugs and vulnerabilities in underlying technologies and legacy protocols tend to open doors for intrusion. This paper, surveys different intrusions affecting availability, confidentiality and integrity of Cloud resources and services. It examines proposals incorporating Intrusion Detection Systems (IDS) in Cloud and discusses various types and techniques of IDS and Intrusion Prevention Systems (IPS), and recommends IDS/IPS positioning in Cloud architecture to achieve desired security in the next generation networks

ATLANTIDES: Automatic Configuration for Alert Verification in Network Intrusion Detection Systems

We present an architecture designed for alert verification (i.e., to reduce false positives) in network intrusion-detection systems. Our technique is based on a systematic (and automatic) anomaly-based analysis of the system output, which provides useful context information regarding the network services. The false positives raised by the NIDS analyzing the incoming traffic (which can be either signature- or anomaly-based) are reduced by correlating them with the output anomalies. We designed our architecture for TCP-based network services which have a client/server architecture (such as HTTP). Benchmarks show a substantial reduction of false positives between 50% and 100%

AI Solutions for MDS: Artificial Intelligence Techniques for Misuse Detection and Localisation in Telecommunication Environments

This report considers the application of Articial Intelligence (AI) techniques to the problem of misuse detection and misuse localisation within telecommunications environments. A broad survey of techniques is provided, that covers inter alia rule based systems, model-based systems, case based reasoning, pattern matching, clustering and feature extraction, articial neural networks, genetic algorithms, arti cial immune systems, agent based systems, data mining and a variety of hybrid approaches. The report then considers the central issue of event correlation, that is at the heart of many misuse detection and localisation systems. The notion of being able to infer misuse by the correlation of individual temporally distributed events within a multiple data stream environment is explored, and a range of techniques, covering model based approaches, `programmed' AI and machine learning paradigms. It is found that, in general, correlation is best achieved via rule based approaches, but that these suffer from a number of drawbacks, such as the difculty of developing and maintaining an appropriate knowledge base, and the lack of ability to generalise from known misuses to new unseen misuses. Two distinct approaches are evident. One attempts to encode knowledge of known misuses, typically within rules, and use this to screen events. This approach cannot generally detect misuses for which it has not been programmed, i.e. it is prone to issuing false negatives. The other attempts to `learn' the features of event patterns that constitute normal behaviour, and, by observing patterns that do not match expected behaviour, detect when a misuse has occurred. This approach is prone to issuing false positives, i.e. inferring misuse from innocent patterns of behaviour that the system was not trained to recognise. Contemporary approaches are seen to favour hybridisation, often combining detection or localisation mechanisms for both abnormal and normal behaviour, the former to capture known cases of misuse, the latter to capture unknown cases. In some systems, these mechanisms even work together to update each other to increase detection rates and lower false positive rates. It is concluded that hybridisation offers the most promising future direction, but that a rule or state based component is likely to remain, being the most natural approach to the correlation of complex events. The challenge, then, is to mitigate the weaknesses of canonical programmed systems such that learning, generalisation and adaptation are more readily facilitated

Intrusion Detection Systems for Community Wireless Mesh Networks

Wireless mesh networks are being increasingly used to provide affordable network connectivity to communities where wired deployment strategies are either not possible or are prohibitively expensive. Unfortunately, computer networks (including mesh networks) are frequently being exploited by increasingly profit-driven and insidious attackers, which can affect their utility for legitimate use. In response to this, a number of countermeasures have been developed, including intrusion detection systems that aim to detect anomalous behaviour caused by attacks. We present a set of socio-technical challenges associated with developing an intrusion detection system for a community wireless mesh network. The attack space on a mesh network is particularly large; we motivate the need for and describe the challenges of adopting an asset-driven approach to managing this space. Finally, we present an initial design of a modular architecture for intrusion detection, highlighting how it addresses the identified challenges