
    Experiments on Adaptive Techniques for Host-Based Intrusion Detection

    This research explores four experiments with adaptive host-based intrusion detection (ID) techniques, in an attempt to develop systems that can detect novel exploits. The technique considered to have the most potential is adaptive critic designs (ACDs), because their use of reinforcement learning allows them to learn exploits that are difficult to pinpoint in sensor data. Preliminary ID results using an ACD, an Elman recurrent neural network, and a statistical anomaly detection technique demonstrate an ability to learn to distinguish between clean and exploit data. We used the Solaris Basic Security Module (BSM) as a data source and performed considerable preprocessing on the raw audit data. A detection approach called generalized signature-based ID is recommended as a middle ground between signature-based ID, which cannot detect novel exploits, and anomaly detection, which flags too many events, including events that are not exploits. The primary results of the ID experiments demonstrate the use of custom data for generalized signature-based intrusion detection and the ability of neural-network-based systems to learn in this application environment.

    Enhancing the Efficiency of Attack Detection System Using Feature selection and Feature Discretization Methods

    Intrusion detection technologies built on machine learning have grown in popularity in recent years. The variety of new security attacks keeps increasing, necessitating the development of effective and intelligent countermeasures. Existing intrusion detection systems (IDS) use signature-based or anomaly-based detection combined with machine learning algorithms to detect malicious activity. Signature-based detection relies only on signatures that have been pre-programmed into the system: it detects known attacks and cannot detect new or unusual activity. Anomaly-based detection built on a supervised machine learning algorithm likewise detects only known threats, since it can learn only the classes present in its labelled training data. To address this issue, the proposed model employs an unsupervised machine learning approach to detect attacks. It combines Subspace Clustering with a One-Class Support Vector Machine and uses feature selection methods such as Chi-square, together with feature discretization methods such as Equal Width Discretization, to identify both known and previously unseen attacks. In the experiments, the proposed model outperforms several existing systems in detection rate and accuracy while reducing computational time.

    Comparative study between signature-based and anomaly-based network intrusion detection system (SBNIDS and ABNIDS)

    The rise in the number of network intrusions is related to the growth and importance of the Internet in our daily lives. In order to protect an organization's information and data, an Intrusion Detection System (IDS) plays an important role in network security. Signature-based intrusion detection focuses on matching the signature of incoming traffic against signatures already stored in a database; it generates an alert if the signature of an incoming packet matches one in the database. Signature-based detection is vulnerable to newly emerging attacks, because their signatures are not yet stored in the database, which leaves this technique with a false negative problem. Anomaly-based detection, on the other hand, is a behavioural technique that detects abnormal behaviour in computer systems and networks: a deviation of packets from normal behaviour is considered an attack. This leaves the technique with a false positive problem. In this proposed project we make a comparative study of signature-based and anomaly-based IDS in order to select suitable comparison parameters between the two approaches to network intrusion detection, to evaluate suitable software/systems for deploying signature-based and anomaly-based detection, and to conduct an experimental study of the differences between the approaches on the selected parameters. The project provides a comparative analysis of SBNIDS and ABNIDS after an evaluation study using the DARPA dataset, so that a suitable technique can be selected on performance, efficiency with respect to data size, and non-functional parameters such as CPU and memory usage. The results indicated that ABNIDS performs better than SBNIDS, a conclusion based on the evaluated parameters.

    Performance Study of the Running Times of well known Pattern Matching Algorithms for Signature-based Intrusion Detection Systems

    An intrusion detection system (IDS) is a basic component of any network defense scheme. Signature-based intrusion detection techniques are widely used in networks for fast response in detecting threats. One of the main challenges faced by a signature-based IDS is that every signature requires an entry in the database, so a complete database may contain hundreds or even thousands of entries, and each packet has to be compared against all of them. This is highly resource-consuming: it slows down throughput and leaves the IDS itself vulnerable. Since pattern matching dominates the overall performance of a signature-based IDS, efficient pattern matching algorithms should be used that need minimal storage and minimize search response time. In this paper we present a performance study of the running times of several well-known pattern matching algorithms using a multiple-sliding-windows approach. DOI: 10.17762/ijritcc2321-8169.150613
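    The cost the abstract describes, comparing every packet against every signature in the database, and what a single multi-pattern pass buys instead, as an added Python example that is not code from the paper above. The signature database, its labels and the packets are constructed for illustration, and a naive one-pattern-at-a-time scanner next to an Aho-Corasick automaton stand in for the algorithms the paper benchmarks; both report how much work they did so the two can be compared on the same payload.

```python
from collections import deque

# Constructed signature database: byte patterns to look for in packet payloads.
# The labels are illustrative and are not real IDS rule names.
SIGNATURES = {
    b"/etc/passwd": "path-traversal-read",
    b"cmd.exe": "windows-command-shell",
    b"UNION SELECT": "sql-injection",
    b"\x90\x90\x90\x90": "nop-sled",
}

# Constructed packets (payload bytes only); packets 1 and 2 contain a signature.
PACKETS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"POST /login HTTP/1.1\r\n\r\nuser=a' UNION SELECT 1,2 --",
]


def naive_scan(data, patterns):
    """One-pattern-at-a-time matching: every signature is slid over the whole
    payload, so the cost grows with (number of signatures x payload length)."""
    hits, comparisons = [], 0
    for pat, label in patterns.items():
        for i in range(len(data) - len(pat) + 1):
            comparisons += 1
            if data[i:i + len(pat)] == pat:
                hits.append((i, label))
    return sorted(hits), comparisons


class AhoCorasick:
    """Multi-pattern automaton: one left-to-right pass over the payload finds
    every signature, with at most two automaton steps per input byte."""

    def __init__(self, patterns):
        self.goto = [{}]   # node -> {byte: next node}
        self.fail = [0]    # node -> longest proper suffix that is also a prefix
        self.out = [[]]    # node -> [(pattern, label)] ending at this node
        for pat, label in patterns.items():
            self._insert(pat, label)
        self._build_failure_links()

    def _insert(self, pat, label):
        node = 0
        for b in pat:
            if b not in self.goto[node]:
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[node][b] = len(self.goto) - 1
            node = self.goto[node][b]
        self.out[node].append((pat, label))

    def _build_failure_links(self):
        queue = deque(self.goto[0].values())  # depth-1 nodes fail to the root
        while queue:                          # breadth-first, so fail targets are ready
            cur = queue.popleft()
            for b, nxt in self.goto[cur].items():
                f = self.fail[cur]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(b, 0)
                # Patterns that end at the fail node are suffixes ending here too.
                self.out[nxt] = self.out[nxt] + self.out[self.fail[nxt]]
                queue.append(nxt)

    def scan(self, data):
        """Return (sorted [(offset, label)], automaton_steps) for one payload."""
        node, hits, steps = 0, [], 0
        for i, b in enumerate(data):
            while node and b not in self.goto[node]:
                node = self.fail[node]
                steps += 1
            node = self.goto[node].get(b, 0)
            steps += 1
            for pat, label in self.out[node]:
                hits.append((i - len(pat) + 1, label))
        return sorted(hits), steps


AC = AhoCorasick(SIGNATURES)


def detect(packets):
    """Signature hits across a packet stream as (packet_index, offset, label)."""
    findings = []
    for idx, pkt in enumerate(packets):
        hits, _ = AC.scan(pkt)
        findings.extend((idx, off, label) for off, label in hits)
    return findings


def cost(payload):
    """(naive byte comparisons, automaton steps) for scanning one payload."""
    return naive_scan(payload, SIGNATURES)[1], AC.scan(payload)[1]


if __name__ == "__main__":
    for idx, off, label in detect(PACKETS):
        print(f"packet {idx} offset {off}: {label}")
    for pkt in PACKETS:
        print("naive comparisons vs automaton steps:", cost(pkt))
```

    The automaton's work stays below twice the payload length no matter how many signatures are loaded, whereas the naive scanner's comparisons grow with every entry added to the database; that difference is what makes the choice of matching algorithm the dominant performance factor the abstract points to.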

    A Temporal Logic Based Approach to Multi-Agent Intrusion Detection and Prevention

    Collaborative systems research in the last decade has led to developments in several areas, ranging from social computing and e-learning systems to the management of complex computer networks. The Intrusion Detection Systems (IDS) available today have a number of problems that limit their configurability, scalability or efficiency. An important shortcoming is that existing architectures are built around a single entity that does most of the data collection and analysis. This work introduces a new architecture for intrusion detection and prevention based on multiple autonomous agents working collectively. We adopt a temporal logic approach to signature-based intrusion detection: intrusion patterns are specified as formulas in a monitorable logic called EAGLE, and logics of knowledge are incorporated into the agents. We implement a prototype tool, called MIDTL, and use it to detect a variety of security attacks in large log files provided by DARPA.
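    An added Python example, not the MIDTL tool and not EAGLE itself, of what a monitorable temporal signature over a log stream amounts to in practice: the past-time pattern "a successful login preceded by at least N failed logins from the same host within W seconds", evaluated event by event with only a small per-host state, the way a monitor rather than a batch query would. The log format, hosts and thresholds are constructed assumptions for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed authentication log (not DARPA data); epoch timestamps in seconds.
LOG = """\
1700000000 auth host=10.0.0.5 user=alice result=fail
1700000005 auth host=10.0.0.5 user=alice result=fail
1700000009 auth host=10.0.0.5 user=alice result=fail
1700000020 auth host=10.0.0.5 user=alice result=success
1700000030 auth host=10.0.0.7 user=bob result=fail
1700000100 auth host=10.0.0.7 user=bob result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) auth host=(?P<host>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)


def parse_event(line):
    """Turn one log line into an event dict, or None for lines the monitor ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = int(ev["ts"])
    return ev


class BruteForceMonitor:
    """Online monitor for the past-time pattern

        success(h)  AND  (number of fail(h) events in the previous `window`
                          seconds) >= n_fails

    evaluated for every host h as each event arrives. The deque of recent
    failure timestamps per host is the monitor's entire state, so the log never
    has to be replayed."""

    def __init__(self, n_fails=3, window=60):
        self.n_fails = n_fails
        self.window = window
        self.recent_fails = defaultdict(deque)  # host -> timestamps of recent failures

    def step(self, ev):
        """Consume one event; return an alert dict when the pattern is satisfied."""
        fails = self.recent_fails[ev["host"]]
        # Expire failures outside the window (the "within `window` seconds" part).
        while fails and ev["ts"] - fails[0] > self.window:
            fails.popleft()
        if ev["result"] == "fail":
            fails.append(ev["ts"])
        elif ev["result"] == "success" and len(fails) >= self.n_fails:
            alert = {"host": ev["host"], "user": ev["user"],
                     "ts": ev["ts"], "fails": len(fails)}
            fails.clear()  # do not alert twice on the same burst of failures
            return alert
        return None


def run_monitor(log_text, **kwargs):
    """Feed every parsable line to a fresh monitor and collect its alerts."""
    monitor = BruteForceMonitor(**kwargs)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is not None:
            alert = monitor.step(ev)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_monitor(LOG):
        print("ALERT failed logins followed by success:", a)
```

    Because the state is per host, several such monitors can run on different agents over disjoint parts of the log and only the alerts need to be shared, which is the kind of decentralised collection and analysis the abstract argues for; the one pattern shown here is a stand-in for the richer formulas a logic such as EAGLE can express.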

    Analyze Different approaches for IDS using KDD 99 Data Set

    Preserving the integrity, confidentiality, and availability of networked systems is a challenging problem, and so is intrusion detection. An Intrusion Detection System (IDS) is an essential component of any network that is to be secured. Intrusion detection is the process of monitoring and analyzing the events occurring in a computer system in order to detect signs of security problems; it includes identifying sets of malicious actions that compromise information resources. Traditional methods for intrusion detection are based on extensive knowledge of the signatures of known attacks. In the last three years the networking revolution has finally come of age; more than ever before, the Internet is changing computing as we know it. The possibilities and opportunities are limitless, but unfortunately so are the risks and chances of malicious intrusion. There are two primary methods of monitoring: signature-based and anomaly-based. This paper analyzes different IDS approaches on the KDD 99 data set; some of them are supervised methods and some unsupervised.

    Machine Learning Applications in Misuse and Anomaly Detection

    Machine learning and data mining algorithms play important roles in designing intrusion detection systems. Based on their approach to detecting attacks in a network, intrusion detection systems can be broadly categorized into two types. In misuse detection systems, an attack is detected whenever the sequence of activities in the network matches a known attack signature. In the anomaly detection approach, on the other hand, anomalous states in a system are identified by a significant difference between the system's state transitions and its normal states. This chapter presents a comprehensive discussion of some existing intrusion detection schemes based on misuse detection, anomaly detection and hybrid approaches. Some future directions of research in the design of intrusion detection algorithms are also identified.

    Application of a Layered Hidden Markov Model in the Detection of Network Attacks

    Network-based attacks against computer systems are a common and increasing problem. Attackers continue to increase the sophistication and complexity of their attacks with the goal of exfiltrating sensitive data or disrupting operations. Attack detection technology works very well for known attacks using a signature-based intrusion detection system. However, attackers can use attacks that are undetectable to those signature-based systems, whether they are truly new attacks or modified versions of known ones. Anomaly-based intrusion detection systems approach attack detection by detecting when traffic differs from a learned baseline. This research focused on a relatively new area known as payload anomaly detection, in which the system looks exclusively at the payload of packets and learns the normal contents of those payloads. When a payload's contents differ from the norm, an anomaly is detected and may be a potential attack. A risk with anomaly-based detection mechanisms is that they suffer from high false positive rates, which reduce their effectiveness. This research built upon previous work in payload anomaly detection by combining multiple detection techniques in a layered approach. The layers of the system were a high-level navigation layer, a request payload analysis layer, and a request-response analysis layer. The system was tested using the test data provided by some earlier payload anomaly detection systems as well as new data sets. The results of the experiments showed that combining these layers of detection into a single system gave higher detection rates and lower false positive rates.
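    An added Python example of one payload-analysis layer of the kind the abstract describes; it is not the thesis's system. It learns the byte-frequency histogram of normal HTTP request payloads, scores a new payload by the L1 distance between its histogram and the learned mean, and sets the alert threshold from the training data itself, which is where the false positive rate is traded against detection. The training requests, the benign and NOP-sled probes and the margin factor are constructed assumptions.

```python
from collections import Counter

# Constructed normal HTTP request payloads used as the training baseline.
NORMAL_TRAFFIC = [
    b"GET /index.html HTTP/1.1\r\nHost: shop.test\r\nUser-Agent: curl/8.0\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: shop.test\r\nUser-Agent: curl/8.0\r\n\r\n",
    b"GET /cart?id=42 HTTP/1.1\r\nHost: shop.test\r\nAccept: text/html\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: shop.test\r\nContent-Length: 23\r\n\r\nuser=alice&pass=secret1",
    b"GET /about HTTP/1.1\r\nHost: shop.test\r\nAccept: */*\r\n\r\n",
    b"GET /search?q=shoes HTTP/1.1\r\nHost: shop.test\r\nAccept: text/html\r\n\r\n",
]

# Constructed probes: a benign request the model has not seen, and a request whose
# path is a NOP sled followed by a few machine-code bytes (not a working exploit).
PROBE_NORMAL = b"GET /contact HTTP/1.1\r\nHost: shop.test\r\nAccept: text/html\r\n\r\n"
PROBE_ATTACK = (b"GET /" + b"\x90" * 80
                + b"\xcc\xcc\xe8\x00\x00\x00\x00\x5b\x31\xc0"
                + b" HTTP/1.1\r\n")


def byte_histogram(payload):
    """Relative frequency of each of the 256 byte values in the payload."""
    n = len(payload)
    if n == 0:
        return [0.0] * 256
    counts = Counter(payload)
    return [counts.get(b, 0) / n for b in range(256)]


class PayloadModel:
    """1-gram payload model: the baseline is the mean byte histogram of normal
    payloads; a payload is scored by its L1 distance from that mean (0 = identical
    distribution, 2 = no byte values in common)."""

    def __init__(self, margin=2.0):
        self.margin = margin      # how far above the worst normal payload alerts start
        self.mean = None
        self.threshold = None

    def fit(self, payloads):
        hists = [byte_histogram(p) for p in payloads]
        self.mean = [sum(h[b] for h in hists) / len(hists) for b in range(256)]
        # Calibrate on the training data: the most unusual normal payload sets the
        # scale, and the margin decides how many false positives are tolerated.
        worst_normal = max(self.score(p) for p in payloads)
        self.threshold = worst_normal * self.margin
        return self

    def score(self, payload):
        h = byte_histogram(payload)
        return sum(abs(h[b] - self.mean[b]) for b in range(256))

    def is_anomalous(self, payload):
        return self.score(payload) > self.threshold


if __name__ == "__main__":
    model = PayloadModel().fit(NORMAL_TRAFFIC)
    print("threshold:", round(model.threshold, 3))
    for name, probe in (("normal", PROBE_NORMAL), ("attack", PROBE_ATTACK)):
        print(name, round(model.score(probe), 3), model.is_anomalous(probe))
```

    A sled of bytes that never occur in normal requests pushes the distance towards its maximum of 2 regardless of how the surrounding request is dressed up, while an unseen but well-formed request stays close to the baseline; lowering the margin catches subtler payloads at the price of more false positives, which is exactly the trade-off the layered design in the abstract is meant to ease.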