
    Network Traffic Classification for Intrusion Detection

    Nowadays enterprises are looking for efficient security devices, such as Intrusion Detection Systems (IDS), to supplement firewall supervision. Nevertheless, IDS are plagued by several problems that slow down their development: high-speed traffic and the increasing number of attack detection rules. In this paper we discuss new propositions to solve these problems. Our first contribution is a new classification algorithm that splits the traffic according to security policies and IDS characteristics. The proposed method can also be applied to quickly verify the detection rules. However, memory consumption may grow with the increasing number of these rules. Therefore, as our second contribution, we propose an efficient method for matching the detection rules. The main idea is to organize the rules properly. This enables us to restrict the verification domain to only some ranges by taking advantage of the similarities and differences between the different parts of the detection rules.

    Detection of firewall configuration errors with updatable tree

    The fundamental goals of a security policy are to allow uninterrupted access to network resources for authenticated users and to deny access to unauthenticated users. For this purpose, firewalls are frequently deployed in networks of every size. However, bad configurations may cause serious security breaches and network vulnerabilities. In particular, conflicting filtering rules lead to blocking legitimate traffic and accepting unwanted packets. This troubles administrators, who have to insert and delete filtering rules in a huge configuration file. We propose in this paper a quick method for managing a firewall configuration file. We represent the set of filtering rules by a firewall anomaly tree (FAT). An administrator can then update the FAT by inserting and deleting filtering rules. The FAT modification automatically reveals the anomalies that emerge and helps the administrator find the adequate position for a newly added filtering rule. All the algorithms presented in the paper have been implemented, and computer experiments show the usefulness of updating the FAT data structure in order to quickly detect anomalies when dealing with a huge firewall configuration file.

    Qualitative and Quantitative Risk Analysis and Safety Assessment of Unmanned Aerial Vehicles Missions Over the Internet

    In the last few years, unmanned aerial vehicles (UAVs) have been making a revolution as an emerging technology with many different applications in the military, civilian, and commercial fields. The advent of autonomous drones has raised serious challenges, including how to maintain their safe operation during their missions. The safe operation of UAVs remains an open and sensitive issue, since any unexpected behavior of the drone or any hazard would lead to potential risks that might be very severe. The motivation behind this work is to propose a methodology for the safety assurance of drones over the Internet (Internet of Drones (IoD)). Two approaches are used in performing the safety analysis: (1) a qualitative safety analysis approach and (2) a quantitative safety analysis approach. The first approach uses the international safety standards ISO 12100 and ISO 13849 to assess the safety of drone missions by focusing on qualitative assessment techniques. The methodology starts with hazard identification, proceeds through risk assessment and risk mitigation, and finally draws the safety recommendations associated with a drone delivery use case. The second approach presents a method for quantitative safety assessment using Bayesian networks (BN) for probabilistic modeling. The BN uses the information provided by the first approach to model the safety risks related to UAV flights. An illustrative UAV crash scenario is presented as a case study, followed by scenario analysis, to demonstrate the applicability of the proposed approach. These two analyses, qualitative and quantitative, enable all involved stakeholders to detect, explore, and address the risks of UAV flights, which will help the industry to better manage the safety concerns of UAVs.

    Real-time automated image segmentation technique for cerebral aneurysm on reconfigurable system-on-chip

    A cerebral aneurysm is a weakness in a blood vessel that may enlarge and bleed into the surrounding area, which is a life-threatening condition. Therefore, early and accurate diagnosis of an aneurysm is highly required to help doctors decide on the right treatment. This work aims to implement a real-time automated segmentation technique for cerebral aneurysm on the Zynq system-on-chip (SoC), and to visualize the results on a 3D plane using virtual reality (VR) facilities, such as the Oculus Rift, to create an interactive environment for training purposes. The segmentation algorithm is designed based on hard thresholding and the Haar wavelet transform. The system is tested on six subjects, each consisting of 512 × 512 DICOM slices of 16-bit 3D rotational angiography. The quantitative and subjective evaluations show that the segmented masks and generated 3D volumes give acceptable results. In addition, the hardware implementation results show that the proposed implementation is capable of processing an image on the Zynq SoC in an average time of 5.2 ms.

    Classification du trafic et optimisation des règles de filtrage pour la détection d'intrusions

    In this dissertation we address several bottlenecks faced by intrusion detection, namely high traffic load, evasion techniques and the generation of false alerts. In order to ensure the supervision of overloaded networks, we classify the traffic using Intrusion Detection System (IDS) characteristics and network security policies. Each IDS therefore supervises less IP traffic and uses fewer detection rules (with respect to the traffic it analyses). In addition, we reduce per-packet processing time by applying the attack detection rules judiciously. During this analysis we rely on an on-the-fly pattern matching strategy for several attack signatures. We thus avoid the traffic reassembly previously required to counter evasion techniques. Besides, we employ protocol analysis with a decision tree in order to accelerate intrusion detection and reduce the number of false positives observed when using a raw pattern matching method.

    Protocol Analysis in Intrusion Detection Using Decision Tree

    Network-based intrusion detection systems are the most widely deployed IDS. They frequently rely on the signature matching detection method and focus on the security of low-level network protocols. Because of the large number of false positives on one side, and the inability to detect some attack types on the other, IDS must devote more attention to the monitoring of application-level protocols. We propose in this paper a combination of pattern matching and protocol analysis approaches. While the first detection method relies on a multipattern matching strategy, the second benefits from an efficient decision tree that adapts to the network traffic characteristics.

    Fast Multipattern Matching for Intrusion Detection

    M. Rusinowitch is a senior researcher at INRIA. He obtained a Ph.D. in Computer Science at Nancy in 1987. He is now leader of the CASSIS research team of INRIA-Lorraine, with about 20 members, whose activities are focused on automated deduction, software verification and security. M. Rusinowitch's research is concerned with the automated detection of flaws in software using symbolic analysis techniques. He is the author or coauthor of more than 22 journal papers and 50 conference papers, and is the author of a book. He is also co-chairman of the next IJCAR conference, to be held in 2004 at Cork, and a PC member of several events in automated deduction and security.


    High Performance Intrusion Detection using Traffic Classification

    The crucial problem of the ever-increasing traffic encountered by an IDS can be tackled by classifying the network traffic and distributing the analysis among several IDSes, ensuring faster detection. Besides, each IDS, equipped with only the required functionalities, can provide a sharper analysis of the traffic. We propose in this paper a new classification algorithm that constructs a Directed Acyclic Graph (DAG) to split the traffic using security policies and IDS characteristics. The method divides the different classification rule features into several bytes and sorts them by considering explicit values before masked ones, thereby reducing overlaps between rules and ensuring a smaller DAG and an easier way to classify packets at runtime.