
    APHRODITE: an Anomaly-based Architecture for False Positive Reduction

    We present APHRODITE, an architecture designed to reduce false positives in network intrusion detection systems. APHRODITE works by detecting anomalies in the output traffic and correlating them with the alerts raised by the NIDS working on the input traffic. Benchmarks show a substantial reduction of false positives, and that APHRODITE is also effective after a "quick setup", i.e. in the realistic case in which it has not been "trained" and set up optimally

    Revisiting anomaly-based network intrusion detection systems

    Intrusion detection systems (IDSs) are well-known and widely deployed security tools for detecting cyber-attacks and malicious activities in computer systems and networks. A signature-based IDS works similarly to anti-virus software: it employs a signature database of known attacks, and a successful match with the current input raises an alert. A signature-based IDS cannot detect unknown attacks, either because the database is out of date or because no signature is available yet. To overcome this limitation, researchers have been developing anomaly-based IDSs. An anomaly-based IDS builds a model of normal data/usage patterns during a training phase, then compares new inputs to the model using a similarity metric. A significant deviation is marked as an anomaly. An anomaly-based IDS can therefore detect previously unknown attacks, or modifications of well-known ones, as soon as they take place (so-called zero-day attacks), as well as targeted attacks. Cyber-attacks and breaches of information security appear to be increasing in frequency and impact. Signature-based IDSs are likely to miss an increasing number of attack attempts as cyber-attacks diversify. Thus one would expect a large number of anomaly-based IDSs to have been deployed to detect the newest disruptive attacks. However, most IDSs in use today are still signature-based, and few anomaly-based IDSs have been deployed in production environments. Up to now a signature-based IDS has been easier to implement and simpler to configure and maintain than an anomaly-based IDS, i.e., it is easier and less expensive to use. We see in these limitations the main reason why anomaly-based systems have not been widely deployed, despite research that has been conducted for more than a decade.
To address these limitations we have developed SilentDefense, a comprehensive anomaly-based intrusion detection architecture that outperforms competitors not only in attack detection and false alert rates but also in the effort required of the user. SilentDefense is the first systematic attempt to develop an anomaly-based intrusion detection system with a high degree of usability

    ATLANTIDES: An Architecture for Alert Verification in Network Intrusion Detection Systems

    We present an architecture designed for alert verification (i.e., to reduce false positives) in network intrusion-detection systems. Our technique is based on a systematic (and automatic) anomaly-based analysis of the system output, which provides useful context information regarding the network services. The false positives raised by the NIDS analyzing the incoming traffic (which can be either signature- or anomaly-based) are reduced by correlating them with the output anomalies. We designed our architecture for TCP-based network services which have a client/server architecture (such as HTTP). Benchmarks show a substantial reduction of false positives between 50% and 100%
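
The APHRODITE and ATLANTIDES entries above describe the same verification idea: an alert raised on the request side is kept only if the service's response looks anomalous too. The following Python is an added illustration, not code from either paper; the NIDS alert fields, the two response features (length and byte entropy), the z-score threshold and the traffic are all assumptions constructed for the example.

```python
"""Output-side alert verification, in the spirit of APHRODITE/ATLANTIDES.

Added example, not the papers' code. Assumptions (not from the papers):
  - NIDS alerts on inbound traffic are (ts, client, server, port, signature).
  - The output-side anomaly model keys on (server, port) and uses two
    cheap features of each server response: length and byte entropy.
  - An alert is confirmed only if the same flow shows an anomalous
    response within `window` seconds after the alert.
"""
import math
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: float
    client: str
    server: str
    port: int
    sig: str


@dataclass(frozen=True)
class Response:
    ts: float
    client: str
    server: str
    port: int
    payload: bytes


def entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class OutputModel:
    """Per-(server, port) baseline of response length and entropy."""

    def __init__(self, k: float = 3.0, len_floor: float = 5.0, ent_floor: float = 0.2):
        self.k = k                  # z-score threshold for "anomalous"
        self.len_floor = len_floor  # floors on the std so that near-constant
        self.ent_floor = ent_floor  # training data does not flag tiny deviations
        self.stats = {}

    def train(self, responses):
        feats = defaultdict(list)
        for r in responses:
            feats[(r.server, r.port)].append((len(r.payload), entropy(r.payload)))
        for key, rows in feats.items():
            lens = [l for l, _ in rows]
            ents = [e for _, e in rows]
            self.stats[key] = (
                statistics.mean(lens), max(statistics.pstdev(lens), self.len_floor),
                statistics.mean(ents), max(statistics.pstdev(ents), self.ent_floor),
            )

    def is_anomalous(self, r: Response) -> bool:
        key = (r.server, r.port)
        if key not in self.stats:
            return True  # no baseline for this service: cannot vouch for it
        ml, sl, me, se = self.stats[key]
        z_len = abs(len(r.payload) - ml) / sl
        z_ent = abs(entropy(r.payload) - me) / se
        return max(z_len, z_ent) > self.k


def verify_alerts(alerts, responses, model, window: float = 2.0):
    """Keep an alert only if its flow produced an anomalous response in time."""
    anomalies = [r for r in responses if model.is_anomalous(r)]
    kept = []
    for a in alerts:
        for r in anomalies:
            same_flow = (r.client, r.server, r.port) == (a.client, a.server, a.port)
            if same_flow and a.ts <= r.ts <= a.ts + window:
                kept.append(a)
                break
    return kept


def demo():
    """Constructed traffic: one false positive and one true positive."""
    page = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body>Welcome back, user%02d</body></html>")
    training = [Response(float(i), "10.0.0.5", "10.0.0.1", 80, page % i) for i in range(20)]
    model = OutputModel()
    model.train(training)

    alerts = [
        Alert(100.0, "10.0.0.5", "10.0.0.1", 80, "web-sqli-generic"),   # signature hit on a normal request
        Alert(200.0, "10.0.0.9", "10.0.0.1", 80, "web-cmd-injection"),  # real: server answered with id(1) output
    ]
    responses = [
        Response(100.5, "10.0.0.5", "10.0.0.1", 80, page % 42),
        Response(200.3, "10.0.0.9", "10.0.0.1", 80, b"uid=0(root) gid=0(root) groups=0(root)\n"),
    ]
    return [a.sig for a in verify_alerts(alerts, responses, model)]


if __name__ == "__main__":
    print(demo())
```

A service with no baseline is treated as anomalous, so alerts for it pass through unverified; that is the conservative side of the "quick setup" trade-off, since the verifier cannot remove false positives for services it has no model of.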

    Smart Device Profiling for Smart SCADA

    SCADA (Supervisory Control and Data Acquisition) systems are computer systems used for monitoring and controlling industrial processes such as power plants and power grid systems, water, gas and oil distribution systems, production systems for food, cars and other products. We propose a new approach for regulating and detecting malicious behaviour of network devices in SCADA systems. Our approach consists of building profiles that describe normal communication between pairs of devices in the network. Each profile describes four aspects of network communication: device fingerprint, connectivity pattern, pseudo-protocol pattern and packet content. We validate our approach using network traffic from two real-life SCADA installations
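
One way to make the four profile aspects concrete, as an added Python example that is not the paper's code: the device fingerprint is reduced to the IP TTL seen from a source, the connectivity pattern to the destination ports a pair uses, the pseudo-protocol pattern to the set of Modbus function codes and their observed transitions, and the packet content to the register address range per function code. The Modbus field choices and the traffic are assumptions constructed for the example.

```python
"""Pairwise device profiles for SCADA traffic, one per (src, dst) pair.

Added example, not the paper's code. Each profile records the four aspects
the paper lists, using the following concrete (assumed) stand-ins:
  - device fingerprint: IP TTL values seen from the source
  - connectivity pattern: which destination ports the pair uses
  - pseudo-protocol pattern: the Modbus function codes used and the
    observed function-code transitions (a bigram model)
  - packet content: per function code, the register address range
Traffic is constructed inline; no real installation is involved.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str
    dst: str
    dport: int
    ttl: int
    fcode: int   # Modbus function code: 3 = read holding registers, 16 = write multiple registers
    addr: int    # starting register address


@dataclass
class PairProfile:
    ttls: set = field(default_factory=set)
    dports: set = field(default_factory=set)
    fcodes: set = field(default_factory=set)
    transitions: set = field(default_factory=set)   # (previous fcode, fcode)
    addr_range: dict = field(default_factory=dict)  # fcode -> (min addr, max addr)


def build_profiles(training):
    """Learn one profile per (src, dst) pair from attack-free traffic."""
    profiles = defaultdict(PairProfile)
    last = {}
    for p in sorted(training, key=lambda p: p.ts):
        key = (p.src, p.dst)
        prof = profiles[key]
        prof.ttls.add(p.ttl)
        prof.dports.add(p.dport)
        prof.fcodes.add(p.fcode)
        if key in last:
            prof.transitions.add((last[key], p.fcode))
        last[key] = p.fcode
        lo, hi = prof.addr_range.get(p.fcode, (p.addr, p.addr))
        prof.addr_range[p.fcode] = (min(lo, p.addr), max(hi, p.addr))
    return dict(profiles)


def check(profiles, traffic):
    """Return (ts, aspect, detail) for every packet that leaves its pair's profile."""
    alerts = []
    last = {}
    for p in sorted(traffic, key=lambda p: p.ts):
        key = (p.src, p.dst)
        prof = profiles.get(key)
        if prof is None:
            alerts.append((p.ts, "connectivity", f"unknown device pair {key}"))
            continue
        if p.ttl not in prof.ttls:
            alerts.append((p.ts, "fingerprint", f"ttl {p.ttl} not in {sorted(prof.ttls)}"))
        if p.dport not in prof.dports:
            alerts.append((p.ts, "connectivity", f"port {p.dport} not in {sorted(prof.dports)}"))
        if p.fcode not in prof.fcodes:
            alerts.append((p.ts, "protocol", f"unknown function code {p.fcode}"))
        else:
            if key in last and (last[key], p.fcode) not in prof.transitions:
                alerts.append((p.ts, "protocol", f"unseen transition {last[key]}->{p.fcode}"))
            lo, hi = prof.addr_range[p.fcode]
            if not lo <= p.addr <= hi:
                alerts.append((p.ts, "content", f"fcode {p.fcode} address {p.addr} outside {lo}-{hi}"))
        last[key] = p.fcode
    return alerts


HMI, PLC, ROGUE = "10.0.0.10", "10.0.0.20", "10.0.0.66"


def demo():
    """Constructed polling cycle (three reads, then one write) followed by test traffic."""
    training = []
    for i in range(40):
        if i % 4 == 3:
            training.append(Pkt(float(i), HMI, PLC, 502, 64, 16, 200 + i % 10))   # writes to 201..209
        else:
            training.append(Pkt(float(i), HMI, PLC, 502, 64, 3, (i * 7) % 100))   # reads from 0..98
    profiles = build_profiles(training)
    traffic = [
        Pkt(100.0, HMI, PLC, 502, 64, 3, 50),     # normal read
        Pkt(101.0, HMI, PLC, 502, 64, 16, 205),   # normal write
        Pkt(102.0, HMI, PLC, 502, 64, 16, 205),   # write right after a write: never seen
        Pkt(103.0, HMI, PLC, 502, 64, 3, 50),     # back to normal
        Pkt(104.0, HMI, PLC, 502, 64, 16, 500),   # write to an address the HMI never touches
        Pkt(105.0, HMI, PLC, 502, 128, 3, 10),    # same IP, different TTL: a different host?
        Pkt(106.0, HMI, PLC, 80, 64, 3, 0),       # HMI talking to the PLC's web port
        Pkt(107.0, ROGUE, PLC, 502, 64, 3, 0),    # unknown device polling the PLC
        Pkt(108.0, HMI, PLC, 502, 64, 5, 1),      # write single coil: never used here
    ]
    return check(profiles, traffic)
```

The transition check is deliberately strict: a write immediately after a write is flagged even though both writes are individually allowed, because the polling cycle learned in training never produced that sequence.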

    A log mining approach for process monitoring in SCADA

    SCADA (Supervisory Control and Data Acquisition) systems are used for controlling and monitoring industrial processes. We propose a methodology to systematically identify potential process-related threats in SCADA. Process-related threats take place when an attacker gains user access rights and performs actions that look legitimate but are intended to disrupt the SCADA process. To detect such threats, we propose a semi-automated approach to log processing. We conduct experiments on a real-life water treatment facility. A preliminary case study suggests that our approach is effective in detecting anomalous events that might alter the regular process workflow

    Model-Based Mitigation of Availability Risks

    The assessment and mitigation of risks related to the availability of the IT infrastructure is becoming increasingly important in modern organizations. Unfortunately, present standards for Risk Assessment and Mitigation show limitations when evaluating and mitigating availability risks. This is because they do not fully consider the dependencies between the constituents of an IT infrastructure, which are paramount in large enterprises. These dependencies make the technical problem of assessing availability issues very challenging. In this paper we define a method and a tool for carrying out a Risk Mitigation activity, which allows one to assess the global impact of a set of risks and to choose the best set of countermeasures to cope with them. A tool is necessary here because of the high complexity of the assessment problem. Our approach can be integrated into present Risk Management methodologies (e.g. COBIT) to provide a more precise Risk Mitigation activity. We substantiate the viability of this approach by showing that most of the input required by the tool is available as part of a standard business continuity plan and/or can be obtained by performing a common tool-assisted Risk Management

    Poseidon: a 2-tier Anomaly-based Network Intrusion Detection System

    We present Poseidon, a new anomaly-based intrusion detection system. Poseidon is payload-based and presents a two-tier architecture: the first stage consists of a Self-Organizing Map, while the second one is a modified PAYL system. Our benchmarks on the 1999 DARPA data set show a higher detection rate and fewer false positives than PAYL and PHAD
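
Poseidon's second tier is a modified PAYL. The following Python is an added example (not Poseidon's or PAYL's code) of the PAYL-style 1-gram byte-frequency model and its simplified Mahalanobis distance, keyed by port and payload-length bucket as in the original PAYL design; the Self-Organizing Map that Poseidon uses in place of the length buckets is left out. The smoothing constant, bucket size, threshold rule and the HTTP traffic are assumptions.

```python
"""PAYL-style 1-gram payload model with the simplified Mahalanobis distance.

Added example, not Poseidon's or PAYL's code. Poseidon's first tier (the
Self-Organizing Map that replaces PAYL's payload-length bucketing) is
omitted; normal payloads are grouped by (port, length bucket) as in the
original PAYL design. The constants, the training data and the threshold
rule (largest training distance times a margin) are assumptions.
"""
import math
from collections import defaultdict

ALPHA = 0.01  # smoothing so a byte with zero variance in training does not divide by zero


def byte_freq(payload: bytes):
    """Relative frequency of each of the 256 byte values."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = max(len(payload), 1)
    return [c / n for c in counts]


def mahalanobis(vec, mean, std):
    """Simplified Mahalanobis distance: sum_i |x_i - mean_i| / (std_i + ALPHA)."""
    return sum(abs(vec[i] - mean[i]) / (std[i] + ALPHA) for i in range(256))


class PaylModel:
    def __init__(self, bucket: int = 64, margin: float = 3.0):
        self.bucket = bucket
        self.margin = margin
        self._train = defaultdict(list)  # (port, length bucket) -> training vectors
        self.models = {}                 # (port, length bucket) -> (mean, std, threshold)

    def _key(self, port: int, payload: bytes):
        return (port, len(payload) // self.bucket)

    def add(self, port: int, payload: bytes):
        self._train[self._key(port, payload)].append(byte_freq(payload))

    def fit(self):
        for key, vecs in self._train.items():
            n = len(vecs)
            mean = [sum(v[i] for v in vecs) / n for i in range(256)]
            std = [math.sqrt(sum((v[i] - mean[i]) ** 2 for v in vecs) / n) for i in range(256)]
            threshold = max(mahalanobis(v, mean, std) for v in vecs) * self.margin
            self.models[key] = (mean, std, threshold)

    def score(self, port: int, payload: bytes) -> float:
        key = self._key(port, payload)
        if key not in self.models:
            return math.inf  # never saw this service/length: maximally suspicious
        mean, std, _ = self.models[key]
        return mahalanobis(byte_freq(payload), mean, std)

    def is_anomalous(self, port: int, payload: bytes) -> bool:
        key = self._key(port, payload)
        return key not in self.models or self.score(port, payload) > self.models[key][2]


def demo():
    """Constructed HTTP traffic: train on plain GETs, score a benign GET and a NOP-sled request."""
    template = (b"GET %s HTTP/1.1\r\nHost: www.example.com\r\n"
                b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n")
    paths = [b"/index.html", b"/about.html", b"/contact.html", b"/products/list.html",
             b"/news/2019.html", b"/images/logo.png", b"/css/site.css", b"/js/app.js",
             b"/login.html", b"/search?q=laptop", b"/search?q=router", b"/cart.html"]
    model = PaylModel()
    for p in paths:
        model.add(80, template % p)
    model.fit()

    benign = template % b"/products/item.html"
    # 60-byte NOP sled followed by a classic execve("/bin/sh") stub, constructed for the example
    attack = (b"GET /cgi-bin/" + b"\x90" * 60 +
              b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" +
              b" HTTP/1.1\r\n\r\n")
    return {
        "benign": (model.score(80, benign), model.is_anomalous(80, benign)),
        "attack": (model.score(80, attack), model.is_anomalous(80, attack)),
    }
```

Both requests fall in the same (port 80, 64-127 byte) bucket, so the decision rests on the byte distribution alone: the sled's 0x90 bytes and the shellcode's high bytes have zero mean and zero variance in training, so each contributes its full frequency divided by ALPHA to the distance.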

    Towards securing SCADA systems against process-related threats

    We propose a tool-assisted approach to address process-related threats on SCADA systems. Process-related threats have not been addressed before in a systematic manner. Our approach consists of two steps: threat analysis and threat mitigation. For the threat analysis, we combine two methodologies (PHEA and HAZOP) to systematically identify process-related threats. The threat mitigation is supported by our tool, MELISSA, that helps to detect incidents (attacks or user mistakes). MELISSA uses SCADA system logs and visualization techniques to highlight potential incidents. A preliminary case study suggests that our approach is effective in detecting anomalous events that might alter the regular SCADA process work-flow
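
For the two log-based entries above (the log mining approach and MELISSA), the following Python is an added example of the semi-automated idea, not the authors' tool: operator log lines are parsed, each event is reduced to a (user, action, tag, shift) pattern, and events whose pattern is rare, or whose set-point value is far from the tag's usual range, are ranked for an operator to review. The log format, the support threshold, the median/MAD rule and the log contents are assumptions.

```python
"""Semi-automated mining of SCADA operator logs for process-related threats.

Added example, not the papers' code (MELISSA's log format and ranking rules
are not reproduced). The log format, the 'rare pattern' rule and the
median/MAD value check are assumptions for illustration: actions that a
legitimate account rarely performs, or that set a tag to an unusual value,
are ranked first for an operator to review.
"""
import re
import statistics
from collections import Counter, defaultdict

# Constructed log format: "<date> <time> user=<u> action=<a> tag=<t> [value=<v>]"
LINE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<hour>\d\d):\d\d:\d\d "
    r"user=(?P<user>\S+) action=(?P<action>\S+) tag=(?P<tag>\S+)"
    r"(?: value=(?P<value>-?\d+(?:\.\d+)?))?$"
)


def parse(lines):
    """Turn raw log lines into dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["hour"] = int(e["hour"])
        e["value"] = float(e["value"]) if e["value"] is not None else None
        events.append(e)
    return events


def shift(hour):
    return "day" if 6 <= hour < 22 else "night"


def pattern(e):
    """Attributes that together describe 'who did what to which tag, when'."""
    return (e["user"], e["action"], e["tag"], shift(e["hour"]))


def rare_patterns(events, max_support=2):
    """Events whose (user, action, tag, shift) pattern occurs at most max_support times."""
    support = Counter(pattern(e) for e in events)
    rare = [e for e in events if support[pattern(e)] <= max_support]
    return sorted(rare, key=lambda e: support[pattern(e)])


def value_outliers(events, k=5.0, min_samples=5):
    """Set-point values far from the tag's median, measured in MAD units."""
    by_tag = defaultdict(list)
    for e in events:
        if e["value"] is not None:
            by_tag[e["tag"]].append(e["value"])
    out = []
    for e in events:
        vals = by_tag.get(e["tag"], [])
        if e["value"] is None or len(vals) < min_samples:
            continue  # too few samples to say what is usual for this tag
        med = statistics.median(vals)
        mad = statistics.median(abs(v - med) for v in vals) or 1.0
        if abs(e["value"] - med) > k * mad:
            out.append(e)
    return out


def constructed_log():
    """A day of routine operation with three injected process-related events."""
    lines = []
    for i, v in enumerate([60, 62, 58, 61, 59, 60, 63, 57, 60, 61]):
        lines.append(f"2019-03-04 {8 + i:02d}:15:00 user=operator1 action=SETPOINT tag=Pump1.Speed value={v}")
        lines.append(f"2019-03-04 {8 + i:02d}:30:00 user=operator1 action=READ tag=Tank1.Level")
    for i, v in enumerate([58, 59, 60, 58, 59]):
        lines.append(f"2019-03-04 {i:02d}:05:00 user=operator2 action=SETPOINT tag=Pump1.Speed value={v}")
        lines.append(f"2019-03-04 {i:02d}:20:00 user=operator2 action=READ tag=Tank1.Level")
    lines.append("2019-03-04 05:40:00 user=operator2 action=READ tag=Tank1.Level")
    # injected: a tag this account never touches, an alarm disabled, a pump stopped outright
    lines.append("2019-03-04 03:10:00 user=operator2 action=SETPOINT tag=Chlorine.Dose value=900")
    lines.append("2019-03-04 14:02:00 user=operator1 action=DISABLE_ALARM tag=Tank1.HighLevel")
    lines.append("2019-03-04 14:03:00 user=operator1 action=SETPOINT tag=Pump1.Speed value=0")
    lines.append("garbage line that does not parse")
    return lines


def demo():
    events = parse(constructed_log())
    rare = [(e["user"], e["action"], e["tag"]) for e in rare_patterns(events)]
    outliers = [(e["user"], e["tag"], e["value"]) for e in value_outliers(events)]
    return rare, outliers
```

The pump stop is the case the entries above care about: it is performed by a legitimate account, during its normal shift, on a tag it changes every hour, so no pattern rule can catch it; only the value itself gives it away, which is why the two rankings are kept separate.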