Anomalous Payload-Based Network Intrusion Detection

We present a payload-based anomaly detector, we call PAYL, for intrusion detection. PAYL models the normal application payload of network traffic in a fully automatic, unsupervised and very efficient fashion. We first compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port. We then use Mahalanobis distance during the detection phase to calculate the similarity of new data against the pre-computed profile. The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold. We demonstrate the surprising effectiveness of the method on the 1999 DARPA IDS dataset and a live dataset we collected on the Columbia CS department network. In once case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic

Ray-optical refraction with confocal lenslet arrays

Two parallel lenslet arrays with focal lengths f1 and f2 that share a common focal plane (that is, which are separated by a distance f1+f2) can refract transmitted light rays according to Snell's law, but with the 'sin's replaced with 'tan's. This is the case for a limited range of input angles and other conditions. Such confocal lenslet arrays can therefore simulate the interface between optical media with different refractive indices, n1 and n2, whereby the ratio η=-f2/f1 plays the role of the refractive-index ratio n2/n1. Suitable choices of focal lengths enable positive and negative refraction. In contrast to Snell's law, which leads to nontrivial geometric imaging by a planar refractive-index interface only for the special case of n1=±n2, the modified refraction law leads to geometric imaging by planar confocal lenslet arrays for any value of η. We illustrate some of the properties of confocal lenslet arrays with images rendered using ray-tracing software

Evolving high-speed, easy-to-understand network intrusion detection rules with genetic programming

Proceeding of: EvoWorkshops 2009: EvoCOMNET, EvoENVIRONMENT, EvoFIN, EvoGAMES, EvoHOT, EvoIASP, EvoINTERACTION, EvoMUSART, EvoNUM, EvoSTOC, EvoTRANSLOG, Tübingen, Germany, April 15-17, 2009An ever-present problem in intrusion detection technology is how to construct the patterns of (good, bad or anomalous) behaviour upon which an engine have to make decisions regarding the nature of the activity observed in a system. This has traditionally been one of the central areas of research in the field, and most of the solutions proposed so far have relied in one way or another upon some form of data mining–with the exception, of course, of human-constructed patterns. In this paper, we explore the use of Genetic Programming (GP) for such a purpose. Our approach is not new in some aspects, as GP has already been partially explored in the past. Here we show that GP can offer at least two advantages over other classical mechanisms: it can produce very lightweight detection rules (something of extreme importance for high-speed networks or resource-constrained applications) and the simplicity of the patterns generated allows to easily understand the semantics of the underlying attack.Publicad

Effectiveness evaluation of data mining based IDS

Proceeding of: 6th Industrial Conference on Data Mining, ICDM 2006, Leipzig, Germany, July 14-15, 2006.Data mining has been widely applied to the problem of Intrusion Detection in computer networks. However, the misconception of the underlying problem has led to out of context results. This paper shows that factors such as the probability of intrusion and the costs of responding to detected intrusions must be taken into account in order to compare the effectiveness of machine learning algorithms over the intrusion detection domain. Furthermore, we show the advantages of combining different detection techniques. Results regarding the well known 1999 KDD dataset are shown.Publicad

A hybrid nonlinear-discriminant analysis feature projection technique

Feature set dimensionality reduction via Discriminant Analysis (DA) is one of the most sought after approaches in many applications. In this paper, a novel nonlinear DA technique is presented based on a hybrid of Artificial Neural Networks (ANN) and the Uncorrelated Linear Discriminant Analysis (ULDA). Although dimensionality reduction via ULDA can present a set of statistically uncorrelated features, but similar to the existing DA's it assumes that the original data set is linearly separable, which is not the case with most real world problems. In order to overcome this problem, a one layer feed-forward ANN trained with a Differential Evolution (DE) optimization technique is combined with ULDA to implement a nonlinear feature projection technique. This combination acts as nonlinear discriminant analysis. The proposed approach is validated on a Brain Computer Interface (BCI) problem and compared with other techniques. © 2008 Springer Berlin Heidelberg

Network Anomaly Classification by Support Vector Classifiers Ensemble and Non-linear Projection Techniques

Network anomaly detection is currently a challenge due to the number of different attacks and the number of potential attackers. Intrusion detection systems aim to detect misuses or network anomalies in order to block ports or connections, whereas firewalls act according to a predefined set of rules. However, detecting the specific anomaly provides valuable information about the attacker that may be used to further protect the system, or to react accordingly. This way, detecting network intrusions is a current challenge due to growth of the Internet and the number of potential intruders. In this paper we present an intrusion detection technique using an ensemble of support vector classifiers and dimensionality reduction techniques to generate a set of discriminant features. The results obtained using the NSL-KDD dataset outperforms previously obtained classification rates

Inhalation exposure methodology.

Modern man is being confronted with an ever-increasing inventory of potentially toxic airborne substances. Exposures to these atmospheric contaminants occur in residential and commercial settings, as well as in the workplace. In order to study the toxicity of such materials, a special technology relating to inhalation exposure systems has evolved. The purpose of this paper is to provide a description of the techniques which are used in exposing laboratory subjects to airborne particles and gases. The various modes of inhalation exposure (whole body, head only, nose or mouth only, etc.) are described at length, including the advantages and disadvantages inherent to each mode. Numerous literature citations are included for further reading. Among the topics briefly discussed are the selection of appropriate animal species for toxicological testing, and the types of inhalation studies performed (acute, chronic, etc.)

The spatial and temporal variability of sand bar morphology

The spatial and temporal variability of nearshore sand bar morphology is quantified using a unique data set spanning 2 years. The data consist of daily time exposure images of incident wave breaking on an open coast sandy beach which may be used to infer bar morphology (Lippmann and Holman, 1989). The morphology in each image is classified into an eight state morphologic scheme in which bars are uniquely defined by four independent criteria. The most frequently observed morphologies are the longshore-periodic (rhythmic) bars, observed in 68% of the data. Linear bars occur under highest wave conditions Hs = 1.78 m) and are unstable (mean residence time ≈ 2 days). Shore-attached rhythmic bars are the most stable (mean residence time ≈ 11 days) and generally form 5-16 days following peak wave events. Non-rhythmic, three-dimensional bars are very transient (mean residence time ≈ 3 days). Eighty-seven percent of transitions to lower bar types (defined in text) occurred one state at a time, supporting our selection of the ordering of states, and suggesting the suitability of a sequential morphology model. Transitions to higher states occurred under rising wave energy and were evenly spread among the possible higher states, with more substantial changes in morphology resulting from larger wave increases. This suggests that up-state, erosional transitions (based on offshore bar migration) are better described by an equilibrium model where response is better correlated with incident wave energy than with preceding morphological state. Time exposure images were also digitized to yield quantitative estimates of bar crest location as a function of longshore distance. Principal component analysis was used to decompose bar position into two-dimensional (linear) and three-dimensional (longshore variable) components. Cross-shore (linear) bar position ranges ±50 m about the 2-year mean (27 m standard deviation) and dominates bar variability (74.6%). Three-dimensional bar structure accounts for ~14% of the variance (12 m standard deviation). Changes in incident wave height precede cross-shore bar migration by less than I day. Changes in longshore variability are inversely correlated to changing wave conditions, with bar morphology becoming linear rapidly during storms (on time scales of less than I day). Evolution to significantly tbree dimensional structure typically occurs over 5-7 days following peak wave events.Copyrighted by American Geophysical Union