11 research outputs found
Automated detection of changes in computer network measurements using wavelets
Monitoring and measuring various metrics of high-speed and high-capacity networks produces a vast amount of information over a long period of time. For the collected monitoring data to be useful to administrators, these measurements need to be analysed and processed in order to detect interesting characteristics such as sudden changes. In this paper wavelet analysis is used along with the universal threshold proposed by Donoho and Johnstone in order to detect abrupt changes in computer network measurements. Experimental results are obtained to compare the behaviour of the algorithm on delay and data rate signals. Both types of signal are measurements from real networks and not produced by a simulation tool. Results show that detection of anomalies is achievable in a variety of signals.
Misbehaviour metrics in WiMAX networks under attack
Much effort has been made to make WiMAX a secure technology. Because of its broadcast nature, WiMAX is more susceptible to security threats than a wired network. In this paper, we give a general overview of the security architecture and the possible attacks that a WiMAX network may face. For each type of attack, the misbehaviour metrics that may vary under that attack are listed. This work can be used to select an appropriate threshold for detecting attacks and can be applied to future research on IDSs.
Predicting multi-stage attacks based on hybrid approach
Multi-stage attacks can evolve dramatically, causing much loss and damage to organisations. These attacks are frequently instigated by exploiting actions which, in isolation, are legal and are therefore particularly challenging to detect. Much research has been conducted in the multi-stage detection area in order to build a framework based on an event correlation approach. This paper proposes a framework that predicts multi-stage attacks based on a hybrid approach, which combines two techniques: IP information evaluation and a process query system (PQS). This paper shows the analysis of three multi-stage attacks, detailing their steps and information hitherto unexploited in current intrusion detection systems. The paper also goes through the implementation of each technique used in the hybrid approach.
Predicting multi-stage attacks based on IP information
Multi-stage attacks can evolve dramatically, causing much loss and damage to organisations. These attacks are frequently instigated by exploiting actions which, in isolation, are legal and are therefore particularly challenging to detect. Much research has been conducted in the multi-stage detection area in order to build a framework based on an event correlation approach. This paper proposes a framework that predicts multi-stage attacks based on a different approach: IP information evaluation. This approach was chosen after analysing three different multi-stage attack scenarios. This paper shows the analysis of those scenarios, detailing their steps and information hitherto unexploited in current intrusion detection systems. The paper also details the results obtained in the evaluation process, including detection and false positive rates.
Adding contextual information to intrusion detection systems using fuzzy cognitive maps
In the last few years there has been a considerable increase in the efficiency of Intrusion Detection Systems (IDSs). However, networks are still the victims of attacks. As the complexity of these attacks keeps increasing, new and more robust detection mechanisms need to be developed. The next generation of IDSs should be designed to incorporate reasoning engines supported by contextual information about the network, cognitive information from the network users and situational awareness, in order to improve their detection results. In this paper, we propose the use of a Fuzzy Cognitive Map (FCM) in conjunction with an IDS to incorporate contextual information into the detection process. We have evaluated the use of FCMs to adjust the Basic Probability Assignment (BPA) values defined prior to the data fusion process, which is crucial for the IDS that we have developed. The results that we present verify that FCMs can improve the efficiency of our IDS by reducing the number of false alarms while not affecting the number of correct detections.
Honey Plotter and the Web of Terror
Honeypots are a useful tool for discovering the distribution of malicious traffic on the Internet and how that traffic evolves over time. In addition, they give an insight into new attacks as they appear. One major problem is analysing the large amounts of data generated by such honeypots and correlating data between multiple honeypots. Honey Plotter is a web-based query and visualisation tool that allows investigation of data gathered by a distributed honeypot network. It is built on top of a relational database, which allows great flexibility in the questions that can be asked, and it automatically generates visualisations from the results of queries. The main focus is on aggregate statistics, but individual attacks can also be analysed. Statistical comparison of distributions is also provided to assist with detecting anomalies in the data, helping to separate common malicious traffic from new threats and trends. Two short case studies are presented to give examples of the types of analysis that can be performed.
Improving intrusion detection by the automated generation of detection rules
Rule-based detection systems have been successful in preventing attacks on network resources, but they suffer from the problem that they are not adaptable when new attacks appear, i.e. they need human intervention to investigate new attacks. This paper proposes the creation of a predictive intrusion detection model based on classification techniques such as decision trees, Naïve Bayes, neural networks and fuzzy logic to generate new rules. The proposed model consists of two stages. The first stage uses either a decision tree (J48, based on C4.5) or a Naïve Bayes classifier, chosen according to the results obtained in experiments, while the second stage is based on a hybrid module that uses both a neural network (MLP) and fuzzy logic. The training and evaluation phases used randomly selected connections from a subset of the KDD'99 intrusion detection data set. A selected set of features was extracted from those connections using a subset evaluation algorithm. This paper shows how the proposed system was trained, detailing the parameters that affect the training process; it also details the results obtained in the evaluation process, including detection and false positive rates.
An on-line wireless attack detection system using multi-layer data fusion
Computer networks, and more specifically wireless communication networks, are increasingly becoming susceptible to more sophisticated and untraceable attacks. Most current Intrusion Detection Systems either focus on just one layer of observation or use a limited number of metrics without proper data fusion techniques. However, the true status of a network is rarely detectable accurately by examining only one network layer. This paper describes a synergistic approach that fuses decisions about whether an attack is taking place, using multiple measurements from different layers of a wireless communication network. The described method is implemented on a live system that monitors a wireless network in real time and gives an indication of whether a malicious frame exists or not. This is achieved by analysing specific metrics and comparing them against historical data. The proposed system assigns each metric a belief of whether an attack is taking place or not. The beliefs from the different metrics are fused with the Dempster-Shafer technique, with the ultimate goal of limiting false alarms by combining beliefs from various network layers. The on-line experimental results show that cross-layer techniques and data fusion perform more efficiently than conventional methods.