11 research outputs found

    Automated detection of changes in computer network measurements using wavelets

    Monitoring and measuring various metrics of high-speed, high-capacity networks produces a vast amount of information over a long period of time. For the collected monitoring data to be useful to administrators, these measurements need to be analyzed and processed in order to detect interesting characteristics such as sudden changes. In this paper, wavelet analysis is used along with the universal threshold proposed by Donoho and Johnstone in order to detect abrupt changes in computer network measurements. Experimental results are obtained to compare the behaviour of the algorithm on delay and data-rate signals. Both types of signals are measurements from real networks and were not produced by a simulation tool. Results show that detection of anomalies is achievable in a variety of signals.

    Misbehaviour metrics in WiMAX networks under attack

    Much effort has been taken to make WiMAX a secure technology. Due to its broadcast nature, WiMAX is more susceptible to security threats than a wired network. In this paper, we give a general overview of the security architecture and the possible attacks that a WiMAX network may face. For each type of attack, the misbehaviour metrics that may vary under that attack are listed. This work can be used to select an appropriate threshold for detecting attacks and can be applied to future research on IDS.

    Predicting multi-stage attacks based on hybrid approach

    Multi-stage attacks can evolve dramatically, causing much loss and damage to organisations. These attacks are frequently instigated by exploiting actions which in isolation are legal, and are therefore particularly challenging to detect. Much research has been conducted in the multi-stage detection area in order to build a framework based on an event correlation approach. This paper proposes a framework that predicts multi-stage attacks based on a hybrid approach, which combines two techniques: IP information evaluation and a process query system (PQS). This paper shows the analysis of three multi-stage attacks, detailing their steps and information hitherto unexploited in current intrusion detection systems. The paper also goes through the implementation of each technique used in the hybrid approach.

    Predicting multi-stage attacks based on IP information

    Multi-stage attacks can evolve dramatically, causing much loss and damage to organisations. These attacks are frequently instigated by exploiting actions which in isolation are legal, and are therefore particularly challenging to detect. Much research has been conducted in the multi-stage detection area in order to build a framework based on an event correlation approach. This paper proposes a framework that predicts multi-stage attacks based on a different approach, namely IP information evaluation. This approach was chosen after analysing three different multi-stage attack scenarios. This paper shows the analysis of those scenarios, detailing their steps and information hitherto unexploited in current intrusion detection systems. The paper also details the results obtained in the evaluation process, including detection and false positive rates.

    Adding contextual information to intrusion detection systems using fuzzy cognitive maps

    In the last few years there has been a considerable increase in the efficiency of Intrusion Detection Systems (IDSs). However, networks are still the victims of attacks. As the complexity of these attacks keeps increasing, new and more robust detection mechanisms need to be developed. The next generation of IDSs should be designed to incorporate reasoning engines supported by contextual information about the network, cognitive information from the network users, and situational awareness, in order to improve their detection results. In this paper, we propose the use of a Fuzzy Cognitive Map (FCM) in conjunction with an IDS to incorporate contextual information into the detection process. We have evaluated the use of FCMs to adjust the Basic Probability Assignment (BPA) values defined prior to the data fusion process, which is crucial for the IDS that we have developed. The results that we present verify that FCMs can improve the efficiency of our IDS by reducing the number of false alarms while not affecting the number of correct detections.

    Honey Plotter and the Web of Terror

    Honeypots are a useful tool for discovering the distribution of malicious traffic on the Internet and how that traffic evolves over time. In addition, they give insight into newly appearing attacks. One major problem is analysing the large amounts of data generated by such honeypots and correlating data between multiple honeypots. Honey Plotter is a web-based query and visualisation tool that allows investigation of data gathered by a distributed honeypot network. It is built on top of a relational database, which allows great flexibility in the questions that can be asked, and it automatically generates visualisations based on the results of queries. The main focus is on aggregate statistics, but individual attacks can also be analysed. Statistical comparison of distributions is also provided to assist with detecting anomalies in the data, helping to separate common malicious traffic from new threats and trends. Two short case studies are presented to give an example of the types of analysis that can be performed.

    Improving intrusion detection by the automated generation of detection rules

    Rule-based detection systems have been successful in preventing attacks on network resources, but they suffer from the problem that they are not adaptable to new attacks, i.e. they need human intervention to investigate new attacks. This paper proposes the creation of a predictive intrusion detection model based on the use of classification techniques such as decision trees, Naïve Bayes, neural networks, and fuzzy logic to generate new rules. The proposed model consists of two stages. The first stage uses either a decision tree (J48, based on C4.5) or a Naïve Bayes classifier, chosen on the basis of the results obtained in experiments, while the second stage is a hybrid module that uses both a neural network (MLP) and fuzzy logic. The training and evaluation phases used randomly selected connections from a subset of the KDD'99 intrusion detection data set. A selected set of features has been extracted from those connections using a subset evaluation algorithm. This paper shows how the proposed system has been trained, detailing the parameters that affect the training process; it also details the results obtained in the evaluation process, including detection and false positive rates.

    An on-line wireless attack detection system using multi-layer data fusion

    Computer networks, and more specifically wireless communication networks, are increasingly becoming susceptible to more sophisticated and untraceable attacks. Most current Intrusion Detection Systems either focus on just one layer of observation or use a limited number of metrics without proper data fusion techniques. However, the true status of a network is rarely accurately detectable by examining only one network layer. This paper describes a synergistic approach that fuses decisions on whether an attack is taking place, using multiple measurements from different layers of wireless communication networks. The described method is implemented on a live system that monitors a wireless network in real time and gives an indication of whether a malicious frame exists or not. This is achieved by analysing specific metrics and comparing them against historical data. The proposed system assigns to each metric a belief of whether an attack is taking place or not. The beliefs from the different metrics are fused with the Dempster-Shafer technique, with the ultimate goal of limiting false alarms by combining beliefs from various network layers. The on-line experimental results show that cross-layer techniques and data fusion perform more efficiently than conventional methods.