Spelling suggestions: "subject:": intrusion detection system"" "subject:": ntrusion detection system""
41 |
Pruning GHSOM to create an explainable intrusion detection systemKirby, Thomas Michael 12 May 2023 (has links) (PDF)
Intrusion Detection Systems (IDS) that provide high detection rates but are black boxes leadto models that make predictions a security analyst cannot understand. Self-Organizing Maps(SOMs) have been used to predict intrusion to a network, while also explaining predictions throughvisualization and identifying significant features. However, they have not been able to compete withthe detection rates of black box models. Growing Hierarchical Self-Organizing Maps (GHSOMs)have been used to obtain high detection rates on the NSL-KDD and CIC-IDS-2017 network trafficdatasets, but they neglect creating explanations or visualizations, which results in another blackbox model.This paper offers a high accuracy, Explainable Artificial Intelligence (XAI) based on GHSOMs.One obstacle to creating a white box hierarchical model is the model growing too large and complexto understand. Another contribution this paper makes is a pruning method used to cut down onthe size of the GHSOM, which provides a model that can provide insights and explanation whilemaintaining a high detection rate.
|
42 |
Leveraging PLC Ladder Logic for Signature Based IDS Rule GenerationRichey, Drew Jackson 12 August 2016 (has links)
Industrial Control Systems (ICS) play a critical part in our world’s economy, supply chain and critical infrastructure. Securing the various types of ICS is of the utmost importance and has been a focus of much research for the last several years. At the heart of many defense in depth strategies is the signature based intrusion detection system (IDS). The signatures that define an IDS determine the effectiveness of the system. Existing methods for IDS signature creation do not leverage the information contained within the PLC ladder logic file. The ladder logic file is a rich source of information about the PLC control system. This thesis describes a method for parsing PLC ladder logic to extract address register information, data types and usage that can be used to better define the normal operation of the control system which will allow for rules to be created to detect abnormal activity.
|
43 |
Cyber attacks against small companies that outsource their servicesHaji Akbar, Mahan, Babar, Shahryar Khan January 2022 (has links)
Companies outsource a lot of their development tasks. The use of external development teams introduces security problems which may lead to data breaches and even corporate espionage where business ideas are used in other companies, leading to leaking of trade secrets. A detailed explanation of the security implications of outsourcing is given, with ways to mitigate such risks in the first section of the report. The report also explains some basics theory in cyber security such as information gathering, vulnerability scanning, exploitation and post exploitation. We also look at some software tools used in the field. Due to the lack of knowledge and awareness about cyber security, most small companies do not have enough protection against these malicious attacks. The proposed intrusion detection system is capable of recognizing various kinds of cyber attacks including denial of serviceattack, spoofing attack, sniffing attack and so on. The proposed system employs ensemble learning and feature selection techniques to reduce the computational cost and improve the detection rate simultaneously. This paper presents an intelligent intrusion detection system based on tree-structure machine learning models. After the implementation of the proposed intrusion detection system on standard data sets, the system has achieved high detection rate and low computational cost simultaneously. The method used to bring results is python with scikit library that can help with machine learning. The results will show figures of heatmap and scores of models that will explain how likely it will identify a cyber attack.
|
44 |
Machine Learning-Enabled Security in Internet of Things and Cyber-Physical SystemsLiu, Jinxin 13 April 2023 (has links)
Internet of Things (IoT) is a promising and thriving technology that incorporates a variety of smart devices that provide enhanced services for remote communication and interaction between humans and physical items. The number of deployed IoT devices will increase to 41.6 billion in 2025, as predicted by International Data Corporation. With such a large population, assaults on IoT networks will harm a vast number of users and IoT devices. In light of this, we explore security from physical and network viewpoints in this thesis.
To preserve privacy in IoT environment, this thesis begins by proposing RASA, a context-sensitive access authorization approach.
We evaluate the promise of RASA-generated policies against a heuristic rule-based policy. The decisions of the RASA and that of the policy are more than 99% consistent.
Furthermore, not only physical attacks but also cybercrimes will threaten IoT networks; consequently, this thesis proposes various Network Intrusion Detection System (NIDS) to identify network intrusions. In this thesis, we firstly examine traditional attacks in the NSL-KDD dataset that can impact sensor networks. Furthermore, in order to detect the introduced attacks, we study eleven machine learning algorithms, among which, XGBoost ranks the first with 97% accuracy.
As attack tactics continue to evolve, Advanced Persistent Threat (APT) poses a greater risk to IoT networks than traditional incursions. This thesis presents SCVIC-APT-2021 to define a APT benchmark. Following upon this, an ML-based Attack Centric Method (ACM) is introduced achieving 9.4% improvement with respect to the baseline performance.
This thesis proposes a Combined Intrusion Detection System (CIDS) that takes network and host information into consideration to reduce data noise and improve the performance of IDS. Two new CIDS datasets, SCVIC-CIDS-2021 and SCVIC-CIDS-2022, are generated. We further propose CIDS-Net to incorporate network and host related data. CIDS-Net boost the macro F1 score of the best baseline by 5.8% (up to 99.95%) and 5.1% (up to 91.3%), respectively on the two datasets.
Besides of detection performance, timely response is considered as a critical metric of NIDS. This thesis introduces Multivariate Time Series (MTS) early detection into NIDS . We form TS-CICIDS2017 which is a time series based NIDS dataset and a new deep learning-based early detection model called Multi-Domain Transformer (MDT) is proposed, resulting in a 84.1% macro F-score with only few of the initial packets.
To reduce the size of NIDS inputs, this work proposes a deep learning-based lossy time series compressor (Deep Dict) to achieve a high compression ratio while limiting the decompression error within a desired range. As demonstrated by the results, Deep Dict outperforms the compression ratio of the state-of-the-art lossy compression methods by up to 53.66%.
|
45 |
Methods for network intrusion detection : Evaluating rule-based methods and machine learning models on the CIC-IDS2017 datasetLindstedt, Henrik January 2022 (has links)
Network intrusion detection is a task aimed to identify malicious network traffic. Malicious networktraffic is generated when a perpetrator attacks a network or internet-connected device with the intent todisrupt, steal or destroy a service or information. Two approaches for this particular task is the rule-basedmethod and the use of machine learning. The purpose of this paper was to contribute with knowledgeon how to evaluate and build better network intrusion detection systems (NIDS). That was fulfilled bycomparing the detection ability of two machine learning models, a neural network and a random forestmodel, with a rule-based NIDS called Snort. The paper describes how the two models and Snort wereconstructed and how performance metrics were generated on a dataset called CIC-IDS2017. It also describes how we capture our own malicious network traffic and the models ability to classify that data. Thecomparisons shows that the neural network outperforms Snort and the Random forest. We also presentfour factors that may influence which method that should be used for intrusion detection. In addition weconclude that we see potential in using CIC-IDS2017 to build NIDS based on machine learning.
|
46 |
Machine Learning and Knowledge-Based Integrated Intrusion Detection SchemesShen, Yu 06 July 2022 (has links)
As electronic computer technology advances, files and data are kept in computers and exchanged through networks. The computer is a physically closed system for users, making it harder for others to steal data via direct touch. Computer networks, on the other hand, can be used by hackers to gain access to user accounts and steal sensitive data. The academics are concentrating their efforts on preventing network attacks and assuring data security. The Intrusion Detection System (IDS) relies on network traffic and host logs to detect and protect against network threats. They all, however, necessitate a lot of data analysis and quick reaction tactics, which puts a lot of pressure on network managers. The advancement of AI allows computers to take over difficult and time-consuming data processing activities, resulting in more intelligent network attack protection techniques and timely alerts of suspected network attacks. The SCVIC-APT-2021 dataset which is specific to the APT attacks is generated to serve as a benchmark for APT detection. A Virtual Private Network (VPN) connects two network domains to form the basic network environment for creating the dataset. Kali Linux is used as a hacker to launch multiple rounds of APT attacks and compromise two network domains from the external network. The generated dataset contains six APT stages, each of which includes different attack techniques. Following that, a knowledge-based machine learning model is proposed to detect APT attacks on the developed SCVIC-APT-2021 dataset. The macro average F1-score increases by 11.01% and reach up to 81.92% when compared to the supervised baseline model. NSL-KDD and UNSW-NB15 are then utilized as benchmarks to verify the performance of the proposed model. The weighted average F1-score on both datasets can reach 76.42% and 79.20%, respectively. Since some network attacks leave host-based information such as system logs on the network devices, the detection scheme that integrates network-based features and host-based features are used to boost the network attack detection capabilities of IDS. The raw data of CSE-CIC-IDS2018 is utilized to create the SCIVC-CIDS-2021 dataset which includes both network-based features and host-based features. To ensure precise classification results, the SCVIC-CIDS-2021 is labelled with the attacking techniques. Due to the high dimensionalities of the features in the produced dataset, Autoencoder (AE) and Gated Recurrent Unit (GRU) are employed to reduce the dimensionality of network-based and host-based features, respectively. Finally, classification of the data points is performed using knowledge-based PKI and PKI Difference (PKID) models. Among these, the PKID model performs better with a macro average F1-score of 96.60%, which is 7.62% higher than the results only utilizing network-based features.
|
47 |
Improving the precision of an Intrusion Detection System using Indicators of Compromise : - a proof of concept -Lejonqvist, Gisela, Larsson, Oskar January 2018 (has links)
The goal of this research is to improve an IDS so that the percentage of true positives is high, an organisation can cut time and cost and use its resources in a more optimal way. This research goal was to prove that the precision of an intrusion detection system (IDS), in terms of producing lower rate of false positives or higher rate of true alerts, can be achieved by parsing indicators of compromise (IOC) to gather information, that combined with system-specific knowledge will be a solid base for manual fine-tuning of IDS-rules. The methodology used is Design Science Research Methodology (DSRM) because it is used for research that aims to answer an existing problem with a new or improved solution. A part of that solution is a proposed process for tuning of an arbitrary intrusion detection system. The implemented and formalized process Tuned Intrusion Detection System (TIDS) has been designed during this research work, aiding us in presenting and performing validation tests in a structured and robust way. The testbed consisted of a Windows 10 operating system and a NIDS implementation of Snort as an IDS. The work was experimental, evaluated and improved regarding IDS rules and tools over several iterations. With the use of recorded data traffic from the public dataset CTU-13, the difference between the use of tuned versus un-tuned rules in an IDS was presented in terms of precision of the alerts created by the IDS. Our contributions were that the concept holds; the precision can be improved by adding custom rules based on known parameters in the network and features of the network traffic and disabling rules that were out of scope. The second contribution is the TIDS process, as designed during the thesis work, serving us well during the process.
|
48 |
Cross-Device Federated Intrusion Detector For Early Stage Botnet PropagationFamera, Angela Grace 03 January 2023 (has links)
No description available.
|
49 |
AI-Based Intrusion Detection Systems to Secure Internet of Things (IoT)Otoum, Yazan 20 September 2022 (has links)
The Internet of Things (IoT) is comprised of numerous devices that are connected through wired or wireless networks, including sensors and actuators. The number of IoT applications has recently increased dramatically, including Smart Homes, Internet of Vehicles (IoV), Internet of Medical Things (IoMT), Smart Cities, and Wearables. IoT Analytics has reported that the number of connected devices is expected to grow 18% to 14.4 billion in 2022 and will be 27 billion by 2025. Security is a critical issue in today's IoT, due to the nature of the architecture, the types of devices, the different methods of communication (mainly wireless), and the volume of data being transmitted over the network. Furthermore, security will become even more important as the number of devices connected to the IoT increases. However, devices can protect themselves and detect threats with the Intrusion Detection System (IDS). IDS typically use one of two approaches: anomaly-based or signature-based. In this thesis, we define the problems and the particular requirements of securing the IoT environments, and we have proposed a Deep Learning (DL) anomaly-based model with optimal features selection to detect the different potential attacks in IoT environments. We then compare the performance results with other works that have been used for similar tasks. We also employ the idea of reinforcement learning to combine the two different IDS approaches (i.e., anomaly-based and signature-based) to enable the model to detect known and unknown IoT attacks and classify the recognized attacked into five classes: Denial of Service (DDoS), Probe, User-to-Root (U2R), Remote-to-Local (R2L), and Normal traffic. We have also shown the effectiveness of two trending machine-learning techniques, Federated and Transfer learning (FL/TL), over using the traditional centralized Machine and Deep Learning (ML/DL) algorithms. Our proposed models improve the model's performance, increase the learning speed, reduce the amount of data that needs to be trained, and reserve user data privacy when compared with the traditional learning approaches. The proposed models are implemented using the three benchmark datasets generated by the Canadian Institute for Cybersecurity (CIC), NSL-KDD, CICIDS2017, and the CSE-CIC-IDS2018. The performance results were evaluated in different metrics, including Accuracy, Detection Rate (DR), False Alarm Rate (FAR), Sensitivity, Specificity, F-measure, and training and fine-tuning times.
|
50 |
Hidden Markov models and alert correlations for the prediction of advanced persistent threatsGhafir, Ibrahim, Kyriakopoulos, K.G., Lambotharan, S., Aparicio-Navarro, F.J., Assadhan, B., Binsalleeh, H., Diab, D.M. 24 January 2020 (has links)
Yes / Cyber security has become a matter of a global interest, and several attacks target industrial companies and governmental organizations. The advanced persistent threats (APTs) have emerged as a new and complex version of multi-stage attacks (MSAs), targeting selected companies and organizations. Current APT detection systems focus on raising the detection alerts rather than predicting APTs. Forecasting the APT stages not only reveals the APT life cycle in its early stages but also helps to understand the attacker's strategies and aims. This paper proposes a novel intrusion detection system for APT detection and prediction. This system undergoes two main phases; the first one achieves the attack scenario reconstruction. This phase has a correlation framework to link the elementary alerts that belong to the same APT campaign. The correlation is based on matching the attributes of the elementary alerts that are generated over a configurable time window. The second phase of the proposed system is the attack decoding. This phase utilizes the hidden Markov model (HMM) to determine the most likely sequence of APT stages for a given sequence of correlated alerts. Moreover, a prediction algorithm is developed to predict the next step of the APT campaign after computing the probability of each APT stage to be the next step of the attacker. The proposed approach estimates the sequence of APT stages with a prediction accuracy of at least 91.80%. In addition, it predicts the next step of the APT campaign with an accuracy of 66.50%, 92.70%, and 100% based on two, three, and four correlated alerts, respectively. / The Gulf Science, Innovation and Knowledge Economy Programme of the U.K. Government under UK-Gulf Institutional Link Grant IL 279339985 and in part by the Engineering and Physical Sciences Research Council (EPSRC), U.K., under Grant EP/R006385/1.
|
Page generated in 0.1321 seconds