  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
11

Wireless Intrusion Detection System

Vigo, John Louis, Jr. 17 December 2004
The decrease in price and the ease of use of wireless network devices make them an attractive alternative to standard wired networks. However, the intrinsic insecurity of wireless media and weaknesses in the standards for use of wireless media leave wireless networks vulnerable to attacks from unauthorized users. The intrinsic insecurity of wireless media results from radio signals extending beyond the network's intended coverage area and the weaknesses in the standards result from the methods used for authorization and privacy. These insecurities restrict the use of wireless networks by entities that need a high level of security. This paper describes a Wireless Intrusion Detection System (WIDS) that provides additional security for 802.11b wireless networks. WIDS provides intrusion detection that can react to potential threats and locate an intruder through the use of intelligent access points equipped with rotating directional antennas.
12

Misconfiguration Analysis of Network Access Control Policies

Tran, Tung 16 February 2009
Network access control (NAC) systems have a very important role in network security. However, NAC policy configuration is an extremely complicated and error-prone task due to the semantic complexity of NAC policies and the large number of rules that could exist. This significantly increases the possibility of policy misconfigurations and network vulnerabilities. NAC policy misconfigurations jeopardize network security and can result in severe consequences such as reachability and denial-of-service problems. In this thesis, we choose to study and analyze the NAC policy configuration of two significant network security devices, namely, firewall and IDS/IPS. In the first part of the thesis, a visualization technique is proposed to visualize firewall rules and policies to efficiently enhance the understanding and inspection of firewall configuration. This is implemented in a tool called PolicyVis. Our tool helps the user to answer general questions such as “Does this policy satisfy my connection/security requirements”. If not, the user can detect all misconfigurations in the firewall policy. In the second part of the thesis, we study various policy misconfigurations of Snort, a very popular IDS/IPS. We focus on the misconfigurations of the flowbits option, which is one of the most important features to offer a stateful signature-based NIDS. We particularly concentrate on a class of flowbits misconfiguration that makes Snort susceptible to false negatives. We propose a method to detect the flowbits misconfiguration, suggest practical solutions with controllable false positives to fix the misconfiguration and formally prove that the solutions are complete and sound.
14

Detecting Backdoor

Kao, Cheng-yuan 12 August 2004
Cyber space is like a society. Attacking events happen all the time. No matter what is in the cyber space. We need to do many things to defend our computers and network devices from attackers, for example: update patches, install anti-virus software, firewalls and intrusion detection systems. Among all kinds of network attacks, it is hard to detect that an attacker has installed a backdoor after he cracks the system. He can do many things through the backdoor, like stealing sensitive or secret information. Otherwise, intrusion detection systems are responsible for early warnings, but they usually need to capture all the network packets, including the headers and contents, to analyze. This costs the system a lot of overhead. The goal of our research is to detect backdoors correctly, and we only use the network packet headers to analyze.
15

Lightweight Network Intrusion Detection

Chen, Ya-lin 26 July 2005
Exploit codes based on system vulnerabilities are often used by attackers to attack target computers or services. Such exploit programs often send attack packets in the first few packets right after a connection is established with the target machine or service. And such attacks are often launched via Telnet service as well. A lightweight network-based intrusion detection system is proposed for detecting such attacks on Telnet traffic. The proposed system filters the first few packets after each Telnet connection is established and only uses partial data of a packet rather than the whole of it to detect intrusion, i.e. such a design reduces the system load a lot. This research is anomaly detection. The proposed system characterizes the normal traffic behavior and constructs it as a normal model based on the filtered normal traffic. In the detection phase, the system examines the deviation of the current filtered packet from the normal model via an anomaly score function, i.e. a more deviant packet will receive a higher anomaly score. Finally, we use the 1999 DARPA Intrusion Detection Evaluation Data Set, which contains 5 days of training data and 10 days of testing data, and 44 attack instances of 16 types of attacks, to evaluate our proposed system. The proposed system has a detection rate of 73% under a low false alarm rate of 2 false alarms per day; 80% for the hard detected attacks which are poorly detected in 1999 DARPA IDEP.
16

Intrusion Detection on Distributed Attacks

Cheng, Wei-Cheng 29 July 2003
The number of significant security incidents tends to increase day by day in recent years. The distributed denial of service attacks and worm attacks extensively influence the network and cause serious damage. In the thesis, we analyze these two critical distributed attacks. We propose an intrusion detection approach against this kind of attack and implement an attack detection system based on the approach. We use anomaly detection among intrusion detection techniques and observe the anomalous distribution of packet fields to perform the detection. The proposed approach records the characteristics of normal traffic volumes so as to make detection more flexible and more precise. Finally, we evaluated our approach by experiments.
17

A Hybrid Framework for Intrusion Detection in Wireless Mesh Networks

Bin Aftab, Muhammad Usama 22 December 2015
Network security is an important domain in the field of computer engineering. Sensitive information flowing across computer networks is vulnerable to potential threats, therefore it is important to ensure its security. Wireless Mesh Networks (WMNs) are self-organized networks deployed in small proximity which have a wireless ad-hoc mesh topology. While they are cost effective and easy to deploy, they are extremely vulnerable to network intrusions due to no central switch or router. However, they can be secured using cryptographic techniques, firewalls or Demilitarized Zones (DMZs). Intrusion Detection Systems (IDSs) are used as a secondary line-of-defence in computer networks from possible intrusions. This thesis proposes a framework for a Hybrid Intrusion Detection System (HIDS) for WMN. / Graduate
18

Ensemble Fuzzy Belief Intrusion Detection Design

Chou, Te-Shun 13 November 2007
With the rapid growth of the Internet, computer attacks are increasing at a fast pace and can easily cause millions of dollars in damage to an organization. Detecting these attacks is an important issue of computer security. There are many types of attacks and they fall into four main categories: Denial of Service (DoS) attacks, Probe, User to Root (U2R) attacks, and Remote to Local (R2L) attacks. Within these categories, DoS and Probe attacks continuously show up with greater frequency in a short period of time when they attack systems. They are different from the normal traffic data and can be easily separated from normal activities. On the contrary, U2R and R2L attacks are embedded in the data portions of the packets and normally involve only a single connection. It becomes difficult to achieve satisfactory detection accuracy for detecting these two attacks. Therefore, we focus on studying the ambiguity problem between normal activities and U2R/R2L attacks. The goal is to build a detection system that can accurately and quickly detect these two attacks. In this dissertation, we design a two-phase intrusion detection approach. In the first phase, a correlation-based feature selection algorithm is proposed to advance the speed of detection. Features with poor prediction ability for the signatures of attacks and features inter-correlated with one or more other features are considered redundant. Such features are removed and only indispensable information about the original feature space remains. In the second phase, we develop an ensemble intrusion detection system to achieve accurate detection performance. The proposed method includes multiple feature selecting intrusion detectors and a data mining intrusion detector. The former ones consist of a set of detectors, and each of them uses a fuzzy clustering technique and belief theory to solve the ambiguity problem.
The latter one applies a data mining technique to automatically extract computer users’ normal behavior from training network traffic data. The final decision is a combination of the outputs of feature selecting and data mining detectors. The experimental results indicate that our ensemble approach not only significantly reduces the detection time but also effectively detects U2R and R2L attacks that contain degrees of ambiguous information.
19

Augmenting Network Flows with User Interface Context to Inform Access Control Decisions

Chuluundorj, Zorigtbaatar 10 October 2019
Whitelisting IP addresses and hostnames allows organizations to employ a default-deny approach to network traffic. Organizations employing a default-deny approach can stop many malicious threats, even including zero-day attacks, because it only allows explicitly stated legitimate activities. However, creating a comprehensive whitelist for a default-deny approach is difficult due to user-supplied destinations that can only be known at the time of usage. Whitelists, therefore, interfere with user experience by denying network traffic to user-supplied legitimate destinations. In this thesis, we focus on creating dynamic whitelists that are capable of allowing user-supplied network activity. We designed and built a system called Harbinger, which leverages user interface activity to provide contextual information in which network activity took place. We built Harbinger for Microsoft Windows operating systems and have tested its usability and effectiveness on four popular Microsoft applications. We find that Harbinger can reduce false-positive detection rates from 44%-54% to 0%-0.4% in IP and DNS whitelists. Furthermore, while traditional whitelists failed to detect propagation attacks, Harbinger detected the same attacks 96% of the time. We find that our system only introduced six milliseconds of delay or less for 96% of network activity.
20

Deep Learning-Based Anomaly Detection System for Guarding Internet of Things Devices

Azumah, Sylvia W. 05 October 2021
No description available.
