31

ARL-VIDS visualization techniques : 3D information visualization of network security events

Gaw, Tyler J. 03 May 2014 (has links)
Government agencies and corporations are growing increasingly reliant on networks for day-to-day operations including communication, data processing, and data storage. As a result, these networks are in a constant state of growth. These burgeoning networks cause the number of network security events requiring investigation to grow exceptionally, creating new problems for network security analysts. The increasing number of attacks propagated against high-value networks only increases the gravity. Therefore, security analysts need assistance to be able to continue to monitor network events at an acceptable rate. Network analysts rely on many different systems and tools to properly secure a network. One line of defense is an intrusion detection system or IDS. Intrusion detection systems monitor networks for suspicious activity and then print alerts to a log file. An important part of effective intrusion detection is finding relationships between network events, which allows for detection of network anomalies. However, network analysts typically monitor these logs in a sparsely formatted view, which simply isn’t effective for large networks. Therefore, a Visual Intrusion Detection System or VIDS is an interesting solution to aid network security analysts in properly securing the networks. The visualization tool takes a log file and represents the alerts on a three-dimensional graph. Previous research shows that humans have an innate ability to match patterns based on visual cues, which we hope will allow network analysts to match patterns between alerts and identify anomalies. In addition, the tool will leverage the user’s intuition and experience to aid intrusion detection by allowing them to manipulate the view of the data. The objective of this thesis is to quantify and measure the effectiveness of this Visual Intrusion Detection System built as an extension to the SNORT open source IDS. 
The purpose of the visualization is to give network security analysts an alternative view from what traditional network security software provides. This thesis will also explore other features that can be built into a Visual Intrusion Detection System to improve its functionality. / Department of Computer Science
32

Anomaly-based correlation of IDS alarms

Tjhai, Gina C. January 2011 (has links)
An Intrusion Detection System (IDS) is one of the major techniques for securing information systems and keeping pace with current and potential threats and vulnerabilities in computing systems. It is an indisputable fact that the art of detecting intrusions is still far from perfect, and IDSs tend to generate a large number of false IDS alarms. Hence humans inevitably have to validate those alarms before any action can be taken. As IT infrastructure becomes larger and more complicated, the number of alarms that need to be reviewed can escalate rapidly, making this task very difficult to manage. The need for an automated correlation and reduction system is therefore very much evident. In addition, alarm correlation is valuable in providing the operators with a more condensed view of potential security issues within the network infrastructure. The thesis embraces a comprehensive evaluation of the problem of false alarms and a proposal for an automated alarm correlation system. A critical analysis of existing alarm correlation systems is presented along with a description of the need for an enhanced correlation system. The study concludes that whilst a large number of works had been carried out in improving correlation techniques, none of them were perfect. They either required an extensive level of domain knowledge from the human experts to effectively run the system or were unable to provide high-level information on the false alerts for future tuning. The overall objective of the research has therefore been to establish an alarm correlation framework and system which enables the administrator to effectively group alerts from the same attack instance and subsequently reduce the volume of false alarms without the need for domain knowledge. The achievement of this aim has comprised the proposal of an attribute-based approach, which is used as a foundation to systematically develop an unsupervised two-stage correlation technique. 
From this formation, a novel SOM K-Means Alarm Reduction Tool (SMART) architecture has been modelled as the framework from which a time- and attribute-based aggregation technique is offered. The thesis describes the design and features of the proposed architecture, focusing upon the key components forming the underlying architecture, the alert attributes and the way they are processed and applied to correlate alerts. The architecture is strengthened by the development of a statistical tool, which offers a means to perform result or alert analysis and comparison. The main concepts of the novel architecture are validated through the implementation of a prototype system. A series of experiments were conducted to assess the effectiveness of SMART in reducing false alarms. This aimed to prove the viability of implementing the system in a practical environment and that the study has provided an appropriate contribution to knowledge in this field.
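Both entries above start from the same raw material: a Snort alert log. The example below is added here and is not code from either thesis; it parses Snort's "fast" alert line format and then groups alerts into attack instances by shared attributes (signature, source, destination) and a time window, which is the kind of first-stage aggregation a visualiser (entry 31) or a correlator (entry 32) consumes. The log lines, the 60-second window, the grouping key and the SIDs in the sample are all constructed for this example; the SOM/K-means stage of SMART is not reproduced.

```python
import re
from collections import defaultdict
from datetime import datetime

# Snort "fast" alert line:
# MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)
_EPOCH = datetime(1900, 1, 1)  # fast.log carries no year; only time deltas are used

# Constructed sample log (SIDs and addresses are illustrative, not real findings).
SAMPLE_LOG = """\
01/15-10:22:31.000100  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51234 -> 192.168.1.10:22
01/15-10:22:33.000200  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51235 -> 192.168.1.10:22
01/15-10:22:35.000300  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51236 -> 192.168.1.10:22
01/15-10:22:36.000400  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 192.168.1.10
01/15-10:22:40.000500  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51237 -> 192.168.1.10:22
01/15-10:25:10.000600  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51300 -> 192.168.1.10:22
01/15-10:25:12.000700  [**] [1:1000001:1] LOCAL WEB Suspicious path traversal [**] [Priority: 1] {TCP} 10.0.0.9:40000 -> 192.168.1.20:80
"""


def parse_fast_alert(line):
    """Parse one fast.log line into a dict, or return None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    dt = datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f")
    return {
        "t": (dt - _EPOCH).total_seconds(),
        "sid": int(d["sid"]), "msg": d["msg"], "prio": int(d["prio"]),
        "proto": d["proto"], "src": d["src"], "dst": d["dst"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dport": int(d["dport"]) if d["dport"] else None,
    }


def load_alerts(text):
    return [a for a in (parse_fast_alert(l) for l in text.splitlines()) if a]


def _summarise(key, seq):
    sid, src, dst = key
    return {"sid": sid, "src": src, "dst": dst, "msg": seq[0]["msg"],
            "count": len(seq), "first": seq[0]["t"], "last": seq[-1]["t"],
            "dports": sorted({a["dport"] for a in seq if a["dport"] is not None})}


def aggregate(alerts, window=60.0):
    """Group alerts sharing (sid, src, dst); split a group into separate attack
    instances wherever the gap between consecutive alerts exceeds `window` seconds."""
    groups = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["t"]):
        groups[(a["sid"], a["src"], a["dst"])].append(a)
    instances = []
    for key, seq in groups.items():
        current = [seq[0]]
        for a in seq[1:]:
            if a["t"] - current[-1]["t"] > window:
                instances.append(_summarise(key, current))
                current = [a]
            else:
                current.append(a)
        instances.append(_summarise(key, current))
    return sorted(instances, key=lambda i: i["first"])


def reduction_ratio(alerts, instances):
    """Fraction of raw alerts the analyst no longer has to read individually."""
    return 1.0 - len(instances) / len(alerts) if alerts else 0.0


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_LOG)
    instances = aggregate(alerts)
    for i in instances:
        print(f"{i['count']:3d}x sid {i['sid']} {i['src']} -> {i['dst']} ports {i['dports']} : {i['msg']}")
    print(f"{len(alerts)} alerts -> {len(instances)} instances (reduction {reduction_ratio(alerts, instances):.0%})")
```

The window is the main tuning knob: widening it merges the two SSH-scan bursts into one instance, narrowing it splits them. Whatever value is chosen, the output still lists every distinct (signature, source, destination) triple, so aggregation compresses repeated alerts without hiding a source that appears only once.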
33

Performance metrics for network intrusion systems

Tucker, Christopher John January 2013 (has links)
Intrusion systems have been the subject of considerable research during the past 33 years, since the original work of Anderson. Much has been published attempting to improve their performance using advanced data processing techniques including neural nets, statistical pattern recognition and genetic algorithms. Whilst some significant improvements have been achieved they are often the result of assumptions that are difficult to justify and comparing performance between different research groups is difficult. The thesis develops a new approach to defining performance focussed on comparing intrusion systems and technologies. A new taxonomy is proposed in which the type of output and the data scale over which an intrusion system operates is used for classification. The inconsistencies and inadequacies of existing definitions of detection are examined and five new intrusion levels are proposed from analogy with other detection-based technologies. These levels are known as detection, recognition, identification, confirmation and prosecution, each representing an increase in the information output from, and functionality of, the intrusion system. These levels are contrasted over four physical data scales, from application/host through to enterprise networks, introducing and developing the concept of a footprint as a pictorial representation of the scope of an intrusion system. An intrusion is now defined as “an activity that leads to the violation of the security policy of a computer system”. Five different intrusion technologies are illustrated using the footprint with current challenges also shown to stimulate further research. Integrity in the presence of mixed trust data streams at the highest intrusion level is identified as particularly challenging. Two metrics new to intrusion systems are defined to quantify performance and further aid comparison. 
Sensitivity is introduced to define basic detectability of an attack in terms of a single parameter, rather than the usual four currently in use. Selectivity is used to describe the ability of an intrusion system to discriminate between attack types. These metrics are quantified experimentally for network intrusion using the DARPA 1999 dataset and SNORT. Only nine of the 58 attack types present were detected with sensitivities in excess of 12dB, indicating that detection performance of the attack types present in this dataset remains a challenge. The measured selectivity was also poor, indicating that only three of the attack types could be confidently distinguished. The highest value of selectivity was 3.52, significantly lower than the theoretical limit of 5.83 for the evaluated system. Options for improving selectivity and sensitivity through additional measurements are examined.
34

Detection of Deviations From Authorized Network Activity Using Dynamic Bayesian Networks

Ewell, Cris Vincent 01 January 2011 (has links)
This research addressed one of the hard problems still plaguing the information security profession; detection of network activity deviations from authorized accounts when the deviations are similar to normal network activity. Specifically, when user and administrator type accounts are used for malicious activity, harm can come to the organization. Accurately modeling normal user network activity is hard to accomplish and detecting misuse is a complex problem. Much work has been done in the past with intrusion detection systems, but being able to detect masquerade events with high accuracy and low false alarm rates continues to be an issue. Bayesian networks have been successfully used in the past to reason under certainty by combining prior knowledge with observed data. The use of dynamic Bayesian Networks, such as multi-entity Bayesian network, extends the capability and can address complex problems. The goal of the research was to extend previous research with multi-entity Bayesian networks along with discretization methods to improve the effectiveness of the detection rate while maintaining an acceptable level of false positives. Preprocessing continuous variables has proven effective in prior research but has not been applied to multi-entity Bayesian networks in the past. Five different discretization methods were used in this research. Analyses using receiver operating characteristic curves, confusion matrices, and other comparison methods were completed as part of this research. The results of the research demonstrated that a multi-entity Bayesian network model based on multiple data sources and the relationship between the user attributes could be used to detect unauthorized access to data. The supervised top-down discretization methods had better performance related to the overall classification accuracy. Specifically, the class-attribute interdependence maximization discretization method outperformed the other four discretization methods. 
When compared to previous masquerade detection methods, the class-attribute interdependence maximization discretization method had a comparable true positive rate with a lower false positive rate.
35

Cloud intrusion detection based on change tracking and a new benchmark dataset

Aldribi, Abdulaziz 30 August 2018 (has links)
The adoption of cloud computing has increased dramatically in recent years due to attractive features such as flexibility, cost reductions, scalability, and pay per use. Shifting towards cloud computing is attracting not only industry but also government and academia. However, given their stringent privacy and security policies, this shift is still hindered by many security concerns related to the cloud computing features, namely shared resources, virtualization and multi-tenancy. These security concerns vary from privacy threats and lack of transparency to intrusions from within and outside the cloud infrastructure. Therefore, to overcome these concerns and establish a strong trust in cloud computing, there is a need to develop adequate security mechanisms for effectively handling the threats faced in the cloud. Intrusion Detection Systems (IDSs) represent an important part of such mechanisms. Developing cloud based IDS that can capture suspicious activity or threats, and prevent attacks and data leakage from both inside and outside the cloud environment is paramount. However, cloud computing is faced with a multidimensional and rapidly evolving threat landscape, which makes cloud based IDS more challenging. Moreover, one of the most significant hurdles for developing such cloud IDS is the lack of publicly available datasets collected from a real cloud computing environment. In this dissertation, we introduce the first public dataset of its kind, named ISOT Cloud Intrusion Dataset (ISOT-CID), for cloud intrusion detection. The dataset consists of several terabytes of data, involving normal activities and a wide variety of attack vectors, collected over multiple phases and periods of time in a real cloud environment. We also introduce a new hypervisor-based cloud intrusion detection system (HIDS) that uses online multivariate statistical change analysis to detect anomalous network behaviors. 
As a departure from the conventional monolithic network IDS feature model, we leverage the fact that a hypervisor consists of a collection of instances, to introduce an instance-oriented feature model that exploits individual as well as correlated behaviors of instances to improve the detection capability. The proposed approach is evaluated using ISOT-CID and the experiments along with results are presented. / Graduate / 2020-08-14
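To make the instance-oriented idea concrete, here is an added example (not the dissertation's HIDS and not its statistical method) of online multivariate change detection kept per instance at the hypervisor, with a second check across instances for correlated behaviour. It assumes three per-instance network features (packets/s, bytes/s, distinct destination ports), a Welford running mean/variance per feature, a diagonal-covariance Mahalanobis score, a warm-up of 20 observations and a threshold of 25 picked for the constructed traffic below; all of these are assumptions of the example.

```python
import math
from collections import defaultdict


class InstanceProfile:
    """Running per-instance profile (Welford mean/variance per feature) and an
    online change score: the squared standardised distance of a new feature
    vector from the profile, i.e. a Mahalanobis distance with a diagonal
    covariance (feature independence is an assumption made here to keep the
    example dependency-free)."""

    def __init__(self, n_features, warmup=20, threshold=25.0):
        self.n = 0
        self.mean = [0.0] * n_features
        self.m2 = [0.0] * n_features
        self.warmup = warmup        # observations before scoring is trusted
        self.threshold = threshold  # chosen for the constructed data below

    def score(self, x):
        if self.n < 2:
            return 0.0
        total = 0.0
        for i, xi in enumerate(x):
            var = self.m2[i] / (self.n - 1)
            total += (xi - self.mean[i]) ** 2 / max(var, 1e-6)
        return total

    def observe(self, x):
        """Score x, then fold it into the profile only if it is not flagged, so
        an attacker cannot slowly retrain the baseline with anomalous traffic."""
        s = self.score(x)
        flagged = self.n >= self.warmup and s > self.threshold
        if not flagged:
            self.n += 1
            for i, xi in enumerate(x):
                delta = xi - self.mean[i]
                self.mean[i] += delta / self.n
                self.m2[i] += delta * (xi - self.mean[i])
        return s, flagged


class HypervisorMonitor:
    """One profile per instance plus a cross-instance check: when several
    instances change at the same step, report a correlated event."""

    def __init__(self, n_features, min_correlated=2):
        self.profiles = defaultdict(lambda: InstanceProfile(n_features))
        self.min_correlated = min_correlated

    def step(self, t, observations):
        flags, scores = set(), {}
        for inst, x in observations.items():
            s, flagged = self.profiles[inst].observe(x)
            scores[inst] = s
            if flagged:
                flags.add(inst)
        return {"t": t, "scores": scores, "flags": flags,
                "correlated": len(flags) >= self.min_correlated}


def synthetic_features(inst_idx, t):
    """Constructed per-instance features (packets/s, bytes/s, distinct dst ports):
    a smooth periodic baseline, a port scan from vm-2 starting at t=30, and a
    burst hitting every instance at t=35."""
    pps = 100.0 + 10 * inst_idx + 8 * math.sin(0.7 * t + inst_idx)
    bps = 50000.0 + 3000 * math.cos(0.5 * t + inst_idx)
    ports = 5.0 + (t % 3)
    if inst_idx == 2 and t >= 30:
        ports = 60.0            # many distinct destination ports: scan
    if t == 35:
        pps = 900.0             # simultaneous burst on all instances
    return [pps, bps, ports]


def run_demo(steps=40, instances=("vm-1", "vm-2", "vm-3")):
    mon = HypervisorMonitor(n_features=3)
    results = []
    for t in range(steps):
        obs = {name: synthetic_features(i + 1, t) for i, name in enumerate(instances)}
        results.append(mon.step(t, obs))
    return results


if __name__ == "__main__":
    for r in run_demo():
        if r["flags"]:
            print(r["t"], sorted(r["flags"]), "correlated" if r["correlated"] else "")
```

Two points matter in practice. First, flagged vectors are deliberately not folded into the profile; otherwise a slow ramp of scan traffic would become the new normal. Second, the per-instance view is what makes the cross-instance signal possible: a burst that is unremarkable at the aggregate hypervisor level becomes conspicuous when every instance's own profile breaks at the same step.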
36

Self-adaptable Security Monitoring for IaaS Cloud Environments / Supervision de sécurité auto-adaptative dans les clouds IaaS

Giannakou, Anna 06 July 2017 (has links)
Rapid elasticity and automatic provisioning of virtual resources are some of the main characteristics of IaaS clouds. The dynamic nature of IaaS clouds is translated into frequent changes at different levels of the virtual infrastructure. Due to the critical and sometimes private information hosted in tenant virtual infrastructures, security monitoring is of great concern for both tenants and the provider. 
Unfortunately, the dynamic changes affect the ability of a security monitoring framework to successfully detect attacks that target cloud-hosted virtual infrastructures. In this thesis we have designed a self-adaptable security monitoring framework for IaaS cloud environments that adapts its components to the different changes that occur in a virtual infrastructure. Our framework has two instantiations focused on different security devices: SAIDS, a scalable network intrusion detection system, and AL-SAFE, an introspection-based application-level firewall. We have evaluated our prototype focusing on performance, cost and security for both tenants and the provider. Our results demonstrate that our prototype imposes a tolerable overhead while providing accurate detection results.
37

An Artificial Immune System Approach to Preserving Security in Computer Networks

Ranang, Martin Thorsen January 2002 (has links)
It is believed that many of the mechanisms present in the biological immune system are well suited for adoption to the field of computer intrusion detection, in the form of artificial immune systems. In this report mechanisms in the biological immune system are introduced, their parallels in artificial immune systems are presented, and how they may be applied to intrusion detection in a computer environment is discussed. An artificial immune system is designed, implemented and applied to detect intrusive behavior in real network data in a simulated network environment. The effect of costimulation and clonal proliferation combined with somatic hypermutation to perform affinity maturation of detectors in the artificial immune system is explored through experiments. An exact expression for the probability of a match between two randomly chosen strings using the r-contiguous matching rule is developed. The use of affinity maturation makes it possible to perform anomaly detection by using smaller sets of detectors with a high level of specificity while maintaining a high level of cover and diversity, which increases the number of true positives, while keeping a low level of false negatives.
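The r-contiguous rule and negative selection are easy to get wrong at the edges, so here is an added example (not the thesis's code, and its probability expression is not reproduced) that implements the matcher, censors random detectors against a self set, and computes the probability that two random strings match under the rule. The probability is derived here by a run-length dynamic programme over independent per-position matches; a Monte Carlo estimate cross-checks it. A binary alphabet, string length 12, r = 6, 20 self strings and 50 detectors are assumptions of the example.

```python
import random

ALPHABET = "01"   # binary alphabet (m = 2), an assumption of this example


def r_contiguous_match(detector, s, r):
    """True iff `detector` and `s` agree in at least r contiguous positions."""
    if len(detector) != len(s):
        raise ValueError("strings must have equal length")
    run = 0
    for a, b in zip(detector, s):
        run = run + 1 if a == b else 0
        if run >= r:
            return True
    return False


def random_string(l, rng):
    return "".join(rng.choice(ALPHABET) for _ in range(l))


def negative_selection(self_set, l, r, n_detectors, rng, max_attempts=100_000):
    """Generate candidate detectors at random and keep only those matching no
    self string (the censoring step of negative selection)."""
    detectors, attempts = [], 0
    while len(detectors) < n_detectors and attempts < max_attempts:
        attempts += 1
        cand = random_string(l, rng)
        if not any(r_contiguous_match(cand, s, r) for s in self_set):
            detectors.append(cand)
    return detectors


def is_nonself(detectors, s, r):
    """Anomaly decision: any detector matching the string flags it as non-self."""
    return any(r_contiguous_match(d, s, r) for d in detectors)


def exact_match_probability(l, r, m=2):
    """Probability that two uniformly random length-l strings over an m-letter
    alphabet match under the r-contiguous rule. Positions match independently
    with probability 1/m, so this is P(l Bernoulli(1/m) trials contain a run of
    >= r successes), computed by DP over the current run length."""
    p = 1.0 / m
    dp = [1.0] + [0.0] * (r - 1)   # dp[k]: no run >= r so far, current run = k
    for _ in range(l):
        nxt = [0.0] * r
        for k, prob in enumerate(dp):
            nxt[0] += prob * (1 - p)       # mismatch resets the run
            if k + 1 < r:
                nxt[k + 1] += prob * p     # match extends the run, still below r
        dp = nxt
    return 1.0 - sum(dp)


def estimate_match_probability(l, r, trials, rng):
    """Monte Carlo cross-check of exact_match_probability."""
    hits = sum(r_contiguous_match(random_string(l, rng), random_string(l, rng), r)
               for _ in range(trials))
    return hits / trials


def coverage(detectors, r, l, samples, rng):
    """Fraction of uniformly random strings the detector set flags."""
    return sum(is_nonself(detectors, random_string(l, rng), r) for _ in range(samples)) / samples


def demo_negative_selection(seed=7, l=12, r=6, n_self=20, n_detectors=50):
    rng = random.Random(seed)
    self_set = [random_string(l, rng) for _ in range(n_self)]   # constructed "self"
    dets = negative_selection(self_set, l, r, n_detectors, rng)
    return {
        "detectors": dets,
        "self_flagged": sum(is_nonself(dets, s, r) for s in self_set),
        "coverage": coverage(dets, r, l, 500, rng),
        "exact": exact_match_probability(l, r),
        "estimate": estimate_match_probability(l, r, 20000, rng),
    }


if __name__ == "__main__":
    for k, v in demo_negative_selection().items():
        print(k, v if k != "detectors" else f"{len(v)} detectors")
```

The single-match probability is the quantity that sizes a detector set: with P(match) near 1/16 for these parameters, roughly 50 detectors are needed before a random non-self string is caught with high probability, and the censoring step must reject about three candidates in four, which is the cost that grows quickly as the self set gets large.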
39

Detection of covert channel communications based on intentionally corrupted frame check sequences

Najafizadeh, Ali 01 July 2011 (has links)
This thesis presents the establishment of a covert-channel in wireless networks in the form of frames with intentionally corrupted Frame Check Sequences (FCSs). Previous works had alluded to the possibility of using this kind of covert-channel as an attack vector. We modify a simulation tool, called Sinalgo, which is used as a test bed for generating hypothetical scenarios for establishing a covert-channel. Single and Multi-Agent systems have been proposed as behaviour-based intrusion detection mechanisms, which utilize statistical information about network traffic. This utilized statistical information is used to detect covert-channel communications. This work highlights the potential impact of having this attack perpetrated in communications equipment with a low chance of being detected, if properly crafted. / UOIT
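As an added illustration of the detection side of this abstract (not the thesis's Sinalgo model or its agent design), the example below models frames as (source, payload, FCS) with the CRC-32 used for the Ethernet/802.11 FCS, shows a covert sender signalling bits by deliberately corrupting the FCS, and then applies the statistical check a monitor would run: per sender, is the number of bad-FCS frames plausible under the link's natural error rate? The traffic, the MAC addresses, the 2% baseline error rate, the "bad FCS = 1" encoding and the 1e-4 significance level are all constructed assumptions.

```python
import math
import zlib
from collections import defaultdict

HONEST = "02:00:00:00:00:01"   # constructed addresses
COVERT = "02:00:00:00:00:02"


def fcs(payload: bytes) -> int:
    """CRC-32 as used for the Ethernet/802.11 frame check sequence."""
    return zlib.crc32(payload) & 0xFFFFFFFF


def build_frame(src, payload, corrupt=False):
    """A frame is modelled as (src, payload, fcs). corrupt=True flips one FCS bit,
    so a normal receiver discards the frame while a covert peer still reads it."""
    c = fcs(payload)
    if corrupt:
        c ^= 0x1
    return (src, payload, c)


def fcs_ok(frame):
    return fcs(frame[1]) == frame[2]


def encode_covert(src, bits, filler=b"keepalive"):
    """One frame per covert bit: bad FCS encodes '1', good FCS encodes '0'
    (the encoding is an assumption of this example)."""
    return [build_frame(src, filler + bytes([i & 0xFF]), corrupt=(b == "1"))
            for i, b in enumerate(bits)]


def decode_covert(frames):
    return "".join("0" if fcs_ok(f) else "1" for f in frames)


def binom_tail(k, n, p):
    """P(X >= k) for X ~ Binomial(n, p): how surprising k bad FCS out of n frames
    are if the link's natural error rate is p."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def detect_fcs_channel(frames, p0=0.02, alpha=1e-4):
    """Per-sender FCS error statistics. A sender whose bad-FCS count is
    implausible under the baseline error rate p0 is reported as suspicious."""
    counts = defaultdict(lambda: [0, 0])          # src -> [frames, bad]
    for f in frames:
        counts[f[0]][0] += 1
        if not fcs_ok(f):
            counts[f[0]][1] += 1
    report = {}
    for src, (n, bad) in counts.items():
        pval = binom_tail(bad, n, p0)
        report[src] = {"frames": n, "bad_fcs": bad, "p_value": pval,
                       "suspicious": pval < alpha}
    return report


def build_traffic():
    """Constructed capture: an honest sender with three noise-corrupted frames
    and a covert sender signalling the ASCII bits of 'Hi' through the FCS."""
    honest = [build_frame(HONEST, b"data-%03d" % i, corrupt=(i in (17, 88, 143)))
              for i in range(200)]
    covert = encode_covert(COVERT, "0100100001101001")
    return {"honest": honest, "covert": covert}


if __name__ == "__main__":
    traffic = build_traffic()
    print("covert bits decoded:", decode_covert(traffic["covert"]))
    for src, r in detect_fcs_channel(traffic["honest"] + traffic["covert"]).items():
        print(src, r)
```

The practical caveat is capture, not statistics: most NIC drivers drop frames with a bad FCS before they reach the host, so the monitor needs a capture path that retains and marks them (monitor-mode capture with FCS checking left to software), otherwise the covert frames never appear in the count. A sender who keeps the corruption rate close to the link's real error rate defeats this simple rate test, which is why the thesis pairs rate statistics with behaviour-based agents rather than a single threshold.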
40

A Fuzzy-logic based Alert Prioritization Engine for IDSs: Architecture and Configuration

Alsubhi, Khalid January 2008 (has links)
Intrusion Detection Systems (IDSs) are designed to monitor a networked environment and generate alerts whenever abnormal activities are detected. The number of these alerts can be very large making their evaluation by security analysts a difficult task. The management is complicated by the need to configure the different components of alert evaluation systems. In addition, IDS alert management techniques, such as clustering and correlation, suffer from involving unrelated alerts in their processes and consequently provide results that are inaccurate and difficult to manage. Thus, the tuning of an IDS alert management system in order to provide optimal results remains a major challenge, which is further complicated by the large spectrum of potential attacks the system can be subject to. This thesis considers the specification and configuration issues of FuzMet, a novel IDS alert management system which employs several metrics and a fuzzy-logic based approach for scoring and prioritizing alerts. In addition, it features an alert rescoring technique that leads to a further reduction of the number of alerts. We study the impact of different configurations of the proposed metrics on the accuracy and completeness of the alert scores generated by FuzMet. Our approach is validated using the 2000 DARPA intrusion detection scenario specific datasets and comparative results between the Snort IDS alert scoring and FuzMet alert prioritization scheme are presented. A considerable number of simulations were conducted in order to determine the optimal configuration of FuzMet with selected simulation results presented and analyzed.
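The example below is added here to show the shape of a fuzzy-logic alert scorer; it is not FuzMet, and its three metrics, membership functions and rule base are this example's assumptions. It takes a Snort priority mapped to a severity, an asset value for the target host, and an applicability metric (whether the target actually exposes the port the alert was raised on), runs Mamdani inference (clip each output set by its rule's firing strength, aggregate by max, defuzzify by centroid) and ranks a constructed alert list. The alert SIDs, hosts and asset values are illustrative.

```python
# Membership functions over [0, 1]; a or c outside the range gives a shoulder.
def tri(x, a, b, c):
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


def low(x):
    return tri(x, -1.0, 0.0, 0.5)


def med(x):
    return tri(x, 0.0, 0.5, 1.0)


def high(x):
    return tri(x, 0.5, 1.0, 2.0)


OUTPUT_SETS = {"low": low, "med": med, "high": high}

# Rule base for (severity, asset value, applicability) -> priority; AND is min.
RULES = [
    (lambda s, a, p: low(p), "low"),                            # cannot apply to target
    (lambda s, a, p: min(high(s), high(a), high(p)), "high"),
    (lambda s, a, p: min(med(s), high(a), high(p)), "high"),
    (lambda s, a, p: min(high(s), med(a), high(p)), "med"),
    (lambda s, a, p: min(med(s), med(a)), "med"),
    (lambda s, a, p: low(s), "low"),
    (lambda s, a, p: min(low(a), high(p)), "low"),
]


def fuzzy_score(severity, asset_value, applicability, grid=201):
    """Mamdani inference returning a priority in [0, 1]."""
    strengths = {}
    for antecedent, label in RULES:
        w = antecedent(severity, asset_value, applicability)
        strengths[label] = max(strengths.get(label, 0.0), w)
    num = den = 0.0
    for i in range(grid):                      # centroid over a fixed grid
        y = i / (grid - 1)
        mu = max(min(strengths.get(label, 0.0), f(y)) for label, f in OUTPUT_SETS.items())
        num += y * mu
        den += mu
    return num / den if den else 0.0


def snort_severity(priority):
    """Map Snort priority 1 (highest) .. 4 onto a severity in [0, 1]."""
    return max(0.0, min(1.0, (4 - priority) / 3.0))


def prioritize(alerts, assets):
    """alerts: dicts with sid, msg, prio, dst, dport.
    assets: dst -> {"value": float in [0,1], "services": set of exposed ports}.
    Applicability is 1.0 when the target exposes the alert's destination port,
    else 0.0 (a simplification assumed for this example)."""
    scored = []
    for a in alerts:
        asset = assets.get(a["dst"], {"value": 0.2, "services": set()})
        appl = 1.0 if a.get("dport") in asset["services"] else 0.0
        score = fuzzy_score(snort_severity(a["prio"]), asset["value"], appl)
        scored.append({**a, "score": round(score, 3)})
    return sorted(scored, key=lambda x: x["score"], reverse=True)


def sample_assets():
    return {
        "192.168.1.20": {"value": 1.0, "services": {3306}},   # database server
        "192.168.1.30": {"value": 0.2, "services": {80}},     # throwaway web box
    }


def sample_alerts():
    return [
        {"sid": 1000001, "msg": "LOCAL SQL injection attempt", "prio": 1, "dst": "192.168.1.20", "dport": 3306},
        {"sid": 1000002, "msg": "LOCAL web scanner user-agent", "prio": 3, "dst": "192.168.1.30", "dport": 80},
        {"sid": 1000003, "msg": "LOCAL SMB exploit attempt", "prio": 1, "dst": "192.168.1.20", "dport": 445},
    ]


if __name__ == "__main__":
    for a in prioritize(sample_alerts(), sample_assets()):
        print(f"{a['score']:.3f}  sid {a['sid']}  prio {a['prio']}  {a['dst']}:{a['dport']}  {a['msg']}")
```

The ordering is the point: the priority-1 SMB alert against the database server ranks last because that host does not expose port 445, which a raw Snort priority sort would place at the top. The abstract's configuration problem shows up directly in this code as the choice of rule base and membership breakpoints; changing either reorders the queue, which is why such a system has to be validated against labelled scenario data rather than tuned by intuition.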
