1. A computationally intelligent approach to the detection of wormhole attacks in wireless sensor networks
Shaon, Mohammad, 29 July 2016
This thesis proposes an innovative wormhole detection scheme to detect wormhole attacks using computational intelligence and an artificial neural network (ANN). The aim of the proposed research is to develop a detection scheme that can detect wormhole attacks (in-band, out-of-band, hidden wormhole attacks, and active wormhole attacks) in both uniformly and non-uniformly distributed sensor networks. Furthermore, the proposed research does not require any special hardware and causes no significant network overhead throughout the network. Most importantly, the probable location of the wormhole nodes can be tracked down by the proposed ANN-based detection scheme.
We evaluate the efficacy of the proposed detection scheme in terms of detection accuracy, false positive rate, and false negative rate. The performance of the proposed model is also compared with detection schemes based on other machine learning techniques (i.e. SVM-based and regularized nonlinear logistic regression (LR)-based detection models). The simulation results show that the proposed ANN-based detection model outperforms the SVM- and LR-based detection schemes in terms of detection accuracy, false positive rate, and false negative rate.
February 2017

2. Physical Layer Security for Wireless Position Location in the Presence of Location Spoofing
Lee, Jeong Heon, 14 March 2011
While significant research effort has been dedicated to wireless position location over the past decades, most location security aspects have been overlooked. Recently, with the proliferation of diverse wireless devices and the desire to determine their position, there is an increasing concern about the security of location information which can be spoofed or disrupted by adversaries or unreliable signal sources. This dissertation addresses the problem of securing a radio location system against location spoofing, specifically the characterization, analysis, detection, and localization of location spoofing attacks by focusing on fundamental location estimation issues.
The objective of this dissertation is four-fold. First, it provides an overview of fundamental security issues for position location, particularly associated with range-based localization. Of particular interest are security risks and vulnerabilities in location estimation, types of localization attacks, and their impact. The second objective is to characterize the effects of signal strength and beamforming attacks on range estimates and the resulting position estimate. The characterization can be generalized to a variety of location spoofing attacks and provides insight into the anomalous behavior of range and location estimators when under attack. Through this effort we can also identify effective attacks that are of particular interest to attack detection and localization. The third objective is to develop an effective technique for attack detection which requires neither prior environmental nor statistical knowledge. This is accomplished by exploiting the bilateral behavior of a hybrid framework using two received signal strength (RSS) based location estimators. We show that the resulting approach is effective at detecting attacks with the detection rate increasing with the severity of the induced location error. The last objective of this dissertation is to develop a localization method resilient to attacks and other adverse effects.
Since the detection and localization approach relies solely on RSS measurements in order to be applicable to a wide range of wireless systems and scenarios, this dissertation focuses on RSS-based position location. Nevertheless, many of the basic concepts and results can be applied to any range-based positioning system.
Ph. D.

3. Mining Network Traffic Data for Supporting Denial of Service Attack Detection
Ma, Shu-Chen, 17 August 2005
Denial of Service (DoS) attacks aim at rendering a computer or network incapable of providing normal services by exploiting bugs or holes in system programs or network communication protocols. Existing DoS attack defense mechanisms (e.g., firewalls, intrusion detection systems, intrusion prevention systems) typically rely on data gathered from gateways of network systems. Because these data are IP-layer or above packet information, existing defense mechanisms are incapable of detecting internal attacks or attackers who disguise themselves by spoofing the source IP addresses of their packets. To address the aforementioned limitations of existing DoS attack defense mechanisms, we propose a classification-based DoS attack detection technique on the basis of the SNMP MIB II data from the network interface, inducing a DoS detection model from a set of training examples that consist of both normal and attack traffic data. The constructed DoS detection model is then used for predicting whether network traffic from the network interface is a DoS attack.
To empirically evaluate our proposed classification-based DoS attack detection technique, we collect, with various traffic aggregation intervals (including 1, 3, and 5 minutes), normal network traffic data from two different environments (including an enterprise network and a university campus network) and attack network traffic (including TCP SYN Flood, Land, Fake Ping, and Angry Ping) from an independent experimental network. Our empirical evaluation results show that the detection accuracy of the proposed technique reaches 98.59% or above in the two network environments. The evaluation results also suggest that the proposed technique is insensitive to the traffic aggregation intervals examined and has a high distinguishing power for the four types of DoS attacks under investigation.

4. Intrusion Detection Through Time Series Analysis and Network Traffic Correlation
Vogt, Francisco Carlos, 09 December 2012
Coordenação de Aperfeiçoamento de Pessoal de Nível Superior
This work presents a model to identify anomalies in computer network behavior, applied to the problem of traffic management and information security. Due to the characteristic growth of traffic, some models do not distinguish an anomaly from an attack, generating false positives that damage the security and quality of service of the network. In order to present an alternative, this work explores the ARIMA model, which allows the time series to be made stationary, and the CUSUM algorithm, which allows anomalies to be detected. This approach provides a way to evaluate the behavior and identification of an anomaly with better quality through the traffic variables and their correlations. The results demonstrate that the approach demands a careful step of variable selection, as the variables can be influenced by the attacks of interest.
This work presents a model for identifying anomalies in the behavior of computer networks, applied to the problem of network traffic management and information security. Because traffic tends to grow, some models do not distinguish anomalies from an attack, generating false positives that harm network security and, consequently, its quality of service. In order to present an alternative, this work explores the ARIMA model, which makes the time series stationary, and the CUSUM algorithm, which detects anomalies. This approach makes it possible to evaluate, with better quality, the behavior and identification of an anomaly from traffic descriptor variables and their correlations. The results show that the approach requires a careful variable-selection step, since the variables may be influenced by the attacks of interest.

5. A Kangaroo-Based Intrusion Detection System on Software-Defined Networks
Yazdinejadna, Abbas; Parizi, Reza M.; Dehghantanha, Ali; Khan, Mohammad S., 15 January 2021
In recent years, a new generation of architecture has emerged in the world of computer networks, known as software-defined networking (SDN), that aims to improve on and remove the limitations of traditional networks. Although SDN provides viable benefits, it has faced many security threats and vulnerability-related issues. To solve security issues in SDN, one of the most vital solutions is employing an intrusion detection system (IDS). Merging an IDS into the SDN network remains efficient due to the unique features of SDN, such as high manageability, flexibility, and programmability. In this paper, we propose a new approach called the kangaroo-based intrusion detection system (KIDS), which is an SDN-based architecture for detecting attacks and malicious behaviors in the data plane. Designing a zone-based architecture in KIDS assists us in achieving a distributed architecture which is scalable in both area and anomaly detection. In the KIDS architecture, the IDS module supplies the flow-based and packet-based intrusion detection components based on monitoring the packet parser and flow tables of the SDN switches. In the proposed approach, the IDS uses consecutive jumps like a kangaroo for announcing the attacks both to the SDN controller and to other IDSs, contributing to improved scalability and efficiency. The evaluation of the proposed approach shows enhanced performance against that of peer approaches in detecting malicious packets.

6. Detecting DoS Attack in Smart Home IoT Devices Using a Graph-Based Approach
Paudel, Ramesh; Muncy, Timothy; Eberle, William, 01 December 2019
The use of Internet of Things (IoT) devices has surged in recent years. However, due to the lack of substantial security, IoT devices are vulnerable to cyber-attacks like Denial-of-Service (DoS) attacks. Most of the current security solutions are either computationally expensive or unscalable, as they require known attack signatures or full packet inspection. In this paper, we introduce a novel Graph-based Outlier Detection in Internet of Things (GODIT) approach that (i) represents smart home IoT traffic as a real-time graph stream, (ii) efficiently processes graph data, and (iii) detects DoS attacks in real time. The experimental results on real-world data collected from an IoT-equipped smart home show that GODIT is more effective than traditional machine learning approaches, and is able to outperform current graph-stream anomaly detection approaches.

7. Design and Analysis of Anomaly Detection and Mitigation Schemes for Distributed Denial of Service Attacks in Software Defined Network. An Investigation into the Security Vulnerabilities of Software Defined Network and the Design of Efficient Detection and Mitigation Techniques for DDoS Attack using Machine Learning Techniques
Sangodoyin, Abimbola O., 2019
Software Defined Networks (SDN) have created great potential and hope to overcome the need for secure, reliable and well-managed next generation networks to drive effective service delivery on the go and meet the demand for high data rate and seamless connectivity expected by users. Thus, it is a network technology that is set to enhance our day-to-day activities. As network usage and reliance on computer technology become increasingly popular, users with bad intentions exploit the inherent weaknesses of this technology to render targeted services unavailable to legitimate users. Among the security weaknesses of SDN are Distributed Denial of Service (DDoS) attacks.
Even though the DDoS attack strategy is known, the number of successful DDoS attacks launched has increased at an alarming rate over the last decade. Existing detection mechanisms depend on signatures of known attacks, which has not been successful in detecting unknown or different shades of DDoS attacks. Therefore, a novel detection mechanism is proposed that relies on deviation from the confidence interval obtained from the normal distribution of throughput polled from the server without attack. Furthermore, a sensitivity analysis is performed to determine which of the network metrics (jitter, throughput and response time) is more sensitive to attack, by introducing white Gaussian noise and evaluating the local sensitivity using a feed-forward artificial neural network. All metrics are sensitive in detecting DDoS attacks. However, jitter appears to be the most sensitive to attack. As a result, the developed framework provides an avenue to make the SDN technology more robust and secure against DDoS attacks.

8. Modelization and identification of multi-step cyberattacks in sets of events
Navarro Lara, Julio, 14 March 2019
A cyberattack is considered multi-step if it is composed of at least two different actions. The main objective of this thesis is to help the security analyst create detection models from a set of alternative cases of multi-step attacks. To meet this objective, we present four research contributions. First, we carried out the first systematic survey of multi-step attack detection. One of the conclusions of this survey is the lack of methods to confirm the hypotheses formulated by the security analyst during the investigation of past multi-step attacks. This leads us to the second of our contributions, the abstract attack scenario graph, or AASG. In an AASG, the alternative proposals about the fundamental steps of an attack are represented as branches to be evaluated as new events arrive. For this evaluation, we propose two models, Morwilog and Bidimac, which perform detection at the same time as the identification of the correct hypotheses. The evaluation of the results by the analyst allows the models to evolve. Finally, we propose a model for the visual investigation of attack scenarios on unprocessed events. This model, called SimSC, is based on the similarity between IP addresses, taking into account the temporal distance between events.
A cyberattack is considered multi-step if it is composed of at least two distinct actions. The main goal of this thesis is to help the security analyst in the creation of detection models from a set of alternative multi-step attack cases. To meet this goal, we present four research contributions. First of all, we have conducted the first systematic survey about multi-step attack detection. One of the conclusions of this survey is the lack of methods to confirm the hypotheses formulated by the security analyst during the investigation of past multi-step attacks. This leads us to the second of our contributions, the Abstract Attack Scenario Graph or AASG. In an AASG, the alternative proposals about the fundamental steps in an attack are represented as branches to be evaluated on new incoming events. For this evaluation, we propose two models, Morwilog and Bidimac, which perform detection and identification of correct hypotheses. The evaluation of the results by the analyst allows the evolution of the models. Finally, we propose a model for the visual investigation of attack scenarios in non-processed events. This model, called SimSC, is based on IP address similarity, considering the temporal distance between the events.

9. Abstracting and correlating heterogeneous events to detect complex scenarios
Panichprecha, Sorot, 2009
The research presented in this thesis addresses inherent problems in signature-based intrusion detection systems (IDSs) operating in heterogeneous environments. The research proposes a solution to address the difficulties associated with multi-step attack scenario specification and detection for such environments. The research has focused on two distinct problems: the representation of events derived from heterogeneous sources, and multi-step attack specification and detection.
The first part of the research investigates the application of an event abstraction model to event logs collected from a heterogeneous environment. The event abstraction model comprises a hierarchy of events derived from different log sources such as system audit data, application logs, captured network traffic, and intrusion detection system alerts. Unlike existing event abstraction models, where low-level information may be discarded during the abstraction process, the event abstraction model presented in this work preserves all low-level information as well as providing high-level information in the form of abstract events. The event abstraction model presented in this work was designed independently of any particular IDS and thus may be used by any IDS, intrusion forensic tools, or monitoring tools.
The second part of the research investigates the use of unification for multi-step attack scenario specification and detection. Multi-step attack scenarios are hard to specify and detect as they often involve the correlation of events from multiple sources which may be affected by time uncertainty. The unification algorithm provides a simple and straightforward scenario matching mechanism by using variable instantiation, where variables represent events as defined in the event abstraction model.
The third part of the research looks into the solution to address time uncertainty. Clock synchronisation is crucial for detecting multi-step attack scenarios which involve logs from multiple hosts. Issues involving time uncertainty have been largely neglected by intrusion detection research. The system presented in this research introduces two techniques for addressing time uncertainty issues: clock skew compensation and clock drift modelling using linear regression.
An off-line IDS prototype for detecting multi-step attacks has been implemented. The prototype comprises two modules: an implementation of the abstract event system architecture (AESA) and the scenario detection module. The scenario detection module implements our signature language, developed based on the Python programming language syntax, and the unification-based scenario detection engine. The prototype has been evaluated using a publicly available dataset of real attack traffic and event logs and a synthetic dataset. The distinct feature of the public dataset is the fact that it contains multi-step attacks which involve multiple hosts with clock skew and clock drift. These features allow us to demonstrate the application and the advantages of the contributions of this research. All instances of multi-step attacks in the dataset have been correctly identified even though there exists significant clock skew and drift in the dataset.
Future work identified by this research would be to develop a refined unification algorithm suitable for processing streams of events to enable on-line detection. In terms of time uncertainty, identified future work would be to develop mechanisms which allow automatic clock skew and clock drift identification and correction. The immediate application of the research presented in this thesis is the framework of an off-line IDS which processes events from heterogeneous sources using abstraction and which can detect multi-step attack scenarios which may involve time uncertainty.

10. Security related self-protected networks: autonomous threat detection and response (ATDR)
Havenga, Wessel Johannes Jacobus, 2021
Doctor Educationis
Cybersecurity defense tools, techniques and methodologies are constantly faced with increasing challenges, including the evolution of highly intelligent and powerful new generation threats. The main challenge posed by these modern digital multi-vector attacks is their ability to adapt with machine learning. Research shows that many existing defense systems fail to provide adequate protection against these latest threats. Hence, there is an ever-growing need for self-learning technologies that can autonomously adjust according to the behaviour and patterns of the offensive actors and systems. The accuracy and effectiveness of existing methods are dependent on decision making and manual input by a human expert. This dependence causes 1) administration overhead, 2) variable and potentially limited accuracy and 3) delayed response time.
In this thesis, Autonomous Threat Detection and Response (ATDR) is proposed as a general method aimed at contributing toward security related self-protected networks. Through a combination of unsupervised machine learning and deep learning, ATDR is designed as an intelligent and autonomous decision-making system that uses big data processing requirements and data frame pattern identification layers to learn sequences of patterns and derive real-time data formations. This system enhances threat detection and response capabilities, accuracy and speed. Research provided a solid foundation for the proposed method around the scope of existing methods and the unanimous problem statements and findings by other authors.