Ant tree miner amyntas for intrusion detection

Botes, Frans Hendrik

January 2018

Thesis (MTech (Information Technology))--Cape Peninsula University of Technology, 2018. / With the constant evolution of information systems, companies have to acclimatise to the vast increase of data flowing through their networks. Business processes rely heavily on information technology and operate within a framework of little to no space for interruptions. Cyber attacks aimed at interrupting business operations, false intrusion detections and leaked information burden companies with large monetary and reputational costs. Intrusion detection systems analyse network traffic to identify suspicious patterns that intent to compromise the system. Classifiers (algorithms) are used to classify the data within different categories e.g. malicious or normal network traffic. Recent surveys within intrusion detection highlight the need for improved detection techniques and warrant further experimentation for improvement. This experimental research project focuses on implementing swarm intelligence techniques within the intrusion detection domain. The Ant Tree Miner algorithm induces decision trees by using ant colony optimisation techniques. The Ant Tree Miner poses high accuracy with efficient results. However, limited research has been performed on this classifier in other domains such as intrusion detection. The research provides the intrusion detection domain with a new algorithm that improves upon results of decision trees and ant colony optimisation techniques when applied to the domain. The research has led to valuable insights into the Ant Tree Miner classifier within a previously unknown domain and created an intrusion detection benchmark for future researchers.

Ant Tree Miner

Computer networks -- Security measures

Computer algorithms

Algorithms for Large-Scale Internet Measurements

Leonard, Derek Anthony

2010 December 1900

As the Internet has grown in size and importance to society, it has become increasingly difficult to generate global metrics of interest that can be used to verify proposed algorithms or monitor performance. This dissertation tackles the problem by proposing several novel algorithms designed to perform Internet-wide measurements using existing or inexpensive resources. We initially address distance estimation in the Internet, which is used by many distributed applications. We propose a new end-to-end measurement framework called Turbo King (T-King) that uses the existing DNS infrastructure and, when compared to its predecessor King, obtains delay samples without bias in the presence of distant authoritative servers and forwarders, consumes half the bandwidth, and reduces the impact on caches at remote servers by several orders of magnitude. Motivated by recent interest in the literature and our need to find remote DNS nameservers, we next address Internet-wide service discovery by developing IRLscanner, whose main design objectives have been to maximize politeness at remote networks, allow scanning rates that achieve coverage of the Internet in minutes/hours (rather than weeks/months), and significantly reduce administrator complaints. Using IRLscanner and 24-hour scan durations, we perform 20 Internet-wide experiments using 6 different protocols (i.e., DNS, HTTP, SMTP, EPMAP, ICMP and UDP ECHO). We analyze the feedback generated and suggest novel approaches for reducing the amount of blowback during similar studies, which should enable researchers to collect valuable experimental data in the future with significantly fewer hurdles. We finally turn our attention to Intrusion Detection Systems (IDS), which are often tasked with detecting scans and preventing them; however, it is currently unknown how likely an IDS is to detect a given Internet-wide scan pattern and whether there exist sufficiently fast stealth techniques that can remain virtually undetectable at large-scale. To address these questions, we propose a novel model for the windowexpiration rules of popular IDS tools (i.e., Snort and Bro), derive the probability that existing scan patterns (i.e., uniform and sequential) are detected by each of these tools, and prove the existence of stealth-optimal patterns.

Distance Estimation

Horizontal Scanning

Service Discovery

Intrusion Detection Systems

Internet Measurements

Network Forensics and Log Files Analysis : A Novel Approach to Building a Digital Evidence Bag and Its Own Processing Tool

Qaisi, Ahmed Abdulrheem Jerribi

January 2011

Intrusion Detection Systems (IDS) tools are deployed within networks to monitor data that is transmitted to particular destinations such as MySQL,Oracle databases or log files. The data is normally dumped to these destinations without a forensic standard structure. When digital evidence is needed, forensic specialists are required to analyse a very large volume of data. Even though forensic tools can be utilised, most of this process has to be done manually, consuming time and resources. In this research, we aim to address this issue by combining several existing tools to archive the original IDS data into a new container (Digital Evidence Bag) that has a structure based upon standard forensic processes. The aim is to develop a method to improve the current IDS database function in a forensic manner. This database will be optimised for future, forensic, analysis. Since evidence validity is always an issue, a secondary aim of this research is to develop a new monitoring scheme. This is to provide the necessary evidence to prove that an attacker had surveyed the network prior to the attack. To achieve this, we will set up a network that will be monitored by multiple IDSs. Open source tools will be used to carry input validation attacks into the network including SQL injection. We will design a new tool to obtain the original data in order to store it within the proposed DEB. This tool will collect the data from several databases of the different IDSs. We will assume that the IDS will not have been compromised.

IDS

snort

barnyard

snorby

mysql

intrusion detection systems

multiple IDSs

forensics

digital evidence bags

Implementação de um IDS utilizando SNMP e lógica difusa / Implementation of an IDS using SNMP and fuzzy logic

Virti, Émerson Salvadori

January 2007

Este trabalho busca o estudo da segurança em redes de computadores através da implementação de um sistema detector de intrusão embasado na captura de informações pela utilização do protocolo SNMP. Para alcançar-se a diminuição no número de falsos positivo e negativo, problema peculiar à maioria dos IDS, utiliza-se a lógica difusa para, com o auxilio dos administradores de segurança de cada rede, possibilitar a construção de um sistema detector de intrusão que melhor se adeque às características das redes monitoradas. Posteriormente, utilizando o monitoramento de uma rede de produção, avalia-se a melhora na segurança obtida com o uso do IDS implementado por esse trabalho que, atuando quase em tempo real, propicia sua adoção como mecanismo complementar à segurança de redes. / This work develops a study about Computer Network Security through the implementation of an Instruction Detection System (IDS) based on system information captured by the SNMP protocol. To reach a reduction in the number of false positive and false negative, a peculiar problem to the majority of the IDS, it is used fuzzy logic and the assistance of Network Security Administrators. Thus it is possible to build an Intrusion Detection System better adjusted to the network characteristics that must be monitored. At last, by monitoring a production network, it is evaluated the overall security improvement obtained by the IDS proposed in this work and considers its adoption as a complementary network security mechanism.

Seguranca : Computadores

Seguranca : Redes : Computadores

Detecção : Intrusão

Intrusion detection systems

Security

Fuzzy logic

SNMP

Implementação de um IDS utilizando SNMP e lógica difusa / Implementation of an IDS using SNMP and fuzzy logic

Virti, Émerson Salvadori

January 2007

Este trabalho busca o estudo da segurança em redes de computadores através da implementação de um sistema detector de intrusão embasado na captura de informações pela utilização do protocolo SNMP. Para alcançar-se a diminuição no número de falsos positivo e negativo, problema peculiar à maioria dos IDS, utiliza-se a lógica difusa para, com o auxilio dos administradores de segurança de cada rede, possibilitar a construção de um sistema detector de intrusão que melhor se adeque às características das redes monitoradas. Posteriormente, utilizando o monitoramento de uma rede de produção, avalia-se a melhora na segurança obtida com o uso do IDS implementado por esse trabalho que, atuando quase em tempo real, propicia sua adoção como mecanismo complementar à segurança de redes. / This work develops a study about Computer Network Security through the implementation of an Instruction Detection System (IDS) based on system information captured by the SNMP protocol. To reach a reduction in the number of false positive and false negative, a peculiar problem to the majority of the IDS, it is used fuzzy logic and the assistance of Network Security Administrators. Thus it is possible to build an Intrusion Detection System better adjusted to the network characteristics that must be monitored. At last, by monitoring a production network, it is evaluated the overall security improvement obtained by the IDS proposed in this work and considers its adoption as a complementary network security mechanism.

Seguranca : Computadores

Seguranca : Redes : Computadores

Detecção : Intrusão

Intrusion detection systems

Security

Fuzzy logic

SNMP

Implementação de um IDS utilizando SNMP e lógica difusa / Implementation of an IDS using SNMP and fuzzy logic

Virti, Émerson Salvadori

January 2007

Este trabalho busca o estudo da segurança em redes de computadores através da implementação de um sistema detector de intrusão embasado na captura de informações pela utilização do protocolo SNMP. Para alcançar-se a diminuição no número de falsos positivo e negativo, problema peculiar à maioria dos IDS, utiliza-se a lógica difusa para, com o auxilio dos administradores de segurança de cada rede, possibilitar a construção de um sistema detector de intrusão que melhor se adeque às características das redes monitoradas. Posteriormente, utilizando o monitoramento de uma rede de produção, avalia-se a melhora na segurança obtida com o uso do IDS implementado por esse trabalho que, atuando quase em tempo real, propicia sua adoção como mecanismo complementar à segurança de redes. / This work develops a study about Computer Network Security through the implementation of an Instruction Detection System (IDS) based on system information captured by the SNMP protocol. To reach a reduction in the number of false positive and false negative, a peculiar problem to the majority of the IDS, it is used fuzzy logic and the assistance of Network Security Administrators. Thus it is possible to build an Intrusion Detection System better adjusted to the network characteristics that must be monitored. At last, by monitoring a production network, it is evaluated the overall security improvement obtained by the IDS proposed in this work and considers its adoption as a complementary network security mechanism.

Seguranca : Computadores

Seguranca : Redes : Computadores

Detecção : Intrusão

Intrusion detection systems

Security

Fuzzy logic

SNMP

Modeling and simulation of intrusion detection system in mobile ad-hoc networks

Jarmal, Piotr

January 2008

The thesis investigates the process of modeling and simulation of the mobile ad-hoc networks. It provides a overview of the actual state of art together with a literature survey. Basic ideas of both security issues in mobile ad-hoc networks as well as intrusion detection systems are presented. Additionally some new ideas for improvements - like the AGM mobility model - are proposed, and tested during the simulation proces. As an addition a set of applications designer for automating the simulation processes were created.

mobile ad-hoc networks

intrusion detection systems

mobility models

Computer Sciences

Datavetenskap (datalogi)

An empirical comparison of the market-leading IDS's

Hedemalm, Daniel

January 2018

In this day and age of the Internet, organizations need to address network threats, therefore more education material also needs to be established. An already established methodology for evaluating intrusion detection systems was chosen, and a selection of the market-leading intrusion detection systems are evaluated. The results show that all the systems were able to identify threats in 50% of the datasets, with different threat detection accuracies.

intrusion detection systems

IDS

network security

Computer and Information Sciences

Data- och informationsvetenskap

Amber : a aero-interaction honeypot with distributed intelligence

Schoeman, Adam

January 2015

For the greater part, security controls are based on the principle of Decision through Detection (DtD). The exception to this is a honeypot, which analyses interactions between a third party and itself, while occupying a piece of unused information space. As honeypots are not located on productive information resources, any interaction with it can be assumed to be non-productive. This allows the honeypot to make decisions based simply on the presence of data, rather than on the behaviour of the data. But due to limited resources in human capital, honeypots’ uptake in the South African market has been underwhelming. Amber attempts to change this by offering a zero-interaction security system, which will use the honeypot approach of decision through Presence (DtP) to generate a blacklist of third parties, which can be passed on to a network enforcer. Empirical testing has proved the usefulness of this alternative and low cost approach in defending networks. The functionality of the system was also extended by installing nodes in different geographical locations, and streaming their detections into the central Amber hive.

Security systems -- Security measures

Computer viruses

Computer security

Detector Comparison for Simultaneous Determination of Organic Acids and Inorganic Anions

Pannell, Daniel K. (Daniel Kirk)

08 1900

The research reported here is a study of detector systems to determine those most suited for simultaneous organic acid, inorganic anion determination. Comparisons are made on the basis of detection limits and sensitivities for conductivity, UV/Vis, photoconductivity, and derivative conductivity detection systems. The investigation was made using a constant chromatographic system with the only variable component being the detector system. Eluant optimization conditions for each detector are reported along with tables reporting detection limits and sensitivities for each detector system. Various chromatograms are also shown to provide a visual comparison between detector results.

organic acid

ion exchange chromatography

conductivity detection systems

inorganic anions

Organic acids.

Anions.

Ion exchange chromatography.