61

Classificação de anomalias e redução de falsos positivos em sistemas de detecção de intrusão baseados em rede utilizando métodos de agrupamento / Anomalies classification and false positives reduction in network intrusion detection systems using clustering methods

Ferreira, Vinícius Oliveira [UNESP] 27 April 2016 (has links)
Submitted by Vinícius Oliveira Ferreira (viniciusoliveira@acmesecurity.org) on 2016-05-18T20:29:41Z; approved for entry into archive by Ana Paula Grisoto (grisotoana@reitoria.unesp.br) on 2016-05-20T16:27:30Z (GMT); made available in DSpace on 2016-05-20T16:27:30Z (GMT). One bitstream: ferreira_vo_me_sjrp.pdf (submitted as Dissertação-mestrado-vinicius-oliveira-biblioteca-final.pdf), 1594758 bytes, MD5 checksum 0dbb0d2dd3fca3ed2b402b19b73006e7. Previous issue date: 2016-04-27. Funding: Coordenação de Aperfeiçoamento de Pessoal de Nível Superior (CAPES).

Network Intrusion Detection Systems (NIDS) are traditionally divided into two types according to the detection methods they employ, namely (i) misuse detection and (ii) anomaly detection. The main advantage of anomaly detection is its ability to detect new attacks; however, this methodology has some downsides. In anomaly detection, analysing the detected anomalies can be expensive, since they often carry no clear information about the malicious events they represent; moreover, NIDSs that use this methodology suffer from high rates of false positives. In this context, this work presents a model for the automated classification of anomalies detected by an anomaly-based NIDS. The main goal is to classify the detected anomalies into well-known classes of attacks. Beyond the clear identification of anomalies, this classification is intended to identify the false positives erroneously raised by NIDSs. Therefore, by addressing the key issues surrounding anomaly-based detection, this work aims to equip security analysts with better resources for their analyses.
62

An agent-based Bayesian method for network intrusion detection

Pikoulas, John January 2003 (has links)
Security is one of the major issues in any network and on the Internet. It encapsulates many different areas, such as protecting individual users against intruders, protecting corporate systems against damage, and protecting data from intrusion. It is obviously impossible to make a network totally secure, as there are so many areas that must be protected. This thesis includes an evaluation of current techniques for detecting internal misuse of computer systems, and proposes a new way of dealing with this problem. The thesis holds that it is impossible to fully protect a computer network from intrusion, and shows how different methods are applied at differing levels of the OSI model. Most systems are now protected at the network and transport layers, with systems such as firewalls and secure sockets. A weakness, though, exists in the session layer, which is responsible for user logon and the associated password. It is thus important for any highly secure system to be able to continually monitor a user, even after they have successfully logged into the system. This is because once an intruder has successfully logged into a system, they can use it as a stepping-stone to gain full access (often right up to the system administrator level). This type of login identifies another weakness of current intrusion detection systems: they are mainly focused on detecting external intrusion, whereas a great deal of research identifies that one of the main problems comes from internal intruders and from staff within an organisation. Fraudulent activities can often be identified by changes in user behaviour. While this type of behaviour monitoring might not be suited to most networks, it could be applied to highly secure installations, such as government and military organisations. Computer networks are now among the most rapidly changing and vulnerable systems, and their security is a major issue.
A dynamic approach that can deal with and adapt to abrupt changes, while remaining simple, will provide an effective modelling toolkit. Analysts must be able to understand how it works and be able to apply it without the aid of an expert. Such models do exist in the statistical world, and it is the purpose of this thesis to introduce them and to explain their basic notions and structure. One weakness identified is the centralisation and complex implementation of intrusion detection. The thesis proposes an agent-based approach to monitor the behaviour of each user. It also observes that many intrusion detection systems cannot cope with new types of intrusion. It thus applies Bayesian statistics to evaluate user behaviour and predict the future behaviour of the user. The model developed is a unique application of Bayesian statistics, and the results show that it improves future-behaviour prediction over existing ARIMA models. The thesis argues that the accuracy of long-term forecasting is questionable, especially in systems that have a rapid and often unexpected evolution and behaviour. Many of the existing models for prediction use long-term forecasting, which may not be the optimal type for intrusion detection systems. The experiments conducted varied the number of users and the time interval used for monitoring user behaviour. These results have been compared with ARIMA, and an increased accuracy has been observed. The thesis also shows that the new model can better predict changes in user behaviour, which is a key factor in intrusion detection. The thesis concludes with recommendations for future work, including how the statistical model could be improved. This includes research into changing the specification of the design vector for the Bayesian model.
Another interesting area is the integration of standard agent communication agents, which will make the security agents more social in their approach and able to gather information from other agents.
63

Lógica nebulosa aplicada a um sistema de detecção de intrusos em computação em nuvem. / A fuzzy system intrusion detection for cloud computing.

Carolina Yoshico Ji 16 August 2013 (has links)
The objective of this work is to evaluate the risk of intrusions in a cloud computing system for distributed systems using fuzzy logic. Cloud computing is a topic that has been widely discussed and has provoked heated debate, both in the academic community and in professional talks. Although this technology is gaining market share, some scholars remain sceptical, saying that it is too early to draw conclusions. This is mainly because of a critical factor: the security of data stored in the cloud. For this dissertation, a distributed system written in Java was designed to control a collaborative software development process in the cloud, which served as a case study to evaluate the proposed intrusion detection approach. This environment was built with five machines (four virtual machines and one real machine). Two fuzzy inference systems were created for the analysis of network security problems, implemented in Java in the distributed environment. Several tests were performed to verify the functioning of the application, presenting a satisfactory outcome within this methodology.
65

SurRFE - Sub-rede de filtragens específicas

Galvão, Ricardo Kléber Martins 11 July 2006 (has links)
Made available in DSpace on 2014-12-17T14:55:05Z (GMT). One bitstream: RicardoKMG.pdf, 620624 bytes, MD5 checksum 2265857dd8185aa481f6e9891ee2c38f. Previous issue date: 2006-07-11.

The increase in the number of attacks on computer networks has been countered by adding resources directly to the active routing equipment of these networks. In this context, firewalls have become established as essential elements in the process of controlling packets entering and leaving a network. With the advent of intrusion detection systems (IDS), efforts have been made to incorporate pattern-based packet filtering into the traditional firewall, integrating the IDS functions (such as signature-based filtering, until then a passive element) with the functions already existing in the firewall. In contrast to the efficiency gained through this incorporation in blocking attacks with known signatures, application-level filtering, besides introducing a natural delay in the analysed packets, can degrade the machine's performance in filtering the remaining packets, because of the machine resources this level of filtering demands. This work presents models for treating this problem, based on re-routing packets for analysis by a sub-network with specific filterings. The suggested implementation of this model aims, besides mitigating the performance problem above, to open space for consolidating scenarios in which other non-conventional filtering solutions (spam blocking, P2P traffic control/blocking, etc.) can be inserted into the filtering sub-network, without overloading the main firewall of a corporate network.
66

Processamento embarcado aplicado a um sistema de detecção de vazamentos

Avelino, Álvaro Medeiros 23 December 2009 (has links)
Made available in DSpace on 2014-12-17T14:55:41Z (GMT). One bitstream: AlvaroMA_DISSERT.pdf, 1811875 bytes, MD5 checksum d1a8b9710060f420383a8d715381bfb9. Previous issue date: 2009-12-23.

Embedded systems are widespread nowadays. One example is the Digital Signal Processor (DSP), a device with high processing power. This work's contribution consists of the DSP implementation of the logic of a real-time leak detection system. Among the various leak detection methods available today, this work uses a technique based on analysis of the pressure in the pipeline, employing the Wavelet Transform and Neural Networks. In this context the DSP, besides performing the digital processing of the pressure signal, also communicates with a Global Positioning System (GPS), which helps to locate the leak, and with a SCADA (supervisory) system, to which it makes information available. To ensure robustness and reliability in the communication between the DSP and the SCADA system, the Modbus protocol is used. As this is a real-time application, special attention is given to the response time of each of the tasks performed by the DSP. Tests and leak simulations were performed using the facilities of the Laboratory for Evaluation of Oil Measurement (LAMP) at the Federal University of Rio Grande do Norte (UFRN).
67

Expert-in-the-loop supervised learning for computer security detection systems / Apprentissage supervisé et systèmes de détection : une approche de bout-en-bout impliquant les experts en sécurité

Beaugnon, Anaël 25 June 2018 (has links)
The overall objective of this thesis is to foster the deployment of supervised learning in detection systems to strengthen detection. To that end, we consider the whole machine learning pipeline (data annotation, feature extraction, training, and evaluation) with security experts at its core, since this is crucial to achieving real-world impact. First, we provide methodological guidance to help security experts build supervised detection models that suit their operational constraints. Moreover, we design and implement DIADEM, an interactive visualization tool that helps security experts apply the methodology set out. DIADEM deals with the machine learning machinery to let security experts focus mainly on detection. Besides, we propose a solution to effectively reduce the labeling cost in computer security annotation projects. We design and implement an end-to-end active learning system, ILAB, tailored to security experts' needs. Our user experiments on a real-world annotation project demonstrate that they can annotate a dataset with a low workload thanks to ILAB. Finally, we consider automatic feature generation as a means to ease, and thus foster, the use of machine learning in detection systems. We define the constraints that such methods should meet to be effective in building detection models. We compare three state-of-the-art methods based on these criteria, and we point out some avenues of research to better tailor automatic feature generation to computer security experts' needs.
68

Zabezpečení Open source PBX proti útokům / Open source PBX security against attacks

Orsák, David January 2012 (has links)
This master's thesis deals with securing open source PBXs against attacks. The theoretical part gives a detailed description of the attacks that can be mounted against VoIP systems, with a strong focus on Denial of Service attacks. It further describes methods for securing the Session Initiation Protocol (SIP). A separate chapter is devoted to intrusion detection and prevention systems (IDS and IPS), focusing on Snort and OSSEC. In the practical part of the work, a generator of attacks against various PBX systems was created and subsequently used for detailed testing. Special tests of the PBX systems against DoS attacks were then used, for which protection was created in the form of active elements consisting of Snort and OSSEC; these are capable of providing protection in real time. The protection was tested on particular PBX systems and, for comparison, measurements were taken before and after the security implementation. The output of this work is the attack generator VoIPtester and the creation of configuration rules for Snort and OSSEC.
69

Alert correlation towards an efficient response decision support / Corrélation d’alertes : un outil plus efficace d’aide à la décision pour répondre aux intrusions

Ben Mustapha, Yosra 30 April 2015 (has links)
Security Information and Event Management (SIEM) systems provide security analysts with a huge number of alerts. Managing and analysing such a tremendous number of alerts is a challenging task for the security administrator. Alert correlation was designed to alleviate this problem. Current alert correlation techniques give the security administrator a better description of the detected attack and a more concise view of the generated alerts, and so usually reduce the volume of alerts to support the administrator in handling them. Unfortunately, none of these techniques takes into account either knowledge about the attacker's behaviour or the enforcement functionalities and defence perimeter of the protected network (firewalls, proxies, intrusion detection systems, etc.). It remains challenging, first, to improve knowledge about the attacker and, second, to identify the policy enforcement mechanisms that are capable of processing the generated alerts. Several authors have proposed different alert correlation methods and techniques. Although these approaches support the administrator in processing the huge number of generated alerts, they remain limited, since they do not provide more information about the attackers' behaviour or the defender's capability to react to detected attacks. In this dissertation, we propose two novel alert correlation approaches. The first, which we call honeypot-based alert correlation, uses knowledge about attackers collected through honeypots. The second, which we call enforcement-based alert correlation, is based on a model of policy enforcement points and defender capabilities.
70

A Study on Behaviors of Machine Learning-Powered Intrusion Detection Systems under Normal and Adversarial Settings

Pujari, Medha Rani 15 June 2023 (has links)
No description available.
