41

Immune Based Event-Incident Model for Intrusion Detection Systems: A Nature Inspired Approach to Secure Computing

Vasudevan, Swetha 26 June 2007 (has links)
No description available.
42

Performance Evaluation Study of Intrusion Detection Systems.

Alhomoud, Adeeb M., Munir, Rashid, Pagna Disso, Jules F., Al-Dhelaan, A., Awan, Irfan U. 2011 August 1917 (has links)
With the rapid advance of technology and the great increase in the use of computer networks, the risk of these networks coming under attack has increased. A number of techniques have been created and designed to help detect and/or prevent such attacks. One common technique is the use of Network Intrusion Detection / Prevention Systems (NIDS). Today, a number of open source and commercial Intrusion Detection Systems are available to match enterprise requirements, but the performance of these Intrusion Detection Systems is still the main concern. In this paper, we have tested and analyzed the performance of the well-known IDS Snort and the newer IDS Suricata. Both Snort and Suricata were implemented on three different platforms (ESXi virtual server, Linux 2.6 and FreeBSD) to simulate a real environment. Finally, in our results and analysis a comparison of the performance of the two IDS systems is provided, along with some recommendations as to what and when the ideal environment for Snort and Suricata would be.
43

Adversarial Attacks Against Network Intrusion Detection Systems

Sanidhya Sharma (19203919) 26 July 2024 (has links)
The explosive growth of computer networks over the past few decades has significantly enhanced communication capabilities. However, this expansion has also attracted malicious attackers seeking to compromise and disable these networks for personal gain. Network Intrusion Detection Systems (NIDS) were developed to detect threats and alert users to potential attacks. As the types and methods of attacks have grown exponentially, NIDS have struggled to keep pace. A paradigm shift occurred when NIDS began using Machine Learning (ML) to differentiate between anomalous and normal traffic, alleviating the challenge of tracking and defending against new attacks. However, the adoption of ML-based anomaly detection in NIDS has unraveled a new avenue of exploitation due to the inherent inadequacy of machine learning models: their susceptibility to adversarial attacks.

In this work, we explore the application of adversarial attacks from the image domain to bypass Network Intrusion Detection Systems (NIDS). We evaluate both white-box and black-box adversarial attacks against nine popular ML-based NIDS models. Specifically, we investigate Projected Gradient Descent (PGD) attacks on two ML models, transfer attacks using adversarial examples generated by the PGD attack, the score-based Zeroth Order Optimization attack, and two boundary-based attacks, namely the Boundary and HopSkipJump attacks. Through comprehensive experiments using the NSL-KDD dataset, we find that logistic regression and multilayer perceptron models are highly vulnerable to all studied attacks, whereas decision trees, random forests, and XGBoost are moderately vulnerable to transfer attacks or PGD-assisted transfer attacks with approximately 60 to 70% attack success rate (ASR), but highly susceptible to targeted HopSkipJump or Boundary attacks with close to a 100% ASR. Moreover, SVM-linear is highly vulnerable to both transfer attacks and targeted HopSkipJump or Boundary attacks, achieving around 100% ASR, whereas SVM-rbf is highly vulnerable to transfer attacks with a 77% ASR but only moderately to targeted HopSkipJump or Boundary attacks with a 52% ASR. Finally, both KNN and Label Spreading models exhibit robustness against transfer-based attacks with less than 30% ASR but are highly vulnerable to targeted HopSkipJump or Boundary attacks with a 100% ASR with a large perturbation. Our findings may provide insights for designing future NIDS that are robust against potential adversarial attacks.
44

Development of a high flux neutron radiation detection system for in-core temperature monitoring

Singo, Thifhelimbilu Daphney 03 1900 (has links)
Thesis (PhD)--Stellenbosch University, 2012. / ENGLISH ABSTRACT: The objective of this research was to develop a neutron detection system that incorporates a mass spectrometer to measure high neutron flux in a nuclear reactor environment. This system consists of slow and fast neutron detector elements for measuring fluxes in those energy regions respectively. The detector should further be capable of withstanding the harsh conditions associated with a high temperature reactor. This novel detector, which was initially intended for use in the PBMR reactor, has possible applications as an in-core neutron and indirect temperature-monitoring device in any HTGR. Simulations of a generic HTGR core model were performed in order to obtain the neutron energy spectrum, with emphasis on the behavior of three energy regions (slow, intermediate and fast neutrons) within the core at different temperatures. The slow neutron flux, which has the characteristic of a Maxwell-Boltzmann distribution, was found to shift to larger values of neutron flux at higher energies as the fuel temperature increased, while fast neutron flux spectra remained relatively constant. In addition, the results of the fit of the slow neutron flux with a modified Maxwell-Boltzmann equation confirmed that in the presence of the neutron source, leakage and absorption, the effective neutron temperature is above the medium temperature. From these results, it was clear that the detection system will need to monitor both slow and fast neutron flux. Placing neutron detectors inside the reactor core that are sensitive to a particular energy range of slow and fast neutrons would thus provide information about the change of temperature in the fuel and hence act as an in-core temperature monitor. A detection mechanism was developed that employs the neutron-induced break-up reaction of ⁶Li and ¹²C into α-particles. These materials make excellent neutron converters without interference due to γ-rays, as the contributions from ⁶Li(γ,np)⁴He and ¹²C(γ,3α) reactions are negligible. The mass spectrometer measures the ⁴He partial pressure as a function of time under high vacuum, with the help of a pressure gradient provided by a high-vacuum turbomolecular pump and a positive-displacement fore-vacuum pump connected in series. A cryogenic trap, which contains a molecular sieve made of pellets 1.6 mm in diameter, was also designed and manufactured to remove impurities which cause a background in the lighter mass region of the spectrum. The development and testing of the high flux neutron detection system were performed at the iThemba Laboratory for Accelerator Based Sciences (LABS), South Africa. These tests were carried out with a high energy proton beam at the D-line neutron facility, and with a fast neutron beam at the neutron radiation therapy facility. To test the principle and capability of the detection system in measuring high fluxes, a high intensity 66 MeV proton beam was used to produce a large yield of α-particles. This was done because the proton inelastic scattering cross-section with ¹²C nuclei is similar to that of neutrons, with a threshold energy of about 8 MeV for both reactions. Secondly, the secondary fast neutrons produced from the ⁹Be(p,n)⁹B reaction were also measured with the fast neutron detector. The response of this detection system during irradiation was found to be relatively fast, with a rise time of a few seconds. This is seen as a sharp increase in the partial pressure of ⁴He gas as the proton or neutron beam bombards the ¹²C material. It was found that the production of ⁴He with the proton beam was directly proportional to the beam intensity. The number of ⁴He atoms produced per second was deduced from the partial pressure observed during the irradiation period. With a neutron beam of 10¹⁰ s⁻¹ irradiating the detector, the deduced number of ⁴He atoms was 10⁹ s⁻¹. When irradiation stops, the partial pressure drops exponentially. This response is attributed to a small quantity of ⁴He trapped in the present design. Overall, the measurements of ⁴He partial pressure produced during the tests with proton and fast neutron beams were successful and demonstrated proof of principle of the new detection technique. It was also found that this system has no upper neutron flux detection limit; it can be even higher than 10¹⁴ n·cm⁻²·s⁻¹. The lifetime of this detection system in a nuclear reactor environment is practically unlimited, as determined by the known ability of stainless steel to keep its integrity under high radiation levels. Hence, it is concluded that this high flux neutron detection system is excellent for neutron detection in the presence of high γ-radiation levels and provides real-time flux measurements.
45

Using metrics from multiple layers to detect attacks in wireless networks

Aparicio-Navarro, Francisco J. January 2014 (has links)
IEEE 802.11 networks are vulnerable to numerous wireless-specific attacks. Attackers can use MAC address spoofing techniques to launch these attacks while masquerading behind a false MAC address. The implementation of Intrusion Detection Systems has become fundamental in the development of security infrastructures for wireless networks. This thesis proposes the design of a novel security system that makes use of metrics from multiple layers of observation to produce a collective decision on whether an attack is taking place. The Dempster-Shafer Theory of Evidence is the data fusion technique used to combine the evidence from the different layers. A novel, unsupervised and self-adaptive Basic Probability Assignment (BPA) approach, able to automatically adapt its belief assignment to the current characteristics of the wireless network, is proposed. This BPA approach is composed of three different and independent statistical techniques, which are capable of identifying the presence of attacks in real time. Despite its lightweight processing requirements, the proposed security system produces outstanding detection results, with high intrusion detection accuracy and a very low number of false alarms. A thorough description of the generated results, for all the considered datasets, is presented in this thesis. The effectiveness of the proposed system is evaluated using different types of injection attacks. Regarding one of these attacks, to the best of the author's knowledge, the security system presented in this thesis is the first one able to efficiently identify the Airpwn attack.
46

Um modelo dinâmico de clusterização de dados aplicado na detecção de intrusão

Furukawa, Rogério Akiyoshi 25 April 2003 (has links)
Nowadays, computer security is becoming more and more necessary due to the large growth in the statistics that describe computer crimes. One of the tools used to increase the level of security is known as Intrusion Detection Systems (IDS). The flexibility and usability of these systems have contributed considerably to increasing the protection of computational environments. As a large part of intrusions follow well-defined behaviour patterns in a computer network, data classification and clustering techniques tend to be very appropriate for obtaining an effective solution to this problem. In this work, a dynamic clustering model based on a data movement mechanism is presented. Although the clustering technique is applicable to any data type, in this work the model is applied to intrusion detection. The technique presented in this work obtained clustering results comparable to those obtained by traditional techniques. Moreover, the proposed technique presents some advantages over the traditional techniques investigated, such as multi-resolution clustering and no need to know the number of clusters in advance.
47

Uma ontologia de aplicação para apoio à tomada de decisões em situações de ameaça à segurança da informação / An Ontology of Information for Decision Support in Situations of Threat to Information Security

SILVA, Rayane Meneses da 24 June 2015 (has links)
Many security mechanisms, such as Intrusion Detection Systems (IDSs), have been developed to approach the problem of information security attacks, but most of them are traditional information systems whose threat repositories are not represented semantically. Ontologies are knowledge representation structures that enable semantic processing of information and the construction of knowledge-based systems, which provide greater effectiveness compared to traditional systems. This work proposes an application ontology called "Application Ontology for the Development of Case-based Intrusion Detection Systems" that formally represents the concepts related to the information security domain, intrusion detection systems and Case-Based Reasoning. Case-Based Reasoning is an approach to problem solving in which the knowledge of past experiences can be reused to solve new problems. The evaluation of the ontology was performed by developing an Intrusion Detection System that can detect attacks on computer networks and recommend solutions to these attacks. The ontology was specified in the Ontology Web Language using the Protégé ontology editor and then mapped to a case base in Prolog using the "Thea" tool. The results have shown that the developed Intrusion Detection System was effective in detecting attacks and that the proposed ontology adequately conceptualizes the domain concepts and tasks.
48

Improving host-based computer security using secure active monitoring and memory analysis

Payne, Bryan D. 03 June 2010 (has links)
Thirty years ago, research in designing operating systems to defeat malicious software was very popular. The primary technique was to design and implement a small security kernel that could provide security assurances to the rest of the system. However, as operating systems grew in size throughout the 1980s and 1990s, research into security kernels slowly waned. From a security perspective, the story was bleak. Providing security to one of these large operating systems typically required running software within that operating system. This weak security foundation made it relatively easy for attackers to subvert the entire system without detection. The research presented in this thesis aims to reimagine how we design and deploy computer systems. We show that through careful use of virtualization technology, one can effectively isolate the security-critical components in a system from malicious software. Furthermore, we can control this isolation to allow the security software a complete view to monitor the running system. This view includes all of the necessary information for implementing useful security applications, including the system memory, storage, hardware events, and network traffic. In addition, we show how to perform both passive and active monitoring securely, using this new system architecture. Security applications must be redesigned to work within this new monitoring architecture. The data acquired through our monitoring is typically very low-level and difficult to use directly. In this thesis, we describe work that helps bridge this semantic gap by locating data structures within the memory of a running virtual machine. We also describe work that shows a useful and novel security framework made possible through this new monitoring architecture. This framework correlates human interaction with the system to distinguish legitimate and malicious outgoing network traffic.
49

An Anomaly Behavior Analysis Methodology for Network Centric Systems

Alipour, Hamid Reza January 2013 (has links)
Information systems and their services (referred to as cyberspace) are ubiquitous and touch all aspects of our life. With the exponential growth in cyberspace activities, the number and complexity of cyber-attacks have increased significantly due to an increase in the number of applications with vulnerabilities and the number of attackers. Consequently, it becomes extremely critical to develop efficient network Intrusion Detection Systems (IDS) that can mitigate and protect cyberspace resources and services against cyber-attacks. On the other hand, since each network system and application has its own specification as defined in its protocol, it is hard to develop a single IDS which works properly for all network protocols. A more effective approach is to design customized detection engines for each protocol and then aggregate the reports from these engines to define the final security state of the system. In this dissertation, we developed a general methodology based on data mining, statistical analysis and protocol semantics to perform anomaly behavior analysis and detection for network-centric systems and their protocols. In our approach, we develop runtime models of a protocol's state transitions during a time interval ΔΤ. We consider any n consecutive messages in a session during the time interval ΔΤ as an n-transition pattern called an n-gram. By applying statistical analysis over these n-gram patterns we can accurately model the normal behavior of any protocol. Then we use the amount of deviation from this normal model to quantify the anomaly score of the protocol activities. If this anomaly score is higher than a well-defined threshold, the system marks that activity as malicious. To validate our methodology, we have applied it to two different protocols: DNS (Domain Name System) at the application layer and IEEE 802.11 (WiFi) at the data link layer, where we have achieved good detection results (>95%) with low detection errors (<0.1%).
50

A Modified Genetic Algorithm and Switch-Based Neural Network Model Applied to Misuse-Based Intrusion Detection

Stewart, Ian 17 March 2009 (has links)
As our reliance on the Internet continues to grow, the need for secure, reliable networks also increases. Using a modified genetic algorithm and a switch-based neural network model, this thesis outlines the creation of a powerful intrusion detection system (IDS) capable of detecting network attacks. The new genetic algorithm is tested against traditional and other modified genetic algorithms using common benchmark functions, and is found to produce better results in less time and with less human interaction. The IDS is tested using the standard benchmark data collection for intrusion detection: the DARPA 98 KDD99 set. Results are found to be comparable to those achieved using ant colony optimization, and superior to those obtained with support vector machines and other genetic algorithms. / Thesis (Master, Computing) -- Queen's University, 2009-03-03