11. DNIDS: A dependable network intrusion detection system using the CSI-KNN algorithm
Kuang, Liwei, 14 September 2007
The dependability of an Intrusion Detection System (IDS) relies on two factors: ability to detect intrusions and survivability in hostile environments. Machine learning-based anomaly detection approaches are gaining increasing attention in the network intrusion detection community because of their intrinsic ability to discover novel attacks. This ability has become critical since the number of new attacks has kept growing in recent years. However, most of today's anomaly-based IDSs generate high false positive rates and miss many attacks because of a deficiency in their ability to discriminate attacks from legitimate behaviors. These unreliable results damage the dependability of IDSs. In addition, even if the detection method is sound and effective, the IDS might still be unable to deliver detection service when under attack. With the increasing importance of the IDS, some attackers attempt to disable the IDS before they launch a thorough attack. In this thesis, we propose a Dependable Network Intrusion Detection System (DNIDS) based on the Combined Strangeness and Isolation measure K-Nearest Neighbor (CSI-KNN) algorithm. The DNIDS can effectively detect network intrusions while providing continued service even under attacks. The intrusion detection algorithm analyzes different characteristics of network data by employing two measures: strangeness and isolation. Based on these measures, a correlation unit raises intrusion alerts with associated confidence estimates. In the DNIDS, multiple CSI-KNN classifiers work in parallel to deal with different types of network traffic. An intrusion-tolerant mechanism monitors the classifiers and the hosts on which the classifiers reside and enables the IDS to survive component failure due to intrusions. As soon as a failed IDS component is discovered, a copy of the component is installed to replace it and the detection service continues. We evaluate our detection approach over the KDD'99 benchmark dataset. The experimental results show that the performance of our approach is better than the best result of the KDD'99 contest winner. In addition, the intrusion alerts generated by our algorithm provide graded confidence that offers some insight into the reliability of the intrusion detection. To verify the survivability of the DNIDS, we test the prototype in simulated attack scenarios. In addition, we evaluate the performance of the intrusion-tolerant mechanism and analyze the system reliability. The results demonstrate that the mechanism can effectively tolerate intrusions and achieve high dependability.
Thesis (Master, Computing), Queen's University, 2007-09-05.

12. Detekce těžení kryptoměn pomocí analýzy dat o IP tocích / Detection of Cryptocurrency Miners Based on IP Flow Analysis
Šabík, Erik, January 2017
This master's thesis describes general information about cryptocurrencies, what principles are used in the process of creating new coins, and why mining cryptocurrencies can be malicious. Further, it discusses what an IP flow is and how to monitor networks by observing network traffic using IP flows. It describes the Nemea framework, which is used to build a comprehensive system for detecting malicious traffic. It explains how network data containing the communication of the cryptocurrency mining process were obtained, and then provides an analysis of these data. Based on this analysis, a proposal is made for methods capable of detecting cryptocurrency mining using IP flow records. Finally, the proposed detection method was evaluated on various networks and the results are described.

13. Filtrace útoků na odepření služeb / Filtering of denial-of-service attacks
Klimeš, Jan, January 2019
This thesis deals with filtering selected DDoS (denial-of-service) attacks. The theoretical part deals with the general mechanisms used for DDoS attacks, defense mechanisms, and mechanisms of detection and filtering. The practical part deals with filtering the attacks using the iptables firewall and the Suricata IPS on the Linux operating system in an experimental setup, using a network traffic generator to verify their functionality and performance, including statistical processing of the output data from the filtering tools using the Elasticsearch database.

14. Systémy detekce a prevence průniku / Intrusion Detection and Prevention Systems
Černý, Michal, January 2010
Intrusion detection and prevention systems can be realized as independent hardware or installed in software form on the host. The primary purpose of these protective elements is the detection of undesirable activity such as violation of file integrity, invalid attempts to connect to a remote service, or acquisition of local network data. The systems react to an event on the basis of an action defined by internal rules; possible countermeasures include sending an alert or blocking the communication. The thesis describes the basic principles of intrusion detection and prevention systems. It covers various types of analysis of captured data, the process of creating the internal rules, and alert formats. Alternatives for their placement are also considered, including the advantages of selected situations. The installation and configuration of the particular elements of the realized network and security systems is described. In order to verify functionality and the degree of protection provided, several selected types of attacks were carried out.

15. Machine Learning Based IDS Log Analysis
Tianshuai Guan (10710258), 06 May 2021
With the rapid development of information technology, network traffic is also increasing dramatically. However, many cyber-attack records are buried in this large amount of network traffic. Therefore, many Intrusion Detection Systems (IDS) that can extract those malicious activities have been developed. Zeek is one of them, and due to its powerful functions and open-source environment, Zeek has been adopted by many organizations. Information Technology at Purdue (ITaP), which uses Zeek as its IDS, captures netflow logs for all network activity across the whole campus but has not delved into effective use of the information. This thesis examines ways to help increase the performance of anomaly detection. As a result, this project intends to combine basic database concepts with several different machine learning algorithms and compare the results from different combinations to better find potential attack activities in log files.

16. A Meta-Learning based IDS
Zhenyu Wan (18431475), 26 April 2024
As the demand for IoT devices continues to grow, our reliance on networks in daily life increases. Whether we are considering individual users or large multinational companies, networks have become an essential asset for people across various industries. However, this dependence on networks also exposes us to security vulnerabilities when traffic is not adequately filtered. A successful attack on the network could have severe consequences for its users. Therefore, the implementation of a network intrusion detection system (IDS) is crucial to safeguard the well-being of our modern society.
While AI-based IDS is a new force in the field of intrusion detection, it outperforms some traditional approaches. However, it is not without its flaws. The performance of ML-based IDS decreases when applied to a different dataset than the one it was trained on. This decrease in performance hinders the ML-based IDS's ability to be used in a production environment, as the data generated in a production environment also differs from the data that is used to train the IDS. This paper aims to devise an ML-based IDS that is generalizable to a different environment.

17. LIDS: An Extended LSTM Based Web Intrusion Detection System With Active and Distributed Learning
Sagayam, Arul Thileeban, 24 May 2021
Intrusion detection systems are an integral part of web application security. As Internet use continues to increase, the demand for fast, accurate intrusion detection systems has grown. Various IDSs like Snort, Zeek, Solarwinds SEM, and Sleuth9 detect malicious intent based on existing patterns of attack. While these systems are widely deployed, there are limitations with their approach, and anomaly-based IDSs that classify baseline behavior and trigger on deviations were developed to address their shortcomings. Existing anomaly-based IDSs have limitations that are typical of any machine learning system, including high false-positive rates, a lack of clear infrastructure for deployment, the requirement for data to be centralized, and an inability to add modules tailored to specific organizational threats. To address these shortcomings, our work proposes a system that is distributed in nature, can actively learn, and uses experts to improve accuracy. Our results indicate that the integrated system can operate independently as a holistic system while maintaining an accuracy of 99.03%, a false positive rate of 0.5%, and a processing speed of 160,000 packets per second for an average system.
Master of Science.

18. Forense computacional em ambiente de rede baseado na geração de alertas de sistemas de detecção de intrusos auxiliado pela engenharia dirigida por modelos / Computational Forensics in a Network Environment Based on the Generation of Alerts by Intrusion Detection Systems, Assisted by Model-Driven Engineering
Duarte, Lianna Mara Castro, 19 October 2012
Funding: Coordenação de Aperfeiçoamento de Pessoal de Nível Superior
Even the great progress of the techniques used by protection systems such as firewalls, intrusion detection systems and antivirus to detect and prevent attacks is not enough to eliminate the threat of cyber-attacks. Attacks known for decades still succeed, and well-known vulnerabilities continue to exist and reappear on the Internet and in corporate networks [1]. Today's intrusion detection technologies provide rich information about attacks; however, intrusion detection focuses mainly on the fact that security has been compromised. Computer forensics, on the other hand, attempts to understand and explain what happened to the security environment and how a security violation could happen [2]. There is, however, a lack of investigative mechanisms that work synergistically with these sensors and identify not only the attackers but also the malicious actions that were performed. The lack of standardization in the computer and network forensics process [3], together with the heterogeneity of tools and the fact that log/alert file formats depend on their developers, causes a large variety in the formats of these security alerts. Moreover, the knowledge used in incident investigation remains restricted to the security analysts of each case. This work proposes the development of a model based on computer forensics that can be applied in a network environment to work with the IDS NIDIA [4] and heterogeneous IDSs, associating with the alerts information about procedures that can be performed to investigate the incident using existing tools. The methodology initially drew on the literature (books, theses, dissertations, research papers and hypermedia documents) to achieve the proposed objectives, followed by gathering the information needed to develop the solution and analyzing tools that could assist in modeling and implementing the prototype, which was assisted by Model Driven Architecture.

19. Behaviorální analýza síťového provozu a detekce útoků (D)DoS / Behavioral Analysis of Network Traffic and (D)DoS Attack Detection
Chapčák, David, January 2017
The semestral thesis deals with the analysis of modern open-source NIDPS tools for monitoring and analyzing network traffic. The work rates these tools in terms of their network location and functions, and gives a more detailed analysis of their detection and alerting mechanisms. It further analyzes the possibilities of anomaly detection, especially in terms of statistical analysis, and shows the basics of other approaches, such as those based on data mining and machine learning. The last section presents specific open-source tools, compares their operation, and proposes a design that allows traffic monitoring and analysis, classification, and detection of anomalies and (D)DoS attacks.

20. Gestion dynamique et évolutive de règles de sécurité pour l'Internet des Objets / Dynamic and scalable management of security rules for the Internet of Things
Mahamat charfadine, Salim, 02 July 2019
With the exponential evolution of the Internet of Things (IoT), ensuring network security has become a big challenge for network administrators. Traditionally, network security is based on multiple independent devices such as firewalls, IDS/IPS and NAC, whose main role is to monitor the information exchanged between the inside and the outside perimeters of enterprise networks. However, the administration of these network devices can be complex and tedious when each is configured manually and independently. Recently, the introduction of the Software Defined Networking (SDN) concept and the OpenFlow protocol has offered many opportunities by providing centralized and programmable network administration. As part of this research work, we proposed a new approach to secure network traffic exchanges, based on a method of event detection, in an automated manner. This solution is based on the SDN approach coupled with an intrusion detection system, which allows analyzing, detecting and removing security threats. With the implementation, we contribute to changing the paradigm of securing network traffic exchanges using the SDN principle coupled with an IDS in a real use-case architecture. In this way, the management of network security becomes simplified, dynamic and scalable.
