  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
161

EXPLAINABLE AI METHODS FOR ENHANCING AI-BASED NETWORK INTRUSION DETECTION SYSTEMS

Osvaldo Guilherme Arreche (18569509) 03 September 2024 (has links)
In network security, the exponential growth of intrusions stimulates research toward developing advanced artificial intelligence (AI) techniques for intrusion detection systems (IDS). However, the reliance on AI for IDS presents challenges, including the performance variability of different AI models and the lack of explainability of their decisions, hindering the comprehension of outputs by human security analysts. Hence, this thesis proposes end-to-end explainable AI (XAI) frameworks tailored to enhance the understandability and performance of AI models in this context.

The first chapter benchmarks seven black-box AI models across one real-world and two benchmark network intrusion datasets, laying the foundation for subsequent analyses. Subsequent chapters delve into feature selection methods, recognizing their crucial role in enhancing IDS performance by extracting the most significant features for identifying anomalies in network security. Leveraging XAI techniques, novel feature selection methods are proposed, showing superior performance compared to traditional approaches.

Also, this thesis introduces an in-depth evaluation framework for black-box XAI-IDS, encompassing global and local scopes. Six evaluation metrics are analyzed, including descriptive accuracy, sparsity, stability, efficiency, robustness, and completeness, providing insights into the limitations and strengths of current XAI methods.

Finally, the thesis addresses the potential of ensemble learning techniques in improving AI-based network intrusion detection by proposing a two-level ensemble learning framework comprising base learners and ensemble methods trained on input datasets to generate evaluation metrics and new datasets for subsequent analysis. Feature selection is integrated into both levels, leveraging XAI-based and Information Gain-based techniques.

Holistically, this thesis offers a comprehensive approach to enhancing network intrusion detection through the synergy of AI, XAI, and ensemble learning techniques by providing open-source code and insights into model performance. Therefore, it contributes to the advancement of interpretable AI models for network security, empowering security analysts to make informed decisions in safeguarding networked systems.
162

IDS on Raspberry Pi : A Performance Evaluation

Aspernäs, Andreas, Simonsson, Thommy January 2015 (has links)
This report examines whether a Raspberry Pi can be used as an intrusion detection system in a home environment to increase network security. The focus of the study is on how well two generations of Raspberry Pi handle network traffic while acting as an intrusion detection system. To examine this, a test environment was set up containing two workstation computers connected to a Raspberry Pi, each computer hosting a virtual machine. Tests measuring network throughput as well as CPU and memory usage were performed on each of the Raspberry Pi devices. Two models were used, the Raspberry Pi model B+ and the Raspberry Pi 2 model B, both running the operating system Arch Linux ARM. The results of these tests were that both Raspberry Pis can be used as an intrusion detection system, but with some limitations that could impede usage depending on the requirements of the user. The Raspberry Pi 2 model B shows the benefit of its updated hardware by suffering lower throughput degradation than the Raspberry Pi model B+ while using less of its total CPU and memory capacity; its newer and faster hardware is the likely cause of the better result.
163

Design of the local connecting road with the tram track of line no. 3 in the area of Zbrojovka in Brno

Paszandová, Zuzana January 2013 (has links)
The thesis deals with the design of a local collector road and the tram track of line no. 3 in the redevelopment area recently named "Zbrojovka Brno". Connection to the existing infrastructure is also considered. Housing, recreation and administration sectors and tram stops are designed for easy accessibility within the new area. Because the railway bounds the area on the east and will be extended in the future, joining the tram service with the integrated transport system in Židenice is possible. The design includes a new bridge across the Svitava river and connections with the surrounding areas. Where individual car traffic (IAD) is separated from the tram route, trolley transport is designed in place of IAD.
164

Machine Learning for a Network-based Intrusion Detection System : An application using Zeek and the CICIDS2017 dataset

Gustavsson, Vilhelm January 2019 (has links)
Cyber security is an emerging field in the IT sector. As more devices are connected to the internet, the attack surface available to attackers is steadily increasing. Network-based Intrusion Detection Systems (NIDS) can be used to detect malicious traffic in networks, and machine learning is an increasingly common approach for improving the detection rate. In this thesis the NIDS Zeek is used to extract features based on time and data size from network traffic. The features are then analyzed with machine learning in Scikit-Learn in order to detect malicious traffic. A 98.58% Bayesian detection rate was achieved on CICIDS2017, which is about the same level as the results of previous work on CICIDS2017 (without Zeek). The best performing algorithms were K-Nearest Neighbors, Random Forest and Decision Tree.
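The abstract above names two things a practitioner has to get right before any model is trained: turning Zeek's conn.log into numeric time- and size-based features, and reporting the result as a Bayesian detection rate, that is P(intrusion | alarm), rather than a bare true-positive rate. The following is an added example, not code from the thesis; the conn.log excerpt and the confusion-matrix counts are constructed for the demo, and the feature set is an assumption in the spirit of the abstract rather than the thesis's exact list.

```python
"""Added example (not from the thesis): parse Zeek conn.log records, derive
time- and size-based features, and compute the Bayesian detection rate (BDR)
of a detector from its confusion counts. All log lines are constructed."""
from typing import Dict, List, Optional

# Constructed Zeek conn.log excerpt. Zeek writes TSV with a '#fields' line
# naming the columns and '-' for unset values (the ssh probe never completes,
# so its duration and byte counters are unset).
CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\torig_pkts\tresp_pkts",
    "1499343600.10\tCabc1\t192.168.10.5\t51234\t10.0.0.2\t80\ttcp\thttp"
    "\t0.512\t420\t5120\tSF\t6\t7",
    "1499343600.20\tCabc2\t192.168.10.9\t40001\t10.0.0.2\t22\ttcp\t-"
    "\t-\t-\t-\tS0\t1\t0",
    "1499343600.25\tCabc3\t192.168.10.9\t40002\t10.0.0.2\t23\ttcp\t-"
    "\t0.001\t0\t0\tREJ\t1\t1",
])


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per record, keyed by the names in the #fields line."""
    fields: Optional[List[str]] = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header directives: #separator, #types, #close
        else:
            if fields is None:
                raise ValueError("record before #fields header")
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError("field count mismatch: %r" % line)
            records.append(dict(zip(fields, values)))
    return records


def _num(value: str) -> float:
    """Zeek's unset marker '-' becomes 0.0 so arithmetic stays defined."""
    return 0.0 if value == "-" else float(value)


def extract_features(rec: Dict[str, str]) -> Dict[str, float]:
    """Time- and size-based features (assumed set, not the thesis's exact list)."""
    duration = _num(rec["duration"])
    orig_b, resp_b = _num(rec["orig_bytes"]), _num(rec["resp_bytes"])
    orig_p, resp_p = _num(rec["orig_pkts"]), _num(rec["resp_pkts"])
    total_b = orig_b + resp_b
    return {
        "duration": duration,
        "orig_bytes": orig_b,
        "resp_bytes": resp_b,
        "total_pkts": orig_p + resp_p,
        "bytes_per_sec": total_b / duration if duration > 0 else 0.0,
        "resp_frac": resp_b / total_b if total_b > 0 else 0.0,
        "unanswered": 1.0 if resp_p == 0 else 0.0,  # S0-style half-open probes
    }


def bayesian_detection_rate(tp: int, fn: int, fp: int, tn: int,
                            prior: Optional[float] = None) -> float:
    """P(intrusion | alarm) = TPR*P(I) / (TPR*P(I) + FPR*(1-P(I))).

    With the evaluation set's own base rate this reduces to TP/(TP+FP);
    pass a smaller `prior` to see what the same TPR/FPR yield when intrusions
    are rare, which is the base-rate effect that makes BDR the honest metric."""
    tpr = tp / (tp + fn)
    fpr = fp / (fp + tn)
    if prior is None:
        prior = (tp + fn) / (tp + fn + fp + tn)
    return tpr * prior / (tpr * prior + fpr * (1 - prior))


if __name__ == "__main__":
    for rec in parse_conn_log(CONN_LOG):
        print(rec["uid"], rec["conn_state"], extract_features(rec))
    # Constructed counts: 10% attack base rate in the evaluation set.
    print("BDR on eval set:", bayesian_detection_rate(980, 20, 15, 8985))
    print("BDR at 0.1% base rate:", bayesian_detection_rate(980, 20, 15, 8985, prior=0.001))
```

The last two lines are the point of computing BDR at all: the constructed detector keeps the same TPR and FPR, yet its BDR falls from about 0.985 on the balanced evaluation set to about 0.37 when intrusions are one in a thousand, so a CICIDS2017 figure should not be read as the alarm precision one would see on production traffic.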
165

Improved performance high speed network intrusion detection systems (NIDS) : a high speed NIDS architectures to address limitations of packet loss and low detection rate by adoption of dynamic cluster architecture and traffic anomaly filtration (IADF)

Akhlaq, Monis January 2011 (has links)
Intrusion Detection Systems (IDS) are considered a vital component of network security architecture. The system allows the administrator to detect unauthorized use of, or attack upon, a computer, network or telecommunication infrastructure. There is no second thought about the necessity of these systems; however, their performance remains a critical question. This research has focused on designing a high performance Network Intrusion Detection System (NIDS) model. The work begins with the evaluation of Snort, an open source NIDS considered a de facto IDS standard. The motive behind the evaluation strategy is to analyze the performance of Snort and ascertain the causes of its limited performance. The design and implementation of high performance techniques is the final objective of this research. Snort has been evaluated on a highly sophisticated test bench by employing evasive and avoidance strategies to simulate real-life normal and attack-like traffic. The test methodology is based on the concept of stressing the system and degrading its performance in terms of its packet handling capacity. This has been achieved by normal traffic generation; fuzzing; traffic saturation; parallel dissimilar attacks; and manipulation of background traffic, e.g. fragmentation, packet sequence disturbance and illegal packet insertion. The evaluation phase has led us to two high performance designs: first, a distributed hardware architecture using cluster-based adoption, and second, a cascaded combination of anomaly-based filtration and signature-based detection. The first high performance mechanism is based on Dynamic Cluster adoption using refined policy routing and Comparator Logic. The design is a two-tier mechanism in which the front end of the cluster is a load balancer that distributes traffic on pre-defined policy routing, ensuring maximum utilization of cluster resources.
The traffic load sharing mechanism reduces packet drop by exchanging state information between the load balancer and cluster nodes and performing switchovers between nodes when the traffic exceeds a pre-defined threshold. Finally, the recovery evaluation concept using Comparator Logic also enhances overall efficiency by recovering data lost in switchovers; the retrieved data is then analyzed by the recovery NIDS to identify any leftover threats. Intelligent Anomaly Detection Filtration (IADF), a cascaded architecture of anomaly-based filtration followed by signature-based detection, is the second high performance design. The IADF design preserves NIDS resources by eliminating a large portion of the traffic according to well-defined logic. In addition, the filtration concept augments the detection process by eliminating the part of malicious traffic which would otherwise go undetected by most signature-based mechanisms. We have evaluated the mechanism's ability to detect Denial of Service (DoS) and Probe attempts by analyzing its performance on the Defence Advanced Research Projects Agency (DARPA) dataset. The concept is also supported by time-based normalized sampling mechanisms that incorporate normal traffic variations to reduce false alarms. Finally, we have observed that IADF has augmented the overall detection process by reducing false alarms, increasing the detection rate and incurring less data loss.
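The IADF idea in the abstract above is a cascade: a cheap anomaly stage, normalised against what is normal for the current time slot, decides which sources the expensive signature stage gets to see. The following is an added example of that cascade, not Akhlaq's implementation; the per-hour baseline rates, the packet window and the two byte-pattern signatures are constructed for the demo, and a z-score cut-off of 3 is an assumed policy.

```python
"""Added example, not the thesis's IADF code: an anomaly pre-filter normalised
per hour of day passes only suspicious sources to a signature matcher.
Baseline rates, packets and signatures are constructed for this demo."""
import math
from collections import Counter
from typing import Dict, List, Tuple

Packet = Tuple[float, str, int, bytes]  # (timestamp, src_ip, dst_port, payload)

# Constructed baseline: per hour of day, per-source packets/s seen in
# attack-free traffic. Normalising per time slot keeps the daily rhythm
# (busy afternoon, quiet night) from itself looking anomalous.
BASELINE: Dict[int, List[float]] = {
    14: [10.0, 12.0, 11.0, 9.0, 13.0],
    3: [1.0, 2.0, 1.0, 1.0, 0.0],
}

# Constructed signatures for the second stage (byte patterns in payload).
SIGNATURES = {"shell-in-payload": b"/bin/sh", "telnet-root": b"USER root"}


def baseline_stats(samples: List[float]) -> Tuple[float, float]:
    """Population mean and standard deviation of the baseline samples."""
    mean = sum(samples) / len(samples)
    var = sum((s - mean) ** 2 for s in samples) / len(samples)
    return mean, math.sqrt(var)


def anomaly_filter(packets: List[Packet], hour: int, window_s: float,
                   z_cut: float = 3.0) -> Dict[str, float]:
    """Stage 1: sources whose rate in this window sits z_cut standard
    deviations above the baseline for this hour, with their z-score."""
    counts = Counter(src for _, src, _, _ in packets)
    mean, std = baseline_stats(BASELINE[hour])
    flagged = {}
    for src, n in counts.items():
        rate = n / window_s
        if std > 0:
            z = (rate - mean) / std
        else:  # degenerate baseline: anything above the mean is anomalous
            z = float("inf") if rate > mean else 0.0
        if z >= z_cut:
            flagged[src] = round(z, 2)
    return flagged


def signature_stage(packets: List[Packet], sources) -> List[Tuple[float, str, int, str]]:
    """Stage 2: pattern matching, run only over packets from flagged sources."""
    alerts = []
    for ts, src, dport, payload in packets:
        if src not in sources:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                alerts.append((ts, src, dport, name))
    return alerts


def cascade(packets: List[Packet], hour: int, window_s: float = 1.0):
    """Return (flagged sources, alerts, packets inspected by stage 2, total)."""
    flagged = anomaly_filter(packets, hour, window_s)
    alerts = signature_stage(packets, flagged)
    inspected = sum(1 for p in packets if p[1] in flagged)
    return flagged, alerts, inspected, len(packets)


def build_window() -> List[Packet]:
    """Constructed one-second window: a quiet web client and a port sweep
    that ends with a payload carrying two signatures."""
    pkts: List[Packet] = [(0.01 * i, "192.168.1.10", 443, b"GET / HTTP/1.1") for i in range(3)]
    pkts += [(0.01 * i, "10.9.9.9", 1000 + i, b"SYN") for i in range(59)]
    pkts.append((0.60, "10.9.9.9", 23, b"login: USER root; /bin/sh"))
    return pkts


if __name__ == "__main__":
    flagged, alerts, inspected, total = cascade(build_window(), hour=14)
    print("flagged:", flagged)
    print("alerts:", alerts)
    print("stage 2 inspected %d of %d packets" % (inspected, total))
```

The web client's three packets never reach the signature matcher, which is the resource saving the abstract describes; the trade-off is that the z-score cut-off is now a detection parameter, and a low-and-slow source that stays under the baseline for its hour is invisible to stage 2 regardless of its payload.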
166

Attack Detection by Analysis of the System's Logs

Holub, Ondřej Unknown Date (has links)
The thesis deals with the possibilities of detecting attacks and non-standard behaviour. It focuses on the problems of IDS detection systems, their classification and the methods used for attack detection. One part of the thesis presents existing IDS systems and the properties necessary for successful attack detection. Other parts describe methods for obtaining information from Microsoft Windows operating systems and analyse theoretical methods for detecting anomalies in the data. The practical part focuses on the design and implementation of a HIDS application. The resulting application and its detection abilities are tested at the end of the practical part with the help of several model situations. In conclusion, the thesis summarises the knowledge gained and outlines a possible direction for future development.
167

Anomaly-based network intrusion detection enhancement by prediction threshold adaptation of binary classification models

Al Tobi, Amjad Mohamed January 2018 (has links)
Network traffic exhibits a high level of variability over short periods of time. This variability impacts negatively on the performance (accuracy) of anomaly-based network Intrusion Detection Systems (IDS) that are built using predictive models in a batch-learning setup. This thesis investigates how adapting the discriminating threshold of model predictions, specifically to the evaluated traffic, improves the detection rates of these intrusion detection models. Specifically, this thesis studied the adaptability features of three well known machine learning algorithms: C5.0, Random Forest, and Support Vector Machine. The ability of these algorithms to adapt their prediction thresholds was assessed and analysed under different scenarios that simulated real world settings using the prospective sampling approach. A new dataset (STA2018) was generated for this thesis and used for the analysis. This thesis has demonstrated empirically the importance of threshold adaptation in improving the accuracy of detection models when training and evaluation (test) traffic have different statistical properties. Further investigation was undertaken to analyse the effects of feature selection and data balancing processes on a model's accuracy when evaluation traffic with different significant features was used. The effects of threshold adaptation on reducing the accuracy degradation of these models were statistically analysed. The results showed that, of the three compared algorithms, Random Forest was the most adaptable and had the highest detection rates. This thesis then extended the analysis to apply threshold adaptation on sampled traffic subsets, using different sample sizes, sampling strategies and label error rates. This investigation showed the robustness of the Random Forest algorithm in identifying the best threshold.
The Random Forest algorithm only needed a sample that was 0.05% of the original evaluation traffic to identify a discriminating threshold with an overall accuracy rate of nearly 90% of that achieved by the optimal threshold.
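The mechanism the abstract above relies on is simple to state: the model's scores are kept, but the cut-off that turns a score into "attack" is re-chosen on a small labelled sample of the traffic actually being evaluated. The following is an added example of that procedure, not code from the thesis; the scores are constructed so that benign traffic drifts upward between training and evaluation, which is the situation the thesis studies, and the systematic 1-in-10 sample is an assumed sampling strategy.

```python
"""Added example, not from the thesis: re-adapt a binary classifier's decision
threshold to the traffic under evaluation. Scores are constructed so that
benign-traffic scores drift upward between training and evaluation."""
from typing import List, Sequence, Tuple


def _scores(start: float, step: float, n: int) -> List[float]:
    return [round(start + step * i, 4) for i in range(n)]


# Constructed model scores (probability of "attack"); label 1 = attack.
TRAIN_SCORES = _scores(0.05, 0.01, 40) + _scores(0.55, 0.01, 40)
TRAIN_LABELS = [0] * 40 + [1] * 40
# Evaluation traffic: benign scores have drifted up by 0.25 (new services,
# different mix), attacks sit in a tighter, higher band.
EVAL_SCORES = _scores(0.30, 0.01, 40) + _scores(0.72, 0.007, 40)
EVAL_LABELS = [0] * 40 + [1] * 40


def accuracy(scores: Sequence[float], labels: Sequence[int], threshold: float) -> float:
    """Fraction of records where (score >= threshold) agrees with the label."""
    correct = sum(int((s >= threshold) == bool(y)) for s, y in zip(scores, labels))
    return correct / len(scores)


def adapt_threshold(scores: Sequence[float], labels: Sequence[int]) -> Tuple[float, float]:
    """Choose, among the observed scores, the threshold that maximises
    accuracy on the given labelled traffic. Ties go to the lowest candidate."""
    best_thr, best_acc = 0.5, -1.0
    for thr in sorted(set(scores)):
        acc = accuracy(scores, labels, thr)
        if acc > best_acc:
            best_thr, best_acc = thr, acc
    return best_thr, best_acc


def systematic_sample(scores: Sequence[float], labels: Sequence[int], step: int):
    """Every step-th record: a cheap labelled sample of the evaluation traffic
    (assumed sampling strategy for this demo)."""
    return list(scores[::step]), list(labels[::step])


def demo() -> Tuple[float, float, float, float]:
    """Return (training threshold, its accuracy on evaluation traffic,
    adapted threshold, accuracy on evaluation traffic after adaptation)."""
    train_thr, _ = adapt_threshold(TRAIN_SCORES, TRAIN_LABELS)
    fixed_acc = accuracy(EVAL_SCORES, EVAL_LABELS, train_thr)
    sample_scores, sample_labels = systematic_sample(EVAL_SCORES, EVAL_LABELS, 10)
    adapted_thr, _ = adapt_threshold(sample_scores, sample_labels)
    adapted_acc = accuracy(EVAL_SCORES, EVAL_LABELS, adapted_thr)
    return train_thr, fixed_acc, adapted_thr, adapted_acc


if __name__ == "__main__":
    train_thr, fixed_acc, adapted_thr, adapted_acc = demo()
    print("threshold learned on training traffic: %.2f -> eval accuracy %.4f" % (train_thr, fixed_acc))
    print("threshold adapted on 10%% sample:       %.2f -> eval accuracy %.4f" % (adapted_thr, adapted_acc))
```

On the constructed data the threshold learned on training traffic (0.55) drops to 81.25% accuracy once benign scores drift, while the threshold picked from eight labelled evaluation records (0.72) separates the two classes perfectly; the model itself is never retrained. The caveat the thesis also studies, and this demo does not show, is label error in the sample: a mislabelled record near the boundary can pull the adapted threshold the wrong way, which is why tie-breaking and sample size matter.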
168

IPSFlow: A framework for an Intrusion Prevention System based on Software-Defined Networks

NAGAHAMA, Fábio Yu 09 October 2013 (has links)
Intrusion Detection and Prevention Systems (IDS/IPS) are well-known and well-established tools in the world of information security. However, their lack of integration with network equipment such as switches and routers limits what these tools can do and requires careful dimensioning of the hardware resources (processing, memory and high-speed network interfaces) used to implement them. Faced with the limitations encountered by researchers and network administrators, the concept of Software Defined Networking (SDN) emerged; by separating the control and data planes, it allows the operation of the network to be adapted to each operator's needs. Thus, given the standardisation and flexibility offered by SDN and the limitations of IPSs, this master's dissertation proposes IPSFlow, a framework that uses a network based on the SDN architecture and the OpenFlow protocol to build an IPS with wide coverage that blocks traffic characterised by the IDS(s) as malicious at the equipment closest to its origin. To validate the framework, experiments were conducted in the Mininet virtual environment using Snort as the IDS to analyse scanning traffic generated by Nmap from one host to another. The results show that IPSFlow worked as planned, blocking about 85% of the scanning traffic.
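The core of the framework described above is a translation step: an IDS alert names a source and destination, the controller knows which switch port each host sits behind, and a drop rule goes to that ingress switch rather than to a choke point in the middle of the network. The following is an added example of that step, not the IPSFlow code; the Snort "fast" alert lines and the host-location table are constructed, and the flow rule is expressed as a plain dictionary in OpenFlow 1.0 terms rather than through any controller API (an empty action list is a drop in OpenFlow 1.0).

```python
"""Added example, not the IPSFlow implementation: turn Snort alerts into
OpenFlow drop rules installed on the switch nearest the offending host.
Alert lines, host locations and the rule layout are constructed for this demo."""
import re
from typing import Dict, List, Optional, Tuple

# Snort "fast" alert line layout (snort -A fast). Ports are absent for ICMP
# alerts, so they are optional in the pattern.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r" -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed host-location table: datapath id and port each host hangs off.
# In a real deployment this is the controller's learned host view.
HOST_LOCATION: Dict[str, Tuple[int, int]] = {
    "10.0.0.1": (1, 3),
    "10.0.0.2": (2, 1),
}

# Constructed alerts: an Nmap SYN sweep from 10.0.0.1 and a ping from a host
# whose location the controller does not know.
ALERTS = [
    "07/31-14:26:52.123456  [**] [1:1000001:1] SCAN nmap SYN probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.1:54321 -> 10.0.0.2:22",
    "07/31-14:26:52.123790  [**] [1:1000001:1] SCAN nmap SYN probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.1:54322 -> 10.0.0.2:23",
    "07/31-14:26:53.000001  [**] [1:384:5] ICMP PING [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 10.0.0.2",
]


def parse_alert(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Extract sid, message, protocol and endpoints from one fast-format line."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def drop_rule_nearest_origin(alert: Dict[str, Optional[str]],
                             host_location: Dict[str, Tuple[int, int]],
                             priority: int = 100) -> Optional[dict]:
    """Build an OpenFlow-1.0-style flow entry that drops the attacker's traffic
    to the victim at the attacker's ingress switch and port."""
    loc = host_location.get(alert["src"] or "")
    if loc is None:
        return None  # unknown origin: caller must block elsewhere or alert only
    dpid, in_port = loc
    match = {"in_port": in_port, "dl_type": 0x0800,
             "nw_src": alert["src"], "nw_dst": alert["dst"]}
    return {"dpid": dpid, "priority": priority, "match": match,
            "actions": [],          # no actions == drop in OpenFlow 1.0
            "idle_timeout": 300,    # assumed: let the block age out
            "reason": "snort sid %s: %s" % (alert["sid"], alert["msg"])}


def rules_from_alerts(lines: List[str],
                      host_location: Dict[str, Tuple[int, int]]) -> List[dict]:
    """One rule per (src, dst) pair: the hundreds of alerts a port sweep
    produces collapse into a single flow entry."""
    seen = set()
    rules = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        key = (alert["src"], alert["dst"])
        if key in seen:
            continue
        rule = drop_rule_nearest_origin(alert, host_location)
        if rule is not None:
            seen.add(key)
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in rules_from_alerts(ALERTS, HOST_LOCATION):
        print(rule)
```

Two practical points the rule builder makes visible: the match is pinned to the attacker's ingress port as well as its address, so a spoofed source elsewhere in the network cannot trigger a block of the real host, and an alert for a source the controller cannot place yields no rule rather than a rule on the wrong switch. The 85% figure in the abstract is consistent with this design: the first packets of a scan reach the IDS before any rule exists, so blocking is always a step behind the first alert.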
169

SDN based Automatic Firewall for Rules Learning, IDS and Multi-WAN Load Balancer

王昌弘, Wang, Chang Hung Unknown Date (has links)
A firewall is an important device in today's networks, responsible for separating the internal network from the public network and keeping the internal network secure. Several problems remain, however. First, firewall rules are set manually by the network administrator; with the rapid development of network technology and the widespread use of virtualisation in recent years, this work has become a heavy burden. Second, a firewall can isolate the external network and block harmful traffic, but it does nothing against threats inside the internal network. The common practice is to use an intrusion detection system (IDS), but an IDS can only raise an alert after an attack is observed; it cannot act on it in real time. Finally, enterprises usually use several ISP links for redundancy and rely on a Multi-WAN load balancer to increase bandwidth utilisation, but the number of WAN/LAN ports is fixed by the manufacturer's specification and cannot be adjusted flexibly, and the load balancing algorithms are limited to those the manufacturer provides (network features such as IP address, weights, or round robin), with no way to make better decisions from current network conditions. To resolve these problems, this thesis proposes an automatic firewall based on Software Defined Networking (SDN). OpenFlow switches replace traditional firewall devices, and the system learns rules automatically by packet analysis during a trust observation interval. The Snort intrusion detection system is integrated so that packets matching attack signatures are identified and the dangerous traffic is blocked immediately. An on-demand mechanism for dynamically adjusting firewall rules is also proposed to reduce the administrator's workload. Finally, because a switch has many physical ports, the number of external and internal links can be adjusted freely instead of being limited by the vendor's specification, replacing the traditional Multi-WAN load balancer with a more flexible architecture; port statistics and flow-table information collected from the switch are used to assess network conditions in real time and improve load balancing. To verify the proposed methods, an SDN environment was built on Linux (Ubuntu) servers with KVM, Open vSwitch and the POX controller, and requests were sent to the firewall by generating packets. The experimental results show that the proposed concepts work correctly and effectively reduce the manual work needed to adjust the firewall. For the Multi-WAN load balancer, the proposed method outperforms round robin by about 25% in average bandwidth utilisation and about 17.5% in packet loss rate in the best case.
170

Contributions to security in mobile ad hoc networks

Rachedi, Abderrezak 26 November 2008 (has links) (PDF)
The thesis focuses on security in mobile ad hoc networks (MANET: Mobile Ad hoc NETwork) [RFC 2501]. The absence of central management of network functions makes these networks far more vulnerable to attacks than wireless (WLAN) and wired (LAN) networks. Unfortunately, the security protocols that exist today are not designed for such a dynamic environment. They do not take resource constraints into account: not only is the environment dynamic, but resources are also limited (memory, computing capacity and above all energy), which further complicates the problem, since security solutions are known to be resource-hungry. However, given the importance of the application domains of mobile ad hoc networks, such as military operations (communication between aircraft, vehicles and personnel) and rescue operations or emergency situations after a disaster, the challenge must be met, because an infallible security mechanism for mobile ad hoc networks is necessary. The main objective of the thesis is to study solutions capable of ensuring security in mobile ad hoc networks by proposing a distributed hierarchical architecture that establishes a dynamic public key infrastructure. This architecture must support the characteristics of these networks (no central network management unit, dynamic network topology, etc.). To this end, a trust model adapted to the dynamic environment is established to track the evolution of the nodes' trust levels. In addition, the vulnerabilities of the certification authorities are taken into account in the new concept of a DDMZ (dynamic demilitarized zone) that we propose. To protect the nodes whose role is crucial within the network, their identity must be hidden.
This is why the concept of anonymity is introduced. An anonymous authentication protocol is proposed. Furthermore, we draw on the military model to set up a camouflage mechanism that hides the role of sensitive nodes. To maintain the trust model, a monitoring mechanism is indispensable. It is adapted to the constraints of the dynamic wireless environment and reduces the false alarm rate (false positives). It is based on a cross-layer approach and a probabilistic model to improve the observations made by the monitoring node. To face intelligent cross-layer attacks, a study of vulnerabilities in the lower layers, such as the MAC layer, is carried out. Prevention and detection mechanisms are then analysed and evaluated. The performance of these mechanisms is evaluated taking into account the metrics that matter most for mobile ad hoc networks, such as energy consumption, mobility, node and traffic density, etc.
