Machine learning and system administration : A structured literature review

Jonsson, Karl

January 2020

Denna literaturöversikt går igenom två olika system inom IT-säkerhet och hur de fungerar tillsammans med maskinlärningstekniker till en relativt ytlig nivå.Syftet med denna rapport är att kunna sammanfatta dessa system och se hur de kan hjälpa med en systemadministratörs uppgifter, hur det kan användas för automatisera och vad för positiva och negativa förändringar det kan ha på en infrastruktur.Maskinlärning kan vara ett kraftigt verktyg för systemadministratörer för att lätta på arbetsmängden som kan förekomma inom en organisation, vilket är också varför det är viktigt att diskutera när och var man ska utplacera en lösning. Den här studien ska diskutera användningen av maskinlärning och när och var det kan användas. / This literature review discusses two different systems within IT-security and how they work within machine learning to a relatively surface-level degree.The purpose of this paper is to be able to summarize these systems and see how they can help a system administrator’s assignments. how it can be used for automation and the positives and negatives.Machine learning can be a powerful tool for system administrators to alleviate the workload which can exist within an organization, which is why it is important to discuss when and where to deploy a solution.

Intrusion Detection systems

IDS

Machine Learning

Anti-virus

Anti-malware

malware

Information Systems

Lightweight Cyberattack Intrusion Detection System for Unmanned Aerial Vehicles using Recurrent Neural Networks

Wei-Cheng Hsu (10929852)

30 July 2021

<div>Unmanned aerial vehicles (UAVs) have gained more attention in recent years because of their ability to execute various missions. However, recent works have identified vulnerabilities in UAV systems that make them more readily prone to cyberattacks. In this work, the vulnerabilities in the communication channel between the UAV and ground control station are exploited to implement cyberattacks, specifically, the denial of service and false data injection attacks. Unlike other related studies that implemented attacks in simulations, we demonstrate the actual implementation of these attacks on a Holybro S500 quadrotor with PX4 autopilot firmware and MAVLink communication protocol.</div><div><br></div><div>The goal was to create a lightweight intrusion detection system (IDS) that leverages recurrent neural networks (RNNs) to accurately detect cyberattacks, even when implemented on a resource-constrained platform. Different types of RNNs, including simple RNNs, long short-term memory, gated recurrent units, and simple recurrent units, were trained and tested on actual experimental data. A recursive feature elimination approach was carried out on selected features to remove redundant features and to create a lighter RNN IDS model. We also studied the resource consumption of these RNNs on an Arduino Uno board, the lowest-cost companion computer that can be implemented with PX4 autopilot firmware and Pixhawk autopilot boards. The results show that a simple RNN has the best accuracy while also satisfying the constraints of the selected computer.<br></div>

Aerospace Engineering

Autonomous Vehicles

Autopilot

Cyberattacks

intrusion detection systems

Recurrent Neural Networks

unmanned aerial vehicles

Session-based Intrusion Detection System To Map Anomalous Network Traffic

Caulkins, Bruce

01 January 2005

Computer crime is a large problem (CSI, 2004; Kabay, 2001a; Kabay, 2001b). Security managers have a variety of tools at their disposal -- firewalls, Intrusion Detection Systems (IDSs), encryption, authentication, and other hardware and software solutions to combat computer crime. Many IDS variants exist which allow security managers and engineers to identify attack network packets primarily through the use of signature detection; i.e., the IDS recognizes attack packets due to their well-known "fingerprints" or signatures as those packets cross the network's gateway threshold. On the other hand, anomaly-based ID systems determine what is normal traffic within a network and reports abnormal traffic behavior. This paper will describe a methodology towards developing a more-robust Intrusion Detection System through the use of data-mining techniques and anomaly detection. These data-mining techniques will dynamically model what a normal network should look like and reduce the false positive and false negative alarm rates in the process. We will use classification-tree techniques to accurately predict probable attack sessions. Overall, our goal is to model network traffic into network sessions and identify those network sessions that have a high-probability of being an attack and can be labeled as a "suspect session." Subsequently, we will use these techniques inclusive of signature detection methods, as they will be used in concert with known signatures and patterns in order to present a better model for detection and protection of networks and systems.

Data Mining

Intrusion Detection Systems

Anomaly Detection

Network Modeling

Categorical Data Analysis

Explainable Intrusion Detection Systems using white box techniques

Ables, Jesse

08 December 2023

Artificial Intelligence (AI) has found increasing application in various domains, revolutionizing problem-solving and data analysis. However, in decision-sensitive areas like Intrusion Detection Systems (IDS), trust and reliability are vital, posing challenges for traditional black box AI systems. These black box IDS, while accurate, lack transparency, making it difficult to understand the reasons behind their decisions. This dissertation explores the concept of eXplainable Intrusion Detection Systems (X-IDS), addressing the issue of trust in X-IDS. It explores the limitations of common black box IDS and the complexities of explainability methods, leading to the fundamental question of trusting explanations generated by black box explainer modules. To address these challenges, this dissertation presents the concept of white box explanations, which are innately explainable. While white box algorithms are typically simpler and more interpretable, they often sacrifice accuracy. However, this work utilized white box Competitive Learning (CL), which can achieve competitive accuracy in comparison to black box IDS. We introduce Rule Extraction (RE) as another white box technique that can be applied to explain black box IDS. It involves training decision trees on the inputs, weights, and outputs of black box models, resulting in human-readable rulesets that serve as global model explanations. These white box techniques offer the benefits of accuracy and trustworthiness, which are challenging to achieve simultaneously. This work aims to address gaps in the existing literature, including the need for highly accurate white box IDS, a methodology for understanding explanations, small testing datasets, and comparisons between white box and black box models. To achieve these goals, the study employs CL and eclectic RE algorithms. CL models offer innate explainability and high accuracy in IDS applications, while eclectic RE enhances trustworthiness. The contributions of this dissertation include a novel X-IDS architecture featuring Self-Organizing Map (SOM) models that adhere to DARPA’s guidelines for explainable systems, an extended X-IDS architecture incorporating three CL-based algorithms, and a hybrid X-IDS architecture combining a Deep Neural Network (DNN) predictor with a white box eclectic RE explainer. These architectures create more explainable, trustworthy, and accurate X-IDS systems, paving the way for enhanced AI solutions in decision-sensitive domains.

Intrusion Detection

Artificial Intelligence

Explainable Artificial Intelligence

Explainabile Intrusion Detection Systems

Competitive Learning

Rule Extraction

A Trusted Environment for MPI Programs

Florez-Larrahondo, German

13 December 2002

Several algorithms have been proposed to implement intrusion detection systems (IDS) based on the idea that anomalies in the behavior of a system might be produced by a set of actions of an intruder or by a system fault. Almost no previous research has been conducted in the area of anomaly detection for high performance clusters. The research reported in this thesis demonstrates that the analysis of sequences of function calls issued by one or more processes can be used to verify the correct execution of parallel programs written in C/C++ with the Message Passing Interface (MPI) in a cluster of Linux workstations. The functions calls were collected via library interposition. Two anomaly detection algorithms previously reported to be effective methods for anomaly detection in sequences of system calls, Hidden Markov Model and sequence matching, were implemented and tested. In general, the simpler sequence matching algorithm out-performed the Hidden Markov Model.

process behavior

parallel programs

artificial intelligence

intrusion detection systems

computer security

Immune Based Event-Incident Model for Intrusion Detection Systems: A Nature Inspired Approach to Secure Computing

Vasudevan, Swetha

26 June 2007

No description available.

Computer Science

Intrusion Detection Systems

Immune System

Immune Detectors

Intrusion Detection Squad

Multi-Agent System

Performance Evaluation Study of Intrusion Detection Systems.

Alhomoud, Adeeb M., Munir, Rashid, Pagna Disso, Jules F., Al-Dhelaan, A., Awan, Irfan U.

2011 August 1917

With the thriving technology and the great increase in the usage of computer networks, the risk of having these network to be under attacks have been increased. Number of techniques have been created and designed to help in detecting and/or preventing such attacks. One common technique is the use of Network Intrusion Detection / Prevention Systems NIDS. Today, number of open sources and commercial Intrusion Detection Systems are available to match enterprises requirements but the performance of these Intrusion Detection Systems is still the main concern. In this paper, we have tested and analyzed the performance of the well know IDS system Snort and the new coming IDS system Suricata. Both Snort and Suricata were implemented on three different platforms (ESXi virtual server, Linux 2.6 and FreeBSD) to simulate a real environment. Finally, in our results and analysis a comparison of the performance of the two IDS systems is provided along with some recommendations as to what and when will be the ideal environment for Snort and Suricata.

Attacks

; Intrusion Detection Systems (IDS)

; Traffic

; Performance evaluation

; Packet drops

; Suricata

; Snort

; Alerts

; Network security

Using metrics from multiple layers to detect attacks in wireless networks

Aparicio-Navarro, Francisco J.

January 2014

The IEEE 802.11 networks are vulnerable to numerous wireless-specific attacks. Attackers can implement MAC address spoofing techniques to launch these attacks, while masquerading themselves behind a false MAC address. The implementation of Intrusion Detection Systems has become fundamental in the development of security infrastructures for wireless networks. This thesis proposes the designing a novel security system that makes use of metrics from multiple layers of observation to produce a collective decision on whether an attack is taking place. The Dempster-Shafer Theory of Evidence is the data fusion technique used to combine the evidences from the different layers. A novel, unsupervised and self- adaptive Basic Probability Assignment (BPA) approach able to automatically adapt its beliefs assignment to the current characteristics of the wireless network is proposed. This BPA approach is composed of three different and independent statistical techniques, which are capable to identify the presence of attacks in real time. Despite the lightweight processing requirements, the proposed security system produces outstanding detection results, generating high intrusion detection accuracy and very low number of false alarms. A thorough description of the generated results, for all the considered datasets is presented in this thesis. The effectiveness of the proposed system is evaluated using different types of injection attacks. Regarding one of these attacks, to the best of the author knowledge, the security system presented in this thesis is the first one able to efficiently identify the Airpwn attack.

621.382

Um modelo dinâmico de clusterização de dados aplicado na detecção de intrusão

Furukawa, Rogério Akiyoshi

25 April 2003

Atualmente, a segurança computacional vem se tornando cada vez mais necessária devido ao grande crescimento das estatísticas que relatam os crimes computacionais. Uma das ferramentas utilizadas para aumentar o nível de segurança é conhecida como Sistemas de Detecção de Intrusão (SDI). A flexibilidade e usabilidade destes sistemas têm contribuído, consideravelmente, para o aumento da proteção dos ambientes computacionais. Como grande parte das intrusões seguem padrões bem definidos de comportamento em uma rede de computadores, as técnicas de classificação e clusterização de dados tendem a ser muito apropriadas para a obtenção de uma forma eficaz de resolver este tipo de problema. Neste trabalho será apresentado um modelo dinâmico de clusterização baseado em um mecanismo de movimentação dos dados. Apesar de ser uma técnica de clusterização de dados aplicável a qualquer tipo de dados, neste trabalho, este modelo será utilizado para a detecção de intrusão. A técnica apresentada neste trabalho obteve resultados de clusterização comparáveis com técnicas tradicionais. Além disso, a técnica proposta possui algumas vantagens sobre as técnicas tradicionais investigadas, como realização de clusterizações multi-escala e não necessidade de determinação do número inicial de clusters / Nowadays, the computational security is becoming more and more necessary due to the large growth of the statistics that describe computer crimes. One of the tools used to increase the safety level is named Intrusion Detection Systems (IDS). The flexibility and usability of these systems have contributed, considerably, to increase the protection of computational environments. As large part of the intrusions follows behavior patterns very well defined in a computers network, techniques for data classification and clustering tend to be very appropriate to obtain an effective solutions to this problem. In this work, a dynamic clustering model based on a data movement mechanism are presented. In spite of a clustering technique applicable to any data type, in this work, this model will be applied to the detection intrusion. The technique presented in this work obtained clustering results comparable to those obtained by traditional techniques. Besides the proposed technique presents some advantages on the traditional techniques investigated, like multi-resolution clustering and no need to previously know the number of clusters

Análise dos componentes principais

Clusterização de dados

Data clustering

Intrusion detection systems

Principal analisys component

Sistemas de detecção de intrusão

UMA ONTOLOGIA DE APLICAÇÃO PARA APOIO À TOMADA DE DECISÕES EM SITUAÇÕES DE AMEAÇA À SEGURANÇA DA INFORMAÇÃO. / AN ONTOLOGY OF INFORMATION FOR DECISION SUPPORT IN SITUATIONS OF THREAT TO INFORMATION SECURITY.

SILVA, Rayane Meneses da

24 June 2015

Submitted by Maria Aparecida (cidazen@gmail.com) on 2017-08-31T14:44:32Z No. of bitstreams: 1 Rayane.pdf: 4026589 bytes, checksum: 7e6066416420555456030ab6db3a1231 (MD5) / Made available in DSpace on 2017-08-31T14:44:32Z (GMT). No. of bitstreams: 1 Rayane.pdf: 4026589 bytes, checksum: 7e6066416420555456030ab6db3a1231 (MD5) Previous issue date: 2015-06-24 / Many security mechanisms, such as Intrusion Detection Systems (IDSs) have been developed to approach the problem of information security attacks but most of them are traditional information systems in which their threats repositories are not represented semantically. Ontologies are knowledge representation structures that enable semantic processing of information and the construction of knowledge-based systems, which provide greater effectiveness compared to traditional systems. This paper proposes an application ontology called “Application Ontology for the Development of Case-based Intrusion Detection Systems” that formally represents the concepts related to information security domain of intrusion detection systems and “Case Based Reasoning”. The “Case Based Reasoning” is an approach for problem solving in which you can reuse the knowledge of past experiences to solve new problems. The evaluation of the ontology was performed by the development of an Intrusion Detection System that can detect attacks on computer networks and recommend solutions to these attacks. The ontology was specified using the “Ontology Web Language” and the Protégé ontology editor and. It was also mapped to a cases base in Prolog using the “Thea” tool. The results have shown that the developed Intrusion Detection System presented a good effectiveness in detecting attacks that the proposed ontology conceptualizes adequately the domain concepts and tasks. / Muitos mecanismos de segurança, como os Sistemas de Detecção de Intrusão têm sido desenvolvidos para abordar o problema de ataques à Segurança da Informação. Porém, a maioria deles são sistemas de informação tradicionais nos quais seus repositórios de ameaças não são representados semanticamente. As ontologias são estruturas de representação do conhecimento que permitem o processamento semântico das informações bem como a construção dos sistemas baseados em conhecimento, os quais fornecem uma maior efetividade em relação aos sistemas tradicionais. Neste trabalho propõe-se uma ontologia de aplicação denominada “Application Ontology for the Development of Case-based Intrusion Detection Systems” que representa formalmente os conceitos relacionados ao domínio de Segurança da Informação, dos sistemas de detecção de intrusão e do “Case-Based Reasoning”. O “Case-Based Reasoning” é uma abordagem para resolução de problemas nos quais é possível reutilizar conhecimentos de experiências passadas para resolver novos problemas. A avaliação da ontologia foi realizada por meio do desenvolvimento de um Sistema de Detecção de Intrusão que permite detectar ataques a redes de computadores e recomendar soluções a esses ataques. A ontologia foi especificada na linguagem “Ontology Web Language” utilizando o editor de ontologias Protegé e, logo após, mapeada a uma base de casos em Prolog utilizando o ferramenta “Thea”. Os resultados mostraram que o Sistema de Detecção de Intrusão desenvolvido apresentou boa efetividade na detecção de ataques e portanto, conclui-se que a ontologia proposta conceitualiza de forma adequada os conceitos de domínio e tarefa abordados.

Sistemas de Informação