61. An Artificial Immune System Approach to Preserving Security in Computer Networks. Ranang, Martin Thorsen, January 2002
It is believed that many of the mechanisms present in the biological immune system are well suited for adoption in the field of computer intrusion detection, in the form of artificial immune systems. In this report, mechanisms in the biological immune system are introduced, their parallels in artificial immune systems are presented, and how they may be applied to intrusion detection in a computer environment is discussed. An artificial immune system is designed, implemented and applied to detect intrusive behavior in real network data in a simulated network environment. The effect of costimulation and clonal proliferation combined with somatic hypermutation to perform affinity maturation of detectors in the artificial immune system is explored through experiments. An exact expression for the probability of a match between two randomly chosen strings using the r-contiguous matching rule is developed. The use of affinity maturation makes it possible to perform anomaly detection using smaller sets of detectors with a high level of specificity while maintaining a high level of coverage and diversity, which increases the number of true positives while keeping the number of false negatives low.

62. Detection of covert channel communications based on intentionally corrupted frame check sequences. Najafizadeh, Ali, 1 July 2011
This thesis presents the establishment of a covert channel in wireless networks in the form of frames with intentionally corrupted Frame Check Sequences (FCSs). Previous work has alluded to the possibility of using this kind of covert channel as an attack vector. We modify a simulation tool, called Sinalgo, which is used as a test bed for generating hypothetical scenarios for establishing a covert channel. Single- and multi-agent systems have been proposed as behaviour-based intrusion detection mechanisms that utilize statistical information about network traffic. This statistical information is used to detect covert-channel communications. This work highlights the potential impact of having this attack perpetrated in communications equipment with a low chance of being detected, if properly crafted.

63. A Fuzzy-logic based Alert Prioritization Engine for IDSs: Architecture and Configuration. Alsubhi, Khalid, January 2008
Intrusion Detection Systems (IDSs) are designed to monitor a networked environment and generate alerts whenever abnormal activities are detected. The number of these alerts can be very large, making their evaluation by security analysts a difficult task. Management is further complicated by the need to configure the different components of alert evaluation systems. In addition, IDS alert management techniques, such as clustering and correlation, suffer from involving unrelated alerts in their processes and consequently provide results that are inaccurate and difficult to manage. Thus, tuning an IDS alert management system to provide optimal results remains a major challenge, which is further complicated by the large spectrum of potential attacks the system can be subject to.
This thesis considers the specification and configuration issues of FuzMet, a novel IDS alert management system which employs several metrics and a fuzzy-logic based approach for scoring and prioritizing alerts. In addition, it features an alert rescoring technique that leads to a further reduction of the number of alerts. We study the impact of different configurations of the proposed metrics on the accuracy and completeness of the alert scores generated by FuzMet. Our approach is validated using the 2000 DARPA intrusion detection scenario-specific datasets, and comparative results between the Snort IDS alert scoring and the FuzMet alert prioritization scheme are presented. A considerable number of simulations were conducted in order to determine the optimal configuration of FuzMet, with selected simulation results presented and analyzed.

64. An Analysis and Comparison of The Security Features of Firewalls and IDSs. Sulaman, Sardar Muhammad, January 2011
In the last few years we have observed a significant increase in the usage of computing devices and their capabilities to communicate with each other. With the increase in usage and communication capabilities, a higher level of network security is also required. Today the main devices used for network security are firewalls and IDS/IPS, which provide perimeter defense. Both devices provide many overlapping security features, but they have different aims and different protection potential, and need to be used together. A firewall is an active device that implements ACLs and restricts unauthorized access to protected resources. An IDS only provides information for further necessary actions, not necessarily perimeter related, but some of these needed actions can be automated, such as automatic blocking in the firewall of attacking sites, which creates an IPS. This thesis report analyzes some common firewall and IDS products, and describes their security features, functionalities, and limitations in detail. It also contains a comparison of the security features of both devices. The firewall and IDS perform different functions for network security, so they should be used in a layered defense architecture. Passwords, firewalls, IDSs/IPSs and physical security together provide a layered defense and complement each other. The firewall and IDS alone cannot offer sufficient protection against network attacks, and they should be used together to enhance the defense-in-depth or layered approach.

66. A Probabilistic-Based Framework for INFOSEC Alert Correlation. Qin, Xinzhou, 15 July 2005
Deploying a large number of information security (INFOSEC) systems can provide in-depth protection for systems and networks. However, the sheer number of security alerts output by security sensors can prevent security analysts from performing effective analysis and responding in a timely manner. Therefore, alert correlation is the core component in a security management system.
Most existing alert correlation techniques depend on a priori and hard-coded domain knowledge, which limits their ability to detect new attack strategies. These approaches also focus more on the aggregation and analysis of raw security alerts, and build basic or low-level attack scenarios.
This thesis focuses on discovering novel attack strategies through the analysis of security alerts. Our framework helps security administrators aggregate redundant alerts, intelligently correlate security alerts, analyze attack strategies, and take appropriate actions against forthcoming attacks.
In alert correlation, we have developed an integrated correlation system with three complementary correlation mechanisms. We have developed a probabilistic-based correlation engine that incorporates domain knowledge to correlate alerts that have a direct causal relationship. We have developed statistical analysis-based and temporal analysis-based correlation engines to discover attack transition patterns in which attack steps do not have a direct causal relationship in terms of security and performance measures but exhibit statistical and temporal patterns. We construct attack scenarios and conduct attack path analysis based on the correlation results. Security analysts are presented with aggregated information on attack strategies from the integrated correlation system.
In attack plan recognition, we address the challenges of identifying attackers' high-level strategies and intentions as well as predicting upcoming attacks. We apply graph-based techniques to correlate isolated attack scenarios derived from low-level alert correlation based on their relationship in attack plans. We conduct probabilistic inference to evaluate the likelihood of attack goal(s) and predict potential upcoming attacks based on observed attack activities.
We evaluate our algorithms using DARPA's Grand Challenge Problem (GCP) data sets and live traffic data collected from our backbone network. The results show that our approach can effectively discover novel attack strategies, provide a quantitative analysis of attack scenarios and identify attack plans.

67. Towards Self-Healing Systems: Re-establishing Trust in Compromised Systems. Grizzard, Julian B., 10 April 2006
Computer systems are subject to a range of attacks that can compromise their intended operations. Conventional wisdom states that once a system has been compromised, the only way to recover is to format and reinstall. In this work, we present methods to automatically recover or self-heal from a compromise. We term the system an intrusion recovery system. The design consists of a layered architecture in which the production system and intrusion recovery system run in separate isolated virtual machines. The intrusion recovery system monitors the integrity of the production system and repairs state if a compromise is detected. A method is introduced to track the dynamic control flow graph of the production system guest kernel. A prototype of the system was built and tested against a suite of rootkit attacks. The system was able to recover from all attacks at a cost of about a 30% performance penalty.

68. NIDS im Campusnetz (NIDS in the Campus Network). Schier, Thomas, 4 May 2004
Workshop "Netz- und Service-Infrastrukturen" (Network and Service Infrastructures)
This contribution to the workshop "Netz- und Service-Infrastrukturen" deals with setting up a Network Intrusion Detection System in the campus network.

69. Telemetry Network Intrusion Detection Test Bed. Moten, Daryl; Moazzami, Farhad, 10 1900
ITC/USA 2013 Conference Proceedings / The Forty-Ninth Annual International Telemetering Conference and Technical Exhibition / October 21-24, 2013 / Bally's Hotel & Convention Center, Las Vegas, NV
The transition of telemetry from link-based to network-based architectures opens these systems to new security risks. Tools such as intrusion detection systems and vulnerability scanners will be required for emerging telemetry networks. Intrusion detection systems protect networks against attacks that occur once the network boundary has been breached. An intrusion detection model was developed in the Wireless Networking and Security lab at Morgan State University. The model depends on network traffic being filtered into traffic streams. The streams are then reduced to vectors. The current state of the network can be determined using Viterbi analysis of the stream vectors. Viterbi analysis uses the output of the Hidden Markov Model to find the current state of the network. The state information describes the probability of the network being in predefined normal or attack states based on training data. This output can be sent to a network administrator depending on threshold levels. In this project, a penetration-testing tool called Metasploit was used to launch attacks against systems in an isolated test bed. The network traffic generated during an attack was analyzed for use in the MSU intrusion detection model.

70. Intrusion and Fraud Detection using Multiple Machine Learning Algorithms. Peters, Chad, 22 August 2013
New methods of attacking networks are being invented at an alarming rate, and pure signature detection cannot keep up. The ability of intrusion detection systems to generalize to new attacks based on behavior is of increasing value. Machine learning algorithms have been successfully applied to intrusion and fraud detection; however, the time and accuracy tradeoffs between algorithms are not always considered when faced with such a broad range of choices. This thesis explores the time and accuracy metrics of a wide variety of machine learning algorithms, using a purpose-built supervised learning dataset. Topics covered include dataset dimensionality reduction through pre-processing techniques, training and testing times, classification accuracy, and performance tradeoffs. Further, ensemble learning and meta-classification are used to explore combinations of the algorithms and derived data sets, to examine the effects of homogeneous and heterogeneous aggregations. The results of this research are presented with observations and guidelines for choosing learning schemes in this domain.