Classificação de anomalias e redução de falsos positivos em sistemas de detecção de intrusão baseados em rede utilizando métodos de agrupamento / Anomalies classification and false positives reduction in network intrusion detection systems using clustering methods

Ferreira, Vinícius Oliveira [UNESP]

27 April 2016

Submitted by VINÍCIUS OLIVEIRA FERREIRA null (viniciusoliveira@acmesecurity.org) on 2016-05-18T20:29:41Z No. of bitstreams: 1 Dissertação-mestrado-vinicius-oliveira-biblioteca-final.pdf: 1594758 bytes, checksum: 0dbb0d2dd3fca3ed2b402b19b73006e7 (MD5) / Approved for entry into archive by Ana Paula Grisoto (grisotoana@reitoria.unesp.br) on 2016-05-20T16:27:30Z (GMT) No. of bitstreams: 1 ferreira_vo_me_sjrp.pdf: 1594758 bytes, checksum: 0dbb0d2dd3fca3ed2b402b19b73006e7 (MD5) / Made available in DSpace on 2016-05-20T16:27:30Z (GMT). No. of bitstreams: 1 ferreira_vo_me_sjrp.pdf: 1594758 bytes, checksum: 0dbb0d2dd3fca3ed2b402b19b73006e7 (MD5) Previous issue date: 2016-04-27 / Coordenação de Aperfeiçoamento de Pessoal de Nível Superior (CAPES) / Os Sistemas de Detecção de Intrusão baseados em rede (NIDS) são tradicionalmente divididos em dois tipos de acordo com os métodos de detecção que empregam, a saber: (i) detecção por abuso e (ii) detecção por anomalia. Aqueles que funcionam a partir da detecção de anomalias têm como principal vantagem a capacidade de detectar novos ataques, no entanto, é possível elencar algumas dificuldades com o uso desta metodologia. Na detecção por anomalia, a análise das anomalias detectadas pode se tornar dispendiosa, uma vez que estas geralmente não apresentam informações claras sobre os eventos maliciosos que representam; ainda, NIDSs que se utilizam desta metodologia sofrem com a detecção de altas taxas de falsos positivos. Neste contexto, este trabalho apresenta um modelo para a classificação automatizada das anomalias detectadas por um NIDS. O principal objetivo é a classificação das anomalias detectadas em classes conhecidas de ataques. Com essa classificação pretende-se, além da clara identificação das anomalias, a identificação dos falsos positivos detectados erroneamente pelos NIDSs. Portanto, ao abordar os principais problemas envolvendo a detecção por anomalias, espera-se equipar os analistas de segurança com melhores recursos para suas análises. / Network Intrusion Detection Systems (NIDS) are traditionally divided into two types according to the detection methods they employ, namely (i) misuse detection and (ii) anomaly detection. The main advantage in anomaly detection is its ability to detect new attacks. However, this methodology has some downsides. In anomaly detection, the analysis of the detected anomalies is expensive, since they often have no clear information about the malicious events they represent; also, it suffers with high amounts of false positives detected. In this context, this work presents a model for automated classification of anomalies detected by an anomaly based NIDS. Our main goal is the classification of the detected anomalies in well-known classes of attacks. By these means, we intend the clear identification of anomalies as well as the identification of false positives erroneously detected by NIDSs. Therefore, by addressing the key issues surrounding anomaly based detection, our main goal is to equip security analysts with best resources for their analyses.

Classificação de anomalias

Métodos de agrupamento

Redução de falsos positivos

Anomalies classification

Clustering methods

Network intrusion detection systems

False positives reduction

An agent-based Bayesian method for network intrusion detection

Pikoulas, John

January 2003

Security is one of the major issues in any network and on the Internet. It encapsulates many different areas, such as protecting individual users against intruders, protecting corporate systems against damage, and protecting data from intrusion. It is obviously impossible to make a network totally secure, as there are so many areas that must be protected. This thesis includes an evaluation of current techniques for internal misuse of computer systems, and tries to propose a new way of dealing with this problem. This thesis proposes that it is impossible to fully protect a computer network from intrusion, and shows how different methods are applied at differing levels of the OSI model. Most systems are now protected at the network and transport layer, with systems such as firewalls and secure sockets. A weakness, though, exists in the session layer that is responsible for user logon and their associated password. It is thus important for any highly secure system to be able to continually monitor a user, even after they have successfully logged into the system. This is because once an intruder has successfully logged into a system, they can use it as a stepping-stone to gain full access (often right up to the system administrator level). This type of login identifies another weakness of current intrusion detection systems, in that they are mainly focused on detecting external intrusion, whereas a great deal of research identifies that one of the main problems is from internal intruders, and from staff within an organisation. Fraudulent activities can often he identified by changes in user behaviour. While this type of behaviour monitoring might not be suited to most networks, it could be applied to high secure installations, such as in government, and military organisations. Computer networks are now one of the most rapidly changing and vulnerable systems, where security is now a major issue. A dynamic approach, with the capacity to deal with and adapt to abrupt changes, and be simple, will provide an effective modelling toolkit. Analysts must be able to understand how it works and be able to apply it without the aid of an expert. Such models do exist in the statistical world, and it is the purpose of this thesis to introduce them and to explain their basic notions and structure. One weakness identified is the centralisation and complex implementation of intrusion detection. The thesis proposes an agent-based approach to monitor the user behaviour of each user. It also proposes that many intrusion detection systems cannot cope with new types of intrusion. It thus applies Bayesian statistics to evaluate user behaviour, and predict the future behaviour of the user. The model developed is a unique application of Bayesian statistics, and the results show that it can improve future behaviour prediction than existing ARIMA models. The thesis argues that the accuracy of long-term forecasting questionable, especially in systems that have a rapid and often unexpected evolution and behaviour. Many of the existing models for prediction use long-term forecasting, which may not be the optimal type for intrusion detection systems. The experiments conducted have varied the number of users and the time interval used for monitoring user behaviour. These results have been compared with ARIMA, and an increased accuracy has been observed. The thesis also shows that the new model can better predict changes in user behaviour, which is a key factor in identifying intrusion detection. The thesis concludes with recommendations for future work, including how the statistical model could be improved. This includes research into changing the specification of the design vector for Bayesian. Another interesting area is the integration of standard agent communication agents, which will make the security agents more social in their approach and be able to gather information from other agents

005.8

AGENTES INTELIGENTES PARA DETECÇÃO DE INTRUSOS EM REDES DE COMPUTADORES / AGENTS FOR INTELLIGENT DETECTION OF INTRUSOS IN NETWORKS COMPUTERS

Lima, Christiane Ferreira Lemos

10 May 2002

Made available in DSpace on 2016-08-17T14:52:45Z (GMT). No. of bitstreams: 1 Cristiane Lima.pdf: 1837914 bytes, checksum: acce166dfcbb2c425c7249c9bd06c29d (MD5) Previous issue date: 2002-05-10 / Recently, the interest for advanced techniques for network intrusion detection have been increased for protecting important information in computational environment. This research work presents a proposal of a new network intrusion detection system based on a society of intelligent agents whose reasoning are aupported by neural network paradigms, named NIDIA (Network Intrusion Detection System based on Intelligent Agents). A computational implementation has been carried out for the network and host sensors for dealing with task of capturing packets related to suspicious connections or abnormal behaviors within critical hosts. / Técnicas avançadas de detecção de intrusos em redes de computadores tornam-se cada vez mais importantes para prevenir abusos e proteger informações no ambiente. Esta dissertação apresenta uma proposta de um sistema de detecção de intrusos em redes de computadores, baseado na noção de sociedade de agentes inteligentes e redes neurais, denominado NIDIA. Uma implementação computacional é feita dos agentes sensores de rede e de host para realizar a tarefa de captura de pacotes associados às conexões suspeitas ou comportamentos anormais em servidores críticos.

detecção de intrusos

segurança de redes de computadores

sistemas multiagentes

redes neurais

network intrusion detection

network security

multi-agents systems

neural networks

Pattern Synthesis Techniques And Compact Data Representation Schemes For Efficient Nearest Neighbor Classification

Pulabaigari, Viswanath

01 1900

No description available.

Nearest Neighbor Classification

Pattern Synthesis

Partition Pattern Synthesis

Ovelap Based Pattern Synthesis

Network Intrusion Detection

Data Representation

NN Classification

NN Classifier

Synthetic Patterns

Nearest Neighbor Classifier

Computer Science

Generating Datasets Through the Introduction of an Attack Agent in a SCADA Testbed : A methodology of creating datasets for intrusion detection research in a SCADA system using IEC-60870-5-104

Fundin, August

January 2021

No description available.

SCADA

IEC-60870-5-104

IEC-104

Network Intrusion Detection

Grid

Dataset generation

Computer Engineering

Datorteknik

Other Computer and Information Science

Annan data- och informationsvetenskap

Comparing Anomaly-Based Network Intrusion Detection Approaches Under Practical Aspects

Helmrich, Daniel

07 July 2021

While many of the currently used network intrusion detection systems (NIDS) employ signature-based approaches, there is an increasing research interest in the examination of anomaly-based detection methods, which seem to be more suited for recognizing zero-day attacks. Nevertheless, requirements for their practical deployment, as well as objective and reproducible evaluation methods, are hereby often neglected. The following thesis defines aspects that are crucial for a practical evaluation of anomaly-based NIDS, such as the focus on modern attack types, the restriction to one-class classification methods, the exclusion of known attacks from the training phase, a low false detection rate, and consideration of the runtime efficiency. Based on those principles, a framework dedicated to developing, testing and evaluating models for the detection of network anomalies is proposed. It is applied to two datasets featuring modern traffic, namely the UNSW-NB15 and the CIC-IDS-2017 datasets, in order to compare and evaluate commonly-used network intrusion detection methods. The implemented approaches include, among others, a highly configurable network flow generator, a payload analyser, a one-hot encoder, a one-class support vector machine, and an autoencoder. The results show a significant difference between the two chosen datasets: While for the UNSW-NB15 dataset several reasonably well performing model combinations for both the autoencoder and the one-class SVM can be found, most of them yield unsatisfying results when the CIC-IDS-2017 dataset is used. / Obwohl viele der derzeit genutzten Systeme zur Erkennung von Netzwerkangriffen (engl. NIDS) signaturbasierte Ansätze verwenden, gibt es ein wachsendes Forschungsinteresse an der Untersuchung von anomaliebasierten Erkennungsmethoden, welche zur Identifikation von Zero-Day-Angriffen geeigneter erscheinen. Gleichwohl werden hierbei Bedingungen für deren praktischen Einsatz oft vernachlässigt, ebenso wie objektive und reproduzierbare Evaluationsmethoden. Die folgende Arbeit definiert Aspekte, die für eine praxisorientierte Evaluation unabdingbar sind. Dazu zählen ein Schwerpunkt auf modernen Angriffstypen, die Beschränkung auf One-Class Classification Methoden, der Ausschluss von bereits bekannten Angriffen aus dem Trainingsdatensatz, niedrige Falscherkennungsraten sowie die Berücksichtigung der Laufzeiteffizienz. Basierend auf diesen Prinzipien wird ein Rahmenkonzept vorgeschlagen, das für das Entwickeln, Testen und Evaluieren von Modellen zur Erkennung von Netzwerkanomalien bestimmt ist. Dieses wird auf zwei Datensätze mit modernem Netzwerkverkehr, namentlich auf den UNSW-NB15 und den CIC-IDS- 2017 Datensatz, angewendet, um häufig genutzte NIDS-Methoden zu vergleichen und zu evaluieren. Die für diese Arbeit implementierten Ansätze beinhalten, neben anderen, einen weit konfigurierbaren Netzwerkflussgenerator, einen Nutzdatenanalysierer, einen One-Hot-Encoder, eine One-Class Support Vector Machine sowie einen Autoencoder. Die Resultate zeigen einen großen Unterschied zwischen den beiden ausgewählten Datensätzen: Während für den UNSW-NB15 Datensatz verschiedene angemessen gut funktionierende Modellkombinationen, sowohl für den Autoencoder als auch für die One-Class SVM, gefunden werden können, bringen diese für den CIC-IDS-2017 Datensatz meist unbefriedigende Ergebnisse.

info:eu-repo/classification/ddc/000

ddc:000

A framework for correlation and aggregation of security alerts in communication networks. A reasoning correlation and aggregation approach to detect multi-stage attack scenarios using elementary alerts generated by Network Intrusion Detection Systems (NIDS) for a global security perspective.

Alserhani, Faeiz

January 2011

The tremendous increase in usage and complexity of modern communication and network systems connected to the Internet, places demands upon security management to protect organisations¿ sensitive data and resources from malicious intrusion. Malicious attacks by intruders and hackers exploit flaws and weakness points in deployed systems through several sophisticated techniques that cannot be prevented by traditional measures, such as user authentication, access controls and firewalls. Consequently, automated detection and timely response systems are urgently needed to detect abnormal activities by monitoring network traffic and system events. Network Intrusion Detection Systems (NIDS) and Network Intrusion Prevention Systems (NIPS) are technologies that inspect traffic and diagnose system behaviour to provide improved attack protection. The current implementation of intrusion detection systems (commercial and open-source) lacks the scalability to support the massive increase in network speed, the emergence of new protocols and services. Multi-giga networks have become a standard installation posing the NIDS to be susceptible to resource exhaustion attacks. The research focuses on two distinct problems for the NIDS: missing alerts due to packet loss as a result of NIDS performance limitations; and the huge volumes of generated alerts by the NIDS overwhelming the security analyst which makes event observation tedious. A methodology for analysing alerts using a proposed framework for alert correlation has been presented to provide the security operator with a global view of the security perspective. Missed alerts are recovered implicitly using a contextual technique to detect multi-stage attack scenarios. This is based on the assumption that the most serious intrusions consist of relevant steps that temporally ordered. The pre- and post- condition approach is used to identify the logical relations among low level alerts. The alerts are aggregated, verified using vulnerability modelling, and correlated to construct multi-stage attacks. A number of algorithms have been proposed in this research to support the functionality of our framework including: alert correlation, alert aggregation and graph reduction. These algorithms have been implemented in a tool called Multi-stage Attack Recognition System (MARS) consisting of a collection of integrated components. The system has been evaluated using a series of experiments and using different data sets i.e. publicly available datasets and data sets collected using real-life experiments. The results show that our approach can effectively detect multi-stage attacks. The false positive rates are reduced due to implementation of the vulnerability and target host information.

Communication networks

Security alerts

Multi-stage attack scenarios

Internet

Security management

Cyber sécurité des systèmes industriels pour les smart-grids : détection d'intrusion dans les réseaux de communication IEC 61850 / Cyber security of smart-grid control systems : intrusion detection in IEC 61850 communication networks

Kabir-Querrec, Maëlle

28 June 2017

Les systèmes de contrôle et d'automatisation industriels (IACS - Industrial Control and Automation Systems) reposent largement et de plus en plus sur les Technologies de l'Information et de la Communication. A l'origine, les IACS utilisaient des protocoles propriétaires sur des réseaux fermés, assurant ainsi une sécurité par obscurité et isolement. Mais les technologies et les usages ont évolué et cette sécurité intrinsèque n'existe plus désormais. Cette évolution concerne entre autre le domaine électrique : le réseau électrique devenant le "smart grid".Le standard IEC 61850 est un pilier pour le développement du smart grid. Il a pour objectif de rendre possible l'interopérabilité dans les "Systèmes et réseaux de communication pour l'automatisation des services de distribution d'énergie". Pour cela, la norme définit un modèle de données commun ainsi qu'une pile de protocoles répondant à divers besoins de communication.Le standard IEC 61850 n'aborde pas la question de la cyber sécurité malgré une prise de conscience générale qu'un risque cyber pèse sur les IACS.Ces travaux de recherche proposent de répondre à cette question de la cyber sécurité par de la détection d'intrusion dans les réseaux IEC 61850, et plus précisément dans les communications temps-réel GOOSE. L'idée est d'exploiter au maximum les sources d'informations que sont les spécifications du protocole et la configuration du système pour développer un système de détection d'intrusion réseau (NIDS - Network Intrusion Detection System) sur mesure. Cette approche comportementale déterministe est un gage de précision de détection.Ce manuscrit compte quatre chapitres. Les deux premiers consistent en un état de l'art détaillé sur les NIDS pour les IACS d'une part, et l'analyse du risque cyber d'autre part. Les deux autres chapitres présentent les contributions proprement dites de ces travaux de thèse. Le chapitre 3 explore tout d'abord le risque cyber pesant sur un poste électrique et pouvant compromettre la sûreté de fonctionnement du système. Dans un deuxième temps, est proposée une extension du modèle de données IEC 61850 dédiées à la détection d'intrusion dans les communication GOOSE. Le chapitre 4 commence avec la démonstration expérimentale de la faisabilité d'une attaque de type injection de données sur le protocole GOOSE, puis explique comment utiliser les fichiers de configuration du système pour spécifier les règles de détection. Un analyseur syntaxique pour le protocole GOOSE a été intégré à l'analyseur de trafic open source Bro, permettant l'implémentation d'un algorithme de détection. / Information and Communication Technologies have been pervading Industrial Automation and Control Systems (IACS) for a few decades now. Initially, IACS ran proprietary protocols on closed networks, thus ensuring some level of security through obscurity and isolation. Technologies and usages have evolved and today this intrinsic security does not exist any longer, though. This transition is in progress in the electricity domain, the power infrastructure turning into the "smart grid".The IEC 61850 standard is key to the smart grid development. It is aimed at making interoperability possible in ``Communication networks and systems for power utility automation''. It thus defines a common data object model and a stack of protocols answering different purposes.Although the cyber risk in IACS is now widely acknowledged, IEC 61850 does not address cyber security in any way whatsoever.This work tackles the question of cyber security through network intrusion detection in IEC 61850 networks, and more specifically in real-time GOOSE communications. The idea is to get the most out of the protocol specifications and system configuration while developing a tailored NIDS. This enables detection accuracy.

IEC 61850

Détection d'intrusion réseau - NIDS

Systèmes de contrôle industriel - ICS

Cyber sécurité

Protocole GOOSE

Smart grid

IEC 61850

Network intrusion detection - NIDS

Industrial control system - ICS

Cyber security

GOOSE protocol

Smart grid

620

A SOM+ Diagnostic System for Network Intrusion Detection

Langin, Chester Louis

01 August 2011

This research created a new theoretical Soft Computing (SC) hybridized network intrusion detection diagnostic system including complex hybridization of a 3D full color Self-Organizing Map (SOM), Artificial Immune System Danger Theory (AISDT), and a Fuzzy Inference System (FIS). This SOM+ diagnostic archetype includes newly defined intrusion types to facilitate diagnostic analysis, a descriptive computational model, and an Invisible Mobile Network Bridge (IMNB) to collect data, while maintaining compatibility with traditional packet analysis. This system is modular, multitaskable, scalable, intuitive, adaptable to quickly changing scenarios, and uses relatively few resources.

3D Full-Color Self-Organizing Map (SOM)

Complex Hybridized Soft Computing (SC)

Information Security Diagnostic System

Network Intrusion Detection Types

Mitteilungen des URZ 2/2004

Heide,, Richter,, Riedel,, Schier,, Kratzert,, Ziegler,

10 May 2004

Informationen des Universitätsrechenzentrums

Campusnetz

Computerpools

Zeichenkodierung

DINI Recherche

Linux Fedora Core 1

MONARCH

Mail-Würmer

PHP-Programmierung

sichere

Swish-E

ddc:050

ddc:004

Unicode

Windows XP

Zertifizierung

Sicherheit