http://dtstc.ugr.es/~jedv/descargas/2009_CoSe09-Anomaly-based-network-intrusion-detection-Techniques,-systems-and-challenges.pdf

Anomaly-based network intrusion detection: Techniques, systems and challenges

This survey paper describes a focused literature survey of machine learning (ML) and data mining (DM) methods for cyber analytics in support of intrusion detection. Short tutorial descriptions of each ML/DM method are provided. Based on the number of citations or the relevance of an emerging method, papers representing each method were identified, read, and summarized. Because data are so important in ML/DM approaches, some well-known cyber data sets used in ML/DM are described. The complexity of ML/DM algorithms is addressed, discussion of challenges for using ML/DM for cyber security is presented, and some recommendations on when to use a given method are provided.

A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection

An overview of anomaly detection techniques: Existing solutions and latest technological trends

The Transmission Control Protocol.

Review: Intrusion detection system: A comprehensive review

In this work, a novel approach for the purpose of anomaly-based network intrusion detection at the application layer is presented. The problem of identifying anomalous payloads is addressed by using a technique based on the modelling of short sequences of adjoining bytes in the requests destined to a given service. Upon this theoretical framework, we propose an algorithm that assigns an anomaly score to each service request on the basis of its similarity with a previously established model of normality. The introduced approach has been evaluated by considering datasets composed of HTTP and DNS traffic. Thus, a large amount of attacks related with such services has been gathered, and detailed experimental results concerning the detection capability of the proposed system are shown. The experiments demonstrate that our approach yields a very high detection rate with a low level of false alarms.

/pdf/n3-a-geometrical-approach-for-network-intrusion-detection-at-3pksm5r2iu.pdf

N3: A Geometrical Approach for Network Intrusion Detection at the Application Layer

There is a growing interest in network traffic classification without accessing the packets payload. A main concern for network management is peer-to-peer (P2P) traffic identification. This can be performed at several levels, including packet level, flow level and node level. Most current traffic identification approaches rely on flow level identification, being highly demanding and time consuming procedures. This paper introduces a similarity-based method to pair flows up, which is aimed at reducing the cost of identifying P2P/non-P2P traffic flows. For that, different similarity measures for flows pairing are proposed and analyzed. Keywords-Traffic classification; peer-to-peer; k-Nearest Neighbors

/pdf/pair-wise-similarity-criteria-for-flows-identification-in-34puuzhujo.pdf

Pair-wise similarity criteria for flows identification in P2P/non-P2P traffic classification

En el presente trabajo se desarrollan tecnicas de agrupamiento de vectores de caracteristicas para su aplicacion en un sistema de deteccion de intrusiones en red propuesto por los autores. Este sistema, denominado de Vecino Normal mas Cercano (N3), proporciona unos excelentes resultados de deteccion, aunque adolece de un alto coste computacional para su aplicacion efectiva en entornos reales. En este trabajo se mostrara que, mediante la aplicacion de tecnicas de agrupamiento, es posible reducir significativamente la complejidad computacional del sistema, sin degradar los resultados de deteccion.

/pdf/aplicacion-de-tecnicas-de-agrupamiento-a-la-deteccion-de-1f4xrkpstn.pdf

Aplicación de técnicas de agrupamiento a la detección de intrusiones en red mediante N3

This paper introduces a response mechanism to improve the tolerance against security threats in MANET environments. The mechanism is started after detecting the existence of nodes with malicious behavior, and is based on the use of one or more mobile agents to improve the connectivity of the network. This way, in the event of the detection of a malicious node (e.g. a selfish node or a dropper node), an agent is employed to maximize the overall connectivity of the network. Every agent acts as a relaying node within the MANET and it is automatically positioned according to a particle swarm optimization (PSO) process. This paper represents a work in progress. However, the promising results obtained show the good suitability of the approach to improve the survivability of the network from a security perspective.

A Security Response Approach Based on the Deployment of Mobile Agents

This work introduces a novel Android monitoring app named AMon. It is aimed at collecting device related information from several sources: communications, /proc filesystem, applications and device usage. The information is dynamically gathered over time and its execution does not require to get special privileges or to be system root. In order to assess AMon capabilities, we have used it as the acquisition module of a subsequent security incident detection process. The results obtained show a good performance in terms of battery consumption, CPU and RAM usage, as well as overall system overhead. In order to contribute to the community, AMon is available at a public repository for free use and improvement.

Pedro García-Teodoro

Papers

N3: A Geometrical Approach for Network Intrusion Detection at the Application Layer

Pair-wise similarity criteria for flows identification in P2P/non-P2P traffic classification

Aplicación de técnicas de agrupamiento a la detección de intrusiones en red mediante N3

A Security Response Approach Based on the Deployment of Mobile Agents

AMon: A Monitoring Multidimensional Feature Application to Secure Android Environments