http://dtstc.ugr.es/~jedv/descargas/2009_CoSe09-Anomaly-based-network-intrusion-detection-Techniques,-systems-and-challenges.pdf

Anomaly-based network intrusion detection: Techniques, systems and challenges

This survey paper describes a focused literature survey of machine learning (ML) and data mining (DM) methods for cyber analytics in support of intrusion detection. Short tutorial descriptions of each ML/DM method are provided. Based on the number of citations or the relevance of an emerging method, papers representing each method were identified, read, and summarized. Because data are so important in ML/DM approaches, some well-known cyber data sets used in ML/DM are described. The complexity of ML/DM algorithms is addressed, discussion of challenges for using ML/DM for cyber security is presented, and some recommendations on when to use a given method are provided.

A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection

An overview of anomaly detection techniques: Existing solutions and latest technological trends

The Transmission Control Protocol.

Review: Intrusion detection system: A comprehensive review

Traffic identification is a relevant issue for network operators nowadays. As P2P services are often used as an attack vector, Internet Service Providers (ISPs) and network administrators are interested in modeling the traffic transported on their networks with behavior identification and classification purposes. In this paper, we present a stochastic detection approach, based on the use of Markov models, for classifying network traffic to trigger subsequent security related actions. The detection system works at flow level considering the packets as incoming observations, and is capable of analyze both plain and encrypted communications. After suggesting a general structure for modeling any network service, we apply it to eDonkey traffic classification as a case study.

Stochastic Traffic Identification for Security Management: eDonkey Protocol as a Case Study

Recent research exposes the vulnerability of current networked applications to a family of low-rate DoS attacks based on timing mechanisms. A kind of those attacks is targeted against iterative servers and employs an ON/OFF scheme to send attack packets during the chosen critical periods. The overall behaviour of the attack is well known and its effectiveness has been demonstrated in previous works. Nevertheless, it is possible to achieve a trade off between the performance of the attack and its detectability. This can be done by tuning some parameters of the attack waveform according to the needs of the attacker and the deployed detection mechanisms. In this paper, a mathematical model for the relationship among those parameters and their impact in the performance of the attack is evaluated. The main goal of the model is to provide a better understanding of the dynamics of the attack, which is explored through simulation. The results obtained point out the model as accurate, thus providing a framework feasible to be used to tune the attack.

/pdf/on-the-design-of-a-low-rate-dos-attack-against-iterative-4j0zzrj8mi.pdf

On the design of a low-rate dos attack against iterative servers

Web is a primary and essential service to share information among users and organizations at present all over the world. Despite the current significance of such a kind of traffic on the Internet, the so-called Surface Web traffic has been estimated in just about 5% of the total. The rest of the volume of this type of traffic corresponds to the portion of Web known as Deep Web. These contents are not accessible by search engines because they are authentication protected contents or pages that are only reachable through the well known as darknets. To browse through darknets websites special authorization or specific software and configurations are needed. Despite TOR is the most used darknet nowadays, there are other alternatives such as I2P or Freenet, which offer different features for end users. In this work, we perform an analysis of the connectivity of websites in the I2P network (named eepsites) aimed to discover if different patterns and relationships from those used in legacy web are followed in I2P, and also to get insights about its dimension and structure. For that, a novel tool is specifically developed by the authors and deployed on a distributed scenario. Main results conclude the decentralized nature of the I2P network, where there is a structural part of interconnected eepsites while other several nodes are isolated probably due to their intermittent presence in the network.

Unveiling the I2P web structure: a connectivity analysis

BitTorrent is nowadays the most common protocol to distribute contents through peer-to-peer networks. Because of its relevance, it is important to study and understand its behaviour and impact from several points of view, including those related to communication efficiency and security risks. In this paper, we analyse BitTorrent network focusing on the behaviour of shared resources. For that, we develop a monitoring methodology that allows to extract the time evolution of a sample of 1/256 of all the resources shared in the network. As a main difference with previous approaches, our methodology allows to monitor distributed hash table-based BitTorrent networks, that is, without considering trackers. We discuss the data obtained from a monitoring process carried out during 3 months, and as a result, we analyse the information of more than 70000 resources. This analysis is based on four features: geographic dispersion, popularity, sharing duration and availability. Finally, we show the potential of our methodology by outlining an example application that consists of a detection system intended to identify anomalous behaviours in the sharing of BitTorrent resources. Copyright © 2014 John Wiley & Sons, Ltd.

Analysis and modelling of resources shared in the BitTorrent network

The identification of P2P traffic has become a principal concern for the research community in the last years. Although several P2P traffic identification proposals can be found in the specialized literature, the problem still persists mainly due to obfuscation and privacy matters. This paper presents a flow-based P2P traffic identification scheme which is based on a multiple classification procedure. First, every traffic flow monitored is parameterized by using three different groups of features: time related features, data transfer features and signalling features. After that, a flow identification process is performed for each group of features. Finally, a global identification procedure is carried out by combining the three individual classifications. Promising experimental results have been obtained by using a basic KNN scheme as the classifier. These results provide some insights on the relevance of the group of features considered and demonstrate the validity of our approach to identify P2P traffic in a reliable way, while content inspection is avoided.

Pedro García-Teodoro

Papers

Stochastic Traffic Identification for Security Management: eDonkey Protocol as a Case Study

On the design of a low-rate dos attack against iterative servers

Unveiling the I2P web structure: a connectivity analysis

Analysis and modelling of resources shared in the BitTorrent network

Multiple vector classification for P2P traffic identification