Showing papers on "Intrusion detection system published in 2012"

Processing flows of information: From data stream to complex event processing

Abstract: A large number of distributed applications requires continuous and timely processing of information as it flows from the periphery to the center of the system. Examples include intrusion detection systems which analyze network traffic in real-time to identify possible attacks; environmental monitoring applications which process raw data coming from sensor networks to identify critical situations; or applications performing online analysis of stock prices to identify trends and forecast future values.Traditional DBMSs, which need to store and index data before processing it, can hardly fulfill the requirements of timeliness coming from such domains. Accordingly, during the last decade, different research communities developed a number of tools, which we collectively call Information flow processing (IFP) systems, to support these scenarios. They differ in their system architecture, data model, rule model, and rule language. In this article, we survey these systems to help researchers, who often come from different backgrounds, in understanding how the various approaches they adopt may complement each other.In particular, we propose a general, unifying model to capture the different aspects of an IFP system and use it to provide a complete and precise classification of the systems and mechanisms proposed so far.

Hierarchical Trust Management for Wireless Sensor Networks and its Applications to Trust-Based Routing and Intrusion Detection

Abstract: We propose a highly scalable cluster-based hierarchical trust management protocol for wireless sensor networks (WSNs) to effectively deal with selfish or malicious nodes. Unlike prior work, we consider multidimensional trust attributes derived from communication and social networks to evaluate the overall trust of a sensor node. By means of a novel probability model, we describe a heterogeneous WSN comprising a large number of sensor nodes with vastly different social and quality of service (QoS) behaviors with the objective to yield "ground truth" node status. This serves as a basis for validating our protocol design by comparing subjective trust generated as a result of protocol execution at runtime against objective trust obtained from actual node status. To demonstrate the utility of our hierarchical trust management protocol, we apply it to trust-based geographic routing and trust-based intrusion detection. For each application, we identify the best trust composition and formation to maximize application performance. Our results indicate that trust-based geographic routing approaches the ideal performance level achievable by flooding-based routing in message delivery ratio and message delay without incurring substantial message overhead. For trust-based intrusion detection, we discover that there exists an optimal trust threshold for minimizing false positives and false negatives. Furthermore, trust-based intrusion detection outperforms traditional anomaly-based intrusion detection approaches in both the detection probability and the false positive probability.

Consensus Computation in Unreliable Networks: A System Theoretic Approach

Abstract: This paper addresses the problem of ensuring trustworthy computation in a linear consensus network. A solution to this problem is relevant for several tasks in multi-agent systems including motion coordination, clock synchronization, and cooperative estimation. In a linear consensus network, we allow for the presence of misbehaving agents, whose behavior deviate from the nominal consensus evolution. We model misbehaviors as unknown and unmeasurable inputs affecting the network, and we cast the misbehavior detection and identification problem into an unknown-input system theoretic framework. We consider two extreme cases of misbehaving agents, namely faulty (non-colluding) and malicious (Byzantine) agents. First, we characterize the set of inputs that allow misbehaving agents to affect the consensus network while remaining undetected and/or unidentified from certain observing agents. Second, we provide worst-case bounds for the number of concurrent faulty or malicious agents that can be detected and identified. Precisely, the consensus network needs to be 2k+1 (resp. k+1) connected for k malicious (resp. faulty) agents to be generically detectable and identifiable by every well behaving agent. Third, we quantify the effect of undetectable inputs on the final consensus value. Fourth, we design three algorithms to detect and identify misbehaving agents. The first and the second algorithm apply fault detection techniques, and affords complete detection and identification if global knowledge of the network is available to each agent, at a high computational cost. The third algorithm is designed to exploit the presence in the network of weakly interconnected subparts, and provides local detection and identification of misbehaving agents whose behavior deviates more than a threshold, which is quantified in terms of the interconnection structure.

An efficient intrusion detection system based on support vector machines and gradually feature removal method

Abstract: The efficiency of the intrusion detection is mainly depended on the dimension of data features. By using the gradually feature removal method, 19 critical features are chosen to represent for the various network visit. With the combination of clustering method, ant colony algorithm and support vector machine (SVM), an efficient and reliable classifier is developed to judge a network visit to be normal or not. Moreover, the accuracy achieves 98.6249% in 10-fold cross validation and the average Matthews correlation coefficient (MCC) achieves 0.861161.

A network intrusion detection system based on a Hidden Naïve Bayes multiclass classifier

Abstract: With increasing Internet connectivity and traffic volume, recent intrusion incidents have reemphasized the importance of network intrusion detection systems for combating increasingly sophisticated network attacks. Techniques such as pattern recognition and the data mining of network events are often used by intrusion detection systems to classify the network events as either normal events or attack events. Our research study claims that the Hidden Naive Bayes (HNB) model can be applied to intrusion detection problems that suffer from dimensionality, highly correlated features and high network data stream volumes. HNB is a data mining model that relaxes the Naive Bayes method's conditional independence assumption. Our experimental results show that the HNB model exhibits a superior overall performance in terms of accuracy, error rate and misclassification cost compared with the traditional Naive Bayes model, leading extended Naive Bayes models and the Knowledge Discovery and Data Mining (KDD) Cup 1999 winner. Our model performed better than other leading state-of-the art models, such as SVM, in predictive accuracy. The results also indicate that our model significantly improves the accuracy of detecting denial-of-services (DoS) attacks.

Decision tree based light weight intrusion detection using a wrapper approach

Abstract: The objective of this paper is to construct a lightweight Intrusion Detection System (IDS) aimed at detecting anomalies in networks. The crucial part of building lightweight IDS depends on preprocessing of network data, identifying important features and in the design of efficient learning algorithm that classify normal and anomalous patterns. Therefore in this work, the design of IDS is investigated from these three perspectives. The goals of this paper are (i) removing redundant instances that causes the learning algorithm to be unbiased (ii) identifying suitable subset of features by employing a wrapper based feature selection algorithm (iii) realizing proposed IDS with neurotree to achieve better detection accuracy. The lightweight IDS has been developed by using a wrapper based feature selection algorithm that maximizes the specificity and sensitivity of the IDS as well as by employing a neural ensemble decision tree iterative procedure to evolve optimal features. An extensive experimental evaluation of the proposed approach with a family of six decision tree classifiers namely Decision Stump, C4.5, Naive Baye's Tree, Random Forest, Random Tree and Representative Tree model to perform the detection of anomalous network pattern has been introduced.

An Implementation of Intrusion Detection System Using Genetic Algorithm

Abstract: Nowadays it is very important to maintain a high level security to ensure safe and trusted communication of information between various organizations. But secured data communication over internet and any other network is always under threat of intrusions and misuses. So Intrusion Detection Systems have become a needful component in terms of computer and network security. There are various approaches being utilized in intrusion detections, but unfortunately any of the systems so far is not completely flawless. So, the quest of betterment continues. In this progression, here we present an Intrusion Detection System (IDS), by applying genetic algorithm (GA) to efficiently detect various types of network intrusions. Parameters and evolution processes for GA are discussed in details and implemented. This approach uses evolution theory to information evolution in order to filter the traffic data and thus reduce the complexity. To implement and measure the performance of our system we used the KDD99 benchmark dataset and obtained reasonable detection rate.

An implementation of intrusion detection system using genetic algorithm

Abstract: Nowadays it is very important to maintain a high level security to ensure safe and trusted communication of information between various organizations. But secured data communication over internet and any other network is always under threat of intrusions and misuses. So Intrusion Detection Systems have become a needful component in terms of computer and network security. There are various approaches being utilized in intrusion detections, but unfortunately any of the systems so far is not completely flawless. So, the quest of betterment continues. In this progression, here we present an Intrusion Detection System (IDS), by applying genetic algorithm (GA) to efficiently detect various types of network intrusions. Parameters and evolution processes for GA are discussed in details and implemented. This approach uses evolution theory to information evolution in order to filter the traffic data and thus reduce the complexity. To implement and measure the performance of our system we used the KDD99 benchmark dataset and obtained reasonable detection rate.

An intelligent algorithm with feature selection and decision rules applied to anomaly intrusion detection

Abstract: Intrusion detection system (IDS) is to monitor the attacks occurring in the computer or networks. Anomaly intrusion detection plays an important role in IDS to detect new attacks by detecting any deviation from the normal profile. In this paper, an intelligent algorithm with feature selection and decision rules applied to anomaly intrusion detection is proposed. The key idea is to take the advantage of support vector machine (SVM), decision tree (DT), and simulated annealing (SA). In the proposed algorithm, SVM and SA can find the best selected features to elevate the accuracy of anomaly intrusion detection. By analyzing the information from using KDD'99 dataset, DT and SA can obtain decision rules for new attacks and can improve accuracy of classification. In addition, the best parameter settings for the DT and SVM are automatically adjusted by SA. The proposed algorithm outperforms other existing approaches. Simulation results demonstrate that the proposed algorithm is successful in detecting anomaly intrusion detection.

Robust anomaly detection and regularized domain adaptation of classifiers with application to internet packet-flows

Abstract: Sound, robust methods identify the most suitable, parsimonious set of tests to use with respect to prioritized, sequential anomaly detection in a collected batch of sample data. While the focus is on detecting anomalies in network traffic flows and classifying network traffic flows into application types, the methods are also applicable to other anomaly detection and classification application settings, including detecting email spam, (e.g. credit card) fraud detection, detecting imposters, unusual event detection (for example, in images and video), host-based computer intrusion detection, detection of equipment or complex system failures, as well as of anomalous measurements in scientific experiments.

RASID demo: A robust WLAN device-free passive motion detection system

Abstract: WLAN Device-free passive (DfP) indoor localization is an emerging technology enabling the localization of entities that do not carry any devices nor participate actively in the localization process using the already installed wireless infrastructure. This technology is useful for a variety of applications such as intrusion detection, smart homes and border protection. We present the design, implementation and evaluation of RASID, a DfP system for human motion detection. RASID combines different modules for statistical anomaly detection while adapting to changes in the environment to provide accurate, robust, and low-overhead detection of human activities using standard WiFi hardware. Evaluation of the system in two different testbeds shows that it can achieve an accurate detection capability in both environments with an F-measure of at least 0.93. In addition, the high accuracy and low overhead performance are robust to changes in the environment as compared to the current state of the art DfP detection systems.

SCPSE: Security-Oriented Cyber-Physical State Estimation for Power Grid Critical Infrastructures

Abstract: Preserving the availability and integrity of the power grid critical infrastructures in the face of fast-spreading intrusions requires advances in detection techniques specialized for such large-scale cyber-physical systems. In this paper, we present a security-oriented cyber-physical state estimation (SCPSE) system, which, at each time instant, identifies the compromised set of hosts in the cyber network and the maliciously modified set of measurements obtained from power system sensors. SCPSE fuses uncertain information from different types of distributed sensors, such as power system meters and cyber-side intrusion detectors, to detect the malicious activities within the cyber-physical system. We implemented a working prototype of SCPSE and evaluated it using the IEEE 24-bus benchmark system. The experimental results show that SCPSE significantly improves on the scalability of traditional intrusion detection techniques by using information from both cyber and power sensors. Furthermore, SCPSE was able to detect all the attacks against the control network in our experiments.

A hybrid network intrusion detection system using simplified swarm optimization (SSO)

Abstract: The network intrusion detection techniques are important to prevent our systems and networks from malicious behaviors. However, traditional network intrusion prevention such as firewalls, user authentication and data encryption have failed to completely protect networks and systems from the increasing and sophisticated attacks and malwares. In this paper, we propose a new hybrid intrusion detection system by using intelligent dynamic swarm based rough set (IDS-RS) for feature selection and simplified swarm optimization for intrusion data classification. IDS-RS is proposed to select the most relevant features that can represent the pattern of the network traffic. In order to improve the performance of SSO classifier, a new weighted local search (WLS) strategy incorporated in SSO is proposed. The purpose of this new local search strategy is to discover the better solution from the neighborhood of the current solution produced by SSO. The performance of the proposed hybrid system on KDDCup 99 dataset has been evaluated by comparing it with the standard particle swarm optimization (PSO) and two other most popular benchmark classifiers. The testing results showed that the proposed hybrid system can achieve higher classification accuracy than others with 93.3% and it can be one of the competitive classifier for the intrusion detection system.

Two-stage intrusion detection system for high-speed packet processing using network processor and method thereof

Abstract: A system and method for detecting network intrusion by using a network processor are provided. The intrusion detection system includes: a first intrusion detector, configured to use a first network processor to perform intrusion detection on layer 3 and layer 4 of a protocol field among information included in a packet header of a packet transmitted to the intrusion detection system, and when no intrusion is detected, classify the packets according to stream and transmit the classified packets to a second intrusion detector; and a second intrusion detector, configured to use a second network processor to perform intrusion detection through deep packet inspection (DPI) for the packet payload of the packets transmitted from the first intrusion detector. Thereby, intrusion detection for high-speed packets can be performed in a network environment.

Kargus: a highly-scalable software-based intrusion detection system

Abstract: As high-speed networks are becoming commonplace, it is increasingly challenging to prevent the attack attempts at the edge of the Internet. While many high-performance intrusion detection systems (IDSes) employ dedicated network processors or special memory to meet the demanding performance requirements, it often increases the cost and limits functional flexibility. In contrast, existing software-based IDS stacks fail to achieve a high throughput despite modern hardware innovations such as multicore CPUs, manycore GPUs, and 10 Gbps network cards that support multiple hardware queues.We present Kargus, a highly-scalable software-based IDS that exploits the full potential of commodity computing hardware. First, Kargus batch processes incoming packets at network cards and achieves up to 40 Gbps input rate even for minimum-sized packets. Second, it exploits high processing parallelism by balancing the pattern matching workloads with multicore CPUs and heterogeneous GPUs, and benefits from extensive batch processing of multiple packets per each IDS function call. Third, Kargus adapts its resource usage depending on the input rate, significantly saving the power in a normal situation. Our evaluation shows that Kargus on a 12-core machine with two GPUs handles up to 33 Gbps of normal traffic and achieves 9 to 10 Gbps even when all packets contain attack signatures, a factor of 1.9 to 4.3 performance improvements over the existing state-of-the-art software IDS. We design Kargus to be compatible with the most popular software IDS, Snort.

Unsupervised Clustering Approach for Network Anomaly Detection

Abstract: This paper describes the advantages of using the anomaly detection approach over the misuse detection technique in detecting unknown network intrusions or attacks. It also investigates the performance of various clustering algorithms when applied to anomaly detection. Five different clustering algorithms: k-Means, improved k-Means, k-Medoids, EM clustering and distance-based outlier detection algorithms are used. Our experiment shows that misuse detection techniques, which implemented four different classifiers (naive Bayes, rule induction, decision tree and nearest neighbour) failed to detect network traffic, which contained a large number of unknown intrusions; where the highest accuracy was only 63.97% and the lowest false positive rate was 17.90%. On the other hand, the anomaly detection module showed promising results where the distance-based outlier detection algorithm outperformed other algorithms with an accuracy of 80.15%. The accuracy for EM clustering was 78.06%, for k-Medoids it was 76.71%, for improved k-Means it was 65.40% and for k-Means it was 57.81%. Unfortunately, our anomaly detection module produces high false positive rate (more than 20%) for all four clustering algorithms. Therefore, our future work will be more focus in reducing the false positive rate and improving the accuracy using more advance machine learning techniques.

6LoWPAN: a study on QoS security threats and countermeasures using intrusion detection system approach

Abstract: Fuelled to bring the Internet of Things concept to real life, the Internet Engineering Task Force is working on 6LoWPAN, in which the standard allows a vast number of smart objects to be deployed in local wireless sensor networks (WSNs) using the huge address space of IPv6 for data and information harvesting through the Internet. From the security point of view, 6LoWPAN/WSN will be open to security threats from the local network itself and the Internet. Cryptography techniques applied as the front line of defence or deterrent can easily be broken because of the weak secure nature of LoWPAN devices and the wireless environment. Compromised nodes could lead to insider attacks without being detected by any cryptography checking. An intrusion detection system (IDS) is, primarily needed as a second line of defence to monitor the network operations and raise an alarm in case of any anomaly. This paper analyses potential security threats in 6LoWPAN and reviews the current countermeasures, in particular, the IDS-based solutions for countering insider/internal threats. Additionally, it discovers three novel QoS-related security threats, namely rank attack, local repair attack, and resource depleting attack, which are more seriously affecting the routing protocol for low-power and lossy network, the routing protocol used to establish 6LoWPAN network topology. A new two-layer IDS concept is introduced as a countermeasure method for securing the routing protocol for low-power and lossy network-built network topology from the internal QoS attacks. Potential research works are also presented to provide baseline reference to researchers in this field. Copyright © 2012 John Wiley & Sons, Ltd.

A hybrid system for reducing the false alarm rate of anomaly intrusion detection system

Abstract: In this paper, we propose a hybrid intrusion detection system that combines k-Means, and two classifiers: K-nearest neighbor and Naive Bayes for anomaly detection. It consists of selecting features using an entropy based feature selection algorithm which selects the important attributes and removes the irredundant attributes. This algorithm operates on the KDD-99 Data set; this data set is used worldwide for evaluating the performance of different intrusion detection systems. The next step is clustering phase using k-Means. We have used the KDD99 (knowledge Discovery and Data Mining) intrusion detection contest. This system can detect the intrusions and further classify them into four categories: Denial of Service (DoS), U2R (User to Root), R2L (Remote to Local), and probe. The main goal is to reduce the false alarm rate of IDS1.

Intrusion detection using reduced-size RNN based on feature grouping

Abstract: Intrusion detection is well-known as an essential component to secure the systems in Information and Communication Technology (ICT). Based on the type of analyzing events, two kinds of Intrusion Detection Systems (IDS) have been proposed: anomaly-based and misuse-based. In this paper, three-layer Recurrent Neural Network (RNN) architecture with categorized features as inputs and attack types as outputs of RNN is proposed as misuse-based IDS. The input features are categorized to basic features, content features, time-based traffic features, and host-based traffic features. The attack types are classified to Denial-of-Service (DoS), Probe, Remote-to-Local (R2L), and User-to-Root (U2R). For this purpose, in this study, we use the 41 features per connection defined by International Knowledge Discovery and Data mining group (KDD). The RNN has an extra output which corresponds to normal class (no attack). The connections between the nodes of two hidden layers of RNN are considered partial. Experimental results show that the proposed model is able to improve classification rate, particularly in R2L attacks. This method also offers better Detection Rate (DR) and Cost Per Example (CPE) when compared to similar related works and also the simulated Multi-Layer Perceptron (MLP) and Elman-based intrusion detectors. On the other hand, False Alarm Rate (FAR) of the proposed model is not degraded significantly when compared to some recent machine learning methods.

Integrated Computer Security Management System and Method

Abstract: The present invention is generally directed to a computer security management system that integrates a firewall with an intrusion detection system (IDS). In other words, the firewall and IDS of the present invention can be designed to communicate process or status information and packets with one another. The present invention can facilitate centralized control of the firewall and the IDS and can increase the speed at which packets are passed between a secured computer network and an external network. Increased packet processing speed can be achieved in several ways. For example, the firewall and IDS can process packets in series, in parallel, and sometimes singularly when one of the components is not permitted to process a packet. Alternatively, singular processing can also be performed when one component is permitted to pass a packet to the secured computer network without checking with the other component.

A Retrofit Network Intrusion Detection System for MODBUS RTU and ASCII Industrial Control Systems

Abstract: MODBUS RTU/ASCII Snort is software to retrofit serial based industrial control systems to add Snort intrusion detection and intrusion prevention capabilities. This article discusses the need for such a system by describing 4 classes of intrusion vulnerabilities (denial of service, command injection, response injection, and system reconnaissance) which can be exploited on MODBUS RTU/ASCII industrial control systems. The article provides details on how Snort rules can detect and prevent such intrusions. Finally, the article describes the MODBUS RTU/ASCII Snort implementation, provides details on placement of a MODBUS RTU/ASCII Snort host within a control system to maximize intrusion detection and prevention capabilities, and discusses the system's validation.

Automated sniffer apparatus and method for monitoring computer systems for unauthorized access

Abstract: An apparatus for wireless communication including an automated intrusion detection process is provided. The apparatus has a portable housing, which may have a length no greater than 1 meter, a width no greater than 1 meter, and a height of no greater than 1 meter. A processing unit (e.g., CPU) is within the housing. One or more wireless network interface devices are within the housing and are coupled to the processing unit. The apparatus has an Ethernet (or like) network interface device within the housing and coupled to the processing unit. A network connector is coupled to the Ethernet network device. One or more memories are coupled to the processing unit. A code is directed to perform a process for detection of a wireless activity within a selected local geographic region. According to a specific embodiment, the wireless activity is derived from at least one authorized device or at least an other device. A code is directed to receiving at least identity information associated with the wireless activity from the detection process in a classification process. A code is directed to labeling the identity information into at least one of a plurality of categories in the classification process. Depending upon the embodiment, other codes may exist to carry out the functionality described herein.

AMI threats, intrusion detection requirements and deployment recommendations

Abstract: Advanced Metering Infrastructures (AMI) facilitate bidirectional communication between smart meters and utilities, allowing information about consumption, outages, and electricity rates to be shared reliably and efficiently. However, the numerous smart meters being connected through mesh networks open new opportunities for attackers to interfere with communications and compromise utilities' assets or steal customers' private information. The goal of this paper is to survey the various threats facing AMIs and the common attack techniques used to realize them in order to identify and understand the requirements for a comprehensive intrusion detection solution. The threat analysis leads to an extensive “attack tree” that captures the attackers' key objectives (e.g., energy theft) and the individual attack steps (e.g., eavesdropping on the network) that would be involved in achieving them. With reference to the attack tree, we show the type of information that would be required to effectively detect attacks. We also suggest that the widest coverage in monitoring the attacks can be provided by a hybrid sensing infrastructure that uses both a centralized intrusion detection system and embedded meter sensors.

CIDS: A Framework for Intrusion Detection in Cloud Systems

Abstract: By impersonating legitimate users, intruders can use the abundant resources of cloud computing environments. This paper develops a framework for "CIDS" a cloud based intrusion detection system, to solve the deficiencies of current IDSs. CIDS also provides a component to summarize the alerts and inform the cloud administrator. CIDS architecture is scalable and elastic with no central coordinator. This paper describes the components, architecture, detection models, and advantages of CIDS.

Evaluation of anomaly‐based IDS for mobile devices using machine learning classifiers

Abstract: Mobile devices have evolved and experienced an immense popularity over the last few years. This growth however has exposed mobile devices to an increasing number of security threats. Despite the variety of peripheral protection mechanisms described in the literature, authentication and access control cannot provide integral protection against intrusions. Thus, a need for more intelligent and sophisticated security controls such as intrusion detection systems (IDSs) is necessary. Whilst much work has been devoted to mobile device IDSs, research on anomaly-based or behaviour-based IDS for such devices has been limited leaving several problems unsolved. Motivated by this fact, in this paper, we focus on anomaly-based IDS for modern mobile devices. A dataset consisting of iPhone users data logs has been created, and various classification and validation methods have been evaluated to assess their effectiveness in detecting misuses. Specifically, the experimental procedure includes and cross-evaluates four machine learning algorithms (i.e. Bayesian networks, radial basis function, K-nearest neighbours and random Forest), which classify the behaviour of the end-user in terms of telephone calls, SMS and Web browsing history. In order to detect illegitimate use of service by a potential malware or a thief, the experimental procedure examines the aforementioned services independently as well as in combination in a multimodal fashion. The results are very promising showing the ability of at least one classifier to detect intrusions with a high true positive rate of 99.8%. Copyright © 2011 John Wiley & Sons, Ltd.

Intrusion as (anti)social communication: characterization and detection

Abstract: A reasonable definition of intrusion is: entering a community to which one does not belong. This suggests that in a network, intrusion attempts may be detected by looking for communication that does not respect community boundaries. In this paper, we examine the utility of this concept for identifying malicious network sources. In particular, our goal is to explore whether this concept allows a core-network operator using flow data to augment signature-based systems located at network edges. We show that simple measures of communities can be defined for flow data that allow a remarkably effective level of intrusion detection simply by looking for flows that do not respect those communities. We validate our approach using labeled intrusion attempt data collected at a large number of edge networks. Our results suggest that community-based methods can offer an important additional dimension for intrusion detection systems.