
Showing papers on "Intrusion detection system published in 2014"


Journal ArticleDOI
TL;DR: This paper provides a structured and comprehensive overview of various facets of network anomaly detection so that a researcher can become quickly familiar with every aspect of network anomalies detection.
Abstract: Network anomaly detection is an important and dynamic research area. Many network intrusion detection methods and systems (NIDS) have been proposed in the literature. In this paper, we provide a structured and comprehensive overview of various facets of network anomaly detection so that a researcher can become quickly familiar with every aspect of network anomaly detection. We present attacks normally encountered by network intrusion detection systems. We categorize existing network anomaly detection methods and systems based on the underlying computational techniques used. Within this framework, we briefly describe and compare a large number of network anomaly detection methods and systems. In addition, we also discuss tools that can be used by network defenders and datasets that researchers in network anomaly detection can use. We also highlight research directions in network anomaly detection.

971 citations


Journal ArticleDOI
TL;DR: A survey of the state-of-the-art in Intrusion Detection Systems (IDSs) that are proposed for WSNs is presented, followed by the analysis and comparison of each scheme along with their advantages and disadvantages.
Abstract: Wireless Sensor Networking is one of the most promising technologies, with applications ranging from health care to tactical military use. Although Wireless Sensor Networks (WSNs) have appealing features (e.g., low installation cost, unattended network operation), due to the lack of a physical line of defense (i.e., there are no gateways or switches to monitor the information flow), the security of such networks is a big concern, especially for applications where confidentiality has prime importance. Therefore, in order to operate WSNs in a secure way, any kind of intrusion should be detected before attackers can harm the network (i.e., sensor nodes) and/or the information destination (i.e., data sink or base station). In this article, a survey of the state-of-the-art in Intrusion Detection Systems (IDSs) that are proposed for WSNs is presented. Firstly, detailed information about IDSs is provided. Secondly, a brief survey of IDSs proposed for Mobile Ad-Hoc Networks (MANETs) is presented and the applicability of those systems to WSNs is discussed. Thirdly, IDSs proposed for WSNs are presented. This is followed by the analysis and comparison of each scheme along with their advantages and disadvantages. Finally, guidelines on IDSs that are potentially applicable to WSNs are provided. Our survey is concluded by highlighting open research issues in the field.

743 citations


Journal ArticleDOI
TL;DR: The approach is to classify modern CPS Intrusion Detection System techniques based on two design dimensions: detection technique and audit material, and provides insight on the effectiveness of IDS techniques as they apply to CPSs.
Abstract: Pervasive healthcare systems, smart grids, and unmanned aircraft systems are examples of Cyber-Physical Systems (CPSs) that have become highly integrated in the modern world. As this integration deepens, the importance of securing these systems increases. In order to identify gaps and propose research directions in CPS intrusion detection research, we survey the literature of this area. Our approach is to classify modern CPS Intrusion Detection System (IDS) techniques based on two design dimensions: detection technique and audit material. We summarize advantages and drawbacks of each dimension’s options. We also summarize the most and least studied CPS IDS techniques in the literature and provide insight on the effectiveness of IDS techniques as they apply to CPSs. Finally, we identify gaps in CPS IDS research and suggest future research areas.

593 citations


Journal ArticleDOI
TL;DR: The experimental results demonstrate that the proposed hybrid intrusion detection method is better than the conventional methods in terms of the detection rate for both unknown and known attacks while it maintains a low false positive rate.
Abstract: In this paper, a new hybrid intrusion detection method that hierarchically integrates a misuse detection model and an anomaly detection model in a decomposition structure is proposed. First, a misuse detection model is built based on the C4.5 decision tree algorithm and then the normal training data is decomposed into smaller subsets using the model. Next, multiple one-class SVM models are created for the decomposed subsets. As a result, each anomaly detection model not only uses the known attack information indirectly, but also builds the profiles of normal behavior very precisely. The proposed hybrid intrusion detection method was evaluated by conducting experiments with the NSL-KDD data set, which is a modified version of the well-known KDD Cup 99 data set. The experimental results demonstrate that the proposed method is better than the conventional methods in terms of the detection rate for both unknown and known attacks while it maintains a low false positive rate. In addition, the proposed method significantly reduces the high time complexity of the training and testing processes. Experimentally, the training and testing time of the anomaly detection model is shown to be only 50% and 60%, respectively, of the time required for the conventional models.

414 citations


BookDOI
21 Jan 2014
TL;DR: Intrusion detection in wireless ad-hoc networks / editors, Nabendu Chaki and Rituparna Chaki, contains information obtained from authentic and highly regarded sources.
Abstract: This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint. Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged. Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe. Intrusion detection in wireless ad-hoc networks / editors, Nabendu Chaki and Rituparna Chaki. pages cm. Includes bibliographical references and index. Contents: Preface ix; About the Editors xi; Contributors xiii; Chapter 1 Introduction 1 (Novarun Deb, Manali Chakraborty, and Nabendu Chaki); Chapter 2 Architecture and Organization Issues 43 (Manali Chakraborty, Novarun Deb, Debdutta Barman Roy, and Rituparna Chaki); Chapter 3 Routing for …

371 citations


Journal ArticleDOI
TL;DR: It is found that the combination of distributed Raman amplification with heterodyne detection can extend the sensing distance and enhances the sensitivity substantially, leading to the realization of ultra-long Φ-OTDR with high sensitivity and spatial resolution.
Abstract: An ultra-long phase-sensitive optical time domain reflectometry (Φ-OTDR) system that can achieve high-sensitivity intrusion detection over 131.5 km of fiber with a high spatial resolution of 8 m is presented, which is the longest Φ-OTDR reported to date, to the best of our knowledge. It is found that the combination of distributed Raman amplification with heterodyne detection can extend the sensing distance and enhance the sensitivity substantially, leading to the realization of ultra-long Φ-OTDR with high sensitivity and spatial resolution. Furthermore, the feasibility of applying such an ultra-long Φ-OTDR to pipeline security monitoring is demonstrated, and the features of the intrusion signal can be extracted with improved SNR by using the proposed wavelet detrending/denoising method.

316 citations


Journal ArticleDOI
17 Apr 2014
TL;DR: The issues related to combining supervised learning techniques, representation-learning techniques, machine lifelong learning techniques and Big Data technologies for solving network traffic classification problems are discussed.
Abstract: This paper focuses on the specific problem of Big Data classification of network intrusion traffic. It discusses the system challenges presented by the Big Data problems associated with network intrusion prediction. The prediction of a possible intrusion attack in a network requires continuous collection of traffic data and learning of their characteristics on the fly. The continuous collection of traffic data by the network leads to Big Data problems that are caused by the volume, variety and velocity properties of Big Data. The learning of the network characteristics requires machine learning techniques that capture global knowledge of the traffic patterns. The Big Data properties will lead to significant system challenges in implementing machine learning frameworks. This paper discusses the problems and challenges in handling Big Data classification using geometric representation-learning techniques and the modern Big Data networking technologies. In particular, this paper discusses the issues related to combining supervised learning techniques, representation-learning techniques, machine lifelong learning techniques and Big Data technologies (e.g. Hadoop, Hive and Cloud) for solving network traffic classification problems.

312 citations


Journal ArticleDOI
TL;DR: The key concept is to apply a semantic structure to kernel level system calls in order to reflect intrinsic activities hidden in high-level programming languages, which can help understand program anomaly behaviour.
Abstract: Host-based anomaly intrusion detection system design is very challenging due to the notoriously high false alarm rate. This paper introduces a new host-based anomaly intrusion detection methodology using discontiguous system call patterns, in an attempt to increase detection rates whilst reducing false alarm rates. The key concept is to apply a semantic structure to kernel level system calls in order to reflect intrinsic activities hidden in high-level programming languages, which can help understand program anomaly behaviour. Excellent results were demonstrated using a variety of decision engines, evaluating the KDD98 and UNM data sets, and a new, modern data set. The ADFA Linux data set was created as part of this research using a modern operating system and contemporary hacking methods, and is now publicly available. Furthermore, the new semantic method possesses an inherent resilience to mimicry attacks, and demonstrated a high level of portability between different operating system versions.

280 citations


Journal ArticleDOI
TL;DR: Experiments show that CSVAC (Combining Support Vectors with Ant Colony) outperforms SVM alone or CSOACN alone in terms of both classification rate and run-time efficiency.

234 citations


Proceedings ArticleDOI
01 Dec 2014
TL;DR: A novel scheme for device-free PAssive Detection of moving humans with dynamic Speed (PADS), where both amplitude and phase information of CSI are extracted and shaped into sensitive metrics for target detection; and CSI across multi-antennas in MIMO systems are further exploited to improve the detection accuracy and robustness.
Abstract: Device-free passive detection is an emerging technology to detect whether any moving entities exist in the area of interest without attaching any device to them. It is an essential primitive for a broad range of applications including intrusion detection for safety precautions, patient monitoring in hospitals, child and elder care at home, etc. Despite the prevalent signal feature Received Signal Strength (RSS), most robust and reliable solutions resort to finer-grained channel descriptors at the physical layer, e.g., the Channel State Information (CSI) in the 802.11n standard. Among a large body of emerging techniques, however, few have explored the full potential of CSI for human detection. Moreover, the space diversity supported by today's popular multi-antenna systems has not been investigated to an extent comparable to frequency diversity. In this paper, we propose a novel scheme for device-free PAssive Detection of moving humans with dynamic Speed (PADS). Both amplitude and phase information of CSI are extracted and shaped into sensitive metrics for target detection; and CSI across multiple antennas in MIMO systems is further exploited to improve the detection accuracy and robustness. We prototype PADS on commercial WiFi devices, and experimental results in different scenarios demonstrate that PADS achieves great performance improvement in spite of dynamic human movements.

226 citations


Journal ArticleDOI
TL;DR: The authors build on the progress of open source tools like Hadoop, Hive and Mahout to provide a scalable implementation of a quasi-real-time intrusion detection system used to detect Peer-to-Peer Botnet attacks using a machine learning approach.

Journal ArticleDOI
Li Wenchao, Ping Yi, Yue Wu, Li Pan, Jianhua Li
TL;DR: This system can separate abnormal nodes from normal nodes by observing their abnormal behaviors, and it has achieved efficient, rapid intrusion detection by improving the wireless ad hoc on-demand distance vector routing protocol (Ad hoc On-Demand Distance Vector Routing, AODV).
Abstract: The Internet of Things has broad application in the military field, commerce, environmental monitoring, and many other fields. However, the open nature of the information media and the poor deployment environment have brought great risks to the security of wireless sensor networks, seriously restricting the application of wireless sensor networks. An Internet of Things composed of wireless sensor networks faces security threats mainly from DoS attacks, replay attacks, integrity attacks, false routing information attacks, and flooding attacks. In this paper, we propose a new intrusion detection system based on the k-nearest neighbor (referred to as KNN below) classification algorithm in wireless sensor networks. This system can separate abnormal nodes from normal nodes by observing their abnormal behaviors, and we analyse parameter selection and the error rate of the intrusion detection system. The paper elaborates on the design and implementation of the detection system. This system has achieved efficient, rapid intrusion detection by improving the wireless ad hoc on-demand distance vector routing protocol (Ad hoc On-Demand Distance Vector Routing, AODV). Finally, the test results show that the system has high detection accuracy and speed, in accordance with the requirements of wireless sensor network intrusion detection.

Journal ArticleDOI
TL;DR: The approach is to classify existing contemporary wireless intrusion detection system (IDS) techniques based on target wireless network, detection technique, collection process, trust model and analysis technique.

Proceedings ArticleDOI
08 Dec 2014
TL;DR: It is shown that the proposed approach can detect direct attacks on process control, and its potential to identify more sophisticated indirect attacks on field device measurements as well is explored.
Abstract: Off-the-shelf intrusion detection systems prove an ill fit for protecting industrial control systems, as they do not take their process semantics into account. Specifically, current systems fail to detect recent process control attacks that manifest as unauthorized changes to the configuration of a plant's programmable logic controllers (PLCs). In this work we present a detector that continuously tracks updates to corresponding process variables to then derive variable-specific prediction models as the basis for assessing future activity. Taking a specification-agnostic approach, we passively monitor plant activity by extracting variable updates from the devices' network communication. We evaluate the capabilities of our detection approach with traffic recorded at two operational water treatment plants serving a total of about one million people in two urban areas. We show that the proposed approach can detect direct attacks on process control, and we further explore its potential to identify more sophisticated indirect attacks on field device measurements as well.

Journal ArticleDOI
01 May 2014
TL;DR: This paper investigates the impact of reckless, random, and opportunistic attacker behaviors on the effectiveness of the behavior rule-based UAV IDS (BRUIDS) which bases its audit on behavior rules to quickly assess the survivability of the UAV facing malicious attacks.
Abstract: In this paper, we propose an adaptive specification-based intrusion detection system (IDS) for detecting malicious unmanned air vehicles (UAVs) in an airborne system in which continuity of operation is of the utmost importance. An IDS audits UAVs in a distributed system to determine if the UAVs are functioning normally or are operating under malicious attacks. We investigate the impact of reckless, random, and opportunistic attacker behaviors (modes which many historical cyber attacks have used) on the effectiveness of our behavior rule-based UAV IDS (BRUIDS) which bases its audit on behavior rules to quickly assess the survivability of the UAV facing malicious attacks. Through a comparative analysis with the multiagent system/ant-colony clustering model, we demonstrate a high detection accuracy of BRUIDS for compliant performance. By adjusting the detection strength, BRUIDS can effectively trade higher false positives for lower false negatives to cope with more sophisticated random and opportunistic attackers to support ultrasafe and secure UAV applications.

Journal ArticleDOI
TL;DR: A SCADA-specific cybersecurity testbed to investigate simulated attacks, which has been used in this paper to validate the proposed approach, and a multilayer cyber-security framework for protecting SCADA cybersecurity in smart grids without compromising the availability of normal data are presented.
Abstract: The increased interconnectivity and complexity of supervisory control and data acquisition (SCADA) systems in power system networks has exposed the systems to a multitude of potential vulnerabilities. In this paper, we present a novel approach for a next-generation SCADA-specific intrusion detection system (IDS). The proposed system analyzes multiple attributes in order to provide a comprehensive solution that is able to mitigate varied cyberattack threats. The multiattribute IDS comprises a heterogeneous white list and behavior-based concept in order to make SCADA cybersystems more secure. This paper also proposes a multilayer cyber-security framework based on IDS for protecting SCADA cybersecurity in smart grids without compromising the availability of normal data. In addition, this paper presents a SCADA-specific cybersecurity testbed to investigate simulated attacks, which has been used in this paper to validate the proposed approach.

Proceedings ArticleDOI
01 Dec 2014
TL;DR: A new approach that merges feature selection and classification for the multi-class NSL-KDD cup 99 intrusion detection dataset, employing a support vector machine (SVM) to improve the competence of intrusion classification with a significantly reduced set of input features from the training data.
Abstract: Intrusion is the violation of an information security policy by malicious activities. Intrusion detection (ID) is a series of actions for detecting and recognising suspicious actions that undermine the expected standards of confidentiality, quality, consistency, and availability of a computer-based network system. In this paper, we present a new approach that merges feature selection and classification for the multi-class NSL-KDD cup 99 intrusion detection dataset, employing a support vector machine (SVM). The objective is to improve the competence of intrusion classification with a significantly reduced set of input features from the training data. In supervised learning, feature selection is the process of selecting the important input training features and removing the irrelevant input training features, with the objective of obtaining a feature subset that produces higher classification accuracy. In the experiment, we have applied an SVM classifier on several input feature subsets of the training dataset of the NSL-KDD cup 99 dataset. The experimental results obtained showed that the proposed method successfully brings 91% classification accuracy using only three features and 99% classification accuracy using 36 features, while all 41 training features achieved 99% classification accuracy.

Journal ArticleDOI
TL;DR: Data mining concept is integrated with an IDS to identify the relevant, hidden data of interest for the user effectively and with less execution time in four issues such as Classification of Data, High Level of Human Interaction, Lack of Labeled Data, and Effectiveness of Distributed Denial of Service Attack.

Proceedings ArticleDOI
20 Nov 2014
TL;DR: This paper focuses on an important research problem of Big Data classification in intrusion detection systems, and an intrusion detection model based on Deep Belief Networks is proposed for application in the intrusion recognition domain.
Abstract: This paper focuses on an important research problem of Big Data classification in intrusion detection systems. Deep Belief Networks are introduced to the field of intrusion detection, and an intrusion detection model based on Deep Belief Networks is proposed for application in the intrusion recognition domain. The deep hierarchical model is a deep neural network classifier combining multilayer unsupervised learning networks, called Restricted Boltzmann Machines, and a supervised learning network, called a back-propagation network. The experimental results on the KDD CUP 1999 dataset demonstrate that the performance of the Deep Belief Networks model is better than that of SVM and ANN.

Patent
08 Oct 2014
TL;DR: In this paper, a system and methods for detecting intrusions in the operation of a computer system comprises a sensor configured to gather information regarding the operation, to format the information in a data record having a predetermined format, and to transmit the data in the predetermined data format.
Abstract: A system and methods for detecting intrusions in the operation of a computer system comprises a sensor configured to gather information regarding the operation of the computer system, to format the information in a data record having a predetermined format, and to transmit the data in the predetermined data format. A data warehouse is configured to receive the data record from the sensor in the predetermined data format and to store the data in a SQL database. A detection model generator is configured to request data records from the data warehouse in the predetermined data format, to generate an intrusion detection model based on said data records, and to transmit the intrusion detection model to the data warehouse according to the predetermined data format. A detector is configured to receive a data record in the predetermined data format from the sensor and to classify the data record in real-time as one of normal operation and an attack based on said intrusion detection model. A data analysis engine is configured to request data records from the data warehouse according to the predetermined data format and to perform a data processing function on the data records.

Journal ArticleDOI
TL;DR: An integrated Anomaly Detection System (ADS) is proposed which contains host- and network-based anomaly detection systems for the substations, and simultaneous anomaly detection for multiple substations; the proposed simultaneous intrusion detection method is able to identify the same type of attacks at multiple substations and their locations.
Abstract: Cyber intrusions to substations of a power grid are a source of vulnerability since most substations are unmanned and with limited protection of the physical security. In the worst case, simultaneous intrusions into multiple substations can lead to severe cascading events, causing catastrophic power outages. In this paper, an integrated Anomaly Detection System (ADS) is proposed which contains host- and network-based anomaly detection systems for the substations, and simultaneous anomaly detection for multiple substations. Potential scenarios of simultaneous intrusions into the substations have been simulated using a substation automation testbed. The host-based anomaly detection considers temporal anomalies in the substation facilities, e.g., user-interfaces, Intelligent Electronic Devices (IEDs) and circuit breakers. The malicious behaviors of substation automation based on multicast messages, e.g., Generic Object Oriented Substation Event (GOOSE) and Sampled Measured Value (SMV), are incorporated in the proposed network-based anomaly detection. The proposed simultaneous intrusion detection method is able to identify the same type of attacks at multiple substations and their locations. The result is a new integrated tool for detection and mitigation of cyber intrusions at a single substation or multiple substations of a power grid.

Book ChapterDOI
17 Mar 2014
TL;DR: Four data sets are described, which include network traffic, process control and process measurement features from a set of 28 attacks against two laboratory-scale industrial control systems that use the MODBUS application layer protocol, which enable effective comparisons of intrusion detection solutions for SCADA systems.
Abstract: Supervisory control and data acquisition (SCADA) systems monitor and control physical processes associated with the critical infrastructure. Weaknesses in the application layer protocols, however, leave SCADA networks vulnerable to attack. In response, cyber security researchers have developed myriad intrusion detection systems. Researchers primarily rely on unique threat models and the corresponding network traffic data sets to train and validate their intrusion detection systems. This leads to a situation in which researchers cannot independently verify the results, cannot compare the effectiveness of different intrusion detection systems, and cannot adequately validate the ability of intrusion detection systems to detect various classes of attacks. Indeed, a common data set is needed that can be used by researchers to compare intrusion detection approaches and implementations. This paper describes four data sets, which include network traffic, process control and process measurement features from a set of 28 attacks against two laboratory-scale industrial control systems that use the MODBUS application layer protocol. The data sets, which are freely available, enable effective comparisons of intrusion detection solutions for SCADA systems.

Journal ArticleDOI
TL;DR: The smart home app is tested and is able to successfully perform smart home operations such as switching functionalities, automatic environmental control and intrusion detection, in the latter case generating an email and sounding the siren.
Abstract: This paper presents a flexible standalone, low-cost smart home system, which is based on an Android app communicating with a micro-web server providing more than the switching functionalities. The Arduino Ethernet is used to eliminate the use of a personal computer (PC), keeping the cost of the overall system to a minimum, while voice activation is incorporated for switching functionalities. Devices such as light switches, power plugs, temperature sensors, humidity sensors, current sensors, intrusion detection sensors, smoke/gas sensors and sirens have been integrated in the system to demonstrate the feasibility and effectiveness of the proposed smart home system. The smart home app is tested and is able to successfully perform smart home operations such as switching functionalities, automatic environmental control and intrusion detection, in the latter case generating an email and sounding the siren.

Journal ArticleDOI
TL;DR: The proposed cooperative Game-based Fuzzy Q-learning (G-FQL) model implements cooperative defense counter-attack scenarios for the sink node and the base station to operate as rational decision-maker players through a game theory strategy, and yields a greater improvement than existing machine learning methods.

Proceedings ArticleDOI
09 Oct 2014
TL;DR: An intrusion detection module capable of detecting malicious network traffic in a SCADA (Supervisory Control and Data Acquisition) system, which communicates with the other parts of the system by exchanging IDMEF messages that carry information about the source of the incident, the time and a classification of the alarm.
Abstract: In this paper we present an intrusion detection module capable of detecting malicious network traffic in a SCADA (Supervisory Control and Data Acquisition) system. Malicious data in a SCADA system disrupt its correct functioning and tamper with its normal operation. OCSVM (One-Class Support Vector Machine) is an intrusion detection mechanism that does not need any labeled data for training or any information about the kind of anomaly it is expecting for the detection process. This feature makes it ideal for processing SCADA environment data and automating SCADA performance monitoring. The OCSVM module developed is trained offline on network traces and detects anomalies in the system in real time. The module is part of an IDS (Intrusion Detection System) developed under the CockpitCI project and communicates with the other parts of the system by exchanging IDMEF (Intrusion Detection Message Exchange Format) messages that carry information about the source of the incident, the time and a classification of the alarm.

Journal ArticleDOI
TL;DR: The design outline of the intrusion detection mechanism in CPS is introduced in terms of the layers of system and specific detection techniques, and some significant research problems are identified for enlightening the subsequent studies.
Abstract: Cyber-physical systems (CPSs) integrate computation with physical processes. Embedded computers and networks monitor and control the physical processes, usually with feedback loops where physical processes affect computations and vice versa. CPS was identified as one of the eight research priority areas in the August 2007 report of the President's Council of Advisors on Science and Technology, as CPS will be the core component of many critical infrastructures and industrial control systems in the near future. However, a variety of random failures and cyber attacks exist in CPS, which greatly restrict their growth. Fortunately, an intrusion detection mechanism could take effect for protecting CPS. When a misbehavior is found by the intrusion detector, the appropriate action can be taken immediately so that any harm to the system will be minimized. As CPSs are yet to be defined universally, the application of the intrusion detection mechanism remains open presently. As a result, the effort will be made to discuss how to appropriately apply the intrusion detection mechanism to CPS in this paper. By examining the unique properties of CPS, it intends to define the specific requirements first. Then, the design outline of the intrusion detection mechanism in CPS is introduced in terms of the layers of the system and specific detection techniques. Finally, some significant research problems are identified for enlightening the subsequent studies.

Posted Content
TL;DR: It is shown that the concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered.
Abstract: Covert channels can be used to circumvent system and network policies by establishing communications that have not been considered in the design of the computing system. We construct a covert channel between different computing systems that utilizes audio modulation/demodulation to exchange data between the computing systems over the air medium. The underlying network stack is based on a communication system that was originally designed for robust underwater communication. We adapt the communication system to implement covert and stealthy communications by utilizing the ultrasonic frequency range. We further demonstrate how the scenario of covert acoustical communication over the air medium can be extended to multi-hop communications and even to wireless mesh networks. A covert acoustical mesh network can be conceived as a meshed botnet or malnet that is accessible via inaudible audio transmissions. Different applications of covert acoustical mesh networks are presented, including the use for remote keylogging over multiple hops. It is shown that the concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered. Finally, countermeasures against covert acoustical mesh networks are discussed, including the use of lowpass filtering in computing systems and a host-based intrusion detection system for analyzing audio input and output in order to detect any irregularities.

Journal ArticleDOI
TL;DR: This paper gives a taxonomy of false alarm minimization techniques in signature-based IDS and presents the pros and cons of each class and concludes with some directions to the future research.

Journal ArticleDOI
TL;DR: A distributed intrusion detection framework, in which a local parameterized detection model is constructed in each node using the online Adaboost algorithm, and an algorithm based on particle swarm optimization (PSO) and support vector machines is used to detect intrusions.
Abstract: Current network intrusion detection systems lack adaptability to the frequently changing network environments. Furthermore, intrusion detection in the new distributed architectures is now a major requirement. In this paper, we propose two online Adaboost-based intrusion detection algorithms. In the first algorithm, a traditional online Adaboost process is used where decision stumps are used as weak classifiers. In the second algorithm, an improved online Adaboost process is proposed, and online Gaussian mixture models (GMMs) are used as weak classifiers. We further propose a distributed intrusion detection framework, in which a local parameterized detection model is constructed in each node using the online Adaboost algorithm. A global detection model is constructed in each node by combining the local parametric models using a small number of samples in the node. This combination is achieved using an algorithm based on particle swarm optimization (PSO) and support vector machines. The global model in each node is used to detect intrusions. Experimental results show that the improved online Adaboost process with GMMs obtains a higher detection rate and a lower false alarm rate than the traditional online Adaboost process that uses decision stumps. Both algorithms outperform existing intrusion detection algorithms. It is also shown that our PSO- and SVM-based algorithm effectively combines the local detection models into the global model in each node; the global model in a node can handle the intrusion types that are found in other nodes, without sharing the samples of these intrusion types.

Journal ArticleDOI
TL;DR: This work has built two models for the classification purpose, one based on Support Vector Machines (SVM) and the other on Random Forests (RF), and experimental results show that either classifier is effective.
Abstract: The success of any Intrusion Detection System (IDS) is a complicated problem due to its nonlinearity and the quantitative or qualitative network traffic data stream with many features. To get rid of this problem, several types of intrusion detection methods have been proposed and have shown different levels of accuracy. This is why the choice of an effective and robust method for IDS is a very important topic in information security. In this work, we have built two models for the classification purpose. One is based on Support Vector Machines (SVM) and the other on Random Forests (RF). Experimental results show that either classifier is effective. SVM is slightly more accurate, but more expensive in terms of time. RF produces similar accuracy in a much faster manner if given modeling parameters. These classifiers can contribute to an IDS as one source of analysis and increase its accuracy. In this paper, the KDD’99 dataset is used to find out which classifier is the best intrusion detector for this dataset. Statistical analysis on the KDD’99 dataset found important issues which highly affect the performance of evaluated systems and result in a very poor evaluation of anomaly detection approaches. The most important deficiency in the KDD’99 dataset is the huge number of redundant records. To solve these issues, we have developed a new dataset, KDD99Train+ and KDD99Test+, which does not include any redundant records in the train set or in the test set, so the classifiers will not be biased towards more frequent records. The numbers of records in the train and test sets are now reasonable, which makes it affordable to run the experiments on the complete set without the need to randomly select a small portion. The findings of this paper will be very useful for using SVM and RF in a more meaningful way in order to maximize the performance rate and minimize the false negative rate.