Anomaly based Network Intrusion Detection System
|
|
- Rodney Stephens
- 5 years ago
- Views:
Transcription
1 Synopsis on Anomaly based Network Intrusion Detection System Submitted by Under the guidance of : Dinakara K (06CS6026) MTech (CSE) 2nd Year : Prof. Jayanta Mukhopadhyay Dept. of CSE Prof. S K Ghosh School of IT Indian Institute Of Technology, Kharagpur Version 1.00 Date: 30 April
2 Table of Contents 1 INTRODUCTION ORGANIZATION OF THESIS RELATED WORK MOTIVATION AND OBJECTIVE OBJECTIVE SYSTEM ARCHITECTURE OPERATING ENVIRONMENT APPROACH STATISTICAL MOMENTS OR MEAN AND STANDARD DEVIATION MODEL HOTELLING S T 2 HYPOTHESIS, A MULTIVARIATE STATISTICAL TECHNIQUE [10] BAYESIAN CLASSIFICATION, A PROBABILISTIC TECHNIQUE EXPERIMENTAL RESULTS AND DISCUSSION DISCUSSION CONCLUSION BIBLIOGRAPHY
3 1 INTRODUCTION Internet is forcing organizations into an era of open and trusted communications. This openness at the same time brings its share of vulnerabilities and problems such as financial losses, damage to reputation, maintaining availability of services, protecting the personal and customer data and many more, pushing both enterprises and service providers to take steps to guard their valuable data from intruders, hackers and insiders. Intrusion Detection System has become the fundamental need for the successful content networking. IDS provide two primary benefits: Visibility and Control. It is the combination of these two benefits that makes it possible to create and enforce an enterprise security policy to make the private computer network secure. Visibility is the ability to see and understand the nature of the network and the traffic on the network while Control is the ability to affect network traffic including access to the network or parts thereof. Visibility is paramount to decision making and makes it possible to create a security policy based on quantifiable, real world data. Control is paramount to enforcement and makes it possible to enforce compliance with security policy. There are two general approaches to detecting intrusions: anomaly detection (also called behavior-based) and signature based (also named misuse or pattern based) [1]. Signature based techniques identify and store signature patterns of known intrusions, match activities in an information system with known patterns of intrusion signatures, and signal intrusions when there is a match. Pattern recognition techniques are efficient and accurate in detecting known intrusions, but cannot detect novel intrusions whose signature patterns are unknown. Anomaly detection techniques can detect both novel and known attacks if they demonstrate large differences from the norm profile. Since anomaly detection techniques signal all anomalies as intrusions, false alarms are expected when anomalies are caused by behavioral irregularity instead of intrusions. Hence, pattern recognition techniques and anomaly detection techniques are often used together to complement each other. In the research work, a Anomaly based IDS is designed and developed which is integrated with the open source signature based network IDS, called SNORT [2] to give best results. In the Anomaly based IDS, three different techniques are used for detecting the network based attacks leading to abnormal network activities. The IDS is evaluated with MIT_LL DARPA 1999 Data set [3] and a comparative analysis of the techniques is given in the later section of the synopsis. 3
4 1.1 ORGANIZATION OF THESIS The synopsis covers the work accomplished so far in the realization of the Anomaly based network intrusion detection system. It is organized as follows. Section 2 gives Motivation and Objective for taking up the project. Section 3 deals with the system architecture of the Anomaly based Network IDS. Section 4 presents the Approach followed in executing the project and Section 5 gives the experimental results and conclusion. 1.2 RELATED WORK Network intrusion detection systems like snort (2001) or Bro (Paxson, 1998) typically use signature detection, matching patterns in network traffic to the patterns of known attacks. This works well, but has the obvious disadvantage of being vulnerable to novel attacks. An alternative approach is anomaly detection, which models normal traffic and signals any deviation from this model as suspicious. The idea is based on work by Forrest et al. (1996), who found that most UNIX processes make (mostly) highly predictable sequences of system calls in normal use. Network anomaly detectors look for unusual traffic rather than unusual system calls. ADAM (Audit Data and Mining) [4] is an anomaly detector trained on both attack-free traffic and traffic with labeled attacks. It monitors port numbers, IP addresses and subnets, and TCP state. ADAM uses a naive Bayes classifier which means that the probability that a packet belongs to some class (normal, known attack, or unknown) depends on the a-priori probability of the class, and the combined probabilities of a large collection of rules under the assumption that they are independent. Matthew V. Mahoney and Philip K. Chan developed Packet Header Anomaly detection for identifying Hostile Network (PHAD) [5],[7] that learns the normal ranges of values for each packet header field at the data link (Ethernet), network (IP), and transport/control layers (TCP, UDP, ICMP). PHAD detects some of the attacks in the DARPA data set that involve exploits at the transport layer and below. The paper, Detecting Novel Network Intrusions Using Bayes Estimators [6] authored by Daniel Barbara and et al suggests a method called pseudo-bayes estimators as a means to estimate the prior and posterior probabilities of new attacks. Then a Naive Bayes classifier is used to classify the instances into normal instances, known attacks and new attacks. 4
5 2 MOTIVATION AND OBJECTIVE Despite the fact that intrusion detection systems are commercially developed and used for more than a decade, there still exist many issues around IDS. Some of the shortcomings of the current IDS which handicap its effectiveness are discussed below. a) Only the known attacks are detected in signature based techniques which simply means no protection is offered against novel attacks or new variants of existing intrusions. b) How well a signature captures the attacks in its string is again a matter of concern. There is quite some number of such poorly written signature codes. So the actual attack pattern may stretch across multiple packets, easily evading the detection system c) In order to perform an exhaustive signature based search, the processing and memory needs are very high and in the real time scenario, there is quite likely hood of missing genuine attacks. Also, there is the problem of ever increasing attack signature databases. d) In anomaly approach, though new kinds of intrusions are detected, this benefit is paralyzed by high number of false alarms. More over improper/insufficient training to anomaly module results in showing the genuine changes in the network traffic pattern as suspicious activities only to raise the false positives and false negatives. 2.1 OBJECTIVE The aim of the present work was to design and develop of a Anomaly or behavioral based Network Intrusion Detection System which can detect intrusions based on behavioral patterns (i.e. without the use of signatures) and can also detect novel attacks which are anomalous in nature. The work also aimed at reducing number of false alarms by characterizing the target network with appropriate network parameters and analyzing them with mathematical models. Literature survey reveals that, the Bayesian Analysis is successfully used in the SPAM filters but in the area of IDS it is still not explored to great extent. So in this work, Bayesian classification technique is used for discriminating the anomalous attacks from that of normal activities. Hotelling s Multivariate statistical hypothesis technique is also being used. The project is integrated with a open source signature based IDS called SNORT so that it forms a complete package having both signature and anomaly techniques for effective defense against the Network attacks 5
6 3 SYSTEM ARCHITECTURE The proposed architecture of Network IDS has various components as depicted in the figure 1. This architecture is based on SNORT, which is a open source Network IDS [8]. The components execute different functionalities which are discussed below. Figure 1. The overall system architecture Sensor/Decoder The NIC is put in promiscuous mode to sniff all the packets in the network irrespective of their target. The decoder receives the packets from the libpcap packet capturing library and processes them. This module executes following functionalities. - Sniffs all the network packets visible to it in real time. - Extract the header and payload information from the Ethernet packet. - Updates the Ethernet/ARP/RARP/IP/TCP/UDP and ICMP counter as and when the respective packets are received - Perform necessary checks on header and payload information. - Sniffed packets sent to the Preprocessor Preprocessor This module takes the packets from the decoder and performs the functions like IP defragmentation, building the sessions for reassembly of packets etc. Several preprocessor are available with SNORT to execute the necessary tasks. This module also hosts the Anomaly learning and detection preprocessor used for detecting the intrusions leading to anomalies. Figure 2 shows the structure of Anomaly detection preprocessor. 6
7 Figure 2. Anomaly Detection preprocessor The preprocessor has following responsibilites : - Defragments the fragmented IP packets - Reassembles the TCP packets into streams - Normalizes Application Layer protocols like Telnet/HTTP - Detects Port scans/evasion Attacks - Preprocessed packets sent to Detection Engine - Anomaly Detection preprocessor detects the intrusive activities in the network Detection Engine It is the main part of the entire system which is responsible for detecting the attack signatures in the preprocessed packets. The overall system performance directly depends on this module. Some of the main functions handled by this module are listed below. - Parse the rules and build an internal data structure that holds the rules in a customized tree structure. Once the tree is built, load it into memory. - Pass traffic through this rule tree for comparing the packet header and data against the rules. (Uses strings matching algorithms) - Report to the alert module on packets that have found to be carrying malicious data. - If any new rules have been added or if existing rules are modified or deleted then update the same to the detection engine tree structure. - When the application is exited this will clean up all memory allocated for building the detection engine. Alert Module - Sends the alerts triggered by the Detection Engine to Alert Console in real time. - Stores the alerts into alert file or into a Database as per the configuration 7
8 Open source php based console, called Basic Analysis and Security Engine (BASE) is integrated with the Alert Module to enhance the user friendliness. The figure 3 shows a screenshot of the BASE console. Figure 3. Screenshot of BASE console showing the generated alerts 3.1 OPERATING ENVIRONMENT The development work is carried out in C language on linux platform to comply with the SNORT program. The following softwares/tools are used for the development and execution of the project ANJUTA - Open source IDE BASE - Basic Analysis and Security Engine GCC - GNU C Compiler to compile the components. Libpcap - Linux Packet capturing library MYSQL - Centralized database storage. RHEL4 - Redhat Enterprise Linux 4 SNORT - Open Source Network Intrusion Detection System The IDS works efficiently on a system with the following configuration: Pentium IV 2.0GHz 512MBRAM 40 GB Hard Disk or higher 10/100 Mbps Ethernet Interface Card. 8
9 4 APPROACH The primary task was to characterize the target network in terms of suitable network parameters. The parameters are chosen such that their values will change perceivably in normal and intrusive conditions. The features considered are the commonly seen protocols in the network traffic, the traffic data rate and the flow direction. Once the network behavior is quantified with these parameters, the next step would be to observe how they vary with time. The observation has to be made on different days of a week because the network behavior changes over working days and non working days of a week and also on general holidays. The Anomaly based IDS has two operational modes. Learning(or training) mode : In this mode, the IDS logs the selected network parameters to a file. The frequency of packet sampling is set as per requirement; it is set by default to 10 minutes. IDS is put in learning mode for some time, say over a month to learn the normal network behavior. Sufficient training period is the key factor in reducing the false alarms. Once the learning is over, profile for the target network is generated using another program. The IDS is also trained to learn the network behavior in the face of intrusions. Intrusions are simulated using the MIT-DARPA training data set (Week 2). Network profile is also generated for this condition. The logic for profile generation is given in figure 4. Figure 4. Algorithm for generating the profile 9
10 Detection mode: In this mode, IDS detects in real time, the network based attacks leading to abnormal traffic pattern. The abnormality is decided on the basis of the network profile. The flow chart in figure 6 shows the working of Anomaly Detection technique. Figure 6. Flow chart for Anomaly Detection technique Three techniques are applied for the classifying the events as a intrusive or non intrusive. 10
11 4.1 STATISTICAL MOMENTS OR MEAN AND STANDARD DEVIATION MODEL Statistical based anomaly detection techniques use statistical properties (mean and variance) of normal activities to build a statistical based normal profile and employ statistical tests to determine whether observed activities deviate significantly from the normal profile [9]. A confidence interval is chosen suitably based on the experimentation [12]. μ n * σ < x < μ + n* σ x denotes the value of a network parameter. If the value of x goes beyond ( μ ± n* σ ), it simply indicates an anomalous situation and can be flagged as alert. 4.2 HOTELLING S T 2 HYPOTHESIS, A MULTIVARIATE STATISTICAL TECHNIQUE [10] 2 Hotelling s Τ statistic for an observation X is determined by 2 T 1 Τ = ( X μ ) Σ ( X μ ) Where X = ( X, X 2, X 3... X 1 p ( p ), denotes an observation of p variables at time t μ = μ, μ, μ,... μ ), denotes a vector of mean values of p variables at time t and n 1 Σ = ( n 1) 1 T ( x μ )( x μ), where n is the data sample size 11
12 The computed 2 Τ value is small if the data point conforms to the norm profile. 2 Hotellings Τ test provides a complete data model of multivariate data. Since it uses the covariance matrix Σ of p variables, it detects both mean shifts and their interrelationship in a multivariate manner which is important in finding the network anomalies. 4.3 BAYESIAN CLASSIFICATION, A PROBABILISTIC TECHNIQUE Bayesian statistics, in the most general form, provides a framework for combining observed data with prior assumptions in order to model stochastic systems [11]. p( A/ I) p ( I / A) = p( I ) (1) p( A) Where p( I / A) is the posterior probability of an event being intrusion given the evidence A p (I) is the prior probability of the intrusion, before the observation of evidence A p ( A / I ) =Likelihood function of A given I p (A) = Total probability of evidence The likelihood function p ( A / I ) denotes a probability density function of the vector samples A given a particular estimate I of the underlying probability distribution generating that data. A multivariate normal distribution is assumed for p ( A / I ). A Gaussian or multivariate normal distribution is characterized by its mean value vector μ and its covariance matrix Σ and has the distribution function, 1 1 T 1 f ( μ, Σ) = exp{ 2 ( X μ) Σ ( X μ)} (2) p 1/ 2 (2π ) Σ Here X is a p dimensional pattern vector of real valued attributes The discriminant function g i (X) can be derived by using the equations (1) and (2). 1 1 T 1 gi ( X ) = ln Σ ( X μ ) Σ ( X μ) ln p( I ) The values of g i (X ) can distinguish the intrusions from the normal events. 12
13 5 EXPERIMENTAL RESULTS AND DISCUSSION To evaluate the system, two major indicators of performances are chosen. - Detection rate - False positive rate Detection rate is defined as the number of intrusion instances detected by the system divided by the total number of intrusion instances present in the test set. The false positive rate is defined as the total number of instances that were wrongly detected as intrusions divided by the total number of normal instances. These are good measures of performances since they measure what percentage of intrusions the system is able to detect and how many incorrect classifications it makes in the process. The System was evaluated against the MIT_LL DARPA 1999 Data set and the results are given in the Table 1 below. Attack Name Tools/Data set used Count Detection using different Techniques Probabilistic (Bayesian Classifier) Statistical (Hotelliing's Hypothesis) Statistical (Mean ± 2*SD) ping flood ping tool DoS attack ddos open source tool TCP RST attack neti open source code TCP Syn flood attack neti open source code UDP attack neti open source code X mas scan nmap tool NTinfoscan MIT_LL DARPA 1999 Data set(2nd week) pod " " back '' " httptunnel " " land " "
14 secret " " portsweep " " eject " " mailbomb " " ipsweep " " satan " " neptune " " Total Detection Accuracy(%) Total Alerts generated No. of Attacks missed False Positive rate(%) False Negative rate(%) positive prediction rate(%) Table 1. Experimental results Table 2. given below shows the results obtained by Daniel Barbara et al using pseudo-bayes estimators [6] Table 2. Experimental results on MIT_LL DARPA 1999 Data set. Source: 14
15 5.1 DISCUSSION The experiment clearly revealed that the Bayesian classification method gives better detection rate and less false positives in detecting the intrusions among the three techniques used in the project. The detection accuracy of 84 % is achieved using the Bayesian method with the false positive rate of 4.6%. Hotelling s statistical method gave a hit rate of 81% at 6.2% false positive rate. The performance metrics for statistical Moments(mean and standard deviation) model yielded hit rate of 78% while the false positive rate was 13%. The comparative analysis with the previous works also reveals that the Bayesian approach is a superior technique. 5.2 CONCLUSION Network Intrusion Detection System has a major role to play in safeguarding the network resources against various kinds of attacks. With the advent of new vulnerabilities and sophistications in the nature of attacks, new techniques for intrusion detection have evolved. The main objectives of the research being increasing the detection accuracy while keeping the false positive rate low. In the present framework of project, discussed the design and development of Anomaly based intrusion Detection system which is built on top of a existing open source signature based network IDS, called SNORT so to have both the analysis techniques in a single package. The system is trained for more than four weeks to learn the profile of the target network. It is also exposed to the simulated network intrusions using DARPA intrusion detection data set 1999 and other open source tools for more than three weeks. The thesis presented three techniques for detecting anomaly based intrusions at the network level. They are evaluated with the DARPA IDS evaluation Data sets and the results are compared. Bayesian approach proved to be a better solution than the Hotelling s Multivariate technique and the method of Statistical Moments. Presently, the work caters only to identify the events into normal and attack classes. It can be extended to detect and classify the attacks into multiple attack classes. Dynamic updation of the Anomaly Model using Bayesian Network can also be considered for future enhancement. 15
16 6 BIBLIOGRAPHY [1]. R.Coolen, Intrusion Detection: Generics and State of the Art, RTO Technical Report 49, [2]. Martin Roesch : Snort Documents, [3]. DARPA Intrusion Detection Evaluation, Data Sets and Documentation, _1999.html [4]. D. Barbar a and S. Jajodia and N. Wu and B. Speegle,, The ADAM project, [5]. M. Mahoney and P. Chan,. PHAD: Packet header anomaly detection for identifying hostile network traffic, Technical report, Florida Tech., technical report CS , April 2001, [6]. Daniel Barbara, Ningning Wu and Sushil Jajodia : Detecting Novel Network Intrusions Using Bayes Estimators, 29.pdf [7]. Mahoney, M., P. K. Chan, "Learning Models of Network Traffic for Detectin Novel Attacks",Florida Tech. technical report , [8]. Jack Koziol, Intrusion Detection with Snort, Pearson publications, 2003 [9]. R. Dan Reid & Nada R. Sanders : Operations Management, 3 rd Edition Wiley,2007 [10]. Ye, N., Li, X., Chen, Q., Emran, S. M., and Xu, M. Probabilistic Techniques for Intrusion Detection Based on Computer Audit Data, IEEE Transactions on Systems,Man, and Cybernetics, vol. 31(4), pp , July [11]. R. Puttini, Z. Marrakchi, and L. Me. Bayesian Classification Model for Real-Time Intrusion Detection, in 22th International Workshop on Bayesian Inference and Maximum Entropy Methods in Science and Engineering, [12]. Petar Cisar, Sanja Maravic Cisar, Quality Control in Function of Statistical Anomaly Detection in Intrusion Detection Systems, SISY th Serbian- Hungarian Joint Symposium on Intelligent Systems 16
CSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 19: Intrusion Detection Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Intruders Intrusion detection host-based network-based
More informationMeans for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content
Intrusion Detection INFO404 - Lecture 13 21.04.2009 nfoukia@infoscience.otago.ac.nz Content Definition Network vs. Host IDS Misuse vs. Behavior Based IDS Means for Intrusion Detection Definitions (1) Intrusion:
More informationOverview Intrusion Detection Systems and Practices
Overview Intrusion Detection Systems and Practices Chapter 13 Lecturer: Pei-yih Ting Intrusion Detection Concepts Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy
More informationAlfonso Valdes Keith Skinner SRI International
Adaptive, Model-Based Monitoring And Threat Detection Alfonso Valdes Keith Skinner SRI International http://www.sdl.sri.com/emerald/adaptbn-paper/adaptbn.html 2 Outline Objectives Approach Bayes net models
More informationImplementation of Signature-based Detection System using Snort in Windows
Implementation of Signature-based Detection System using Snort in Windows Prerika Agarwal Sangita Satapathy Ajay Kumar Garg Engineering College, Ghaziabad Abstract: Threats of attacks are increasing day
More informationBasic Concepts in Intrusion Detection
Technology Technical Information Services Security Engineering Roma, L Università Roma Tor Vergata, 23 Aprile 2007 Basic Concepts in Intrusion Detection JOVAN GOLIĆ Outline 2 Introduction Classification
More informationImproving the Database Logging Performance of the Snort Network Intrusion Detection Sensor
-0- Improving the Database Logging Performance of the Snort Network Intrusion Detection Sensor Lambert Schaelicke, Matthew R. Geiger, Curt J. Freeland Department of Computer Science and Engineering University
More informationMultivariate Correlation Analysis based detection of DOS with Tracebacking
1 Multivariate Correlation Analysis based detection of DOS with Tracebacking Jasheeda P Student Department of CSE Kathir College of Engineering Coimbatore jashi108@gmail.com T.K.P.Rajagopal Associate Professor
More informationIntrusion Detection and Malware Analysis
Intrusion Detection and Malware Analysis Anomaly-based IDS Pavel Laskov Wilhelm Schickard Institute for Computer Science Taxonomy of anomaly-based IDS Features: Packet headers Byte streams Syntactic events
More informationNetwork Traffic Anomaly Detection Based on Packet Bytes ABSTRACT Bugs in the attack. Evasion. 1. INTRODUCTION User Behavior. 2.
Network Traffic Anomaly Detection Based on Packet Bytes Matthew V. Mahoney Florida Institute of Technology Technical Report CS-2002-13 mmahoney@cs.fit.edu ABSTRACT Hostile network traffic is often "different"
More informationApplication Protocol Breakdown
Snort 2.0: Protocol Flow Analyzer Authors: Daniel Roelker Sourcefire Inc. Marc Norton Sourcefire Inc. Abstract The Snort 2.0 Protocol Flow Analyzer
More informationHybrid Modular Approach for Anomaly Detection
Hybrid Modular Approach for Anomaly Detection A.Laxmi Kanth Associate Professor, M.Tech (IT) Sri Indu College of Engineering & Technology, Sheriguda, IBP. Suresh Yadav Assistant Professor, (M.Tech),B.Tech,
More informationA SYSTEM FOR DETECTION AND PRVENTION OF PATH BASED DENIAL OF SERVICE ATTACK
A SYSTEM FOR DETECTION AND PRVENTION OF PATH BASED DENIAL OF SERVICE ATTACK P.Priya 1, S.Tamilvanan 2 1 M.E-Computer Science and Engineering Student, Bharathidasan Engineering College, Nattrampalli. 2
More informationReview on Data Mining Techniques for Intrusion Detection System
Review on Data Mining Techniques for Intrusion Detection System Sandeep D 1, M. S. Chaudhari 2 Research Scholar, Dept. of Computer Science, P.B.C.E, Nagpur, India 1 HoD, Dept. of Computer Science, P.B.C.E,
More informationEnhanced Multivariate Correlation Analysis (MCA) Based Denialof-Service
International Journal of Computer Science & Mechatronics A peer reviewed International Journal Article Available online www.ijcsm.in smsamspublications.com Vol.1.Issue 2. 2015 Enhanced Multivariate Correlation
More informationImproved Detection of Low-Profile Probes and Denial-of-Service Attacks*
Improved Detection of Low-Profile Probes and Denial-of-Service Attacks* William W. Streilein Rob K. Cunningham, Seth E. Webster Workshop on Statistical and Machine Learning Techniques in Computer Intrusion
More informationANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS
ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS Saulius Grusnys, Ingrida Lagzdinyte Kaunas University of Technology, Department of Computer Networks, Studentu 50,
More informationCS Review. Prof. Clarkson Spring 2017
CS 5430 Review Prof. Clarkson Spring 2017 Recall: Audit logs Recording: what to log what not to log how to log locally remotely how to protect the log Reviewing: manual exploration automated analysis MANUAL
More informationDenial of Service (DoS) Attack Detection by Using Fuzzy Logic over Network Flows
Denial of Service (DoS) Attack Detection by Using Fuzzy Logic over Network Flows S. Farzaneh Tabatabaei 1, Mazleena Salleh 2, MohammadReza Abbasy 3 and MohammadReza NajafTorkaman 4 Faculty of Computer
More informationINTRUSION DETECTION WITH TREE-BASED DATA MINING CLASSIFICATION TECHNIQUES BY USING KDD DATASET
INTRUSION DETECTION WITH TREE-BASED DATA MINING CLASSIFICATION TECHNIQUES BY USING KDD DATASET Bilal Ahmad Department of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics,
More information2. INTRUDER DETECTION SYSTEMS
1. INTRODUCTION It is apparent that information technology is the backbone of many organizations, small or big. Since they depend on information technology to drive their business forward, issues regarding
More informationIntrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng
Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Internet Security Mechanisms Prevent: Firewall, IPsec, SSL Detect: Intrusion Detection Survive/ Response:
More informationAnomaly Intrusion Detection System Using Hierarchical Gaussian Mixture Model
264 IJCSNS International Journal of Computer Science and Network Security, VOL.8 No.8, August 2008 Anomaly Intrusion Detection System Using Hierarchical Gaussian Mixture Model M. Bahrololum and M. Khaleghi
More informationIntrusion Detection Systems Overview
Intrusion Detection Systems Overview Chris Figueroa East Carolina University figueroac13@ecu.edu Abstract Modern intrusion detection systems provide a first line of defense against attackers for organizations.
More informationBig Data Analytics for Host Misbehavior Detection
Big Data Analytics for Host Misbehavior Detection Miguel Pupo Correia joint work with Daniel Gonçalves, João Bota (Vodafone PT) 2016 European Security Conference June 2016 Motivation Networks are complex,
More informationCE Advanced Network Security
CE 817 - Advanced Network Security Lecture 5 Mehdi Kharrazi Department of Computer Engineering Sharif University of Technology Acknowledgments: Some of the slides are fully or partially obtained from other
More informationIntrusion Detection - Snort. Network Security Workshop April 2017 Bali Indonesia
Intrusion Detection - Snort Network Security Workshop 25-27 April 2017 Bali Indonesia Issue Date: [31-12-2015] Revision: [V.1] Sometimes, Defenses Fail Our defenses aren t perfect Patches weren t applied
More informationPacket Header Anomaly Detection Using Bayesian Belief Network
26 ECTI TRANSACTIONS ON COMPUTER AND INFORMATION TECHNOLOGY VOL.3, NO.1 MAY 2007 Packet Header Anomaly Detection Using Bayesian Belief Network Mongkhon Thakong 1 and Satra Wongthanavasu 2, Non-members
More informationNetwork Traffic Measurements and Analysis
DEIB - Politecnico di Milano Fall, 2017 Introduction Often, we have only a set of features x = x 1, x 2,, x n, but no associated response y. Therefore we are not interested in prediction nor classification,
More informationDetecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0
Detecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0 April 9, 2012 Introduction One of the earliest indicators of an impending network attack is the presence of network reconnaissance.
More informationINTRUSION DETECTION SYSTEM USING BIG DATA FRAMEWORK
INTRUSION DETECTION SYSTEM USING BIG DATA FRAMEWORK Abinesh Kamal K. U. and Shiju Sathyadevan Amrita Center for Cyber Security Systems and Networks, Amrita School of Engineering, Amritapuri, Amrita Vishwa
More informationPyrite or gold? It takes more than a pick and shovel
Pyrite or gold? It takes more than a pick and shovel SEI/CERT -CyLab Carnegie Mellon University 20 August 2004 John McHugh, and a cast of thousands Pyrite or Gold? Failed promises Data mining and machine
More informationNetwork Intrusion Detection and Mitigation Against Denial of Service Attack
University of Pennsylvania ScholarlyCommons Technical Reports (CIS) Department of Computer & Information Science 1-1-2013 Network Intrusion Detection and Mitigation Against Denial of Service Attack Dong
More informationDistributed Denial of Service (DDoS)
Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare (adwait@wpi.edu) Suvesh Pratapa (suveshp@wpi.edu) Modified by
More informationAnomaly Detection of Network Traffic Based on Analytical Discrete Wavelet Transform. Author : Marius SALAGEAN, Ioana FIROIU 10 JUNE /06/10
Anomaly Detection of Network Traffic Based on Analytical Discrete Transform Author : Marius SALAGEAN, Ioana FIROIU 10 JUNE 2010 1 10/06/10 Introduction MAIN OBJECTIVES : -a new detection mechanism of network
More informationModeling Intrusion Detection Systems With Machine Learning And Selected Attributes
Modeling Intrusion Detection Systems With Machine Learning And Selected Attributes Thaksen J. Parvat USET G.G.S.Indratrastha University Dwarka, New Delhi 78 pthaksen.sit@sinhgad.edu Abstract Intrusion
More informationintelop Stealth IPS false Positive
There is a wide variety of network traffic. Servers can be using different operating systems, an FTP server application used in the demilitarized zone (DMZ) can be different from the one used in the corporate
More informationConfiguring attack detection and prevention 1
Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack
More informationTable of Contents...2 Abstract...3 Protocol Flow Analyzer...3
TABLE OF CONTENTS Table of Contents...2 Abstract...3 Protocol Flow Analyzer...3 What is a Protocol Flow?...3 Protocol Flow Analysis...3 Benefits of Protocol Flow Analysis...4 HTTP Flow Analyzer Overview...4
More informationIntrusion Detection Using Data Mining Technique (Classification)
Intrusion Detection Using Data Mining Technique (Classification) Dr.D.Aruna Kumari Phd 1 N.Tejeswani 2 G.Sravani 3 R.Phani Krishna 4 1 Associative professor, K L University,Guntur(dt), 2 B.Tech(1V/1V),ECM,
More informationAnomaly Detection in Communication Networks
Anomaly Detection in Communication Networks Prof. D. J. Parish High Speed networks Group Department of Electronic and Electrical Engineering D.J.Parish@lboro.ac.uk Loughborough University Overview u u
More informationTowards Traffic Anomaly Detection via Reinforcement Learning and Data Flow
Towards Traffic Anomaly Detection via Reinforcement Learning and Data Flow Arturo Servin Computer Science, University of York aservin@cs.york.ac.uk Abstract. Protection of computer networks against security
More informationNETWORK TRAFFIC ANALYSIS - A DIFFERENT APPROACH USING INCOMING AND OUTGOING TRAFFIC DIFFERENCES
NETWORK TRAFFIC ANALYSIS - A DIFFERENT APPROACH USING INCOMING AND OUTGOING TRAFFIC DIFFERENCES RENATO PREIGSCHADT DE AZEVEDO, DOUGLAS CAMARGO FOSTER, RAUL CERETTA NUNES, ALICE KOZAKEVICIUS Universidade
More informationNetwork Security. Chapter 0. Attacks and Attack Detection
Network Security Chapter 0 Attacks and Attack Detection 1 Attacks and Attack Detection Have you ever been attacked (in the IT security sense)? What kind of attacks do you know? 2 What can happen? Part
More informationCOMPARISON OF THE ACCURACY OF BIVARIATE REGRESSION AND BOX PLOT ANALYSIS IN DETECTING DDOS ATTACKS
International Journal of Electronics and Communication Engineering & Technology (IJECET) Volume 6, Issue 12, Dec 2015, pp. 43-48, Article ID: IJECET_06_12_007 Available online at http://www.iaeme.com/ijecetissues.asp?jtype=ijecet&vtype=6&itype=12
More informationConfiguring attack detection and prevention 1
Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack
More informationDetecting Anomalies in Network Traffic Using Maximum Entropy Estimation
Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation Yu Gu, Andrew McCallum, Don Towsley Department of Computer Science, University of Massachusetts, Amherst, MA 01003 Abstract We develop
More informationCS419 Spring Computer Security. Vinod Ganapathy Lecture 13. Chapter 6: Intrusion Detection
CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 13 Chapter 6: Intrusion Detection Security Intrusion & Detection Security Intrusion a security event, or combination of multiple security events,
More informationIntrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis
Intrusion Detection Overview Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 22-1 1. Intruders 2. Intrusion
More informationActivating Intrusion Prevention Service
Activating Intrusion Prevention Service Intrusion Prevention Service Overview Configuring Intrusion Prevention Service Intrusion Prevention Service Overview Intrusion Prevention Service (IPS) delivers
More informationSelecting Features for Intrusion Detection: A Feature Relevance Analysis on KDD 99 Intrusion Detection Datasets
Selecting Features for Intrusion Detection: A Feature Relevance Analysis on KDD 99 Intrusion Detection Datasets H. Günes Kayacık, A. Nur Zincir-Heywood, Malcolm I. Heywood Dalhousie University, Faculty
More informationA Network Intrusion Detection System Architecture Based on Snort and. Computational Intelligence
2nd International Conference on Electronics, Network and Computer Engineering (ICENCE 206) A Network Intrusion Detection System Architecture Based on Snort and Computational Intelligence Tao Liu, a, Da
More informationCooperative Anomaly and Intrusion Detection for Alert Correlation in Networked Computing Systems
Cooperative Anomaly and Intrusion Detection for Alert Correlation in Networked Computing Systems Kai Hwang, Fellow IEEE, Hua Liu, Student Member and Ying Chen, Student Member Abstract: Network-centric
More informationMeasuring Intrusion Detection Capability: An Information- Theoretic Approach
Measuring Intrusion Detection Capability: An Information- Theoretic Approach Guofei Gu, Prahlad Fogla, David Dagon, Wenke Lee Georgia Tech Boris Skoric Philips Research Lab Outline Motivation Problem Why
More informationFuzzy Intrusion Detection
Fuzzy Intrusion Detection John E. Dickerson, Jukka Juslin, Ourania Koukousoula, Julie A. Dickerson Electrical and Computer Engineering Department Iowa State University Ames, IA, USA {jedicker,juslin,koukouso,julied}@iastate.edu
More informationInternet Threat Detection System Using Bayesian Estimation
Internet Threat Detection System Using Bayesian Estimation Masaki Ishiguro 1 Hironobu Suzuki 2 Ichiro Murase 1 Hiroyuki Ohno 3 Abstract. We present an Internet security threat detection system 4 using
More informationStochastic Analysis of Horizontal IP Scanning
Stochastic Analysis of Horizontal IP Scanning Derek Leonard, Zhongmei Yao,, Xiaoming Wang, and Dmitri Loguinov Internet Research Lab Department of Computer Science and Engineering Texas A&M University
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition. Chapter 9 Performing Vulnerability Assessments
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments Objectives Define risk and risk management Describe the components of risk management List
More informationANOMALY DETECTION IN COMMUNICTION NETWORKS
Anomaly Detection Summer School Lecture 2014 ANOMALY DETECTION IN COMMUNICTION NETWORKS Prof. D.J.Parish and Francisco Aparicio-Navarro Loughborough University (School of Electronic, Electrical and Systems
More informationFlow-based Anomaly Intrusion Detection System Using Neural Network
Flow-based Anomaly Intrusion Detection System Using Neural Network tational power to analyze only the basic characteristics of network flow, so as to Intrusion Detection systems (KBIDES) classify the data
More informationRaj Jain. Washington University in St. Louis
Intrusion Detection Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationMcPAD and HMM-Web: two different approaches for the detection of attacks against Web applications
McPAD and HMM-Web: two different approaches for the detection of attacks against Web applications Davide Ariu, Igino Corona, Giorgio Giacinto, Fabio Roli University of Cagliari, Dept. of Electrical and
More informationInternational Journal of Scientific & Engineering Research, Volume 4, Issue 7, July-2013 ISSN
1 Review: Boosting Classifiers For Intrusion Detection Richa Rawat, Anurag Jain ABSTRACT Network and host intrusion detection systems monitor malicious activities and the management station is a technique
More informationBayesian Learning Networks Approach to Cybercrime Detection
Bayesian Learning Networks Approach to Cybercrime Detection N S ABOUZAKHAR, A GANI and G MANSON The Centre for Mobile Communications Research (C4MCR), University of Sheffield, Sheffield Regent Court, 211
More informationWeek Date Teaching Attended 5 Feb 2013 Lab 7: Snort IDS Rule Development
Weekly Tasks Week 5 Rich Macfarlane 2013 Week Date Teaching Attended 5 Feb 2013 Lab 7: Snort IDS Rule Development Aim: The aim of these labs are to further investigate the Snort, network IDS, and methods
More informationFlow-based Worm Detection using Correlated Honeypot Logs
Flow-based Worm Detection using Correlated Honeypot Logs Falko Dressler, Wolfgang Jaegers, and Reinhard German Computer Networks and Communication Systems, University of Erlangen, Martensstr. 3, 91058
More informationHSNORT: A Hybrid Intrusion Detection System using Artificial Intelligence with Snort
HSNORT: A Hybrid Intrusion Detection System using Artificial Intelligence with Snort Divya Asst. Prof. in CSE Department Haryana Institute of Technology, India Surender Lakra Asst. Prof. in CSE Department
More informationIntrusion Detection System
Intrusion Detection System Marmagna Desai March 12, 2004 Abstract This report is meant to understand the need, architecture and approaches adopted for building Intrusion Detection System. In recent years
More informationDDoS Attacks Classification using Numeric Attribute-based Gaussian Naive Bayes
DDoS Attacks Classification using Numeric Attribute-based Gaussian Naive Bayes Abdul Fadlil Department of Electrical Engineering Ahmad Dahlan University Yogyakarta, Indonesia Imam Riadi Department of Information
More informationIntroduction Challenges with using ML Guidelines for using ML Conclusions
Introduction Challenges with using ML Guidelines for using ML Conclusions Misuse detection Exact descriptions of known bad behavior Anomaly detection Deviations from profiles of normal behavior First proposed
More informationIntrusion Detection Systems
Intrusion Detection Systems Dr. Ahmad Almulhem Computer Engineering Department, KFUPM Spring 2008 Ahmad Almulhem - Network Security Engineering - 2008 1 / 15 Outline 1 Introduction Overview History 2 Types
More informationMahalanobis Distance Map Approach for Anomaly Detection
Edith Cowan University Research Online Australian Information Security Management Conference Conferences, Symposia and Campus Events 2010 Mahalanobis Distance Map Approach for Anomaly Detection Aruna Jamdagnil
More informationCollaborative Intrusion Detection System : A Framework for Accurate and Efficient IDS. Outline
Collaborative Intrusion Detection System : A Framework for Accurate and Efficient IDS Yu-Sung Wu, Bingrui Foo, Yongguo Mei, Saurabh Bagchi Dependable Computing Systems Lab School of Electrical and Computer
More informationIntrusion Detection - Snort
Intrusion Detection - Snort 1 Sometimes, Defenses Fail Our defenses aren t perfect Patches aren t applied promptly enough AV signatures not always up to date 0-days get through Someone brings in an infected
More informationA senior design project on network security
Michigan Technological University Digital Commons @ Michigan Tech School of Business and Economics Publications School of Business and Economics Fall 2007 A senior design project on network security Yu
More informationCSE543 - Computer and Network Security Module: Intrusion Detection
CSE543 - Computer and Network Security Module: Intrusion Detection Professor Trent Jaeger 1 Intrusion An authorized action... that exploits a vulnerability... that causes a compromise... and thus a successful
More informationIJSER. Virtualization Intrusion Detection System in Cloud Environment Ku.Rupali D. Wankhade. Department of Computer Science and Technology
ISSN 2229-5518 321 Virtualization Intrusion Detection System in Cloud Environment Ku.Rupali D. Wankhade. Department of Computer Science and Technology Abstract - Nowadays all are working with cloud Environment(cloud
More informationEXPERIMENTAL STUDY OF FLOOD TYPE DISTRIBUTED DENIAL-OF- SERVICE ATTACK IN SOFTWARE DEFINED NETWORKING (SDN) BASED ON FLOW BEHAVIORS
EXPERIMENTAL STUDY OF FLOOD TYPE DISTRIBUTED DENIAL-OF- SERVICE ATTACK IN SOFTWARE DEFINED NETWORKING (SDN) BASED ON FLOW BEHAVIORS Andry Putra Fajar and Tito Waluyo Purboyo Faculty of Electrical Engineering,
More informationOSSIM Fast Guide
----------------- OSSIM Fast Guide ----------------- February 8, 2004 Julio Casal http://www.ossim.net WHAT IS OSSIM? In three phrases: - VERIFICATION may be OSSIM s most valuable contribution
More informationCertified Snort Professional VS-1148
VS-1148 Certified Snort Professional Certification Code VS-1148 Vskills certification for Snort Professional assesses the candidate as per the company s need for network security and assessment. The certification
More informationCSE543 - Computer and Network Security Module: Intrusion Detection
CSE543 - Computer and Network Security Module: Intrusion Detection Professor Trent Jaeger CMPSC443 - Introduction to Computer and Network Security 1 2 Intrusion An authorized action... that exploits a
More informationDenial of Service and Distributed Denial of Service Attacks
Denial of Service and Distributed Denial of Service Attacks Objectives: 1. To understand denial of service and distributed denial of service. 2. To take a glance about DoS techniques. Distributed denial
More informationCS395/495 Computer Security Project #2
CS395/495 Computer Security Project #2 Important Dates Out: 1/19/2005 Due: 2/15/2005 11:59pm Winter 2005 Project Overview Intrusion Detection System (IDS) is a common tool to detect the malicious activity
More informationSCP SC Network Defense and Countermeasures (NDC) Exam.
SCP SC0-402 Network Defense and Countermeasures (NDC) Exam TYPE: DEMO http://www.examskey.com/sc0-402.html Examskey SCP SC0-402 exam demo product is here for you to test the quality of the product. This
More informationProCurve Network Immunity
ProCurve Network Immunity Hans-Jörg Elias Key Account Manager hans-joerg.elias@hp.com 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
More informationA Software Tool for Network Intrusion Detection
A Software Tool for Network Intrusion Detection 4th Biennial Conference Presented by: Christiaan van der Walt Date:October 2012 Presentation Outline Need for intrusion detection systems Overview of attacks
More informationCombining Cross-Correlation and Fuzzy Classification to Detect Distributed Denial-of-Service Attacks*
Combining Cross-Correlation and Fuzzy Classification to Detect Distributed Denial-of-Service Attacks* Wei Wei 1, Yabo Dong 1, Dongming Lu 1, and Guang Jin 2 1 College of Compute Science and Technology,
More informationUMSSIA INTRUSION DETECTION
UMSSIA INTRUSION DETECTION INTRUSION DETECTION Sensor1 Event1, Event2 Monitor No intrusion M SensorN Event1, Event2 Alarm! IDS CHARACTERISTICS Characteristics an IDS can be classified/evaluated by: Type
More informationIntrusion Detection Systems and Network Security
Intrusion Detection Systems and Network Security Chapter 13 Background A layered network security approach starts with a well-secured system: Up-to-date application and operating system patches. Well-chosen
More informationFlowzilla: A Methodology for Detecting Data Transfer Anomalies in Research Networks. Anna Giannakou, Daniel Gunter, Sean Peisert
Flowzilla: A Methodology for Detecting Data Transfer Anomalies in Research Networks Anna Giannakou, Daniel Gunter, Sean Peisert Research Networks Scientific applications that process large amounts of data
More informationNetwork Security. Thierry Sans
Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability
More informationAN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM
1 AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM 2 Introduction (1/2) TCP provides a full duplex reliable stream connection between two end points A connection is uniquely defined by the quadruple
More informationMechanisms for Database Intrusion Detection and Response. Michael Sintim - Koree SE 521 March 6, 2013.
Mechanisms for Database Intrusion Detection and Response Michael Sintim - Koree SE 521 March 6, 2013. Article Title: Mechanisms for Database Intrusion Detection and Response Authors: Ashish Kamra, Elisa
More informationIntrusion Detection - Snort
Intrusion Detection - Snort Network Security Workshop 3-5 October 2017 Port Moresby, Papua New Guinea 1 Sometimes, Defenses Fail Our defenses aren t perfect Patches aren t applied promptly enough AV signatures
More informationIntruders. significant issue for networked systems is hostile or unwanted access either via network or local can identify classes of intruders:
Intruders significant issue for networked systems is hostile or unwanted access either via network or local can identify classes of intruders: masquerader misfeasor clandestine user varying levels of competence
More informationCLASSIFICATION WITH RADIAL BASIS AND PROBABILISTIC NEURAL NETWORKS
CLASSIFICATION WITH RADIAL BASIS AND PROBABILISTIC NEURAL NETWORKS CHAPTER 4 CLASSIFICATION WITH RADIAL BASIS AND PROBABILISTIC NEURAL NETWORKS 4.1 Introduction Optical character recognition is one of
More informationDeveloping the Sensor Capability in Cyber Security
Developing the Sensor Capability in Cyber Security Tero Kokkonen, Ph.D. +358504385317 tero.kokkonen@jamk.fi JYVSECTEC JYVSECTEC - Jyväskylä Security Technology - is the cyber security research, development
More informationA Two-Layered Anomaly Detection Technique based on Multi-modal Flow Behavior Models
A Two-Layered Anomaly Detection Technique based on Multi-modal Flow Behavior Models Marc Ph. Stoecklin Jean-Yves Le Boudec Andreas Kind
More informationCHAPTER V KDD CUP 99 DATASET. With the widespread use of computer networks, the number of attacks has grown
CHAPTER V KDD CUP 99 DATASET With the widespread use of computer networks, the number of attacks has grown extensively, and many new hacking tools and intrusive methods have appeared. Using an intrusion
More informationChapter 7. Network Intrusion Detection and Analysis. SeoulTech UCS Lab (Daming Wu)
SeoulTech UCS Lab Chapter 7 Network Intrusion Detection and Analysis 2015. 11. 3 (Daming Wu) Email: wdm1517@gmail.com Copyright c 2015 by USC Lab All Rights Reserved. Table of Contents 7.1 Why Investigate
More information