A Multi-Stage Network Anomaly Detection Method for Improving Efficiency and Accuracy
|
|
- Camron Cook
- 6 years ago
- Views:
Transcription
1 Journal o Inormation Security, 2012, 3, Published Online January 2012 ( A Multi-Stage Network Anomaly Detection Method or Improving Eiciency and Accuracy Yuji Waizumi, Hiroshi Tsunoda, Masashi Tsuji, Yoshiaki Nemoto Graduate School o Inormation Sciences (GSIS), Tohoku University, Miyagi, Japan wai@ecei.tohoku.ac.jp Received September 29, 2011; revised October 27, 2011; accepted November 10, 2011 ABSTRACT Because o an explosive growth o the intrusions, necessity o anomaly-based Intrusion Detection Systems (IDSs) which are capable o detecting novel attacks, is increasing. Among those systems, low-based detection systems which use a series o packets exchanged between two terminals as a unit o observation, have an advantage o being able to detect anomaly which is included in only some speciic sessions. However, in large-scale networks where a large number o communications takes place, analyzing every low is not practical. On the other hand, a timeslot-based detection systems need not to prepare a number o buers although it is diicult to speciy anomaly communications. In this paper, we propose a multi-stage anomaly detection system which is combination o timeslot-based and low-based detectors. The proposed system can reduce the number o lows which need to be subjected to low-based analysis but yet exhibits high detection accuracy. Through experiments using data set, we present the eectiveness o the proposed method. Keywords: Network Anomaly Detection; Timeslot-Based Analysis; Flow-Based Analysis; Multi-Stage Traic Analysis; Flow Reduction 1. Introduction In recent years, intrusions such as worms and denial o service attack have become a major threat to the Internet. In particular, novel intrusions such as novel worms and zero-day attacks are increasing and are responsible or a big damage to the Internet. For detecting intrusions, Network Intrusion Detection Systems (NIDSs) have gained attention. NIDSs are classiied into misuse detection system and anomaly detection system. In misuse detection systems such as Snort [1], intrusions are detected by matching signatures which are prepared manually in advance. They are highly popular in network security because they exhibit higher detection accuracy and generate ewer alse positives or known intrusions than anomaly detection systems. However, developing signatures is cumbersome and time-consuming task because they have to be made by security experts manually. Thereore, novel intrusions can cause a signiicant damage to the Internet beore signatures are developed. On the other hand, anomaly detection systems such as NIDES [2] and ADAM [3] can detect unknown intrusions. This is because these methods detect intrusions based on the deviation rom the normal behavior, and thus do not require a pre-hand knowledge o intrusions. However, these methods tend to generate more alse positives than signature base IDSs. Although a lot o researchers carried out to increase the detection accuracy, still higher detection accuracy is demanded. Thereore, we ocus our research on anomaly detection systems. In anomaly detection systems, network traic is analyzed using observation units such as timeslot and low. A timeslot-based detection has an advantage o being able to detect network anomaly states eectively. On the other hand, the low-based analysis is capable o examining each communication in a more detail orm. Our group has proposed a combination o timeslot-based and low-based detections and shown its eectiveness [4]. However, in a low-based analysis, a large number o buers have to be prepared. Analyzing all lows o network traic is not realistic, and the buer size can be vulnerability to Denial o Service (DoS) attacks because all low analysis can result in a buer overlow. In this paper, we propose a high accuracy multi-stage anomaly detection system which can reduce the number o lows necessary to be analyzed. The proposed system consists o two detection stages. The irst stage is a timeslot-based detector which picks up lows need to be analyzed by low-based detector in detail. It then inspects only these suspicious lows in the second stage, thus, computational load and buer size to analyze lows can
2 Y. WAIZUMI ET AL. 19 be reduced. The remainder o this paper is organized as ollows. Section 2 explains timeslot-based and low-based analyses, and mentions issues in a combination o these analyses. In Section 3, we proposed a multi-stage anomaly detection system. Evaluation o the proposed system is presented in Section 4. Finally, Section 5 concludes this paper. 2. Combination o Timeslot-Based and Flow-Based Analyses Anomaly detection systems generally analyze traic in observation units such as timeslots and lows. In this section, we explain these units or the intrusion detection and introduce a conventional method which combines the two detectors. Furthermore, issues in the conventional method are also presented Timeslot-Based Analysis Anomaly detection oten uses timeslot-based analysis [4-6]. In this method, the overall traic is separated into timeslots o ixed length and its eatures, which are numerical values representing the network state, are extracted rom traic in the timeslot. It has an advantage o low buer storage since this analysis releases buers ater each timeslot. However, it is diicult or this method to speciy anomalous communication lows Flow-Based Analysis A low is deined as a set o packets which have the same values or the ollowing three header ields. Protocol (TCP/UDP) Source/Destination address pair Source/Destination port pair A TCP low ends with FIN or RST lags and UDP lows are terminated by time-out T u. A low is oten used in anomaly detection [4,7,8]. A low-based analysis method can analyze each bidirectional communication in detail and can speciy each anomalous communication. However, in this analysis, buers must be prepared or every low. The number o buers to be prepared lineally increases with as increase in the number o lows. Thus, this method possesses a risk o buer overlow. Thereore, storage o buers is a bottleneck in the low-based analysis and vulnerability to DoS attacks A Conventional Combination Method Our research group has proposed a combined system using the timeslot-based and the low-based analyses in parallel [4]. Figure 1(a) shows the overview o the conventional system, which we term as a parallel system. Network traic is inputted to both the timeslot-based and the low-based detectors, and is analyzed by each detector. A combination o timeslot-based and low-based detectors can detect intrusions eectively by taking advantage o the merits possessed by both o these methods. Thereore, the combination system is highly accurate in anomaly detection and [4] shows the eectiveness o the parallel system through some experiments using DARPA data set [9]. However, it is still necessary to address the problem o large buer storage in the low-based analysis. For reducing the amount o data to be analyzed by low-based analysis, packet sampling [10-12] and setting short timeouts [13] have been proposed. However, by using the ormer, it is diicult to observe lows which consist o only ew packets, and thus there is a high chance o missing important packets during detection. Since novel worms tend to be ew packets in order to spread as ast as possible [14], such worms are diicult to be sampled. In the latter case, since long traic lows will be split up i its interval o arrival time o packets exceeds the low timeout, the short timeouts causes increasing the number o lows and declining eiciency and accuracy [11]. As a result, we consider that these approaches suer rom lack o inormation or detecting anomalous events and exhibit low detection accuracy. Since packet sampling and setting short timeout diminish data o each low without any regards or evaluating anomaly, it may result in lack o inormation needed to detect anomalous lows. For avoiding lack o inormation, not data o each low but the number o lows should be reduced with appropriate criteria. 3. A Multi-Stage Anomaly Detection System In this section, we propose a multi-stage network anomaly detection system. It uses ewer amount o buer, but yet detects intrusions with high accuracy Outline Figure 1(b) shows the overview o the proposed multistage (a) (b) Figure 1. Overview o parallel system and multi-stage system.
3 20 Y. WAIZUMI ET AL. system. The proposed system consists o timeslotbased detector in the irst stage and low-based detector in the second stage. The role o the irst stage is to exclude lows that can be judged as obvious anomalous or obvious normal. For such lows, detailed analysis by the low-based detector is not needed. By excluding such lows, the proposed method can achieve the both high eiciency and high accuracy in network anomaly detection. Considering the role o the irst stage, we utilize timeslotbased detector in it. In the timeslot-based detector, the anomaly level o a time slot basically depends on the number o anomalous lows. Thereore, i timeslots have extremely high or extremely low degree o anomaly, we can consider lows included in such timeslots as obvious anomalous or normal, respectively. Only lows included in the remaining timeslots need to be analyzed by the low-based analysis. Thereore the proposed system can reduce the number o lows that need to be analyzed by the low-based analysis. The architecture o the proposed system is illustrated in Figure 2. Network traic is input into both the timeslotbased detector and the dump module. The timeslot-based detector analyzes the network traic or each timeslot. Based on the anomaly level o the timeslot, it classiies each slot into three levels which are anomalous, suspicious and normal. Normal slots are excluded rom urther analysis. For anomalous slots, this detector generates alerts to administrators to inorm that anomalous traic is detected. For suspicious slots, inormation needed to aggregate packets to assemble lows, which we term suspicious inormation, is sent to the dump module. This inormation includes start and end times o the suspicious slot, source/destination IP addresses and source/destina- tion port numbers. The role o the dump module is to pick up packets based on the suspicious inormation, and to assemble them into suspicious lows. These lows are sent to the low-based detector. The low-based detector analyzes them and generates alarms i any anomaly is detected. As a result, it is not necessary to analyze lows in normal and anomalous slots. Thereore, the proposed system can reduce the number o lows that need to be stored in a buer. In Sections 3.2 and 3.3, we describe the timeslot-based detector and the low-based detector respectively Timeslot-Based Detector Outline Figure 3 shows the slot classiication carried out by the timeslot-based detector. Firstly, each slot is classiied into either anomalous slot candidate or normal slot by a threshold ( Th ac ). Then the anomaly score o a slot exceeds the threshold ( Th ac ), the slot is regarded as an anomalous slot candidate. Next, the anomalous slot candidates are classiied into anomalous slots or suspicious slots by another threshold ( Th as ). When the anomaly score o an anomalous slot candidate exceeds the threshold (Th as ), this slot is judged as an anomalous slot. For anomalous slots, the timeslot-based detector outputs alerts. For suspicious slots, this detector generates suspicious inormation. For normal slots, this detector outputs nothing. In the end, only the suspicious slots whose anomaly scores in the range rom to are sent to second stage or a detail analysis. It is eective to detect anomaly based on packet header and payload individually [4]. Thereore, the timeslot-based detector has two modules, header-based detection module and payloadbased detection module. Figure 2. Detailed architecture o the proposed system.
4 Y. WAIZUMI ET AL. 21 Figure 3. Slot classiication using two thresholds in timeslotbased detector Header-Based Detection Module The header-based detection module analyzes network traic based on eatures mainly extracted rom the header o each packet included in each timeslot. The eatures (37 types) extracted are as ollows: 1) For all traic. a) Each number o packets o TCP/ UDP/ ICMP (3 types). b) The number o TCP bytes. c) The number o port varieties o TCP. d) Each number o TCP lags (5 types). e) The number o DNS packets. ) The number o ragment packets. g) The number o IP address varieties (each byte, 4 types). 2) For port #21, #22, #23, #25, #80 and #110. a) Each number o TCP lags (3 types). 3) For port #80. a) The maximum number o bytes between delimiter (space/line eed). b) A ratio o the number o message headers per the number o request lines. c) A ratio o the number o packets per the number o clients. These eatures become elements o a eature vector. This detector calculates a projection distances rom a eature vector to the irst principal components using Principal Component Analysis (PCA) and deines the projection distance as the anomaly score o the low rom which the eature vector is extracted. Based on the anomaly score, slots are labeled as anomalous slots, suspicious slots, or normal slots Payload-Based Detection Module The payload-based detection module analyzes network traic by eatures extracted rom payloads o a packet. In the payload-based detection module, packet payloads are divided into 8-bit codes. Appearance and transition probabilities o each code are calculated using training data. Then, we assume that the code sequences in packet payloads o each port generate with Markov process. Hence, the appearance probability o a code sequence x1, x2,, xn in a packet payload is obtained rom Equation (1) 1, 2,, n n n 1 P x x x P x P x x P x x where n is the length o a packet. Anomaly score H or each packet is deined as the measure o inormation o code sequences and are obtained rom Equation (2) because anomalous code sequences occur ew many times. The anomaly o a slot is deined as the maximum value o in that slot (1) H log P x, x,, xn (2) Based on H, slots are labeled as anomalous slots, suspicious slots, or normal slots Output o Timeslot-Based Detector Table 1 summarizes the inal outputs o the timeslot-based detector. When any one o the header-based and the payload-based detection modules label a slot as an anomalous slot, the timeslot-based detector outputs an alert. I header-based or payload-based detection modules label a slot as a suspicious slot, suspicious inormation is generated and sent to the dump module. When one detector labels a slot as an anomalous slot and the other labels a slot as a suspicious slot, the timeslot-based detector outputs both o alert and suspicious inormation. When both header-based and payload-based detection modules label a slot as a normal slot, the timeslot-based detector outputs nothing Flow-Based Detector Outline The timeslot-based detector creates suspicious inormation when a slot is classiied a suspicious slot. The lowbased detector analyzes suspicious lows which are assembled by the dump module using suspicious inormation. This detector classiies suspicious lows into anomalous lows or normal lows. Similar to the timeslot-based detector, the low-based detector consists o two analysis modules: header-based and payload-based detection modules. When any o the header-based and the payload-based detection modules classiies a low as anomalous, the low-based detector outputs an alert. PDM Table 1. Output o the timeslot-based detector. HDM Anomalous Suspicious Anomalous Suspicious Normal Alert Alert & SI Alert Alert & SI SI SI Normal Alert SI - HDM: Header-based Detection Module; PDM: Payload-based Detection Module; SI: Suspicious Inormation.
5 22 Y. WAIZUMI ET AL Header-Based Detection Module The header-based detection module detects anomalous lows using eatures extracted rom packet headers o a low. It analyzes the ollowing eatures (TCP: 19 types, UDP: 7 tyes): 1) For both o TCP and UDP lows. a) The number o packets. b) Inverse o the number o lows which have same port number. c) The number o ragment packets. 2) For TCP lows (only sending packets rom clients). a) Each number o TCP lags (8 types). b) Each number o packets with only a TCP lag (8 types). 3) For UDP lows. a) Each number o sending/receiving packets or clients (2 types). b) Each number o sending/receiving packets or clients (2 types). The projection distance rom a eature vector to the irst principle component is calculated by PCA using these eatures. The projection distances are then used as anomaly scores o lows. I some plural lows which have same source/destination IP addresses are observed in a short period o time, this module regards them as related lows and treats them as one set. Because some attacks, such as scan, consist o plural lows rom single IP address, assembling the related lows can promotes the eiciency o detection. When a low is observed, lows which have the identical IP addresses with and meet the conditions below are regarded as the related lows o t T t t (3) i where denotes a related low, i t and t i are the inish time o low and i, respectively. A parameter T is used to evaluate whether two lows and i are observed in a short period o time. Denoting the anomaly score o and i as a and a i, respectively, the anomaly score o the set o the related lows A can be expressed as: F N 1 A a a (4) F i i 0 where F denotes the set o the related lows and N is the maximum size o buer to store the related lows or evaluating A F. Even i each low o an intrusion has small anomaly score, we can detect such intrusion by evaluating A F. Moreover, i an alert or F is generated, this module does not generate more alerts or successive lows that have same source/destination IP addresses as F during t T. Thus, only one alert is generated or a single intrusion and we can avoid receiving redundant alerts Payload-Based Detection Module For each TCP low, a eature vector consists o 512 eatures which are the 256 codes rom client to server and the 256 codes rom server to client. For others, such as UDP low, the eature vector consists o 256 eatures which are the 256 codes rom client to server. Projection distances rom the eature vector rom the irst principle component are calculated by PCA using these eatures. The low-based detector deines the projection distances as anomaly scores o lows. This analysis is carried out or all TCP lows, port #20, #21, #23, #25 and #80 respectively. 4. Evaluation 4.1. Experimental Environment We use the 1999 DARPA o-line IDS evaluation data set [9] to investigate the number o lows reduced by the timeslot-based detector and to evaluate o detection accuracy. The ollowing inormation o intrusions is given in this data set. Intrusion instants. IP addresses and port numbers o intruders. IP addresses and port numbers o victims. Types o intrusions. This data set consists o network traic o 5 weeks. Week 1 and week 3 (10 days) traic are attack-ree while week 4 and week 5 (10 days) traic include some intrusions. Data o week 1 and week 3 are used or training the detectors o the proposed system, and intrusions included in week 4 and week 5 are the detection targets. In week 4 and week 5, nearly 700,000 TCP and UDP lows are included. Table 2 shows the values o parameters T t, T, u T and N, which are same as the parallel system [4]. A payload-based detection module in timeslot-based detector targets port #21, #25 and #80 on which the payloadbased detection module is able to train eectively as the data set. According to [15], and thresholds o low-based detector are set such that the number o alse positives does Table 2. Values o parameters set in evaluation. Parameter Description Value T t Timeslot Length 60 [sec] T u T N Timeout or Terminating UDP lows Available period o a base low i 600 [sec] 600 [sec] Maximum number o 10
6 Y. WAIZUMI ET AL. 23 not exceed 10 or each day (100 in 10 days). Thresholds o detection module in the proposed system are set as shown in Table 3. The value o Th ac is set as explained in the next subsection Flow Reduction Perormance By using suspicious low ratio per all lows in week 4 and week 5 ( Rs ), and the ratio o detectable intrusions in anomalous slot candidates per all intrusions ( Rac ), we evaluate low reduction eect o the proposed system. A low value o Rs is preerred as it implies that the number o lows which will be analyzed in the low-based detection modules are reduced. High R ac means that many intrusions included in the anomalous slots can be detected by the proposed method. Figure 4 shows changes in Rs with respect to Rac. This graph indicates that the bottom right portion o the line shows a high perormance. Figure 4 shows that Rs is about 40 percent when Rac is about 90 percent. That is to say, it is possible to detect 90 percent intrusions by analyzing merely 40 percent o the total lows. This indicates the proposed system can eectively reduce lows to be analyzed. Note that remained 10 percent intrusions become alse negatives in the proposed method. However, ater investtigating these intrusions, we ind that most o these intrusions cannot detect even by the low-based detector. Since the behavior o these intrusions is almost same as normal communication, it is diicult to detect such intrusions by the already existed timeslot-based and lowbased detector. As a result, we conclude that there can be ew additional alse negatives caused by the proposed method. Thereore, Thac is adjusted so that Rac becomes 90 percent in the next section Intrusion Detection Perormance In this section, the proposed system is evaluated in terms o detection accuracy. Table 4 indicates the number o detected intrusions, the total number o intrusion and detection rate or existing IDSs and the proposed system. As shown in Table 4, the proposed system has higher detection rate than other IDSs except NETAD. The proposed method achieves higher detection rate than the parallel system because the number o alse positives are reduced by the proposed method. When lows are generated by mistaken operation o a user (e.g., access to closed service), these lows have a tendency to be detected by the low-based detector and cause alse positives. In case that some lows are included in normal slots in the proposed method, however, the low-based detector does not need to analyze and detect such lows. This results in reduction o alse positives. Table 3. A limitation number o alse positives or each day set in evaluation or each detector. Timeslot Flow Header Payload Header Payload Table 4. A comparison with other IDSs. IDS Detection rate (detected attacks/detectable attacks) Expert-1 [16] 50.3% (85/169) Expert-2 [17] 46.8% (81/173) Dmine [18] 40.2% (41/102) Forensics [19] 55.6% (15/27) NETAD [20] 71.4% (132/185) Parallel system [4] 60.8% (104/171) Proposed system 68.4% (117/171) Figure 4. Changes in R with respect to s R. ac NETAD indicates higher detection ratio than the proposed system. However, NETAD has some drawbacks in practical situations. It detects intrusions using the appearance number o IP addresses. This causes many alse positives in networks which provide services to any users. Moreover, intruders can easily evade the NETAD s detection because the IP addresses o intruders can be regarded as normal i they can access victims normally beorehand. In this regard, the proposed system can be applied to any networks because it does not use eatures such as IP addresses. Next, NETAD analyzes traic using only the irst ew portion o payloads included in each packet. Thereore, NETAD is not able to detect intrusions which have anomalies the latter hal o packet payloads. On the other hand, the proposed system analyzes all payloads, and can detect these intrusions. Consequently, the proposed system will work well in practical situations.
7 24 Y. WAIZUMI ET AL. 5. Conclusions and Future Works In this paper, we proposed a multi-stage anomaly detection system which is combination o timeslot-based and low-based detectors. To obtain high intrusion detection accuracy, a detection system should analyze each observed low in detail. This low-based analysis, however, needs high computational cost and large buer to store lows. The computational cost and buer size can be vulnerability or DoS attacks. To avoid this potential risk, the proposed system reduces the computational cost and buer size by adopting timeslot-based detection modules, which can work with lower computational cost and smaller buer size, at the stage o prior to low-based detector. In the detection experiment, we demonstrated that the proposed system can reduce the number o lows which needs to be analyzed at the low-based detection modules to 40 percent with high detection accuracy compared with existing intrusion detection systems. Thus, the proposed system can avoid the risk which arises rom the computational cost and buer size with high detection accuracy. But, some lows were classiied as non attack lows at the irst detection stage. This is a potential drawback o the proposed system and a uture work. REFERENCES [1] M. Roesch, Snort-Lightweight Intrusion Detection or Networks, LISA 99 Proceedings o the 13th USENIX Conerence on System Administration, USENIX Association, Berkeley, 7-12 November [2] D. Anderson, T. F. Lunt, H. Javits, A. Tamaru and A. Baldes, Detecting Unusual Program Behavior Using the Statistical Component o the Nextgeneration Intrusion Detection Expert System (NIDES), Computer Science Laboratory SRI-CSL 95-06, May [3] R. Sekar, M. Bendre, D. Dhurjati and P. Bollineni, A Fast Automaton-Based Method or Detecting Anomalous Program Behaviors, Proceedings o the 2001 IEEE Symposium on Security and Privacy, Oakland, [4] Y. Sato, Y. Waizumi and Y. Nemoto, Improving Accuracy o Network-Based Anomaly Detection Using Multiple Detection Modules, Proceedings o IEICE Technical Report, NS , 2004, pp [5] P. Barord, J. Kline, D. Plonka and A. Ron, A Signal Analysis o Network Traic Anomalies, Proceedings o ACM SIGCOMM Internet Measurement Workshop (IMW) 2002, Marseille, November 2002, pp doi: / [6] T. Oikawa, Y. Waizumi, K. Ohta, N. Kato and Y. Nemoto, Network Anomaly Detection Using Statistical Clustering Method, Proceedings o IEICE Technical Report, NS , IN , CS , Oct, 2002 pp [7] Y. Waizumi, D. Kudo, N.Kato and Y. Nemoto, A New Network Anomaly Detection Technique Based on Per- Flow and Per-Service Statistics, Proceedings o International Conerence on Computational Intelligence and Security, Xi an, December 2005, pp [8] A. Lakhina, M. Crovella and C. Diot, Characterization o Network-Wide Anomalies in Traic Flows, Proceedings o the ACM/SIGCOMM Internet Measurement Conerence, Taormina, October 2004, pp [9] DARPA Intrusion Detection Evaluation, MIT Lincoln Labortory, Lincoln, [10] Inmon Corporation, Flow Accuracy and Billing, [11] N. Duield, C. Lund and M. Thorup, Properties and Prediction o Flow Statistics rom Sampled Packet Streams, Proceedings o ACM SIGCOMM Internet Measurement Workshop (IMW), Marseille, 6-8 November doi: / [12] N. Duield, C. Lund and M. Thorup, Flow Sampling under Hard Resource Constraints, Proceedings o ACM SIGMETRICS, New York, June [13] NeFlow, w/index.shtml. [14] P. Akritidis, K. Anagnostakis and E. P. Markatos, Eicient Content-Based Detection o Zero-Day Worms, Proceedings o the International Conerence on Communications (ICC 2005), Seoul, May [15] R. Lippmann, J. W. Haines, D. J. Fried, J. Korba and K. Das, The 1999 DARPA O-Line Intrusion Detection Evaluation, Computer Networks, Vol. 34, No. 4, 2000, pp doi: /s (00) [16] P. Neumann and P. Porras, Experience with EMERALD to DATE, Proceedings o 1st USENIX Workshop on Intrusion Detection and Network Monitoring, Santa Clara, 9-12 April 1999, pp [17] G. Vigna, S. T. Eckmann and R. A. Kemmerer, The STAT Tool Suite, Proceedings o the 2000 DARPA Inormation Survivability Conerence and Exposition (DIS- CEX), Hilton Head, January [18] S. Jajodia, D. Barbara, B. Speegle and N. Wu, Audit Data Analysis and Mining (ADAM), [19] M. Tyson, P. Berry, N. Willams, D. Moran and D. Blei, DERBI: Diagnosis, Explanation and Recovery rom computer Break-Ins, [20] M. Mahoney, Network Traic Anomaly Detection Based on Packet Bytes, Proceedings o ACM-SAC, Melbourne, 9-12 March 2003, pp
Denial of Service (DoS) Attack Detection by Using Fuzzy Logic over Network Flows
Denial of Service (DoS) Attack Detection by Using Fuzzy Logic over Network Flows S. Farzaneh Tabatabaei 1, Mazleena Salleh 2, MohammadReza Abbasy 3 and MohammadReza NajafTorkaman 4 Faculty of Computer
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 19: Intrusion Detection Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Intruders Intrusion detection host-based network-based
More informationTechnical Aspects of Intrusion Detection Techniques
Technical Aspects of Intrusion Detection Techniques Final Year Project 2003-04 Project Plan Version 0.2 28th, November 2003 By Cheung Lee Man 2001572141 Computer Science and Information Systems Supervisor
More informationBasic Concepts in Intrusion Detection
Technology Technical Information Services Security Engineering Roma, L Università Roma Tor Vergata, 23 Aprile 2007 Basic Concepts in Intrusion Detection JOVAN GOLIĆ Outline 2 Introduction Classification
More informationDDoS Attacks Detection Using GA based Optimized Traffic Matrix
2011 Fifth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing DDoS Attacks Detection Using GA based Optimized Traffic Matrix Je Hak Lee yitsup2u@gmail.com Dong
More informationNetwork Traffic Anomaly Detection Based on Packet Bytes ABSTRACT Bugs in the attack. Evasion. 1. INTRODUCTION User Behavior. 2.
Network Traffic Anomaly Detection Based on Packet Bytes Matthew V. Mahoney Florida Institute of Technology Technical Report CS-2002-13 mmahoney@cs.fit.edu ABSTRACT Hostile network traffic is often "different"
More informationINTRUSION DETECTION SYSTEM USING BIG DATA FRAMEWORK
INTRUSION DETECTION SYSTEM USING BIG DATA FRAMEWORK Abinesh Kamal K. U. and Shiju Sathyadevan Amrita Center for Cyber Security Systems and Networks, Amrita School of Engineering, Amritapuri, Amrita Vishwa
More informationMcPAD and HMM-Web: two different approaches for the detection of attacks against Web applications
McPAD and HMM-Web: two different approaches for the detection of attacks against Web applications Davide Ariu, Igino Corona, Giorgio Giacinto, Fabio Roli University of Cagliari, Dept. of Electrical and
More informationA STUDY ON COEXISTENCE OF WLAN AND WPAN USING A PAN COORDINATOR WITH AN ARRAY ANTENNA
A STUDY ON COEXISTENCE OF WLAN AND WPAN USING A PAN COORDINATOR WITH AN ARRAY ANTENNA Yuta NAKAO(Graduate School o Engineering, Division o Physics, Electrical and Computer Engineering, Yokohama National
More informationCharacterizing the network behavior of P2P traffic
Characterizing the network behavior o PP traic Raaele Bolla, Marco Canini, Riccardo Rapuzzi, Michele Sciuto DIST - Department o Communication, Computer and System Sciences, University o Genoa Via Opera
More informationImproving the Database Logging Performance of the Snort Network Intrusion Detection Sensor
-0- Improving the Database Logging Performance of the Snort Network Intrusion Detection Sensor Lambert Schaelicke, Matthew R. Geiger, Curt J. Freeland Department of Computer Science and Engineering University
More informationStatistical Analysis in Syslog Files in DNS and Spam SMTP Relay Servers
Statistical Analysis in Syslog Files in DNS and Spam SMTP Relay Servers Ryuichi Matsuba, Yasuo Musashi, and Kenichi Sugitani Center for Multimedia and Information Technologies, Kumamoto University, Kurokami,
More informationInternet Threat Detection System Using Bayesian Estimation
Internet Threat Detection System Using Bayesian Estimation Masaki Ishiguro 1 Hironobu Suzuki 2 Ichiro Murase 1 Hiroyuki Ohno 3 Abstract. We present an Internet security threat detection system 4 using
More informationMATRIX ALGORITHM OF SOLVING GRAPH CUTTING PROBLEM
UDC 681.3.06 MATRIX ALGORITHM OF SOLVING GRAPH CUTTING PROBLEM V.K. Pogrebnoy TPU Institute «Cybernetic centre» E-mail: vk@ad.cctpu.edu.ru Matrix algorithm o solving graph cutting problem has been suggested.
More informationANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS
ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS Saulius Grusnys, Ingrida Lagzdinyte Kaunas University of Technology, Department of Computer Networks, Studentu 50,
More informationClassification Method for Colored Natural Textures Using Gabor Filtering
Classiication Method or Colored Natural Textures Using Gabor Filtering Leena Lepistö 1, Iivari Kunttu 1, Jorma Autio 2, and Ari Visa 1, 1 Tampere University o Technology Institute o Signal Processing P.
More informationCSE3213 Computer Network I
SE33 omputer Network I Service Model, Error ontrol, Flow ontrol, and Link Sharing (h. 5. 5.3. and 5.7.) ourse page: http://www.cse.yorku.ca/course/33 Slides modiied om lberto Leon-Garcia and Indra Widjaja
More informationPyrite or gold? It takes more than a pick and shovel
Pyrite or gold? It takes more than a pick and shovel SEI/CERT -CyLab Carnegie Mellon University 20 August 2004 John McHugh, and a cast of thousands Pyrite or Gold? Failed promises Data mining and machine
More informationNetwork Traffic Anomaly Detection based on Ratio and Volume Analysis
190 Network Traffic Anomaly Detection based on Ratio and Volume Analysis Hyun Joo Kim, Jung C. Na, Jong S. Jang Active Security Technology Research Team Network Security Department Information Security
More informationOn the Double-Faced Nature of P2P Traffic
On the Double-Faced Nature o P2P Traic Raaele Bolla, Marco Canini, Riccardo Rapuzzi, Michele Sciuto DIST - Department o Communication, Computer and System Sciences, University o Genoa Via Opera Pia 13,
More informationDetection of Mass Mailing Worm-infected IP address by Analysis of Syslog for DNS server
DNS syslog IP : - DNS syslog : (1) PC A MX DNS (2) UNIX PC spam A MX PTR DNS DNS PC Detection of Mass Mailing Worm-infected IP address by Analysis of Syslog for DNS server Ryuichi Matsuba, Yasuo Musashi,
More informationROC in Assessing IDS Quality
ROC in Assessing IDS Quality Rune Hammersland {firstname.lastname}@hig.no Norwegian Information Security Lab, Gjøvik University College November 30, 2007 1 Terms For assessing the quality of IDS systems,
More informationRule Hashing for Efficient Packet Classification in Network Intrusion Detection
Rule Hashing for Efficient Packet Classification in Network Intrusion Detection Atsushi Yoshioka, Shariful Hasan Shaikot, and Min Sik Kim School of Electrical Engineering and Computer Science Washington
More informationFirewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Intrusion Detection Systems Intrusion Actions aimed at compromising the security of the target (confidentiality, integrity, availability of computing/networking
More information9.8 Graphing Rational Functions
9. Graphing Rational Functions Lets begin with a deinition. Deinition: Rational Function A rational unction is a unction o the orm P where P and Q are polynomials. Q An eample o a simple rational unction
More informationDNS. Analysis of IPv6 Based DNS Query Traffic
IPv6 DNS DNS IPv6 DNS (1) IPv4 () IPv6 IPv6 IPv4 Analysis of IPv6 Based DNS Query Traffic Hirofumi Nagatomi and Dennis Artona Ludeña Romaña Yasuo Musashi, Ryuichi Matsuba, and Kenichi Sugitani Abstract
More informationOverview. Introduction. Internet Worm. Defenses. Recent Trends. Detection and Propagation Modeling of Internet Worms
Overview Detection and Propagation Modeling o Internet Worms Ph.D. research proposal by: Parbati Kumar Manna Co-advised by: Dr. Sanjay Ranka and Dr. Shigang Chen Research opportunities in Internet worm
More informationMeans for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content
Intrusion Detection INFO404 - Lecture 13 21.04.2009 nfoukia@infoscience.otago.ac.nz Content Definition Network vs. Host IDS Misuse vs. Behavior Based IDS Means for Intrusion Detection Definitions (1) Intrusion:
More informationThe Subspace Method for Diagnosing Network-Wide Traffic Anomalies. Anukool Lakhina, Mark Crovella, Christophe Diot
The Subspace Method for Diagnosing Network-Wide Traffic Anomalies Anukool Lakhina, Mark Crovella, Christophe Diot What s happening in my network? Is my customer being attacked? probed? infected? Is there
More informationIdentifying Stepping Stone Attack using Trace Back Based Detection Approach
International Journal of Security Technology for Smart Device Vol.3, No.1 (2016), pp.15-20 http://dx.doi.org/10.21742/ijstsd.2016.3.1.03 Identifying Stepping Stone Attack using Trace Back Based Detection
More informationCS4/MSc Computer Networking. Lectures 4-5 Transport layer protocols TCP/UDP automatic repeat request
S4/MSc omputer Networking Lectures 4-5 Transport layer protocols TP/UDP automatic repeat request omputer Networking, opyright University o Edinburgh 005 Transport services and protocols provide logical
More informationLecture Notes on Critique of 1998 and 1999 DARPA IDS Evaluations
Lecture Notes on Critique of 1998 and 1999 DARPA IDS Evaluations Prateek Saxena March 3 2008 1 The Problems Today s lecture is on the discussion of the critique on 1998 and 1999 DARPA IDS evaluations conducted
More informationTowards Traffic Anomaly Detection via Reinforcement Learning and Data Flow
Towards Traffic Anomaly Detection via Reinforcement Learning and Data Flow Arturo Servin Computer Science, University of York aservin@cs.york.ac.uk Abstract. Protection of computer networks against security
More informationApplying fair queueing and traffic shaping for Internet applications on top of ATM The LB_SCFQ algorithm
Applying air queueing and traic shaping or Internet applications on top o ATM The LB_SCFQ algorithm Abstract Fair queueing mechanisms give very promising results or ATM networks. Combining a air queueing
More informationIP Packet Size Entropy-Based Scheme for Detection of DoS/DDoS Attacks
1274 IEICE TRANS. INF. & SYST., VOL.E91-D, NO.5 MAY 2008 PAPER Special Section on Information and Communication System Security IP Packet Size Entropy-Based Scheme for Detection of DoS/DDoS Attacks Ping
More informationEfficient Network Intrusion Detection System Navaneethakrishnan.P a*,theivanathan.g b
World Journal of Technology, Engineering and Research, Volume 2, Issue 1 (2017) 168-173 Contents available at WJTER World Journal of Technology, Engineering and Research Journal Homepage: www.wjter.com
More informationImplementation of Signature-based Detection System using Snort in Windows
Implementation of Signature-based Detection System using Snort in Windows Prerika Agarwal Sangita Satapathy Ajay Kumar Garg Engineering College, Ghaziabad Abstract: Threats of attacks are increasing day
More informationEvidence Gathering for Network Security and Forensics DFRWS EU Dinil Mon Divakaran, Fok Kar Wai, Ido Nevat, Vrizlynn L. L.
Evidence Gathering for Network Security and Forensics DFRWS EU 2017 Dinil Mon Divakaran, Fok Kar Wai, Ido Nevat, Vrizlynn L. L. Thing Talk outline Context and problem Objective Evidence gathering framework
More informationOverview Intrusion Detection Systems and Practices
Overview Intrusion Detection Systems and Practices Chapter 13 Lecturer: Pei-yih Ting Intrusion Detection Concepts Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy
More informationIntrusion Detection System
Intrusion Detection System Marmagna Desai March 12, 2004 Abstract This report is meant to understand the need, architecture and approaches adopted for building Intrusion Detection System. In recent years
More informationBayesian Learning Networks Approach to Cybercrime Detection
Bayesian Learning Networks Approach to Cybercrime Detection N S ABOUZAKHAR, A GANI and G MANSON The Centre for Mobile Communications Research (C4MCR), University of Sheffield, Sheffield Regent Court, 211
More informationHybrid Feature Selection for Modeling Intrusion Detection Systems
Hybrid Feature Selection for Modeling Intrusion Detection Systems Srilatha Chebrolu, Ajith Abraham and Johnson P Thomas Department of Computer Science, Oklahoma State University, USA ajith.abraham@ieee.org,
More informationDNS Query Access and Backscattering SMTP Distributed Denial-of-Service Attack
DNS Query Access and Backscattering SMTP Distributed Denial-of-Service Attack Yasuo Musashi, Ryuichi Matsuba, and Kenichi Sugitani Center for Multimedia and Information Technologies, Kumamoto University,
More informationClassifier Evasion: Models and Open Problems
Classiier Evasion: Models and Open Problems Blaine Nelson 1, Benjamin I. P. Rubinstein 2, Ling Huang 3, Anthony D. Joseph 1,3, and J. D. Tygar 1 1 UC Berkeley 2 Microsot Research 3 Intel Labs Berkeley
More informationTO meet the increasing bandwidth demands and reduce
Assembling TCP/IP Packets in Optical Burst Switched Networks Xiaojun Cao Jikai Li Yang Chen Chunming Qiao Department o Computer Science and Engineering State University o New York at Bualo Bualo, NY -
More informationCS419 Spring Computer Security. Vinod Ganapathy Lecture 13. Chapter 6: Intrusion Detection
CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 13 Chapter 6: Intrusion Detection Security Intrusion & Detection Security Intrusion a security event, or combination of multiple security events,
More informationHybrid Modular Approach for Anomaly Detection
Hybrid Modular Approach for Anomaly Detection A.Laxmi Kanth Associate Professor, M.Tech (IT) Sri Indu College of Engineering & Technology, Sheriguda, IBP. Suresh Yadav Assistant Professor, (M.Tech),B.Tech,
More informationIntrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng
Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Internet Security Mechanisms Prevent: Firewall, IPsec, SSL Detect: Intrusion Detection Survive/ Response:
More informationIntrusion Detection and Malware Analysis
Intrusion Detection and Malware Analysis Anomaly-based IDS Pavel Laskov Wilhelm Schickard Institute for Computer Science Taxonomy of anomaly-based IDS Features: Packet headers Byte streams Syntactic events
More informationAbalone Age Prediction using Artificial Neural Network
IOSR Journal o Computer Engineering (IOSR-JCE) e-issn: 2278-066,p-ISSN: 2278-8727, Volume 8, Issue 5, Ver. II (Sept - Oct. 206), PP 34-38 www.iosrjournals.org Abalone Age Prediction using Artiicial Neural
More informationNeighbourhood Operations
Neighbourhood Operations Neighbourhood operations simply operate on a larger neighbourhood o piels than point operations Origin Neighbourhoods are mostly a rectangle around a central piel Any size rectangle
More informationMeasuring Intrusion Detection Capability: An Information- Theoretic Approach
Measuring Intrusion Detection Capability: An Information- Theoretic Approach Guofei Gu, Prahlad Fogla, David Dagon, Wenke Lee Georgia Tech Boris Skoric Philips Research Lab Outline Motivation Problem Why
More informationFIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others
FIREWALLS 1 FIREWALLS Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS: WHY Prevent denial of service attacks: SYN ooding: attacker
More informationA TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS
ISSN: 2229-6948 (ONLINE) ICTACT JOURNAL OF COMMUNICATION TECHNOLOGY, JUNE 2010, VOLUME: 01, ISSUE: 02 DOI: 10.21917/ijct.2010.0013 A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING
More informationConfiguring attack detection and prevention 1
Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack
More informationResearch on Image Splicing Based on Weighted POISSON Fusion
Research on Image Splicing Based on Weighted POISSO Fusion Dan Li, Ling Yuan*, Song Hu, Zeqi Wang School o Computer Science & Technology HuaZhong University o Science & Technology Wuhan, 430074, China
More informationDetecting Denial of Service using BENEF Model: An Alternative Approach. Abstract
Detecting Denial of Service using BENEF Model: An Alternative Approach Urupoj Kanlayasiri, Surasak Sanguanpong, and Yuen Poovarawan Applied Network Research Group Department of Computer Engineering Kasetsart
More informationDetecting Novel Attacks by Identifying Anomalous Network Packet Headers
Detecting Novel Attacks by Identifying Anomalous Network Packet Headers Matthew V. Mahoney and Philip K. Chan Department of Computer Sciences Florida Institute of Technology Melbourne, FL 32901 {mmahoney,pkc}@cs.fit.edu
More informationIntrusion Detection - Snort. Network Security Workshop April 2017 Bali Indonesia
Intrusion Detection - Snort Network Security Workshop 25-27 April 2017 Bali Indonesia Issue Date: [31-12-2015] Revision: [V.1] Sometimes, Defenses Fail Our defenses aren t perfect Patches weren t applied
More informationA study of Intrusion Detection System for Cloud Network Using FC-ANN Algorithm
A study of Intrusion Detection System for Cloud Network Using FC-ANN Algorithm Gayatri K. Chaturvedi 1, Arjun K. Chaturvedi 2, Varsha R. More 3 (MECOMP-Lecturer) 1, (BEIT-Student) 2, (BEE&TC-Student) 3
More informationA Novel Accurate Genetic Algorithm for Multivariable Systems
World Applied Sciences Journal 5 (): 137-14, 008 ISSN 1818-495 IDOSI Publications, 008 A Novel Accurate Genetic Algorithm or Multivariable Systems Abdorreza Alavi Gharahbagh and Vahid Abolghasemi Department
More informationFlowzilla: A Methodology for Detecting Data Transfer Anomalies in Research Networks. Anna Giannakou, Daniel Gunter, Sean Peisert
Flowzilla: A Methodology for Detecting Data Transfer Anomalies in Research Networks Anna Giannakou, Daniel Gunter, Sean Peisert Research Networks Scientific applications that process large amounts of data
More informationScheduling in Multihop Wireless Networks without Back-pressure
Forty-Eighth Annual Allerton Conerence Allerton House, UIUC, Illinois, USA September 29 - October 1, 2010 Scheduling in Multihop Wireless Networks without Back-pressure Shihuan Liu, Eylem Ekici, and Lei
More informationAnomaly based Network Intrusion Detection System
Synopsis on Anomaly based Network Intrusion Detection System Submitted by Under the guidance of : Dinakara K (06CS6026) MTech (CSE) 2nd Year : Prof. Jayanta Mukhopadhyay Dept. of CSE Prof. S K Ghosh School
More informationIntrusion Detection in Dos Attacks
Intrusion Detection in Dos Attacks P.Rajapandian Asst.Professor Dept of Computer Science Madurai Kamaraj University College Madurai,Tamil Nadu,India Dr.K.Alagarsamy Associate Professor Dept of Computer
More informationSUPER RESOLUTION IMAGE BY EDGE-CONSTRAINED CURVE FITTING IN THE THRESHOLD DECOMPOSITION DOMAIN
SUPER RESOLUTION IMAGE BY EDGE-CONSTRAINED CURVE FITTING IN THE THRESHOLD DECOMPOSITION DOMAIN Tsz Chun Ho and Bing Zeng Department o Electronic and Computer Engineering The Hong Kong University o Science
More informationA Study on Intrusion Detection Techniques in a TCP/IP Environment
A Study on Intrusion Detection Techniques in a TCP/IP Environment C. A. Voglis and S. A. Paschos Department of Computer Science University of Ioannina GREECE Abstract: The TCP/IP protocol suite is the
More informationMobile Robot Static Path Planning Based on Genetic Simulated Annealing Algorithm
Mobile Robot Static Path Planning Based on Genetic Simulated Annealing Algorithm Wang Yan-ping 1, Wubing 2 1. School o Electric and Electronic Engineering, Shandong University o Technology, Zibo 255049,
More informationAMP-Based Flow Collection. Greg Virgin - RedJack
AMP-Based Flow Collection Greg Virgin - RedJack AMP- Based Flow Collection AMP - Analytic Metadata Producer : Patented US Government flow / metadata producer AMP generates data including Flows Host metadata
More informationA new approach for ranking trapezoidal vague numbers by using SAW method
Science Road Publishing Corporation Trends in Advanced Science and Engineering ISSN: 225-6557 TASE 2() 57-64, 20 Journal homepage: http://www.sciroad.com/ntase.html A new approach or ranking trapezoidal
More informationClassifier Evasion: Models and Open Problems
. In Privacy and Security Issues in Data Mining and Machine Learning, eds. C. Dimitrakakis, et al. Springer, July 2011, pp. 92-98. Classiier Evasion: Models and Open Problems Blaine Nelson 1, Benjamin
More informationFuzzy Intrusion Detection
Fuzzy Intrusion Detection John E. Dickerson, Jukka Juslin, Ourania Koukousoula, Julie A. Dickerson Electrical and Computer Engineering Department Iowa State University Ames, IA, USA {jedicker,juslin,koukouso,julied}@iastate.edu
More informationA Fault Model Centered Modeling Framework for Self-healing Computing Systems
A Fault Model Centered Modeling Framework or Sel-healing Computing Systems Wei Lu 1, Yian Zhu 1, Chunyan Ma 1, and Longmei Zhang 2 1 Department o Sotware and Microelectronics, Northwestern Polytechnical
More informationMethod for security monitoring and special filtering traffic mode in info communication systems
Method for security monitoring and special filtering traffic mode in info communication systems Sherzod Rajaboyevich Gulomov Provide Information Security department Tashkent University of Information Technologies
More informationFPGA based Network Traffic Analysis using Traffic Dispersion Graphs
FPGA based Network Traffic Analysis using Traffic Dispersion Graphs 2 nd September, 2010 Faisal N. Khan, P. O. Box 808, Livermore, CA 94551 This work performed under the auspices of the U.S. Department
More informationBinary Morphological Model in Refining Local Fitting Active Contour in Segmenting Weak/Missing Edges
0 International Conerence on Advanced Computer Science Applications and Technologies Binary Morphological Model in Reining Local Fitting Active Contour in Segmenting Weak/Missing Edges Norshaliza Kamaruddin,
More informationMultivariate Correlation Analysis based detection of DOS with Tracebacking
1 Multivariate Correlation Analysis based detection of DOS with Tracebacking Jasheeda P Student Department of CSE Kathir College of Engineering Coimbatore jashi108@gmail.com T.K.P.Rajagopal Associate Professor
More informationIntrusion Detection by Combining and Clustering Diverse Monitor Data
Intrusion Detection by Combining and Clustering Diverse Monitor Data TSS/ACC Seminar April 5, 26 Atul Bohara and Uttam Thakore PI: Bill Sanders Outline Motivation Overview of the approach Feature extraction
More informationMahalanobis Distance Map Approach for Anomaly Detection
Edith Cowan University Research Online Australian Information Security Management Conference Conferences, Symposia and Campus Events 2010 Mahalanobis Distance Map Approach for Anomaly Detection Aruna Jamdagnil
More informationEffective Intrusion Type Identification with Edit Distance for HMM-Based Anomaly Detection System
Effective Intrusion Type Identification with Edit Distance for HMM-Based Anomaly Detection System Ja-Min Koo and Sung-Bae Cho Dept. of Computer Science, Yonsei University, Shinchon-dong, Seodaemoon-ku,
More informationIntrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks
Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks So we are proposing a network intrusion detection system (IDS) which uses a Keywords: DDoS (Distributed Denial
More informationActivating Intrusion Prevention Service
Activating Intrusion Prevention Service Intrusion Prevention Service Overview Configuring Intrusion Prevention Service Intrusion Prevention Service Overview Intrusion Prevention Service (IPS) delivers
More informationWhat is Clustering? Clustering. Characterizing Cluster Methods. Clusters. Cluster Validity. Basic Clustering Methodology
Clustering Unsupervised learning Generating classes Distance/similarity measures Agglomerative methods Divisive methods Data Clustering 1 What is Clustering? Form o unsupervised learning - no inormation
More informationMapping Internet Sensors with Probe Response Attacks
Mapping Internet Sensors with Probe Response Attacks John Bethencourt, Jason Franklin, and Mary Vernon {bethenco, jfrankli, vernon}@cs.wisc.edu Computer Sciences Department University of Wisconsin, Madison
More informationLarger K-maps. So far we have only discussed 2 and 3-variable K-maps. We can now create a 4-variable map in the
EET 3 Chapter 3 7/3/2 PAGE - 23 Larger K-maps The -variable K-map So ar we have only discussed 2 and 3-variable K-maps. We can now create a -variable map in the same way that we created the 3-variable
More information2. INTRUDER DETECTION SYSTEMS
1. INTRODUCTION It is apparent that information technology is the backbone of many organizations, small or big. Since they depend on information technology to drive their business forward, issues regarding
More informationNETWORK TRAFFIC ANALYSIS - A DIFFERENT APPROACH USING INCOMING AND OUTGOING TRAFFIC DIFFERENCES
NETWORK TRAFFIC ANALYSIS - A DIFFERENT APPROACH USING INCOMING AND OUTGOING TRAFFIC DIFFERENCES RENATO PREIGSCHADT DE AZEVEDO, DOUGLAS CAMARGO FOSTER, RAUL CERETTA NUNES, ALICE KOZAKEVICIUS Universidade
More informationEmpirical Models of TCP and UDP End User Network Traffic from Data Analysis
Empirical Models of TCP and UDP End User Network Traffic from NETI@home Data Analysis Charles R. Simpson, Jr., Dheeraj Reddy, George F. Riley School of Electrical and Computer Engineering Georgia Institute
More informationA NEW APPROACH TO INTRUSION DETECTION SYSTEM
A NEW APPROACH TO INTRUSION DETECTION SYSTEM 1 A. KARTIT, 2 A. SAIDI, 3 F. BEZZAZI, 4 M. EL MARRAKI, 5 A. RADI 1,2,3,4,5 Laboratoire de Recherche en Informatique et Télécommunications, Faculty of Sciences,
More informationConfiguring attack detection and prevention 1
Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack
More informationDDoS Attack Detection Using Moment in Statistics with Discriminant Analysis
DDoS Attack Detection Using Moment in Statistics with Discriminant Analysis Pradit Pitaksathienkul 1 and Pongpisit Wuttidittachotti 2 King Mongkut s University of Technology North Bangkok, Thailand 1 praditp9@gmail.com
More informationAutomatic Video Segmentation for Czech TV Broadcast Transcription
Automatic Video Segmentation or Czech TV Broadcast Transcription Jose Chaloupka Laboratory o Computer Speech Processing, Institute o Inormation Technology and Electronics Technical University o Liberec
More informationJoint Congestion Control and Scheduling in Wireless Networks with Network Coding
Title Joint Congestion Control and Scheduling in Wireless Networks with Network Coding Authors Hou, R; Wong Lui, KS; Li, J Citation IEEE Transactions on Vehicular Technology, 2014, v. 63 n. 7, p. 3304-3317
More informationFirst Video Streaming Experiments on a Time Driven Priority Network
First Video Streaming Experiments on a Driven Priority Network Mario Baldi and Guido Marchetto Department o Control and Computer Engineering Politecnico di Torino (Technical University o Torino) Abstract
More informationROBUST FACE DETECTION UNDER CHALLENGES OF ROTATION, POSE AND OCCLUSION
ROBUST FACE DETECTION UNDER CHALLENGES OF ROTATION, POSE AND OCCLUSION Phuong-Trinh Pham-Ngoc, Quang-Linh Huynh Department o Biomedical Engineering, Faculty o Applied Science, Hochiminh University o Technology,
More informationTree-Based Minimization of TCAM Entries for Packet Classification
Tree-Based Minimization of TCAM Entries for Packet Classification YanSunandMinSikKim School of Electrical Engineering and Computer Science Washington State University Pullman, Washington 99164-2752, U.S.A.
More informationDistributed Denial of Service (DDoS)
Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare (adwait@wpi.edu) Suvesh Pratapa (suveshp@wpi.edu) Modified by
More information3-4 DAEDALUS: Practical Alert System Based on Large-scale Darknet Monitoring for Protecting Live Networks
3-4 DAEDALUS: Practical Alert System Based on Large-scale Darknet Monitoring for Protecting Live Networks Mio SUZUKI, Koei SUZUKI, Yaichiro TAKAGI, and Ryoichi ISAWA In a regular organization, major approach
More informationDeveloping the Sensor Capability in Cyber Security
Developing the Sensor Capability in Cyber Security Tero Kokkonen, Ph.D. +358504385317 tero.kokkonen@jamk.fi JYVSECTEC JYVSECTEC - Jyväskylä Security Technology - is the cyber security research, development
More informationBinary Protector: Intrusion Detection in Multitier Web Applications
Binary Protector: Intrusion Detection in Multitier Web Applications C. Venkatesh 1 D.Nagaraju 2 T.Sunil Kumar Reddy 3 1 P.G Scholar, CSE Dept, Sir Vishveshwariah Institute of Science and Technology 2 Assistant
More information