CHAPTER 2 DARPA KDDCUP99 DATASET
- Christiana Hall
- 5 years ago
2.1 THE DARPA INTRUSION-DETECTION EVALUATION PROGRAM

The intrusions to be found in computer and network audit data are plentiful as well as ever-changing. They are also thoroughly scattered, and attempts to structure or catalogue audit data are extremely effort-intensive. In order to create effective detection models, model-building algorithms typically require a large amount of labelled data. One major difficulty in deploying an IDS is the need to label system audit data for the algorithms. Misuse-detection systems need the data to be accurately labelled as either normal or attack, whereas for anomaly-detection systems the data must be verified to ensure that it is exclusively normal, namely attack-free. This requires the same effort (Eskin et al 2000; Lee et al 2001), and preparation of the data in this manner is both time-consuming and costly.

A generous sponsor for the production of intrusion-detection audit data was found in the US government agency DARPA (Defense Advanced Research Projects Agency). An innovator and promoter of technology, this organization has funded many projects in the last few decades. In 1969, one such research and development project was subsidized to create an experimental packet-switched network. This one venture saw the modest beginnings of what grew into the omnipresent Internet known today. As a matter of fact, DARPA supports the evaluation of developing technologies: focusing an effort, documenting existing capabilities and guiding research.
The 1998 DARPA Off-line Intrusion-Detection Evaluation Program (Lippmann et al 2000; data_index.html 1999; Lippmann et al 2000; Haines et al 2001) was one such project. Aware of the lack of suitable audit data sets for intrusion detection, DARPA set out (1) to generate an intrusion-detection evaluation corpus which could be shared by many researchers, (2) to evaluate many intrusion-detection systems, (3) to include a wide variety of attacks and (4) to measure both attack-detection rates and false-alarm rates for realistic normal traffic. To avoid publicizing confidential information concerning any real network in connection with the data, and in order not to disrupt the operation of an on-line network, an extensive test bed was set up at MIT's Lincoln Laboratory for synthesis purposes. This test bed simulated the operation of a typical US Air Force LAN for over two months, allowing a considerable amount of audit data to be collected from it.

2.2 ATTACK TYPES IN THE 1999 DARPA DATA SET

Each attack type falls into one of the four following main categories:

Denial-of-service (DOS) attacks have the goal of limiting or denying service(s) provided to a user, computer or network. A common tactic is to severely overload the targeted system, as in a SYN flood.

Probing or surveillance attacks have the goal of gaining knowledge of the existence or configuration of a computer system or network. Port scans or sweeps of a given IP address range are typically used in this category, e.g. IPsweep.

Remote-to-Local (R2L) attacks have the goal of gaining local access to a computer or network to which the attacker previously had only remote access. Examples of this are attempts to gain control of a user account, e.g. the Dictionary attack.

User-to-Root (U2R) attacks have the goal of gaining root or super-user access on a particular computer or system on which the attacker previously had user-level access. These are attempts by a non-privileged user to gain administrative privileges (e.g. Eject).

A total of 24 attack types was included in the training data and a further 14 novel attacks were added to the test data, to compare the performance of IDS on known and on yet-unseen attacks. A further aim of the evaluation was to determine whether systems could detect stealthy attacks. These are variations of an attack, modified from the standard form available on the Internet in an attempt to evade detection. Methods of being stealthy vary, depending on the attack type (Kendall 1999). The attacks are grouped according to category and type. The number of occurrences is detailed, distinguishing between attacks launched in the clear and those performed stealthily, and specifying whether each appeared in training or test data. For example, there were 46 Eject attacks in the simulation. Of these, 10 were stealthy and 36 were performed in the clear. Of those in the clear category, 29 figured in the training data and 7 in the test data. In the DARPA programmes, detection rates for each attack category were estimated for comparative purposes when evaluating the performance of IDS.
Different Attack Types

The category of an attack is determined by its ultimate goal, so that within a given category attacks may closely resemble each other. The DOS attacks are designed to disrupt a host or network service. Some DOS attacks (e.g. smurf) excessively load a legitimate network service; others (e.g. teardrop, Ping of Death) create malformed packets which are incorrectly handled by the victim machine. Others still (e.g. apache2, back, syslogd) take advantage of software bugs in network daemon programmes.

Probe attacks are launched by programmes which can automatically scan a network of computers to gather information or find known vulnerabilities. Such probes are often precursors to more dangerous attacks because they provide a map of machines and services and pinpoint weak links in a network. Some of these scanning tools (satan, saint and mscan) enable even an unskilled attacker to check hundreds of machines on a network for known vulnerabilities.

In the R2L attacks, an attacker who does not have an account on a victim machine sends packets to that machine and gains local access. Some R2L attacks exploit buffer overflows in network server software (e.g. imap, named, sendmail); others exploit weak or misconfigured security policies (e.g. dictionary, ftp-write and guest), and one (xsnoop) is a Trojan password-capture programme. The snmp-get R2L attack against the router is a password-guessing attack in which the community password of the router is guessed and the attacker then uses SNMP to monitor the router.

During U2R attacks, a local user on a machine tries to obtain privileges normally reserved for the UNIX root or super-user. Some U2R attacks exploit poorly written system programmes which run at root level and are susceptible to buffer overflows (e.g. eject, ffbconfig, fdformat). Others exploit weaknesses in path-name verification (e.g. loadmodule), bugs in some versions of perl (e.g. suidperl) or other software weaknesses.
Attack Descriptions

back - Denial-of-service attack against the Apache web server, where a client requests a URL containing many backslashes.
dict - Guess passwords for a valid user, using simple variants of the account name, over a telnet connection.
eject - Buffer overflow using the eject program on Solaris. Leads to a user-to-root transition if successful.
ffb - Buffer overflow using the ffbconfig UNIX system command; leads to a root shell.
format - Buffer overflow using the fdformat UNIX system command; leads to a root shell.
ftp-write - Remote FTP user creates a .rhost file in a world-writable anonymous FTP directory and obtains local login.
guest - Try to guess the password via telnet for the guest account.
ipsweep - Surveillance sweep performing either a port sweep or ping on multiple host addresses.
land - Denial of service where a remote host is sent a UDP packet with the same source and destination.
loadmodule - Non-stealthy loadmodule attack which resets IFS for a normal user and creates a root shell.
multihop - Multi-day scenario in which a user first breaks into one machine.
neptune - SYN-flood denial of service on one or more ports.
nmap - Network mapping using the nmap tool. The mode of exploring the network will vary; options include SYN.
perlmagic - Perl attack which sets the user id to root in a perl script and creates a root shell.
phf - Exploitable CGI script which allows a client to execute arbitrary commands on a machine with a misconfigured web server.
pod - Denial-of-service ping of death.
portsweep - Surveillance sweep through many ports to determine which services are supported on a single host.
rootkit - Multi-day scenario where a user installs one or more components of a rootkit.
satan - Network probing tool which looks for well-known weaknesses. Operates at three different levels; level 0 is light.
smurf - Denial-of-service ICMP echo-reply flood.
spy - Multi-day scenario in which a user breaks into a machine with the purpose of finding important information, where the user tries to avoid detection. Uses several different exploit methods to gain access.
syslog - Denial of service for the syslog service: connects to port 514 with an unresolvable source IP.
teardrop - Denial of service where mis-fragmented UDP packets cause some systems to reboot.
warez - User logs into an anonymous FTP site and creates a hidden directory.
warezclient - Users downloading illegal software which was previously posted via anonymous FTP by the warezmaster.
warezmaster - Anonymous FTP upload of warez (usually illegal copies of copyrighted software) onto an FTP server.
DATA-SET DESCRIPTION

The KDDCUP99 Data (Irvine 1999) are the data sets which were issued for use in the KDDCUP 99 Classifier-Learning Competition. These sets of training and test data were made available by Stolfo and Lee (kdd.ics.uci.edu/databases/kddcup99/task.htm, 1999) and consisted of a preprocessed version of the 1998 DARPA Evaluation Data. This team's IDS had performed particularly well in the Intrusion-Detection Evaluation Program of that year, using data mining as a pre-processing stage to extract characteristic intrusion features from raw TCP/IP audit data. The original raw training data were about four gigabytes of compressed binary tcpdump data obtained from the first seven weeks of network traffic at MIT. This was preprocessed with the feature-construction framework MADAM ID (Mining Audit Data for Automated Models for Intrusion Detection) to produce about five million connection records. A connection is defined to be a sequence of TCP packets starting and ending at some well-defined times, between which data flow back and forth from a source IP address to a destination IP address under some well-defined protocol. Each connection is labelled either as normal or with the name of its specific attack type. A connection record consists of about 100 bytes. Ten percent of the complementary two weeks of test data were likewise pre-processed to yield a further set of somewhat less than half a million connection records. For the information of contestants, it was stressed that these test data were not from the same probability distribution as the training data, and that they included specific attack types which are not found in the training data. The full amount of labelled test data, with some two million records, was not included in this data set.
Set of Features used in the Connection Records

In the KDDCUP99 Data, the initial features extracted for a connection record (Eskin 2002; Lee) include the basic features of an individual TCP connection, such as its duration, protocol type, number of bytes transferred and the flag indicating the normal or error status of the connection. These intrinsic features provide information for general network-traffic analysis purposes. Since most DOS and Probe attacks involve sending a lot of connections to the same host(s) at the same time, they can have frequent sequential patterns which differ from normal traffic. For these patterns, a "same host" feature examines all other connections in the previous 2 seconds which had the same destination host as the current connection. Similarly, a "same service" feature examines all other connections in the previous 2 seconds which had the same service as the current connection. These temporal and statistical characteristics are referred to as the time-based traffic features. There are several Probe attacks which use a much longer interval than 2 seconds (for example, one minute) when scanning hosts or ports. For these, a mirror set of host-based traffic features was constructed based on a connection window of 100 connections.

The R2L and U2R attacks are embedded in the data portions of the TCP packets and may involve only a single connection. To detect these, content features of individual connections were constructed using domain knowledge. These features suggest whether the data contains suspicious behaviour, such as the number of failed logins, whether the login succeeded or not, whether logged in as root, whether a root shell was obtained, etc. In total, there are 42 features (including the attack type) in each connection record, with most of them taking on continuous values. The individual features are listed and briefly described in Tables 2.2 to 2.5. Table 2.1 shows the different types of attacks and their categories:
Table 2.1 Class Labels that Appear in the 10% KDDCUP99 Dataset

Attack             Number of Samples   Category
smurf                                  DOS
neptune                                DOS
back                                   DOS
teardrop           979                 DOS
pod                264                 DOS
land               21                  DOS
normal                                 Normal
satan                                  Probe
ipsweep                                Probe
portsweep                              Probe
nmap               231                 Probe
warezclient                            R2L
guess_passwd       53                  R2L
warezmaster        20                  R2L
imap               12                  R2L
ftp_write          8                   R2L
multihop           7                   R2L
phf                4                   R2L
spy                2                   R2L
buffer_overflow    30                  U2R
rootkit            10                  U2R
loadmodule         9                   U2R
perl               3                   U2R
Connection Features, KDDCUP99

Table 2.2 Basic Features of Individual TCP Connections

Feature name      Description                                                    Type
Duration          length (number of seconds) of the connection
Protocol_type     type of the protocol, e.g. tcp, udp, etc.                      discrete
Service           network service on the destination, e.g. http, telnet, etc.    discrete
Src_bytes         number of data bytes from source to destination
Dst_bytes         number of data bytes from destination to source
Flag              normal or error status of the connection                       discrete
Land              1 if connection is from/to the same host/port; 0 otherwise
Wrong_fragment    number of wrong fragments                                      discrete
Urgent            number of urgent packets

Table 2.3 Content Features Within a Connection Suggested by Domain Knowledge

Feature name        Description                                                  Type
hot                 number of "hot" indicators
Num_failed_logins   number of failed login attempts
Logged_in           1 if successfully logged in; 0 otherwise                     discrete
Num_compromised     number of "compromised" conditions
Root_shell          1 if root shell is obtained; 0 otherwise                     discrete
Su_attempted        1 if "su root" command attempted; 0 otherwise                discrete
Num_root            number of root accesses
Num_file_creations  number of file creation operations
Num_shells          number of shell prompts
Num_access_files    number of operations on access control files
Num_outbound_cmds   number of outbound commands in an ftp session
Is_hot_login        1 if the login belongs to the "hot" list; 0 otherwise        discrete
Is_guest_login      1 if the login is a guest login; 0 otherwise                 discrete
Table 2.4 Traffic Features Computed Using a Two-Second Time Window

Feature name        Description                                                                                   Type
count               number of connections to the same host as the current connection in the past two seconds
Note: the following features refer to these same-host connections.
serror_rate         % of connections that have "SYN" errors
rerror_rate         % of connections that have "REJ" errors
same_srv_rate       % of connections to the same service
diff_srv_rate       % of connections to different services
srv_count           number of connections to the same service as the current connection in the past two seconds
Note: the following features refer to these same-service connections.
srv_serror_rate     % of connections that have "SYN" errors
srv_rerror_rate     % of connections that have "REJ" errors
srv_diff_host_rate  % of connections to different hosts
Table 2.5 Traffic Features Computed Using a Hundred-Connection Window

(* = same-host connections, ** = same-service connections)

Feature name                   Description
dst_host_count*                no. of connections to the same host as the current connection in the past two seconds
dst_host_serror_rate*          % of connections that have SYN errors
dst_host_rerror_rate*          % of connections that have REJ errors
dst_host_same_srv_rate*        % of connections to the same service
dst_host_diff_srv_rate*        % of connections to different services
dst_host_srv_count**           no. of connections to the same service as the current connection in the past two seconds
dst_host_srv_serror_rate**     % of the connections that have SYN errors
dst_host_srv_rerror_rate**     % of the connections that have REJ errors
dst_host_srv_diff_host_rate**  % of the connections to different hosts
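The following is an added worked example, not code from the thesis or from the MADAM ID framework, showing how the time-based traffic features of Table 2.4 (two-second window) and the host-based features of Table 2.5 (window of the last 100 connections) are derived from basic connection records. The connection records are constructed for the example; it assumes the KDD flag convention (S0 to S3 mark SYN errors, REJ a rejected connection) and counts the current connection inside its own window so that every rate is well defined.

```python
from dataclasses import dataclass

# Flag values treated as "SYN errors" and "REJ errors" (assumption of this example,
# following the flag convention used in the released KDDCUP99 data).
SYN_ERROR_FLAGS = {"S0", "S1", "S2", "S3"}  # half-open / never-completed connections
REJ_FLAGS = {"REJ"}


@dataclass(frozen=True)
class Connection:
    """Basic features of one connection (a subset of Table 2.2 plus a start time)."""
    time: float      # start time in seconds
    dst_host: str    # destination IP address
    service: str     # destination service, e.g. http, smtp, private
    flag: str        # connection status flag, e.g. SF, S0, REJ


def _fraction(conns, predicate):
    """Share of `conns` satisfying `predicate`. Rates are returned as fractions
    (0.0 .. 1.0), as in the released dataset, rather than as percentages."""
    return sum(1 for c in conns if predicate(c)) / len(conns) if conns else 0.0


def _traffic_stats(window, current):
    """Shared computation behind Tables 2.4 and 2.5: a same-host view and a
    same-service view of `window`, each summarised by a count and error rates."""
    same_host = [c for c in window if c.dst_host == current.dst_host]
    same_srv = [c for c in window if c.service == current.service]
    return {
        "count": len(same_host),
        "serror_rate": _fraction(same_host, lambda c: c.flag in SYN_ERROR_FLAGS),
        "rerror_rate": _fraction(same_host, lambda c: c.flag in REJ_FLAGS),
        "same_srv_rate": _fraction(same_host, lambda c: c.service == current.service),
        "diff_srv_rate": _fraction(same_host, lambda c: c.service != current.service),
        "srv_count": len(same_srv),
        "srv_serror_rate": _fraction(same_srv, lambda c: c.flag in SYN_ERROR_FLAGS),
        "srv_rerror_rate": _fraction(same_srv, lambda c: c.flag in REJ_FLAGS),
        "srv_diff_host_rate": _fraction(same_srv, lambda c: c.dst_host != current.dst_host),
    }


def time_based_features(connections, index, window_seconds=2.0):
    """Table 2.4: the window is every connection, up to and including the current
    one, that started within the last `window_seconds` (connections are assumed
    to be sorted by start time)."""
    current = connections[index]
    window = [c for c in connections[: index + 1]
              if current.time - window_seconds <= c.time <= current.time]
    return _traffic_stats(window, current)


def host_based_features(connections, index, window_size=100):
    """Table 2.5: the window is the last `window_size` connections regardless of
    elapsed time, which is what still catches probes that space their
    connections more than two seconds apart."""
    current = connections[index]
    window = connections[max(0, index + 1 - window_size): index + 1]
    return {"dst_host_" + name: value
            for name, value in _traffic_stats(window, current).items()}


# Constructed sample: some normal web and mail traffic, followed by a burst of
# half-open connections to one host of the kind a SYN flood (neptune) leaves behind.
SAMPLE = [
    Connection(0.0, "10.0.0.5", "http", "SF"),
    Connection(0.5, "10.0.0.5", "http", "SF"),
    Connection(0.8, "10.0.0.7", "smtp", "SF"),
    Connection(1.0, "10.0.0.5", "http", "SF"),
    Connection(5.0, "10.0.0.9", "private", "S0"),
    Connection(5.1, "10.0.0.9", "private", "S0"),
    Connection(5.2, "10.0.0.9", "private", "S0"),
    Connection(5.3, "10.0.0.9", "private", "S0"),
    Connection(5.4, "10.0.0.9", "private", "S0"),
    Connection(5.5, "10.0.0.9", "http", "REJ"),
    Connection(6.0, "10.0.0.9", "private", "S0"),
]


if __name__ == "__main__":
    # The normal http connection (index 3) shows serror_rate 0.0; the last flood
    # connection (index 10) shows count 7 and serror_rate 6/7 in its two-second window.
    for label, idx in (("normal http connection", 3), ("flood connection", 10)):
        print(label, time_based_features(SAMPLE, idx))
        print(label, host_based_features(SAMPLE, idx))
```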
Figure 2.1 U-matrix for KDDCUP99 Data (Features 1 to 10 are shown)

The U-matrix visualizes the distances between neighbouring map units, and thus shows the cluster structure of the map: high values of the U-matrix indicate a cluster border; uniform areas of low values indicate the clusters themselves. Each component plane shows the values of one variable in each map unit. On top of these visualizations, additional information can be shown: labels, data histograms and trajectories. The U-matrix of the KDDCUP99 data is shown in Figure 2.1.

Continued use of the KDDCUP99 Data in current research reported from Columbia University (Pfahringer 2000; Elkan 2000; Levin 2000; Lee; Chimphlee et al 2006) confirms the uniqueness of this data set in offering a large volume of network audit data (originally from DARPA) with a wide variety of labelled intrusions. For these reasons, it was decided to use the KDDCUP99 Data set for the investigation done in this research work.
More informationPerformance improvement of intrusion detection with fusion of multiple sensors
Complex Intell. Syst. (2017) 3:33 39 DOI 10.1007/s40747-016-0033-5 ORIGINAL PAPER Performance improvement of intrusion detection with fusion of multiple sensors An evidence-theory-based approach Vrushank
More informationIntrusion Detection System Based on K-Star Classifier and Feature Set Reduction
IOSR Journal of Computer Engineering (IOSR-JCE) e-issn: 2278-0661, p- ISSN: 2278-8727Volume 15, Issue 5 (Nov. - Dec. 2013), PP 107-112 Intrusion Detection System Based on K-Star Classifier and Feature
More informationINTRUSION DETECTION WITH TREE-BASED DATA MINING CLASSIFICATION TECHNIQUES BY USING KDD DATASET
INTRUSION DETECTION WITH TREE-BASED DATA MINING CLASSIFICATION TECHNIQUES BY USING KDD DATASET Bilal Ahmad Department of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics,
More informationIntrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng
Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Internet Security Mechanisms Prevent: Firewall, IPsec, SSL Detect: Intrusion Detection Survive/ Response:
More informationEvaluating Intrusion Detection Systems without Attacking your Friends: The 1998 DARPA Intrusion Detection Evaluation
Evaluating Intrusion Detection Systems without Attacking your Friends: The 1998 DARPA Intrusion Detection Evaluation R. K. Cunningham, R. P. Lippmann, D. J. Fried, S. L. Garfinkel, I. Graf, K. R. Kendall,
More informationA Rough Set Based Feature Selection on KDD CUP 99 Data Set
Vol.8, No.1 (2015), pp.149-156 http://dx.doi.org/10.14257/ijdta.2015.8.1.16 A Rough Set Based Feature Selection on KDD CUP 99 Data Set Vinod Rampure 1 and Akhilesh Tiwari 2 Department of CSE & IT, Madhav
More informationHands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last revised 10-4-17 KonBoot Get into any account without the password Works on Windows and Linux No longer free Link Ch 5r From the
More informationIDuFG: Introducing an Intrusion Detection using Hybrid Fuzzy Genetic Approach
International Journal of Network Security, Vol.17, No.6, PP.754-770, Nov. 2015 754 IDuFG: Introducing an Intrusion Detection using Hybrid Fuzzy Genetic Approach Ghazaleh Javadzadeh 1, Reza Azmi 2 (Corresponding
More informationHands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last revised 1-11-17 KonBoot Get into any account without the password Works on Windows and Linux No longer free Link Ch 5r From the
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 19: Intrusion Detection Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Intruders Intrusion detection host-based network-based
More informationSingle Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking
1 Review of TCP/IP working Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path Frame Path Chapter 3 Client Host Trunk Link Server Host Panko, Corporate
More informationDenial of Service and Distributed Denial of Service Attacks
Denial of Service and Distributed Denial of Service Attacks Objectives: 1. To understand denial of service and distributed denial of service. 2. To take a glance about DoS techniques. Distributed denial
More informationSpecialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com
Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE s3security.com Security Professional Services S3 offers security services through its Security Professional Services (SPS) group, the security-consulting
More informationComputer Security and Privacy
CSE P 590 / CSE M 590 (Spring 2010) Computer Security and Privacy Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for
More informationAttack Prevention Technology White Paper
Attack Prevention Technology White Paper Keywords: Attack prevention, denial of service Abstract: This document introduces the common network attacks and the corresponding prevention measures, and describes
More informationComparative Analysis of Classification Algorithms on KDD 99 Data Set
I. J. Computer Network and Information Security, 2016, 9, 34-40 Published Online September 2016 in MECS (http://www.mecs-press.org/) DOI: 10.5815/ijcnis.2016.09.05 Comparative Analysis of Classification
More informationUnsupervised clustering approach for network anomaly detection
Unsupervised clustering approach for network anomaly detection Iwan Syarif 1,2, Adam Prugel-Bennett 1, Gary Wills 1 1 School of Electronics and Computer Science, University of Southampton, UK {is1e08,apb,gbw}@ecs.soton.ac.uk
More informationFast Feature Reduction in Intrusion Detection Datasets
MIPRO 2012, May 21-25,2012, Opatija, Croatia Fast Feature Reduction in Intrusion Detection Datasets Shafigh Parsazad *, Ehsan Saboori **, Amin Allahyar * * Department Of Computer Engineering, Ferdowsi
More informationUsing Domain Knowledge to Facilitate Cyber Security Analysis
Association for Information Systems AIS Electronic Library (AISeL) AMCIS 2012 Proceedings Proceedings Using Domain Knowledge to Facilitate Cyber Security Analysis Peng He Information Systems, UMBC, Baltimore,
More informationCSC 574 Computer and Network Security. TCP/IP Security
CSC 574 Computer and Network Security TCP/IP Security Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides by Will Enck and Micah Sherr) Network Stack, yet again Application Transport Network
More informationData Mining Approaches for Network Intrusion Detection: from Dimensionality Reduction to Misuse and Anomaly Detection
Data Mining Approaches for Network Intrusion Detection: from Dimensionality Reduction to Misuse and Anomaly Detection Iwan Syarif 1,2, Adam Prugel-Bennett 1, Gary Wills 1 1 School of Electronics and Computer
More informationKeywords Intrusion Detection System, Artificial Neural Network, Multi-Layer Perceptron. Apriori algorithm
Volume 3, Issue 6, June 2013 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Detecting and Classifying
More informationAnalysis of KDD 99 Intrusion Detection Dataset for Selection of Relevance Features
Analysis of KDD 99 Intrusion Detection Dataset for Selection of Relevance Features Adetunmbi A.Olusola., Adeola S.Oladele. and Daramola O.Abosede Abstract - The rapid development of business and other
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN
More informationHP High-End Firewalls
HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2630 Software version: F1000-E/Firewall module: R3166 F5000-A5: R3206 Document version: 6PW101-20120706 Legal and notice information
More informationBasic Concepts in Intrusion Detection
Technology Technical Information Services Security Engineering Roma, L Università Roma Tor Vergata, 23 Aprile 2007 Basic Concepts in Intrusion Detection JOVAN GOLIĆ Outline 2 Introduction Classification
More informationCooperative Anomaly and Intrusion Detection for Alert Correlation in Networked Computing Systems
Cooperative Anomaly and Intrusion Detection for Alert Correlation in Networked Computing Systems Kai Hwang, Fellow IEEE, Hua Liu, Student Member and Ying Chen, Student Member Abstract: Network-centric
More informationSecBlade Firewall Cards Attack Protection Configuration Example
SecBlade Firewall Cards Attack Protection Configuration Example Keywords: Attack protection, scanning, blacklist Abstract: This document describes the attack protection functions of the SecBlade firewall
More informationEvaluating the Strengths and Weaknesses of Mining Audit Data for Automated Models for Intrusion Detection in Tcpdump and Basic Security Module Data
Journal of Computer Science 8 (10): 1649-1659, 2012 ISSN 1549-3636 2012 Science Publications Evaluating the Strengths and Weaknesses of Mining Audit Data for Automated Models for Intrusion Detection in
More informationCommon Network Attacks
Common Network Attacks David J. Marchette dmarchette@gmail.com Common Network Attacks p.1/96 Outline Some Common Attacks SHADOW EMERALD ADAM Utilities Common Network Attacks p.2/96 Terminology Active.
More informationData Reduction and Ensemble Classifiers in Intrusion Detection
Second Asia International Conference on Modelling & Simulation Data Reduction and Ensemble Classifiers in Intrusion Detection Anazida Zainal, Mohd Aizaini Maarof and Siti Mariyam Shamsuddin Faculty of
More informationA Study on Intrusion Detection Techniques in a TCP/IP Environment
A Study on Intrusion Detection Techniques in a TCP/IP Environment C. A. Voglis and S. A. Paschos Department of Computer Science University of Ioannina GREECE Abstract: The TCP/IP protocol suite is the
More informationComparison of variable learning rate and Levenberg-Marquardt back-propagation training algorithms for detecting attacks in Intrusion Detection Systems
Comparison of variable learning rate and Levenberg-Marquardt back-propagation training algorithms for detecting attacks in Intrusion Detection Systems Tummala Pradeep 1 IV th Year Student, Department of
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 8 Denial of Service First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Denial of Service denial of service (DoS) an action
More informationAlfonso Valdes Keith Skinner SRI International
Adaptive, Model-Based Monitoring And Threat Detection Alfonso Valdes Keith Skinner SRI International http://www.sdl.sri.com/emerald/adaptbn-paper/adaptbn.html 2 Outline Objectives Approach Bayes net models
More informationDIMENSIONALITY REDUCTION FOR DENIAL OF SERVICE DETECTION PROBLEMS USING RBFNN OUTPUT SENSITIVITY
Proceedings of the Second International Conference on Machine Learning and Cybernetics, Wan, 2-5 November 2003 DIMENSIONALITY REDUCTION FOR DENIAL OF SERVICE DETECTION PROBLEMS USING RBFNN OUTPUT SENSITIVITY
More informationSnort Rules Classification and Interpretation
Snort Rules Classification and Interpretation Pop2 Rules: Class Type Attempted Admin(SID: 1934, 284,285) GEN:SID 1:1934 Message POP2 FOLD overflow attempt Summary This event is generated when an attempt
More informationModel Redundancy vs. Intrusion Detection
Model Redundancy vs. Intrusion Detection Zhuowei Li, Amitabha Das, and Sabu Emmanuel School of Computer Engineering, Nanyang Technological University, 50, Nanyang Avenue, Singapore 639798 zhwei.li@pmail.ntu.edu.sg
More informationHP High-End Firewalls
HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2650 Software version: F1000-A-EI&F1000-S-EI: R3721 F5000: F3210 F1000-E: F3171 Firewall module: F3171 Document version: 6PW101-20120719
More informationApplication of Case-Based Reasoning to Multi-Sensor Network Intrusion Detection
Application of Case-Based Reasoning to Multi-Sensor Network Intrusion Detection Jidong Long, Daniel Schwartz, and Sara Stoecklin Department of Computer Science Florida State University Tallahassee, Florida
More informationModeling Intrusion Detection Systems With Machine Learning And Selected Attributes
Modeling Intrusion Detection Systems With Machine Learning And Selected Attributes Thaksen J. Parvat USET G.G.S.Indratrastha University Dwarka, New Delhi 78 pthaksen.sit@sinhgad.edu Abstract Intrusion
More informationJournal of Asian Scientific Research EFFICIENCY OF SVM AND PCA TO ENHANCE INTRUSION DETECTION SYSTEM. Soukaena Hassan Hashem
Journal of Asian Scientific Research journal homepage: http://aessweb.com/journal-detail.php?id=5003 EFFICIENCY OF SVM AND PCA TO ENHANCE INTRUSION DETECTION SYSTEM Soukaena Hassan Hashem Computer Science
More informationComputer Science 3CN3 and Software Engineering 4C03 Final Exam Answer Key
Computer Science 3CN3 and Software Engineering 4C03 Final Exam Answer Key DAY CLASS Dr. William M. Farmer DURATION OF EXAMINATION: 2 Hours MCMASTER UNIVERSITY FINAL EXAMINATION April 2008 THIS EXAMINATION
More informationCISCO CONTEXT-BASED ACCESS CONTROL
51-10-41 DATA COMMUNICATIONS MANAGEMENT CISCO CONTEXT-BASED ACCESS CONTROL Gilbert Held INSIDE Operation; Intersection; The Inspect Statement; Applying the Inspection Rules; Using CBAC OVERVIEW Until 1999,
More information