Real-Time Risk Assessment with Network Sensors and Intrusion Detection Systems
Related papers
Lecture Notes in Computer Science, 2006
Security-oriented risk assessment tools are used to determine the impact of certain events on the security status of a network. Most existing approaches are generally limited to manual risk evaluations that are not suitable for real-time use. In this paper, we introduce an approach to network risk assessment that is novel in a number of ways. First of all, the risk level of a network is determined as the composition of the risks of individual hosts, providing a more precise, fine-grained model. Second, we use Hidden Markov models to represent the likelihood of transitions between security states. Third, we tightly integrate our risk assessment tool with an existing framework for distributed, large-scale intrusion detection, and we apply the results of the risk assessment to prioritize the alerts produced by the intrusion detection sensors. We also evaluate our approach on both simulated and real-world data.
A Real-Time Risk Assessment Model for Intrusion Detection Systems Using Pattern Matching
2017
Intrusion Detection Systems (IDS) are one of the most important tools in the security field. The main aim of an IDS is to gather and analyze events from networks and hosts to identify signs of suspicious traffic. Having detected such signs, they generate alerts to report them. IDSs are known to generate a large number of false alerts during detection. Analyzing the alerts manually by a security administrator needs more time and makes it extremely difficult to correctly identify alerts related to attacks (true positives). In this paper, we introduce an approach to Intrusion Risk Assessment. The objective is to determine the impact of certain events on the security status of a network. In this approach, we evaluate the risk as a composition of certain parameters of alerts. Then we tightly integrate the Risk Assessment model with an existing framework, and we apply the results of the risk assessment to prioritize the alerts produced by the IDS.
A systematic review on intrusion detection based on the Hidden Markov Model
Statistical Analysis and Data Mining: The ASA Data Science Journal, 2018
Apart from using traditional security solutions in software systems such as firewalls and access control mechanisms, utilizing intrusion detection systems is also necessary. Intrusion detection is a process in which a set of methods is used to detect malicious activities against the victims. Many techniques for detecting potential intrusions in software systems have already been introduced. One of the most important techniques for intrusion detection based on machine learning is using Hidden Markov Models (HMM). In recent decades, many research communities have been working toward HMM-based intrusion detection. Therefore, a large volume of research works has been published and hence, various research areas have emerged in this field. However, until now, there has been no systematic and up-to-date review of research works within the field. This paper aims to survey the research in this field and provide open problems and challenges based on the analysis of advantages, limitations, types of architectural models, and applications of current techniques. Six different architectural models for intrusion detection purposes are proposed in the literature. We compare these models based on performance criteria in order to select an appropriate type for a specific application. The results show that HMM-based intrusion detection techniques have six main advantages relative to the other techniques of machine learning: precise intrusion detection, ability to detect new and unknown intrusions, prediction of the intruder's potential next steps, usage in real-time applications by processing data streams on-the-fly, usage of heterogeneous data sources as input, and visual representation of acquired knowledge.
System approach to intrusion detection using hidden Markov model
2006
In an era of cooperating ad hoc networks and pervasive wireless connectivity, we are becoming more vulnerable to malicious attacks. Many of these attacks are silent in nature and cannot be detected by the conventional intrusion detection system (IDS) methods such as traffic monitoring, port scanning, or protocol violations. These sophisticated attacks operate under the threshold boundaries during an intrusion attempt and can only be identified by profiling the complete system activity in relation to a normal behavior. In this paper we discuss a hidden Markov model (HMM) strategy for intrusion detection using a multivariate Gaussian model for observations that are then used to predict an attack that exists in a form of a hidden state. This model is comprised of a self-organizing network for event clustering, an observation classifier, a drift detector, a profile estimator, a Gaussian mixture model (GMM) accelerator, and an HMM engine. We use this method to predict the intrusion states based on observation deviation from normal profiles or by fitting it into an appropriate attack profile.
Intrusion Detection System and Hidden Markov Models
IJARCSSE, 2014
Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking sources. We need an Intrusion Detection System to detect intrusion. HMM is a random, probabilistic and stochastic process with an underlying probabilistic process that is not observable, but can be observed through another set of stochastic or random processes that produces the sequences of observed symbols. HMM can be used to model an IDS. In this paper, we have discussed how different numbers of trained HMMs affect the performance of an IDS modelled using HMMs.
Keywords: Intrusion Detection System, Hidden Markov Model, system security, normal behaviour modelling, accuracy
I. INTRODUCTION
An intrusion detection system (IDS) is used to monitor network traffic, check for suspicious activities and notify the network administrator or the system. In some instances, the IDS might also react to malicious or anomalous traffic and will take action such as barring the user or perhaps the source IP address from accessing the system. IDS are available in many different types and will approach the mission of uncovering shady traffic in various ways [8]. We have modelled IDS using alternative numbers of HMMs and compared the accuracy obtained.
Fuzzy Online Risk Assessment for Distributed Intrusion Prediction and Prevention Systems
2008
A Distributed Intrusion Prediction and Prevention System (DIPPS) not only detects and prevents possible intrusions but also possesses the capability to predict possible intrusions in a distributed network. Based on the DIPS sensors, instead of merely preventing the attackers or blocking traffic, we propose a fuzzy logic based online risk assessment scheme. The key idea of DIPPS is to protect the network(s) linked to assets, which are considered to be very risky. To implement DIPPS we used a Distributed Intrusion Detection System (DIDS) with extended real time traffic surveillance and online risk assessment. To model and predict the next step of an attacker, we used a Hidden Markov Model (HMM) that captures the interaction between the attacker and the network. The interaction between various DIDS and integration of their output are achieved through an HMM. The novelty of this paper is the detailed development of Fuzzy Logic Controllers to estimate the various risk(s) that are dependent on several other variables based on the inputs from HMM modules and the DIDS agents. To develop the fuzzy risk expert system, if-then fuzzy rules were formulated based on interviews with security experts and network administrators. Preliminary results indicate that such a system is very practical for protecting assets which are prone to attacks or misuse, i.e. highly at risk.
Incorporating Hidden Markov Model into Anomaly Detection Technique for Network Intrusion Detection
International Journal of Computer Applications, 2012
Nowadays, to increase computational efficiency, distributed systems are used in which the computing resources are shared among several systems. Such openness of distributed systems leads to an increase in potential attacks on the hardware and software by exploration of system vulnerability. This paper presents an implementation of an Intrusion Detection System (IDS) to model the behavior of users using a Hidden Markov Model (HMM). This model attempts to detect intrusive attacks efficiently. The IDS is an identification system which can be characterized by probabilities of false acceptance and false rejection. False acceptance means that the IDS allows intruders to continue their activity. False rejection means that the IDS stops the activity of a legitimate user. An IDS can be developed by adoption of an appropriate mathematical model that allows us to generate user profiles efficiently and facilitates an effective and accurate decision-making process for intrusion detection. Due to the nondeterministic nature of user behavior, the decision about intrusive or nonintrusive behavior must take into account all evidence for and against the claim. So a probabilistic approach is implemented to model user profiles to detect attacks.
Intrusion Detection System using Bayesian Network and Hidden Markov Model
Procedia Technology, 2012
Across the globe, billions of dollars are spent every year to provide security to network systems to prevent intrusions. Some consider the disruption of vital systems a serious threat which disables the work of hospitals, banks, the military and various internet services across the world. To avert this impending threat, there are many possible solutions: one of these solutions is intrusion detection systems (IDS). The paper discusses the elaboration of an IDS model using a Bayesian Network and the Hidden Markov Model (HMM) approach with the KDDCUP dataset. The IDS framework has been designed with various levels of processing, such as model learning with training data and constructing the Bayesian Network, and this structure has been used as the HMM state transition diagram. The preprocessed KDDCUP dataset has been used to train and test the model. The IDS model has been trained and tested for normal and attack type connection records separately. The results evince that the performance of the model is of high order for classification of normal and intrusion attacks.
Modelling Intrusion Detection System using Hidden Markov Model: A Review
IJARCSSE, 2014
Information security has become a major concern to various businesses and organizations and requires an intelligent security system that can automatically detect intrusions. An Intrusion Detection System (IDS) is used for this purpose. An Intrusion Detection System has become a popular tool for observing patterns of activities in user accounts and detecting malicious behaviour. A Hidden Markov Model (HMM) is a finite set of states, each of which is associated with a probability distribution. Transitions among these states are governed by a set of probabilities called state transition probabilities. In a particular state an outcome or observation can be generated, according to the associated probability distribution. It is only the outcome, not the state, that is visible to an external observer, and therefore states are "hidden" to the outside. HMM has been widely used in knowledge discovery, pattern classification, speech recognition and DNA sequence modelling, but use of HMM in intrusion detection is still in its infancy. This paper presents an overview (not exhaustive) of HMM and its applications in intrusion detection.
Keywords: Hidden Markov Models (HMMs), Intrusion Detection System (IDS), Anomaly Detection, Normal Behaviour Modelling, Computer security.