Intrusion Detection Research Papers - Academia.edu

Automated response to intrusions has become a major issue in defending critical systems. Because the adversary can take actions at computer speeds, systems need the capability to react without human intervention. An infrastructure that supports development of automated response systems is critically needed. This infrastructure must allow easy integration of detection and response components to enable experimentation with automated response strategies. This paper provides an overview of the Intruder Detection and Isolation Protocol (IDIP) architecture and how it supports the need for an intrusion detection and response infrastructure.

Today's growing number of security threats to computers and networks also increases the importance of log inspections to support the detection of possible breaches. The investigation and assessment of security incidents becomes more and more a daily business. Further, manual log analysis is essential in the context of developing signatures for intrusion detection systems (IDS), which allow for an automated defense against security attacks or incidents. But the analysis of log data in the context of forensic investigations and IDS signature development is a tedious and time-consuming task, due to the large amount of textual data. Moreover, this task requires skilled knowledge to differentiate between the important and the non-relevant information. In this paper, we propose an approach for log or audit data representation, which aims at simplifying the analysis process for the security officer. For this purpose audit data and existing relations between audit events are ...

In view of the escalating global threat to security, it is imperative to have an automated detection system that can pick up suspicious patterns of human movement in physical environments. It can give a forewarning before a planned attack happens or security is ultimately breached. In the past, significant research on Intrusion Detection was established, but limited to virtual environments like computer networks and operating systems. In this paper, we proposed a general security model for detecting suspicious patterns in physical environments. Suspicious patterns are subtle, and we showed that they can be detected via an experiment.

The implementation of a Security Incident Event Management (SIEM) system in the IT infrastructure is the direction of enterprise networks for monitoring malicious and anomalous traffic in Security Operation Centers (SOC). Log management is the challenge of SIEM solutions due to the voluminous amount of data collected daily from different types of devices. Another challenge is the classification of true alerts by analyzing the logs collected. The Project Coordinate (Correlation of Relevant Data in Network Access Technologies) explores different correlation techniques that identify patterns based on specific components in the logs. The researchers also present Tree Correlation, a newly-created correlation technique that can be used to aid in determining potential attacks that can happen by analyzing a series of logs based on header, content and behavior. The system is tested in an isolated network environment where different attacks are executed to compare how the different correlation techniques summarize the logs.

As the Internet grows at a phenomenal rate, email systems have become a widely used electronic form of communication. Every day, a large number of people exchange messages in this fast and inexpensive way. With the excitement about electronic commerce growing, the usage of email will increase even more exponentially. In this paper we present our research in developing a general method for intrusion detection in Internet-based email systems. The main idea is to use data mining techniques to discover consistent and useful patterns of the email system that can recognize anomalies and known intrusions.

AIS-based intrusion detection systems have traditionally performed self/non-self discrimination and suffer from issues such as scalability, false positives, problems with detector generation/holes, the need for an initial learning phase, etc. A relatively newer immunological discovery, the Danger Theory, now paves the way for designing more efficient, 2nd generation artificial immune systems. In this paper, we develop a dendritic cell based distributed misbehavior detection system, BeeAIS-DC, for a Bio/Nature inspired MANET routing protocol, BeeAdHoc. In MANETs, the frequent node movements cause the system self to change, thus increasing the rate of false positives. Our proposed system is inspired by the danger theory and models the behavior of the dendritic cells to detect the presence or absence of danger to provide a tolerogenic or immunogenic effect. We have implemented our proposed framework, BeeAIS-DC, in the network simulator ns-2, and evaluated its security and network performance. Our results indicate that modelling the dendritic cells allows BeeAIS-DC to dynamically update its detector set to cater for a changing self due to node mobility, and at the same time provides protection against the routing attacks. The network performance evaluation shows that the AIS overhead of BeeAIS-DC does not cause significant degradation of its performance, which is vital for a battery/bandwidth constrained mobile node.

Safety critical, Internet of Things (IoT) and space-based applications have recently begun to adopt wireless networks based on commercial off the shelf (COTS) devices and standardized protocols, which inherently establishes the security challenge of malicious intrusions. Malicious intrusions can cause severe consequences if undetected, including complete denial of services. Particularly, any safety critical application requires all services to operate correctly, as any loss can be detrimental to safety and/or privacy. Therefore, in order for these safety critical services to remain operational and available, any and all intrusions need to be detected and mitigated. Whilst intrusion detection is not a new research area, new vulnerabilities in wireless networks, especially wireless sensor networks (WSNs), can be identified. In this paper, a specific vulnerability of WSNs is explored, termed here the matched protocol attack. This malicious attack uses protocol-specific structures to compromise a network using that protocol. Through attack exploration, this paper provides evidence that traditional spectral techniques are not sufficient to detect an intrusion using this style of attack. Furthermore, a ZigBee cluster head network, which co-exists with ISM band services, consisting of XBee COTS devices is utilized, along with a real time spectrum analyzer, to experimentally evaluate the effect of matched protocol interference on a realistic network model. Results of this evaluation are provided in terms of device errors and spectrum use. This malicious challenge is also examined through Monte-Carlo simulations. A potential detection technique, based on coarse inter-node distance measurements, which can theoretically be used to detect matched protocol interference and localize the origin of the source, is also suggested as a future progression of this work.
Insights into how this attack style preys on some of the main security risks of any WSN (interoperability, device limitations and operation in hostile environments) are also provided.

Today web servers are ubiquitous, having become critical infrastructure of many organizations. However, they are still one of the most vulnerable parts of an organization's infrastructure. Exploits are many times used by worms to propagate fast across the whole Internet, with web servers being one of their main targets. New exploit techniques have arisen in the last few years that have rendered useless traditional IDS techniques based on signature identification. Exploits use polymorphism (code encryption) and metamorphism (code obfuscation) to evade detection by signature-based IDSs. In this paper, we address precisely the topic of how to protect web servers against zero-day (new), polymorphic, and metamorphic malware embedded in data streams (requests) that target web servers. We rely on a novel technique to detect harmful binary code injection (i.e., exploits) in HTTP requests that is more efficient than current techniques based on binary code emulation or instrumentation of virtual engines. The detection of exploits is done through sandbox processes. The technique is complemented by another set of techniques, such as caching and pooling, to reduce its cost to negligible levels. Our technique makes few assumptions regarding the exploit, unlike previous approaches that assume the existence of sled or getPC code, loops, reads of the payload, writes to different addresses, etc. The evaluation shows that caching is highly effective and that the average latency introduced by our system is negligible.

SQL Injection attacks on web applications have become one of the most important information security concerns over the past few years. This paper presents a hybrid approach based on the Adaptive Intelligent Intrusion Detector Agent (AIIDA-SQL) for the detection of those attacks. The

Most intrusion detection systems (IDS) with a single-level structure can only detect either misuse or anomaly attacks. Some IDSs with a multi-level structure or multiple classifiers are proposed to detect both kinds of attack, but they are limited in adaptive learning. In this paper, two hierarchical IDS frameworks using Radial Basis Functions (RBF) are proposed. A serial hierarchical IDS (SHIDS) is proposed to identify misuse attacks accurately and anomaly attacks adaptively. A parallel hierarchical IDS (PHIDS) is proposed to enhance the SHIDS's functionalities and performance. The experiments show that the two proposed IDSs can detect network intrusions in real time, train new classifiers for novel intrusions automatically, and modify their structures adaptively after new classifiers are trained.

Intrusion Detection is a topic that is of interest both in the corporate world and in academia. With the advent of Big Data Analytics, multiple analytics techniques can be used on the enormous amounts of data that are being generated every single day in order to discover knowledge. This inherently poses a threat to the security and privacy of all the parties involved. Therefore, it is a necessity in today's world to reinforce security systems with robust Intrusion Detection and Prevention Systems. A nominal Cybersecurity System can no longer suffice for detecting and minimizing the damage from cyber-attacks, especially since many of the attacks do not fall under a pre-discovered category. In this paper we review the various works particularly concerning Big Heterogeneous Data, and present opportunities for further research to be conducted in these areas.

Soft computing techniques are increasingly being used for problem solving. This paper addresses using an ensemble approach of different soft computing techniques for intrusion detection. Due to increasing incidents of cyber attacks, building effective intrusion detection systems (IDSs) is essential for protecting information systems security, and yet it remains an elusive goal and a great challenge. Two classes of soft computing techniques are studied: Artificial Neural Networks (ANNs) and Support Vector Machines (SVMs). We show that an ensemble of ANN and SVM is superior to the individual approaches for intrusion detection in terms of classification accuracy.

The finding by Maier et al. [1] that Network News Transport Protocol (NNTP) traffic is responsible for up to 5% of residential network traffic inspires us to revisit today's Usenet usage. For this purpose we have developed an NNTP analyzer for the Bro network intrusion detection system. We find that NNTP is intensively used by a small fraction of the residential broadband lines that we study and that almost all traffic is to NNTP servers that require subscription for a monthly fee. The accessed content resembles what one might expect from file-sharing systems: archives and multimedia files. Accordingly, it appears that NNTP is used by some as a high performance alternative to traditional P2P file-sharing options such as eDonkey or BitTorrent.

An implemented system for on-line analysis of multiple distributed data streams is presented. The system is conceptually universal since it does not rely on any particular platform feature and uses format adaptors to translate data streams into its own standard format. The system is as powerful as possible (from a theoretical standpoint) but still efficient enough for on-line analysis thanks to its novel rule-based language (RUSSEL), which is specifically designed for efficient processing of sequential unstructured data streams. The generic concepts are applied to security audit trail analysis. The resulting system provides powerful network security monitoring and sophisticated tools for intrusion/anomaly detection. The rule-based and command languages are described, as well as the distributed architecture and the implementation. Performance measurements are reported, showing the effectiveness of the approach.

This paper presents an extension of MOVICAB-IDS, a Hybrid Intelligent Intrusion Detection System characterized by incorporating temporal control to enable real-time processing and response. The original formulation of MOVICAB-IDS combines artificial neural networks and case-based reasoning within a multiagent system to perform Intrusion Detection in dynamic computer networks. The contribution of the anytime algorithm, one of the most promising for adapting Artificial Intelligence techniques to real-time requirements, is comprehensively presented in this work.

This paper proposes an intrusion detection and prediction system based on uncertain and imprecise inference networks, and its implementation. Given a history of sessions, the aim is to propose a supervised learning method coupled with a classifier that extracts the knowledge needed to identify whether or not an intrusion is present in a session and, in the positive case, to recognize its type and predict the possible intrusions that will follow it. The proposed system takes into account the uncertainty and imprecision that can affect the statistical data of the history. The systematic use of a unique probability distribution to represent this type of knowledge presupposes overly rich subjective information and risks being partly arbitrary. One of the first objectives of this work was therefore to ensure consistency between the way we represent information and the information we actually have.

Network traffic data is huge, varying and imbalanced because the various classes are not equally distributed. Machine learning (ML) algorithms for traffic analysis use samples from this data to recommend the actions to be taken by network administrators. Due to imbalances in the dataset, machine learning algorithms may give biased or false results, leading to serious degradation in the performance of these algorithms. Since the network dataset is huge, training a machine learning algorithm takes more time, and hence sampling should be used to reduce the training time. But using sampling may cause loss of information, which should be taken care of while obtaining the samples. In this paper various sampling techniques have been analysed for loss of information and imbalances during sampling of network traffic data. The data set is collected from the Panjab University network. Various parameters, like missing classes in samples and the probability of sampling of the different instances, have been considered for comparison.

The nature of clinical data makes it difficult to quickly select, tune and apply machine learning algorithms to clinical prognosis. As a result, a lot of time is spent searching for the most appropriate machine learning algorithms applicable in clinical prognosis that contains either binary-valued or multi-valued attributes. The study set out to identify and evaluate the performance of machine learning classification schemes applied in clinical prognosis of post-operative life expectancy in lung cancer patients. Multilayer Perceptron, J48, and the Naive Bayes algorithms were used to train and test models on Thoracic Surgery datasets obtained from the University of California Irvine machine learning repository. Stratified 10-fold cross-validation was used to evaluate the baseline performance accuracy of the classifiers. The comparative analysis shows that the multilayer perceptron performed best with a classification accuracy of 82.3%, J48 came out second with a classification accuracy of 81.8%, and Naive Bayes came out worst with a classification accuracy of 74.4%. The quality and outcome of the chosen machine learning algorithms depend on the ingenuity of the clinical miner.

A new empirical large-signal model for high-power GaN HEMTs utilizing an improved drain current (Ids) model is presented. The new Ids formulation accurately predicts the asymmetric bell-shaped transconductance (gm) over a large drain-source bias range, which is crucial in modeling high-power GaN HEMTs. A method of utilizing a combination of pulsed-gate (PGIV) and pulsed-gate-and-drain (PIV) IV measurements to characterize the dispersive behavior of GaN HEMT nonlinear Ids characteristics is developed. Dispersion due to self-heating is modeled by modifying Ids parameters as a function of the temperature change and drain-source bias. Dispersion due to trapping is modeled using an effective gate-source voltage model. Accurate predictions of the RF small-signal and large-signal performance are demonstrated for two quiescent biases.

Anomaly detection in a wireless sensor network (WSN) is an important aspect of data analysis in order to identify data items that significantly differ from normal data. A characteristic of the data generated by a WSN is that the data distribution may alter over the lifetime of the network due to the changing nature of the phenomenon being observed. Anomaly detection techniques must be able to adapt to a nonstationary data distribution in order to perform optimally. In this survey, we provide a comprehensive overview of approaches to anomaly detection in a WSN and their operation in a nonstationary environment.

The objective of object recognition algorithms in computer vision is to quantify the presence or absence of a certain class of objects, e.g. bicycles, cars, people, etc., which is highly useful in traffic estimation applications. Sparse signal models and dictionary learning techniques can be utilized not only to classify images as belonging to one class or another, but also to detect the case when two or more of these classes co-occur, with the help of augmented dictionaries. We present results comparing the classification accuracy when different image classes occur together. Practical scenarios where such an approach can be applied include forms of intrusion detection, i.e., where an object of class B should not co-occur with objects of class A. An example is when there are bicyclists riding on prohibited sidewalks, or a person is trespassing in a hazardous area. Mixed class detection in terms of determining semantic content can be performed in a global manner on downscaled versions of images or thumbnails. However, to accurately classify an image as belonging to one class or the other, we resort to higher resolution images and localized content examination. With the help of blob tracking we can use this classification method to count objects in traffic videos. The method of feature extraction illustrated in this paper is highly suited to images obtained in practical cases, which are usually of poor quality and lack enough texture for the popular gradient based methods to produce adequate feature points. We demonstrate that by training different types of dictionaries appropriately, we can perform various tasks required for traffic monitoring.

Jim Anderson - in the early eighties of the twentieth century, Anderson defined an intrusion as any unauthorized attempt to access, manipulate, modify or destroy information, or to render a system unreliable or unusable. An intrusion detection system attempts to detect this type of activity. 6.1 Intrusion detection systems (IDS)

This work focuses on infiltration methods, such as Address Resolution Protocol (ARP) spoofing, where adversaries send fabricated ARP messages, linking their Media Access Control (MAC) address to a genuine device's Internet Protocol (IP) address. We developed a Software-Defined Networking (SDN)-based Intrusion Detection and Prevention System (IDPS), which defends against ARP spoofing and blacklisted MAC addresses. This is done by dynamically adjusting SDN's operating parameters to detect malicious network traffic. Bespoke software was written to conduct the attack tests and customise the IDPS; this was coupled to a specifically developed library to validate user input. Improvements were made to SDN in the areas of attack detection, firewall, intrusion prevention, packet dropping, and shorter timeouts. Our extensive experimental results show that the developed solution is effective and quickly responds to intrusion attempts. In the considered test scenarios, our measured detection and mitigation times are sufficiently low (in the order of a few seconds).

This paper investigates the effect of common network attacks on the performance and security of several biometric readers. Experiments are conducted using Denial of Service attacks (DoS) and the ARP cache poisoning attack. The experiments show that the tested biometric readers are vulnerable to DoS attacks, and their recognition performance is significantly affected after launching the attacks. However, the experiments show that the tested biometric readers are secure from the ARP cache poisoning attack. This work demonstrates that biometric readers are easy targets for malicious network users, lack basic security mechanisms, and are vulnerable to common attacks. The confidentiality and integrity of the log files in the biometric readers could be compromised with such attacks. It then becomes important to study these attacks in order to find flags that could aid in a network forensic investigation of a biometric device.

Identifying attackers is a major concern for both organizations and governments. Recently, the most used applications for prevention or detection of attacks are intrusion detection systems. Biometrics technology is simply the measurement and use of the unique characteristics of living humans to distinguish them from one another, and it is more useful as compared to passwords and tokens, which can be lost or stolen, so we have chosen the technique of biometric authentication. Biometric authentication provides the ability to require more instances of authentication in such a quick and easy manner that users are not bothered by the additional requirements. In this paper, we have given a brief introduction to biometrics. Then we have given the information regarding the intrusion detection system, and finally we have proposed a method based on fingerprint recognition which would allow us to detect more efficiently any abuse of the computer system that is running.

Complex event processing has become increasingly important in modern applications, ranging from supply chain management for RFID tracking to real-time intrusion detection. The goal is to extract patterns from such event streams in order to make informed decisions in real time. However, networking latencies and even machine failure may cause events to arrive out of order at the event stream processing engine. In this work, we address the problem of processing event pattern queries specified over event streams that may contain out-of-order data. First, we analyze the problems state-of-the-art event stream processing technology would experience when faced with out-of-order data arrival. We then propose a new solution of physical implementation strategies for the core stream algebra operators such as sequence scan and pattern construction, including stack-based data structures and associated purge algorithms. Optimizations for sequence scan and construction as well as state purging to minimize CPU cost and memory consumption are also introduced. Lastly, we conduct an experimental study demonstrating the effectiveness of our approach.

Security incidents are becoming more serious and more common not only in computer networks, but also in automation networks. Automation devices are increasingly based on computers, and they have the same weak points as standard computers. Current trends in automation networks include, among others, wide automation networks covering several manufacturing divisions and remote control of automation networks.

There are currently dozens of freely available tools to help combat phishing and other web-based scams. Many of these tools come in the form of web browser extensions that warn users when they are browsing a suspected phishing site. We used verified phishing URLs and legitimate URLs to test the effectiveness of 10 popular anti-phishing toolbars. Overall, we found that the anti-phishing toolbars that were examined in this study left a lot to be desired. SpoofGuard did a very good job at identifying fraudulent sites, but it also incorrectly identified a large fraction of legitimate sites as fraudulent. EarthLink, Google, Netcraft, Cloudmark, and Internet Explorer 7 identified most fraudulent sites correctly and had few, if any, false positives, but they still missed more than 15% of fraudulent sites. The TrustWatch, eBay, and Netscape 8 toolbars could correctly identify less than half the fraudulent sites, and McAfee SiteAdvisor did not correctly identify any fraudulent sites. Many of the toolbars we tested were vulnerable to some simple exploits as well. In this paper we describe the anti-phishing toolbar test bed we developed, summarize our findings, and offer observations about the usability and overall effectiveness of these toolbars. Finally, we suggest ways to improve anti-phishing toolbars.

Wireless networks have seen exponential growth across many areas of human activity. Accordingly, transmitting a vast volume of sensitive and non-sensitive data over the network puts that data at risk of attack. To counter this, Intrusion Detection System (IDS) security is intended to detect threats and protect devices from attacks. An IDS usually uses one of the following alternative approaches: signature-based, anomaly-based, or a hybrid of the two. Although IDS has been the focus of much research in recent years, there is still room for improvement. Based on the anomaly-based approach, this paper proposes a modified algorithm called Multi-layer Feature Selection and Reduction IDS (MFSR-IDS) for providing high-level protection against Denial-of-Service (DoS) and Probe attacks. The MFSR-IDS framework makes three major contributions. First, it reduces the feature dimensionality of the network dataset across three layers. Second, it provides a fast and accurate detection system. Third, it provides a mathematical model of the framework under consideration. The MFSR-IDS algorithm selects an optimal number of features from the KDDCUP'99 dataset, which are used to train the predictive model based on different learning classifiers and an ensemble methodology. The performance of MFSR-IDS is evaluated in terms of Detection Rate (DR), False Positive Rate (FPR), F-Score, ROC area, Accuracy (Acc) and processing time. The experiments indicate that the proposed MFSR-IDS outperforms some existing IDS frameworks in terms of DR, FPR, Acc and processing time in detecting DoS and Probe attacks.
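The abstract names two things a practitioner has to get right when building or evaluating an anomaly-based IDS of this kind: reducing the feature space in stages, and scoring the result with DR, FPR, F-score and accuracy. The block below is an added illustration, not MFSR-IDS code or the paper's mathematical model. The three layers used here (a zero-variance filter, a pairwise correlation filter, and a ranking by how far the attack and normal class means are apart) are stand-ins for whatever the paper's layers actually are, and the KDD'99-style connection records are constructed, not rows from the real dataset.

```python
"""Three filter layers of feature reduction plus IDS detection metrics.

Added illustration in the spirit of MFSR-IDS. The layers (zero-variance
filter, correlation filter, class-separation ranking) are stand-ins for the
paper's layers, not a reimplementation of them. RECORDS are constructed
KDD'99-style connection records, not KDDCUP'99 data.
"""
from math import sqrt

ATTACK_LABELS = {"dos", "probe"}

# Constructed records: (features, label). 'land' is constant (dead feature),
# 'srv_count' mirrors 'count' (redundant feature) - both should be removed.
RECORDS = [
    ({"duration": 0, "src_bytes": 200, "count": 2,   "srv_count": 2,   "serror_rate": 0.0, "land": 0}, "normal"),
    ({"duration": 1, "src_bytes": 300, "count": 3,   "srv_count": 3,   "serror_rate": 0.0, "land": 0}, "normal"),
    ({"duration": 0, "src_bytes": 250, "count": 1,   "srv_count": 1,   "serror_rate": 0.0, "land": 0}, "normal"),
    ({"duration": 2, "src_bytes": 180, "count": 4,   "srv_count": 4,   "serror_rate": 0.1, "land": 0}, "normal"),
    ({"duration": 0, "src_bytes": 0,   "count": 500, "srv_count": 500, "serror_rate": 1.0, "land": 0}, "dos"),
    ({"duration": 0, "src_bytes": 0,   "count": 480, "srv_count": 480, "serror_rate": 1.0, "land": 0}, "dos"),
    ({"duration": 0, "src_bytes": 0,   "count": 510, "srv_count": 511, "serror_rate": 0.0, "land": 0}, "dos"),
    ({"duration": 0, "src_bytes": 0,   "count": 30,  "srv_count": 30,  "serror_rate": 0.2, "land": 0}, "probe"),
    ({"duration": 0, "src_bytes": 0,   "count": 40,  "srv_count": 40,  "serror_rate": 0.2, "land": 0}, "probe"),
]


def column(records, name):
    return [float(feats[name]) for feats, _ in records]


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0  # a constant column carries no correlation information
    return cov / sqrt(vx * vy)


def layer1_drop_constant(records, features):
    """Layer 1: remove zero-variance features; they cannot separate anything."""
    return [f for f in features if len(set(column(records, f))) > 1]


def layer2_drop_correlated(records, features, threshold=0.95):
    """Layer 2: greedily drop any feature near-collinear with one already kept."""
    kept = []
    for f in features:
        if all(abs(pearson(column(records, f), column(records, k))) <= threshold for k in kept):
            kept.append(f)
    return kept


def separation_score(records, feature):
    """|mean(attack) - mean(normal)| scaled by the feature's observed range."""
    vals = column(records, feature)
    attack = [v for v, (_, lbl) in zip(vals, records) if lbl in ATTACK_LABELS]
    normal = [v for v, (_, lbl) in zip(vals, records) if lbl not in ATTACK_LABELS]
    rng = max(vals) - min(vals)
    return abs(sum(attack) / len(attack) - sum(normal) / len(normal)) / rng


def layer3_rank(records, features, k):
    """Layer 3: keep the k features that best separate attack from normal."""
    ranked = sorted(features, key=lambda f: separation_score(records, f), reverse=True)
    return ranked[:k]


def reduce_features(records, k=3):
    features = list(records[0][0].keys())
    features = layer1_drop_constant(records, features)
    features = layer2_drop_correlated(records, features)
    return layer3_rank(records, features, k)


def detection_metrics(y_true, y_pred):
    """DR (attack recall), FPR, F-score and accuracy for attack-vs-normal labels."""
    tp = sum(t == "attack" and p == "attack" for t, p in zip(y_true, y_pred))
    fn = sum(t == "attack" and p == "normal" for t, p in zip(y_true, y_pred))
    fp = sum(t == "normal" and p == "attack" for t, p in zip(y_true, y_pred))
    tn = sum(t == "normal" and p == "normal" for t, p in zip(y_true, y_pred))
    dr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    precision = tp / (tp + fp) if tp + fp else 0.0
    f_score = 2 * precision * dr / (precision + dr) if precision + dr else 0.0
    return {"DR": dr, "FPR": fpr, "F": f_score, "Acc": (tp + tn) / len(y_true)}


if __name__ == "__main__":
    print("selected features:", reduce_features(RECORDS))
```

On the constructed records the pipeline drops `land` in layer 1, drops `srv_count` in layer 2 because it is near-perfectly correlated with `count`, and ranks `src_bytes`, `count` and `serror_rate` above `duration` in layer 3. The point of separating DR and FPR in `detection_metrics` is that an IDS can trade one for the other simply by moving its threshold, so an accuracy number alone says little on an imbalanced dataset such as KDD'99.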

Intrusion detection is the problem of identifying unauthorized use, misuse, and abuse of computer systems by both system insiders and external penetrators. The proliferation of heterogeneous computer networks provides additional implications for the intrusion detection problem. Namely, the increased connectivity of computer systems gives greater access to outsiders, and makes it easier for intruders to avoid detection. IDSs are based on the belief that an intruder's behavior will be noticeably different from that of a legitimate user. We are designing and implementing a prototype Distributed Intrusion Detection System (DIDS) that combines distributed monitoring and data reduction (through individual host and LAN monitors) with centralized data analysis (through the DIDS director) to monitor a heterogeneous network of computers. This approach is unique among current IDSs. A main problem considered in this paper is the Network-user Identification problem, which is concerned with tracking a user moving across the network, possibly with a new user-id on each computer. Initial system prototypes have provided quite favorable results on this problem and the detection of attacks on a network. This paper provides an overview of the motivation behind DIDS, the system architecture and capabilities, and a discussion of the early prototype.
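The Network-user Identification problem described above is easiest to understand as a correlation job: each host monitor only sees a local login and a local outbound connection, and the director has to stitch those fragments into one identity that survives a change of user-id at every hop. The block below is an added example, not DIDS code. It assumes a made-up line format for host-monitor events (login and connect records with a timestamp, host, user and peer), a fixed time window for matching a login on host B to a connect from host A, and the constructed event log embedded in it; the NID it assigns is just a counter.

```python
"""Network-user identification across hosts from constructed audit events.

Added example, not DIDS code: host monitors emit 'login' and outbound
'connect' events; a director stitches them into chains that share one
network-user ID (NID) even though the user-id changes on every hop.
The event format and hostnames are invented for this illustration.
"""
import re
from collections import defaultdict

EVENT_RE = re.compile(
    r"t=(?P<t>\d+) host=(?P<host>\S+) type=(?P<type>login|connect) "
    r"user=(?P<user>\S+) (?:src|dst)=(?P<peer>\S+)"
)

# Constructed host-monitor log. 'src=console' marks a local login; the final
# line is a login from an address no monitored host connected from.
EVENTS = """\
t=100 host=hostA type=login user=alice src=console
t=105 host=hostA type=connect user=alice dst=hostB
t=106 host=hostB type=login user=bob src=hostA
t=110 host=hostB type=connect user=bob dst=hostC
t=111 host=hostC type=login user=root src=hostB
t=120 host=hostC type=login user=carol src=console
t=130 host=hostB type=login user=guest src=203.0.113.7
""".splitlines()


def parse_event(line):
    m = EVENT_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ev = m.groupdict()
    ev["t"] = int(ev["t"])
    return ev


class Director:
    """Assigns each login session to a NID by matching it to the outbound
    connection on the source host that most plausibly produced it."""

    def __init__(self, window=30):
        self.window = window          # max seconds between connect and login
        self.next_nid = 1
        self.session_nid = {}         # (host, user) -> NID of that session
        self.pending = []             # outbound connects not yet matched
        self.chains = defaultdict(list)
        self.entry = {}               # NID -> where the chain entered the net

    def process(self, ev):
        if ev["type"] == "connect":
            self.pending.append(ev)
            return
        nid = self._match_inbound(ev)
        if nid is None:
            # No known session explains this login: start a new chain and
            # record its entry point, which is what an analyst triages first.
            nid = self.next_nid
            self.next_nid += 1
            self.entry[nid] = f"{ev['peer']} -> {ev['host']}"
        self.session_nid[(ev["host"], ev["user"])] = nid
        self.chains[nid].append(f"{ev['user']}@{ev['host']}")

    def _match_inbound(self, login):
        """Latest connect from login.src to login.host inside the window,
        made by a session the director has already identified."""
        candidates = [
            c for c in self.pending
            if c["host"] == login["peer"] and c["peer"] == login["host"]
            and 0 <= login["t"] - c["t"] <= self.window
            and (c["host"], c["user"]) in self.session_nid
        ]
        if not candidates:
            return None
        best = max(candidates, key=lambda c: c["t"])
        self.pending.remove(best)     # one connect explains one login
        return self.session_nid[(best["host"], best["user"])]


def identify(lines, window=30):
    d = Director(window)
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["t"]):
        d.process(ev)
    return dict(d.chains), d.entry


if __name__ == "__main__":
    chains, entry = identify(EVENTS)
    for nid in chains:
        print(f"NID {nid}: {' -> '.join(chains[nid])}  (entry: {entry[nid]})")
```

Run on the constructed log, the director produces one chain alice@hostA -> bob@hostB -> root@hostC under a single NID, a second NID for carol's console login, and a third for the guest login from 203.0.113.7, which no monitored host connected from and which therefore surfaces as an external entry point. The window matters: with `window=0` nothing correlates and every login becomes its own NID, which is the failure mode when host clocks drift or the connect and login records are delayed relative to each other.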

The rate of network attacks by hackers, crackers, and criminal enterprises has been increasing, impacting the availability, confidentiality, and integrity of critical information. In this paper, we propose a network-based Intrusion Detection and Classification System (IDCS) using a well-known machine learning technique to classify online network data that is preprocessed to have only 12 features. The number of features affects the detection speed and resource consumption. Unlike other intrusion detection approaches where only a few attack types are classified, our IDCS can classify normal network activities and identify 17 different attack types. Hence, our detection and classification approach can greatly reduce the time to diagnose and prevent network attacks.

Information security is a serious issue, especially in the present age, because a single attack may cause great harm to computer and network systems. Several intrusion detection approaches exist to tackle this critical issue, but the problem is which one is most suitable for intrusion detection. Further, these approaches are used in intrusion detection systems. Therefore, in this paper we evaluated them so that a suitable approach may be advised for intrusion detection systems. This work describes the concepts, tools and methodology used for the evaluation analysis of different intrusion detection approaches using a multi-criteria decision making technique. Moreover, conclusions on the results are drawn and directions for future work are presented.

Different trust models have been developed for dealing with possible dishonest behavior and attacks from malicious peer Intrusion Detection Systems (IDSs) in a collaborative Intrusion Detection Network (IDN). For evaluating and comparing these models, this paper introduces a simulation framework that incorporates different components namely expertise model, deception model, attack model, and evaluation metrics. The proposed framework offers flexibility for users to adjust the simulation parameters according to their needs. We then compare three existing trust models in this domain to demonstrate the effectiveness of our framework when used in analyzing their efficiency, robustness and scalability.

With an increased understanding of how systems work, intruders have become skilled at determining weaknesses in systems and exploiting them to obtain such increased privileges that they can do anything on the system. Intruders also use patterns of intrusion that are difficult to trace and identify. They frequently use several levels of indirection before breaking into target systems and rarely indulge in sudden bursts of suspicious or anomalous activity. They also cover their tracks so that their activity on the penetrated system is not easily discovered. We must have measures in place to detect security breaches, i.e., identify intruders and intrusions. Intrusion detection systems fill this role and usually form the last line of defense in the overall protection scheme of a computer system. They are useful not only in detecting successful breaches of security, but also in monitoring attempts to breach security, which provides important information for timely countermeasures. This paper focuses on how data mining is used for intrusion detection systems.

Computer networks face a major challenge: malicious attacks of many kinds are growing daily. Intrusion detection is one of the leading research problems in network and computer security. This paper investigates and presents Deep Learning (DL) techniques for improving the Intrusion Detection System (IDS). Moreover, it provides a detailed comparison covering performance evaluation, deep learning algorithms for detecting attacks, feature learning, and the datasets used, in order to identify the advantages of employing DL to enhance network intrusion detection.

To protect computer systems it is important to consider the concept of CIA: confidentiality, integrity and availability. With respect to availability, hackers continue to focus on preventing access to online services and systems by crashing a service through exploitation or by flooding services to the point that the resource is no longer accessible. These types of denial-of-service or DoS attacks can come directly from one IP address or from a multitude of computers located in disparate locations, known as distributed denial-of-service (DDoS) attacks. A variety of academic viewpoints have been created that focus on the detection, prevention, and mitigation of DoS attacks. Some academic research shows potential for real-world application, while others merely advance theoretical viewpoints that cannot realistically be implemented in the current technological landscape. In this essay, three research papers are reviewed, and each paper focuses on a novel approach to detect, prevent or mitigate availability attacks through DoS. The resulting analysis provides perspective on the feasibility of each approach.

Among various cyber threats, a DDoS attack is one of the major Internet threats that can affect anyone and even cause tremendous financial damage to organizations that use cloud-based services, while the mitigation of this threat can be highly difficult considering the complex infrastructure used to perform its malicious activities. For that purpose it is important to think proactively rather than reactively when addressing protection against this type of attack. This paper discusses an overview of botnets and some of the countermeasures against this threat.

I wrote this case study on 28 October 2002 for the book Hacking Exposed, Fourth Edition, published by McGraw-Hill Osborne Media on 25 February 2013. The book contained the first definition, in print, of the term "network security monitoring."

Cloud computing is an emerging technology that allows users to utilize on-demand computation, storage, data and services from around the world. However, Cloud service providers charge users for these services. Specifically, to access data from their globally distributed storage edge servers, providers charge users depending on the user's location and the amount of data transferred. When deploying data-intensive applications in a Cloud computing environment, optimizing the cost of transferring data to and from these edge servers is a priority, as data play the dominant role in the application's execution. In this paper, we formulate a non-linear programming model to minimize the data retrieval and execution cost of data-intensive workflows in Clouds. Our model retrieves data from Cloud storage resources such that the amount of data transferred is inversely proportional to the communication cost. We take an example of an 'intrusion detection' application workflow, where the data logs are made available from globally distributed Cloud storage servers. We construct the application as a workflow and experiment with Cloud based storage and compute resources. We compare the cost of multiple executions of the workflow given by a solution of our non-linear program against that given by Amazon CloudFront's 'nearest' single data source selection. Our results show a savings of three-quarters of total cost using our model.

An Intrusion Detection System (IDS) is a software application that monitors network or system activities and detects whether any malicious operations occur. The tremendous growth and usage of the Internet raise concerns about how to protect and communicate digital information in a safe manner. Nowadays, hackers use different types of attacks to obtain valuable information. Many intrusion detection techniques, methods and algorithms help to detect these attacks. The main objective of this paper is to provide a complete study of the definition of intrusion detection, its history, life cycle, types of intrusion detection methods, types of attacks, different tools and techniques, research needs, challenges and applications.

Denial of Service (DoS) attacks are among the major threats to Internet sites and one of the major security problems the Internet faces today. This paper examines the nature of the threats that Distributed Denial of Service (DDoS) attacks pose to networks. With little or no warning, a DDoS attack can easily exhaust its victim's communication and network resources in a short period of time. The paper outlines the problem of DDoS attacks and develops a classification of DDoS attacks and DDoS defense mechanisms. Important features of each attack and defense category are described, and the advantages and disadvantages of each proposed scheme are outlined. The goal of the paper is to impose a certain order on existing attack methods and defense mechanisms, so that a better understanding of DDoS attacks can be achieved and more effective methods and means of defense can be developed.

Wireless Sensor Networks (WSNs) are a recent advance in computer networks and electronics, and are increasingly becoming a practicable solution to many challenging applications. Sensor networks depend on the sensed data, which in turn depends on the application. One of the major applications of sensor networks is in the military, so security is the greatest concern when deploying sensor networks in such hostile, unattended environments to monitor real-world applications. But the limitations and inherent constraints of sensor nodes do not support the existing traditional security mechanisms in WSNs. Present research is therefore mainly concentrated on providing security mechanisms for sensor networks. In this context, this survey paper analyzes security aspects of sensor networks such as requirements, classifications, and types of attacks.