Dissertations / Theses on the topic 'Anomaly-based intrusion'

Consult the top 47 dissertations / theses for your research on the topic 'Anomaly-based intrusion.'

1

Satam, Shalaka Chittaranjan. "Bluetooth Anomaly Based Intrusion Detection System." Thesis, The University of Arizona, 2017. http://hdl.handle.net/10150/625890.

Abstract:
Bluetooth is a wireless technology that is used to communicate over personal area networks (PAN). With the advent of the Internet of Things (IoT), Bluetooth is the technology of choice for small and short-range communication networks. For instance, most modern cars have the capability to connect to mobile devices using Bluetooth. This ubiquitous presence of Bluetooth makes it important that it is secure and its data is protected. Previous work has shown that Bluetooth is vulnerable to attacks like the man-in-the-middle attack, Denial of Service (DoS) attack, etc. Moreover, all Bluetooth devices are mobile devices and thus power utilization is an important performance parameter. The attacker can easily increase power consumption of a mobile device by launching an attack vector against that device. As a part of this thesis we present an anomaly based intrusion detection system for Bluetooth networks, Bluetooth IDS (BIDS). The BIDS uses an N-gram based approach to characterize the normal behavior of the Bluetooth protocol. Machine learning algorithms were used to build the normal behavior models for the protocol during the training phase of the system, thus allowing classification of observed Bluetooth events as normal or abnormal during the operational phase of the system. The experimental results showed that the models that were developed in this thesis had a high accuracy with precision of 99.2% and recall of 99.5%.
2

Balupari, Ravindra. "Real-time network-based anomaly intrusion detection." Ohio : Ohio University, 2002. http://www.ohiolink.edu/etd/view.cgi?ohiou1174579398.

3

Miller, Nicholas J. "Benchmarks for Evaluating Anomaly-Based Intrusion Detection Solutions." Thesis, California State University, Long Beach, 2018. http://pqdtopen.proquest.com/#viewpdf?dispub=10752128.

Abstract:
Anomaly-based Intrusion Detection Systems are critical components of modern security systems. They often rely on Machine Learning (ML) to detect potential attacks and have gained increased popularity over time, due to new technologies and dangers. There are many proposed anomaly-based systems using different ML algorithms and techniques; however, there is no standard benchmark to compare these based on quantifiable measures.
We have proposed a benchmark that measures both accuracy and performance to produce objective metrics that can be used in the evaluation of each algorithm implementation. In this paper, the benchmark will be used to compare four different ML algorithms (Naive Bayes, Support Vector Machines, Neural Networks, and K-means Clustering) on the NSL-KDD dataset. The experimental results show the differences in accuracy and performance between these algorithms on the dataset, and also how this benchmark can be used to create useful metrics for comparisons.
4

Al-Nashif, Youssif. "MULTI-LEVEL ANOMALY BASED AUTONOMIC INTRUSION DETECTION SYSTEM." Diss., The University of Arizona, 2008. http://hdl.handle.net/10150/195504.

Abstract:
The rapid growth and deployment of network technologies and Internet services has made security and management of networks a challenging research problem. This growth is accompanied by an exponential growth in the number of network attacks, which have become more complex, more organized, more dynamic, and more severe than ever. Current network protection techniques are static, slow in responding to attacks, and inefficient due to the large number of false alarms. Attack detection systems can be broadly classified as being signature-based, classification-based, or anomaly-based. In this dissertation, I present a multi-level anomaly based autonomic network defense system which can efficiently detect both known and unknown types of network attacks with a high detection rate and low false alarms. The system uses autonomic computing to automate the control and management of the multi-level intrusion detection system and integrate the different components of the system. The system defends the network by detecting anomalies in network operations that may have been caused by network attacks. Like other anomaly detection systems, AND captures a profile of normal network behavior. In this dissertation, I introduce experimental results that evaluate the effectiveness and performance of the multi-level anomaly based autonomic network intrusion detection system in detecting network attacks. The system consists of monitoring modules, feature aggregation and correlation modules, behavior analysis modules, a decision fusion module, a global visualization module, a risk and impact analysis module, an action module, an attack classification module, and the adaptive learning module. I have successfully implemented a prototype system based on my multi-level anomaly based approach.
The experimental results and evaluation of our prototype show that our multi-level intrusion detection system can efficiently and effectively detect and protect against any type of network attack, known or unknown, in real time. Furthermore, the overhead of our approach is insignificant on the normal network operations and services.
5

Labonne, Maxime. "Anomaly-based network intrusion detection using machine learning." Electronic Thesis or Diss., Institut polytechnique de Paris, 2020. http://www.theses.fr/2020IPPAS011.

Abstract:
In recent years, hacking has become an industry unto itself, increasing the number and diversity of cyber attacks. Threats on computer networks range from malware to denial of service attacks, phishing and social engineering. An effective cyber security plan can no longer rely solely on antiviruses and firewalls to counter these threats: it must include several layers of defence. Network-based Intrusion Detection Systems (IDSs) are a complementary means of enhancing security, with the ability to monitor packets from OSI layer 2 (Data link) to layer 7 (Application). Intrusion detection techniques are traditionally divided into two categories: signature-based (or misuse) detection and anomaly detection. Most IDSs in use today rely on signature-based detection; however, they can only detect known attacks. IDSs using anomaly detection are able to detect unknown attacks, but are unfortunately less accurate, which generates a large number of false alarms.
In this context, the creation of precise anomaly-based IDS is of great value in order to be able to identify attacks that are still unknown. In this thesis, machine learning models are studied to create IDSs that can be deployed in real computer networks. Firstly, a three-step optimization method is proposed to improve the quality of detection: 1/ data augmentation to rebalance the dataset, 2/ parameter optimization to improve the model performance and 3/ ensemble learning to combine the results of the best models. Flows detected as attacks can be analyzed to generate signatures to feed signature-based IDS databases. However, this method has the disadvantage of requiring labelled datasets, which are rarely available in real-life situations. Transfer learning is therefore studied in order to train machine learning models on large labelled datasets, then fine-tune them on benign traffic of the network to be monitored. This method also has flaws since the models learn from already known attacks, and therefore do not actually perform anomaly detection. Thus, a new solution based on unsupervised learning is proposed. It uses network protocol header analysis to model normal traffic behavior. Anomalies detected are then aggregated into attacks or ignored when isolated. Finally, the detection of network congestion is studied. The bandwidth utilization between different links is predicted in order to correct issues before they occur.
6

Tjhai, Gina C. "Anomaly-based correlation of IDS alarms." Thesis, University of Plymouth, 2011. http://hdl.handle.net/10026.1/308.

Abstract:
An Intrusion Detection System (IDS) is one of the major techniques for securing information systems and keeping pace with current and potential threats and vulnerabilities in computing systems. It is an indisputable fact that the art of detecting intrusions is still far from perfect, and IDSs tend to generate a large number of false IDS alarms. Hence humans inevitably have to validate those alarms before any action can be taken. As IT infrastructure becomes larger and more complicated, the number of alarms that need to be reviewed can escalate rapidly, making this task very difficult to manage. The need for an automated correlation and reduction system is therefore very much evident. In addition, alarm correlation is valuable in providing the operators with a more condensed view of potential security issues within the network infrastructure. The thesis embraces a comprehensive evaluation of the problem of false alarms and a proposal for an automated alarm correlation system. A critical analysis of existing alarm correlation systems is presented along with a description of the need for an enhanced correlation system. The study concludes that whilst a large number of works had been carried out in improving correlation techniques, none of them were perfect. They either required an extensive level of domain knowledge from the human experts to effectively run the system or were unable to provide high-level information on the false alerts for future tuning. The overall objective of the research has therefore been to establish an alarm correlation framework and system which enables the administrator to effectively group alerts from the same attack instance and subsequently reduce the volume of false alarms without the need for domain knowledge. The achievement of this aim has comprised the proposal of an attribute-based approach, which is used as a foundation to systematically develop an unsupervised two-stage correlation technique.
From this foundation, a novel SOM K-Means Alarm Reduction Tool (SMART) architecture has been modelled as the framework from which a time- and attribute-based aggregation technique is offered. The thesis describes the design and features of the proposed architecture, focusing upon the key components forming the underlying architecture, the alert attributes and the way they are processed and applied to correlate alerts. The architecture is strengthened by the development of a statistical tool, which offers a means to perform results or alert analysis and comparison. The main concepts of the novel architecture are validated through the implementation of a prototype system. A series of experiments were conducted to assess the effectiveness of SMART in reducing false alarms. This aimed to prove the viability of implementing the system in a practical environment and that the study has provided an appropriate contribution to knowledge in this field.
7

Wester, Philip. "Anomaly-based intrusion detection using Tree Augmented Naive Bayes Classifier." Thesis, KTH, Skolan för elektroteknik och datavetenskap (EECS), 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-295754.

Abstract:
With the rise of information technology and the dependence on these systems, it becomes increasingly more important to keep the systems secure. The possibility to detect an intrusion with intrusion detection systems (IDS) is one of multiple fundamental technologies that may increase the security of a system. One of the bigger challenges of an IDS is to detect types of intrusions that have previously not been encountered, so-called unknown intrusions. These types of intrusions are generally detected by using methods collectively called anomaly detection methods. In this thesis I evaluate the performance of the algorithm Tree Augmented Naive Bayes Classifier (TAN) as an intrusion detection classifier. More specifically, I created a TAN program from scratch in Python and tested the program on two data sets containing data traffic. The thesis aims to create a better understanding of how TAN works and evaluate if it is a reasonable algorithm for intrusion detection. The results show that TAN is able to perform at an acceptable level with a reasonably high accuracy. The results also highlight the importance of using the smoothing operator included in the standard version of TAN.
8

Nwanze, Nnamdi Chike. "Anomaly-based intrusion detection using lightweight stateless payload inspection." Diss., Online access via UMI:, 2009.

Abstract:
Thesis (Ph. D.)--State University of New York at Binghamton, Thomas J. Watson School of Engineering and Applied Science, Department of Electrical and Computer Engineering, 2009. Includes bibliographical references.
9

Söderström, Albin. "Anomaly-based Intrusion Detection Using Convolutional Neural Networks for IoT Devices." Thesis, Blekinge Tekniska Högskola, Institutionen för datavetenskap, 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:bth-21870.

Abstract:
Background. The rapid growth of IoT devices in homes puts people at risk of cyberattacks, and the low power and computing capabilities in IoT devices make it difficult to design a security solution for them. One method of preventing cyber attacks is an Intrusion Detection System (IDS) that can identify incoming attacks so that an appropriate action can be taken. Previous attempts have been made using machine learning and deep learning; however, these attempts have struggled at detecting new attacks.
Objectives. In this work we use a convolutional neural network, IoTNet, designed for IoT devices to classify network attacks, in order to evaluate the use of deep learning in intrusion detection systems on IoT.
Methods. The neural network was trained on the NF-UNSW-NB15-v2 dataset, which contains 9 different types of attacks. We used a method that transformed the network flow data into RGB images which were fed to the neural network for classification. We compared IoTNet to a basic convolutional neural network as a baseline.
Results. The results show that IoTNet did not perform better at classifying network attacks when compared to a basic convolutional neural network. It also showed that both networks had low precision for most classes.
Conclusions. We found that IoTNet is unfit to be used as an intrusion detection system in the general case and that further research must be done in order to improve the precision of the neural network.
10

Zhou, Mian. "Network Intrusion Detection: Monitoring, Simulation and Visualization." Doctoral diss., University of Central Florida, 2005. http://digital.library.ucf.edu/cdm/ref/collection/ETD/id/4063.

Abstract:
This dissertation presents our work on network intrusion detection and intrusion simulation. The work in intrusion detection consists of two different network anomaly-based approaches. The work in intrusion simulation introduces a model using explicit traffic generation for the packet level traffic simulation. The process of anomaly detection is to first build profiles for the normal network activity and then mark any events or activities that deviate from the normal profiles as suspicious. Based on the different schemes of creating the normal activity profiles, we introduce two approaches for intrusion detection. The first one is a frequency-based approach which creates a normal frequency profile based on the periodic patterns existing in the time series formed by the traffic. It aims at those attacks that are conducted by running pre-written scripts, which automate the process of attempting connections to various ports or sending packets with fabricated payloads, etc. The second approach builds the normal profile based on variations of connection-based behavior of each single computer. The deviations resulting from each individual computer are carried out by a weight assignment scheme and further used to build a weighted link graph representing the overall traffic abnormalities. The functionality of this system is that of a distributed personal IDS system that also provides a centralized traffic analysis by graphical visualization. It provides a finer control over the internal network by focusing on connection-based behavior of each single computer. For network intrusion simulation, we explore an alternative method for network traffic simulation using explicit traffic generation. In particular, we build a model to replay the standard DARPA traffic data or the traffic data captured from a real environment. The replayed traffic data is mixed with attacks, such as DoS and Probe attacks, which can create apparent abnormal traffic flow patterns.
With the explicit traffic generation, every packet that has ever been sent by the victim and attacker is formed in the simulation model and travels around strictly following the criteria of time and path that are extracted from the real scenario. Thus, the model provides a promising aid in the study of intrusion detection techniques.
Ph.D.; School of Computer Science; Engineering and Computer Science; Computer Science
11

Mikhail, Joseph W. "An Investigation of Anomaly-based Ensemble Models for Multi-domain Intrusion Detection." Thesis, The George Washington University, 2018. http://pqdtopen.proquest.com/#viewpdf?dispub=10977908.

Abstract:
Although the traditional intrusion detection problem has been well studied with the release of the KDD'99 and NSL-KDD datasets, recent intrusion detection has expanded to include wireless 802.11 networks and Industrial Control Systems & Supervisory Control and Data Acquisition (ICS/SCADA) systems. This research investigates the application of two novel models to multi-domain intrusion detection. The first model is a hybrid ensemble that uses complementary-based diversity measures in an efficient greedy search pruning process. The proposed hybrid ensemble is constructed from a heterogeneous combination of decision tree and Naive Bayes classifiers and evaluated for intrusion detection performance on an 802.11 wireless system, a power generation system, and a gas pipeline system. The second model is based on a one-versus-all (OVA) binary framework comprising multiple nested sub-ensembles. To provide good generalization ability, each sub-ensemble contains a collection of sub-learners, and only a portion of the sub-learners implement boosting. A class weight based on the sensitivity metric (true positive rate), learned from the training data only, is assigned to the sub-ensembles of each class. The second model is applied to traditional and 802.11 wireless network intrusion detection. Overall, the proposed models achieve higher detection rates and good overall false positive performance when evaluating the model compared to state-of-the-art methods for effective multi-domain intrusion detection.
12

Kazi, Shehab. "Anomaly based Detection of Attacks on Security Protocols." Thesis, Blekinge Tekniska Högskola, Sektionen för datavetenskap och kommunikation, 2010. http://urn.kb.se/resolve?urn=urn:nbn:se:bth-4806.

Abstract:
Security and privacy in digital communications is the need of the hour. SSL/TLS has become widely adopted to provide the same. Multiple application layer protocols can be layered on top of it. However, protection in this form results in all the data being encrypted, causing problems for an intrusion detection system which relies on a sniffer that analyses packets on a network. We thus hypothesise that a host based intrusion detection system that analyses packets after decryption would be able to detect attacks against security protocols. To this effect we conduct two experiments where we attack a web server and a mail server, collect data, analyse it and conclude with methods to detect such attacks. These methods are in the form of pseudocode.
13

Taylor, Adrian. "Anomaly-Based Detection of Malicious Activity in In-Vehicle Networks." Thesis, Université d'Ottawa / University of Ottawa, 2017. http://hdl.handle.net/10393/36120.

Abstract:
Modern automobiles have been proven vulnerable to hacking by security researchers. By exploiting vulnerabilities in the car's external interfaces, attackers can access a car's controller area network (CAN) bus and cause malicious effects. We seek to detect these attacks on the bus as a last line of defence against automotive cyber attacks. The CAN bus standard defines a low-level message structure, upon which manufacturers layer their own proprietary command protocols; attacks must similarly be tailored for their target. This variability makes intrusion detection methods difficult to apply to the automotive CAN bus. Nevertheless, the bus traffic is generated by machines; thus we hypothesize that it can be characterized with machine learning, and that attacks produce anomalous traffic. Our goals are to show that anomaly detection trained without understanding of the message contents can detect attacks, and to create a framework for understanding how the characteristics of a novel attack can be used to predict its detectability. We developed a model that describes attacks based on their effect on bus traffic, informed by a review of published material on car hacking in combination with analysis of CAN traffic from a 2012 Subaru Impreza. The model specifies three high-level categories of effects: attacks that insert foreign packets, attacks that affect packet timing, and attacks that only modify data within packets. Foreign packet attacks are trivially detectable. For timing-based anomalies, we developed features suitable for one-class classification methods. For packet stream data word anomalies, we adapted recurrent neural networks and multivariate Markov model methods to sequence anomaly detection and compared their performance. We conducted experiments to evaluate our detection methods with special attention to the trade-off between precision and recall, given that a practical system requires a very low false alarm rate. 
The methods were evaluated by synthesizing anomalies within each attack category, parameterized to adjust their covertness. We generalize from the results to enable prediction of detection rates for new attacks using these methods.
14

Jadidi, Zahra. "Flow-based Anomaly Detection in High-Speed Networks." Thesis, Griffith University, 2016. http://hdl.handle.net/10072/367890.

Abstract:
With the advent of online services, the Internet has become extremely busy and demanding faster access. The increased dependency on the Internet obliges Internet service providers to make it reliable and secure. In this regard, researchers are tirelessly working on a number of technologies in order to ensure the continued viability of the Internet. Intrusion detection is one of the fields that enables secure operation of the Internet. An intrusion detection system (IDS) attempts to discover malicious activities in a network. However, with the increasing network throughput, IDSs should be able to analyse high volumes of traffic in real-time. Flow-based analysis is one of the methods capable of handling high-volume traffic. This method reduces the input traffic of IDSs because it analyses only packet headers. Flow-based anomaly detection can increase the reliability of the Internet, provided this method is functional at an early stage and complemented by packet-based IDSs at later stages. Employing artificial intelligence (AI) methods in IDSs provides the capability to detect attacks with better accuracy. Compared with typical IDSs, AI-based systems are more inclined towards detecting unknown attacks. This thesis proposes an artificial neural network (ANN) based flow anomaly detector optimised with metaheuristic algorithms. The proposed method is evaluated using a number of flow-based datasets generated. An ANN-based flow anomaly detection enables a high detection rate; hence, this thesis investigates this system more thoroughly. The ANN-based system is a supervised method which needs labelled datasets; however, labelling of a large amount of data found in high-speed networks is difficult. Semi-supervised methods are the combination of supervised and unsupervised methods, which can work with both labelled and unlabelled data. 
A semi-supervised method can provide a high detection rate even when there is a small proportion of labelled data; therefore, the application of this method in flow-based anomaly detection is considered.
Thesis (PhD Doctorate); Doctor of Philosophy (PhD); School of Information and Communication Technology; Science, Environment, Engineering and Technology
15

Azumah, Sylvia w. "Deep Learning -Based Anomaly Detection System for Guarding Internet of Things Devices." University of Cincinnati / OhioLINK, 2021. http://rave.ohiolink.edu/etdc/view?acc_num=ucin1624917874580953.

16

Mathur, Nitin O. "Application of Autoencoder Ensembles in Anomaly and Intrusion Detection using Time-Based Analysis." University of Cincinnati / OhioLINK, 2020. http://rave.ohiolink.edu/etdc/view?acc_num=ucin161374876195402.

17

Ardolino, Kyle R. "Semi-supervised learning of bitmask pairs for an anomaly-based intrusion detection system." Diss., Online access via UMI:, 2008.

Abstract:
Thesis (M.S.)--State University of New York at Binghamton, Thomas J. Watson School of Engineering and Applied Science, Department of Electrical Engineering, 2008. Includes bibliographical references.
18

Zhu, Xuejun. "Anomaly Detection Through Statistics-Based Machine Learning For Computer Networks." Diss., Tucson, Arizona : University of Arizona, 2006. http://etd.library.arizona.edu/etd/GetFileServlet?file=file:///data1/pdf/etd/azu%5Fetd%5F1481%5F1%5Fm.pdf&type=application/pdf.

19

Al, Tobi Amjad Mohamed. "Anomaly-based network intrusion detection enhancement by prediction threshold adaptation of binary classification models." Thesis, University of St Andrews, 2018. http://hdl.handle.net/10023/17050.

Abstract:
Network traffic exhibits a high level of variability over short periods of time. This variability impacts negatively on the performance (accuracy) of anomaly-based network Intrusion Detection Systems (IDS) that are built using predictive models in a batch-learning setup. This thesis investigates how adapting the discriminating threshold of model predictions, specifically to the evaluated traffic, improves the detection rates of these Intrusion Detection models. Specifically, this thesis studied the adaptability features of three well-known Machine Learning algorithms: C5.0, Random Forest, and Support Vector Machine. The ability of these algorithms to adapt their prediction thresholds was assessed and analysed under different scenarios that simulated real world settings using the prospective sampling approach. A new dataset (STA2018) was generated for this thesis and used for the analysis. This thesis has demonstrated empirically the importance of threshold adaptation in improving the accuracy of detection models when training and evaluation (test) traffic have different statistical properties. Further investigation was undertaken to analyse the effects of feature selection and data balancing processes on a model's accuracy when evaluation traffic with different significant features was used. The effects of threshold adaptation on reducing the accuracy degradation of these models were statistically analysed. The results showed that, of the three compared algorithms, Random Forest was the most adaptable and had the highest detection rates. This thesis then extended the analysis to apply threshold adaptation on sampled traffic subsets, by using different sample sizes, sampling strategies and label error rates. This investigation showed the robustness of the Random Forest algorithm in identifying the best threshold.
The Random Forest algorithm only needed a sample that was 0.05% of the original evaluation traffic to identify a discriminating threshold with an overall accuracy rate of nearly 90% of the optimal threshold.
20

Salem, Maher [Verfasser]. "Adaptive Real-time Anomaly-based Intrusion Detection using Data Mining and Machine Learning Techniques / Maher Salem." Kassel : Universitätsbibliothek Kassel, 2014. http://d-nb.info/1060417847/34.

21

Hyla, Bret M. "Sample Entropy and Random Forests a methodology for anomaly-based intrusion detection and classification of low-bandwidth malware attacks /." Thesis, Monterey, Calif. : Springfield, Va. : Naval Postgraduate School ; Available from National Technical Information Service, 2006. http://library.nps.navy.mil/uhtbin/hyperion/06Sep%5FHyla.pdf.

Abstract:
Thesis (M.S. in Computer Science)--Naval Postgraduate School, September 2006. Thesis Advisor(s): Craig Martell, Kevin Squire. "September 2006." Includes bibliographical references (p. 59-62). Also available in print.
22

Gill, Rupinder S. "Intrusion detection techniques in wireless local area networks." Thesis, Queensland University of Technology, 2009. https://eprints.qut.edu.au/29351/1/Rupinder_Gill_Thesis.pdf.

Abstract:
This research investigates wireless intrusion detection techniques for detecting attacks on IEEE 802.11i Robust Secure Networks (RSNs). Despite using a variety of comprehensive preventative security measures, the RSNs remain vulnerable to a number of attacks. Failure of preventative measures to address all RSN vulnerabilities dictates the need for a comprehensive monitoring capability to detect all attacks on RSNs and also to proactively address potential security vulnerabilities by detecting security policy violations in the WLAN. This research proposes novel wireless intrusion detection techniques to address these monitoring requirements and also studies correlation of the generated alarms across wireless intrusion detection system (WIDS) sensors and the detection techniques themselves for greater reliability and robustness. The specific outcomes of this research are: A comprehensive review of the outstanding vulnerabilities and attacks in IEEE 802.11i RSNs. A comprehensive review of the wireless intrusion detection techniques currently available for detecting attacks on RSNs. Identification of the drawbacks and limitations of the currently available wireless intrusion detection techniques in detecting attacks on RSNs. Development of three novel wireless intrusion detection techniques for detecting RSN attacks and security policy violations in RSNs. Development of algorithms for each novel intrusion detection technique to correlate alarms across distributed sensors of a WIDS. Development of an algorithm for automatic attack scenario detection using cross detection technique correlation. Development of an algorithm to automatically assign priority to the detected attack scenario using cross detection technique correlation.
23

Gill, Rupinder S. "Intrusion detection techniques in wireless local area networks." Queensland University of Technology, 2009. http://eprints.qut.edu.au/29351/.

Abstract:
This research investigates wireless intrusion detection techniques for detecting attacks on IEEE 802.11i Robust Secure Networks (RSNs). Despite using a variety of comprehensive preventative security measures, the RSNs remain vulnerable to a number of attacks. Failure of preventative measures to address all RSN vulnerabilities dictates the need for a comprehensive monitoring capability to detect all attacks on RSNs and also to proactively address potential security vulnerabilities by detecting security policy violations in the WLAN. This research proposes novel wireless intrusion detection techniques to address these monitoring requirements and also studies correlation of the generated alarms across wireless intrusion detection system (WIDS) sensors and the detection techniques themselves for greater reliability and robustness. The specific outcomes of this research are: A comprehensive review of the outstanding vulnerabilities and attacks in IEEE 802.11i RSNs. A comprehensive review of the wireless intrusion detection techniques currently available for detecting attacks on RSNs. Identification of the drawbacks and limitations of the currently available wireless intrusion detection techniques in detecting attacks on RSNs. Development of three novel wireless intrusion detection techniques for detecting RSN attacks and security policy violations in RSNs. Development of algorithms for each novel intrusion detection technique to correlate alarms across distributed sensors of a WIDS. Development of an algorithm for automatic attack scenario detection using cross detection technique correlation. Development of an algorithm to automatically assign priority to the detected attack scenario using cross detection technique correlation.
24

Soysal, Murat. "A Novel Method For The Detection Of P2p Traffic In The Network Backbone Inspired By Intrusion Detection Systems." Master's thesis, METU, 2006. http://etd.lib.metu.edu.tr/upload/3/12607315/index.pdf.

Abstract:
The share of the peer-to-peer (P2P) protocol in the total network traffic grows day by day in the Turkish Academic Network (UlakNet), similar to the other networks in the world. This growth is mostly because of the popularity of the shared content and the great enhancement in the P2P protocol since it first came out with Napster. The shared files are generally both large and copyrighted. Motivated by the problems of UlakNet with the P2P traffic, we propose a novel method for P2P traffic detection in the network backbone in this thesis. Observing the similarity between detecting traffic that belongs to a specific protocol and detecting an intrusion in a computer system, we adopt an Intrusion Detection System (IDS) technique to detect P2P traffic. Our method is a passive detection procedure that uses traffic flows gathered from border routers. Hence, it is scalable and does not have the problems of other approaches that rely on packet payload data or transport layer ports.
25

Caulkins, Bruce. "SESSION-BASED INTRUSION DETECTION SYSTEM TO MAP ANOMALOUS NETWORK TRAFFIC." Doctoral diss., University of Central Florida, 2005. http://digital.library.ucf.edu/cdm/ref/collection/ETD/id/3466.

Abstract:
Computer crime is a large problem (CSI, 2004; Kabay, 2001a; Kabay, 2001b). Security managers have a variety of tools at their disposal – firewalls, Intrusion Detection Systems (IDSs), encryption, authentication, and other hardware and software solutions to combat computer crime. Many IDS variants exist which allow security managers and engineers to identify attack network packets primarily through the use of signature detection; i.e., the IDS recognizes attack packets due to their well-known "fingerprints" or signatures as those packets cross the network's gateway threshold. On the other hand, anomaly-based ID systems determine what is normal traffic within a network and report abnormal traffic behavior. This paper will describe a methodology towards developing a more robust Intrusion Detection System through the use of data-mining techniques and anomaly detection. These data-mining techniques will dynamically model what a normal network should look like and reduce the false positive and false negative alarm rates in the process. We will use classification-tree techniques to accurately predict probable attack sessions. Overall, our goal is to model network traffic into network sessions and identify those network sessions that have a high probability of being an attack and can be labeled as a "suspect session." Subsequently, we will use these techniques inclusive of signature detection methods, as they will be used in concert with known signatures and patterns in order to present a better model for detection and protection of networks and systems.
Ph.D.; Other; Arts and Sciences; Modeling and Simulation
26

Li, Zhe. "A Neural Network Based Distributed Intrusion Detection System on Cloud Platform." University of Toledo / OhioLINK, 2013. http://rave.ohiolink.edu/etdc/view?acc_num=toledo1364835027.

27

Sawant, Ankush. "Time-based Approach to Intrusion Detection using Multiple Self-Organizing Maps." Ohio University / OhioLINK, 2005. http://www.ohiolink.edu/etd/view.cgi?ohiou1113833809.

28

Al, Rawashdeh Khaled. "Toward a Hardware-assisted Online Intrusion Detection System Based on Deep Learning Algorithms for Resource-Limited Embedded Systems." University of Cincinnati / OhioLINK, 2018. http://rave.ohiolink.edu/etdc/view?acc_num=ucin1535464571843315.

29

Thames, John Lane. "Advancing cyber security with a semantic path merger packet classification algorithm." Diss., Georgia Institute of Technology, 2012. http://hdl.handle.net/1853/45872.

Abstract:
This dissertation investigates and introduces novel algorithms, theories, and supporting frameworks to significantly improve the growing problem of Internet security. A distributed firewall and active response architecture is introduced that enables any device within a cyber environment to participate in the active discovery and response of cyber attacks. A theory of semantic association systems is developed for the general problem of knowledge discovery in data. The theory of semantic association systems forms the basis of a novel semantic path merger packet classification algorithm. The theoretical aspects of the semantic path merger packet classification algorithm are investigated, and the algorithm's hardware-based implementation is evaluated along with comparative analysis versus content addressable memory. Experimental results show that the hardware implementation of the semantic path merger algorithm significantly outperforms content addressable memory in terms of energy consumption and operational timing.
30

Gu, Guofei. "Correlation-based Botnet Detection in Enterprise Networks." Diss., Georgia Institute of Technology, 2008. http://hdl.handle.net/1853/24634.

Abstract:
Most of the attacks and fraudulent activities on the Internet are carried out by malware. In particular, botnets, as state-of-the-art malware, are now considered as the largest threat to Internet security. In this thesis, we focus on addressing the botnet detection problem in an enterprise-like network environment. We present a comprehensive correlation-based framework for multi-perspective botnet detection consisting of detection technologies demonstrated in four complementary systems: BotHunter, BotSniffer, BotMiner, and BotProbe. The common thread of these systems is correlation analysis, i.e., vertical correlation (dialog correlation), horizontal correlation, and cause-effect correlation. All these Bot* systems have been evaluated in live networks and/or real-world network traces. The evaluation results show that they can accurately detect real-world botnets for their desired detection purposes with a very low false positive rate. We find that correlation analysis techniques are of particular value for detecting advanced malware such as botnets. Dialog correlation can be effective as long as malware infections need multiple stages. Horizontal correlation can be effective as long as malware tends to be distributed and coordinated. In addition, active techniques can greatly complement passive approaches, if carefully used. We believe our experience and lessons are of great benefit to future malware detection.
31

Zheng, Erkang. "Interactive assistance for anomaly-based intrusion detection." 2004. http://www.lib.ncsu.edu/theses/available/etd-04162004-150145/unrestricted/etd.pdf.

32

Phani, B. "Applications Of Machine Learning To Anomaly Based Intrusion Detection." Thesis, 2006. https://etd.iisc.ac.in/handle/2005/391.

Abstract:
This thesis concerns anomaly detection as a mechanism for intrusion detection in a machine learning framework, using two kinds of audit data: system call traces and Unix shell command traces. Anomaly detection systems model the problem of intrusion detection as a self-nonself discrimination problem. To be able to use machine learning algorithms for anomaly detection, precise definitions of two aspects, namely the learning model and the dissimilarity measure, are required. The audit data considered in this thesis is intrinsically sequential. Thus the dissimilarity measure must be able to extract the temporal information in the data, which in turn will be used for classification purposes. In this thesis, we study the application of a set of dissimilarity measures broadly termed sequence kernels that are exclusively suited for such applications. This is done in conjunction with Instance Based Learning (IBL) algorithms for anomaly detection. We demonstrate the performance of the system under a wide range of parameter settings and show conditions under which best performance is obtained. Finally, some possible future extensions to the work reported in this report are considered and discussed.
33

Phani, B. "Applications Of Machine Learning To Anomaly Based Intrusion Detection." Thesis, 2006. http://hdl.handle.net/2005/391.

Abstract:
This thesis concerns anomaly detection as a mechanism for intrusion detection in a machine learning framework, using two kinds of audit data: system call traces and Unix shell command traces. Anomaly detection systems model the problem of intrusion detection as a self-nonself discrimination problem. To be able to use machine learning algorithms for anomaly detection, precise definitions of two aspects, namely the learning model and the dissimilarity measure, are required. The audit data considered in this thesis is intrinsically sequential. Thus the dissimilarity measure must be able to extract the temporal information in the data, which in turn will be used for classification purposes. In this thesis, we study the application of a set of dissimilarity measures broadly termed sequence kernels that are exclusively suited for such applications. This is done in conjunction with Instance Based Learning (IBL) algorithms for anomaly detection. We demonstrate the performance of the system under a wide range of parameter settings and show conditions under which best performance is obtained. Finally, some possible future extensions to the work reported in this report are considered and discussed.
34

Helmrich, Daniel. "Comparing Anomaly-Based Network Intrusion Detection Approaches Under Practical Aspects." 2021. https://ul.qucosa.de/id/qucosa%3A75385.

Abstract:
While many of the currently used network intrusion detection systems (NIDS) employ signature-based approaches, there is an increasing research interest in the examination of anomaly-based detection methods, which seem to be more suited for recognizing zero-day attacks. Nevertheless, requirements for their practical deployment, as well as objective and reproducible evaluation methods, are hereby often neglected. The following thesis defines aspects that are crucial for a practical evaluation of anomaly-based NIDS, such as the focus on modern attack types, the restriction to one-class classification methods, the exclusion of known attacks from the training phase, a low false detection rate, and consideration of the runtime efficiency. Based on those principles, a framework dedicated to developing, testing and evaluating models for the detection of network anomalies is proposed. It is applied to two datasets featuring modern traffic, namely the UNSW-NB15 and the CIC-IDS-2017 datasets, in order to compare and evaluate commonly-used network intrusion detection methods. The implemented approaches include, among others, a highly configurable network flow generator, a payload analyser, a one-hot encoder, a one-class support vector machine, and an autoencoder. The results show a significant difference between the two chosen datasets: While for the UNSW-NB15 dataset several reasonably well performing model combinations for both the autoencoder and the one-class SVM can be found, most of them yield unsatisfying results when the CIC-IDS-2017 dataset is used.
35

Hieb, Jeff. "Anomaly based intrusion detection for network monitoring using a dynamic honeypot." 2004. http://etd.louisville.edu/data/UofL0067t2004.pdf.

36

Kang, Inho. "Differentiated Intrusion Detection and SVDD-based Feature Selection for Anomaly Detection." 2007. http://trace.tennessee.edu/utk_graddiss/206.

Abstract:
Most existing intrusion detection techniques treat all types of attacks equally, without any differentiation of the risk they pose to the information system. However, certain types of attacks are more harmful than others, and their detection is critical to protection of the system. This study proposes a novel differentiated anomaly detection method that can more precisely detect intrusions of specific types of attacks. Although many researchers have developed many efficient intrusion detection methods, fewer efforts have been made to extract effective features for host-based intrusion detection. In this study, we propose a new framework based on new viewpoints about system activities to extract host-based features, which can guide further exploration for new features. There are few feature selection methods for anomaly detection, although lots of studies have been done on feature selection in both classification and regression problems. This study proposes new support vector data description (SVDD)-based feature selection methods such as SVDD-R2-recursive feature elimination (RFE), SVDD-RFE and the SVDD-Gradient method. Concrete experiments with both simulated and Defense Advanced Research Projects Agency (DARPA) datasets show promising performance of the proposed methods. These achievements in this dissertation could significantly contribute to the anomaly detection field. In addition, the proposed differentiated detection and SVDD-based feature selection methods would benefit other application areas beyond intrusion detection.
37

Teixeira, Jorge Amílcar Lopes. "Network traffic sampling for improved signature and anomaly based intrusion detection." Master's thesis, 2008. http://hdl.handle.net/10216/58365.

38

Teixeira, Jorge Amílcar Lopes. "Network traffic sampling for improved signature and anomaly based intrusion detection." Dissertação, 2008. http://hdl.handle.net/10216/58365.

39

Nwamuo, Onyekachi. "Hypervisor-based cloud anomaly detection using supervised learning techniques." Thesis, 2020. http://hdl.handle.net/1828/11503.

Abstract:
Although cloud network flows are similar to conventional network flows in many ways, there are some major differences in their statistical characteristics. However, due to the lack of adequate public datasets, the proponents of many existing cloud intrusion detection systems (IDS) have relied on the DARPA dataset, which was obtained by simulating a conventional network environment. In the current thesis, we show empirically that the DARPA dataset, by failing to meet important statistical characteristics of real-world cloud traffic data centers, is inadequate for evaluating cloud IDS. We analyze, as an alternative, a new public dataset collected through cooperation between our lab and a non-profit cloud service provider, which contains benign data and a wide variety of attack data. Furthermore, we present a new hypervisor-based cloud IDS using an instance-oriented feature model and supervised machine learning techniques. We investigate 3 different classifiers: Logistic Regression (LR), Random Forest (RF), and Support Vector Machine (SVM) algorithms. Experimental evaluation on a diversified dataset yields a detection rate of 92.08% and a false-positive rate of 1.49% for the random forest, the best performing of the three classifiers.
40

Lin, Shih-Chieh, and 林世杰. "A Study of Intrusion Detection System Based on Anomaly Detection in Windows Environment." Thesis, 2003. http://ndltd.ncl.edu.tw/handle/50284166653456932652.

Abstract:
Master's thesis, National Yunlin University of Science and Technology, Department of Information Management (Master's Program), academic year 91. Network intrusion events have increased year by year. With the various threatening attack techniques, protecting information on the Internet is the most concerning issue for MIS personnel. Most researchers developed their IDS based on the Linux platform regardless of the Windows platform. In this study, we propose an integrated intrusion detection system running on the Windows platform, combining network-based and host-based techniques. We adopted the self-organizing map (SOM) method to extract the features of normal behaviors in order to distinguish them from abnormal behavior like intrusion or attack. Unlike other techniques, our method need not be updated regularly. Therefore, our proposed system could ensure safety against intrusion and be maintained easily.
41

Huang, Cheng-Pin, and 黃程斌. "Clustering-based Techniques for Anomaly Detection in Intrusion Detection System: a Comparative Study." Thesis, 2005. http://ndltd.ncl.edu.tw/handle/13013469783308921078.

Abstract:
Master's thesis, National Cheng Kung University, Department of Computer Science and Information Engineering (Master's and Doctoral Program), academic year 93. With the advance of diverse computer attack techniques, the misuse and anomaly detection methods employed in intrusion detection systems, limited by nature, can no longer catch up with the latest intrusions. Research to date has been conducted mainly on the evaluation of clustering-based techniques for anomaly detection, but cluster labeling techniques have been less studied. In this research, we compare different clustering-based techniques for anomaly detection in Intrusion Detection Systems, which cover four design factors – distinct attribute combination, dissimilarity measurement, clustering techniques and labeling techniques. A series of experiments was performed to evaluate the impact of each of the design factors on cluster quality, detection rate, and false alarm rate. It is expected that the outcome of such a comparative study will offer suggestive guidelines on the design of anomaly detection systems.
42

Kuo, Yen-Feng, and 郭彥鋒. "The implementation of A Network Intrusion Detection System Based on Anomaly Data Stream Mining." Thesis, 2006. http://ndltd.ncl.edu.tw/handle/15210171209583186891.

Abstract:
Master's thesis, National Chung Hsing University, Department of Computer Science, academic year 94. In recent years, there has been a dramatic proliferation of Internet applications, and the security of the Internet has suffered severely. Hence, many network security defense techniques were developed, and the intrusion detection system was one of them. In research on intrusion detection systems, the major drawback of intrusion detection systems that rely on a mechanism of matching known attack signatures on the network data stream is that they are unable to detect newly emerging anomalies without attack signatures. In order to overcome this shortcoming and improve the efficiency of anomaly detection, recent literature shows that data mining techniques can be applied to intrusion detection. It is suitable to use dynamic intrusion detection techniques. Our thesis applies the data stream mining technique, a new class of data mining techniques introduced to handle streaming data, to build the anomaly detection system dynamically.
43

Dalmazo, Bruno Lopes. "A Prediction-based Approach for Anomaly Detection in the Cloud." Doctoral thesis, 2018. http://hdl.handle.net/10316/81235.

Abstract:
PhD Thesis in Information Science and Technology submitted to the University of Coimbra.
Computer networks are present everywhere, making them a key aspect to the proper functioning of products and services that are often served exclusively through the Internet. The pervasive nature of computer networks makes them particularly suitable to attacks. Therefore, more than just functional systems, we are also looking for systems that are reliable, available, scalable and secure. A solution to meet the growing demands of industries and customers alike is cloud computing. Among several other advantages of this paradigm, the possibility of increased profits by reducing costs with infrastructure and software licenses, while allowing for virtually unlimited growth, is particularly relevant. However, these advantages are many times shadowed by the increased security risks that stem from having different entities involved, with relationships and responsibilities not properly identified. This may lead to misuse or malicious attacks against cloud computing, which may compromise sensitive information that is stored in shared third party facilities, and many open issues still prevail. Due to these and other issues, it is extremely important to devise new solutions that increase the trustworthiness of cloud computing environments and help to keep the continued growth in demand for virtualized resources. Facing this challenge, this work aims to study, analyze, propose, develop and evaluate several models and mechanisms to fill these gaps. Firstly, a systematic approach for selecting a group of candidate predictors that is suitable for cloud network traffic prediction is proposed. On the basis of this scenario, a predictor model for cloud network traffic that involves a tradeoff between prediction error, historical data dependence, computational costs, and timely response is proposed. Next, an Anomaly Detection System to support decision-making and counter malicious actions against cloud computing systems is presented. This contribution relies on network traffic prediction to obtain features that represent the expected appropriate behaviour of the cloud network traffic, used jointly with a Support Vector Machine model for detecting anomalous events in the cloud environment. Finally, a mechanism for determining the similarity level between features of the alarms is proposed. This mechanism aims to optimize the efficiency for generating alarms, decreasing the network data traffic to manage the IDS and its associated transfer costs. The benefits and drawbacks of the contributions were demonstrated in realistic simulations using data from real network traces. Furthermore, the evaluations were conducted with well-known metrics and the results show that all the proposed mechanisms were able to outperform similar proposals in the literature.
Brazilian National Council of Technological and Scientific Development (CNPq) under the grant 246645/2012-1.
APA, Harvard, Vancouver, ISO, and other styles
44

Liu, Lei, X. L. Jin, Geyong Min, and L. Xu. "Anomaly diagnosis based on regression and classification analysis of statistical traffic features." 2013. http://hdl.handle.net/10454/10727.

Full text
Abstract:
Traffic anomalies caused by Distributed Denial-of-Service (DDoS) attacks are major threats to both network service providers and legitimate customers. DDoS attacks regularly consume and exhaust the resources of victims and hence result in abnormal bursty traffic through end-user systems. Additionally, malicious traffic aggregated into normal traffic often shows dramatic changes in the nature and statistical features of the traffic. This study focuses on early detection of traffic anomalies caused by DDoS attacks by analyzing the network traffic behavior. Key statistical features, including variance, autocorrelation and self-similarity, are employed to characterize the network traffic. Further, an artificial neural network and a support vector machine, subject to the performance metrics, are employed to predict and classify the abnormal traffic. The proposed diagnosis mechanism is validated through experiments in which the datasets consist of two groups. The first group is the Massachusetts Institute of Technology Lincoln Laboratory dataset, which contains labeled DoS attacks. The second group, collected from DDoS attack simulation experiments, covers three representative traffic shapes resulting from the dynamic attack rate configuration, namely constant intensity, ramp-up behavior and pulsing behavior. The experimental results demonstrate that the developed mechanism can effectively and precisely alert on the abnormal traffic within a short response period.
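As an added worked example (not code from the thesis above), the following Python computes three of the statistical features the abstract names, variance, lag-1 autocorrelation and a rescaled-range self-similarity (Hurst) estimate, over fixed-length windows of a constructed per-second packet-count series, and flags windows whose features leave the band learned on attack-free windows. The attack is injected in the three shapes the abstract lists: constant intensity, ramp-up and pulsing. The 30 s window, the 10x variance limit, the 0.3 feature margins, the crude single-window Hurst estimator and the threshold rule that stands in for the thesis's ANN/SVM classifiers are all assumptions of this example.

```python
"""Sliding-window traffic features (variance, lag-1 autocorrelation, R/S Hurst
estimate) over constructed per-second packet counts, with a threshold rule in
place of the ANN/SVM classifier. Added example; not code from the thesis."""
import math
from statistics import mean, pvariance

WINDOW = 30          # seconds per analysis window (assumed)
ATTACK_START = 130   # constructed: attack begins mid-window and lasts 60 s
ATTACK_LEN = 60
TOTAL = 240          # 8 windows; the first 4 are attack-free training data


def autocorrelation(xs, lag=1):
    """Lag-k sample autocorrelation; 0.0 when the series is constant."""
    n = len(xs)
    if n <= lag:
        return 0.0
    mu = mean(xs)
    var = sum((x - mu) ** 2 for x in xs)
    if var == 0:
        return 0.0
    cov = sum((xs[i] - mu) * (xs[i + lag] - mu) for i in range(n - lag))
    return cov / var


def hurst_rs(xs):
    """Crude single-window rescaled-range (R/S) Hurst estimate,
    H = log(R/S) / log(n). Roughly 0.5 for white noise, higher for
    persistent (self-similar) series; 0.5 is returned when undefined."""
    n = len(xs)
    mu = mean(xs)
    running, cum = 0.0, []
    for x in xs:
        running += x - mu
        cum.append(running)
    r = max(cum) - min(cum)
    s = math.sqrt(pvariance(xs))
    if r == 0 or s == 0:
        return 0.5
    return math.log(r / s) / math.log(n)


def features(xs):
    return {"var": pvariance(xs), "ac1": autocorrelation(xs), "hurst": hurst_rs(xs)}


def baseline_counts(n):
    """Constructed benign traffic: 20..24 packets/s in a fixed period-5 pattern."""
    return [20 + (i * 7) % 5 for i in range(n)]


def attack_counts(shape, n, peak=300):
    """Constructed attack traffic in the three shapes the abstract names."""
    if shape == "constant":
        return [peak] * n
    if shape == "ramp":
        return [peak * i // (n - 1) for i in range(n)]
    if shape == "pulse":
        return [peak if (i // 5) % 2 == 0 else 0 for i in range(n)]
    raise ValueError(shape)


def build_series(shape):
    series = baseline_counts(TOTAL)
    for j, extra in enumerate(attack_counts(shape, ATTACK_LEN)):
        series[ATTACK_START + j] += extra
    return series


def detect(series, window=WINDOW, train_windows=4):
    """Learn feature bands from the first train_windows (assumed attack-free),
    then flag every window whose features leave those bands."""
    windows = [series[i:i + window] for i in range(0, len(series) - window + 1, window)]
    train = [features(w) for w in windows[:train_windows]]
    var_limit = 10 * max(f["var"] for f in train)
    ac_ref = mean(f["ac1"] for f in train)
    h_ref = mean(f["hurst"] for f in train)
    flagged = []
    for idx, w in enumerate(windows):
        f = features(w)
        if (f["var"] > var_limit or abs(f["ac1"] - ac_ref) > 0.3
                or abs(f["hurst"] - h_ref) > 0.3):
            flagged.append(idx)
    return flagged


if __name__ == "__main__":
    for shape in ("constant", "ramp", "pulse"):
        print(shape, "flagged windows:", detect(build_series(shape)))
```

Running it shows the ramp and pulse attacks flagged in all three windows they touch (4, 5 and 6), but the constant-intensity flood flagged only in windows 4 and 6, where it starts and stops: a steady flood that fills a whole window shifts the level without changing variance, autocorrelation or the R/S estimate, so a deployment that relies on these features needs a volume or level feature, or overlapping windows, to keep alerting for the flood's whole duration.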
45

Tan, Z. "Detection of denial-of-service attacks based on computer vision techniques." Thesis, 2013. http://hdl.handle.net/10453/24176.

Full text
Abstract:
University of Technology, Sydney. Faculty of Engineering and Information Technology.
A Denial-of-Service (DoS) attack is an intrusive attempt that aims to make a designated resource (e.g., network bandwidth, processor time or memory) unavailable to its intended users. The attack is launched either by deliberately exploiting system vulnerabilities of a victim (e.g., a host, a router or an entire network) or by flooding a victim with a large volume of useless network traffic. Since the 1990s, DoS attacks have emerged as one of the most severe types of network intrusive behaviour and have posed serious threats to the infrastructure of computer networks and to various network-based services. This thesis aims to provide an intelligent and effective solution for DoS attack detection. Unlike related work based on machine learning and statistical analysis, this thesis proposes treating network traffic records as images and redefining the DoS attack detection problem as a computer vision task. To achieve these objectives, the thesis first conducts a detailed literature review of the state of the art in DoS attack detection. It then analyses and chooses the most appropriate mechanisms for DoS attack detection. Afterwards, it designs a general system framework for DoS attack detection based on the chosen mechanisms. Furthermore, two Multivariate Correlation Analysis (MCA) approaches are proposed, based on two techniques, namely Euclidean distance and triangle area. These two MCA approaches provide an accurate description of network traffic records and facilitate the conversion of network traffic into the respective images. In addition, the thesis proposes a DoS attack detection system in which the images of network traffic serve as the observed objects and the task of DoS attack detection is reformulated as a computer vision problem, namely image retrieval.
The proposed DoS attack detection system applies a widely used dissimilarity measure, the Earth Mover's Distance (EMD), to object classification. The EMD takes cross-bin matching into account and provides a more accurate evaluation of the dissimilarity between distributions than some other well-known dissimilarity measures, such as the Minkowski-form distance Lp and χ² statistics. The merits of the EMD give the proposed system its effective detection capability. Last but not least, the proposed solutions, including the two MCA approaches and the EMD-based DoS attack detection system, are evaluated using the KDD Cup 99 dataset. The evaluation results show that the proposed MCA approaches provide an accurate characterisation of network traffic, and that the proposed detection system can detect unknown DoS attacks and outperforms two state-of-the-art approaches.
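An added example, not code from the thesis above: the Earth Mover's Distance on 1-D histograms beside a bin-wise Minkowski L1 distance, to make concrete the cross-bin matching the abstract refers to, together with a nearest-profile detector that rates a record by its EMD to the closest normal profile. The exact 1-D EMD via cumulative sums, the |f_j|·|f_k|/2 triangle-area form, the 10-bin histograms, the constructed profiles and records, and the threshold of 1.0 are assumptions of this example; the thesis's own MCA and image-retrieval details are not reproduced on this page.

```python
"""1-D Earth Mover's Distance versus a bin-wise Minkowski (L1) distance on
traffic-record histograms, plus a nearest-profile detector. Added example;
not code from the thesis. The triangle-area map is an assumed form."""
from itertools import combinations


def triangle_area_map(record):
    """Assumed form: area of the triangle spanned by the origin and the
    projections of a record onto each pair of feature axes, |f_j|*|f_k|/2,
    flattened into a vector. Stand-in for the thesis's MCA image construction."""
    return [abs(a) * abs(b) / 2.0 for a, b in combinations(record, 2)]


def normalise(hist):
    """Scale a histogram to unit mass so records of different size compare."""
    total = float(sum(hist))
    if total == 0:
        raise ValueError("empty histogram")
    return [h / total for h in hist]


def emd_1d(p, q):
    """Exact EMD for 1-D histograms with unit ground distance between
    neighbouring bins: the total mass carried across each bin boundary."""
    if len(p) != len(q):
        raise ValueError("histograms must have the same number of bins")
    p, q = normalise(p), normalise(q)
    carry = work = 0.0
    for a, b in zip(p, q):
        carry += a - b      # net mass that still has to cross into the next bin
        work += abs(carry)
    return work


def minkowski(p, q, r=1):
    """Bin-wise Minkowski-form distance Lr; ignores how far apart bins are."""
    p, q = normalise(p), normalise(q)
    return sum(abs(a - b) ** r for a, b in zip(p, q)) ** (1.0 / r)


def one_hot(bin_idx, bins=10):
    return [1 if i == bin_idx else 0 for i in range(bins)]


def is_attack(record_hist, normal_profiles, threshold):
    """Flag a record whose EMD to the nearest normal profile exceeds threshold.
    Returns (flag, distance) so the score can be logged with the alert."""
    nearest = min(emd_1d(record_hist, prof) for prof in normal_profiles)
    return nearest > threshold, nearest


# Constructed data: benign mass sits in bins 1-4, attack mass in bins 5-8.
NORMAL_PROFILES = [[0, 1, 4, 3, 1, 0, 0, 0, 0, 0], [0, 2, 3, 3, 2, 0, 0, 0, 0, 0]]
BENIGN_RECORD = [0, 1, 3, 4, 1, 0, 0, 0, 0, 0]
ATTACK_RECORD = [0, 0, 0, 0, 0, 1, 3, 4, 2, 0]

if __name__ == "__main__":
    for name, h in (("shift by 1 bin", one_hot(3)), ("shift by 5 bins", one_hot(7))):
        print(name, "L1:", minkowski(one_hot(2), h), "EMD:", emd_1d(one_hot(2), h))
    print("benign record:", is_attack(BENIGN_RECORD, NORMAL_PROFILES, 1.0))
    print("attack record:", is_attack(ATTACK_RECORD, NORMAL_PROFILES, 1.0))
```

Moving all of a histogram's mass by one bin or by five bins gives the same L1 distance (2.0) but an EMD of 1.0 versus 5.0. That is the practical consequence of cross-bin matching: a detector built on an Lp distance can rate a slightly perturbed benign record and a grossly different attack record as equally far from the normal profile, whereas the EMD orders them by how much the distribution actually moved.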
46

Lu, Wei. "Unsupervised anomaly detection framework for multiple-connection based network intrusions." Thesis, 2005. http://hdl.handle.net/1828/1949.

Full text
Abstract:
In this dissertation, we propose an effective and efficient online unsupervised anomaly detection framework. The framework consists of new anomalousness metrics, named IP Weight, and a new hybrid clustering algorithm, named I-means. The IP Weight metrics provide measures of the anomalousness of IP packet flows on networks. A simple classification of network intrusions distinguishes between single-connection based attacks and multiple-connection based attacks. The IP Weight metrics proposed in this work specifically characterize multiple-connection based attacks; the definition of specific metrics for single-connection based attacks is left for future work. The I-means algorithm combines mixture resolving, a genetic algorithm that automatically estimates the optimal number of clusters for a set of data, and the k-means algorithm for clustering. Three sets of experiments are conducted to evaluate the new unsupervised anomaly detection framework. The first experiment empirically validates that the IP Weight metrics reduce the dimensions of the feature space characterizing IP packets to a level comparable with the principal component analysis technique. The second experiment is an offline evaluation based on the 1998 DARPA intrusion detection dataset. In the offline evaluation, we compare our framework with three other unsupervised anomaly detection approaches, namely plain k-means clustering, univariate outlier detection and multivariate outlier detection. The evaluation results show that the detection framework based on I-means yields the highest detection rate with a low false alarm rate. Specifically, it detects 18 of the 19 multiple-connection based attack types. The third experiment is an online evaluation in a live networking environment. Its results not only confirm the detection effectiveness observed with the DARPA dataset, but also show good runtime efficiency, with response times within a few seconds.
47

Zielinski, Marek Piotr. "Applying mobile agents in an immune-system-based intrusion detection system." Diss., 2004. http://hdl.handle.net/10500/1918.

Full text
Abstract:
Nearly all present-day commercial intrusion detection systems are based on a hierarchical architecture. In such an architecture, the root node is responsible for detecting intrusions and for issuing responses. However, an intrusion detection system (IDS) based on a hierarchical architecture has many single points of failure. For example, by disabling the root node, the intrusion-detection function of the IDS will also be disabled. To solve this problem, an IDS inspired by the human immune system is proposed. The proposed IDS has no single component that is responsible for detecting intrusions. Instead, the intrusion-detection function is divided and placed within mobile agents. Mobile agents act similarly to the white blood cells of the human immune system and travel from host to host in the network to detect intrusions. The IDS is fault-tolerant because it can continue to detect intrusions even when most of its components have been disabled.
Computer Science (School of Computing)
M. Sc. (Computer Science)