Dissertations / Theses on the topic 'Intrusion Detection Algorithm'

1

Janagam, Anirudh, and Saddam Hossen. "Analysis of Network Intrusion Detection System with Machine Learning Algorithms (Deep Reinforcement Learning Algorithm)." Thesis, Blekinge Tekniska Högskola, 2018. http://urn.kb.se/resolve?urn=urn:nbn:se:bth-17126.

2

Pillay, Manju Mohan. "Applying genetic algorithm techniques in network intrusion detection systems / Pillai, M.M." Thesis, North-West University, 2011. http://hdl.handle.net/10394/7030.

Abstract:
The Internet has grown into an essential medium for human beings that facilitates communication, information searching, banking, marketing, online education and advertising, among the numerous use cases that it offers. The benefits that are offered by the Internet are negated due to the fact that intruders abuse and compromise the Internet through sophisticated cybercrimes and computer crimes. Cybercrime and computer crime have caused great havoc and panic in Internet usage and network security. As a result, it has become very important to protect the information residing in computer systems that are connected to networks, as it is the primary target for criminal activities. It is impossible to build a completely secure system, as intruders find new methods to compromise the system. The least that can be done is to detect the intrusions, in order either to fix the vulnerability or to prevent the intrusions from re-occurring. One such tool that detects intrusions is an Intrusion Detection System (IDS). However, IDSs have their own challenges, such as the incapability of detecting new intrusions and the generation of a multitude of false alarms. The focus of this research is to alleviate the current issues in IDSs by designing a Network IDS using Genetic Algorithms (GAs). The study thus aims at making the intrusion detection process robust by detecting unknown intrusions with a smaller number of false alarms using GA principles. Further, a prototype of an IDS using GAs was developed to substantiate the study and evaluate its effectiveness, uniqueness and flexibility. The results showed that the GA-NIDS proved to be flexible and unique in accepting any format of rule as well as detecting both known and unknown intrusions.
Thesis (M.Ing. (Computer and Electronic Engineering))--North-West University, Potchefstroom Campus, 2012.
3

Pentukar, Sai Kiran. "OCLEP+: One-Class Intrusion Detection Using Length of Patterns." Wright State University / OhioLINK, 2017. http://rave.ohiolink.edu/etdc/view?acc_num=wright1496147438710588.

4

Al, Tobi Amjad Mohamed. "Anomaly-based network intrusion detection enhancement by prediction threshold adaptation of binary classification models." Thesis, University of St Andrews, 2018. http://hdl.handle.net/10023/17050.

Abstract:
Network traffic exhibits a high level of variability over short periods of time. This variability impacts negatively on the performance (accuracy) of anomaly-based network Intrusion Detection Systems (IDS) that are built using predictive models in a batch-learning setup. This thesis investigates how adapting the discriminating threshold of model predictions, specifically to the evaluated traffic, improves the detection rates of these Intrusion Detection models. Specifically, this thesis studied the adaptability features of three well known Machine Learning algorithms: C5.0, Random Forest, and Support Vector Machine. The ability of these algorithms to adapt their prediction thresholds was assessed and analysed under different scenarios that simulated real world settings using the prospective sampling approach. A new dataset (STA2018) was generated for this thesis and used for the analysis. This thesis has demonstrated empirically the importance of threshold adaptation in improving the accuracy of detection models when training and evaluation (test) traffic have different statistical properties. Further investigation was undertaken to analyse the effects of feature selection and data balancing processes on a model's accuracy when evaluation traffic with different significant features were used. The effects of threshold adaptation on reducing the accuracy degradation of these models was statistically analysed. The results showed that, of the three compared algorithms, Random Forest was the most adaptable and had the highest detection rates. This thesis then extended the analysis to apply threshold adaptation on sampled traffic subsets, by using different sample sizes, sampling strategies and label error rates. This investigation showed the robustness of the Random Forest algorithm in identifying the best threshold. The Random Forest algorithm only needed a sample that was 0.05% of the original evaluation traffic to identify a discriminating threshold with an overall accuracy rate of nearly 90% of the optimal threshold.
5

Thames, John Lane. "Advancing cyber security with a semantic path merger packet classification algorithm." Diss., Georgia Institute of Technology, 2012. http://hdl.handle.net/1853/45872.

Abstract:
This dissertation investigates and introduces novel algorithms, theories, and supporting frameworks to significantly improve the growing problem of Internet security. A distributed firewall and active response architecture is introduced that enables any device within a cyber environment to participate in the active discovery and response of cyber attacks. A theory of semantic association systems is developed for the general problem of knowledge discovery in data. The theory of semantic association systems forms the basis of a novel semantic path merger packet classification algorithm. The theoretical aspects of the semantic path merger packet classification algorithm are investigated, and the algorithm's hardware-based implementation is evaluated along with comparative analysis versus content addressable memory. Experimental results show that the hardware implementation of the semantic path merger algorithm significantly outperforms content addressable memory in terms of energy consumption and operational timing.
6

Kim, Jung Won. "Integrating artificial immune algorithms for intrusion detection." Thesis, University College London (University of London), 2002. http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.398425.

7

Webster, Seth E. (Seth Emerson) 1975. "The development and analysis of intrusion detection algorithms." Thesis, Massachusetts Institute of Technology, 1998. http://hdl.handle.net/1721.1/50439.

8

Kannan, Anand. "Performance evaluation of security mechanisms in Cloud Networks." Thesis, KTH, Kommunikationssystem, CoS, 2012. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-99464.

Abstract:
Infrastructure as a Service (IaaS) is a cloud service provisioning model which largely focuses on data centre provisioning of computing and storage facilities. The networking aspects of IaaS beyond the data centre are a limiting factor preventing communication services that are sensitive to network characteristics from adopting this approach. Cloud networking is a new technology which integrates network provisioning with the existing cloud service provisioning models thereby completing the cloud computing picture by addressing the networking aspects. In cloud networking, shared network resources are virtualized, and provisioned to customers and end-users on-demand in an elastic fashion. This technology allows various kinds of optimization, e.g., reducing latency and network load. Further, this allows service providers to provision network performance guarantees as a part of their service offering. However, this new approach introduces new security challenges. Many of these security challenges are addressed in the CloNe security architecture. This thesis presents a set of potential techniques for securing different resources in a cloud network environment which are not addressed in the existing CloNe security architecture. The thesis begins with a holistic view of Cloud networking, as described in the Scalable and Adaptive Internet Solutions (SAIL) project, along with its proposed architecture and security goals. This is followed by an overview of the problems that need to be solved and some of the different methods that can be applied to solve parts of the overall problem, specifically a comprehensive, tightly integrated, and multi-level security architecture, a key management algorithm to support the access control mechanism, and an intrusion detection mechanism. For each method or set of methods, the respective state of the art is presented. Additionally, experiments to understand the performance of these mechanisms are evaluated on a simple cloud network test bed. The proposed key management scheme uses a hierarchical key management approach that provides fast and secure key update when member join and member leave operations are carried out. Experiments show that the proposed key management scheme enhances the security and increases the availability and integrity. A newly proposed genetic algorithm based feature selection technique has been employed for effective feature selection. Fuzzy SVM has been used on the data set for effective classification. Experiments have shown that the proposed genetic based feature selection algorithm reduces the number of features and hence decreases the classification time, while improving detection accuracy of the fuzzy SVM classifier by minimizing the conflicting rules that may confuse the classifier. The main advantages of this intrusion detection system are the reduction in false positives and increased security.
Infrastructure as a Service (IaaS) is a cloud service model that mainly focuses on providing a data centre for the processing and storage of data. The networking aspects of a cloud-based infrastructure as a service outside the data centre are a limiting factor that prevents sensitive communication services from adopting this technology. Cloud networking is a new technology that integrates network provisioning with existing cloud service models and thereby completes the cloud computing picture by addressing the networking aspect. In cloud networking, shared network resources are virtualised and allocated to customers and end users on demand in a flexible way. This technology allows various kinds of optimisation, e.g. reducing latency and the load on the network. Furthermore, it gives service providers a way to offer network performance guarantees as part of their service offering. But this new approach introduces new security challenges, for example VM migration over public networks. Many of these security challenges are addressed in CloNe's Security Architecture. This report presents a number of potential techniques for securing various resources in a cloud-based network environment that are not addressed in the existing CloNe Security Architecture. The report begins with a holistic view of cloud-based networking as described in the Scalable and Adaptive Internet Solutions (SAIL) project, together with its proposed architecture and security goals. This is followed by an overview of the problems that must be solved and some of the different methods that can be applied to solve parts of the overall problem. In particular, a comprehensive and tightly integrated multi-level security architecture, a key management algorithm that supports the access control mechanism, and an intrusion detection mechanism are covered. For each method or set of methods, the state of the art of the respective technique is presented. In addition, experiments to understand the performance of these mechanisms have been evaluated on a test bed consisting of a simple cloud network. The proposed key management system uses a hierarchical key management strategy that provides fast and secure key updates when member join and member leave operations are carried out. Experimental results show that the proposed key management system increases security and increases availability and integrity. A newly proposed genetic-algorithm-based feature selection technique has been used for effective feature selection. Fuzzy SVM has been used on the data for effective classification. Experiments have shown that the proposed genetic-based feature selection algorithm reduces the number of features and thereby reduces classification time, while improving the detection accuracy of the fuzzy SVM classifier by minimising the conflicting rules that can confuse the classifier. The main advantages of this intrusion detection system are the reduction of false positives and increased security.
9

Ozbey, Halil. "A Genetic-based Intelligent Intrusion Detection System." Master's thesis, METU, 2005. http://etd.lib.metu.edu.tr/upload/2/12606636/index.pdf.

Abstract:
In this study we address the problem of detecting new types of intrusions into computer systems which cannot be handled by widely implemented knowledge-based mechanisms. The solutions offered by behavior-based prototypes either suffer from low accuracy and low completeness or require the use of data explaining abnormal behavior, which in practice is not available. Our aim is to develop an algorithm which can produce a satisfactory model of the target system's behavior in the absence of negative data. First, we design and develop an intelligent and behavior-based detection mechanism using genetic-based machine learning techniques with subsidies in the Bucket Brigade Algorithm. It classifies the possible system states as normal or abnormal and interprets the abnormal state observations as evidence for the presence of an intrusion. Next we provide another algorithm which focuses on capturing the normal behavior of the target system to detect intrusions, again by identifying anomalies. A compact and highly complete rule set is generated by continuously inserting observed states as rules into the rule set and combining similar rule pairs in each step. Experiments conducted using the KDD-99 data set have produced fairly good results for both of the algorithms.
10

Wan, Tao. "IntruDetector, a software platform for testing network intrusion detection algorithms." Thesis, National Library of Canada = Bibliothèque nationale du Canada, 2001. http://www.collectionscanada.ca/obj/s4/f2/dsk3/ftp04/MQ60258.pdf.

11

Botes, Frans Hendrik. "Ant tree miner amyntas for intrusion detection." Thesis, Cape Peninsula University of Technology, 2018. http://hdl.handle.net/20.500.11838/2865.

Abstract:
Thesis (MTech (Information Technology))--Cape Peninsula University of Technology, 2018.
With the constant evolution of information systems, companies have to acclimatise to the vast increase of data flowing through their networks. Business processes rely heavily on information technology and operate within a framework of little to no space for interruptions. Cyber attacks aimed at interrupting business operations, false intrusion detections and leaked information burden companies with large monetary and reputational costs. Intrusion detection systems analyse network traffic to identify suspicious patterns that intend to compromise the system. Classifiers (algorithms) are used to classify the data into different categories, e.g. malicious or normal network traffic. Recent surveys within intrusion detection highlight the need for improved detection techniques and warrant further experimentation for improvement. This experimental research project focuses on implementing swarm intelligence techniques within the intrusion detection domain. The Ant Tree Miner algorithm induces decision trees by using ant colony optimisation techniques. The Ant Tree Miner poses high accuracy with efficient results. However, limited research has been performed on this classifier in other domains such as intrusion detection. The research provides the intrusion detection domain with a new algorithm that improves upon results of decision trees and ant colony optimisation techniques when applied to the domain. The research has led to valuable insights into the Ant Tree Miner classifier within a previously unknown domain and created an intrusion detection benchmark for future researchers.
12

Abas, Ashardi B. "Non-intrusive driver drowsiness detection system." Thesis, University of Bradford, 2011. http://hdl.handle.net/10454/5521.

Abstract:
The development of technologies for preventing drowsiness at the wheel is a major challenge in the field of accident avoidance systems. Preventing drowsiness during driving requires a method for accurately detecting a decline in driver alertness and a method for alerting and refreshing the driver. As a detection method, the authors have developed a system that uses image processing technology to analyse images of the road lane with a video camera integrated with steering wheel angle data collection from a car simulation system. The main contribution of this study is a novel algorithm for drowsiness detection and tracking, which is based on the incorporation of information from a road vision system and vehicle performance parameters. Refinement of the algorithm is more precisely detected the level of drowsiness by the implementation of a support vector machine classification for robust and accurate drowsiness warning system. The Support Vector Machine (SVM) classification technique diminished drowsiness level by using non intrusive systems, using standard equipment sensors, aim to reduce these road accidents caused by drowsiness drivers. This detection system provides a non-contact technique for judging various levels of driver alertness and facilitates early detection of a decline in alertness during driving. The presented results are based on a selection of drowsiness database, which covers almost 60 hours of driving data collection measurements. All the parameters extracted from vehicle parameter data are collected in a driving simulator. With all the features from a real vehicle, a SVM drowsiness detection model is constructed. After several improvements, the classification results showed a very good indication of drowsiness by using those systems.
13

Rastegari, Samaneh. "Intelligent network intrusion detection using an evolutionary computation approach." Thesis, Edith Cowan University, Research Online, Perth, Western Australia, 2015. https://ro.ecu.edu.au/theses/1760.

Abstract:
With the enormous growth of users' reliance on the Internet, the need for secure and reliable computer networks also increases. Availability of effective automatic tools for carrying out different types of network attacks raises the need for effective intrusion detection systems. Generally, a comprehensive defence mechanism consists of three phases, namely, preparation, detection and reaction. In the preparation phase, network administrators aim to find and fix security vulnerabilities (e.g., insecure protocols and vulnerable computer systems or firewalls) that can be exploited to launch attacks. Although the preparation phase increases the level of security in a network, this will never completely remove the threat of network attacks. A good security mechanism requires an Intrusion Detection System (IDS) in order to monitor security breaches when the prevention schemes in the preparation phase are bypassed. To be able to react to network attacks as fast as possible, an automatic detection system is of paramount importance. The later an attack is detected, the less time network administrators have to update their signatures and reconfigure their detection and remediation systems. An IDS is a tool for monitoring the system with the aim of detecting and alerting on intrusive activities in networks. These tools are classified into two major categories: signature-based and anomaly-based. A signature-based IDS stores the signatures of known attacks in a database and discovers occurrences of attacks by monitoring and comparing each communication in the network against the database of signatures. On the other hand, mechanisms that deploy anomaly detection have a model of the normal behaviour of the system, and any significant deviation from this model is reported as an anomaly. This thesis aims at addressing the major issues in the process of developing signature-based IDSs. These are: i) their dependency on experts to create signatures, ii) the complexity of their models, iii) the inflexibility of their models, and iv) their inability to adapt to changes in the real environment and detect new attacks. To meet the requirements of a good IDS, computational intelligence methods have attracted considerable interest from the research community. This thesis explores a solution to automatically generate compact rulesets for network intrusion detection utilising evolutionary computation techniques. The proposed framework is called ESR-NID (Evolving Statistical Rulesets for Network Intrusion Detection). Using an interval-based structure, this method can be deployed for any continuous-valued input data. Therefore, by choosing appropriate statistical measures (i.e. continuous-valued features) of network traffic as the input to ESR-NID, it can effectively detect varied types of attacks since it is not dependent on the signatures of network packets. In ESR-NID, several innovations in the genetic algorithm were developed to keep the ruleset small. A two-stage evaluation component in the evolutionary process takes the cooperation of rules into consideration and results in very compact, easily understood rulesets. The effectiveness of this approach is evaluated against several sources of data for the detection of both normal and abnormal behaviour. The results are found to be comparable to those achieved using other machine learning methods from both categories of GA-based and non-GA-based methods. One of the significant advantages of ESR-NID is that it can be tailored to specific problem domains and the characteristics of the dataset by the use of different fitness and performance functions. This makes the system a more flexible model compared to other learning techniques. Additionally, an IDS must adapt itself to the changing environment with the least amount of configuration. ESR-NID uses an incremental learning approach as new flows of traffic become available. The incremental learning approach benefits from less required storage because it only keeps the generated rules in its database. This is in contrast to the infinitely growing repository of raw training data required for traditional learning.
14

Kopek, Christopher Vincent. "Parallel intrusion detection systems for high speed networks using the divided data parallel method." Electronic thesis, 2007. http://dspace.zsr.wfu.edu/jspui/handle/10339/191.

15

Al, Rawashdeh Khaled. "Toward a Hardware-assisted Online Intrusion Detection System Based on Deep Learning Algorithms for Resource-Limited Embedded Systems." University of Cincinnati / OhioLINK, 2018. http://rave.ohiolink.edu/etdc/view?acc_num=ucin1535464571843315.

16

Petersen, Rebecca. "Data Mining for Network Intrusion Detection : A comparison of data mining algorithms and an analysis of relevant features for detecting cyber-attacks." Thesis, Mittuniversitetet, Avdelningen för informations- och kommunikationssystem, 2015. http://urn.kb.se/resolve?urn=urn:nbn:se:miun:diva-28002.

Abstract:
Data mining can be defined as the extraction of implicit, previously unknown, and potentially useful information from data. Numerous researchers have been developing security technology and exploring new methods to detect cyber-attacks with the DARPA 1998 dataset for Intrusion Detection and the modified versions of this dataset, KDDCup99 and NSL-KDD, but until now no one has examined the performance of the Top 10 data mining algorithms selected by experts in data mining. The compared classification learning algorithms in this thesis are: C4.5, CART, k-NN and Naïve Bayes. The performance of these algorithms is compared with accuracy, error rate and average cost on modified versions of the NSL-KDD train and test datasets, where the instances are classified into normal and four cyber-attack categories: DoS, Probing, R2L and U2R. Additionally, the most important features to detect cyber-attacks in all categories and in each category are evaluated with Weka's Attribute Evaluator and ranked according to Information Gain. The results show that the classification algorithm with the best performance on the dataset is the k-NN algorithm. The most important features to detect cyber-attacks are basic features such as the number of seconds of a network connection, the protocol used for the connection, the network service used, normal or error status of the connection and the number of data bytes sent. The most important features to detect DoS, Probing and R2L attacks are basic features and the least important features are content features, unlike U2R attacks, where the content features are the most important features to detect attacks.
17

Yu, Xiaodong. "Algorithms and Frameworks for Accelerating Security Applications on HPC Platforms." Diss., Virginia Tech, 2019. http://hdl.handle.net/10919/93510.

Abstract:
Typical cybersecurity solutions emphasize on achieving defense functionalities. However, execution efficiency and scalability are equally important, especially for real-world deployment. Straightforward mappings of cybersecurity applications onto HPC platforms may significantly underutilize the HPC devices' capacities. On the other hand, the sophisticated implementations are quite difficult: they require both in-depth understandings of cybersecurity domain-specific characteristics and HPC architecture and system model. In our work, we investigate three sub-areas in cybersecurity, including mobile software security, network security, and system security. They have the following performance issues, respectively: 1) The flow- and context-sensitive static analysis for the large and complex Android APKs are incredibly time-consuming. Existing CPU-only frameworks/tools have to set a timeout threshold to cease the program analysis to trade the precision for performance. 2) Network intrusion detection systems (NIDS) use automata processing as its searching core and requires line-speed processing. However, achieving high-speed automata processing is exceptionally difficult in both algorithm and implementation aspects. 3) It is unclear how the cache configurations impact time-driven cache side-channel attacks' performance. This question remains open because it is difficult to conduct comparative measurement to study the impacts. In this dissertation, we demonstrate how application-specific characteristics can be leveraged to optimize implementations on various types of HPC for faster and more scalable cybersecurity executions. For example, we present a new GPU-assisted framework and a collection of optimization strategies for fast Android static data-flow analysis that achieve up to 128X speedups against the plain GPU implementation. For network intrusion detection systems (IDS), we design and implement an algorithm capable of eliminating the state explosion in out-of-order packet situations, which reduces up to 400X of the memory overhead. We also present tools for improving the usability of Micron's Automata Processor. To study the cache configurations' impact on time-driven cache side-channel attacks' performance, we design an approach to conducting comparative measurement. We propose a quantifiable success rate metric to measure the performance of time-driven cache attacks and utilize the GEM5 platform to emulate the configurable cache.
Doctor of Philosophy
Typical cybersecurity solutions emphasize on achieving defense functionalities. However, execution efficiency and scalability are equally important, especially for the real-world deployment. Straightforward mappings of applications onto High-Performance Computing (HPC) platforms may significantly underutilize the HPC devices’ capacities. In this dissertation, we demonstrate how application-specific characteristics can be leveraged to optimize various types of HPC executions for cybersecurity. We investigate several sub-areas, including mobile software security, network security, and system security. For example, we present a new GPU-assisted framework and a collection of optimization strategies for fast Android static data-flow analysis that achieve up to 128X speedups against the unoptimized GPU implementation. For network intrusion detection systems (IDS), we design and implement an algorithm capable of eliminating the state explosion in out-of-order packet situations, which reduces up to 400X of the memory overhead. We also present tools for improving the usability of HPC programming. To study the cache configurations’ impact on time-driven cache side-channel attacks’ performance, we design an approach to conducting comparative measurement. We propose a quantifiable success rate metric to measure the performance of time-driven cache attacks and utilize the GEM5 platform to emulate the configurable cache.
18

Moured, David Paul. "Dynamic Game-Theoretic Models to Determine the Value of Intrusion Detection Systems in the Face of Uncertainty." NSUWorks, 2015. http://nsuworks.nova.edu/gscis_etd/26.

Abstract:
Firms lose millions of dollars every year to cyber-attacks and the risk to these companies is growing exponentially. The threat to monetary and intellectual property has made Information Technology (IT) security management a critical challenge to firms. Security devices, including Intrusion Detections Systems (IDS), are commonly used to help protect these firms from malicious users by identifying the presence of malicious network traffic. However, the actual value of these devices remains uncertain among the IT security community because of the costs associated with the implementation of different monitoring strategies that determine when to inspect potentially malicious traffic and the costs associated with false positive and negative errors. Game theoretic models have proven effective for determining the value of these devices under several conditions where firms and users are modeled as players. However, these models assume that both the firm and attacker have complete information about their opponent and lack the ability to account for more realistic situations where players have incomplete information regarding their opponent's payoffs. The proposed research develops an enhanced model that can be used for strategic decision making in IT security management where the firm is uncertain about the user's utility of intrusion. By using Harsanyi Transformation Analysis, the model provides the IT security research community with valuable insight into the value of IDS when the firm is uncertain of the incentives and payoffs available to users choosing to hack. Specifically, this dissertation considers two possible types of users with different utility for intrusion to gain further insights about the players' strategies. The firm's optimal strategy is to start the game with the expected value of the user's utility as an estimate. Under this strategy, the firm can determine the user's utility with certainty within one iteration of the game. After the first iteration, the game may be analyzed as a game of perfect information.
19

Hyla, Bret M. "Sample Entropy and Random Forests a methodology for anomaly-based intrusion detection and classification of low-bandwidth malware attacks /." Thesis, Monterey, Calif. : Springfield, Va. : Naval Postgraduate School ; Available from National Technical Information Service, 2006. http://library.nps.navy.mil/uhtbin/hyperion/06Sep%5FHyla.pdf.

Full text
Abstract:
Thesis (M.S. in Computer Science)--Naval Postgraduate School, September 2006.
Thesis Advisor(s): Craig Martell, Kevin Squire. "September 2006." Includes bibliographical references (p.59-62). Also available in print.
20

Della, Chiesa Enrico. "Implementazione Tensorflow di Algoritmi di Anomaly Detection per la Rilevazione di Intrusioni Mediante Signals of Opportunity (SoOP)." Master's thesis, Alma Mater Studiorum - Università di Bologna, 2021.

Abstract:
This thesis presents the implementation of supervised and unsupervised machine learning algorithms using Python and Tensorflow. In particular, the implementation of Anomaly Detection algorithms is addressed as a case study. Chapter 1 presents the machine learning algorithms that were implemented. Chapter 2 presents and analyses the development environment used, consisting of Python and Tensorflow. Finally, the implementation of the algorithms described in Chapter 1 is presented. In Chapter 3, two algorithms taken from the article Anomaly Detection Using WiFi Signals of Opportunity are implemented as a case study. The case study involves detecting changes in the spatial configuration of a room using the WiFi signals present in the environment together with Anomaly Detection algorithms. The algorithms were reproduced using Python and Tensorflow. In addition, a further solution based on an autoassociative neural network (autoencoder) is presented. Finally, the conclusions are reported, summarizing the results obtained and briefly outlining future developments.
21

Stanek, Timotej. "Automatické shlukování regulárních výrazů." Master's thesis, Vysoké učení technické v Brně. Fakulta informačních technologií, 2011. http://www.nusl.cz/ntk/nusl-235531.

Full text
Abstract:
This project is about the security of computer networks using Intrusion Detection Systems. IDS contain rules for detection expressed as regular expressions, which are represented for detection by finite-state automata. The complexity of this detection with non-deterministic and deterministic finite-state automata is explained. This complexity can be reduced with the help of regular expression grouping. A grouping algorithm and approaches for speedup and improvement are introduced. One of the approaches is a Genetic algorithm, which can work in real time. Finally, a Random search algorithm for grouping of regular expressions is presented. Experimental results with these approaches are shown and compared with each other.
22

Khasgiwala, Jitesh. "Analysis of Time-Based Approach for Detecting Anomalous Network Traffic." Ohio University / OhioLINK, 2005. http://www.ohiolink.edu/etd/view.cgi?ohiou1113583042.

Full text
23

Andersson, Robin. "Combining Anomaly- and Signature-based Algorithms for Intrusion Detection in CAN-bus : A suggested approach for building precise and adaptive intrusion detection systems to controller area networks." Thesis, Malmö universitet, Fakulteten för teknik och samhälle (TS), 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:mau:diva-43450.

Full text
Abstract:
With the digitalization and ever-increasing computerization of personal vehicles, new attack surfaces are introduced, challenging the security of the in-vehicle network. There is no such thing as fully securing any computer system, nor learning all the methods of attack in order to prevent a break-in into a system. Instead, with sophisticated methods, we can focus on detecting and preventing attacks from being performed inside a system. The current state of the art of such methods, named intrusion detection systems (IDS), is divided into two main approaches. One approach makes its models very confident in detecting malicious activity, however only for activities that have been previously learned by the model. The second approach is very good at constructing models for detecting any type of malicious activity, even if never studied by the model before, but with less confidence. In this thesis, a new approach is suggested with a redesigned architecture for an intrusion detection system called Multi-mixed IDS, where we take a middle ground between the two standardized approaches, trying to find a combination of both sides' strengths while eliminating their weaknesses. This thesis aims to deliver a proof of concept for a new approach in the current state of the art in the CAN-bus security research field. This thesis also brings up some background knowledge about CAN and intrusion detection systems, discussing their strengths and weaknesses in further detail. Additionally, a brief overview of a hand-picked selection of research contributions from the field is discussed. Further, a simple architecture is suggested, and three individual detection models are trained and combined to be tested against a CAN-bus dataset. Finally, the results are examined and evaluated. The results from the suggested approach show somewhat poor results compared to other suggested algorithms within the field. However, it also shows some good potential, if better decision methods between the individual algorithms that construct the model can be found.
24

Alkadi, Alaa. "Anomaly Detection in RFID Networks." UNF Digital Commons, 2017. https://digitalcommons.unf.edu/etd/768.

Full text
Abstract:
Available security standards for RFID networks (e.g. ISO/IEC 29167) are designed to secure individual tag-reader sessions and do not protect against active attacks that could also compromise the system as a whole (e.g. tag cloning or replay attacks). Proper traffic characterization models of the communication within an RFID network can lead to better understanding of operation under “normal” system state conditions and can consequently help identify security breaches not addressed by current standards. This study of RFID traffic characterization considers two piecewise-constant data smoothing techniques, namely Bayesian blocks and Knuth’s algorithms, over time-tagged events and compares them in the context of rate-based anomaly detection. This was accomplished using data from experimental RFID readings and comparing (1) the event counts versus time if using the smoothed curves versus empirical histograms of the raw data and (2) the threshold-dependent alert-rates based on inter-arrival times obtained if using the smoothed curves versus that of the raw data itself. Results indicate that both algorithms adequately model RFID traffic in which inter-event time statistics are stationary but that Bayesian blocks become superior for traffic in which such statistics experience abrupt changes.
25

Chen, Chung-Hung, and 陳忠鴻. "New Pattern Search Algorithm for Intrusion Detection." Thesis, 2004. http://ndltd.ncl.edu.tw/handle/22117646859803730483.

Full text
26

Chen, Tze-Hung, and 陳則宏. "A Hybrid Classification Algorithm for Intrusion Detection System." Thesis, 2019. http://ndltd.ncl.edu.tw/cgi-bin/gs32/gsweb.cgi/login?o=dnclcdr&s=id=%22107NCHU5394050%22.&searchmode=basic.

Full text
Abstract:
Master's
National Chung Hsing University
Department of Computer Science and Engineering
107
Research on intrusion detection systems (IDS) is mature. With the progress of science and technology, IDSs need to detect both general network attacks and novel attacks on IoT devices. Because cyber-attacks are getting more complicated, accurate classification must rely on complex algorithms rather than traditional algorithms. Recent research combines many algorithms to improve the performance of intrusion detection systems in detecting cyber-attacks, such as metaheuristic algorithms, clustering algorithms, classification algorithms, and others. In this paper, we combine three algorithms in the intrusion detection system, using a combination of the search economics algorithm and the k-means algorithm to improve the classification performance of the support vector machine. In the experimental results, we compare the proposed algorithm with many different machine learning algorithms in terms of recall, false alarm rate, precision, and accuracy. The simulation results show that the proposed algorithm can effectively improve the classification effect of the classification algorithm.
27

Lin, Hou-Lung, and 林厚龍. "A Load Balancing Algorithm for Distributed Intrusion Detection Systems." Thesis, 2007. http://ndltd.ncl.edu.tw/handle/30771484338806241223.

Full text
Abstract:
Master's
National Taiwan Ocean University
Department of Computer Science and Engineering
95
The Internet is used frequently in the modern world and has become a crucial communication method for people. To protect computers from being hacked and intruded upon via the Internet, Intrusion Detection Systems (IDSs) have become very important to computer security. How to enhance the efficiency and credibility of IDSs is a very important issue. The main part of my thesis is a load balancing algorithm for distributed IDSs. It is mostly based on a splitter and IDS sensors. Together with the IDSs, the policy of the splitter is defined according to the changing variety of Internet traffic, and rules are distributed to the Snort sensors. Finally, all packets are distributed to the IDSs and checked, so that the IDSs are evenly loaded; this lowers the load and increases the efficiency and credibility of the Intrusion Detection Systems.
28

Kuang, Liwei. "DNIDS: A dependable network intrusion detection system using the CSI-KNN algorithm." Thesis, 2007. http://hdl.handle.net/1974/671.

Full text
Abstract:
The dependability of an Intrusion Detection System (IDS) relies on two factors: ability to detect intrusions and survivability in hostile environments. Machine learning-based anomaly detection approaches are gaining increasing attention in the network intrusion detection community because of their intrinsic ability to discover novel attacks. This ability has become critical since the number of new attacks has kept growing in recent years. However, most of today’s anomaly-based IDSs generate high false positive rates and miss many attacks because of a deficiency in their ability to discriminate attacks from legitimate behaviors. These unreliable results damage the dependability of IDSs. In addition, even if the detection method is sound and effective, the IDS might still be unable to deliver detection service when under attack. With the increasing importance of the IDS, some attackers attempt to disable the IDS before they launch a thorough attack. In this thesis, we propose a Dependable Network Intrusion Detection System (DNIDS) based on the Combined Strangeness and Isolation measure K-Nearest Neighbor (CSI-KNN) algorithm. The DNIDS can effectively detect network intrusions while providing continued service even under attacks. The intrusion detection algorithm analyzes different characteristics of network data by employing two measures: strangeness and isolation. Based on these measures, a correlation unit raises intrusion alerts with associated confidence estimates. In the DNIDS, multiple CSI-KNN classifiers work in parallel to deal with different types of network traffic. An intrusion-tolerant mechanism monitors the classifiers and the hosts on which the classifiers reside and enables the IDS to survive component failure due to intrusions. As soon as a failed IDS component is discovered, a copy of the component is installed to replace it and the detection service continues. We evaluate our detection approach over the KDD’99 benchmark dataset. The experimental results show that the performance of our approach is better than the best result of the KDD’99 contest winner. In addition, the intrusion alerts generated by our algorithm provide graded confidence that offers some insight into the reliability of the intrusion detection. To verify the survivability of the DNIDS, we test the prototype in simulated attack scenarios. In addition, we evaluate the performance of the intrusion-tolerant mechanism and analyze the system reliability. The results demonstrate that the mechanism can effectively tolerate intrusions and achieve high dependability.
Thesis (Master, Computing) -- Queen's University, 2007-09-05 14:36:57.128
29

Tseng, Hung-Lin, and 曾鴻麟. "An Ensemble Based Classification Algorithm for Network Intrusion Detection System." Thesis, 2011. http://ndltd.ncl.edu.tw/handle/16771777095571370354.

Full text
Abstract:
Master's
National Defense University, Chung Cheng Institute of Technology
Master's Program in Computer Science
99
In an environment of changing information security threats, an intrusion detection system (IDS) is an important line of defense. With the continuous progress of information technology, network speed and throughput are also increasing. There are hundreds of thousands of packets per second in the network. Taking both information security and network quality into account is a very important issue. In recent years, data mining technology has become very popular and has been applied successfully in various fields. Data mining can discover useful information in a large volume of data. Current research tends to apply data mining technology in constructing IDSs. However, many challenges still exist to be overcome in the field of data mining-based IDSs, such as imbalanced data sets, poor detection rate of the minority class, and low accuracy rate. Therefore, by integrating data selection, sampling, and feature selection methods, this thesis proposes an “Enhanced Integrated Learning” algorithm and an “EIL-Algorithm Based Ensemble System” to strengthen the classification model and its performance. This thesis uses the KDD99 data set as the experimental data source. A series of experiments is conducted to show that the proposed algorithms can enhance the classification performance of the minority class. For the U2R attack class, Recall and F-measure are 57.01% and 38.98%, respectively, which shows that the classification performance for the U2R attack class is effectively improved. Meanwhile, the overall classification performance of the anomaly network-based IDS is enhanced.
30

Hsu, Kai-Shuo, and 許凱碩. "Investigation and Simulation of an OTDR-based Perimeter Intrusion Detection System and Its Intrusion Locating Algorithm." Thesis, 2018. http://ndltd.ncl.edu.tw/handle/pvpj8g.

Full text
Abstract:
Master's
National Tsing Hua University
Department of Electrical Engineering
106
The fiber perimeter intrusion detection system based on the optical time domain reflectometer (OTDR) mainly uses the backscattering phenomenon of the light wave to analyze and locate the intrusion position. To analyze the signal of this fiber OTDR perimeter intrusion detection system, the theoretical backscattered signal model of delta-function-approximated scatterers in [31] is studied. A Matlab program is developed to simulate the backscattered OTDR light-intensity signal under various intrusion disturbance and detector noise scenarios. The differential method and the moving differential method are applied to the simulated signals to determine the intrusion location. Location errors of the two algorithms under various noise levels are compared and discussed. It is found that the moving differential method can locate the intrusion point from the signal accurately. An 8.8 km fiber OTDR prototype system is built in Professor Likarn Wang’s Lab. Real OTDR signals under various disturbances controlled by PZT at 0.5 km, 4.4 km, 4.9 km and 8.8 km are recorded. They are processed by the moving differential method to determine the intrusion location. In addition to the moving differential method, the wavelet-lowpass differential method and the sum of magnitude spectrum method are proposed to estimate the intrusion location. By comparing the location errors, it is found that the wavelet-lowpass differential method performed better than the other two methods for intrusions at 4.4 km, 4.9 km and 8.8 km.
31

Geta, Gemechu. "A HYBRID FUZZY/GENETIC ALGORITHM FOR INTRUSION DETECTION IN RFID SYSTEMS." 2011. http://hdl.handle.net/10222/14416.

Full text
Abstract:
Various established and emerging applications of RFID technology have been and are being implemented by companies in different parts of the world. However, RFID technology is susceptible to a variety of security and privacy concerns, as it is prone to attacks such as eavesdropping, denial of service, tag cloning and user tracking. This is mainly because RFID tags, specifically low-cost tags, have low computational capability to support complex cryptographic algorithms. Tag cloning is a key problem to be considered since it leads to severe economic losses. One of the possible approaches to address tag cloning is using an intrusion detection system. Intrusion detection systems in RFID networks, on top of the existing lightweight cryptographic algorithms, provide an additional layer of protection where other security mechanisms may fail. This thesis presents an intrusion detection mechanism that detects anomalies caused by one or more cloned RFID tags in the system. We make use of a Hybrid Fuzzy Genetics-Based Machine Learning algorithm to design an intrusion detection model from RFID system-generated event logs. For the purpose of training and evaluation of our proposed approach, part of the RFID system-generated dataset provided by the University of Tasmania’s School of Computing and Information Systems was used, in addition to simulated datasets. The results of our experiments show that the model can achieve high detection rates and low false positive rates when identifying anomalies caused by one or more cloned tags. In addition, the model yields linguistically interpretable rules that can be used to support decision making during the detection of anomaly caused by the cloned tags.
32

Hsu, Ying-Che, and 徐英哲. "An Adaptive Rule Assignment Algorithm for Efficient Distributed Intrusion Detection System." Thesis, 2005. http://ndltd.ncl.edu.tw/handle/xw7767.

Full text
Abstract:
Master's
Chung Yuan Christian University
Graduate Institute of Information Engineering
93
This thesis is mainly concerned with the Distributed Intrusion Detection System – NDIDS, and how to balance the CPU load of each Snort client or Snort sensor. Besides, this thesis presents two adaptive rule assignment algorithms. One is the principle for adding and deleting Snort sensor rules; the other is the principle for selecting which rules to add and delete. Furthermore, the differences between the algorithms and the situations in which each is suitable are discussed comprehensively. Finally, this thesis examines the experimental results and differences in effect arising from environmental differences, such as CPU, among the Snort sensors in the distributed system, and the effect of growing the number of Snort sensors linearly. Key words: Distributed Intrusion Detection System – NDIDS, Adaptive rule assignment, Distributed System
33

Tseng, Jen-Chih, and 曾仁志. "A Static Rule Assignment Algorithm for Efficient Distributed Intrusion Detection System." Thesis, 2005. http://ndltd.ncl.edu.tw/handle/28811918020972188152.

Full text
Abstract:
Master's
Chung Yuan Christian University
Graduate Institute of Information Engineering
93
In this paper, we propose a method to analyze intrusion rules. When an intrusion occurs, each Snort sensor detects the intrusion according to its rules, and CPU load can be balanced between the Snort sensors. We use Snort version 2.2.0. Snort has almost three thousand rules describing intrusion signatures. With so many rules, how do we assign rules to each Snort sensor? According to the order in which Snort checks rules against packets, we sort the rules in this order and then dispatch them to the Snort sensors equally. Of course, each sensor's capability is different, which may cause some sensors to be overloaded and leave the Snort sensors unbalanced. So we give a weight to each rule: Snort sensors with higher capability are dispatched the heavier rules, while Snort sensors with lower capability are dispatched the lighter rules. We also classify the Snort rules according to the Snort rule header. Snort rules are thereby dispatched to each Snort sensor equally. Finally, we illustrate how to assign rule weights and the influence of the algorithm.
34

Hung, Ching-You, and 洪精佑. "A Function-Parallelism Pattern-Matching Algorithm for Network Intrusion Detection Systems." Thesis, 2009. http://ndltd.ncl.edu.tw/handle/09791445668449235501.

Full text
Abstract:
Master's
National Chiao Tung University
Department of Electrical and Control Engineering
97
Pattern-matching algorithms are the core of network intrusion detection systems (NIDS). The performance of a good pattern-matching algorithm hence dominates the processing time required for deep packet inspection. In this research, we discuss the factors that can affect the performance of a pattern-matching algorithm. Such factors include the prefixes of rules and the lengths of the longest rules in a ruleset. Previous work on improving pattern-matching performance (the Wu-Manber and Aho-Corasick algorithms) adopts either a hash table or a finite automaton to store the rulesets. None of these algorithms considers parallelization when running on multicore systems. Herein, we propose a new pattern-matching algorithm for NIDS that can be easily adapted to multi-core systems. Our algorithm is composed of a search mechanism based on the function-parallelism approach and a composite data structure combining a hash table and finite state machines. We conduct a series of experiments to show that our algorithm is 2.2 times faster than the Aho-Corasick algorithm and 1.21 times faster than Wu-Manber's in a dual-processor system.
35

Yang, Jing Yao, and 楊景堯. "Using GPU to Improve Matching Algorithm for Network Intrusion Detection Systems." Thesis, 2014. http://ndltd.ncl.edu.tw/handle/54300985659005835704.

Full text
Abstract:
Master's
Chang Gung University
Department of Computer Science and Information Engineering
102
In order to protect networks from attacks, Network Intrusion Detection Systems (NIDS) have been widely utilized. These devices monitor packets in the network and scan packet payloads to detect malicious intrusions according to predefined rules called patterns or signatures. However, an NIDS requires a significant amount of time to check each packet to identify malicious patterns contained in the packets. With the advent of the high-speed Internet era, it is challenging to design an NIDS which can operate at line speeds of 10 Gbps or beyond. Some studies have tried to solve this problem using multi-queue network interface cards (NICs), multiple central processing units (CPUs), and multiple graphics processing units (GPUs). In this thesis, we first identify the bottleneck of an NIDS that utilizes both CPUs and GPUs. We then propose a pattern matching algorithm using CPU/GPU cooperation (CGC) to resolve the bottleneck. The proposed algorithm efficiently balances the load between the CPUs and GPUs. All incoming packets are first scanned by the CPUs. Only those packets that may contain intrusive patterns are forwarded to the GPUs for further scanning. The proposed algorithm was implemented and evaluated on Linux. Simulation results show that the proposed algorithm can operate at the full line speed of 10 Gbps, which is significantly better than the compared algorithms.
36

YU, CHANG-CHING, and 游錦昌. "Design and Implementation of Highly Accurate Hierarchical Clustering Algorithm for Intrusion Detection." Thesis, 2005. http://ndltd.ncl.edu.tw/handle/63918180499345437958.

Full text
Abstract:
Master's
Da-Yeh University
Master's Program, Department of Information Management
93
With the growth of the Internet, the number of hackers is increasing. Therefore, how to protect information security and avoid intrusions is an important issue. In order to prevent intrusion behavior on the Internet, many software tools or methods such as intrusion detection systems have been proposed. However, in the past twenty years, the operation of intrusion detection systems still has not been efficient. The reason is that existing intrusion detection systems still have low detection rates and high false positive rates. In particular, high false positive rates make system managers refuse to use intrusion detection systems. Therefore, in order to increase the effectiveness of intrusion detection and reduce false positives, we propose a hierarchical clustering algorithm for intrusion detection. Our proposed method is a highly accurate hierarchical clustering algorithm that is suitable for clustering network packets. The proposed clustering algorithm can accurately generate normal and abnormal clusters, and is more efficient and accurate than existing clustering methods.
37

Chen, Yu-Shu, and 陳毓書. "Combining Incremental Hidden Markov Model and Adaboost Algorithm for Anomaly Intrusion Detection." Thesis, 2009. http://ndltd.ncl.edu.tw/handle/38799778297148881388.

Full text
Abstract:
Master's
National Central University
Graduate Institute of Information Management
97
Because global malware and intrusions are growing sharply, it is important to develop effective Intrusion Detection Systems (IDSs) to improve the accuracy rate of intrusion detection. IDSs determine whether the current system has incurred an intrusion by analyzing system call sequences, system logs or network packets. All of these data consist of time series events. The traditional Hidden Markov Model (HMM), which has great capability to describe time series data, has been successfully applied to anomaly intrusion detection to model a normal profile. The Incremental HMM (IHMM) further improves the training time of the HMM. However, both HMM and IHMM still have the problem of a high false positive rate. In this thesis, we propose to combine IHMM and Adaboost for anomaly intrusion detection and name it Adaboost-IHMM. As Adaboost first uses many IHMMs to collectively classify samples and then decides the results of the samples’ classifications, Adaboost-IHMM can improve the accuracy rate of classification. Finally, we conduct experiments using the Stide and Sendmail system call datasets from UNM and Internet Explorer datasets collected by ourselves. Experimental results with the Stide datasets show that the proposed method can significantly improve the false positive rate by 70% without decreasing the detection rate. Besides, we also propose a method to adjust the normal profile to avoid erroneous detection caused by changes in normal behavior. We perform experiments with realistic datasets extracted from the use of popular browsers. Compared with the traditional HMM method, our method can improve the training time by 90% to build a new normal profile.
38

Chiu, Chi-Chang, and 邱啟彰. "Design a Two-Way Fast String-Matching Algorithm for Intrusion Detection System." Thesis, 2008. http://ndltd.ncl.edu.tw/handle/86518049918252358632.

Full text
Abstract:
Master's
I-Shou University
Master's Program, Department of Computer Science and Information Engineering
96
As the proliferation of Internet applications increases, security becomes a serious problem within network solutions. Intrusion detection systems (IDS) have become widely recognized as the most effective way of identifying and thwarting all kinds of known network attacks. Because most known attacks can be represented with strings or combinations of multiple substrings, string matching is one of the most critical components in an IDS. String matching must check every byte of every packet to see if it matches one of a set of ten thousand suspicious strings. As a result, string matching has become the bottleneck in IDS as network speeds grow into the tens of gigabits per second. Efficient string matching algorithms are therefore important for identifying these packets at line rate. In this study, we propose a two-way parallel structure to further improve the performance of the Aho-Corasick-based string matching algorithm. The proposed string matching algorithm is implemented by modifying the source code of Snort. Our results show that the two-way Aho-Corasick-based string matching algorithm is superior to other algorithms, especially in detecting network packets with large data payloads. Besides, a multiway parallel structure can be developed based on the concept of this two-way parallel structure, and is then expected to apply to a multiple-Gbps intrusion detection system.
39

陳建麟. "A Parallel String Matching Algorithm for High Speed Network Intrusion Detection System." Thesis, 2007. http://ndltd.ncl.edu.tw/handle/57773162720790226759.

Full text
40

Chen, Jhao Han, and 陳昭翰. "An Effective Pattern Matching Algorithm for Network Intrusion Detection Using Network Processors." Thesis, 2011. http://ndltd.ncl.edu.tw/handle/36725737784923767693.

Full text
Abstract:
Master's
Chang Gung University
Department of Computer Science and Information Engineering
99
In order to protect networks from attacks, Network Intrusion Detection Systems (NIDS) have been widely deployed. These devices monitor packets in the network and scan packet payloads to detect malicious intrusions according to predefined rules called patterns or signatures. It is time consuming for an NIDS to check each packet to see if it contains any malicious patterns. Studies reveal that about 31% of the processing time in NIDS is spent on pattern matching. Since software-based NIDS suffer from speed limitations, hardware-based NIDS appear to be a good choice for the future Internet. Network processors provide a scalable and flexible solution for implementing NIDS. One distinct feature of network processors is that the size of on-chip memory is typically several tens of KB, which is too small to store the data structures required by existing pattern matching algorithms. Thus, a considerable amount of time has to be spent accessing external memory. In this thesis, we propose a pattern matching algorithm that uses scalable two-layer lookup tables to improve time performance. The key idea is to build a tiny and adjustable lookup table which can be fully stored in the on-chip memory of network processors, reducing the probability of accessing the external memory. Since the latency of one on-chip memory access is far smaller than that of one external memory access, the time required to process a packet payload can be greatly reduced. We use the well-known Snort rule sets to evaluate the proposed algorithm. Compared with HMA, an efficient pattern matching algorithm designed for network processors, simulation results show that the proposed algorithm can reduce the processing time by 19% to 84%.
41

Subramanian, Ramanathan. "A Low-Complexity Algorithm For Intrusion Detection In A PIR-Based Wireless Sensor Network." Thesis, 2010. https://etd.iisc.ac.in/handle/2005/1384.

Full text
Abstract:
This thesis investigates the problem of detecting an intruder in the presence of clutter in a Passive Infra-Red (PIR) based Wireless Sensor Network (WSN). As one of the major objectives in a WSN is to maximize battery life, data transmission and local computations must be kept to a minimum as they are expensive in terms of energy. But, as intrusion is a rare event that cannot be missed, local computations expend more energy than data transmission. Hence, the need for a low-complexity algorithm for intrusion detection is inevitable. A low-complexity algorithm for intrusion detection in the presence of clutter arising from wind-blown vegetation, using PIR sensors, is presented. The algorithm is based on a combination of the Haar Transform (HT) and Support Vector Machine (SVM) based training. The amplitude and frequency of the intruder signature are used to differentiate it from the clutter signal. The HT was preferred to the Discrete Fourier Transform (DFT) in computing the spectral signature because of its computational simplicity: just additions and subtractions suffice (with scaling coefficients taken care of appropriately). Intruder data collected in a laboratory and clutter data collected from various types of vegetation were fed into the SVM for training. The optimal decision rule returned by the SVM was then used to separate intruder from clutter. Simulation results, along with some representative samples in which intrusions were detected and the clutter was rejected by the algorithm, are presented. The implementation of the proposed intruder-detection algorithm in a network setting comprising 20 sensing nodes is discussed. The field testing performance of the algorithm is then discussed. The limitations of the algorithm are also discussed. A closed-form analytical expression for the signature generated by a human moving along a straight line in the vicinity of the PIR sensor at constant velocity is provided. It is shown to be a good approximation by showing a close match with the real intruder waveforms. It is then shown how this expression can be exploited to track the intruder from the signatures of three well-positioned sensing nodes.
APA, Harvard, Vancouver, ISO, and other styles
43

Chien, Sheng-Wei, and 簡聖瑋. "Using Genetic Algorithm to Improve Network Intrusion Detection System Based on Incremental Mining." Thesis, 2010. http://ndltd.ncl.edu.tw/handle/72660456867463518111.

Full text
Abstract:
Master's
Ming Chuan University
Master's Program, Department of Computer Science and Information Engineering
98
Data mining is commonly used in attempts to induce association rules from transaction data. Most previous studies focused on mining from binary valued data. Transactions in real-world applications, however, usually consist of quantitative values. At the same time, Internet security is more and more important. In the area of Network Intrusion Detection Systems, we already had one based on incremental mining with fuzzy association rules. This thesis thus proposes a Genetic Algorithm to find the best membership functions for each feature of the NIDS. In the method, the set of membership functions for all features is encoded into a string of real numbers. Finally, the experimental results show that the designed fitness functions can avoid the formation of bad kinds of membership functions and can provide important mining results to our NIDS.
APA, Harvard, Vancouver, ISO, and other styles
44

Sajana, Abu R. "A Low-Complexity Intrusion Detection Algorithm For Surveillance Using PIR Sensors In A Wireless Sensor Network." Thesis, 2010. https://etd.iisc.ac.in/handle/2005/1282.

Full text
Abstract:
A Wireless Sensor Network (WSN) is a dense network of autonomous devices (or motes) with sensors that cooperatively monitor some physical or environmental conditions. These devices are resource constrained: limited memory, power and computational resources. Thus, any algorithm developed for a WSN should be designed such that it consumes as few resources as possible. The problem addressed in this thesis is developing a low-complexity algorithm for intrusion detection in the presence of clutter arising from moving vegetation, using Passive Infra-Red (PIR) sensors. The algorithm is based on a combination of Haar Transform (HT) and Support-Vector-Machine (SVM) based training. The spectral signature of the waveforms is used to separate the intruder and clutter waveforms. The spectral signature is computed using the HT and is fed to the SVM, which returns an optimal hyperplane that separates the intruder and clutter signatures. This hyperplane, obtained by offline training, is used online in the mote for surveillance. The algorithm is field-tested in the Indian Institute of Science campus. Based on experimental observations about the PIR sensor and the lens system, an analytical model for the waveform generated by an intruder moving along a straight line with uniform velocity in the vicinity of the sensor is developed. An analysis of how this model can be exploited to track the intruder path by optimally positioning multiple sensor nodes is provided. An algorithm for tracking the intruder path using features of the waveforms from three sensors mounted on a single mote is also developed.
APA, Harvard, Vancouver, ISO, and other styles
46

Stewart, Ian. "A Modified Genetic Algorithm and Switch-Based Neural Network Model Applied to Misuse-Based Intrusion Detection." Thesis, 2009. http://hdl.handle.net/1974/1720.

Full text
Abstract:
As our reliance on the Internet continues to grow, the need for secure, reliable networks also increases. Using a modified genetic algorithm and a switch-based neural network model, this thesis outlines the creation of a powerful intrusion detection system (IDS) capable of detecting network attacks. The new genetic algorithm is tested against traditional and other modified genetic algorithms using common benchmark functions, and is found to produce better results in less time, and with less human interaction. The IDS is tested using the standard benchmark data collection for intrusion detection: the DARPA 98 KDD99 set. Results are found to be comparable to those achieved using ant colony optimization, and superior to those obtained with support vector machines and other genetic algorithms.
Thesis (Master, Computing) -- Queen's University, 2009-03-03 13:28:23.787
APA, Harvard, Vancouver, ISO, and other styles
47

Ko, Wan-Pao, and 柯萬保. "Using Support Vector Machine and Genetic Algorithm to Reduce Asymmetric Cost in Intrusion Detection System." Thesis, 2006. http://ndltd.ncl.edu.tw/handle/90052706830973803219.

Full text
Abstract:
Master's
National Cheng Kung University
Institute of Information Management
94
Owing to the development of the Internet, system security problems and hacker intrusions happen frequently. People have gradually begun to notice the importance of Internet information security. Besides, intrusion detection systems have also become a main research field. In the past, most literature only focused on improving the accuracy of intrusion detection. However, in practice, because of the huge and continuously growing volume of network packets, traditional rule bases and feature matching skills still couldn't decrease the error rate. What's more, managers are tired of investigating and tracking error signals, which causes low efficiency of security equipment and information workers. Seeing that a successful intrusion and the wrongful rejection of a normal packet lead to different consequences, a business has to pay more for a False Negative (FN) than for a False Positive (FP). Therefore, in this study, the UCI KDD'99 (Knowledge Discovery in Databases Archive) intrusion detection dataset was used to choose meaningful features and representative instances with a view to reducing attribute dimensions. Then, a Support Vector Machine (SVM) was applied to perform classification. Finally, a genetic algorithm (GA) driven by the evaluated error cost was used to adjust the SVM parameters, with the Radial Basis Function (RBF) as the kernel function. By doing so, the asymmetric error cost of the intrusion detection system could be reduced. The study reached the major conclusion that it could effectively reduce the asymmetric error cost of intrusion detection and meet business demands by setting weights.
APA, Harvard, Vancouver, ISO, and other styles
48

Chang, Yu-Cheng, and 張育政. "A hybrid approach of rough set theory and genetic algorithm for SVM-based intrusion detection." Thesis, 2005. http://ndltd.ncl.edu.tw/handle/86699518854455525991.

Full text
Abstract:
Master's
Chung Hua University
Department of Information Management
93
The key point of an intrusion detection system is the detection efficiency. In this paper, we propose a hybrid approach of rough set theory and genetic algorithm for SVM-based intrusion detection. Discretizing the values of quantitative attributes and attribute selection are important in rough set theory. This study develops a genetic algorithm system based on rough set theory for simultaneously discretizing continuous valued attributes and selecting attributes to compute a minimal reduct. Then, the reduct is used for intrusion detection classification by a support vector machine. The feature reduction approach can also reduce data dimension and complexity. Our experimental results show that using the minimal reduct constructed by rough set theory and the genetic algorithm achieves better performance.
APA, Harvard, Vancouver, ISO, and other styles
49

Ke, Cheng-Feng, and 柯埕峰. "Accelerating Aho-Corasick Algorithm using Odd-Even Sub Pattern to improve Snort Intrusion Detection System." Thesis, 2018. http://ndltd.ncl.edu.tw/handle/487b46.

Full text
APA, Harvard, Vancouver, ISO, and other styles
50

Lee, Seunghee (6636224). "Incremental Support Vector Machine Approach for DoS and DDoS Attack Detection." Thesis, 2019.

Abstract:

Support Vector Machines (SVMs) have generally been effective in detecting instances of network intrusion. However, from a practical point of view, a standard SVM is not able to handle large-scale data efficiently due to the computational complexity of the algorithm and its extensive memory requirements. To cope with this limitation, this study presents an incremental SVM method combined with a k-nearest neighbors (KNN) based candidate support vectors (CSV) selection strategy in order to speed up the training and test processes. The proposed incremental SVM method constructs or updates the pattern classes by incrementally incorporating new signatures without having to load and access the entire previous dataset, in order to cope with evolving DoS and DDoS attacks. Performance of the proposed method is evaluated with experiments and compared with the standard SVM method and the simple incremental SVM method in terms of precision, recall, F1-score, and training and test duration.

APA, Harvard, Vancouver, ISO, and other styles