
Dissertations / Theses on the topic 'Network Intrusion Detection Systems (NIDS)'

1

Mahajan, Atul. "High speed circuit techniques for network intrusion detection systems (NIDS) /." Available to subscribers only, 2008. http://proquest.umi.com/pqdweb?did=1650508461&sid=1&Fmt=2&clientId=1509&RQT=309&VName=PQD.

2

Atakan, Mustafa. "Improving Performance Of Network Intrusion Detection Systems Through Concurrent Mechanisms." Master's thesis, METU, 2004. http://etd.lib.metu.edu.tr/upload/1061399/index.pdf.

Abstract:
As the bandwidth of present networks gets larger than in the past, the demand for Network Intrusion Detection Systems (NIDS) that function in real time becomes the major requirement for high-speed networks. If these systems are not fast enough to process all passing network traffic, some malicious security violations may take place using this drawback. In order to make that kind of application schedulable, some concurrency mechanism is introduced into the general flowchart of their algorithm. The principal aim is to fully utilize each resource of the platform and overlap the independent parts of the applications. In this context, a generic multi-threaded infrastructure is designed and proposed. The concurrency metrics of the new system are analyzed and compared with the original ones.
3

Schier, Thomas. "NIDS im Campusnetz." Universitätsbibliothek Chemnitz, 2004. http://nbn-resolving.de/urn:nbn:de:swb:ch1-200400501.

4

Goh, Vik Tor. "Intrusion detection framework for encrypted networks." Thesis, Queensland University of Technology, 2010. https://eprints.qut.edu.au/41733/1/Vik_Tor_Goh_Thesis.pdf.

Abstract:
Network-based Intrusion Detection Systems (NIDSs) monitor network traffic for signs of malicious activities that have the potential to disrupt entire network infrastructures and services. NIDS can only operate when the network traffic is available and can be extracted for analysis. However, with the growing use of encrypted networks such as Virtual Private Networks (VPNs) that encrypt and conceal network traffic, a traditional NIDS can no longer access network traffic for analysis. The goal of this research is to address this problem by proposing a detection framework that allows a commercial off-the-shelf NIDS to function normally in a VPN without any modification. One of the features of the proposed framework is that it does not compromise on the confidentiality afforded by the VPN. Our work uses a combination of Shamir's secret-sharing scheme and randomised network proxies to securely route network traffic to the NIDS for analysis. The detection framework is effective against two general classes of attacks: attacks targeted at the network hosts or attacks targeted at the framework itself. We implement the detection framework as a prototype program and evaluate it. Our evaluation shows that the framework does indeed detect these classes of attacks and does not introduce any additional false positives. Despite the increase in network overhead in doing so, the proposed detection framework is able to consistently detect intrusions through encrypted networks.
5

Andersson, Michael, and Andreas Mickols. "A study of Centralized Network Intrusion Detection System using low end single board computers." Thesis, Högskolan Dalarna, Datateknik, 2017. http://urn.kb.se/resolve?urn=urn:nbn:se:du-25552.

Abstract:
The use of Intrusion Detection Systems is a normal thing today in bigger companies, but the solutions that are to be found in the market are often too expensive for the smaller company. Therefore, we saw the need to investigate whether there is a more affordable solution. In this report, we will show that it is possible to use low cost single board computers as part of a bigger centralized Intrusion Detection System. To investigate this, we set up a test system including 2 Raspberry Pi 3 Model B, a cloud server and the use of two home networks, one with port mirroring implemented in firmware and the other with a dedicated span port. The report will show how we set up the environment and the testing we have done to prove that this is a working solution.
6

Silva, Eduardo Germano da. "A one-class NIDS for SDN-based SCADA systems." reponame:Biblioteca Digital de Teses e Dissertações da UFRGS, 2007. http://hdl.handle.net/10183/164632.

Abstract:
Power systems have great influence on worldwide economic development. Given the importance of electrical energy to our society, power systems are frequently targets of network intrusions caused by the most diverse motivations. To minimize or even mitigate the effects of network intrusions, mechanisms that raise the security level of power systems are being proposed, such as new communication protocols and standardization norms. Furthermore, power systems are undergoing an intense modernization process, making them highly dependent on networked systems responsible for monitoring and managing electrical components. These, then called Smart Grids, comprise generation, transmission and distribution subsystems, which are monitored and managed by supervisory control and data acquisition (SCADA) systems. In this master's dissertation, we investigate and discuss the applicability and benefits of adopting Software-Defined Networking (SDN) to assist the development of the next generation of SCADA systems. We also propose an intrusion detection system (IDS) that uses specific traffic classification techniques and benefits from the characteristics of SCADA networks and of the SDN/OpenFlow paradigm. Our proposal uses SDN to periodically collect network statistics from SCADA equipment, which are later processed by classification algorithms based on examples of a single class (OCC). Given that information about attacks directed at SCADA systems is scarce and little disclosed publicly by their maintainers, the main advantage of using OCC algorithms is that they do not depend on attack signatures to detect possibly malicious traffic. As a proof of concept, we developed a prototype of our proposal.
Finally, in our experimental evaluation, we observed the performance and accuracy of our prototype using two types of OCC algorithms, and considering anomalous events in the SCADA network, such as a denial of service (DoS) attack and the failure of several field devices.
Power grids have great influence on the development of the world economy. Given the importance of the electrical energy to our society, power grids are often target of network intrusion motivated by several causes. To minimize or even to mitigate the aftereffects of network intrusions, more secure protocols and standardization norms to enhance the security of power grids have been proposed. In addition, power grids are undergoing an intense process of modernization, and becoming highly dependent on networked systems used to monitor and manage power components. These so-called Smart Grids comprise energy generation, transmission, and distribution subsystems, which are monitored and managed by Supervisory Control and Data Acquisition (SCADA) systems. In this Master's dissertation, we investigate and discuss the applicability and benefits of using Software-Defined Networking (SDN) to assist in the deployment of next generation SCADA systems. We also propose an Intrusion Detection System (IDS) that relies on specific techniques of traffic classification and takes advantage of the characteristics of SCADA networks and of the adoption of SDN/OpenFlow. Our proposal relies on SDN to periodically gather statistics from network devices, which are then processed by One-Class Classification (OCC) algorithms. Given that attack traces in SCADA networks are scarce and not publicly disclosed by utility companies, the main advantage of using OCC algorithms is that they do not depend on known attack signatures to detect possible malicious traffic. As a proof-of-concept, we developed a prototype of our proposal. Finally, in our experimental evaluation, we observed the performance and accuracy of our prototype using two OCC-based Machine Learning (ML) algorithms, and considering anomalous events in the SCADA network, such as a Denial-of-Service (DoS), and the failure of several SCADA field devices.
7

Akhlaq, Monis. "Improved performance high speed network intrusion detection systems (NIDS) : a high speed NIDS architectures to address limitations of packet loss and low detection rate by adoption of dynamic cluster architecture and traffic anomaly filtration (IADF)." Thesis, University of Bradford, 2011. http://hdl.handle.net/10454/5377.

Abstract:
Intrusion Detection Systems (IDS) are considered as a vital component in network security architecture. The system allows the administrator to detect unauthorized use of, or attack upon, a computer, network or telecommunication infrastructure. There is no second thought on the necessity of these systems; however, their performance remains a critical question. This research has focussed on designing a high performance Network Intrusion Detection Systems (NIDS) model. The work begins with the evaluation of Snort, an open source NIDS considered as a de-facto IDS standard. The motive behind the evaluation strategy is to analyze the performance of Snort and ascertain the causes of limited performance. Design and implementation of high performance techniques are considered as the final objective of this research. Snort has been evaluated on a highly sophisticated test bench by employing evasive and avoidance strategies to simulate real-life normal and attack-like traffic. The test-methodology is based on the concept of stressing the system and degrading its performance in terms of its packet handling capacity. This has been achieved by normal traffic generation; fuzzing; traffic saturation; parallel dissimilar attacks; manipulation of background traffic, e.g. fragmentation, packet sequence disturbance and illegal packet insertion. The evaluation phase has led us to two high performance designs, first a distributed hardware architecture using cluster-based adoption and second a cascaded phenomenon of anomaly-based filtration and signature-based detection. The first high performance mechanism is based on Dynamic Cluster adoption using refined policy routing and Comparator Logic. The design is a two tier mechanism where the front end of the cluster is the load-balancer which distributes traffic on pre-defined policy routing ensuring maximum utilization of cluster resources.
The traffic load sharing mechanism reduces the packet drop by exchanging state information between load-balancer and cluster nodes and implementing switchovers between nodes in case the traffic exceeds a pre-defined threshold limit. Finally, the recovery evaluation concept using Comparator Logic also enhances the overall efficiency by recovering lost data in switchovers; the retrieved data is then analyzed by the recovery NIDS to identify any leftover threats. Intelligent Anomaly Detection Filtration (IADF) using a cascaded architecture of anomaly-based filtration and signature-based detection process is the second high performance design. The IADF design is used to preserve resources of the NIDS by eliminating a large portion of the traffic on well defined logics. In addition, the filtration concept augments the detection process by eliminating the part of malicious traffic which otherwise can go undetected by most signature-based mechanisms. We have evaluated the mechanism to detect Denial of Service (DoS) and Probe attempts by analyzing its performance on the Defence Advanced Research Projects Agency (DARPA) dataset. The concept has also been supported by time-based normalized sampling mechanisms to incorporate normal traffic variations to reduce false alarms. Finally, we have observed that the IADF has augmented the overall detection process by reducing false alarms, increasing detection rate and incurring less data loss.
8

Niyaz, Quamar. "Design and Implementation of a Deep Learning based Intrusion Detection System in Software-Defined Networking Environment." University of Toledo / OhioLINK, 2017. http://rave.ohiolink.edu/etdc/view?acc_num=toledo1501785493311223.

9

Alserhani, Faeiz. "A framework for correlation and aggregation of security alerts in communication networks : a reasoning correlation and aggregation approach to detect multi-stage attack scenarios using elementary alerts generated by Network Intrusion Detection Systems (NIDS) for a global security perspective." Thesis, University of Bradford, 2011. http://hdl.handle.net/10454/5430.

Abstract:
The tremendous increase in usage and complexity of modern communication and network systems connected to the Internet places demands upon security management to protect organisations' sensitive data and resources from malicious intrusion. Malicious attacks by intruders and hackers exploit flaws and weak points in deployed systems through several sophisticated techniques that cannot be prevented by traditional measures, such as user authentication, access controls and firewalls. Consequently, automated detection and timely response systems are urgently needed to detect abnormal activities by monitoring network traffic and system events. Network Intrusion Detection Systems (NIDS) and Network Intrusion Prevention Systems (NIPS) are technologies that inspect traffic and diagnose system behaviour to provide improved attack protection. The current implementation of intrusion detection systems (commercial and open-source) lacks the scalability to support the massive increase in network speed and the emergence of new protocols and services. Multi-giga networks have become a standard installation, leaving the NIDS susceptible to resource exhaustion attacks. The research focuses on two distinct problems for the NIDS: missing alerts due to packet loss as a result of NIDS performance limitations; and the huge volumes of alerts generated by the NIDS overwhelming the security analyst, which makes event observation tedious. A methodology for analysing alerts using a proposed framework for alert correlation has been presented to provide the security operator with a global view of the security perspective. Missed alerts are recovered implicitly using a contextual technique to detect multi-stage attack scenarios. This is based on the assumption that the most serious intrusions consist of relevant steps that are temporally ordered. The pre- and post-condition approach is used to identify the logical relations among low level alerts.
The alerts are aggregated, verified using vulnerability modelling, and correlated to construct multi-stage attacks. A number of algorithms have been proposed in this research to support the functionality of our framework including: alert correlation, alert aggregation and graph reduction. These algorithms have been implemented in a tool called Multi-stage Attack Recognition System (MARS) consisting of a collection of integrated components. The system has been evaluated using a series of experiments and using different data sets, i.e., publicly available datasets and data sets collected using real-life experiments. The results show that our approach can effectively detect multi-stage attacks. The false positive rates are reduced due to implementation of the vulnerability and target host information.
10

Kabir-Querrec, Maëlle. "Cyber sécurité des systèmes industriels pour les smart-grids : détection d'intrusion dans les réseaux de communication IEC 61850." Thesis, Université Grenoble Alpes (ComUE), 2017. http://www.theses.fr/2017GREAT032/document.

Abstract:
Industrial Automation and Control Systems (IACS) rely heavily, and increasingly, on Information and Communication Technologies. Originally, IACS used proprietary protocols on closed networks, thereby ensuring security through obscurity and isolation. But technologies and usages have evolved and this intrinsic security no longer exists. This evolution concerns, among others, the electrical domain: the power grid is becoming the "smart grid". The IEC 61850 standard is a pillar for the development of the smart grid. Its objective is to make interoperability possible in "Communication networks and systems for power utility automation". To that end, the standard defines a common data model as well as a protocol stack answering various communication needs. The IEC 61850 standard does not address the question of cyber security, despite a general awareness that a cyber risk weighs on IACS. This research work proposes to answer this question of cyber security through intrusion detection in IEC 61850 networks, and more precisely in real-time GOOSE communications. The idea is to exploit as much as possible the sources of information that are the protocol specifications and the system configuration in order to develop a tailored network intrusion detection system (NIDS - Network Intrusion Detection System). This deterministic behavioural approach is a guarantee of detection accuracy. This manuscript has four chapters. The first two consist of a detailed state of the art on NIDS for IACS on the one hand, and on cyber risk analysis on the other hand. The other two chapters present the actual contributions of this thesis work.
Chapter 3 first explores the cyber risk weighing on an electrical substation and which can compromise the dependability of the system. Secondly, an extension of the IEC 61850 data model dedicated to intrusion detection in GOOSE communications is proposed. Chapter 4 begins with the experimental demonstration of the feasibility of a data injection attack on the GOOSE protocol, then explains how to use the system configuration files to specify the detection rules. A parser for the GOOSE protocol was integrated into the open source traffic analyser Bro, allowing the implementation of a detection algorithm
Information and Communication Technologies have been pervading Industrial Automation and Control Systems (IACS) for a few decades now. Initially, IACS ran proprietary protocols on closed networks, thus ensuring some level of security through obscurity and isolation. Technologies and usages have evolved and today this intrinsic security does not exist any longer, though. This transition is in progress in the electricity domain, the power infrastructure turning into the "smart grid". The IEC 61850 standard is key to the smart grid development. It is aimed at making interoperability possible in "Communication networks and systems for power utility automation". It thus defines a common data object model and a stack of protocols answering different purposes. Although the cyber risk in IACS is now widely acknowledged, IEC 61850 does not address cyber security in any way whatsoever. This work tackles the question of cyber security through network intrusion detection in IEC 61850 networks, and more specifically in real-time GOOSE communications. The idea is to get the most out of the protocol specifications and system configuration while developing a tailored NIDS. This enables detection accuracy
11

Heide, Richter, Riedel, Schier, Kratzert, and Ziegler. "Mitteilungen des URZ 2/2004." Universitätsbibliothek Chemnitz, 2004. http://nbn-resolving.de/urn:nbn:de:swb:ch1-200400568.

12

Stefanova, Zheni Svetoslavova. "Machine Learning Methods for Network Intrusion Detection and Intrusion Prevention Systems." Scholar Commons, 2018. https://scholarcommons.usf.edu/etd/7367.

Abstract:
Given the continuing advancement of networking applications and our increased dependence upon software-based systems, there is a pressing need to develop improved security techniques for defending modern information technology (IT) systems from malicious cyber-attacks. Indeed, anyone can be impacted by such activities, including individuals, corporations, and governments. Furthermore, the sustained expansion of the network user base and its associated set of applications is also introducing additional vulnerabilities which can lead to criminal breaches and loss of critical data. As a result, the broader cybersecurity problem area has emerged as a significant concern, with many solution strategies being proposed for both intrusion detection and prevention. Now in general, the cybersecurity dilemma can be treated as a conflict-resolution setup entailing a security system and minimum of two decision agents with competing goals (e.g., the attacker and the defender). Namely, on the one hand, the defender is focused on guaranteeing that the system operates at or above an adequate (specified) level. Conversely, the attacker is focused on trying to interrupt or corrupt the system’s operation. In light of the above, this dissertation introduces novel methodologies to build appropriate strategies for system administrators (defenders). In particular, detailed mathematical models of security systems are developed to analyze overall performance and predict the likely behavior of the key decision makers influencing the protection structure. The initial objective here is to create a reliable intrusion detection mechanism to help identify malicious attacks at a very early stage, i.e., in order to minimize potentially critical consequences and damage to system privacy and stability. Furthermore, another key objective is also to develop effective intrusion prevention (response) mechanisms. 
Along these lines, a machine learning based solution framework is developed consisting of two modules. Specifically, the first module prepares the system for analysis and detects whether or not there is a cyber-attack. Meanwhile, the second module analyzes the type of the breach and formulates an adequate response. Namely, a decision agent is used in the latter module to investigate the environment and make appropriate decisions in the case of uncertainty. This agent starts by conducting its analysis in a completely unknown milieu but continually learns to adjust its decision making based upon the provided feedback. The overall system is designed to operate in an automated manner without any intervention from administrators or other cybersecurity personnel. Human input is essentially only required to modify some key model (system) parameters and settings. Overall, the framework developed in this dissertation provides a solid foundation from which to develop improved threat detection and protection mechanisms for static setups, with further extensibility for handling streaming data.
13

Tucker, Christopher John. "Performance metrics for network intrusion systems." Thesis, University of Plymouth, 2013. http://hdl.handle.net/10026.1/1547.

Abstract:
Intrusion systems have been the subject of considerable research during the past 33 years, since the original work of Anderson. Much has been published attempting to improve their performance using advanced data processing techniques including neural nets, statistical pattern recognition and genetic algorithms. Whilst some significant improvements have been achieved they are often the result of assumptions that are difficult to justify and comparing performance between different research groups is difficult. The thesis develops a new approach to defining performance focussed on comparing intrusion systems and technologies. A new taxonomy is proposed in which the type of output and the data scale over which an intrusion system operates is used for classification. The inconsistencies and inadequacies of existing definitions of detection are examined and five new intrusion levels are proposed from analogy with other detection-based technologies. These levels are known as detection, recognition, identification, confirmation and prosecution, each representing an increase in the information output from, and functionality of, the intrusion system. These levels are contrasted over four physical data scales, from application/host through to enterprise networks, introducing and developing the concept of a footprint as a pictorial representation of the scope of an intrusion system. An intrusion is now defined as “an activity that leads to the violation of the security policy of a computer system”. Five different intrusion technologies are illustrated using the footprint with current challenges also shown to stimulate further research. Integrity in the presence of mixed trust data streams at the highest intrusion level is identified as particularly challenging. Two metrics new to intrusion systems are defined to quantify performance and further aid comparison. 
Sensitivity is introduced to define basic detectability of an attack in terms of a single parameter, rather than the usual four currently in use. Selectivity is used to describe the ability of an intrusion system to discriminate between attack types. These metrics are quantified experimentally for network intrusion using the DARPA 1999 dataset and SNORT. Only nine of the 58 attack types present were detected with sensitivities in excess of 12 dB, indicating that detection performance of the attack types present in this dataset remains a challenge. The measured selectivity was also poor, indicating that only three of the attack types could be confidently distinguished. The highest value of selectivity was 3.52, significantly lower than the theoretical limit of 5.83 for the evaluated system. Options for improving selectivity and sensitivity through additional measurements are examined.
14

Chatprechakul, Nattapron. "Improving performance of distributed network intrusion detection systems using mobile agents." Thesis, Cranfield University, 2005. http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.423508.

15

Yang, Yi. "Intrusion detection for communication network security in power systems." Thesis, Queen's University Belfast, 2013. http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.603572.

Abstract:
In response to the emergence of cybersecurity issues in smarter grids, a number of IT security approaches have been presented. However, in practice, power networks with legacy systems are more difficult to update, patch and protect using conventional IT security techniques. This research presents a contribution to cybersecurity using Intrusion Detection Systems (IDS) in power systems. An intrusion detection methodology provides an approach to identify evidence of abnormal communication behaviours in a passive mode that does not impact normal operation of power systems but provides pre-emptive knowledge of potential threats and incidents. This thesis proposes and develops new intrusion detection approaches for Smart Grid cybersecurity that are applied in Supervisory Control and Data Acquisition (SCADA) and synchrophasor systems in order to monitor the operation of such systems and detect cyber threats against these systems resulting from malicious attacks or misuse by legitimate users. One of the proposed intrusion detection approaches combines whitelist categorisation with behaviour-based detection methods to identify known and unknown attacks by considering the operational features and the communication protocols of SCADA and synchrophasor systems. Furthermore, SCADA-specific and synchrophasor-specific cybersecurity solutions are presented using test-beds to investigate, simulate and exemplify the impacts of cyber attacks on SCADA and synchrophasor systems. The proposed SCADA-specific IDS (SCADA-IDS) and Synchrophasor-Specific IDS (SSIDS) are implemented and verified using two test-beds. In addition, a hybrid IDS is proposed for SCADA networks using the IEC 60870-5-104 protocol, which contains signature-based, model-based and stateful detection methods. The proposed hybrid IDS is implemented and validated using the Internet Traffic and Content Analysis (ITACA) platform and the open source Snort tool.
These new detection tools proposed in this thesis allow the cybersecurity of significant power systems communications networks to be improved, thus contributing to the security and reliability of the Smart Grid as a whole.
16

ANSARI, NAZLI. "MACHINE LEARNING METHODS TO IMPROVE NETWORK INTRUSION DETECTION SYSTEMS." OpenSIUC, 2019. https://opensiuc.lib.siu.edu/theses/2605.

17

Yun, Ronald E. "Network defense-in-depth : evaluating host-based intrusion detection systems /." Monterey, Calif. : Springfield, Va. : Naval Postgraduate School ; Available from National Technical Information Service, 2001. http://handle.dtic.mil/100.2/ADA395808.

18

Zhou, Ying. "M-AdaBoost-A Based Ensemble System for Network Intrusion Detection." Thesis, The George Washington University, 2021. http://pqdtopen.proquest.com/#viewpdf?dispub=28256014.

Abstract:
Network intrusion detection remains a challenging research area as it involves learning from large-scale imbalanced multiclass datasets. While machine learning algorithms have been widely used for network intrusion detection, most standard techniques cannot achieve consistent good performance across multiple classes. In this dissertation, a novel ensemble system was proposed based on the Modified Adaptive Boosting with Area under the curve (M-AdaBoost-A) algorithm to detect network intrusions more effectively. Multiple M-AdaBoost-A-based classifiers were combined into an ensemble by employing various strategies, including particle swarm optimization. To the best of our knowledge, this study is the first to utilize the M-AdaBoost-A algorithm for addressing class imbalance in network intrusion detection. Compared with existing standard techniques, the proposed ensemble system achieved superior performance across multiple classes in both 802.11 wireless intrusion detection and traditional enterprise intrusion detection.
19

Pillay, Manju Mohan. "Applying genetic algorithm techniques in network intrusion detection systems / Pillai, M.M." Thesis, North-West University, 2011. http://hdl.handle.net/10394/7030.

Abstract:
The Internet has grown into an essential medium for human beings that facilitates communication, information searching, banking, marketing, online education and advertising among the numerous use cases that it offers. The benefits that are offered by the Internet are negated due to the fact that intruders abuse and compromise the Internet through sophisticated cybercrimes and computer crimes. Cybercrime and computer crime have caused great havoc and panic in Internet usage and network security. As a result, it has become very important to protect the information residing in computer systems that are connected especially to networks, as it is the primary target for criminal activities. It is impossible to build a completely secure system as intruders find new methods to compromise the system. The least that can be done is to detect the intrusions, in order to either fix the vulnerability or to avoid the intrusions from re-occurring. One such tool that detects intrusions is an Intrusion Detection System (IDS). However, IDSs have their own challenges such as the incapability of detecting new intrusions and generating a multitude of false alarms. The focus of this research is to alleviate the current issues in IDSs by designing a Network IDS using Genetic Algorithms (GAs). The study thus aims at making the intrusion detection process robust by detecting unknown intrusions with fewer false alarms using GA principles. Further, a prototype of an IDS using GAs was developed to substantiate the study and evaluate its effectiveness, uniqueness and flexibility. The results showed that the GA-NIDS proved to be flexible and unique in accepting any format of rule as well as detecting both known and unknown intrusions.
Thesis (M.Ing. (Computer and Electronic Engineering))--North-West University, Potchefstroom Campus, 2012.
20

Bul'ajoul, W. A. A. A. "Performance of network intrusion detection and prevention systems in highspeed environments." Thesis, Coventry University, 2017. http://curve.coventry.ac.uk/open/items/f3dfcb2a-df8a-4908-9202-e0ed758f86b2/1.

Abstract:
Due to the numerous and increasingly malicious attacks on computer networks and systems, current security tools are often not enough to resolve the issues related to illegal users and reliability, and to provide robust network security. Recent research has indicated that although network security has developed, a major concern about an increase in illegal intrusions still exists. Addressing security on every occasion or in every place is a really important and sensitive matter for many users, businesses, governments and enterprises. A Network Intrusion Detection and Prevention System (NIDPS) is one of the most tested, reliable, and strongest forms of technology used to sniff out network packets, monitor incoming and outgoing network traffic, and identify the unauthorised usage and mishandling of computer system networks. It can provide a better understanding of the things that are really happening on the network. In addition, an NIDPS has the potential to detect, prevent, and report any evidence of attacks and malicious traffic. It is critical to implement an NIDPS in a computer network that has high traffic and high-speed connectivity. This thesis presents an investigation, involving a literature review and intensive experiments, which shows that current NIDPSs have several shortcomings, such as being incapable of detecting or preventing the rising attacks and threats in high-speed environments, such as flood attacks (UDP, TCP, ICMP and HTTP) or Denial and Distributed Denial of Service attacks (DoS/DDoS), because the main purpose of these types of attacks is basically to send heavy traffic to systems at high speed to stop or slow down performance. To investigate the status of NIDPS performance and test the capability of NIDPS analysis, detection, and prevention modes when exposed to malicious attacks that come through high-load and high-speed traffic, a prototype network has been designed.
The prototype consisted of virtual and physical stations including six (6) PCs and three (3) switches (i.e. two layer 2 switches and one layer 3 switch). Several tools were used to carry out the research experiments, implementation and evaluation. The research presents a study using the Snort NIDPS open source software. It shows that NIDPS performance can be weak in the face of high-speed and high-load traffic in terms of packet drops, outstanding packets without analysis, and failing to detect/prevent unwanted traffic. The research has designed a novel QoS architecture to increase the analytical, detection, and prevention performance of NIDPS when deployed in high-speed networks. It has proposed and evaluated a solution using a novel QoS configuration in a multi-layer switch to organise and improve network traffic performance in order to reduce the packets dropped, and then uses parallel techniques to increase packet processing speed. The novel architecture was tested under different traffic speeds, types, and tasks. The experimental results show that the novel architecture improves network and NIDPS performance.
21

Siddiqui, Abdul Jabbar. "Securing Connected and Automated Surveillance Systems Against Network Intrusions and Adversarial Attacks." Thesis, Université d'Ottawa / University of Ottawa, 2021. http://hdl.handle.net/10393/42345.

Abstract:
In recent years, connected surveillance systems have been witnessing an unprecedented evolution owing to the advancements in internet of things and deep learning technologies. However, vulnerabilities to various kinds of attacks both at the cyber network-level and at the physical world-level are also rising. This poses danger not only to the devices but also to human life and property. The goal of this thesis is to enhance the security of an internet of things, focusing on connected video-based surveillance systems, by proposing multiple novel solutions to address security issues at the cyber network-level and to defend such systems at the physical world-level. In order to enhance security at the cyber network-level, this thesis designs and develops solutions to detect network intrusions in an internet of things such as surveillance cameras. The first solution is a novel method for network flow features transformation, named TempoCode. It introduces a temporal codebook-based encoding of flow features based on capturing the key patterns of benign traffic in a learnt temporal codebook. The second solution takes an unsupervised learning-based approach and proposes four methods to build efficient and adaptive ensembles of neural network-based autoencoders for intrusion detection in internet of things such as surveillance cameras. To address the physical world-level attacks, this thesis studies, for the first time to the best of our knowledge, adversarial patch-based attacks against a convolutional neural network (CNN)-based surveillance system designed for vehicle make and model recognition (VMMR). The connected video-based surveillance systems that are based on deep learning models such as CNNs are highly vulnerable to adversarial machine learning-based attacks that could trick and fool the surveillance systems.
In addition, this thesis proposes and evaluates a lightweight defense solution called SIHFR to mitigate the impact of such adversarial patches on CNN-based VMMR systems, leveraging the symmetry in vehicles' face images. The experimental evaluations on recent realistic intrusion detection datasets prove the effectiveness of the developed solutions, in comparison to the state of the art, in detecting intrusions of various types and for different devices. Moreover, using a real-world surveillance dataset, we demonstrate the effectiveness of the SIHFR defense method, which does not require re-training of the target VMMR model and adds only a minimal overhead. The solutions designed and developed in this thesis shall pave the way forward for future studies to develop efficient intrusion detection systems and adversarial attack mitigation methods for connected surveillance systems such as VMMR.
22

Caulkins, Bruce. "SESSION-BASED INTRUSION DETECTION SYSTEM TO MAP ANOMALOUS NETWORK TRAFFIC." Doctoral diss., University of Central Florida, 2005. http://digital.library.ucf.edu/cdm/ref/collection/ETD/id/3466.

Abstract:
Computer crime is a large problem (CSI, 2004; Kabay, 2001a; Kabay, 2001b). Security managers have a variety of tools at their disposal: firewalls, Intrusion Detection Systems (IDSs), encryption, authentication, and other hardware and software solutions to combat computer crime. Many IDS variants exist which allow security managers and engineers to identify attack network packets primarily through the use of signature detection; i.e., the IDS recognizes attack packets due to their well-known "fingerprints" or signatures as those packets cross the network's gateway threshold. On the other hand, anomaly-based ID systems determine what is normal traffic within a network and report abnormal traffic behavior. This paper will describe a methodology towards developing a more robust Intrusion Detection System through the use of data-mining techniques and anomaly detection. These data-mining techniques will dynamically model what a normal network should look like and reduce the false positive and false negative alarm rates in the process. We will use classification-tree techniques to accurately predict probable attack sessions. Overall, our goal is to model network traffic into network sessions and identify those network sessions that have a high probability of being an attack and can be labeled as a "suspect session." Subsequently, we will use these techniques inclusive of signature detection methods, as they will be used in concert with known signatures and patterns in order to present a better model for detection and protection of networks and systems.
Ph.D.
Other
Arts and Sciences
Modeling and Simulation
23

Cetin, Burak. "Wireless Network Intrusion Detection and Analysis using Federated Learning." Youngstown State University / OhioLINK, 2020. http://rave.ohiolink.edu/etdc/view?acc_num=ysu1588778320687729.

24

Williams, Lloyd. "Augmentation of Intrusion Detection Systems Through the Use of Bayesian Network Analysis." NCSU, 2006. http://www.lib.ncsu.edu/theses/available/etd-11292005-200153/.

Abstract:
The purpose of this research has been to increase the effectiveness of Intrusion Detection Systems in the enforcement of computer security. Current preventative security measures are clearly inadequate, as evidenced by constant examples of compromised computer security seen in the news. Intrusion Detection Systems have been created to respond to the inadequacies of existing preventative security methods. This research presents the two main approaches to Intrusion Detection Systems and the reasons that they too fail to produce adequate security. Promising new methods are attempting to increase the effectiveness of Intrusion Detection Systems, with one of the most interesting approaches being that taken by the TIAA system. The TIAA system uses a method based on employing prerequisites and consequences of security attacks to glean cohesive collections of attack data from large data sets. The reasons why the TIAA approach ultimately fails are discussed, and the possibility of using the TIAA system as a preprocessor for recognizing novel attacks is then presented along with the types of data this approach will produce. In the course of this research the VisualBayes software package was created to make use of the data generated by the TIAA system. VisualBayes is a complete graphical system for the creation, manipulation, and evaluation of Bayesian networks. VisualBayes also uses the Bayesian networks to create a visualization of observations and the probabilities that result from them. This is a new feature that has not been seen in other Bayesian systems up to this point.
25

Fogla, Prahlad. "Improving the Efficiency and Robustness of Intrusion Detection Systems." Diss., Georgia Institute of Technology, 2007. http://hdl.handle.net/1853/19772.

Abstract:
With the increase in the complexity of computer systems, existing security measures are not enough to prevent attacks. Intrusion detection systems have become an integral part of computer security to detect attempted intrusions. Intrusion detection systems need to be fast in order to detect intrusions in real time. Furthermore, intrusion detection systems need to be robust against attacks which are disguised to evade them. We improve the runtime complexity and space requirements of a host-based anomaly detection system that uses q-gram matching. q-gram matching is often used for approximate substring matching problems in a wide range of application areas, including intrusion detection. During the text pre-processing phase, we store all the q-grams present in the text in a tree. We use a tree redundancy pruning algorithm to reduce the size of the tree without losing any information. We also use suffix links for fast linear-time q-gram search during query matching. We compare our work with the Rabin-Karp based hash-table technique, commonly used for multiple q-gram matching. To analyze the robustness of network anomaly detection systems, we develop a new class of polymorphic attacks called polymorphic blending attacks that can effectively evade payload-based network anomaly IDSs by carefully matching the statistics of the mutated attack instances to the normal profile. Using the PAYL anomaly detection system for our case study, we show that these attacks are practically feasible. We develop a formal framework which is used to analyze polymorphic blending attacks for several network anomaly detection systems. We show that generating an optimal polymorphic blending attack is NP-hard for these anomaly detection systems. However, we can generate polymorphic blending attacks using the proposed approximation algorithms. The framework can also be used to improve the robustness of an intrusion detector.
We suggest some possible countermeasures one can take to improve the robustness of an intrusion detection system against polymorphic blending attacks.
26

Huang, Yi-an. "Intrusion Detection and Response Systems for Mobile Ad Hoc Networks." Diss., Georgia Institute of Technology, 2006. http://hdl.handle.net/1853/14053.

Abstract:
A mobile ad hoc network (MANET) consists of a group of autonomous mobile nodes with no infrastructure support. In this research, we develop a distributed intrusion detection and response system for MANET, and we believe it presents a second line of defense that cannot be replaced by prevention schemes. We based our detection framework on the study of attack taxonomy. We then propose a set of detection methods suitable for detecting different attack categories. Our approaches are based on protocol specification analysis with categorical and statistical measures. Node-based approaches may be too restrictive in scenarios where attack patterns cannot be observed by any isolated node. Therefore, we have developed cooperative detection approaches for a more effective detection model. One approach is to form IDS clusters by grouping nearby nodes, and information can be exchanged within clusters. The cluster-based scheme is more efficient in terms of power consumption and resource utilization, and it is also proven resilient against common security compromises without changing the decentralized assumption. We further address two response techniques, traceback and filtering. Existing traceback systems are not suitable for MANET because they rely on incompatible assumptions such as trustworthy routers and static route topology. Our solution, instead, adapts to dynamic topology with no infrastructure requirement. Our solution is also resilient in the face of an arbitrary number of collaborative adversaries. We also develop smart filtering schemes to maximize the dropping rate of attack packets while minimizing the dropping rate of normal packets with a real-time guarantee. To validate our research, we present a case study using both ns-2 simulation and the MobiEmu emulation platform with three ad hoc routing protocols: AODV, DSR and OLSR. We implemented various representative attacks based on the attack taxonomy.
Our experiments show very promising results using node-based and cluster-based approaches.
27

Pikoulas, John. "An agent-based Bayesian method for network intrusion detection." Thesis, Edinburgh Napier University, 2003. http://researchrepository.napier.ac.uk/Output/4057.

Abstract:
Security is one of the major issues in any network and on the Internet. It encapsulates many different areas, such as protecting individual users against intruders, protecting corporate systems against damage, and protecting data from intrusion. It is obviously impossible to make a network totally secure, as there are so many areas that must be protected. This thesis includes an evaluation of current techniques for internal misuse of computer systems, and tries to propose a new way of dealing with this problem. This thesis proposes that it is impossible to fully protect a computer network from intrusion, and shows how different methods are applied at differing levels of the OSI model. Most systems are now protected at the network and transport layer, with systems such as firewalls and secure sockets. A weakness, though, exists in the session layer that is responsible for user logon and their associated password. It is thus important for any highly secure system to be able to continually monitor a user, even after they have successfully logged into the system. This is because once an intruder has successfully logged into a system, they can use it as a stepping-stone to gain full access (often right up to the system administrator level). This type of login identifies another weakness of current intrusion detection systems, in that they are mainly focused on detecting external intrusion, whereas a great deal of research identifies that one of the main problems is from internal intruders, and from staff within an organisation. Fraudulent activities can often be identified by changes in user behaviour. While this type of behaviour monitoring might not be suited to most networks, it could be applied to highly secure installations, such as government and military organisations. Computer networks are now one of the most rapidly changing and vulnerable systems, where security is now a major issue.
A dynamic approach, with the capacity to deal with and adapt to abrupt changes, and be simple, will provide an effective modelling toolkit. Analysts must be able to understand how it works and be able to apply it without the aid of an expert. Such models do exist in the statistical world, and it is the purpose of this thesis to introduce them and to explain their basic notions and structure. One weakness identified is the centralisation and complex implementation of intrusion detection. The thesis proposes an agent-based approach to monitor the behaviour of each user. It also proposes that many intrusion detection systems cannot cope with new types of intrusion. It thus applies Bayesian statistics to evaluate user behaviour, and predict the future behaviour of the user. The model developed is a unique application of Bayesian statistics, and the results show that it improves future behaviour prediction compared with existing ARIMA models. The thesis argues that the accuracy of long-term forecasting is questionable, especially in systems that have a rapid and often unexpected evolution and behaviour. Many of the existing models for prediction use long-term forecasting, which may not be the optimal type for intrusion detection systems. The experiments conducted have varied the number of users and the time interval used for monitoring user behaviour. These results have been compared with ARIMA, and an increased accuracy has been observed. The thesis also shows that the new model can better predict changes in user behaviour, which is a key factor in identifying intrusion detection. The thesis concludes with recommendations for future work, including how the statistical model could be improved. This includes research into changing the specification of the design vector for Bayesian.
Another interesting area is the integration of standard agent communication agents, which will make the security agents more social in their approach and be able to gather information from other agents.
28

LUO, SONG. "CREATING MODELS OF INTERNET BACKGROUND TRAFFIC SUITABLE FOR USE IN EVALUATING NETWORK INTRUSION DETECTION SYSTEMS." Doctoral diss., University of Central Florida, 2005. http://digital.library.ucf.edu/cdm/ref/collection/ETD/id/2790.

Abstract:
This dissertation addresses Internet background traffic generation and network intrusion detection. It is organized in two parts. Part one introduces a method to model realistic Internet background traffic and demonstrates how the models are used both in a simulation environment and in a lab environment. Part two introduces two different NID (Network Intrusion Detection) techniques and evaluates them using the modeled background traffic. To demonstrate the approach we modeled five major application layer protocols: HTTP, FTP, SSH, SMTP and POP3. The model of each protocol includes an empirical probability distribution plus estimates of application-specific parameters. Due to the complexity of the traffic, hybrid distributions (called mixture distributions) were sometimes required. The traffic models are demonstrated in two environments: NS-2 (a simulator) and HONEST (a lab environment). The simulation results are compared against the original captured data sets. Users of HONEST have the option of adding network attacks to the background. The dissertation also introduces two new template-based techniques for network intrusion detection. One is based on a template of autocorrelations of the investigated traffic, while the other uses a template of correlation integrals. Detection experiments have been performed on real traffic and attacks; the results show that the two techniques can achieve high detection probability and low false alarm rates in certain instances.
Ph.D.
Engineering and Computer Science
Computer Science
29

Modi, Bala. "FPGA-based high throughput regular expression pattern matching for network intrusion detection systems." Thesis, University of Kent, 2015. https://kar.kent.ac.uk/56664/.

Abstract:
Network speeds and bandwidths have improved over time. However, the frequency of network attacks and illegal accesses has also increased as the network speeds and bandwidths improved over time. Such attacks are capable of compromising the privacy and confidentiality of network resources belonging to even the most secure networks. Currently, general-purpose processor based software solutions used for detecting network attacks have become inadequate in coping with current network speeds. Hardware-based platforms are designed to cope with the rising network speeds measured in several gigabits per second (Gbps). Such hardware-based platforms are capable of detecting several attacks at once, and a good candidate is the Field-programmable Gate Array (FPGA). The FPGA is a hardware platform that can be used to perform deep packet inspection of network packet contents at high speed. As such, this thesis focused on studying designs that were implemented with Field-programmable Gate Arrays (FPGAs). Furthermore, all the FPGA-based designs studied in this thesis have attempted to sustain a more steady growth in throughput and throughput efficiency. Throughput efficiency is defined as the concurrent throughput of a regular expression matching engine circuit divided by the average number of look up tables (LUTs) utilised by each state of the engine's automata. The implemented FPGA-based design was built upon the concept of equivalence classification. The concept helped to reduce the overall table size of the inputs needed to drive the various Nondeterministic Finite Automata (NFA) matching engines. Compared with other approaches, the design sustained a throughput of up to 11.48 Gbps, and recorded an overall reduction in the number of pattern matching engines required by up to 75%. Also, the overall memory required by the design was reduced by about 90% when synthesised on the target FPGA platform.
30

Clark, Christopher R. "Design of Efficient FPGA Circuits For Matching Complex Patterns in Network Intrusion Detection Systems." Thesis, Georgia Institute of Technology, 2004. http://hdl.handle.net/1853/5137.

Abstract:
The objective of this research is to design and develop a reconfigurable string matching co-processor using field-programmable gate array (FPGA) technology that is capable of matching thousands of complex patterns at gigabit network rates for network intrusion detection systems (NIDS). The motivation for this work is to eliminate the most significant bottleneck in current NIDS software, which is the pattern matching process. The tasks involved with this research include designing efficient, high-performance hardware circuits for pattern matching and integrating the pattern matching co-processor with other NIDS components running on a network processor. The products of this work include a system to translate standard intrusion detection patterns to FPGA pattern matching circuits that support all the functionality required by modern NIDS. The system generates circuits efficient enough to enable the entire ruleset of a popular NIDS containing over 1,500 patterns and 17,000 characters to fit into a single low-end FPGA chip and process data at an input rate of over 800 Mb/s. The capacity and throughput both scale linearly, so larger and faster FPGA devices can be used to further increase performance. The FPGA co-processor allows the task of pattern matching to be completely offloaded from a NIDS, significantly improving the overall performance of the system.
31

Soysal, Murat. "A Novel Method For The Detection Of P2p Traffic In The Network Backbone Inspired By Intrusion Detection Systems." Master's thesis, METU, 2006. http://etd.lib.metu.edu.tr/upload/3/12607315/index.pdf.

Abstract:
The share of peer-to-peer (P2P) protocol traffic in the total network traffic grows day by day in the Turkish Academic Network (UlakNet), similar to the other networks in the world. This growth is mostly because of the popularity of the shared content and the great enhancement in the P2P protocol since it first came out with Napster. The shared files are generally both large and copyrighted. Motivated by the problems of UlakNet with P2P traffic, we propose a novel method for P2P traffic detection in the network backbone in this thesis. Observing the similarity between detecting traffic that belongs to a specific protocol and detecting an intrusion in a computer system, we adopt an Intrusion Detection System (IDS) technique to detect P2P traffic. Our method is a passive detection procedure that uses traffic flows gathered from border routers. Hence, it is scalable and does not have the problems of other approaches that rely on packet payload data or transport layer ports.
32

Tevemark, Jonas. "Intrusion Detection and Prevention in IP Based Mobile Networks." Thesis, Linköping University, Department of Electrical Engineering, 2008. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-12015.

Abstract:

Ericsson’s Packet Radio Access Network (PRAN) is a network solution for packet transport in mobile networks, which utilizes the Internet Protocol (IP). The IP protocol offers benefits in responsiveness and performance adaptation to data bursts when compared to Asynchronous Transfer Mode (ATM), which is still often used. There are many manufacturers / operators providing IP services, which reduce costs. The IP’s use on the Internet brings greater end-user knowledge, wider user community and more programs designed for use in IP environments. Because of this, the spectrum of possible attacks against PRAN broadens. This thesis provides information on what protection an Intrusion Prevention System (IPS) can add to the current PRAN solution.

A risk analysis is performed to identify assets in and threats against PRAN, and to discover attacks that can be mitigated by the use of an IPS. Information regarding placement of an IPS in the PRAN network is given and tests of a candidate system are performed. IPS features in hardware currently used by Ericsson, as well as missing features, are pinpointed. Finally, requirements for an IPS intended for use in PRAN are concluded.

33

Alipour, Hamid Reza. "An Anomaly Behavior Analysis Methodology for Network Centric Systems." Diss., The University of Arizona, 2013. http://hdl.handle.net/10150/305804.

Abstract:
Information systems and their services (referred to as cyberspace) are ubiquitous and touch all aspects of our life. With the exponential growth in cyberspace activities, the number and complexity of cyber-attacks have increased significantly due to an increase in the number of applications with vulnerabilities and the number of attackers. Consequently, it becomes extremely critical to develop efficient network Intrusion Detection Systems (IDS) that can mitigate and protect cyberspace resources and services against cyber-attacks. On the other hand, since each network system and application has its own specification as defined in its protocol, it is hard to develop a single IDS which works properly for all network protocols. The keener approach is to design customized detection engines for each protocol and then aggregate the reports from these engines to define the final security state of the system. In this dissertation, we developed a general methodology based on data mining, statistical analysis and protocol semantics to perform anomaly behavior analysis and detection for network-centric systems and their protocols. In our approach, we develop runtime models of protocol's state transitions during a time interval ΔΤ. We consider any n consecutive messages in a session during the time interval ΔΤ as an n-transition pattern called n-gram. By applying statistical analysis over these n-gram patterns we can accurately model the normal behavior of any protocol. Then we use the amount of the deviation from this normal model to quantify the anomaly score of the protocol activities. If this anomaly score is higher than a well-defined threshold the system marks that activity as a malicious activity. To validate our methodology, we have applied it to two different protocols: DNS (Domain Name System) at the application layer and the IEEE 802.11(WiFi) at the data link layer, where we have achieved good detection results (>95%) with low detection errors (<0.1%).
34

Day, David Jonathan. "Mitigating the risk of buffer overflow attacks against forked daemon servers using network intrusion detection systems." Thesis, University of Derby, 2010. http://hdl.handle.net/10545/233391.

35

Al, Tobi Amjad Mohamed. "Anomaly-based network intrusion detection enhancement by prediction threshold adaptation of binary classification models." Thesis, University of St Andrews, 2018. http://hdl.handle.net/10023/17050.

Full text
Abstract:
Network traffic exhibits a high level of variability over short periods of time. This variability impacts negatively on the performance (accuracy) of anomaly-based network Intrusion Detection Systems (IDS) that are built using predictive models in a batch-learning setup. This thesis investigates how adapting the discriminating threshold of model predictions, specifically to the evaluated traffic, improves the detection rates of these Intrusion Detection models. Specifically, this thesis studied the adaptability features of three well-known Machine Learning algorithms: C5.0, Random Forest, and Support Vector Machine. The ability of these algorithms to adapt their prediction thresholds was assessed and analysed under different scenarios that simulated real-world settings using the prospective sampling approach. A new dataset (STA2018) was generated for this thesis and used for the analysis. This thesis has demonstrated empirically the importance of threshold adaptation in improving the accuracy of detection models when training and evaluation (test) traffic have different statistical properties. Further investigation was undertaken to analyse the effects of feature selection and data balancing processes on a model's accuracy when evaluation traffic with different significant features was used. The effects of threshold adaptation on reducing the accuracy degradation of these models were statistically analysed. The results showed that, of the three compared algorithms, Random Forest was the most adaptable and had the highest detection rates. This thesis then extended the analysis to apply threshold adaptation on sampled traffic subsets, by using different sample sizes, sampling strategies and label error rates. This investigation showed the robustness of the Random Forest algorithm in identifying the best threshold. The Random Forest algorithm only needed a sample that was 0.05% of the original evaluation traffic to identify a discriminating threshold with an overall accuracy rate of nearly 90% of the optimal threshold.
36

Andersson, Robin. "CAN-bus Multi-mixed IDS : A combinatory approach for intrusion detection in the controller area network of personal vehicles." Thesis, Malmö universitet, Fakulteten för teknik och samhälle (TS), 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:mau:diva-43450.

Full text
Abstract:
With the digitalization and the ever more computerization of personal vehicles, new attack surfaces are introduced, challenging the security of the in-vehicle network. There is never such a thing as fully securing any computer system, nor learning all the methods of attack in order to prevent a break-in into a system. Instead, with sophisticated methods, we can focus on detecting and preventing attacks from being performed inside a system. The current state of the art of such methods, named intrusion detection systems (IDS), is divided into two main approaches. One approach makes its models very confident of detecting malicious activity, however only on activities that have been previously learned by this model. The second approach is very good at constructing models for detecting any type of malicious activity, even if never studied by the model before, but with less confidence. In this thesis, a new approach is suggested with a redesigned architecture for an intrusion detection system called Multi-mixed IDS, where we take a middle ground between the two standardized approaches, trying to find a combination of both sides' strengths and eliminating their weaknesses. This thesis aims to deliver a proof of concept for a new approach in the current state of the art in the CAN-bus security research field. This thesis also brings up some background knowledge about CAN and intrusion detection systems, discussing their strengths and weaknesses in further detail. Additionally, a brief overview of a handpick of research contributions from the field is discussed. Further, a simple architecture is suggested, and three individual detection models are trained and combined to be tested against a CAN-bus dataset. Finally, the results are examined and evaluated. The results from the suggested approach are somewhat poor compared to other suggested algorithms within the field. However, it also shows some good potential, if better decision methods between the individual algorithms that construct the model can be found.
37

Sahin, Umit Burak. "A New Approach For The Scalable Intrusion Detection In High-speed Networks." Master's thesis, METU, 2007. http://etd.lib.metu.edu.tr/upload/12609053/index.pdf.

Full text
Abstract:
As the networks become faster and faster, the emerging requirement is to improve the performance of the Intrusion Detection and Prevention Systems (IDPS) to keep up with the increased network throughput. In high speed networks, it is very difficult for the IDPS to process all the packets. Since the throughput of IDPS is not improved as fast as the throughput of the switches and routers, it is necessary to develop new detection techniques other than traditional techniques. In this thesis we propose a rule-based IDPS technique to detect Layer 2-4 attacks by just examining the flow data without inspecting packet payload. Our approach is designed to work as an additional component to existing IDPS as we acknowledge that the attacks at Layer 5 and above require payload inspection. The rule set is constructed and tested on a real network to evaluate the performance of the system.
38

Gustavsson, Vilhelm. "Machine Learning for a Network-based Intrusion Detection System : An application using Zeek and the CICIDS2017 dataset." Thesis, KTH, Hälsoinformatik och logistik, 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-253273.

Full text
Abstract:
Cyber security is an emerging field in the IT sector. As more devices are connected to the internet, the attack surface for hackers is steadily increasing. Network-based Intrusion Detection Systems (NIDS) can be used to detect malicious traffic in networks, and Machine Learning is an up-and-coming approach for improving the detection rate. In this thesis the NIDS Zeek is used to extract features based on time and data size from network traffic. The features are then analyzed with Machine Learning in Scikit-Learn in order to detect malicious traffic. A 98.58% Bayesian detection rate was achieved for CICIDS2017, which is about the same level as the results from previous works on CICIDS2017 (without Zeek). The best performing algorithms were K-Nearest Neighbors, Random Forest and Decision Tree.
IT security is a growing field within the IT sector. As more and more things are connected to the internet, the attack surface and the risk of IT attacks also increase. A Network-based Intrusion Detection System (NIDS) can be used to detect malicious traffic in networks, and machine learning has become an increasingly common way to improve this capability. In this degree project, a NIDS called Zeek is used to extract parameters based on time and data size from network traffic. These parameters are then analysed with machine learning in Scikit-Learn to detect malicious traffic. For the CICIDS2017 dataset, a Bayesian detection rate of 98.58% was achieved, which is at about the same level as results from previous work with CICIDS2017 (without Zeek). The algorithms that gave the best results were K-Nearest Neighbors, Random Forest and Decision Tree.
39

Lennartsson, Alexander, and Hilda Melander. "Comparison of systems to detect rogue access points." Thesis, Linnéuniversitetet, Institutionen för datavetenskap och medieteknik (DM), 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:lnu:diva-88592.

Full text
Abstract:
A hacker might use a rogue access point to gain access to a network; this poses a threat to the individuals connected to it. The hacker might have the potential to leak corporate data or steal private information. The detection of rogue access points is therefore of importance to prevent any damage to both businesses and individuals. Comparing different software that detects rogue access points increases the chance of someone finding a solution that suits their network. The different types of software that are compared are intrusion detection systems, wireless scanners and a Cisco wireless LAN controller. The parameters that are being compared are: cost, compatibility, detection capability and implementation difficulty. In order to obtain results, some of the parameters require testing. As there are three types of software, three experiment environments should be conducted. Our research indicates that already existing network equipment or the size of the network affects the results from the experiments.
40

Qaisi, Ahmed Abdulrheem Jerribi. "Network Forensics and Log Files Analysis : A Novel Approach to Building a Digital Evidence Bag and Its Own Processing Tool." Thesis, University of Canterbury. Computer Science and Software Engineering, 2011. http://hdl.handle.net/10092/5999.

Full text
Abstract:
Intrusion Detection Systems (IDS) tools are deployed within networks to monitor data that is transmitted to particular destinations such as MySQL or Oracle databases or log files. The data is normally dumped to these destinations without a forensic standard structure. When digital evidence is needed, forensic specialists are required to analyse a very large volume of data. Even though forensic tools can be utilised, most of this process has to be done manually, consuming time and resources. In this research, we aim to address this issue by combining several existing tools to archive the original IDS data into a new container (Digital Evidence Bag) that has a structure based upon standard forensic processes. The aim is to develop a method to improve the current IDS database function in a forensic manner. This database will be optimised for future forensic analysis. Since evidence validity is always an issue, a secondary aim of this research is to develop a new monitoring scheme. This is to provide the necessary evidence to prove that an attacker had surveyed the network prior to the attack. To achieve this, we will set up a network that will be monitored by multiple IDSs. Open source tools will be used to carry out input validation attacks against the network, including SQL injection. We will design a new tool to obtain the original data in order to store it within the proposed DEB. This tool will collect the data from several databases of the different IDSs. We will assume that the IDS will not have been compromised.
41

Hedemalm, Daniel. "An empirical comparison of the market-leading IDS's." Thesis, Högskolan i Halmstad, Akademin för informationsteknologi, 2018. http://urn.kb.se/resolve?urn=urn:nbn:se:hh:diva-36087.

Full text
Abstract:
In this day and age of the Internet, organizations need to address network threats; therefore, more educational material also needs to be established. An already established methodology for evaluating intrusion detection systems was chosen, and a selection of the market-leading intrusion detection systems is evaluated. The results show that all the systems were able to identify threats in 50% of the datasets, with different threat detection accuracies.
42

Bayou, Lyes. "Assessment and enforcement of wireless sensor network-based SCADA systems security." Thesis, Ecole nationale supérieure Mines-Télécom Atlantique Bretagne Pays de la Loire, 2018. http://www.theses.fr/2018IMTA0083/document.

Full text
Abstract:
The security of industrial control systems is a major concern. Indeed, these systems manage installations that play an important economic role. Moreover, attacking these systems can not only cause economic losses but also threaten human lives. Consequently, and since these systems depend on the data collected, it becomes clear that, in addition to real-time requirements, it is important to secure the communication channels between these sensors and the main controllers. These problems are harder to solve in wireless sensor networks (WSN). This thesis aims to address the security issues of WSNs. First, we carry out an in-depth security study of the WirelessHART protocol. The latter is the leading protocol for wireless industrial sensor networks (WISN). We assess its strengths and highlight its weaknesses and limitations. In particular, we describe two dangerous security vulnerabilities in its communication scheme and propose improvements to remedy them. Next, we present wIDS, a multilayer specification-based intrusion detection system (IDS) specially developed for wireless industrial sensor networks. The proposed IDS checks the conformity of each action performed by a wireless node against a formal model of the expected normal behaviour.
The security in Industrial Control Systems is a major concern. Indeed, these systems manage installations that play an important economic role. Furthermore, targeting these systems can lead not only to economic losses but can also threaten human lives. Therefore, and as these systems depend on sensing data, it becomes obvious that in addition to the real-time requirement, it is important to secure communication channels between these sensors and the main controllers. These issues are more challenging in Wireless Sensor Networks (WSN) as the use of wireless communications brings its own security weaknesses. This thesis aims to address WSN-based security issues. Firstly, we conduct an in-depth security study of the WirelessHART protocol. This latter is the leading protocol for Wireless Industrial Sensor Networks (WISN) and is the first internationally approved standard. We assess its strengths and emphasize its weaknesses and limitations. In particular, we describe two harmful security vulnerabilities in the communication scheme of WirelessHART and propose improvements in order to mitigate them. Secondly, we present wIDS, a multilayer specification-based Intrusion Detection System (IDS) specially tailored for Wireless Industrial Sensor Networks. The proposed IDS checks the compliance of each action performed by a wireless node based on a formal model of the expected normal behavior.
43

Andersson, Robin. "Combining Anomaly- and Signaturebased Algorithms for IntrusionDetection in CAN-bus : A suggested approach for building precise and adaptiveintrusion detection systems to controller area networks." Thesis, Malmö universitet, Fakulteten för teknik och samhälle (TS), 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:mau:diva-43450.

Full text
Abstract:
With the digitalization and the ever more computerization of personal vehicles, new attack surfaces are introduced, challenging the security of the in-vehicle network. There is never such a thing as fully securing any computer system, nor learning all the methods of attack in order to prevent a break-in into a system. Instead, with sophisticated methods, we can focus on detecting and preventing attacks from being performed inside a system. The current state of the art of such methods, named intrusion detection systems (IDS), is divided into two main approaches. One approach makes its models very confident of detecting malicious activity, however only on activities that have been previously learned by this model. The second approach is very good at constructing models for detecting any type of malicious activity, even if never studied by the model before, but with less confidence. In this thesis, a new approach is suggested with a redesigned architecture for an intrusion detection system called Multi-mixed IDS, where we take a middle ground between the two standardized approaches, trying to find a combination of both sides' strengths and eliminating their weaknesses. This thesis aims to deliver a proof of concept for a new approach in the current state of the art in the CAN-bus security research field. This thesis also brings up some background knowledge about CAN and intrusion detection systems, discussing their strengths and weaknesses in further detail. Additionally, a brief overview of a handpick of research contributions from the field is discussed. Further, a simple architecture is suggested, and three individual detection models are trained and combined to be tested against a CAN-bus dataset. Finally, the results are examined and evaluated. The results from the suggested approach are somewhat poor compared to other suggested algorithms within the field. However, it also shows some good potential, if better decision methods between the individual algorithms that construct the model can be found.
44

SILVA, Rayane Meneses da. "UMA ONTOLOGIA DE APLICAÇÃO PARA APOIO À TOMADA DE DECISÕES EM SITUAÇÕES DE AMEAÇA À SEGURANÇA DA INFORMAÇÃO." Universidade Federal do Maranhão, 2015. http://tedebc.ufma.br:8080/jspui/handle/tede/1885.

Full text
Abstract:
Many security mechanisms, such as Intrusion Detection Systems (IDSs), have been developed to approach the problem of information security attacks, but most of them are traditional information systems in which their threat repositories are not represented semantically. Ontologies are knowledge representation structures that enable semantic processing of information and the construction of knowledge-based systems, which provide greater effectiveness compared to traditional systems. This paper proposes an application ontology called “Application Ontology for the Development of Case-based Intrusion Detection Systems” that formally represents the concepts related to the information security domain, intrusion detection systems and “Case Based Reasoning”. “Case Based Reasoning” is an approach for problem solving in which you can reuse the knowledge of past experiences to solve new problems. The evaluation of the ontology was performed by the development of an Intrusion Detection System that can detect attacks on computer networks and recommend solutions to these attacks. The ontology was specified using the “Ontology Web Language” and the Protégé ontology editor. It was also mapped to a case base in Prolog using the “Thea” tool. The results have shown that the developed Intrusion Detection System presented good effectiveness in detecting attacks and that the proposed ontology conceptualizes the domain concepts and tasks adequately.
Many security mechanisms, such as Intrusion Detection Systems, have been developed to address the problem of attacks on Information Security. However, most of them are traditional information systems in which their threat repositories are not represented semantically. Ontologies are knowledge representation structures that enable the semantic processing of information as well as the construction of knowledge-based systems, which provide greater effectiveness compared to traditional systems. This work proposes an application ontology called “Application Ontology for the Development of Case-based Intrusion Detection Systems” that formally represents the concepts related to the domain of Information Security, intrusion detection systems and “Case-Based Reasoning”. “Case-Based Reasoning” is an approach to problem solving in which it is possible to reuse knowledge from past experiences to solve new problems. The evaluation of the ontology was carried out by developing an Intrusion Detection System that can detect attacks on computer networks and recommend solutions to these attacks. The ontology was specified in the “Ontology Web Language” using the Protégé ontology editor and then mapped to a case base in Prolog using the “Thea” tool. The results showed that the developed Intrusion Detection System presented good effectiveness in detecting attacks, and therefore it is concluded that the proposed ontology adequately conceptualizes the domain and task concepts addressed.
45

Lima, Christiane Ferreira Lemos. "AGENTES INTELIGENTES PARA DETECÇÃO DE INTRUSOS EM REDES DE COMPUTADORES." Universidade Federal do Maranhão, 2002. http://tedebc.ufma.br:8080/jspui/handle/tede/316.

Full text
Abstract:
Recently, the interest in advanced techniques for network intrusion detection has increased for protecting important information in computational environments. This research work presents a proposal of a new network intrusion detection system based on a society of intelligent agents whose reasoning is supported by neural network paradigms, named NIDIA (Network Intrusion Detection System based on Intelligent Agents). A computational implementation has been carried out for the network and host sensors for dealing with the task of capturing packets related to suspicious connections or abnormal behaviors within critical hosts.
Advanced techniques for intrusion detection in computer networks are becoming increasingly important for preventing abuse and protecting information in the environment. This dissertation presents a proposal for an intrusion detection system for computer networks, based on the notion of a society of intelligent agents and neural networks, called NIDIA. A computational implementation of the network and host sensor agents is carried out to perform the task of capturing packets associated with suspicious connections or abnormal behaviour on critical servers.
46

Ferreira, Vinícius Oliveira [UNESP]. "Classificação de anomalias e redução de falsos positivos em sistemas de detecção de intrusão baseados em rede utilizando métodos de agrupamento." Universidade Estadual Paulista (UNESP), 2016. http://hdl.handle.net/11449/138755.

Full text
Abstract:
Coordenação de Aperfeiçoamento de Pessoal de Nível Superior (CAPES)
Network-based Intrusion Detection Systems (NIDS) are traditionally divided into two types according to the detection methods they employ, namely: (i) misuse detection and (ii) anomaly detection. Those that work by detecting anomalies have as their main advantage the ability to detect new attacks; however, some difficulties with the use of this methodology can be listed. In anomaly detection, the analysis of the detected anomalies can become costly, since they generally do not present clear information about the malicious events they represent; moreover, NIDSs that use this methodology suffer from high false positive rates. In this context, this work presents a model for the automated classification of the anomalies detected by a NIDS. The main objective is the classification of the detected anomalies into known classes of attacks. Beyond the clear identification of the anomalies, this classification is intended to identify the false positives erroneously detected by NIDSs. Therefore, by addressing the main problems involving anomaly detection, it is hoped to equip security analysts with better resources for their analyses.
Network Intrusion Detection Systems (NIDS) are traditionally divided into two types according to the detection methods they employ, namely (i) misuse detection and (ii) anomaly detection. The main advantage of anomaly detection is its ability to detect new attacks. However, this methodology has some downsides. In anomaly detection, the analysis of the detected anomalies is expensive, since they often carry no clear information about the malicious events they represent; it also suffers from high numbers of detected false positives. In this context, this work presents a model for automated classification of anomalies detected by an anomaly-based NIDS. Our main goal is the classification of the detected anomalies into well-known classes of attacks. By these means, we intend the clear identification of anomalies as well as the identification of false positives erroneously detected by NIDSs. Therefore, by addressing the key issues surrounding anomaly-based detection, our main goal is to equip security analysts with better resources for their analyses.
47

Sikora, Marek. "Detekce slow-rate DDoS útoků." Master's thesis, Vysoké učení technické v Brně. Fakulta elektrotechniky a komunikačních technologií, 2017. http://www.nusl.cz/ntk/nusl-317019.

Full text
Abstract:
This diploma thesis is focused on the detection of and protection against Slow DoS and DDoS attacks using computer network traffic analysis. The reader is introduced to the basic issues of this specific category of sophisticated attacks, and the characteristics of several specific attacks are clarified. A set of methods for detecting and protecting against these attacks is also presented. The proposed methods are used to implement a custom intrusion prevention system that is deployed on the border filtering server of a computer network in order to protect Web servers against attacks from the Internet. The created system is then tested in a laboratory network. The presented test results show that the system is able to detect the Slow GET, Slow POST, Slow Read and Apache Range Header attacks and then protect the Web servers' provided services from being affected.
48

(6790182), Francisco D. Vaca. "An Ensemble Learning Based Multi-level Network Intrusion Detection System for Wi-Fi Dominant Networks." Thesis, 2019.

Find full text
Abstract:
Today, networks contribute significantly to everyone's life. The enormous usefulness of networks for various services and data storage motivates adversaries to launch attacks on them. Network Intrusion Detection Systems (NIDSs) are used as a security measure inside organizational networks to identify any intrusions and generate alerts for them. The idea of deploying an NIDS is quite well known and has been studied and adopted in both academia and industry. However, most of the NIDS literature has emphasized detecting the attacks that originate externally in a wired network infrastructure. In addition, Wi-Fi and wired networks are treated the same by the NIDSs. The open infrastructure in a Wi-Fi network makes it different from a wired network. Several internal attacks that could happen in a Wi-Fi network are not possible in a wired network. The NIDSs developed using traditional approaches may fail to identify these internal attacks.

The thesis work attempts to develop a Multi-Level Network Intrusion Detection System (ML-NIDS) for Wi-Fi dominant networks that can detect internal attacks specific to Wi-Fi networks as well as the generic network attacks that are independent of network infrastructure. In Wi-Fi dominant networks, Wi-Fi devices (stations) are prevalent at the edge of campus and enterprise networks and integrated with the fixed wired infrastructure at the access. The implementation is proposed for Wi-Fi dominant networks; nevertheless, it aims to work for the wired network as well. We develop the ML-NIDS using an ensemble learning method that combines several weak learners to create a strong learner.

49

Kumar, Pawan. "Memory Efficient Regular Expression Pattern Matching Architecture For Network Intrusion Detection Systems." Thesis, 2012. https://etd.iisc.ac.in/handle/2005/2321.

Full text
Abstract:
The rampant growth of the Internet has been coupled with an equivalent growth in cyber crime over the Internet. With our increased reliance on the Internet for commerce, social networking, information acquisition, and information exchange, intruders have found financial, political, and military motives for their actions. Network Intrusion Detection Systems (NIDSs) intercept the traffic at an organization’s periphery and try to detect intrusion attempts. Signature-based NIDSs compare the packet to a signature database consisting of known attacks and malicious packet fingerprints. The signatures use regular expressions to model these intrusion activities. This thesis presents a memory efficient pattern matching system for the class of regular expressions appearing frequently in the NIDS signatures. The proposed Cascaded Automata Architecture is based on two-stage automata. The first stage recognizes the sub-strings and character classes present in the regular expression. The second stage consumes the symbols generated by the first stage upon receiving input traffic symbols. The basic idea is to utilize the research done on the string matching problem for regular expression pattern matching. We formally model the class of regular expressions mostly found in NIDS signatures. The challenges involved in using string matching algorithms for regular expression matching are presented. We introduce length-bound transitions, counter-based states, and associated counter arrays in the second stage automata to address these challenges. The system uses length information along with counter arrays to keep track of overlapped sub-strings and character class based transitions. We present efficient implementation techniques for counter arrays. The evaluation of the architecture on practical expressions from the Snort rule set showed compression in the number of states of between 50% and 85%. Because of its smaller memory footprint, our solution is suitable for both software based implementations on network chips as well as FPGA based designs.
50

Kumar, Pawan. "Memory Efficient Regular Expression Pattern Matching Architecture For Network Intrusion Detection Systems." Thesis, 2012. http://etd.iisc.ernet.in/handle/2005/2321.

Full text
Abstract:
The rampant growth of the Internet has been coupled with an equivalent growth in cyber crime over the Internet. With our increased reliance on the Internet for commerce, social networking, information acquisition, and information exchange, intruders have found financial, political, and military motives for their actions. Network Intrusion Detection Systems (NIDSs) intercept the traffic at an organization’s periphery and try to detect intrusion attempts. Signature-based NIDSs compare the packet to a signature database consisting of known attacks and malicious packet fingerprints. The signatures use regular expressions to model these intrusion activities. This thesis presents a memory efficient pattern matching system for the class of regular expressions appearing frequently in the NIDS signatures. The proposed Cascaded Automata Architecture is based on two-stage automata. The first stage recognizes the sub-strings and character classes present in the regular expression. The second stage consumes the symbols generated by the first stage upon receiving input traffic symbols. The basic idea is to utilize the research done on the string matching problem for regular expression pattern matching. We formally model the class of regular expressions mostly found in NIDS signatures. The challenges involved in using string matching algorithms for regular expression matching are presented. We introduce length-bound transitions, counter-based states, and associated counter arrays in the second stage automata to address these challenges. The system uses length information along with counter arrays to keep track of overlapped sub-strings and character class based transitions. We present efficient implementation techniques for counter arrays. The evaluation of the architecture on practical expressions from the Snort rule set showed compression in the number of states of between 50% and 85%. Because of its smaller memory footprint, our solution is suitable for both software based implementations on network chips as well as FPGA based designs.