Biblio

Virtualization and Software-defined Networking (SDN) are emerging technologies that play a major role in cloud computing. Cloud computing provides efficient utilization, high performance, and resource availability on demand. However, virtualization environments are vulnerable to various types of intrusion attacks that involve installing malicious software and denial of services (DoS) attacks. Utilizing SDN technology, makes the idea of SDN-based security applications attractive in the fight against DoS attacks. Network intrusion detection system (IDS) which is used to perform network traffic analysis as a detection system implemented on SDN networks to protect virtualization servers from HTTP DoS attacks. The experimental results show that SDN-based IDS is able to detect and mitigate HTTP DoS attacks effectively.

The objective of this paper is to propose a model of a distributed intrusion detection system based on the multi-agent paradigm and the distributed file system (HDFS). Multi-agent systems (MAS) are very suitable to intrusion detection systems as they can address the issue of geographic data security in terms of autonomy, distribution and performance. The proposed system is based on a set of autonomous agents that cooperate and collaborate with each other to effectively detect intrusions and suspicious activities that may impact geographic information systems. Our system allows the detection of known and unknown computer attacks without any human intervention (Security Experts) unlike traditional intrusion detection systems that rely on knowledge bases as a mechanism to detect known attacks. The proposed model allows a real time detection of known and unknown attacks within large networks hosting geographic data.

Network Intrusion Detection System (NIDS) can help administrators of a server in detecting attacks by analyzing packet data traffic on the network in real-time. If an attack occurs, an alert to the administrator is provided by NIDS so that the attack can be known and responded immediately. On the other hand, the alerts cannot be monitored by administrators all the time. Therefore, a system that automatically sends notifications to administrators in real-time by utilizing social media platforms is needed. This paper provides an analysis of the notification system built using Snort as NIDS with WhatsApp and Telegram as a notification platform. There are three types of attacks that are simulated and must be detected by Snort, which are Ping of Death attacks, SYN flood attacks, and SSH brute force attacks. The results obtained indicate that the system successfully provided notification in the form of attack time, IP source of the attack, source of attack port and type of attack in real-time.

The increase of cyber attacks in both the numbers and varieties in recent years demands to build a more sophisticated network intrusion detection system (NIDS). These NIDS perform better when they can monitor all the traffic traversing through the network like when being deployed on a Software-Defined Network (SDN). Because of the inability to detect zero-day attacks, signature-based NIDS which were traditionally used for detecting malicious traffic are beginning to get replaced by anomaly-based NIDS built on neural networks. However, recently it has been shown that such NIDS have their own drawback namely being vulnerable to the adversarial example attack. Moreover, they were mostly evaluated on the old datasets which don't represent the variety of attacks network systems might face these days. In this paper, we present Reconstruction from Partial Observation (RePO) as a new mechanism to build an NIDS with the help of denoising autoencoders capable of detecting different types of network attacks in a low false alert setting with an enhanced robustness against adversarial example attack. Our evaluation conducted on a dataset with a variety of network attacks shows denoising autoencoders can improve detection of malicious traffic by up to 29% in a normal setting and by up to 45% in an adversarial setting compared to other recently proposed anomaly detectors.

With the advent of networking technologies and increasing network attacks, Intrusion Detection systems are apparently needed to stop attacks and malicious activities. Various frameworks and techniques have been developed to solve the problem of intrusion detection, still there is need for new frameworks as per the challenging scenario of enormous scale in data size and nature of attacks. Current IDS systems pose challenges on the throughput to work with high speed networks. In this paper we address the issue of high computational overhead of anomaly based IDS and propose the solution using discretization as a data preprocessing step which can drastically reduce the computation overhead. We propose method to provide near real time detection of attacks using only basic flow level features that can easily be extracted from network packets.

Intrusion Detection System is a well-known term in the domain of Network and Information Security. It's one of the important components of the Network and Information Security infrastructure. Host Intrusion Detection System (HIDS) helps to detect unauthorized use, abnormal and malicious activities on the host, whereas Network Intrusion Detection System (NIDS) helps to detect attacks and intrusion on networks. Various researchers are actively working on different approaches to improving the IDS performance and many improvements have been achieved. However, development in many other technologies and newly emerging techniques always opens the doors of opportunity to add a sharp edge to IDS and to make it more robust and reliable. This paper proposes the development of Distributed Intrusion Detection System (DIDS) using emerging and promising technologies like Blockchain upon a stable platform like cloud infrastructure.

This paper showcases multiclass classification baselines using different machine learning algorithms and neural networks for distinguishing legitimate network traffic from direct and obfuscated network intrusions. This research derives its baselines from Advanced Security Network Metrics & Tunneling Obfuscations dataset. The dataset captured legitimate and obfuscated malicious TCP communications on selected vulnerable network services. The multiclass classification NIDS is able to distinguish obfuscated and direct network intrusion with up to 95% accuracy.

Designing a machine learning based network intrusion detection system (IDS) with high-dimensional features can lead to prolonged classification processes. This is while low-dimensional features can reduce these processes. Moreover, classification of network traffic with imbalanced class distributions has posed a significant drawback on the performance attainable by most well-known classifiers. With the presence of imbalanced data, the known metrics may fail to provide adequate information about the performance of the classifier. This study first uses Principal Component Analysis (PCA) as a feature dimensionality reduction approach. The resulting low-dimensional features are then used to build various classifiers such as Random Forest (RF), Bayesian Network, Linear Discriminant Analysis (LDA) and Quadratic Discriminant Analysis (QDA) for designing an IDS. The experimental findings with low-dimensional features in binary and multi-class classification show better performance in terms of Detection Rate (DR), F-Measure, False Alarm Rate (FAR), and Accuracy. Furthermore, in this paper, we apply a Multi-Class Combined performance metric Combi ned Mc with respect to class distribution through incorporating FAR, DR, Accuracy, and class distribution parameters. In addition, we developed a uniform distribution based balancing approach to handle the imbalanced distribution of the minority class instances in the CICIDS2017 network intrusion dataset. We were able to reduce the CICIDS2017 dataset's feature dimensions from 81 to 10 using PCA, while maintaining a high accuracy of 99.6% in multi-class and binary classification.

In internet based communication, various types of attacks have been evolved. Hence, attacker easily breaches the securities. Traditional intrusion detection techniques to observe these attacks have failed and thus hefty systems are required to remove these attacks before they expose entire network. With the ability of artificial intelligence systems to adapt high computational speed, boost fault tolerance, and error resilience against noisy information, a hybrid particle swarm optimization(PSO) fuzzy rule based inference engine has been designed in this paper. The fuzzy logic based on degree of truth while the PSO algorithm based on population stochastic technique helps in learning from the scenario, thus their combination will increase the toughness of intrusion detection system. The proposed network intrusion detection system will be able to classify normal as well as anomalism behaviour in the network. DARPA-KDD99 dataset examined on this system to address the behaviour of each connection on network and compared with existing system. This approach improves the result on the basis of precision, recall and F1-score.

Distributed Denial of Service (DDoS) attacks have been the prominent attacks over the last decade. A Network Intrusion Detection System (NIDS) should seamlessly configure to fight against these attackers' new approaches and patterns of DDoS attack. In this paper, we propose a NIDS which can detect existing as well as new types of DDoS attacks. The key feature of our NIDS is that it combines different classifiers using ensemble models, with the idea that each classifier can target specific aspects/types of intrusions, and in doing so provides a more robust defense mechanism against new intrusions. Further, we perform a detailed analysis of DDoS attacks, and based on this domain-knowledge verify the reduced feature set [27, 28] to significantly improve accuracy. We experiment with and analyze NSL-KDD dataset with reduced feature set and our proposed NIDS can detect 99.1% of DDoS attacks successfully. We compare our results with other existing approaches. Our NIDS approach has the learning capability to keep up with new and emerging DDoS attack patterns.

Today, network security is a world hot topic in computer security and defense. Intrusions and attacks in network infrastructures lead mostly in huge financial losses, massive sensitive data leaks, thus decreasing efficiency, competitiveness and the quality of productivity of an organization. Network Intrusion Detection System (NIDS) is valuable tool for the defense-in-depth of computer networks. It is widely deployed in network architectures in order to monitor, to detect and eventually respond to any anomalous behavior and misuse which can threat confidentiality, integrity and availability of network resources and services. Thus, the presence of NIDS in an organization plays a vital part in attack mitigation, and it has become an integral part of a secure organization. In this paper, we propose to optimize a very popular soft computing tool widely used for intrusion detection namely Back Propagation Neural Network (BPNN) using a novel hybrid Framework (GASAA) based on improved Genetic Algorithm (GA) and Simulated Annealing Algorithm (SAA). GA is improved through an optimization strategy, namely Fitness Value Hashing (FVH), which reduce execution time, convergence time and save processing power. Experimental results on KDD CUP' 99 dataset show that our optimized ANIDS (Anomaly NIDS) based BPNN, called “ANIDS BPNN-GASAA” outperforms several state-of-art approaches in terms of detection rate and false positive rate. In addition, improvement of GA through FVH has saved processing power and execution time. Thereby, our proposed IDS is very much suitable for network anomaly detection.

A honeypot system is used to trapping hackers, track and analyze new hacking methods. However, it does not only take time for construction and deployment but also costs for maintenance because these systems are always online even when there is no attack. Since the main purpose of honeypot systems is to collect more and more attack trafc if possible, the limitation of system capacity is also a major problem. In this paper, we propose Dynamic Virtual Network Honeypot (DVNH) which leverages emerging technologies, Network Function Virtualization and Software-Defined Networking. DVNH redirects the attack to the honeypot system thereby protects the targeted system. Our experiments show that DVNH enables efficient resource usage and dynamic provision of the Honeypot system.

This paper presents the effects of problem based learning project on a high-school student in Technology school “Electronic systems” associated with Technical University Sofia. The problem is creating an intrusion detection system for Apache HTTP Server with duration 6 months. The intrusion detection system is based on a recurrent neural network classifier namely long-short term memory units.

Intrusion detection system (IDS) has become an essential layer in all the latest ICT system due to an urge towards cyber safety in the day-to-day world. Reasons including uncertainty in finding the types of attacks and increased the complexity of advanced cyber attacks, IDS calls for the need of integration of Deep Neural Networks (DNNs). In this paper, DNNs have been utilized to predict the attacks on Network Intrusion Detection System (N-IDS). A DNN with 0.1 rate of learning is applied and is run for 1000 number of epochs and KDDCup-`99' dataset has been used for training and benchmarking the network. For comparison purposes, the training is done on the same dataset with several other classical machine learning algorithms and DNN of layers ranging from 1 to 5. The results were compared and concluded that a DNN of 3 layers has superior performance over all the other classical machine learning algorithms.

Supervisory Control and Data Acquisition (SCADA)networks are widely deployed in modern industrial control systems (ICSs)such as energy-delivery systems. As an increasing number of field devices and computing nodes get interconnected, network-based cyber attacks have become major cyber threats to ICS network infrastructure. Field devices and computing nodes in ICSs are subjected to both conventional network attacks and specialized attacks purposely crafted for SCADA network protocols. In this paper, we propose a deep-learning-based network intrusion detection system for SCADA networks to protect ICSs from both conventional and SCADA specific network-based attacks. Instead of relying on hand-crafted features for individual network packets or flows, our proposed approach employs a convolutional neural network (CNN)to characterize salient temporal patterns of SCADA traffic and identify time windows where network attacks are present. In addition, we design a re-training scheme to handle previously unseen network attack instances, enabling SCADA system operators to extend our neural network models with site-specific network attack traces. Our results using realistic SCADA traffic data sets show that the proposed deep-learning-based approach is well-suited for network intrusion detection in SCADA systems, achieving high detection accuracy and providing the capability to handle newly emerged threats.

This paper introduces a new method of applying both an Intrusion Detection System (IDS) and an Intrusion Response System (IRS) to communications protected using Ciphertext-Policy Attribute-based Encryption (CP-ABE) in the context of the Internet of Things. This method leverages features specific to CP-ABE in order to improve the detection capabilities of the IDS and the response ability of the network. It also enables improved privacy towards the users through group encryption rather than one-to-one shared key encryption as the policies used in the CP-ABE can easily include the IDS as an authorized reader. More importantly, it enables different levels of detection and response to intrusions, which can be crucial when using anomaly-based detection engines.

This research was an experimental analysis of the Intrusion Detection Systems(IDS) with Honey Pot conducting through a study of using Honey Pot in tricking, delaying or deviating the intruder to attack new media broadcasting server for IPTV system. Denial of Service(DoS) over wire network and wireless network consisted of three types of attacks: TCP Flood, UDP Flood and ICMP Flood by Honey Pot, where the Honeyd would be used. In this simulation, a computer or a server in the network map needed to be secured by the inactivity firewalls or other security tools for the intrusion of the detection systems and Honey Pot. The network intrusion detection system used in this experiment was SNORT (www.snort.org) developed in the form of the Open Source operating system-Linux. The results showed that, from every experiment, the internal attacks had shown more threat than the external attacks. In addition, attacks occurred through LAN network posted 50% more disturb than attacks occurred on WIFI. Also, the external attacks through LAN posted 95% more attacks than through WIFI. However, the number of attacks presented by TCP, UDP and ICMP were insignificant. This result has supported the assumption that Honey Pot was able to help detecting the intrusion. In average, 16% of the attacks was detected by Honey Pot in every experiment.

We have recently seen an increasing number of attacks that are distributed, and span an entire wide area network (WAN). Today, typically, intrusion detection systems (IDSs) are deployed at enterprise scale and cannot handle attacks that cover a WAN. Moreover, such IDSs are implemented at a single entity that expects to look at all packets to determine an intrusion. Transferring copies of raw packets to centralized engines for analysis in a WAN can significantly impact both network performance and detection accuracy. In this paper, we propose Jaal, a framework for achieving accurate network intrusion detection at scale. The key idea in Jaal is to monitor traffic and construct in-network packet summaries. The summaries are then processed centrally to detect attacks with high accuracy. The main challenges that we address are (a) creating summaries that are concise, but sufficient to draw highly accurate inferences and (b) transforming traditional IDS rules to handle summaries instead of raw packets. We implement Jaal on a large scale SDN testbed. We show that on average Jaal yields a detection accuracy of about 98%, which is the highest reported for ISP scale network intrusion detection. At the same time, the overhead associated with transferring summaries to the central inference engine is only about 35% of what is consumed if raw packets are transferred.

This paper investigates the possibility of using ensemble learning methods to improve the performance of intrusion detection systems. We compare an ensemble of three ensemble learning methods, boosting, bagging and stacking in order to improve the detection rate and to reduce the false alarm rate. These ensemble methods use well-known and different base classification algorithms, J48 (decision tree), NB (Naïve Bayes), MLP (Neural Network) and REPTree. The comparison experiments are applied on UNSW-NB15 data set a recent public data set for network intrusion detection systems. Results show that using boosting, bagging can achieve higher accuracy than single classifier but stacking performs better than other ensemble learning methods.

The Internet of Things (IoT) increasingly demonstrates its role in smart services, such as smart home, smart grid, smart transportation, etc. However, due to lack of standards among different vendors, existing networked IoT devices (NoTs) can hardly provide enough security. Moreover, it is impractical to apply advanced cryptographic solutions to many NoTs due to limited computing capability and power supply. Inspired by recent advances in IoT demand, in this paper, we develop an IoT security architecture that can protect NoTs in different IoT scenarios. Specifically, the security architecture consists of an auditing module and two network-level security controllers. The auditing module is designed to have a stand-alone intrusion detection system for threat detection in a NoT network cluster. The two network-level security controllers are designed to provide security services from either network resource management or cryptographic schemes regardless of the NoT security capability. We also demonstrate the proposed IoT security architecture with a network based one-hop confidentiality scheme and a cryptography-based secure link mechanism.

The following topics are dealt with: feature extraction; data mining; support vector machines; mobile computing; photovoltaic power systems; mean square error methods; fault diagnosis; natural language processing; control system synthesis; and Internet of Things.

With an aim of provisioning fast, reliable and low cost services to the users, the cloud-computing technology has progressed leaps and bounds. But, adjacent to its development is ever increasing ability of malicious users to compromise its security from outside as well as inside. The Network Intrusion Detection System (NIDS) techniques has gone a long way in detection of known and unknown attacks. The methods of detection of intrusion and deployment of NIDS in cloud environment are dependent on the type of services being rendered by the cloud. It is also important that the cloud administrator is able to determine the malicious intensions of the attackers and various methods of attack. In this paper, we carry out the integration of NIDS module and Honeypot Networks in Cloud environment with objective to mitigate the known and unknown attacks. We also propose method to generate and update signatures from information derived from the proposed integrated model. Using sandboxing environment, we perform dynamic malware analysis of binaries to derive conclusive evidence of malicious attacks.

With the increasing scale of the network, the power information system has many characteristics, such as large number of nodes, complicated structure, diverse network protocols and abundant data, which make the network intrusion detection system difficult to detect real alarms. The current security technologies cannot meet the actual power system network security operation and protection requirements. Based on the attacker ability, the vulnerability information and the existing security protection configuration, we construct the attack sub-graphs by using the parallel distributed computing method and combine them into the whole network attack graph. The vulnerability exploit degree, attacker knowledge, attack proficiency, attacker willingness and the confidence level of the attack evidence are used to construct the security evaluation index system of the power information network system to calculate the attack probability value of each node of the attack graph. According to the probability of occurrence of each node attack, the pre-order attack path will be formed and then the most likely attack path and attack targets will be got to achieve the identification of attack intent.

Deep Learning has been proven more effective than conventional machine-learning algorithms in solving classification problem with high dimensionality and complex features, especially when trained with big data. In this paper, a deep learning binomial classifier for Network Intrusion Detection System is proposed and experimentally evaluated using the UNSW-NB15 dataset. Three different experiments were executed in order to determine the optimal activation function, then to select the most important features and finally to test the proposed model on unseen data. The evaluation results demonstrate that the proposed classifier outperforms other models in the literature with 98.99% accuracy and 0.56% false alarm rate on unseen data.

This work concerns distributed consensus algorithms and application to a network intrusion detection system (NIDS) [21]. We consider the problem of defending the system against multiple data falsification attacks (Byzantine attacks), a vulnerability of distributed peer-to-peer consensus algorithms that has not been widely addressed in its practicality. We consider both naive (independent) and colluding attackers. We test three defense strategy implementations, two classified as outlier detection methods and one reputation-based method. We have narrowed our attention to outlier and reputation-based methods because they are relatively light computationally speaking. We have left out control theoretic methods which are likely the most effective methods, however their computational cost increase rapidly with the number of attackers. We compare the efficiency of these three implementations for their computational cost, detection performance, convergence behavior and possible impacts on the intrusion detection accuracy of the NIDS. Tests are performed based on simulations of distributed denial of service attacks using the KSL-KDD data set.