scholarly journals Dynamical analysis of diversity in rule-based open source network intrusion detection systems

2021 ◽  
Vol 27 (1) ◽  
Author(s):  
Hafizul Asad ◽  
Ilir Gashi
Keyword(s):  
Intrusion Detection ◽  
Open Source ◽  
Functional Diversity ◽  
Network Traffic ◽  
Intrusion Detection Systems ◽  
Dynamical Analysis ◽  
Diversity Analysis ◽  
Real Network ◽  
Detection Systems ◽  
Network Intrusion

AbstractDiverse layers of defence play an important role in the design of defence-in-depth architectures. The use of Intrusion Detection Systems (IDSs) are ubiquitous in this design. But the selection of the “right” IDSs in various configurations is an important decision that the security architects need to make. Additionally, the ability of these IDSs to adapt to the evolving threat-landscape also needs to be investigated. To help with these decisions, we need rigorous quantitative analysis. In this paper, we present a diversity analysis of open-source IDSs, Snort and Suricata, to help security architects tune/deploy these IDSs. We analyse two types of diversities in these IDSs; configurational diversity and functional diversity. In the configurational diversity analysis, we investigate the diversity in the sets of rules and the Blacklisted IP Addresses (BIPAs) these IDSs use in their configurations. The functional diversity analysis investigates the differences in alerting behaviours of these IDSs when they analyse real network traffic, and how these differences evolve. The configurational diversity experiment utilises snapshots of the rules and BIPAs collected over a period of 5 months, from May to October 2017. The snapshots have been collected for three different off-the-shelf default configurations of the Snort IDS and the Emerging Threats (ET) configuration of the Suricata IDS. The functional diversity investigates the alerting behaviour of these two IDSs for a sample of the real network traffic collected in the same time window. Analysing the differences in these systems allows us to get insights into where the diversity in the behaviour of these systems comes from, how does it evolve and whether this has any effect on the alerting behaviour of these IDSs. This analysis gives insight to security architects on how they can combine and layer these systems in a defence-in-depth deployment.

scholarly journals A System to automate the development of anomaly-based network intrusion detection model

2021 ◽  
Vol 2089 (1) ◽  
pp. 012006
Author(s):  
B Padmaja ◽  
K Sai Sravan ◽  
E Krishna Rao Patro ◽  
G Chandra Sekhar
Keyword(s):  
Machine Learning ◽  
Intrusion Detection ◽  
Real Time ◽  
Network Traffic ◽  
Intrusion Detection Systems ◽  
Network Intrusion Detection ◽  
Support Vector ◽  
The Internet ◽  
Detection Systems ◽  
Network Intrusion

Abstract Cyber security is the major concern in today’s world. Over the past couple of decades, the internet has grown to such an extent that almost every individual living on this planet has the access to the internet today. This can be viewed as one of the major achievements in the human race, but on the flip side of the coin, this gave rise to a lot of security issues for every individual or the company that is accessing the web through the internet. Hackers have become active and are always monitoring the networks to grab every possible opportunity to attack a system and make the best fortune out of its vulnerabilities. To safeguard people’s and organization’s privacy in this cyberspace, different network intrusion detection systems have been developed to detect the hacker’s presence in the networks. These systems fall under signature based and anomaly based intrusion detection systems. This paper deals with using anomaly based intrusion detection technique to develop an automation system to both train and test supervised machine learning models, which is developed to classify real time network traffic as to whether it is malicious or not. Currently the best models by considering both detection success rate and the false positives rate are Artificial Neural Networks(ANN) followed by Support Vector Machines(SVM). In this paper, it is verified that Artificial Neural Network (ANN) based machine learning with wrapper feature selection outperforms support vector machine (SVM) technique while classifying network traffic as harmful or harmless. Initially to evaluate the performance of the system, NSL-KDD dataset is used to train and test the SVM and ANN models and finally classify real time network traffic using these models. This system can be used to carry out model building automatically on the new datasets and also for classifying the behaviour of the provided dataset without having to code.

scholarly journals Launching Adversarial Attacks against Network Intrusion Detection Systems for IoT

2021 ◽  
Vol 1 (2) ◽  
pp. 252-273
Author(s):  
Pavlos Papadopoulos ◽  
Oliver Thornewill von Essen ◽  
Nikolaos Pitropakis ◽  
Christos Chrysoulas ◽  
Alexios Mylonas ◽  
...  
Keyword(s):  
Machine Learning ◽  
Intrusion Detection ◽  
Intrusion Detection Systems ◽  
Learning Models ◽  
Detection Systems ◽  
Network Intrusion ◽  
Robust Model ◽  
Significant Probability ◽  
Adversarial Examples ◽  
Attack Surface

As the internet continues to be populated with new devices and emerging technologies, the attack surface grows exponentially. Technology is shifting towards a profit-driven Internet of Things market where security is an afterthought. Traditional defending approaches are no longer sufficient to detect both known and unknown attacks to high accuracy. Machine learning intrusion detection systems have proven their success in identifying unknown attacks with high precision. Nevertheless, machine learning models are also vulnerable to attacks. Adversarial examples can be used to evaluate the robustness of a designed model before it is deployed. Further, using adversarial examples is critical to creating a robust model designed for an adversarial environment. Our work evaluates both traditional machine learning and deep learning models’ robustness using the Bot-IoT dataset. Our methodology included two main approaches. First, label poisoning, used to cause incorrect classification by the model. Second, the fast gradient sign method, used to evade detection measures. The experiments demonstrated that an attacker could manipulate or circumvent detection with significant probability.

scholarly journals THE LOAD BALANCING OF SELF-SIMILAR TRAFFIC IN NETWORK INTRUSION DETECTION SYSTEMS

2020 ◽  
Vol 3 (7) ◽  
pp. 17-30
Author(s):  
Tamara Radivilova ◽  
Lyudmyla Kirichenko ◽  
Maksym Tawalbeh ◽  
Petro Zinchenko ◽  
Vitalii Bulakh
Keyword(s):  
Load Balancing ◽  
Intrusion Detection ◽  
Intrusion Detection System ◽  
Detection System ◽  
Intrusion Detection Systems ◽  
Deep Packet Inspection ◽  
Detection Systems ◽  
Network Intrusion ◽  
Load Imbalance ◽  
Packet Inspection

The problem of load balancing in intrusion detection systems is considered in this paper. The analysis of existing problems of load balancing and modern methods of their solution are carried out. Types of intrusion detection systems and their description are given. A description of the intrusion detection system, its location, and the functioning of its elements in the computer system are provided. Comparative analysis of load balancing methods based on packet inspection and service time calculation is performed. An analysis of the causes of load imbalance in the intrusion detection system elements and the effects of load imbalance is also presented. A model of a network intrusion detection system based on packet signature analysis is presented. This paper describes the multifractal properties of traffic. Based on the analysis of intrusion detection systems, multifractal traffic properties and load balancing problem, the method of balancing is proposed, which is based on the funcsioning of the intrusion detection system elements and analysis of multifractal properties of incoming traffic. The proposed method takes into account the time of deep packet inspection required to compare a packet with signatures, which is calculated based on the calculation of the information flow multifractality degree. Load balancing rules are generated by the estimated average time of deep packet inspection and traffic multifractal parameters. This paper presents the simulation results of the proposed load balancing method compared to the standard method. It is shown that the load balancing method proposed in this paper provides for a uniform load distribution at the intrusion detection system elements. This allows for high speed and accuracy of intrusion detection with high-quality multifractal load balancing.

Sign in / Sign up

Export Citation Format

Share Document