Building an Effective Intrusion Detection System using combined Signature and Anomaly Detection Techniques

Intrusion Detection Systems (IDS) provide a better solution to current issues and have thus become an important element of any security infrastructure, detecting various threats so as to prevent widespread harm. The basic aim of an IDS is to detect attacks and their nature and to prevent damage to computer systems. Several different approaches to intrusion detection have been reported in the literature. These are broadly categorized into three approaches: I) the signature-based approach, II) the anomaly-based approach and III) the hybrid approach, which combines signature and anomaly detection. The hybrid approach has been found to be superior to either the signature-based or the anomaly-based approach alone. Several different algorithms are available for the hybrid approach. This paper suggests a combined approach using signature and anomaly detection techniques. The signature-based IDS is built using a genetic algorithm for filter-based feature selection and J48 as the classifier, and a data mining approach is used to build the anomaly-based IDS. The performance of the combined IDS is evaluated on well-known datasets such as KDD Cup 99, UGR 16 and Kyoto 2006+. The experimental results presented here are encouraging and show the superiority of the combined IDS in detecting network anomalies with respect to the time required to build the model, detection rate, accuracy and false positive rate.

2018, Vol 2018, pp. 1-15
Author(s): Nanda Kumar Thanigaivelan, Ethiopia Nigussie, Seppo Virtanen, Jouni Isoaho

We present a hybrid internal anomaly detection system that shares detection tasks between router and nodes. It allows nodes to react instinctively against an anomalous node by enforcing a temporary communication ban on it. Each node monitors its own neighbors and, if abnormal behavior is detected, blocks the packets of the anomalous node at the link layer and reports the incident to its parent node. A novel RPL control message, Distress Propagation Object (DPO), is formulated and used for reporting the anomaly and network activities to the parent node and subsequently to the router. The system has configurable profile settings and is able to learn and differentiate between a node's normal and suspicious activities without the need for prior knowledge. It has different subsystems and operation phases that are distributed across both the nodes and the router, acting on the data link and network layers. The system uses network fingerprinting to be aware of changes in network topology and to approximate threat locations without any assistance from a positioning subsystem. The developed system was evaluated using a test-bed consisting of Zolertia nodes and an in-house developed PandaBoard-based gateway, as well as the Cooja emulation environment. The evaluation revealed that the system has low energy consumption overhead and fast response. The system occupies 3.3 KB of ROM and 0.86 KB of RAM for its operations. Security analysis confirms the nodes' reaction against abnormal nodes and successful detection of packet flooding, selective forwarding, and clone attacks. The system's false positive rate evaluation demonstrates that the proposed system exhibited a 5% to 10% lower false positive rate compared to a simple detection system.


2014, Vol 644-650, pp. 3338-3341
Author(s): Guang Feng Guo

During the 30-year development of the Intrusion Detection System, problems such as the high false-positive rate have always plagued users. Therefore, the ontology and context verification based intrusion detection model (OCVIDM) was put forward to connect the description of attack signatures and context effectively. The OCVIDM established a knowledge base of the intrusion detection ontology, regarded as the center of an efficient filtering platform for false alerts, to realize automatic validation of alarms and self-acting judgment of real attacks, so as to achieve the goal of filtering non-relevant positive alerts and reducing false positives.


2016, Vol 10 (4), pp. 1-32
Author(s): Abdelaziz Amara Korba, Mehdi Nafaa, Salim Ghanemi

In this paper, a cluster-based hybrid security framework called HSFA for ad hoc networks is proposed and evaluated. The proposed security framework combines both specification and anomaly detection techniques to efficiently detect and prevent a wide range of routing attacks. In the proposed hierarchical architecture, cluster nodes run a host specification-based intrusion detection system to detect specification violation attacks such as fabrication, replay, etc., while the cluster heads run an anomaly-based intrusion detection system to detect wormhole and rushing attacks. The proposed specification-based detection approach relies on a set of automatically generated specifications, while anomaly detection uses statistical techniques. The proposed security framework provides an adaptive response against attacks to prevent damage to the network. The security framework is evaluated by simulation in the presence of malicious nodes that can launch different attacks. Simulation results show that the proposed hybrid security framework performs significantly better than other existing mechanisms.


Author(s): Devaraju Sellappan, Ramakrishnan Srinivasan

Intrusion detection systems (IDSs) are important to industries and organizations to solve the problems of networks, and various classifiers are used to classify activity as malicious or normal. Today, security has become a decisive part of any industrial and organizational information system. This chapter demonstrates an association rule-mining algorithm for detecting various network intrusions. The KDD dataset is used for experimentation. There are three input feature groups, classified as basic features, content features, and traffic features. Several attacks are present in the dataset, which are classified into Denial of Service (DoS), Probe, Remote to Local (R2L), and User to Root (U2R). The proposed method gives significant improvement in detection rates compared with other methods. An association rule mining algorithm is proposed to evaluate the KDD dataset and dynamic data to improve efficiency, reduce the false positive rate (FPR) and require less processing time.


Electronics, 2019, Vol 8 (11), pp. 1210
Author(s): Khraisat, Gondal, Vamplew, Kamruzzaman, Alazab

The Internet of Things (IoT) has been rapidly evolving towards making a greater impact, from everyday life to large industrial systems. Unfortunately, this has attracted the attention of cybercriminals who have made IoT a target of malicious activities, opening the door to possible attacks on end nodes. Due to the large number and diverse types of IoT devices, it is a challenging task to protect the IoT infrastructure using a traditional intrusion detection system. To protect IoT devices, a novel ensemble Hybrid Intrusion Detection System (HIDS) is proposed by combining a C5 classifier and a One Class Support Vector Machine classifier. HIDS combines the advantages of a Signature Intrusion Detection System (SIDS) and an Anomaly-based Intrusion Detection System (AIDS). The aim of this framework is to detect both well-known intrusions and zero-day attacks with high detection accuracy and low false-alarm rates. The proposed HIDS is evaluated using the Bot-IoT dataset, which includes legitimate IoT network traffic and several types of attacks. Experiments show that the proposed hybrid IDS provides a higher detection rate and a lower false positive rate compared to the SIDS and AIDS techniques.


2010, Vol 121-122, pp. 528-533
Author(s): Ping Du, Wei Xu

The current state of research on Intrusion Detection Systems (IDS) is analyzed. Due to the defects of IDS, such as the high false positive rate and the inability to effectively detect coordinated attacks dispersed in time and space, the idea of multi-source information fusion is introduced in this paper, and a multi-level IDS reasoning framework and prototype system are presented. The prototype adds an analysis engine to the existing IDS sensor. We used a Bayesian Network as the tool for multi-source information fusion, and a goal-tree to analyze the intent of coordinated attacks and quantify the security risk of the system. Compared to existing IDS, the prototype is more integrated and more capable of finding coordinated attacks, with a lower false positive rate.


2019, Vol 8 (2), pp. 25-31
Author(s): S. Latha, Sinthu Janita Prakash

Securing a network from attackers is a challenging task at present, as many users are involved in a variety of computer networks. To protect any individual host in a network, or the entire network, some security system must be implemented. In this case, the Intrusion Detection System (IDS) is essential to protect the network from intruders. The IDS has to deal with a large number of network packets with different characteristics. A signature-based IDS is a potential tool to understand former attacks and to define a suitable method to counter them in a variety of applications. This research article elucidates the objective of IDS with a mechanism that combines network- and host-based IDS. The DARPA benchmark dataset is considered to generate the IDS mechanism. In this paper, a framework called IDSFS, a signature-based IDS with a highly pertinent feature selection method, is framed. This framework consists of the earlier proposed feature selection method (HPFSM) and an Artificial Neural Network for classification of nodes or packets in the network; the signatures or attack rules are then configured by implementing an association rule mining algorithm, and finally the rules are restructured using the Aho-Corasick pattern matching algorithm to ease rule checking. Metrics such as number of features, classification accuracy, False Positive Rate (FPR), precision, number of rules, running time and memory consumption are checked and prove the proposed framework's efficiency.


Big data is a huge amount of data characterized by different V's: Velocity, Variety and Volume. It can be semi-structured, unstructured or structured, which makes it hard to analyze. To extract hidden knowledge and to detect attacks on large amounts of data, new architectures, techniques, algorithms and analytics are required. Using traditional techniques to detect attacks is very difficult. In this paper, a detailed review has been done of intrusion detection in various fields using deep learning, giving an idea of the applications of deep learning. The number of attacks on computer networks has increased. A powerful Intrusion Detection System (IDS) is required to ensure the security of a network. Based on the review, it is found that some studies have been done in this field, but deep and exhaustive work has still not been done. Many researchers have proposed an IDS using deep learning for unforeseen and unpredictable attacks, but not for Big Data. The proposed work is a deep-learning-based intrusion detection system for big datasets, named hybrid-DeepResNet-RNN, run for up to 1,000 epochs with a learning rate varying in the range [0.01-0.5], together with three ensemble techniques: Random Forest, Decision Tree Regression and Gradient Boosting Tree (GBT). It is used to develop a hybrid, secure, scalable NIDS based on deep learning and big data techniques. The proposed classifiers produce a more reliable classification than a single classifier. The experimental results are in terms of detection rate (98.86%), false positive rate (1.110%), accuracy (99.34%) and F-Measure (97.90%). The results show better performance than existing anomaly detection techniques in the big data environment.



