On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attacks

Signature-based Intrusion Detection Systems (SIDS) play a crucial role within the arsenal of security components of most organizations. They can find traces of known attacks in the network traffic or host events for which patterns or signatures have been pre-established. SIDS include standard packages of detection rulesets, but only those rules suited to the operational environment should be activated for optimal performance. However, some organizations might skip this tuning process and instead activate default off-the-shelf rulesets without understanding its implications and trade-offs. In this work, we help gain insight into the consequences of using predefined rulesets in the performance of SIDS. We experimentally explore the performance of three SIDS in the context of web attacks. In particular, we gauge the detection rate obtained with predefined subsets of rules for Snort, ModSecurity and Nemesida using seven attack datasets. We also determine the precision and rate of alert generated by each detector in a real-life case using a large trace from a public webserver. Results show that the maximum detection rate achieved by the SIDS under test is insufficient to protect systems effectively and is lower than expected for known attacks. Our results also indicate that the choice of predefined settings activated on each detector strongly influences its detection capability and false alarm rate. Snort and ModSecurity scored either a very poor detection rate (activating the less-sensitive predefined ruleset) or a very poor precision (activating the full ruleset). We also found that using various SIDS for a cooperative decision can improve the precision or the detection rate, but not both. Consequently, it is necessary to reflect upon the role of these open-source SIDS with default configurations as core elements for protection in the context of web attacks. Finally, we provide an efficient method for systematically determining which rules deactivate from a ruleset to significantly reduce the false alarm rate for a target operational environment. We tested our approach using Snort’s ruleset in our real-life trace, increasing the precision from 0.015 to 1 in less than 16 h of work.

Machine Learning Approach for Intrusion Detection Systems as a Cyber Security Strategy for Small and Medium Enterprises

Small and medium enterprises (SMEs) are businesses that account for a large percentage of the economy in many countries, but they lack cyber security. The present study examines different supervised machine learning methods with a focus on intrusion detection systems (IDSs) that will help in improving SMEs’ security. The algorithms that are tested through a real dataset, are Naïve Bayes, Sequential minimal optimization (SMO), C4.5 decision tree, and Random Forest. The experiments are run using the Waikato Environment for Knowledge Analyses (WEKA) 3.8.4 tools and the metrics used to evaluate the results were: accuracy, false-positive rate (FPR), and total time to train and build a classification model. The results obtained from the original dataset with 130 features show a high value of accuracy, but the computation time to build the classification model was notably high for the cases of C4.5 (1 hr. and 20 mins) and SMO algorithm (4 hrs. and 20 mins). the Information Gain (IG) method was used and the result was impressive. The time needed to train the model was reduced in the order of a few minutes and the accuracy was high (above 95%). In the end, challenges that SMEs can have for choosing an IDS such as lack of scalability and autonomic self-adaptation, can be solved by using a correct methodology with machine learning techniques.

A Hybrid Classification Technique for Enhancing the Effectiveness of Intrusion Detection Systems Using Machine Learning

The objective of this paper is to propose and develop a hybrid intrusion detection system to handle series and non-series data by applying the two different concepts that are named clustering and autocorrelation function in a single architecture. There is a need to propose and build a system that can handle both types of data whether it is series or non-series. Therefore, the authors used two concepts to generate a robust approach to craft a hybrid intrusion detection system. The authors utilize an unsupervised clustering approach that is used to categorize the data based on domain similarity to handle non-series data and another approach is based on autocorrelation function to handle series data. The approach is consumed in single architecture where it carries data as input from both host-based intrusion detection systems and network-based intrusion detection systems. The result shows that the hybrid intrusion detection system is categorizing data based on the optimal number of clusters obtained through the elbow method in clustering.

A Compressive Compilation of Cyber Security for Internet of Energy (IoE)

Internet of energy (IoE) is the natural evolution of Smart Grid incorporating the paradigm of internet of things (IoT). This complicated environment has a lot of threats and vulnerabilities, so the security challenges are very complex and specialized. This chapter contains a compilation of the main threats, vulnerabilities, and attacks that can occur in the IoE environment and the critical structure of the electrical grid. The objective is to show the best cybersecurity practices that can support maintaining a safe, reliable, and available electrical network complying with the requirements of availability, integrity, and confidentially of the information. The study includes review of countermeasures, standards, and specialized intrusion detection systems, as mechanisms to solve security problems in IoE. Better understanding of security challenges and solutions in the IoE can be the light on future research work for IoE security.

A comparative study using supervised learning for anomaly detection in network traffic

A user connects to hundreds of remote networks daily, some of which can be corrupted by malicious sources. To overcome this problem, a variety of Network Intrusion Detection systems are built, which aim to detect harmful networks before they establish a connection with the user’s local system. This paper focuses on proposing a model for Anomaly based Network Intrusion Detection systems (NIDS), by performing comparisons of various Supervised Learning Algorithms on metric of their accuracy. Two datasets were used and analysed, each having different properties in terms of the volume of data they contain and their use cases. Feature engineering was done to retrieve the most optimum features of both the datasets and only the top 25% best features were used to build the models – a smaller subset of features not only aids in decreasing the capital required to collect the data but also gets rid of redundant and noisy information. Two different splicing methods were used to train the data and each method showed different trends on the ML models.