Privacy, Intrusion Detection and Response
Latest Publications

Total documents: 9 (five years: 0)
H-index: 2 (five years: 0)

Published by IGI Global
ISBN: 9781609608361, 9781609608378

Author(s):  
Mohsen Moshki ◽  
Mehran Garmehi ◽  
Peyman Kabiri

In this chapter, the application of Principal Component Analysis (PCA) and one of its extensions to intrusion detection is investigated. This extended version of PCA is modified to cover an important shortcoming of traditional PCA. In order to evaluate these modifications, it is mathematically proved that these modifications are beneficial, and later on a known dataset such as the DARPA99 dataset is used to verify the results experimentally. To verify this approach, initially the traditional PCA is used to preprocess the dataset. Later on, using a simple classifier such as KNN, the effectiveness of the multiclass classification is studied. In the reported work, instead of traditional PCA, a revised version of PCA named Weighted PCA (WPCA) is used for feature extraction. The results from applying the aforementioned method to the DARPA99 dataset show that this approach results in better accuracy than the traditional PCA when the number of features is limited, the number of classes is large, and the population of the classes is unbalanced. In some situations WPCA outperforms traditional PCA by more than 1% in accuracy.


Author(s):  
Zoltán Czirkos ◽  
Gábor Hosszú

In this chapter, the authors present a novel peer-to-peer based intrusion detection system called Komondor, more specifically, its internals regarding the utilized peer-to-peer transport layer. The novelty of our intrusion detection system is that it is composed of independent software instances running on different hosts and is organized into a peer-to-peer network. The maintenance of this overlay network does not require any user interaction. The applied P2P overlay network model enables the nodes to communicate evenly over an unstable network. The base of our Komondor NIDS is a P2P network similar to Kademlia. To achieve high reliability and availability, we had to modify the Kademlia overlay network in such a way that it would be resistant to network failures and support broadcast messages. The main purpose of this chapter is to present our modifications and enhancements to Kademlia.


Author(s):  
Sebastián García ◽  
Alejandro Zunino ◽  
Marcelo Campo

Botnets’ diversity and dynamism challenge detection and classification algorithms that depend heavily on static or protocol-dependent features. Several methods showing promising results were proposed using behavioral-based approaches. The authors conducted an analysis of botnets’ and bots’ most inherent characteristics, such as synchronism and network load within specific time windows, to detect them more efficiently. By not relying on any specific protocol, our proposed approach detects infected computers by clustering bots’ network behavioral characteristics using the Expectation-Maximization algorithm. An encouraging false positive error rate of 0.7% shows that bots’ traffic can be accurately separated by our approach, obtained by analyzing several bot and non-botnet network captures and applying a detailed analysis of error rates.


Author(s):  
Ulf E. Larson ◽  
Erland Jonsson ◽  
Stefan Lindskog

This chapter aims at providing a clear and concise picture of data collection for intrusion detection. It provides a detailed explanation of generic data collection mechanism components and their interaction with the environment, from initial triggering to output of log data records. Taxonomies of mechanism characteristics and deployment considerations are provided and discussed. Furthermore, guidelines and hints for mechanism selection and deployment are provided. The guidelines are aimed at assisting intrusion detection system developers, designers, and operators in selecting mechanisms for resource-efficient data collection.


Author(s):  
P. Velarde-Alvarado ◽  
A. Martinez-Herrera ◽  
C. Vargas-Rosales ◽  
D. Torres-Roman

Information security has become a primary concern in enterprise and government networks. In this respect, a Network-based Intrusion Detection System (NIDS) is a critical component of an organization’s security strategy. This chapter is the result of the effort to design an Anomaly-based Network Intrusion Detection System (A-NIDS), which is capable of detecting network attacks using entropy-based behavioral traffic profiles. These profiles are used as a baseline to define the normal behavior of certain traffic features. The Method of Remaining Elements (MRE) is the core for the task of traffic profiling. In this method, a new measure of uncertainty called Proportional Uncertainty (PU) is proposed, which provides an important characteristic: the exposure of anomalies for those traffic slots related to anomalous behavior. Moreover, PU increases the sensitivity for early detection, and allows detection of a wide range of attacks with respect to naïve entropy estimation. The performance evaluation of the proposed architecture was accomplished through the MIT-DARPA dataset and also on an academic LAN by implementing real attacks. The results show that this architecture is effective in the early detection of intrusions, as well as of some attacks designed to bypass detection measures.


Author(s):  
Nana K. Ampah ◽  
Cajetan M. Akujuobi

Our new IDS, which employs both signature-based and anomaly detection as its analysis strategies, will be able to detect both known and unknown attacks and further isolate them. An auto-reclosing technique used on long rural power lines and multi-resolution techniques were used in developing this IDS, which will help update existing IPSs. It should effectively block SYN-flood attacks and distributed denial of service (DDoS) attacks based on SYN-flood attacks, and help eliminate four out of the five major limitations of existing IDSs and IPSs.


Author(s):  
Zoha Asgharian ◽  
Hassan Asgharian ◽  
Ahmad Akbari ◽  
Bijan Raahemi

One of the main goals of employing Next Generation Networks (NGN) is integrated access to multimedia services like Voice over IP (VoIP) and IPTV. The primary signaling protocol in these multimedia services is the Session Initiation Protocol (SIP). This protocol, however, is vulnerable to attacks, which may impact the Quality of Service (QoS), an important feature in NGN. One of the most frequent attacks is the Denial of Service (DoS) attack, which is generated easily, but its detection is not trivial. In this chapter, a framework is proposed to detect Denial of Service attacks and a few other forms of intrusions, and then we react accordingly. The proposed detection engine combines the specification- and anomaly-based intrusion detection techniques. The authors set up a test-bed and generate a labeled dataset. The traffic generated for the test-bed is composed of two types of SIP packets: attack and normal. They then record the detection rates and false alarms based on the labeled dataset. The experimental results demonstrate that the proposed approach can successfully detect intruders and limit their access. The results also confirm that the framework is scalable and robust.


Author(s):  
Ji Zhang

A great deal of research attention has been paid to data mining on data streams in recent years. In this chapter, the authors carry out a case study of anomaly detection in large and high-dimensional network connection data streams using Stream Projected Outlier deTector (SPOT) that is proposed in (Zhang et al. 2009) to detect anomalies from data streams using subspace analysis. SPOT is deployed on the 1999 KDD CUP anomaly detection application. Innovative approaches for training data generation, anomaly classification, and false positive reduction are proposed in this chapter as well. Experimental results demonstrate that SPOT is effective and efficient in detecting anomalies from network data streams and outperforms existing anomaly detection methods.


Author(s):  
Peyman Kabiri ◽  
Ali Ghorbani

With recent advances in network-based technology and the increased dependency of our everyday life on this technology, assuring reliable operation of network-based systems is very important. During recent years, the number of attacks on networks has dramatically increased and consequently interest in network intrusion detection has increased among researchers. During the past few years, different approaches for collecting a dataset of network features, each with its own assumptions, have been proposed to detect network intrusions. Recently, many research works have focused on a better understanding of the network feature space so that they can come up with a better detection method. The curse of dimensionality is still a big obstacle in front of researchers in network intrusion detection. In this chapter, the DARPA’99 dataset is used for the study. Features in that dataset are analyzed with respect to their information value. Using the information value of the features, the number of dimensions in the data is reduced. Later on, using several clustering algorithms, the effects of the dimension reduction on the dataset are studied and the results are reported.
