Design and development of innovative techniques for intrusion detection

To determine whether or not an intrusion has occurred, we can distinguish between two major categories of approaches:

– signature detection (e.g. Snort [9] and Bro [10]), comparing data computed from the traffic with well-known attack signatures to identify, in case of exact match, an activity as an attack instance.

– anomaly detection (e.g. ADMIT [11] and EMERALD [12]), discovering anomalous activities by comparing traffic-related metrics with a model of the normal behaviour in a particular networking scenario; the IDS (Intrusion Detection System) evaluates the deviation of the monitored traffic model from the normal behaviour model and, every time it exceeds a certain threshold, an alert is raised.

Anomaly detection is an essential component of the protection mechanisms against novel attacks [13]. Determining the normal behaviour model is a difficult task due to the presence of different trends in the data, which might be influenced by the time of day, the day of the week and seasonal variations. Creating the baseline distribution without taking these trends into account can lead to unacceptably high false alarm counts and slow detection times. To avoid these effects, Bayesian networks [14] can be used, which produce the baseline distribution by taking the joint distribution of the data and conditioning on the attributes that are responsible for the trends. The methods should be selected by taking into account features such as time consumption [15] [16] [17], flexibility and adaptability, and performance measures. It may be desirable, furthermore, to deploy systems that can adapt their detection ability to changes in the network traffic model. Such systems can be developed by exploiting Artificial Intelligence techniques [18] [19]. In particular, genetic algorithms [20], neural networks [21] and Boosting algorithms [22] [23] can be used due to their high generalization capability in developing models for describing the analyzed data.
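The trade-off described above (a baseline that ignores the time-of-day trend either misses a night-time burst or floods the operator with false alarms on normal daytime load) can be reproduced with a small threshold detector. The following is an added example, not code from the INTERSECTION project; the traffic metric (connections per minute), the diurnal profile and the noise are all constructed, and hour-of-day stands in for the conditioning attribute that a Bayesian model would use.

```python
"""Added example (not the project's code): hour-of-day conditioned vs. unconditioned baseline."""
import math
from collections import defaultdict

def _jitter(day, hour):
    # Deterministic pseudo-noise in [-10, 10] so the example runs offline and reproducibly
    return ((day * 24 + hour) * 37) % 21 - 10

def _load(hour):
    return 500 if 8 <= hour <= 18 else 50  # constructed diurnal trend: busy 08:00-18:00

def constructed_training_data(days=7):
    """(hour, connections per minute) for every hour of `days` attack-free days."""
    return [(h, _load(h) + _jitter(d, h)) for d in range(days) for h in range(24)]

def constructed_test_day(burst_hour=3, burst_value=500):
    """A held-out normal day with a night-time burst injected at burst_hour."""
    day = [(h, _load(h) + _jitter(7, h)) for h in range(24)]
    day[burst_hour] = (burst_hour, burst_value)
    return day

def build_baseline(samples, conditioned=True):
    """Map hour (or None when unconditioned) -> (mean, std) of the metric."""
    groups = defaultdict(list)
    for hour, value in samples:
        groups[hour if conditioned else None].append(value)
    baseline = {}
    for key, values in groups.items():
        mean = sum(values) / len(values)
        var = sum((v - mean) ** 2 for v in values) / len(values)
        baseline[key] = (mean, max(math.sqrt(var), 1.0))  # floor std to avoid division by ~0
    return baseline

def deviation(baseline, hour, value, conditioned=True):
    """Distance of one observation from its baseline, in standard deviations."""
    mean, std = baseline[hour if conditioned else None]
    return abs(value - mean) / std

def evaluate(baseline, test_day, burst_hour, threshold, conditioned=True):
    """Return (false alarms raised on normal hours, whether the burst hour was flagged)."""
    false_alarms, detected = 0, False
    for hour, value in test_day:
        flagged = deviation(baseline, hour, value, conditioned) > threshold
        if hour == burst_hour:
            detected = flagged
        elif flagged:
            false_alarms += 1
    return false_alarms, detected
```

With the constructed data, the conditioned baseline at threshold 3 flags the 03:00 burst with no false alarms, whereas the unconditioned baseline misses it at threshold 3 and, lowered to 1.0 so that it is detected, raises an alarm on all 11 normal daytime hours.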

The INTERSECTION project will focus on the following complementary techniques to detect intrusions within the network of interest.

References

[9] M. Roesch, "Snort: Lightweight Intrusion Detection for Networks", Proceedings of LISA '99: 13th Systems Administration Conference, Seattle, Washington, USA, November 1999

[10] V. Paxson, "Bro: A System for Detecting Network Intruders in Real-Time", Proceedings of the 7th USENIX Security Symposium, San Antonio, Texas, January 1998

[11] K. Sequeira, M. Zaki, "ADMIT: Anomaly-based Data Mining for Intrusions", Proceedings of the 8th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, Edmonton, July 2002

[12] P.A. Porras and P.G. Neumann, "EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances", Proceedings of the Nineteenth National Computer Security Conference, pages 353-365, Baltimore, Maryland, 22-25 October 1997. NIST/NCSC

[13] W. Lee, D. Xiang, "Information-theoretic Measures for Anomaly Detection", Proceedings of the 2001 IEEE Symposium on Security and Privacy, Oakland, CA, May 2001

[14] C. Kruegel, D. Mutz, W. Robertson, F. Valeur, "Bayesian event classification for intrusion detection", Proceedings of the Computer Security Applications Conference, 2003, Las Vegas, NV, December 2003

[15] A. L. Narasimha Reddy, Marina Vannucci, Seong Soo Kim, "Detecting Traffic Anomalies Using Discrete Wavelet Transform", Proceedings of ICOIN 2004

[16] Vladimir Gudkov, Joseph E. Johnson, "New Approach for Network Monitoring and Intrusion Detection", CoRR: Cryptography and Security Journal, 2001

[17] Paul Barford, David Plonka, "Characteristics of Network Traffic Flow Anomalies", Proceedings of the Internet Measurement Workshop 2001

[18] D. Barbara, J. Couto, S. Jajodia, L. Popyack, N. Wu, "ADAM: Detecting intrusion by data mining", Proceedings of the IEEE Workshop on Information Assurance and Security, 2001

[19] W. Lee, S. J. Stolfo, "A framework for constructing features and models for intrusion detection systems", ACM Transactions on Information and System Security (TISSEC), 3(4):227-261, November 2000

[20] D. Dasgupta, F. González, "An Immunity-Based Technique to Characterize Intrusions in Computer Networks", IEEE Transactions on Evolutionary Computation, Vol. 6, No. 3, June 2002

[21] S. C. Lee, D. V. Heinbuch, "Training a Neural-Network Based Intrusion Detector to Recognize Novel Attacks", IEEE Transactions on Systems, Man, and Cybernetics, Part A: Systems and Humans, Vol. 31, No. 4, July 2001

[22] T. Oezyer, R. Alhajj, K. Barker, "A boosting genetic fuzzy classifier for intrusion detection using data mining techniques for rule pre-screening", Design and Application of Hybrid Intelligent Systems, pages 983-992, 2003, IOS Press, Amsterdam, The Netherlands

[23] W. Cohen, Y. Singer, "Simple, fast, and effective rule learner", Proceedings of the Sixteenth National Conference on Artificial Intelligence, 1999
