Adaptive network intrusion detection system using a hybrid approach

Any activity aimed at disrupting a service, making a resource unavailable, or gaining unauthorized access can be termed an intrusion. Examples include buffer overflow attacks, flooding attacks, system break-ins, etc. Intrusion detection systems (IDSs) play a key role in detecting such malicious activities and enable administrators to secure network systems. Two key criteria should be met by an IDS for it to be effective: (i) the ability to detect unknown attack types, and (ii) a very low misclassification rate. In this paper we describe an adaptive network intrusion detection system that uses a two-stage architecture. In the first stage a probabilistic classifier is used to detect potential anomalies in the traffic. In the second stage an HMM-based traffic model is used to narrow down the potential attack IP addresses. Various design choices that were made to make this system practical, and difficulties faced in integrating it with existing models, are also described. We show empirically that this system achieves good performance.
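The two-stage pipeline sketched in the abstract, as an added illustration that is not the paper's own code: stage one is a categorical Naive Bayes classifier (standing in for the paper's unspecified probabilistic classifier) that marks source IPs with any record classified as an attack as candidates; stage two scores each candidate's flag sequence under a hidden Markov model of normal TCP behaviour using the scaled forward algorithm and keeps only IPs whose average per-symbol log-likelihood falls below a threshold. The training rows, the traffic stream, the HMM parameters (`PI`, `A`, `B`) and the threshold are all constructed for the example; a deployed system would estimate the HMM from observed normal traffic.

```python
"""Two-stage anomaly pipeline: Naive Bayes pre-filter, then HMM scoring per IP.

All data and model parameters below are constructed for illustration.
"""
import math
from collections import Counter, defaultdict

# Constructed labelled training rows: ((protocol, tcp_flags, size_bucket), label)
TRAIN = [
    (("tcp", "ACK", "mid"), "normal"), (("tcp", "PSH", "mid"), "normal"),
    (("udp", "-", "small"), "normal"), (("tcp", "ACK", "large"), "normal"),
    (("tcp", "SYN", "small"), "normal"), (("tcp", "FIN", "small"), "normal"),
    (("tcp", "SYN", "small"), "attack"), (("tcp", "SYN", "small"), "attack"),
    (("tcp", "SYN", "small"), "attack"), (("udp", "-", "large"), "attack"),
]
# Constructed unlabelled stream: (src_ip, protocol, tcp_flags, size_bucket)
STREAM = [
    ("10.0.0.5", "tcp", "SYN", "small"), ("10.0.0.5", "tcp", "ACK", "mid"),
    ("10.0.0.5", "tcp", "PSH", "mid"), ("10.0.0.5", "tcp", "FIN", "small"),
    ("10.0.0.9", "tcp", "SYN", "small"), ("10.0.0.9", "tcp", "SYN", "small"),
    ("10.0.0.9", "tcp", "SYN", "small"), ("10.0.0.9", "tcp", "SYN", "small"),
    ("10.0.0.9", "tcp", "SYN", "small"), ("10.0.0.9", "tcp", "SYN", "small"),
]


class NaiveBayes:
    """Categorical Naive Bayes with Laplace smoothing (stage 1)."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.class_counts = Counter()
        self.feat_counts = defaultdict(Counter)   # label -> Counter[(idx, value)]
        self.values = defaultdict(set)            # idx -> distinct values seen

    def fit(self, rows):
        for feats, label in rows:
            self.class_counts[label] += 1
            for i, v in enumerate(feats):
                self.feat_counts[label][(i, v)] += 1
                self.values[i].add(v)
        return self

    def log_posterior(self, feats):
        total = sum(self.class_counts.values())
        out = {}
        for c, n in self.class_counts.items():
            lp = math.log(n / total)
            for i, v in enumerate(feats):
                num = self.feat_counts[c][(i, v)] + self.alpha
                den = n + self.alpha * len(self.values[i])
                lp += math.log(num / den)
            out[c] = lp
        return out

    def predict(self, feats):
        return max(self.log_posterior(feats).items(), key=lambda kv: kv[1])[0]


# Stage 2: assumed HMM of a normal TCP conversation (hand-set, not trained).
STATES = ["handshake", "transfer", "teardown"]
SYMBOLS = ["SYN", "ACK", "PSH", "FIN", "OTHER"]
PI = [0.80, 0.15, 0.05]                       # initial state distribution
A = [[0.10, 0.85, 0.05],                      # transition matrix A[i][j]
     [0.02, 0.80, 0.18],
     [0.30, 0.10, 0.60]]
B = [[0.85, 0.10, 0.02, 0.01, 0.02],          # emission matrix B[state][symbol]
     [0.02, 0.48, 0.45, 0.03, 0.02],
     [0.02, 0.10, 0.03, 0.83, 0.02]]


def forward_log_likelihood(flags):
    """Scaled forward algorithm: log P(flag sequence | normal-traffic HMM)."""
    obs = [SYMBOLS.index(f if f in SYMBOLS else "OTHER") for f in flags]
    n = len(STATES)
    alpha = [PI[i] * B[i][obs[0]] for i in range(n)]
    log_lik = 0.0
    for t, o in enumerate(obs):
        if t > 0:
            alpha = [sum(alpha[i] * A[i][j] for i in range(n)) * B[j][o]
                     for j in range(n)]
        scale = sum(alpha)                    # P(o_t | o_1..o_{t-1})
        log_lik += math.log(scale)
        alpha = [a / scale for a in alpha]    # rescale to avoid underflow
    return log_lik


def run_pipeline(train, stream, ll_threshold=-1.5):
    """Return (stage-1 candidate IPs, per-IP HMM scores, confirmed IPs)."""
    nb = NaiveBayes().fit(train)
    # Stage 1: any record classified as an attack makes its source a candidate.
    candidates = {ip for ip, *feats in stream if nb.predict(tuple(feats)) == "attack"}
    # Stage 2: score each candidate's full flag sequence under the normal model.
    by_ip = defaultdict(list)
    for ip, _proto, flags, _size in stream:
        by_ip[ip].append(flags)
    scores = {ip: forward_log_likelihood(by_ip[ip]) / len(by_ip[ip]) for ip in candidates}
    confirmed = sorted(ip for ip, s in scores.items() if s < ll_threshold)
    return candidates, scores, confirmed


if __name__ == "__main__":
    cands, scores, confirmed = run_pipeline(TRAIN, STREAM)
    print("stage 1 candidates:", sorted(cands))
    print("stage 2 scores:", {ip: round(s, 3) for ip, s in scores.items()})
    print("confirmed:", confirmed)
```

On the constructed stream, stage one flags both hosts because 10.0.0.5 also sends one SYN, while stage two keeps only 10.0.0.9, whose run of six SYNs has a far lower per-symbol likelihood under the handshake/transfer/teardown model than 10.0.0.5's SYN, ACK, PSH, FIN conversation; normalising by sequence length is what makes the threshold comparable across IPs with different packet counts.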
