Using the pattern-of-life in networks to improve the effectiveness of intrusion detection systems

As the complexity of cyber-attacks keeps increasing, new and more robust detection mechanisms need to be developed. The next generation of Intrusion Detection Systems (IDSs) should be able to adapt their detection characteristics based not only on the measurable network traffic, but also on the available high-level information related to the protected network, in order to improve their detection results. We make use of the Pattern-of-Life (PoL) of a network as the main source of high-level information; the PoL is correlated with the time of day and the usage of the network resources. We propose the use of a Fuzzy Cognitive Map (FCM) to incorporate the PoL into the detection process. The main aim of this work is to demonstrate the improved detection performance of an IDS that uses an FCM to leverage network-related contextual information. The results that we present verify that the proposed method improves the effectiveness of our IDS by reducing the total number of false alarms, providing an improvement of 9.68% when all the considered metrics are combined and a peak improvement of up to 35.64%, depending on the particular metric combination.
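As an added illustration (not code from the paper), the following small Python FCM shows how PoL context can dampen a traffic-volume anomaly while leaving direct scan evidence untouched; the concept set, the causal weights, the bounded-linear transfer function and the 09:00-18:00 busy schedule are all assumptions chosen for this example.

```python
# Added example (not from the paper): a minimal Fuzzy Cognitive Map that folds
# Pattern-of-Life context into an IDS alert decision. All values are assumed.

CONCEPTS = ["business_hours", "expected_load", "observed_load",
            "load_anomaly", "scan_evidence", "alert"]
IDX = {name: i for i, name in enumerate(CONCEPTS)}
# Concepts fed from outside (PoL clock, traffic meter, signature engine) are
# clamped to their supplied value each iteration; the rest are inferred.
INPUTS = {"business_hours", "observed_load", "scan_evidence"}

# W[i][j]: causal weight of concept i on concept j, in [-1, 1] (assumed values).
W = [
    # bus_h  exp_l  obs_l  anom   scan   alert
    [0.0,   0.9,   0.0,   0.0,   0.0,   0.0],  # business_hours -> expected_load
    [0.0,   0.0,   0.0,  -0.8,   0.0,   0.0],  # expected_load  -| load_anomaly
    [0.0,   0.0,   0.0,   0.9,   0.0,   0.0],  # observed_load  -> load_anomaly
    [0.0,   0.0,   0.0,   0.0,   0.0,   0.9],  # load_anomaly   -> alert
    [0.0,   0.0,   0.0,   0.0,   0.0,   1.0],  # scan_evidence  -> alert (PoL never dampens it)
    [0.0,   0.0,   0.0,   0.0,   0.0,   0.0],  # alert: no outgoing edges
]

def squash(x):
    """Bounded-linear transfer function; keeps activations inside [0, 1]."""
    return min(1.0, max(0.0, x))

def fcm_infer(inputs, max_iter=100, eps=1e-9):
    """Kosko-style inference A_j(t+1) = f(sum_i W[i][j] * A_i(t)), iterated
    until the state vector stops changing. Returns {concept: activation}."""
    n = len(CONCEPTS)
    state = [0.0] * n
    for name, value in inputs.items():
        state[IDX[name]] = value
    for _ in range(max_iter):
        nxt = [squash(sum(W[i][j] * state[i] for i in range(n))) for j in range(n)]
        for name in INPUTS:                      # clamp measured/contextual inputs
            nxt[IDX[name]] = inputs.get(name, 0.0)
        converged = max(abs(a - b) for a, b in zip(state, nxt)) < eps
        state = nxt
        if converged:
            break
    return dict(zip(CONCEPTS, state))

def alert_level(hour, observed_load, scan_evidence=0.0):
    """Alert level in [0, 1] for a traffic sample taken at `hour` (0-23), with
    observed link utilisation and any scan-signature score both in [0, 1]."""
    business_hours = 1.0 if 9 <= hour < 18 else 0.0   # assumed PoL schedule
    return fcm_infer({"business_hours": business_hours,
                      "observed_load": observed_load,
                      "scan_evidence": scan_evidence})["alert"]
```

With these weights the same 80% utilisation yields an alert of about 0.65 at 03:00 but 0.0 at 14:00, while a scan score of 0.7 still produces an alert of 0.7 during the day, which is the false-alarm reduction the abstract describes without suppressing evidence that the PoL does not explain.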
