Enhancing effectiveness of intrusion detection systems: A hybrid approach

Intrusion Detection Systems (IDSs) proposed in the literature can broadly be classified as either signature based or anomaly based. Although both classes of IDS effectively detect a wide range of network attacks, each has its own drawbacks. Signature based IDSs are incapable of detecting new attacks and produce a large number of false positive alarms when operated with default settings. Anomaly based IDSs, on the other hand, require extensive training before deployment and are computationally expensive. In this paper, we address these issues by proposing an efficient hybrid intrusion detection framework with a high detection rate and a low false alarm rate. A novel false alarm minimization technique reduces the false alarm rate of the signature based component, and a simple header based anomaly detection module minimizes the computational overhead of the anomaly based component. Experimental results on the benchmark DARPA IDEVAL dataset and an in-house test bed dataset show that the proposed framework achieves a high detection rate and accuracy across a wide range of network attacks while minimizing the overall computational overhead.
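The following is an added illustration of how the two components described above can be combined; it is not the paper's framework and none of its specifics come from the paper. It assumes a PHAD-style header-novelty scorer for the anomaly module (each header field whose value was never seen in benign training adds n/r to the packet's score), three constructed header-only signature rules, constructed sample traffic, and a corroboration rule as the false alarm minimization step: a low-severity signature hit is reported only if the anomaly module independently finds the packet unusual. The thresholds are assumptions chosen for this example.

```python
from collections import defaultdict

# Header fields the anomaly module profiles (assumption: a deliberately small set).
FIELDS = ("proto", "dport", "ttl", "flags", "length")

# Constructed benign training traffic: header-only records, no payloads.
BENIGN_TRAINING = [
    {"proto": "tcp", "dport": 80,  "ttl": 64,  "flags": "S",  "length": 60},
    {"proto": "tcp", "dport": 80,  "ttl": 64,  "flags": "PA", "length": 512},
    {"proto": "tcp", "dport": 443, "ttl": 64,  "flags": "S",  "length": 60},
    {"proto": "tcp", "dport": 443, "ttl": 128, "flags": "PA", "length": 1460},
    {"proto": "udp", "dport": 53,  "ttl": 64,  "flags": "",   "length": 78},
    {"proto": "udp", "dport": 53,  "ttl": 128, "flags": "",   "length": 90},
]


class HeaderAnomalyModel:
    """PHAD-style per-field novelty scoring (assumed here, not the paper's model).
    A packet's score is the sum of n/r over fields whose value never appeared in
    training, where n is the number of training packets and r the number of
    distinct values seen for that field. It is cheap because it reads headers
    only and keeps one set of values per field."""

    def __init__(self):
        self.seen = defaultdict(set)
        self.n = 0

    def train(self, packets):
        for p in packets:
            self.n += 1
            for f in FIELDS:
                self.seen[f].add(p[f])

    def score(self, p):
        novel = (self.n / len(self.seen[f]) for f in FIELDS if p[f] not in self.seen[f])
        return round(sum(novel), 3)


# Signature component: (name, severity, predicate over header fields).
# Constructed illustrative rules, not Snort rules and not the paper's rule set.
SIGNATURES = [
    ("xmas-scan", "high", lambda p: p["proto"] == "tcp" and p["flags"] == "FPU"),
    ("telnet-syn", "low", lambda p: p["proto"] == "tcp" and p["dport"] == 23 and p["flags"] == "S"),
    # Overly broad rule standing in for the noisy defaults the abstract mentions.
    ("http-syn", "low", lambda p: p["proto"] == "tcp" and p["dport"] == 80 and p["flags"] == "S"),
]

ANOMALY_ALERT_THRESHOLD = 4.0   # assumed: score at which the anomaly module alerts on its own
CORROBORATION_THRESHOLD = 1.5   # assumed: score needed to keep a low-severity signature hit


def signature_hits(p):
    return [(name, sev) for name, sev, pred in SIGNATURES if pred(p)]


def analyze(model, p):
    """Hybrid verdict for one packet: returns (anomaly_score, alerts), where
    alerts is the list of (source, name) pairs that survived filtering."""
    score = model.score(p)
    alerts = []
    for name, sev in signature_hits(p):
        # False alarm minimization (this example's assumption): a low-severity
        # signature hit on a packet the anomaly module considers normal is dropped.
        if sev == "high" or score >= CORROBORATION_THRESHOLD:
            alerts.append(("signature", name))
    # Anomaly-only detection covers traffic no signature describes.
    if score >= ANOMALY_ALERT_THRESHOLD:
        alerts.append(("anomaly", "header-novelty"))
    return score, alerts


def run(training, packets):
    model = HeaderAnomalyModel()
    model.train(training)
    return [analyze(model, p) for p in packets]


# Constructed test traffic: one normal request, one TCP flag-combination scan,
# one telnet connection attempt, and one packet of a protocol never seen in training.
TEST_PACKETS = [
    {"proto": "tcp",  "dport": 80, "ttl": 64,  "flags": "S",   "length": 60},
    {"proto": "tcp",  "dport": 80, "ttl": 64,  "flags": "FPU", "length": 40},
    {"proto": "tcp",  "dport": 23, "ttl": 64,  "flags": "S",   "length": 60},
    {"proto": "icmp", "dport": 0,  "ttl": 255, "flags": "",    "length": 84},
]

if __name__ == "__main__":
    for p, (score, alerts) in zip(TEST_PACKETS, run(BENIGN_TRAINING, TEST_PACKETS)):
        print(f"{p['proto']:4} dport={p['dport']:<4} flags={p['flags']:<3} score={score:<5} alerts={alerts}")
```

Running it shows the three behaviours the abstract argues for: the broad `http-syn` rule fires on the normal request but is suppressed because the packet's header score is zero, the telnet attempt is a low-severity rule that survives because the unseen destination port raises its score, and the ICMP packet matches no rule at all yet is reported by the anomaly module alone.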
