Today's recommendations

1999 - J. Comput. Secur.

NetSTAT: A Network-based Intrusion Detection System

Network-based attacks are becoming more common and sophisticated. For this reason, intrusion detection systems are now shifting their focus from the hosts and their operating systems to the network itself. Network-based intrusion detection is challenging because network auditing produces large amounts of data, and different events related to a single intrusion may be visible in different places on the network. This paper presents a new approach that applies the State Transition Analysis Technique (STAT) to network intrusion detection. Network-based intrusions are modeled using state transition diagrams in which states and transitions are characterized in a networked environment. The target network environment itself is represented using a model based on hypergraphs. By using a formal model of both the network to be protected and the attacks to be detected, the approach is able to determine which network events have to be monitored and where they can be monitored, providing automatic support for configuration and placement of intrusion detection components.

2004 - CCS '04

Testing network-based intrusion detection signatures using mutant exploits

Misuse-based intrusion detection systems rely on models of attacks to identify the manifestation of intrusive behavior. Therefore, the ability of these systems to reliably detect attacks is strongly affected by the quality of their models, which are often called "signatures." A perfect model would be able to detect all the instances of an attack without making mistakes, that is, it would produce a 100% detection rate with 0 false alarms. Unfortunately, writing good models (or good signatures) is hard. Attacks that exploit a specific vulnerability may do so in completely different ways, and writing models that take into account all possible variations is very difficult. For this reason, it would be beneficial to have testing tools that are able to evaluate the "goodness" of detection signatures. This work describes a technique to test and evaluate misuse detection models in the case of network-based intrusion detection systems. The testing technique is based on a mechanism that generates a large number of variations of an exploit by applying mutant operators to an exploit template. These mutant exploits are then run against a victim host protected by a network-based intrusion detection system. The results of the systems in detecting these variations provide a quantitative basis for the evaluation of the quality of the corresponding detection model.

2002

NETWORK-BASED INTRUSION DETECTION USING NEURAL NETWORKS

With the growth of computer networking, electronic commerce, and web services, security of networking systems has become very important. Many companies now rely on web services as a major source of revenue. Computer hacking poses significant problems to these companies, as distributed attacks can render their cyber-storefront inoperable for long periods of time. This happens so often that an entire area of research, called Intrusion Detection, is devoted to detecting this activity. We show that evidence of many of these attacks can be found by a careful analysis of network data. We also illustrate that neural networks can efficiently detect this activity. We test our systems against denial of service attacks, distributed denial of service attacks, and portscans. In this work, we explore network-based intrusion detection using classifying, self-organizing maps for data clustering and MLP neural networks for detection.

2004 - VizSEC/DMSEC '04

SnortView: visualization system of snort logs

False detection is a major issue in deploying and maintaining Network-based Intrusion Detection Systems (NIDS). Traditionally, it is recommended to customize the signature database (DB) to reduce false detections. However, it requires quite deep knowledge and skills to appropriately customize the signature DB. Inappropriate customization causes an increase in false negatives as well as false positives. In this paper, we propose a visualization system for a NIDS log, named SnortView, which supports administrators in analyzing NIDS alerts much faster and much more easily. Instead of customizing the signature DB, we propose to utilize visualization to recognize not only each alert but also false detections. The system is based on a 2-D time diagram, and alerts are shown as icons with different styles and colors. In addition, the system introduces some visualization techniques such as overlaid statistical information, a source-destination matrix, and so on. The system was used to detect real attacks while recognizing some false detections.

2003 - ICOIN

Network-Based Intrusion Detection with Support Vector Machines

This paper proposes a method of applying Support Vector Machines to a network-based Intrusion Detection System (SVM IDS). Support vector machines (SVM) are a learning technique which has been successfully applied in many application areas. Intrusion detection can be considered as a two-class classification problem or a multi-class classification problem. We used the dataset from the 1999 KDD intrusion detection contest. SVM IDS was learned with the training set and tested with test sets to evaluate the performance of SVM IDS on the novel attacks. And we also evaluate the importance of each feature to improve the overall performance of the IDS. The results of experiments demonstrate that applying SVM in an Intrusion Detection System can be an effective and efficient way of detecting intrusions.
