Combining dynamic and static host intrusion detection features using variational long short-term memory recurrent autoencoder

Abstract

Despite the many advantages offered by Host Intrusion Detection Systems (HIDS), they are rarely adopted in mainstream cybersecurity strategies. Unlike Network Intrusion Detection Systems, a HIDS is the last layer of defence between potential attacks and the underlying OSs. One of the main reasons behind this is its poor capability to adequately protect against zero-day attacks. With the rising number of zero-day exploits and related attacks, this is an increasingly imperative requirement for a modern HIDS. In this paper, a variational long short-term memory recurrent autoencoder approach that improves zero-day attack detection is proposed. We have practically implemented our model using TensorFlow and evaluated its performance using the benchmark ADFA-LD and UNM datasets. We have also compared the results against those from notable publications in the area.

Similar Papers
  • Conference Article
  • Citations: 4
  • 10.1109/icnwc57852.2023.10127442
A novel hybrid automatic intrusion detection system using machine learning technique for anomalous detection based on traffic prediction
  • Apr 5, 2023
  • D Vinod + 1 more

Traffic classification is an automated technique that divides computer network traffic into several categories depending on different factors like protocol or port number. In a complicated context, traffic categorization is an important tool for network and system security. A monitoring system called intrusion detection looks for abnormal activity and sends out notifications. In order to safeguard a system from network-based attacks, Network Intrusion Detection Systems (NIDS) play a crucial role in monitoring and analyzing network traffic. Active and passive intrusion detection systems (IDS), network intrusion detection systems (NIDS), host intrusion detection systems (HIDS), knowledge-based (signature-based) IDS, and behavior-based (anomaly-based) IDS are some of the numerous types of intrusion detection systems (IDS). Passive IDS is just designed to monitor and analyze network traffic behaviour and notify an operator of potential vulnerabilities and attacks, whereas Active IDS is also known as Intrusion Detection and Prevention System. A network's malicious traffic is identified using a network-based intrusion detection system (NIDS). A host-based IDS monitors system activity and seeks indications of abnormal behaviour. For networks with unidentified traffic, the intrusion detection system designed using flow and payload statistical characteristics and a clustering approach needs additional clusters. The present intrusion detection system however is affected by false alarm rate, poor detection rate, imbalanced datasets and response time, which lead to misclassification of intrusions in various scenarios. Hence, there is a requirement for developing an automated intrusion detection system that works well in different scenarios. The proposed system uses supervised and unsupervised intrusion detection and classification methods to increase the classification accuracy.
To categorize the intrusions, dimensionality reduction strategies are used in conjunction with the classification procedure of logistic regression. Performance of intrusion detection system using PCA as dimensionality reduction algorithm has been evaluated with different classifiers such as Logistic Regression (LR), K-Nearest Neighbors (K-NN), Random Forest (RF), Support Vector Machine (Kernel SVM), Decision Tree (DT) using CIC IDS 2022 dataset. An automated way to detect intrusions has been proposed with cluster formation using adaptive weight butterfly optimization algorithm.

  • Research Article
  • Citations: 50
  • 10.3390/s23146305
Botnet Detection and Mitigation Model for IoT Networks Using Federated Learning.
  • Jul 11, 2023
  • Sensors
  • Francisco Lopes De Caldas Filho + 6 more

The Internet of Things (IoT) introduces significant security vulnerabilities, raising concerns about cyber-attacks. Attackers exploit these vulnerabilities to launch distributed denial-of-service (DDoS) attacks, compromising availability and causing financial damage to digital infrastructure. This study focuses on mitigating DDoS attacks in corporate local networks by developing a model that operates closer to the attack source. The model utilizes Host Intrusion Detection Systems (HIDS) to identify anomalous behaviors in IoT devices and employs network-based intrusion detection approaches through a Network Intrusion Detection System (NIDS) for comprehensive attack identification. Additionally, a Host Intrusion Detection and Prevention System (HIDPS) is implemented in a fog computing infrastructure for real-time and precise attack detection. The proposed model integrates NIDS with federated learning, allowing devices to locally analyze their data and contribute to the detection of anomalous traffic. The distributed architecture enhances security by preventing volumetric attack traffic from reaching internet service providers and destination servers. This research contributes to the advancement of cybersecurity in local network environments and strengthens the protection of IoT networks against malicious traffic. This work highlights the efficiency of using a federated training and detection procedure through deep learning to minimize the impact of a single point of failure (SPOF) and reduce the workload of each device, thus achieving accuracy of 89.753% during detection and increasing privacy issues in a decentralized IoT infrastructure with a near-real-time detection and mitigation system.

  • Book Chapter
  • Citations: 10
  • 10.1201/9781003032397-13
Anomaly Detection over SDN Using Machine Learning and Deep Learning for Securing Smart City
  • Jun 18, 2021
  • Reenu Batra + 2 more

The security of data is now a major concern for all applications. Attacks on data are increasing day by day. Therefore, there is a need for a security mechanism on all devices responsible for the transfer of data over the network. An Intrusion Detection System (IDS) has been designed in order to detect different types of attacks on the system. IDS may be categorized into Network Intrusion Detection System (NIDS) and Host Intrusion Detection System (HIDS). NIDS and HIDS are employed by the user depending on the requirement, such as whether the user aims to find attacks over the whole network or just over a host. An IDS works best over Software Defined Networks (SDN) rather than traditional networks. Many of today’s applications reside over SDN. SDN is preferred over traditional networks because of its flexibility and agile property. This chapter mainly introduces various algorithms of intrusion detection like support vector machine (SVM), random forest (RF), K-means, Principal Component Analysis (PCA) and Self-Organizing Map (SOM), which are basically machine learning (ML) algorithms. ML algorithms may be supervised, unsupervised and semi-supervised learning algorithms. Besides ML algorithms, this chapter also introduces some deep learning algorithms used for intrusion detection, for example Recurrent Neural Network (RNN) and Deep Belief Network (DBN).

  • Conference Article
  • Citations: 4
  • 10.1109/dsn-s50200.2020.00014
Towards Host Intrusion Detection for Embedded Industrial Systems
  • Jun 1, 2020
  • Marine Kadar + 2 more

Original Equipment Manufacturers now embed hardware virtualization in car equipment to reduce costs and hardware complexity, while allowing more functionalities, such as connectivity. This evolution forces the cohabitation of distinct criticality domains on the same hardware, reaffirming the need for security. Because of the trade-off between performance and system overall complexity, deploying security becomes a challenging balancing act. Host Intrusion Detection Systems (HIDS) security protects the behavior of a program at run-time: it monitors the program execution flow to distinguish threats from benign activity. This paper presents a novel run-time security solution for embedded mixed-criticality systems, which integrates HIDS in a partitioned system based on Multiple Independent Levels of Security (MILS) architecture. Our HIDS monitors a program's execution by observing both hardware and software signals; there is to our knowledge no HIDS providing such precise representation of program execution.

  • Book Chapter
  • Citations: 18
  • 10.1016/b978-193183601-2/50014-2
Chapter 9 - Implementing Intrusion Detection Systems
  • Jan 1, 2004
  • Security Sage's Guide to Hardening the Network Infrastructure

  • Research Article
  • Citations: 12
  • 10.1007/s10207-024-00926-9
Autonomous intrusion detection for IoT: a decentralized and privacy preserving approach
  • Oct 30, 2024
  • International Journal of Information Security
  • Vitalina Holubenko + 3 more

The Internet of Things (IoT) has been increasingly adopted in domains such as smart infrastructure, healthcare, supply chain, transportation, and many others. However, the constrained computational resources of these devices make conventional security approaches against security threats not applicable. This limitation emphasizes the need to explore new approaches, specifically tailored to these kinds of devices. To increase protection against cyberattacks in IoT devices, Intrusion Detection Systems (IDSs) are considered an effective approach. Machine Learning (ML) techniques can be combined with Federated Learning to enhance the privacy and scalability of these systems. Many IDSs have been introduced, but there is a research gap concerning Host Intrusion Detection System (HIDS), which is the primary focus of our current work. Additionally, existing research predominantly focuses on the application of ML techniques and their evaluation, with limited attention to real-world implementation. We propose a lightweight HIDS that relies on the analysis of system call traces to detect malicious activities. The proposed HIDS achieved an accuracy rate of approximately 98%. Finally, by using eXplainable Artificial Intelligence methods, we sought to provide explanations for these results.

  • Research Article
  • Citations: 2
  • 10.1002/cpe.8249
Ab-HIDS: An anomaly-based host intrusion detection system using frequency of N-gram system call features and ensemble learning for containerized environment
  • Aug 6, 2024
  • Concurrency and Computation: Practice and Experience
  • Nidhi Joraviya + 2 more

Cloud's operating-system-level virtualization has introduced a new phase of lightweight virtualization through containers. The architecture of cloud-native and microservices-based application development strongly advocates for the use of containers due to their swift and convenient deployment capabilities. However, the security of applications within containers is important, as malicious or vulnerable content could jeopardize the container and the host system. This vulnerability also extends to neighboring containers and may compromise data integrity and confidentiality. The article focuses on developing an intrusion detection system tailored to containerized cloud environments by identifying system call analysis techniques and also proposes an anomaly-based host intrusion detection system (Ab-HIDS). This system employs the frequency of N-gram system calls as distinctive features. To enhance performance, two ensemble learning models, namely voting-based ensemble learning and XGBoost ensemble learning, are employed for training and testing the data. The proposed system is evaluated using the Leipzig Intrusion Detection Data Set (LID-DS), demonstrating substantial performance compared to existing state-of-the-art methods. Ab-HIDS is validated for class imbalance using the imbalance ratio and synthetic minority over-sampling technique methods. Our system achieved significant improvements in detection accuracy with a 4% increase for the voting-based ensemble model and a 6% increase for the XGBoost ensemble model. Additionally, we observed reductions in the false positive rate by 0.9% and 0.8% for these models, respectively, compared to existing state-of-the-art methods. These results illustrate the potential of our proposed approach in improving security measures within containerized environments.

  • Conference Article
  • Citations: 22
  • 10.1109/etcs.2010.478
Analysis and Design for Intrusion Detection System Based on Data Mining
  • Jan 1, 2010
  • Duanyang Zhao + 2 more

Network and host Intrusion Detection Systems (IDS) have become a standard component in security infrastructures. Because intrusions are variable, complicated, and uncertain in character, these systems face many problems that must be resolved for intrusion detection. Each approach has its strengths and weaknesses. A truly effective intrusion detection system will employ both technologies. We discuss the differences in host- and network-based intrusion detection techniques to demonstrate how the two can work together to provide additionally effective intrusion detection and protection. We propose a hybrid IDS, which combines network and host IDS, with anomaly and misuse detection modes, utilizes auditing programs to extract an extensive set of features that describe each network connection or host session, and applies data mining programs to learn rules that accurately capture the behavior of intrusions and normal activities.

  • Conference Article
  • Citations: 7
  • 10.1145/2661172.2661186
Intrusion Detection
  • Nov 2, 2014
  • Vijay Anand

Intrusion detection is an important aspect of modern cyber-enabled infrastructure in identifying threats to digital assets. Intrusion detection encompasses tools, techniques and strategies to recognize evolving threats, thereby contributing to a secure and trustworthy computing framework. There are two primary intrusion detection paradigms, signature pattern matching and anomaly detection. The paradigm of signature pattern matching encompasses the identification of known threat sequences of causal events and matching them to incoming events. If the pattern of incoming events matches the signature of an attack, there is a positive match which can be labeled for further processing of countermeasures. The paradigm of anomaly detection is based on the premise that an attack signature is unknown. Events can deviate from normal digital behavior or can inadvertently give out information in normal event processing. These stochastic events have to be evaluated by a variety of techniques such as artificial intelligence, prediction models etc. before identifying potential threats to the digital assets in a cyber-enabled system. Once a pattern is identified in the evaluation process after excluding false positives and negatives, this pattern can be classified as a signature pattern. This paper highlights a setup in an educational environment to effectively flag threats to the digital assets in the system using an intrusion detection framework. Intrusion detection frameworks come in two primary formats: a network intrusion detection system and a host intrusion detection system. In this paper we identify different publicly available tools of intrusion detection and their effectiveness in a test environment. This paper also looks at the mix of tools that can be deployed to effectively flag threats as they evolve. The effect of encryption in such a setup and threat identification with encryption is also studied.

  • Conference Article
  • Citations: 5
  • 10.1109/iwscn.2010.5497999
Constraints on autonomous use of standard GPU components for asynchronous observations and intrusion detection
  • May 1, 2010
  • Reinhard Riedmüller + 4 more

The high computational power of graphics processing units (GPU) is used for several purposes nowadays. Factoring integers, computing discrete logarithms, and pattern matching in network intrusion detection systems (IDS) are popular tasks in the field of information security where GPUs are used for acceleration. GPUs are commodity components and are widely available in computer systems, which would make them an ideal platform for a wide-spread IDS. We investigate the feasibility of using current GPUs for asynchronous host intrusion detection as proposed in a former work and come to the conclusion that several constraints of GPUs limit their use for concurrent and asynchronous off-CPU processing in host IDSs. GPUs have restrictions in terms of continuity, asynchronism, and unrestricted access to perform this task. We propose an observation mechanism and discuss current constraints on autonomous use of standard GPU components for intrusion detection. Finally, we come to the conclusion that several modifications to graphics cards are necessary to enable our approach.

  • Research Article
  • Citations: 9
  • 10.37256/ccds.5120243772
Fog-Driven Approach for Distributed Intrusion Detection System in Auditing the Data Based on Blockchain-Cloud Systems
  • Nov 1, 2023
  • Cloud Computing and Data Science
  • Hanumantharaju R + 3 more

Intrusion detection is a familiar phrase in the information and network security domain. An Intrusion Detection System (IDS) is a device or software that keeps track of the network for unlawful movements and policy breaches that arise within the network. There are different forms of IDS: a Host Intrusion Detection System (HIDS) helps in identifying unauthorized activities on the host, a Network Intrusion Detection System (NIDS) helps in identifying attacks in the network, whereas a Distributed Intrusion Detection System (DIDS) consists of multiple IDS over a large area of network where individual IDS communicate with each other or with the authorized central server. The proposed work has a three-layered architecture for DIDS for securing data sharing among different IDS. The bottom layer uses multiple IDS, the fog layer is supported with Blockchain functionality, and the cloud service at the upper layer stores required data permanently for future analysis. The fog computing-based architecture for DIDS tries to implement the application in a scalable and trustless environment using distributed ledger technology. The evaluation of the proposed work is carried out for fog, cloud, and integrated fog-cloud with and without Blockchain functionality, measuring performance metrics related to throughput, service latency, response time, block creation time, and block execution time.

  • Book Chapter
  • Citations: 7
  • 10.1007/978-3-030-16184-2_51
Requirements for Training and Evaluation Dataset of Network and Host Intrusion Detection System
  • Jan 1, 2019
  • Petteri Nevavuori + 1 more

In the cyber domain, situational awareness of the critical assets is extremely important. For achieving comprehensive situational awareness, accurate sensor information is required. An important branch of sensors is Intrusion Detection Systems (IDS), especially anomaly-based intrusion detection systems applying artificial intelligence or machine learning for anomaly detection. This millennium has seen the transformation of industries due to the developments in data-based modelling methods. The most crucial bottleneck for modelling the IDS is the absence of publicly available datasets compliant with modern equipment, system design standards and the cyber threat landscape. The predominant dataset, the KDD Cup 1999, is still actively used in IDS modelling research despite the expressed criticism. Other, more recent datasets tend to record data only either from the perimeters of the testbed environment’s network traffic or from the effects that malware has on a single host machine. Our study focuses on forming a set of requirements for a holistic Network and Host Intrusion Detection System (NHIDS) dataset by reviewing existing and studied datasets within the field of IDS modelling. As a result, the requirements for a state-of-the-art NHIDS dataset are presented to be utilised for research and development of NHIDS applying machine learning and artificial intelligence.

  • Conference Article
  • Citations: 3
  • 10.1109/ebiss.2010.5473646
Research and Design for Intrusion Detection System with Hybrid Detector and Apriori Algorithm
  • May 1, 2010
  • Duanyang Zhao + 2 more

Network and host Intrusion Detection Systems (IDS) have become a standard component in security infrastructures. Because intrusions are variable, complicated, and uncertain in character, these systems face many problems that must be resolved for intrusion detection. Each approach has its strengths and weaknesses. We propose a hybrid IDS, which combines network and host IDS, with anomaly and misuse detection modes, utilizes auditing programs to extract an extensive set of features that describe each network connection or host session, and applies data mining programs to learn rules that accurately capture the behavior of intrusions and normal activities. We use an association rule to track all relevant data dependency rule sets for different access roles using a hierarchical structure. We identify malicious transactions from the transaction logs in the database using the data dependency rule sets. These rule sets are continuously updated and stored in a repository. The optimized algorithm actually improves the performance of the IDS. Our approach is shown to reduce data access bottlenecks, and ensures minimal manual intervention for maintaining a secure database.

  • Conference Article
  • Citations: 38
  • 10.1109/icatcct.2015.7456901
Comparative study and analysis of network intrusion detection tools
  • Oct 1, 2015
  • Dhanashri Ashok Bhosale + 1 more

Security has a significant influence in network management. One of the most common ways to secure information in a computer from malicious use is an IDS. An intrusion detection system (IDS) is most prominent in securing a computer and network against intrusion. IDSs are primarily intended to preserve the availability, confidentiality and integrity (CAI) of networks and computers. IDS can be broadly classified into two categories: Network intrusion detection system (NIDS) and Host intrusion detection system (HIDS). NIDS is the main part of any network security architecture; it monitors network traffic for predefined suspicious activity or patterns and alerts system administrators. Nowadays, many IDS tools are available, both commercial and open source. Open source tools promote global access through free licensing. In this paper we study three popular NIDS tools: Snort, Suricata, Bro.

  • Conference Article
  • Citations: 20
  • 10.1109/icces45898.2019.9002129
Survey on Classification Techniques Applied to Intrusion Detection System and its Comparative Analysis
  • Jul 1, 2019
  • Ritumbhra Uikey + 1 more

Network security is the process of preventing and protecting against unauthorized access from the Internet. Intrusion detection is a basic part of security tools, e.g., intrusion detection systems, adaptive security appliances, firewalls and intrusion prevention systems. Several types of Intrusion Detection System (IDS) exist, e.g. Network IDS (NIDS), Host IDS, signature-based IDS, Anomaly-based IDS. The huge amount of information in the form of packet flows across the network may contain vulnerable information which leads to security threats. Many standard IDS datasets are available for researchers to measure the performance of their attack type detection/classification methods. In this paper we have done a survey on classification methods applied to KDD99 and NSL-KDD. Most of the existing work focused on the performance of classifiers based on time and overall accuracy. We have shown the results of these papers to do a collective study. The detection rate of the majority classes (DoS and Probe) is good, but not the same case with the minority classes (U2R and R2L) when base classifiers are used alone. It has been studied that there is an improvement in minority class detection rate with pre-processing or a hybrid classifier. A comparative study of the results given by existing research papers shows that ABC-AFS [25] performs best among all.
