Computer Network Intrusion Research Articles

Survey paper on intrusion detection techniques

Network security has been one of the most important problems in Computer Network Management and Intrusion is the most publicized threats to security. In recent years, intrusion detection has emerged as an important field for network security. IDSs obtain better results when each class ofattacks is treated as a separate problem and handled by specialized algorithms. Now in days various model and method are available for intrusion detection. In this paper, we present a study of intrusion detection. Detection method to improve the detection rate & helping the users to develop secure information systems.

Modelling distributed network attacks with constraints

NeMODe is a declarative system for computer network intrusion detection, providing a declarative domain specific language for describing network intrusion signatures which can span several network packets, by stating constraints over network packets, describing relations between several packets in a declarative and expressive way. It provides several back-end detection mechanisms, all based on a constraint programming framework, to perform the detection of the desired signatures. In this work, we demonstrate how to model and perform the detection of distributed network attacks using each of the detection mechanisms provided by NeMODe, based in Gecode, adaptive search and MiniSat to perform the detection of the specific intrusions. We also use the sliding network traffic window version of the adaptive search back-end detection mechanism to simulate live network traffic and evaluate the performance of the system in conditions near to real life networks.

GNIDS: rule-based network intrusion detection system using genetic algorithms

Detection of intrusions in computer networks has been a growing problem motivating widespread research in computer science to develop better Intrusion Detecting Systems IDS. The existing IDS have been quite static and lack the ability to adjust themselves to the new network traffic and hence new kinds of attack. In this paper, we present a genetic algorithm GA based machine learning approach to identify such harmful/attack type of connections. The algorithm takes into consideration different features in network connections such as source and destination IP, type of protocol and status of the connection to generate a classification rule set. The proposed method is efficient with respect to good detection rate and low false positives. The experimental results demonstrate the lower execution time of the proposed algorithm. The 1999 DARPA IDS dataset is used as the evaluation dataset for both training and testing.

Effect of Network Traffic on IPS Performance

The importance of network security has grown tremendously and intrusion prevention/detection systems (IPS/IDS) have been widely developed to insure the security of network against suspicious threat. Computer network intrusion detection and prevention system consist of collecting traffic data, analyzing them based on detection rules and generate alerts or dropping them if necessary. However IPS has problems such as accuracy signature, the traffic volume, topology design, monitoring sensors. In this paper, we practically examine the traffic effect on performance of IPS. We first examine the detection of DOS attack on a web server by IPS and then we generate network traffic to see how the behavior of IPS has influenced on detection of DOS attack.

The Development of Computer Network Intrusion Detection System Based on Data Mining

In this paper, data mining algorithms have been refined and optimized to achieve the intelligent detection of network data. Winsock2 SPI used in the design of interception of network data, and use "session filtering" approach to network packet filtering. System is divided into control rules and intelligent detection module. Through practical testing, the system can display real-time network connection status on the application procedures can be effective control of network data can also be intelligent detection.

RT-MOVICAB-IDS: Addressing real-time intrusion detection

This study presents a novel Hybrid Intelligent Intrusion Detection System (IDS) known as RT-MOVICAB-IDS that incorporates temporal control. One of its main goals is to facilitate real-time Intrusion Detection, as accurate and swift responses are crucial in this field, especially if automatic abortion mechanisms are running. The formulation of this hybrid IDS combines Artificial Neural Networks (ANN) and Case-Based Reasoning (CBR) within a Multi-Agent System (MAS) to detect intrusions in dynamic computer networks. Temporal restrictions are imposed on this IDS, in order to perform real/execution time processing and assure system response predictability. Therefore, a dynamic real-time multi-agent architecture for IDS is proposed in this study, allowing the addition of predictable agents (both reactive and deliberative). In particular, two of the deliberative agents deployed in this system incorporate temporal-bounded CBR. This upgraded CBR is based on an anytime approximation, which allows the adaptation of this Artificial Intelligence paradigm to real-time requirements. Experimental results using real data sets are presented which validate the performance of this novel hybrid IDS.

Neural projection techniques for the visual inspection of network traffic

A crucial aspect in network monitoring for security purposes is the visual inspection of the traffic pattern, mainly aimed to provide the network manager with a synthetic and intuitive representation of the current situation. Towards that end, neural projection techniques can map high-dimensional data into a low-dimensional space adaptively, for the user-friendly visualization of monitored network traffic. This work proposes two projection methods, namely, cooperative maximum likelihood Hebbian learning and auto-associative back-propagation networks, for the visual inspection of network traffic. This set of methods may be seen as a complementary tool in network security as it allows the visual inspection and comprehension of the traffic data internal structure. The proposed methods have been evaluated in two complementary and practical network-security scenarios: the on-line processing of network traffic at packet level, and the off-line processing of connection records, e.g. for post-mortem analysis or batch investigation. The empirical verification of the projection methods involved two experimental domains derived from the standard corpora for evaluation of computer network intrusion detection: the MIT Lincoln Laboratory DARPA dataset.

Developing expertise for network intrusion detection

PurposeThe paper seeks to provide a foundational understanding of the socio‐technical system that is computer network intrusion detection, including the nature of the knowledge work, situated expertise, and processes of learning as supported by information technology.Design/methodology/approachThe authors conducted a field study to explore the work of computer network intrusion detection using multiple data collection methods, including semi‐structured interviews, examination of security tools and resources, analysis of information security mailing list posts, and attendance at several domain‐specific user group meetings.FindingsThe work practice of intrusion detection analysts involves both domain expertise of networking and security and a high degree of situated expertise and problem‐solving activities that are not predefined and evolve with the dynamically changing context of the analyst's environment. This paper highlights the learning process needed to acquire these two types of knowledge, contrasting this work practice with that of computer systems administrators.Research limitations/implicationsThe research establishes a baseline for future research into the domain and practice of intrusion detection, and, more broadly, information security.Practical implicationsThe results presented here provide a critical examination of current security practices that will be useful to developers of intrusion detection support tools, information security training programs, information security management, and for practitioners themselves.Originality/valueThere has been no research examining the work or expertise development processes specific to the increasingly important information security practice of intrusion detection. The paper provides a foundation for future research into understanding this highly complex, dynamic work.

MOVIH-IDS: A mobile-visualization hybrid intrusion detection system

A novel hybrid artificial intelligent system for intrusion detection, called MObile-VIsualization Hybrid IDS (MOVIH-IDS), is presented in this study. A hybrid model built by means of a multiagent system that incorporates an unsupervised connectionist intrusion detection system (IDS) has been defined to guaranty an efficient computer network security architecture. This hybrid IDS facilitates the intrusion detection in dynamic networks, in a more flexible and adaptable manner. The proposed improvement of the system in this paper includes deliberative agents characterized by the use of an unsupervised connectionist model to identify intrusions in computer networks. This hybrid IDS has been probed through several real anomalous situations related to the simple network management protocol as it is potentially dangerous. Experimental results probed the successful detection of such attacks through MOVIH-IDS.

Multidecision Quickest Change-Point Detection: Previous Achievements and Open Problems

The following multidecision quickest detection problem, which is of importance for a variety of applications, is considered. There are N populations that are either statistically identical or where the change occurs in one of them at an unknown point in time. Alternatively, there may be N “isolated” points/hypotheses associated with a change. It is necessary to detect the change in distribution as soon as possible and indicate which population is “corrupted” or which hypothesis is true after a change occurs. Both the false alarm rate and misidentification rate should be controlled by given (usually low) levels. We discuss performance of natural multihypothesis/multipopulation generalizations of the Page and Shiryaev-Roberts procedures, including certain asymptotically optimal properties of these tests when both the false alarm and the misidentification rates are low. Specifically, we show that under certain conditions the proposed multihypothesis detection-identification procedures asymptotically minimize the trade-off between any positive moment of the detection lag and the false alarm/misclassification rates in the worst-case scenario. At the same time, the corresponding sequential detection-identification procedures are computationally simple and can be easily implemented online in a variety of applications such as rapid detection of intrusions in large-scale distributed computer networks, target detection in cluttered environment, and detection of terrorist' malicious activity. Limitations of the existing and proposed solutions to this challenging problem are also discussed.

Supporting the Cognitive Work of Information Analysis and Synthesis: A Study of the Military Intelligence Domain

Information Analysis and Synthesis (henceforth “IAS”) is a type of cognitive work that plays a key role in many high-performance, complex, and mission-critical domains. These can range from tactical military intelligence to scientific or technological forecasting, business and financial intelligence to national strategic counterterrorism, and include areas as disparate as geopolitical policy analysis to computer network intrusion detection. The specific subject of this study is the military intelligence domain as one instantiation of IAS. Several innovative ethnographic and cognitive task analysis methods were used to observe team-based distributed work done by actual domain practitioners. The main investigative effort took the form of a scaled-world study, leveraging a real world tactical intelligence training exercise as a natural laboratory for investigating the contrasts between weaker and stronger IAS. Specifically, we examined the role of instructors in providing broadening checks to the team analytic process, and mapped the findings to an existing framework.

A decisional framework system for computer network intrusion detection

This paper presents a multi-attribute decisional framework for computer network intrusion detection. First, a cost model that allows to estimate accurately the damage resulting from a security incident is described. Then, a multi-attribute optimization algorithm is applied to select the optimal decision based on alternatives to remedy such incidents. The major interest is that the proposed approach can be applied in collaborative reactive intrusion detection where human experts are assisted by automated tools to find the best response. The approach would allow the possibility to assess the performance of the whole system depending on the performance of each constituents’ leading to a definition of optimality conditions on the introduced framework.

An analysis of distributed sensor data aggregation for network intrusion detection

A current trend in computer network intrusion detection is to deploy a network of traffic sensors, or agents, throughout the network and forward sensed information back to a central processor. As these systems start to incorporate hundreds, even thousands, of sensors, managing and presenting the information from these sensors is becoming an increasingly difficult task. This paper explores the use of conversation exchange dynamics (CED) to integrate and display sensor information from multiple nodes. We present an experimental setup consisting of multiple sensors reporting individual findings to a central server for aggregated analysis. Different scenarios of network attacks and intrusions were planned to investigate the effectiveness of the distributed system. The network attacks were taken from the M.I.T. Lincoln Lab 1999 Data Sets. The distributed system was subjected to different combinations of network attacks in various parts of the network. The results were then analyzed to understand the behavior of the distributed system in response to the different attacks. In general, the distributed system detected all attacks under each scenario. Some surprising observations also indicated attack responses occurring in unanticipated scenarios.

A multi-stage classification system for detecting intrusions in computer networks

A serial multi-stage classification system for facing the problem of intrusion detection in computer networks is proposed. The whole decision process is organized into successive stages, each one using a set of features tailored for recognizing a specific attack category. All the stages employ suitable criteria for estimating the reliability of the performed classification, so that, in case of uncertainty, information related to a possible attack are only logged for further processing, without raising an alert for the system manager. This permits to reduce the number of false alarms. On the other hand, in order to keep low the number of missed detections, the proposed system declares a connection as normal traffic only if all the stages do not detect an attack. The proposed multi-stage intrusion detection system has been tested on three different services (http, telnet and ftp) of a standard database used for benchmarking intrusion detection systems and also on real network traffic data. The experimental analysis highlights the effectiveness of the approach: the proposed system behaves significantly better than other multiple classifier systems performing classification in a single stage.

A novel approach to detection of intrusions in computer networks via adaptive sequential and batch-sequential change-point detection methods

Large-scale computer network attacks in their final stages can readily be identified by observing very abrupt changes in the network traffic. In the early stage of an attack, however, these changes are hard to detect and difficult to distinguish from usual traffic fluctuations. Rapid response, a minimal false-alarm rate, and the capability to detect a wide spectrum of attacks are the crucial features of intrusion detection systems. In this paper, we develop efficient adaptive sequential and batch-sequential methods for an early detection of attacks that lead to changes in network traffic, such as denial-of-service attacks, worm-based attacks, port-scanning, and man-in-the-middle attacks. These methods employ a statistical analysis of data from multiple layers of the network protocol to detect very subtle traffic changes. The algorithms are based on change-point detection theory and utilize a thresholding of test statistics to achieve a fixed rate of false alarms while allowing us to detect changes in statistical models as soon as possible. There are three attractive features of the proposed approach. First, the developed algorithms are self-learning, which enables them to adapt to various network loads and usage patterns. Secondly, they allow for the detection of attacks with a small average delay for a given false-alarm rate. Thirdly, they are computationally simple and thus can be implemented online. Theoretical frameworks for detection procedures are presented. We also give the results of the experimental study with the use of a network simulator testbed as well as real-life testing for TCP SYN flooding attacks

An Analysis of Computer-related Crime: Comparing Police Officer Perceptions with Empirical Data

The rate of computer-related crime continues to escalate, while the rate of most index crimes has modestly declined. Computer network intrusions such as DoS attacks or fraud perpetrated over the Internet annually cost American society billions of dollars. Municipal police responses to this modern crime problem are varied. Future responses remain uncertain, but will require the formulation of more effective local law enforcement strategies. This article is an exploratory study of police officer perceptions of computer-related crime. Officers (n = 251) from four municipal jurisdictions in a single western state were surveyed to examine their perceptions of computer crime. The findings indicate that what police officers believe about computer crime reflects media-driven stereotypes, and may be influenced by moral considerations. Officer perceptions are inconsistent with the empirical facts on computer crime as reported in the peer-reviewed literature on the subject.

An immunity-based technique to characterize intrusions in computer networks

This paper presents a technique inspired by the negative selection mechanism of the immune system that can detect foreign patterns in the complement (nonself) space. In particular, the novel pattern detectors (in the complement space) are evolved using a genetic search, which could differentiate varying degrees of abnormality in network traffic. The paper demonstrates the usefulness of such a technique to detect a wide variety of intrusive activities on networked computers. We also used a positive characterization method based on a nearest-neighbor classification. Experiments are performed using intrusion detection data sets and tested for validation. Some results are reported along with analysis and concluding remarks.

Cooperating security managers: a peer-based intrusion detection system

The need for increased security measures in computer systems and networks is apparent through the frequent media accounts of computer system and network intrusions. One attempt at increasing security measures is in the area of intrusion detection packages. These packages use a variety of means to detect intrusive activities and have been applied to both individual computer systems and networks. Cooperating security managers (CSM) is one such package. Applied to a network, CSM is designed to perform intrusion detection and reporting functions in a distributed environment without requiring a designated central site or server to perform the analysis of network audit data. In addition, it is designed to handle intrusions as opposed to simply detecting and reporting on them, resulting in a comprehensive approach to individual system and network intrusions. Tests of the initial prototype have shown the cooperative methodology to perform favourably.

Simulation Research on Optimal Detection of Intrusion Node Information in Network

The optimal detection of intrusion node information in the network can guarantee the safe and stable operation of the network. When the intrusion node information is detected, it is necessary to obtain the optimal parameters of SVM according to the optimal acquisition path of the node to complete the detection of intrusion node information. The traditional method uses the ant colony to find the network node path, get the support vector machine parameters, but ignores the optimization of the parameters, resulting in the information detection results are not accurate. An improved detection method of intrusion node information based on attribute attack graph is proposed. The intrusion signal with intrusion node information is decomposed into IMF single frequency intrusion signal, and the state transition equation of the network intrusion detection system is obtained. The ant colony theory and the support vector machine parameters are merged, and the network intrusion check rate is used as the objective function, and the ant is changed to the ant, and the nodes on the optimal path are connected to get the SVM optimal parameters. Based on this parameter, the intrusion node information detection is completed. The experimental results show that the proposed method has high accuracy and can improve the accuracy of embedded computer network intrusion detection.