
SoS Newsletter- Advanced Book Block

Network Intrusion Detection

Network intrusion detection is one of the chronic problems in cybersecurity. The growth of cellular and ad hoc networks has increased the threat and risks. Research into this area of concern reflects its importance. The articles cited here were presented or published between January and August of 2014.

  • Weiming Hu; Jun Gao; Yanguo Wang; Ou Wu; Maybank, S., "Online Adaboost-Based Parameterized Methods for Dynamic Distributed Network Intrusion Detection," Cybernetics, IEEE Transactions on, vol. 44, no. 1, pp. 66-82, Jan. 2014. doi: 10.1109/TCYB.2013.2247592 Current network intrusion detection systems lack adaptability to the frequently changing network environments. Furthermore, intrusion detection in the new distributed architectures is now a major requirement. In this paper, we propose two online Adaboost-based intrusion detection algorithms. In the first algorithm, a traditional online Adaboost process is used where decision stumps are used as weak classifiers. In the second algorithm, an improved online Adaboost process is proposed, and online Gaussian mixture models (GMMs) are used as weak classifiers. We further propose a distributed intrusion detection framework, in which a local parameterized detection model is constructed in each node using the online Adaboost algorithm. A global detection model is constructed in each node by combining the local parametric models using a small number of samples in the node. This combination is achieved using an algorithm based on particle swarm optimization (PSO) and support vector machines. The global model in each node is used to detect intrusions. Experimental results show that the improved online Adaboost process with GMMs obtains a higher detection rate and a lower false alarm rate than the traditional online Adaboost process that uses decision stumps. Both the algorithms outperform existing intrusion detection algorithms. It is also shown that our PSO- and SVM-based algorithm effectively combines the local detection models into the global model in each node; the global model in a node can handle the intrusion types that are found in other nodes, without sharing the samples of these intrusion types.
Keywords: Gaussian processes; computer architecture; computer network security; distributed processing; learning (artificial intelligence); particle swarm optimisation; support vector machines; GMM; PSO; SVM-based algorithm; distributed architectures; dynamic distributed network intrusion detection; local parameterized detection model; network attack detection; network information security; online Adaboost process; online Adaboost-based intrusion detection algorithms; online Adaboost-based parameterized methods; online Gaussian mixture models; particle swarm optimization; support vector machines; weak classifiers; Dynamic distributed detection; network intrusions; online Adaboost learning; parameterized model (ID#:14-2437) URL:
  • Al-Jarrah, O.; Arafat, A., "Network Intrusion Detection System Using Attack Behavior Classification," Information and Communication Systems (ICICS), 2014 5th International Conference on, pp. 1-6, 1-3 April 2014. doi: 10.1109/IACS.2014.6841978 Intrusion Detection Systems (IDS) have become a necessity in computer security systems because of the increase in unauthorized accesses and attacks. Intrusion Detection is a major component in computer security systems that can be classified as Host-based Intrusion Detection System (HIDS), which protects a certain host or system, and Network-based Intrusion Detection System (NIDS), which protects a network of hosts and systems. This paper addresses probe attacks or reconnaissance attacks, which try to collect any possible relevant information in the network. Network probe attacks have two types: Host Sweep and Port Scan attacks. Host Sweep attacks determine the hosts that exist in the network, while Port Scan attacks determine the available services that exist in the network. This paper uses an intelligent system to maximize the recognition rate of network attacks by embedding the temporal behavior of the attacks into a TDNN neural network structure. The proposed system consists of five modules: packet capture engine, preprocessor, pattern recognition, classification, and monitoring and alert module. We have tested the system in a real environment where it has shown good capability in detecting attacks. In addition, the system has been tested using the DARPA 1998 dataset with 100% recognition rate. In fact, our system can recognize attacks in a constant time.
Keywords: computer network security; neural nets; pattern classification; HIDS; NIDS; TDNN neural network structure; alert module; attack behavior classification; computer security systems; host sweep attacks; host-based intrusion detection system; network intrusion detection system; network probe attacks; packet capture engine; pattern classification; pattern recognition; port scan attacks; preprocessor; reconnaissance attacks; unauthorized accesses; IP networks; Intrusion detection; Neural networks; Pattern recognition; Ports (Computers); Probes; Protocols; Host sweep; Intrusion Detection Systems; Network probe attack; Port scan; TDNN neural network (ID#:14-2438) URL:
  • Jaic, K.; Smith, M.C.; Sarma, N., "A Practical Network Intrusion Detection System For Inline FPGAs On 10GbE Network Adapters," Application-specific Systems, Architectures and Processors (ASAP), 2014 IEEE 25th International Conference on, pp. 180-181, 18-20 June 2014. doi: 10.1109/ASAP.2014.6868655 A network intrusion detection system (NIDS), such as SNORT, analyzes incoming packets to identify potential security threats. Pattern matching is arguably the most important and most computationally intensive component of a NIDS. Software-based NIDS implementations drop up to 90% of packets during increased network load even at lower network bandwidth. We propose an alternative hybrid-NIDS that couples an FPGA with a network adapter to provide hardware support for pattern matching and software support for post processing. The proposed system, SFAOENIDS, offers an extensible open-source NIDS for Solarflare AOE devices. The pattern matching engine, the primary component of the hardware architecture, was designed based on the requirements of typical NIDS implementations. In testing on a real network environment, the SFAOENIDS hardware implementation, operating at 200 MHz, handles a 10Gbps data rate without dropping packets while simultaneously minimizing the server CPU load.
Keywords: field programmable gate arrays; security of data; SFAOENIDS; SNORT; Solarflare AOE devices; inline FPGA; lower network bandwidth; network adapters; network load; open-source NIDS; pattern matching; pattern matching engine; practical network intrusion detection system; real network environment; security threats; software based NIDS implementations; Engines; Field programmable gate arrays; Hardware; Intrusion detection; Memory management; Pattern matching; Software (ID#:14-2439) URL:
  • Valgenti, V.C.; Hai Sun; Min Sik Kim, "Protecting Run-Time Filters for Network Intrusion Detection Systems," Advanced Information Networking and Applications (AINA), 2014 IEEE 28th International Conference on, pp. 116-122, 13-16 May 2014. doi: 10.1109/AINA.2014.19 Network Intrusion Detection Systems (NIDS) examine millions of network packets searching for malicious traffic. Multi-gigabit line-speeds combined with growing databases of rules lead to dropped packets as the load exceeds the capacity of the device. Several areas of research have attempted to mitigate this problem through improving packet inspection efficiency, increasing resources, or reducing the examined population. A popular method for reducing the population examined is to employ run-time filters that can provide a quick check to determine that a given network packet cannot match a particular rule set. While this technique is an excellent method for reducing the population under examination, rogue elements can trivially bypass such filters with specially crafted packets and render the run-time filters effectively useless. Since the filtering comes at the cost of extra processing, a filtering solution could actually perform worse than a non-filtered solution under such pandemic circumstances. To defend against such attacks, it is necessary to consider run-time filters as an independent anomaly detector capable of detecting attacks against itself. Such anomaly detection, together with judicious rate-limiting of traffic forwarded to full packet inspection, allows the detection, logging, and mitigation of attacks targeted at the filters while maintaining the overall improvements in NIDS performance garnered from using run-time filters.
Keywords: filters; security of data; telecommunication traffic; NIDS performance; anomaly detector; crafted packets; filtering solution; malicious traffic; multigigabit line-speeds; network intrusion detection systems; network packets; packet inspection; run-time filters; run-time filters protection; Automata; Detectors; Inspection; Intrusion detection; Limiting; Matched filters; Sociology; Deep Packet Inspection; Filters; IDS; Intrusion Detection; Network Security; Run-time Filters; Security (ID#:14-2440) URL:
  • Chakchai So-In; Mongkonchai, N.; Aimtongkham, P.; Wijitsopon, K.; Rujirakul, K., "An Evaluation Of Data Mining Classification Models For Network Intrusion Detection," Digital Information and Communication Technology and its Applications (DICTAP), 2014 Fourth International Conference on, pp. 90-94, 6-8 May 2014. doi: 10.1109/DICTAP.2014.6821663 Due to the rapid growth of the Internet, the number of network attacks has risen, leading to the essentials of network intrusion detection systems (IDS) to secure the network. With heterogeneous accesses and huge traffic volumes, several pattern identification techniques have been brought into the research community. Data Mining is one of the analyses which many IDSs have adopted as an attack recognition scheme. Thus, in this paper, the classification methodology including attribute and data selections was drawn based on the well-known classification schemes, i.e., Decision Tree, Ripper Rule, Neural Networks, Naive Bayes, k-Nearest-Neighbour, and Support Vector Machine, for intrusion detection analysis using both the KDD CUP dataset and recent HTTP BOTNET attacks. Performance of the evaluation was measured using recent Weka tools with a standard cross-validation and confusion matrix.
Keywords: Internet; computer network security; data mining; invasive software; pattern classification; telecommunication traffic; HTTP BOTNET attacks; IDS; Internet; KDD CUP dataset; Weka tools; attack recognition scheme; attribute selection; confusion matrix; data mining classification models; data selection; network attack; network intrusion detection system; pattern identification techniques; traffic volumes; Accuracy; Computational modeling; Data mining; Internet; Intrusion detection; Neural networks; Probes; BOTNET; Classification; Data Mining; Intrusion Detection; KDD CUP dataset; Network Security (ID#:14-2441) URL:
  • do Carmo, R.; Hollick, M., "Analyzing Active Probing For Practical Intrusion Detection in Wireless Multihop Networks," Wireless On-demand Network Systems and Services (WONS), 2014 11th Annual Conference on, pp. 77-80, 2-4 April 2014. doi: 10.1109/WONS.2014.6814725 Practical intrusion detection in Wireless Multihop Networks (WMNs) is a hard challenge. It has been shown that an active-probing-based network intrusion detection system (AP-NIDS) is practical for WMNs. However, understanding its interworking with real networks is still an unexplored challenge. In this paper, we investigate this in practice. We identify the general functional parameters that can be controlled, and by means of extensive experimentation, we tune these parameters and analyze the trade-offs between them, aiming at reducing false positives, overhead, and detection time. The traces we collected help us to understand when and why the active probing fails, and let us present countermeasures to prevent it.
Keywords: frequency hop communication; security of data; wireless mesh networks; active-probing-based network intrusion detection system; wireless mesh network; wireless multihop networks; Ad hoc networks; Communication system security; Intrusion detection; Routing protocols; Testing; Wireless communication; Wireless sensor networks (ID#:14-2442) URL:
  • Al-Obeidat, F.N.; El-Alfy, E.-S.M., "Network Intrusion Detection Using Multi-Criteria PROAFTN Classification," Information Science and Applications (ICISA), 2014 International Conference on, pp. 1-5, 6-9 May 2014. doi: 10.1109/ICISA.2014.6847436 Network intrusion is recognized as a chronic and recurring problem. Hacking techniques continually change and several countermeasure methods have been suggested in the literature including statistical and machine learning approaches. However, no single solution can be claimed as a rule of thumb for the wide spectrum of attacks. In this paper, a novel methodology is proposed for network intrusion detection based on the multicriteria PROAFTN classification. The algorithm is evaluated and compared on a publicly available and widely used dataset. The results in this paper show that the proposed algorithm is promising in detecting various types of intrusions with high classification accuracy.
Keywords: computer crime; learning (artificial intelligence); statistical analysis; hacking techniques; machine learning approach; multicriteria PROAFTN classification; network intrusion detection; statistical approach; Accuracy; Computers; Decision making; Educational institutions; Intrusion detection; Prototypes; Support vector machines (ID#:14-2443) URL:
  • Weller-Fahy, D.; Borghetti, B.J.; Sodemann, A.A., "A Survey of Distance and Similarity Measures used within Network Intrusion Anomaly Detection," Communications Surveys & Tutorials, IEEE, vol. PP, no. 99, pp. 1-1, July 2014. doi: 10.1109/COMST.2014.2336610 Anomaly Detection (AD) use within the Network Intrusion Detection (NID) field of research, or Network Intrusion Anomaly Detection (NIAD), is dependent on the proper use of similarity and distance measures, but the measures used are often not documented in published research. As a result, while the body of NIAD research has grown extensively, knowledge of the utility of similarity and distance measures within the field has not grown correspondingly. NIAD research covers a myriad of domains and employs a diverse array of techniques from simple k-means clustering through advanced multi-agent distributed anomaly detection systems. This review presents an overview of the use of similarity and distance measures within NIAD research. The analysis provides a theoretical background in distance measures, and a discussion of various types of distance measures and their uses. Exemplary uses of distance measures in published research are presented, as is the overall state of the distance measure rigor in the field. Finally, areas which require further focus on improving distance measure rigor in the NIAD field are presented.
Keywords: (not provided) (ID#:14-2444) URL:
  • Kumar, G.V.P.; Reddy, D.K., "An Agent Based Intrusion Detection System for Wireless Network with Artificial Immune System (AIS) and Negative Clone Selection," Electronic Systems, Signal Processing and Computing Technologies (ICESC), 2014 International Conference on, pp. 429-433, 9-11 Jan. 2014. doi: 10.1109/ICESC.2014.73 Intrusion in a wireless network differs from an IP network in the sense that wireless intrusion is both of packet level as well as signal level. Hence a wireless intrusion signature may be as simple as, say, a changed MAC address or jamming signal, or as complicated as session hijacking. Therefore merely managing and cross verifying the patterns from an intrusion source are difficult in such a network. Besides the difficulty of detecting the intrusion at different layers, the network credential varies from node to node due to factors like mobility, congestion, node failure and so on. Hence conventional techniques for intrusion detection fail to prevail in wireless networks. Therefore in this work we devise a unique agent based technique to gather information from various nodes and use this information with an evolutionary artificial immune system to detect the intrusion and prevent the same via bypassing or delaying the transmission over the intrusive paths. Simulation results show that the overhead of running the AIS system does not vary and is consistent under topological changes. It also proves that the proposed system is well suited for intrusion detection and prevention in wireless networks.
Keywords: access protocols; artificial immune systems; jamming; packet radio networks; radio networks; security of data; AIS system; IP network; MAC address; agent based intrusion detection system; artificial immune system; jamming signal; negative clone selection; network topology; session hijacking; wireless intrusion signature; wireless network; Bandwidth; Delays; Immune system; Intrusion detection; Mobile agents; Wireless networks; Wireless sensor networks; AIS; congestion; intrusion detection; mobility (ID#:14-2445) URL:
  • Junho Hong; Chen-Ching Liu; Govindarasu, M., "Detection Of Cyber Intrusions Using Network-Based Multicast Messages For Substation Automation," Innovative Smart Grid Technologies Conference (ISGT), 2014 IEEE PES, pp. 1-5, 19-22 Feb. 2014. doi: 10.1109/ISGT.2014.6816375 This paper proposes a new network-based cyber intrusion detection system (NIDS) using multicast messages in substation automation systems (SASs). The proposed network-based intrusion detection system monitors anomalies and malicious activities of multicast messages based on IEC 61850, e.g., Generic Object Oriented Substation Event (GOOSE) and Sampled Value (SV). NIDS detects anomalies and intrusions that violate predefined security rules using a specification-based algorithm. The performance test has been conducted for different cyber intrusion scenarios (e.g., packet modification, replay and denial-of-service attacks) using a cyber security testbed. The IEEE 39-bus system model has been used for testing of the proposed intrusion detection method for simultaneous cyber attacks. The false negative ratio (FNR) is the number of misclassified abnormal packets divided by the total number of abnormal packets. The results demonstrate that the proposed NIDS achieves a low false negative rate.
Keywords: power engineering computing; security of data; substation automation; FNR; GOOSE; IEC 61850; IEEE 39-bus system model; NIDS; SAS; SV; anomaly detection; cyber security testbed; denial-of-service attacks; false negative ratio; generic object-oriented substation event; low false negative rate; misclassified abnormal packets; network-based cyber intrusion detection system; network-based multicast messages; packet modification; predefined security rules; replay; sampled value; simultaneous cyber attacks; specification-based algorithm; substation automation systems; Computer security; Educational institutions; IEC standards; Intrusion detection; Substation automation; Cyber Security of Substations; GOOSE and SV; Intrusion Detection System; Network Security (ID#:14-2446) URL:
  • Arya, A.; Kumar, S., "Information theoretic feature extraction to reduce dimensionality of Genetic Network Programming based intrusion detection model," Issues and Challenges in Intelligent Computing Techniques (ICICT), 2014 International Conference on, pp. 34-37, 7-8 Feb. 2014. doi: 10.1109/ICICICT.2014.6781248 Intrusion detection techniques require examining a high volume of audit records, so it is always challenging to extract a minimal set of features to reduce the dimensionality of the problem while maintaining efficient performance. Previous researchers analyzed the Genetic Network Programming framework using all 41 features of the KDD Cup 99 dataset and found an efficiency of more than 90% at the cost of high dimensionality. We are proposing a new technique for the same framework with low dimensionality, using an information theoretic approach to select a minimal set of features, resulting in six attributes and giving accuracy very close to their result. Feature selection is based on the hypothesis that all features are not at the same relevance level with a specific class. Simulation results with the KDD Cup 99 dataset indicate that our solution gives accurate results as well as minimizing additional overheads.
Keywords: feature extraction; feature selection; genetic algorithms; information theory; security of data; KDD cup 99 dataset; audit records; dimensionality reduction; feature selection; genetic network programming based intrusion detection model; information theoretic feature extraction; Artificial intelligence; Correlation; Association rule; Discretization; Feature Selection; GNP (ID#:14-2447) URL:
  • Nafir, Abdenacer; Mazouzi, Smaine; Chikhi, Salim, "Collective intrusion detection in wide area networks," Innovations in Intelligent Systems and Applications (INISTA) Proceedings, 2014 IEEE International Symposium on, pp. 46-51, 23-25 June 2014. doi: 10.1109/INISTA.2014.6873596 We present in this paper a collective approach for intrusion detection in wide area networks. We use the multi-agent paradigm to model the proposed distributed system. In this system, an agent, which plays several roles, is situated on each node of the net. The first role of an agent is to perform the work of a local intrusion detection system (IDS). Periodically, it proceeds to exchange security data within its local neighbourhood. The agent neighbourhood consists of IDS agents of local neighbour nodes. The goal of such an approach is to consolidate the decision regarding every suspected security event. Unlike previous works having proposed distributed systems for intrusion detection, our system is not restricted to data sharing. It proceeds, in the case of a conflict, to a negotiation between neighbouring agents in order to produce a consensual decision. So, the proposed system is fully distributed. It does not require any central or hierarchical control, which would compromise its scalability, especially in wide area networks such as the Internet. Indeed, in this kind of network, some attacks like distributed denial of service (DDoS) require fully distributed defence. Experiments on our system show its potential for satisfactory DDoS attack detection.
Keywords: Computer crime; Computer hacking; Internet; Intrusion detection; Multi-agent systems; Wide area networks; DDoS; IDS; Intrusion detection; Multi-agent systems; Network security (ID#:14-2448) URL:
  • Soo Young Moon; Ji Won Kim; Tae Ho Cho, "An Energy-Efficient Routing Method With Intrusion Detection And Prevention For Wireless Sensor Networks," Advanced Communication Technology (ICACT), 2014 16th International Conference on, pp. 467-470, 16-19 Feb. 2014. doi: 10.1109/ICACT.2014.6779004 Because of features such as limited resources, wireless communication and harsh environments, wireless sensor networks (WSNs) are prone to various security attacks. Therefore, we need intrusion detection and prevention methods in WSNs. When the two types of schemes are applied, heavy communication overhead and resulting excessive energy consumption of nodes occur. For this reason, we propose an energy efficient routing method in an environment where both intrusion detection and prevention schemes are used in WSNs. We confirmed through experiments that the proposed scheme reduces the communication overhead and energy consumption compared to existing schemes.
Keywords: security of data; telecommunication network routing; wireless sensor networks; energy-efficient routing method; excessive energy consumption; heavy communication overhead; intrusion detection scheme; intrusion prevention scheme; security attacks; wireless communication; wireless sensor networks; Energy consumption; Intrusion detection; Network topology; Routing; Sensors; Topology; Wireless sensor networks; intrusion detection; intrusion prevention; network layer attacks; wireless sensor network (ID#:14-2449) URL:
  • Chaudhary, A.; Tiwari, V.N.; Kumar, A., "Design an Anomaly Based Fuzzy Intrusion Detection System For Packet Dropping Attack In Mobile Ad Hoc Networks," Advance Computing Conference (IACC), 2014 IEEE International, pp. 256-261, 21-22 Feb. 2014. doi: 10.1109/IAdCC.2014.6779330 Due to the advancement in communication technologies, mobile ad hoc networks increase the ability in terms of ad hoc communication between the mobile nodes. Mobile ad hoc networks do not use any predefined infrastructure during the communication, so all the present mobile nodes which want to communicate with each other immediately form the topology and initiate the request for data packets to send or receive. From a security perspective, communication via wireless links makes mobile ad hoc networks more vulnerable to attacks because anyone can join and move within the network at any time. Particularly, in mobile ad hoc networks one of the very common attacks is the packet dropping attack through the malicious node(s). This paper developed an anomaly based fuzzy intrusion detection system to detect the packet dropping attack in mobile ad hoc networks, and this proposed solution also saves the resources of mobile nodes with respect to removing the malicious nodes. From an implementation point of view, the QualNet simulator 6.1 and a Sugeno-type fuzzy inference system are used to make the fuzzy rule base for analyzing the results. From the simulation results it is proved that the proposed system is more capable of detecting the packet dropping attack with a high positive rate and low false positive rate under each level (low, medium and high) of speed of mobile nodes.
Keywords: fuzzy logic; fuzzy reasoning; fuzzy set theory; mobile ad hoc networks; telecommunication network topology; telecommunication security; anomaly based fuzzy intrusion detection system; data packets; fuzzy rule base; malicious nodes; mobile ad hoc networks; mobile nodes; network topology; packet dropping attack; QualNet simulator 6.1; Sugeno-type fuzzy inference system; wireless communication; Fuzzy logic; Intrusion detection; Mobile ad hoc networks; Mobile computing; Mobile nodes; MANETs security issues; detection methods; fuzzy logic; intrusion detection system (IDS); mobile ad hoc networks (MANETs); packet dropping attack (ID#:14-2450) URL:
  • Holm, H., "Signature Based Intrusion Detection for Zero-Day Attacks: (Not) A Closed Chapter?," System Sciences (HICSS), 2014 47th Hawaii International Conference on, pp. 4895-4904, 6-9 Jan. 2014. doi: 10.1109/HICSS.2014.600 A frequent claim that has not been validated is that signature based network intrusion detection systems (SNIDS) cannot detect zero-day attacks. This paper studies this property by testing 356 severe attacks on the SNIDS Snort, configured with an old official rule set. Of these attacks, 183 attacks are zero-days to the rule set and 173 attacks are theoretically known to it. The results from the study show that Snort clearly is able to detect zero-days (a mean of 17% detection). The detection rate is however overall greater for theoretically known attacks (a mean of 54% detection). The paper then investigates how the zero-days are detected, how prone the corresponding signatures are to false alarms, and how easily they can be evaded. Analyses of these aspects suggest that a conservative estimate on zero-day detection by Snort is 8.2%.
Keywords: computer network security; digital signatures; SNIDS; false alarm; signature based network intrusion detection; zero day attacks; zero day detection; Computer architecture; Payloads; Ports (Computers); Reliability; Servers; Software; Testing; Computer security; NIDS; code injection; exploits (ID#:14-2451) URL:


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to SoS.Project (at) for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.