Visible to the public Host-based Intrusion Detection

SoS Newsletter- Advanced Book Block


SoS Logo

Host-based Intrusion Detection

The research presented here on host-based intrusion detection systems addresses semantic approaches, power grid substation protection, an architecture for modular mobile IDS, and a hypervisor based system.  All works cited are from 2014.


Creech, G.; Jiankun Hu, "A Semantic Approach to Host-Based Intrusion Detection Systems Using Contiguous and Discontiguous System Call Patterns," Computers, IEEE Transactions on, vol. 63, no. 4, pp.807, 819, April 2014. doi: 10.1109/TC.2013.13 Host-based anomaly intrusion detection system design is very challenging due to the notoriously high false alarm rate. This paper introduces a new host-based anomaly intrusion detection methodology using discontiguous system call patterns, in an attempt to increase detection rates whilst reducing false alarm rates. The key concept is to apply a semantic structure to kernel level system calls in order to reflect intrinsic activities hidden in high-level programming languages, which can help understand program anomaly behaviour. Excellent results were demonstrated using a variety of decision engines, evaluating the KDD98 and UNM data sets, and a new, modern data set. The ADFA Linux data set was created as part of this research using a modern operating system and contemporary hacking methods, and is now publicly available. Furthermore, the new semantic method possesses an inherent resilience to mimicry attacks, and demonstrated a high level of portability between different operating system versions.

Keywords: high level languages; operating systems (computers); security of data;KDD98 data sets; UNM data sets; contemporary hacking methods; contiguous system call patterns; discontiguous system call patterns; false alarm rates; high-level programming languages; host-based anomaly intrusion detection system design; modern operating system; program anomaly behaviour; semantic structure; Clocks; Complexity theory; Computer architecture; Cryptography; Gaussian processes; Logic gates; Registers; ADFA-LD; Intrusion detection; anomaly detection; computer security; host-based IDS; system calls (ID#: 15-3612)



Al-Jarrah, O.; Arafat, A., "Network Intrusion Detection System Using Attack Behavior Classification," Information and Communication Systems (ICICS), 2014 5th International Conference on, pp. 1, 6, 1-3 April 2014. doi: 10.1109/IACS.2014.6841978 Intrusion Detection Systems (IDS) have become a necessity in computer security systems because of the increase in unauthorized accesses and attacks. Intrusion Detection is a major component in computer security systems that can be classified as Host-based Intrusion Detection System (HIDS), which protects a certain host or system and Network-based Intrusion detection system (NIDS), which protects a network of hosts and systems. This paper addresses Probes attacks or reconnaissance attacks, which try to collect any possible relevant information in the network. Network probe attacks have two types: Host Sweep and Port Scan attacks. Host Sweep attacks determine the hosts that exist in the network, while port scan attacks determine the available services that exist in the network. This paper uses an intelligent system to maximize the recognition rate of network attacks by embedding the temporal behavior of the attacks into a TDNN neural network structure. The proposed system consists of five modules: packet capture engine, preprocessor, pattern recognition, classification, and monitoring and alert module. We have tested the system in a real environment where it has shown good capability in detecting attacks. In addition, the system has been tested using DARPA 1998 dataset with 100% recognition rate. In fact, our system can recognize attacks in a constant time.

Keywords: computer network security; neural nets; pattern classification; HIDS; NIDS; TDNN neural network structure; alert module; attack behavior classification; computer security systems; host sweep attacks; host-based intrusion detection system; network intrusion detection system; network probe attacks; packet capture engine; pattern classification; pattern recognition; port scan attacks; preprocessor; reconnaissance attacks; unauthorized accesses; IP networks; Intrusion detection; Neural networks; Pattern recognition; Ports (Computers); Probes; Protocols; Host sweep; Intrusion Detection Systems; Network probe attack; Port scan; TDNN neural network (ID#: 15-3613)



Junho Hong; Chen-Ching Liu; Govindarasu, M., "Integrated Anomaly Detection for Cyber Security of the Substations," Smart Grid, IEEE Transactions on, vol. 5, no. 4, pp. 1643, 1653, July 2014. doi: 10.1109/TSG.2013.2294473 Cyber intrusions to substations of a power grid are a source of vulnerability since most substations are unmanned and with limited protection of the physical security. In the worst case, simultaneous intrusions into multiple substations can lead to severe cascading events, causing catastrophic power outages. In this paper, an integrated Anomaly Detection System (ADS) is proposed which contains host- and network-based anomaly detection systems for the substations, and simultaneous anomaly detection for multiple substations. Potential scenarios of simultaneous intrusions into the substations have been simulated using a substation automation testbed. The host-based anomaly detection considers temporal anomalies in the substation facilities, e.g., user-interfaces, Intelligent Electronic Devices (IEDs) and circuit breakers. The malicious behaviors of substation automation based on multicast messages, e.g., Generic Object Oriented Substation Event (GOOSE) and Sampled Measured Value (SMV), are incorporated in the proposed network-based anomaly detection. The proposed simultaneous intrusion detection method is able to identify the same type of attacks at multiple substations and their locations. The result is a new integrated tool for detection and mitigation of cyber intrusions at a single substation or multiple substations of a power grid.

Keywords: computer network security; power engineering computing; power grids; power system reliability; substation automation; ADS; GOOSE; IED; SMV; catastrophic power outages; circuit breakers; cyber intrusions; generic object oriented substation event; host-based anomaly detection systems; integrated anomaly detection system; intelligent electronic devices; malicious behaviors; multicast messages; network-based anomaly detection systems; physical security; power grid; sampled measured value; severe cascading events; simultaneous anomaly detection; simultaneous intrusion detection method; substation automation testbed; substation facilities; substations; temporal anomalies; user-interfaces; Circuit breakers ;Computer security; Intrusion detection; Power grids; Substation automation; Anomaly detection; GOOSE anomaly detection; SMV anomaly detection and intrusion detection; cyber security of substations (ID#: 15-3614)



Nikolai, J.; Yong Wang, "Hypervisor-Based Cloud Intrusion Detection System," Computing, Networking and Communications (ICNC), 2014 International Conference on, pp. 989, 993, 3-6 Feb 2014. doi: 10.1109/ICCNC.2014.6785472 Shared resources are an essential part of cloud computing. Virtualization and multi-tenancy provide a number of advantages for increasing resource utilization and for providing on demand elasticity. However, these cloud features also raise many security concerns related to cloud computing resources. In this paper, we propose an architecture and approach for leveraging the virtualization technology at the core of cloud computing to perform intrusion detection security using hypervisor performance metrics. Through the use of virtual machine performance metrics gathered from hypervisors, such as packets transmitted/received, block device read/write requests, and CPU utilization, we demonstrate and verify that suspicious activities can be profiled without detailed knowledge of the operating system running within the virtual machines. The proposed hypervisor-based cloud intrusion detection system does not require additional software installed in virtual machines and has many advantages compared to host-based and network based intrusion detection systems which can complement these traditional approaches to intrusion detection.

Keywords: cloud computing; computer network security; software architecture; software metrics; virtual machines; virtualisation; CPU utilization; block device read requests; block device write requests; cloud computing resources; cloud features; hypervisor performance metrics; hypervisor-based cloud intrusion detection system; intrusion detection security; multitenancy; operating system; packet transmission; received packets; shared resource utilization; virtual machine performance metrics; virtualization; virtualization technology; Cloud computing; Computer crime; Intrusion detection; Measurement; Virtual machine monitors; Virtual machining; Cloud Computing; hypervisor; intrusion detection (ID#: 15-3615)



Salman, A.; Elhajj, I.H.; Chehab, A.; Kayssi, A., "DAIDS: An Architecture for Modular Mobile IDS," Advanced Information Networking and Applications Workshops (WAINA), 2014 28th International Conference on, pp.328, 333, 13-16 May 2014. doi: 10.1109/WAINA.2014.54 The popularity of mobile devices and the enormous number of third party mobile applications in the market have naturally lead to several vulnerabilities being identified and abused. This is coupled with the immaturity of intrusion detection system (IDS) technology targeting mobile devices. In this paper we propose a modular host-based IDS framework for mobile devices that uses behavior analysis to profile applications on the Android platform. Anomaly detection can then be used to categorize malicious behavior and alert users. The proposed system accommodates different detection algorithms, and is being tested at a major telecom operator in North America. This paper highlights the architecture, findings, and lessons learned.

Keywords: Android (operating system); mobile computing; mobile radio; security of data; Android platform; DAIDS; North America; anomaly detection; behavior analysis; detection algorithms; intrusion detection system; malicious behavior; mobile devices; modular mobile IDS; profile applications; telecom operator; third party mobile applications; Androids; Databases; Detectors; Humanoid robots; Intrusion detection; Malware; Monitoring; behavior profiling; dynamic analysis; intrusion detection (ID#: 15-3616)



Can, O., "Mobile Agent Based Intrusion Detection System," Signal Processing and Communications Applications Conference (SIU), 2014 22nd, pp.1363, 1366, 23-25 April 2014. doi: 10.1109/SIU.2014.6830491 An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. A network based system, or NIDS, the individual packets flowing through a network are analyzed. In a host-based system, the IDS examines at the activity on each individual computer or host. IDS techniques are divided into two categories including misuse detection and anomaly detection. In recently years, Mobile Agent based technology has been used for distributed systems with having characteristic of mobility and autonomy. In this working we aimed to combine IDS with Mobile Agent concept for more scale, effective, knowledgeable system.

Keywords: mobile agents; security of data; NIDS; anomaly detection; host-based system; misuse detection; mobile agent based intrusion detection system; network activity; network-based system; suspicious patterns identification;Computers;Conferences;Informatics;Internet;Intrusion detection; Mobile agents; Signal processing;cyber attack; intrusion detection; mobile agent (ID#: 15-3617)



Sridhar, S.; Govindarasu, M., "Model-Based Attack Detection and Mitigation for Automatic Generation Control ,” Smart Grid, IEEE Transactions on, vol. 5, no. 2, pp. 580, 591, March 2014. doi: 10.1109/TSG.2014.2298195 Cyber systems play a critical role in improving the efficiency and reliability of power system operation and ensuring the system remains within safe operating margins. An adversary can inflict severe damage to the underlying physical system by compromising the control and monitoring applications facilitated by the cyber layer. Protection of critical assets from electronic threats has traditionally been done through conventional cyber security measures that involve host-based and network-based security technologies. However, it has been recognized that highly skilled attacks can bypass these security mechanisms to disrupt the smooth operation of control systems. There is a growing need for cyber-attack-resilient control techniques that look beyond traditional cyber defense mechanisms to detect highly skilled attacks. In this paper, we make the following contributions. We first demonstrate the impact of data integrity attacks on Automatic Generation Control (AGC) on power system frequency and electricity market operation. We propose a general framework to the application of attack resilient control to power systems as a composition of smart attack detection and mitigation. Finally, we develop a model-based anomaly detection and attack mitigation algorithm for AGC. We evaluate the detection capability of the proposed anomaly detection algorithm through simulation studies. Our results show that the algorithm is capable of detecting scaling and ramp attacks with low false positive and negative rates. The proposed model-based mitigation algorithm is also efficient in maintaining system frequency within acceptable limits during the attack period.

Keywords: data integrity; frequency control; power system control; power system reliability; power system stability; security of data; AGC; attack mitigation algorithm; attack resilient control; automatic generation control; critical assets protection; cyber layer; cyber security measures; cyber systems; cyber-attack-resilient control techniques; data integrity attacks; electricity market operation; electronic threats; host-based security technologies; model-based anomaly detection algorithm; model-based mitigation algorithm; network-based security technologies; physical system; power system frequency; power system operation reliability; ramp attacks; scaling attacks; smart attack detection; smart attack mitigation; Automatic generation control; Electricity supply industry; Frequency measurement; Generators; Power measurement; Power system stability; Anomaly detection; automatic generation control; intrusion detection systems; kernel density estimation; supervisory control and data acquisition (ID#: 15-3618)



Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.