Santosh Aditham,Nagarajan Ranganathan,Srinivas Katkoori

DOI: https://doi.org/10.48550/arXiv.1611.07392

2016-11-22

Cryptography and Security

Abstract:Big data platforms such as Hadoop and Spark are being widely adopted both by academia and industry. In this paper, we propose a runtime intrusion detection technique that understands and works according to the properties of such distributed compute platforms. The proposed method is based on runtime analysis of system and library calls and memory access patterns of tasks running on the datanodes (slaves). First, the primary datanode of a big data system creates a behavior profile for every task it executes. A behavior profile includes (a) trace of the system & library calls made, and (b) sequence representing the sizes of private and shared memory accesses made during task execution. Then, the process behavior profile is shared with other replica datanodes that are scheduled to execute the same task on their copy of the same data. Next, these replica datanodes verify their local tasks with the help of the information embedded in the received behavior profiles. This is realized in two steps: (i) comparing the system & library calls metadata, and (ii) statistical matching of the memory access patterns. Finally, datanodes share their observations for consensus and report an intrusion to the namenode (master) if they find any discrepancy. The proposed solution was tested on a small hadoop cluster using the default MapReduce examples and the results show that our approach can detect insider attacks that cannot be detected with the traditional analysis metrics.

Nitin Kanaskar,Remzi Seker,Jiang Bian,Vir V. Phoha

DOI: https://doi.org/10.1109/TSMCC.2012.2208187

2012-01-01

Abstract:Code injection is a common approach which is utilized to exploit applications. We introduce some of the well-established techniques and formalisms of dynamical system theory into analysis of program behavior via system calls to detect code injections into an applications execution space. We accept a program as a blackbox dynamical system whose internals are not known, but whose output we can observe. The blackbox system observable in our model is the system calls the program makes. The collected system calls are treated as signals which are used to reconstruct the system’s phase space. Then, by using the well-established techniques from dynamical system theory, we quantify the amount of complexity of the system’s (program’s) behavior. The change in the behavior of a compromised system is detected as anomalous behavior compared with the baseline established from a clean program. We test the proposed approach against DARPA-98 dataset and a real-world exploit and present code injection experiments to show the applicability of our approach.

Dr.D.S. John Deva Prasanna,Dr.K. Punitha,Dr.M. Naga Raju,Dr.F. Rahman,Kamlesh Kumar Yadav

DOI: https://doi.org/10.58346/jisis.2024.i3.024

2024-08-30

Abstract:One crucial thing that hackers always do is gather information about the state of networks by breaking into files and systems that are used in defense models. Threats can get into these platforms. Much information is constantly coming into and going out of systems and people. To find potentially harmful security trends, the Intrusion Detection System (IDS) has to look through this growing amount of data. Our surroundings and choices now make it very hard to quickly and correctly find intrusions. To find people who try to get into a communication system without permission, creating an intrusion detection system (IDS) that uses big data techniques to handle large amounts of complex data is essential. This work uses artificial intelligence (AI), which is aware of a vast amount of data, to make an IDS that is very good at dealing with these problems. The study created a unique structure for the Long Short-Term Memory (LSTM) method, which can find complex links and long-lasting patterns in arriving at network traffic data. By using this method, the system can successfully lower the number of false warnings and improve the accuracy of the IDS that was created. Big Data Analysis (BDA) could make the AI methods discussed in this study more useful. These methods are currently slow because they are very complicated. Using these techniques makes running the complicated model go more quickly. The researchers used the tool on the Spark platform for in-depth studies. The NSL-KDD database was used to train for the tests. The results show that the algorithm is better than other IDS systems regarding how often it finds problems, how usually it sets off fake alarms, how accurate it is, how efficiently it works, and how long it takes to train.

Yogendra Kumar,Vijay Kumar,Basant Subba

DOI: https://doi.org/10.1142/s0218126624502281

2024-03-13

Journal of Circuits Systems and Computers

Abstract:Journal of Circuits, Systems and Computers, Ahead of Print. Network Intrusion Detection Systems (NIDSs) have been proposed in the literature as security tools for detecting anomalous and intrusive network data traffic. However, the existing NIDS frameworks are computation-intensive, thereby making them unsuitable for deployment in resource-constrained networks with limited computational capabilities. This paper aims to address this issue by proposing computationally efficient NIDS framework for detecting anomalous data traffic in resource-constrained networks. The proposed NIDS framework uses an ensemble-based classifier model comprising multiple classifiers, which enables it to achieve high accuracy and detection rate across a wide range of low-footprint and stealth network attacks. The proposed framework also uses feature scaling and dimensionality reduction techniques to minimize the overall computational overhead. The proposed framework consists of two stages. In the first stage, four distinct base-level classifiers are utilized. The classification probabilities of the first stage are used in the modified meta-level classifier. The modified meta-level classifier is trained on the class probabilities of the base-level classifiers combined using a novel proposed probability function. The performance of the proposed NIDS framework is evaluated on a proprietary testbed dataset and two benchmark datasets namely CICIDS-2017 and UNSW-NB15. The results reveal that the proposed NIDS framework provides better performance than the existing NIDS frameworks in terms of false positive rate, despite using a significantly lower number of input features for its analysis.

engineering, electrical & electronic,computer science, hardware & architecture

Santosh Kumar Sahu,Durga Prasad Mohapatra,Jitendra Kumar Rout,Kshira Sagar Sahoo,Ashish Kr. Luhach

DOI: https://doi.org/10.1089/big.2020.0201

IF: 4.426

2021-08-01

Big Data

Abstract:In this study, we set up a scalable framework for large-scale data processing and analytics using the big data framework. The popular classification methods are implemented, tuned, and evaluated by using intrusion datasets. The objective is to select the best classifier after optimizing the hyper-parameters. We observed that the decision tree (DT) approach outperforms compared with other methods in terms of classification accuracy, fast training time, and improved average prediction rate. Therefore, it is selected as a base classifier in our proposed ensemble approach to study class imbalance. As the intrusion datasets are imbalanced, most of the classification techniques are biased toward the majority class. The misclassification rate is more in the case of the minority class. An ensemble-based method is proposed by using K-Means, RUSBoost, and DT approaches to mitigate the class imbalance problem; empirically investigate the impact of class imbalance on classification approaches' performance; and compare the result by using popular performance metrics such as Balanced Accuracy, Matthews Correlation Coefficient, and F-Measure, which are more suitable for the assessment of imbalanced datasets.

computer science, theory & methods, interdisciplinary applications

DOI: https://doi.org/10.36652/0869-4931-2024-78-5-230-234

2024-01-01

Abstract:Attack graphs are a popular area of research that display all the paths an trespasser can take to penetrate a network. Existing graph generation methods rely heavily on expert opinion regarding network vulnerabilities and topology. An intrusion detection system based on graph-directed analytics of the big data analytics, which is based on machine learning, is proposed, which made it possible to obtain good accuracy results and a high level of attack detection during its testing. Keywords attack, graph, detection, machine learning, network

Schuartz, Fábio César

DOI: https://doi.org/10.1007/s12243-024-01046-0

2024-06-09

Annals of Telecommunications

Abstract:With the growth of computer networks worldwide, there has been a greater need to protect local networks from malicious data that travel over the network. The increase in volume, speed, and variety of data requires a more robust, accurate intrusion detection system capable of analyzing a huge amount of data. This work proposes the creation of an intrusion detection system using stream classifiers and three classification layers—with and without a reduction in the number of features of the records and three classifiers in parallel with a voting system. The results obtained by the proposed system are compared against other models proposed in the literature, using two datasets to validate the proposed system. In all cases, gains in accuracy of up to 18.52% and 3.55% were obtained, using the datasets NSL-KDD and CICIDS2017, respectively. Reductions in classification time up to 35.51% and 94.90% were also obtained using the NSL-KDD and CICIDS2017 datasets, respectively.

telecommunications

Qi Zhang,Ramaprabhu Janakiraman

DOI: https://doi.org/10.7936/K7M043N3

2001-01-01

Abstract: While advances in computer and communications technologyhave made the network ubiquitous, they have also rendered networked systemsvulnerable to malicious attacks orchestrated from a distance. Theseattacks, usually called cracker attacks or intrusions, start with crackers infiltratinga network through a vulnerable host and then going on to launchfurther attacks. Crackers depend on increasingly sophisticated techniqueslike using distributed attack sources. On the other hand, software ...

Shilpa Narasimhan,Matthew J. Ellis,Nael H. El-Farra

DOI: https://doi.org/10.3390/pr12020327

IF: 3.5

2024-02-03

Processes

Abstract:A fundamental problem at the intersection of process control and operations is the design of detection schemes monitoring a process for cyberattacks using operational data. Multiplicative false data injection (FDI) attacks modify operational data with a multiplicative factor and could be designed to be detection evading without in-depth process knowledge. In a prior work, we presented a control mode switching strategy that enhances the detection of multiplicative FDI attacks in processes operating at steady state (when process states evolve within a small neighborhood of the steady state). Control mode switching on the attack-free process at steady-state may induce transients and generate false alarms in the detection scheme. To minimize false alarms, we subsequently developed a control mode switch-scheduling condition for processes with an invertible output matrix. In the current work, we utilize a reachable set-based detection scheme and use randomized control mode switches to augment attack detection capabilities. The detection scheme eliminates potential false alarms occurring from control mode switching, even for processes with a non-invertible output matrix, while the randomized switching helps bolster the confidentiality of the switching schedule, preventing the design of a detection-evading "smart" attack. We present two simulation examples to illustrate attack detection without false alarms, and the merits of randomized switching (compared with scheduled switching) for the detection of a smart attack.

engineering, chemical

XIA Nai,GUO Ming-song,Bing Mao,Li Xie

DOI: https://doi.org/10.3321/j.issn:0372-2112.2007.02.038

2007-01-01

Abstract:Attacks to program vulnerabilities is a severe problem nowadays.This paper puts forward a new simplified approach based on programs' runtime control flow monitoring.Compared to the methods based on system call sequence analysis,this approach has better granularity;Compared to the methods using whole call graph verification,it has the same effectiveness but more applicable.The results show that this approach can detect many kinds of known attacks to program vulnerabilities.

Khloud Al Jallad,Mohamad Aljnidi,Mohammad Said Desouki

DOI: https://doi.org/10.48550/arXiv.2209.13961

2022-09-28

Cryptography and Security

Abstract:With the growing use of information technology in all life domains, hacking has become more negatively effective than ever before. Also with developing technologies, attacks numbers are growing exponentially every few months and become more sophisticated so that traditional IDS becomes inefficient detecting them. This paper proposes a solution to detect not only new threats with higher detection rate and lower false positive than already used IDS, but also it could detect collective and contextual security attacks. We achieve those results by using Networking Chatbot, a deep recurrent neural network: Long Short Term Memory (LSTM) on top of Apache Spark Framework that has an input of flow traffic and traffic aggregation and the output is a language of two words, normal or abnormal. We propose merging the concepts of language processing, contextual analysis, distributed deep learning, big data, anomaly detection of flow analysis. We propose a model that describes the network abstract normal behavior from a sequence of millions of packets within their context and analyzes them in near real-time to detect point, collective and contextual anomalies. Experiments are done on MAWI dataset, and it shows better detection rate not only than signature IDS, but also better than traditional anomaly IDS. The experiment shows lower false positive, higher detection rate and better point anomalies detection. As for prove of contextual and collective anomalies detection, we discuss our claim and the reason behind our hypothesis. But the experiment is done on random small subsets of the dataset because of hardware limitations, so we share experiment and our future vision thoughts as we wish that full prove will be done in future by other interested researchers who have better hardware infrastructure than ours.

Jiayin Wang,Teng Wang,Zhengyu Yang,Ying Mao,Ningfang Mi,Bo Sheng

DOI: https://doi.org/10.1109/iccnc.2017.7876183

2017-01-01

Abstract:Big data processing frameworks such as Hadoop [1] are now widely adopted, however the security issues in large scale systems have not been well studied yet. Unlike prior work on data privacy and protection, this paper investigates a potential attack from a compromised internal node against the overall system performance. We develop an effective attack launched from the compromised node that can significantly degrade the data processing performance of the cluster without being detected and blacklisted for job execution, also present a mitigation scheme that protects a Hadoop system from such attack. The results of experiments show that this attack greatly slows down the job executions in the native Hadoop system even with some basic defense mechanisms, however, our mitigation schem can keep the whole cluster running efficiently under such attack.

Jiang Shan,Chen Changai

DOI: https://doi.org/10.2991/isrme-15.2015.109

2015-01-01

Abstract:The security of software applications, from web-based applications to mobile services, is always at risk because of the open society of internet. With the increase in the number of network throughput and security threats, intrusion detection system has attracted much attention in recent years. In this paper, we undertake the research on the principle techniques for network intrusion detection based on data mining and analysis approach. We adopt the prior knowledge on Bayesian network which is a directed acyclic graph, each node represents a random variable and an edge said direct probabilistic dependencies between two connected nodes. Then, we use the traditional risk assessment model to measure the possibility of being hearted. The numeric analysis and experimental illustration indicates the effectiveness of our method compared with other popular adopted state-of-the-art methodologies. In the future, we plan to introduce the graph and complex network theory into our prototype system to enhance the performance.

Amod Pandit,R Joe Stanley,Bruce McMillin

Abstract:Intrusion detection systems (IDS) attempt to address the vulnerability of computer-based systems for abuse by insiders and to penetration by outsiders. An IDS is required to examine an enormous amount of data generated by computer networks to assist in the abuse detection process. Thus, there is a need to develop automated tools that address these requirements to assist system operators in the detection of violations of existing security policies. In this research, an automated IDS is proposed for insider threats in a distributed system. The proposed IDS functions as an anomaly detector for insider system operations based on the analysis of the system's log files. The approach integrates dynamic programming and adaptive resonance theory (ART1) clustering. The integrated approach aligns sequences of log events with prototypical sequences of events for performing tasks and classifies the aligned sequences for intrusion detection. The system examined for this research is a Boots System for controlling the movement of boots from one place to another under specific security restrictions related to the boot orders. We present the proposed model, the results achieved and the analysis of an implemented prototype.

Wei Wang,Xiaohong Guan,Xiangliang Zhang

DOI: https://doi.org/10.1007/978-3-540-28648-6_105

2004-01-01

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework and a hot topic in computer security in recent years. In this paper, a new intrusion detection method based on Principle Component Analysis (PCA) with low overhead and high efficiency is presented. System call data and command sequences data are used as information sources to validate the proposed method. The frequencies of individual system calls in a trace and individual commands in a data block are computed and then data column vectors which represent the traces and blocks of the data are formed as data input. PCA is applied to reduce the high dimensional data vectors and distance between a vector and its projection onto the subspace reduced is used for anomaly detection. Experimental results show that the proposed method is promising in terms of detection accuracy, computational expense and implementation for real-time intrusion detection.

Xi He,Li Zhang,Tao Liu,Wei Wang

DOI: https://doi.org/10.1109/compcomm.2018.8780699

2018-01-01

Abstract:Intrusion detection based on network traffic has been widely studied in traditional network systems. At the same time, the security threats faced by Industrial Control Systems (ICS) are becoming increasingly severe. The network communication environments of ICSs are very different from the traditional Internet in in terms of protocols, interaction modes and security considerations. How to detect anomalies effectively in power production control system is an important issue. In this work, we use a representative Distributed Control System (DCS) working in thermal power generation scenarios and conduct various attacks on this DCS to generate an original network traffic. We then consider the time correlation and interaction stability of the DCS and propose a dual window scheme (Dual-Win) to get more effective features based on basic features. We use several machine learning methods for the detection of anomalies based on the traffic data. The experimental results show that our method achieves the detection accuracy as 99.41% with only basic traffic features, and the detection accuracy can be as 99.77% with the basic and Dual-Win features.

Ashish Kamra,Evimaria Terzi,Elisa Bertino

DOI: https://doi.org/10.1007/s00778-007-0051-4

2007-05-17

The VLDB Journal

Abstract:A considerable effort has been recently devoted to the development of Database Management Systems (DBMS) which guarantee high assurance and security. An important component of any strong security solution is represented by Intrusion Detection (ID) techniques, able to detect anomalous behavior of applications and users. To date, however, there have been few ID mechanisms proposed which are specifically tailored to function within the DBMS. In this paper, we propose such a mechanism. Our approach is based on mining SQL queries stored in database audit log files. The result of the mining process is used to form profiles that can model normal database access behavior and identify intruders. We consider two different scenarios while addressing the problem. In the first case, we assume that the database has a Role Based Access Control (RBAC) model in place. Under a RBAC system permissions are associated with roles, grouping several users, rather than with single users. Our ID system is able to determine role intruders, that is, individuals while holding a specific role, behave differently than expected. An important advantage of providing an ID technique specifically tailored to RBAC databases is that it can help in protecting against insider threats. Furthermore, the existence of roles makes our approach usable even for databases with large user population. In the second scenario, we assume that there are no roles associated with users of the database. In this case, we look directly at the behavior of the users. We employ clustering algorithms to form concise profiles representing normal user behavior. For detection, we either use these clustered profiles as the roles or employ outlier detection techniques to identify behavior that deviates from the profiles. Our preliminary experimental evaluation on both real and synthetic database traces shows that our methods work well in practical situations.

computer science, information systems, hardware & architecture

Zhilong Wang,Haizhou Wang,Hong Hu,Peng Liu

2024-05-02

Abstract:As control-flow protection gets widely deployed, it is difficult for attackers to corrupt control-data and achieve control-flow hijacking. Instead, data-oriented attacks, which manipulate non-control data, have been demonstrated to be feasible and powerful. In data-oriented attacks, a fundamental step is to identify non-control, security-critical data. However, critical data identification processes are not scalable in previous works, because they mainly rely on tedious human efforts to identify critical data. To address this issue, we propose a novel approach that combines traditional program analysis with deep learning. At a higher level, by examining how analysts identify critical data, we first propose dynamic analysis algorithms to identify the program semantics (and features) that are correlated with the impact of a critical data. Then, motivated by the unique challenges in the critical data identification task, we formalize the distinguishing features and use customized program dependence graphs (PDG) to embed the features. Different from previous works using deep learning to learn basic program semantics, this paper adopts a special neural network architecture that can capture the long dependency paths (in the PDG), through which a critical variable propagates its impact. We have implemented a fully-automatic toolchain and conducted comprehensive evaluations. According to the evaluations, our model can achieve 90% accuracy. The toolchain uncovers 80 potential critical variables in Google FuzzBench. In addition, we demonstrate the harmfulness of the exploits using the identified critical variables by simulating 7 data-oriented attacks through GDB.

Cryptography and Security

Shivi Sharma,Ashish Sharma,Hemraj Saini

DOI: https://doi.org/10.35940/ijitee.j9369.0881019

2019-08-10

VOLUME 8 ISSUE 10, AUGUST 2019, REGULAR ISSUE

Abstract:Big Data has caught the attention of research, science, and business world due to the advancement in digitalization. With the evolution of the Internet of Things (IoT), data is increasing by massive amounts every day. In the big data environment, securing a large amount of data has become a challenging issue in both security and research industry. In this paper, a framework has been proposed to inspect malignant information and suspicious activities traveling over the networks by utilizing Hive Queries. This framework’s procedure loads activity information into Hadoop Distributed File System (HDFS) through a Hive database thus examining the information. This information is sorted as IP Wise, Port Wise, and Protocol Wise. Hive queries will help to achieve these three goals:- 1) Traffic classification 2) Interrupt Identification 3) analyzing of network traffic. Using this framework provides users’ a benefit of being able to investigate Big Data and helps them to detect attacks. Therefore, this framework will allow prevention of network attacks and enable real-time detection in a Big Data environment.

N. D. Patel,B. M. Mehtre,Rajeev Wankar

DOI: https://doi.org/10.1007/s10207-023-00792-x

2024-04-26

International Journal of Information Security

Abstract:An intrusion detection system (IDS) is a system that monitors network traffic for malicious activity and generates alerts. In anomaly-based detection, machine learning (ML) algorithms exploit various statistical and probabilistic methods to learn from past or historical experience and detect valuable patterns from large, unstructured, and complex datasets. ML-based network intrusion detection aims to identify malicious behavior and alert a system administrator when an intruder tries to penetrate the network. This paper deals with the study, strategic construction, and implementation of a network intrusion detection model based on ML methods. Among the available IDS datasets, five of the most relevant are chosen for the experimental analysis, which are NSL-KDD-2009, CIC-IDS2017, CIC-IDS2018, IoTID20, and UNSW-NB15 datasets. In order to reduce the computation time in the training sample and achieve computational complexity , we propose a computationally efficient and feasible algorithmic framework for analyzing the network traffic data. The developed approach mainly consists of two phases, i.e., "Scatter Matrices and Eigenvalue Computation based feature Selection" and "Classification procedure for the reduced dimension data." Experimental evaluation of various test case scenarios for the chosen datasets is carried out in the simulation setting. It is observed that the test results outperform the existing intrusion detection methods for detecting certain attack categories.

computer science, information systems, theory & methods, software engineering