A survey of IT early warning systems: architectures, challenges, and solutions

Ramaki, Ali Ahmadian; Atani, Reza Ebrahimi

doi:10.1002/sec.1647

Cited by 25 publications

(30 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Recently, researchers started focusing on networking and computational systems. In [6], Ramaki and Atani presented a survey of architectures and techniques for early warning threats in Information Technology (IT). The authors classified the early warning systems (EWS) in commercial or under research and development.…”

Section: Related Workmentioning

confidence: 99%

“…The authors classified the early warning systems (EWS) in commercial or under research and development. They pointed out a set of challenges, such as data collection, data correlation, and postevent data correlation [6]. The authors reinforced the need of designing proactive solutions to predict threats and attacks before they occur, using data analytics.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

A Distributed Architecture for DDoS Prediction and Bot Detection

2020

View full text Add to dashboard Cite

Distributed Denial-of-Service (DDoS) attacks disrupt servers, services and the network, overloading the target resources and denying normal traffic. In order to defend from this attack, mitigation actions usually overprovision and sinkhole malicious traffic. Sooner the attack is detected, better is the mitigation. Hence, we advocate for using a prediction technique aiming to anticipate actions against the possible attack, before it effectively starts. Then, this article contributes to advance the state-of-the-art presenting a distributed architecture that identifies early signals of a possible DDoS attack and detects bots composing a botnet. The architecture identifies the malicious actors (bots) participating in the attack. The bot detection technique is triggered by the prediction of DDoS supported by early signals. Prediction identifies signals of attack on the network before it reaches advanced stages. Based on the metastability theory, it provides unsupervised statistical learning and identifies the imminence of DDoS attacks. The botnet detection is challenging because of the high dimension of data involved and because of resource constraints (memory and processing) in network devices. Network devices are clustered based on features extracted from the traffic and based on the causality between devices. Detection is performed per cluster. Performance evaluations took as input the CTU-13 Czech Republic University, CAIDA and Botnet 2014 datasets, efficiently detecting the bots in the dataset with an accuracy of 99.9%.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

A Distributed Architecture for DDoS Prediction and Bot Detection

2020

View full text Add to dashboard Cite

show abstract

“…Therefore, we need to create a higher-level view of the system's security state. Alert correlation accomplishes this high-level view of systems or networks by processing the alerts of the intrusion detection system [88,89]. In general, 2 or more IDS may cooperate to accomplish the following objectives:…”

Section: Multistep Attack Detection and Predictionmentioning

confidence: 99%

A systematic review on intrusion detection based on the Hidden Markov Model

Ramaki

Rasoolzadegan

Jafari

2018

Statistical Analysis

View full text Add to dashboard Cite

Apart from using traditional security solutions in software systems such as firewalls and access control mechanisms, utilizing intrusion detection systems are also necessary. Intrusion detection is a process in which a set of methods are used to detect malicious activities against the victims. Many techniques for detecting potential intrusions in software systems have already been introduced. One of the most important techniques for intrusion detection based on machine learning is using Hidden Markov Models (HMM). In recent decades, many research communities have been working toward HMM-based intrusion detection. Therefore, a large volume of research works has been published and hence, various research areas have emerged in this field. However, until now, there has been no systematic and up-to-date review of research works within the field. This paper aims to survey the research in this field and provide open problems and challenges based on the analysis of advantages, limitations, types of architectural models, and applications of current techniques. Six various architecture models for intrusion detection purposes are proposed in the literature. We compare these models based on performance criteria in order to select an appropriate type for a specific application. The results show that HMM-based intrusion detection techniques have 6 main advantages-precise intrusion detection, ability to detect new and unknown intrusions, prediction of the intruder's potential next steps, usage in real-time applications by processing data streams on-the-fly, usage of heterogeneous data sources as input, and visual representation of acquired knowledge relative to the other techniques of machine learning. KEYWORDSHidden Markov Model, intrusion detection, intrusion detection system, statistical learning, system and network security

show abstract

“…Methods of predictive analytics are a promising research direction in cybersecurity that would allow for a more proactive approach to security operations [2]. Predictions may serve as an early warning so that the defenders may learn about the threats in advance, set up proper countermeasures, and preemptively mitigate or completely prevent security incidents [6]. Numerous methods and approaches were proposed in the previous work with wildly * Corresponding author, email: husakm@ics.muni.cz varying goals and results [1].…”

Section: Introductionmentioning

confidence: 99%