Proposals on Assessment Environments for Anomaly-Based Network Intrusion Detection Systems

Bermúdez-Edo, María; Hernández, Rolando Salazar; Díaz-Verdejo, Jesús E.; García-Teodoro, Pedro

doi:10.1007/11962977_17

Cited by 11 publications

(5 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Real traffic, on the other hand, should be stripped of confidential data, carefully labeled and rigorously sanitized in order to meet the established criteria. Several studies contributed approaches to sanitization of traffic [13,25,47,100] in order to not only label embedded attacks and benign traces, but also to pre-select the most representative instances. Automated sanitization uses such methods as entropy analysis and signature-based attack labeling, which may result in erroneous ground-truth.…”

Section: Representative Datasets and Ground Truthmentioning

confidence: 99%

Open-World Network Intrusion Detection

Rimmer

Nadeem

Verwer

et al. 2022

Security and Artificial Intelligence

View full text Add to dashboard Cite

This chapter contributes to the ongoing discussion of strengthening security by applying AI techniques in the scope of intrusion detection. The focus is set on open-world detection of attacks through data-driven network traffic analysis. This research topic is complementary to the earlier chapter on intelligent malware detection.In this chapter, we revisit the foundations of machine learning-based solutions for network security, which aim to make network defense tools more autonomous, adaptive, proactive and responsive. Specifically, we give a comprehensive introduction to the research on anomaly detection for network intrusion detection -that is, defensive schemes that do not assume complete prior knowledge of malicious patterns and instead learn the notion of normality from benign traffic. Along with outlining the recent advances in the field, we provide insights and reflect on the current limitations and research challenges. Therefore, this chapter presents compelling research opportunities to advance machine learning techniques in network security and push the boundaries of open-world network intrusion detection.

show abstract

Section: Representative Datasets and Ground Truthmentioning

confidence: 99%

Open-World Network Intrusion Detection

Rimmer

Nadeem

Verwer

et al. 2022

Security and Artificial Intelligence

View full text Add to dashboard Cite

show abstract

“…However, and additional challenge appear in this process. In order to use these models for intrusion detection, a "clean" training set [14] should be used, i.e., data without attacks to train the models. In other words, as the system is attempting to model the normal behavior of the instances of the protocol, the training set must be representative of this normal operation and should not contain attack instances.…”

Section: Challenges and Strategies For The Use Of S3m In P2p Promentioning

confidence: 99%

“…As a consequence, if there is no control on the traffic from users, it is very difficult to obtain a trace with no attack instances. Various approaches to this problem have been proposed in the literature [14][16], but they all rely on the use of a S-NIDS to filter out the attacks in the captured traffic, which can be inaccurate due to false positives and to detection errors in the process. In our approach, for dealing with such issue, during the noncontrolled environment phase, given the fact that preliminary FSAs are built in the first phases, we try to get advantage of this information to filter possible attack instances that appear in the traces.…”

Section: Challenges and Strategies For The Use Of S3m In P2p Promentioning

confidence: 99%

Anomaly Detection in P2P Networks Using Markov Modelling

Díaz-Verdejo

Maciá‐Fernández

García-Teodoro

et al. 2009

2009 First International Conference on Advances in P2P Systems

View full text Add to dashboard Cite

The popularity of P2P networks makes them an attractive target for hackers. Potential vulnerabilities in the software used in P2P networking represent a big threat for users and the whole community. To prevent and mitigate the risks, intrusion detection techniques have been traditionally applied. In this work in progress, a Markov based technique is applied to the detection of anomalies in the usage of P2P protocols. The detector searches for two kinds of anomalies: those that appear in the structure, grammar and semantics of each of the messages in the protocol, and those associated to the sequence of messages (protocol sessions). Previous results from other protocols, as HTTP and DNS, confirm the potentialities of the approach.

show abstract

“…However, the workload associated with this process grows linearly with the size of the trace. And, although unsupervised sanitization approaches have been suggested (e.g., analysis of entropy [11], or filtering known-attacks with signature-based IDS [12]), manual supervision may be unavoidable in order to discover attacks (e.g., 0-day) unnoticed by fully automated methods [13], [14].…”

Section: Introductionmentioning

confidence: 99%

How Much Training Data is Enough? A Case Study for HTTP Anomaly-Based Intrusion Detection

et al. 2020

View full text Add to dashboard Cite

Most anomaly-based intrusion detectors rely on models that learn from training datasets whose quality is crucial in their performance. Albeit the properties of suitable datasets have been formulated, the influence of the dataset size on the performance of the anomaly-based detector has received scarce attention so far. In this work, we investigate the optimal size of a training dataset. This size should be large enough so that training data is representative of normal behavior, but after that point, collecting more data may result in unnecessary waste of time and computational resources, not to mention an increased risk of overtraining. In this spirit, we provide a method to find out when the amount of data collected at the production environment is representative of normal behavior in the context of a detector of HTTP URI attacks based on 1-grammar. Our approach is founded on a set of indicators related to the statistical properties of the data. These indicators are periodically calculated during data collection, producing time series that stabilize when more training data is not expected to translate to better system performance, which indicates that data collection can be stopped. We present a case study with real-life datasets collected at the University of Seville (Spain) and a public dataset from the University of Saskatchewan. The application of our method to these datasets showed that more than 42% of one trace, and almost 20% of another were unnecessarily collected, thereby showing that our proposed method can be an efficient approach for collecting training data at the production environment. INDEX TERMS Anomaly-based intrusion detection, dataset assessment, training.

show abstract

Proposals on Assessment Environments for Anomaly-Based Network Intrusion Detection Systems

Cited by 11 publications

References 10 publications

Open-World Network Intrusion Detection

Open-World Network Intrusion Detection

Anomaly Detection in P2P Networks Using Markov Modelling

How Much Training Data is Enough? A Case Study for HTTP Anomaly-Based Intrusion Detection

Contact Info

Product

Resources

About