Artificially Augmented Training for Anomaly-based Network Intrusion Detection Systems

Full Text (PDF, 1174KB), PP.1-14

Views: 0 Downloads: 0

Author(s)

Chockalingam Karuppanchetty 1,* William Edmonds 1 Sun-il Kim 1 Nnamdi Nwanze 1

1. Department of Computer Science, University of Alabama in Huntsville, USA * iDEA Hub, Nigeria

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2015.10.01

Received: 23 Jan. 2015 / Revised: 3 Apr. 2015 / Accepted: 11 Jul. 2015 / Published: 8 Sep. 2015

Index Terms

Network security, Anomaly detection, Intrusion detection, Web server security, Training

Abstract

Attacks on web servers are becoming increasingly prevalent; the resulting social and economic impact of successful attacks is also exacerbated by our dependency on web-based applications. There are many existing attack detection and prevention schemes, which must be carefully configured to ensure their efficacy. In this paper, we present a study challenges that arise in training network payload anomaly detection schemes that utilize collected network traffic for tuning and configuration. The advantage of anomaly-based intrusion detection is in its potential for detecting zero day attacks. These types of schemes, however, require extensive training to properly model the normal characteristics of the system being protected. Usually, training is done through the use of real data collected by monitoring the activity of the system. In practice, network operators or administrators may run into cases where they have limited availability of such data. This issue can arise due to the system being newly deployed (or heavily modified) or due to the content or behavior that leads to normal characterization having been changed. We show that artificially generated packet payloads can be used to effectively augment the training and tuning. We evaluate the method using real network traffic collected at a server site; We illustrate the problem at first (use of highly variable and unsuitable training data resulting in high false positives of 3.6∼10%), then show improvements using the augmented training method (false positives as low as 0.2%). We also measure the impact on network performance, and present a lookup based optimization that can be used to improve latency and throughput.

Cite This Paper

Chockalingam Karuppanchetty, William Edmonds, Sun-il Kim, Nnamdi Nwanze,"Artificially Augmented Training for Anomaly-based Network Intrusion Detection Systems", International Journal of Computer Network and Information Security(IJCNIS), vol.7, no.10, pp.1-14, 2015.DOI: 10.5815/ijcnis.2015.10.01

Reference

[1] Gartner says worldwide information security spending will grow almost 8 percent in 2014 as organizations become more threat-aware. August 22, 2014. [Online]. Available: http://www.gartner.com/newsroom/id/2828722

[2] S. Kim, W. Edmonds, and N. Nwanze, "On gpu accelerated tuning for a payload anomaly-based network intrusion detection scheme," in ACM Proceedings of the 9th Annual Cyber and Information Security Research Conference, 2014.

[3] F. M. Cheema, A. Akram, and Z. Iqbal, "Comparative evaluation of header vs. payload based network anomaly detectors," in Proceedings of the World Congress on Engineering, 2009.

[4] H. S. Javits and A. Valdes, "The nides statistical component: Description and justification," Technical report, SRI International, Computer Science Laboratory, 1993.

[5] P. K. C. M. Mahoney, "Learning nonstationary models of normal network traffic for detecting novel attacks," Proc. SIGKDD, pp. 376–385, 2002.

[6] C. Azad and V.K. Jha, "Genetic Algorithm to Solve the Problem of Small Disjunct In the Decision Tree Based Intrusion Detection System," International Journal of Computer Network and Information Security (IJCNIS), vol. 7, no. 8, pp. 56–71, July 2015.

[7] F. Geramiraz, A. S. Memaripour, and M. Abbaspour, "Adaptive anomaly-based intrusion detection system using fuzzy controller." I. J. Network Security, vol. 14, no. 6, pp. 352–361, 2012.

[8] P. Mafra, V. Moll, J. da Silva Fraga, and A. Santin, "Octopus-iids: An anomaly based intelligent intrusion detection system," in IEEE Symposium on Computers and Communications, June 2010, pp. 405–410.

[9] C. Krügel, T. Toth, and E. Kirda, "Service specific anomaly detection for network intrusion detection," in Proceedings of the 2002 ACM Symposium on Applied Computing.

[10] K. Tomar and S.S. Tyagi, "HTTP Packet Inspection Policy for Improvising Internal Network Security," International Journal of Computer Network and Information Security (IJCNIS), vol. 6, no. 11, pp. 35–42, Oct. 2014.

[11] M. Almgren and U. Lindqvist, "Application-integrated data collection for security monitoring," Recent Advances in Intrusion Detection, 2001.

[12] M. Zolotukhin, T. Hamalainen, T. Kokkonen, and J. Siltanen, "Analysis of http requests for anomaly detection of web attacks," IEEE Dependable, Autonomic and Secure Computing (DASC), Aug 2014, pp. 406–411.

[13] T. Threepak and A. Watcharapupong, "Web attack detection using entropy-based analysis," in Information Networking (ICOIN), 2014 International Conference on, Feb 2014, pp. 244–247.

[14] C. Kruegel and G. Vigna, "Anomaly detection of web-based attacks," in Proceedings of the 10th ACM Conference on Computer and Communications Security, 2003.

[15] F. Maggi, W. Robertson, C. Kruegel, and G. Vigna, "Protecting a moving target: Addressing web application concept drift," International Symposium on Recent Advances in Intrusion Detection, 2009.

[16] M. Tavallaee, N. Stakhanova, and A. Ghorbani, "Toward credible evaluation of anomaly-based intrusion-detection methods," Systems, Man, and Cybernetics, Part C: Applications and Reviews, IEEE Transactions on, vol. 40, no. 5, pp. 516–524, Sept 2010.

[17] M. Bhuyan, D. Bhattacharyya, and J. Kalita, "Network anomaly detection: Methods, systems and tools," IEEE Communications Surveys Tutorials, vol. 16, no. 1, pp. 303–336, 2014.

[18] K. Wang and S. J. Stolfo, "Anomalous payload-based network intrusion detection," International Symposium on Recent Advances in Intrusion Detection, 2004.

[19] S. Kim and N. Nwanze, "Noise-resistant payload anomaly detection for network intrusion detection systems," in IEEE International Performance, Computing and Communications Conference, 2008.

[20] Browser statistics. [Online]. Available: http://www.w3schools.com/browsers/browsers_stats.asp

[21] Usage share of web browsers. [Online]. Available: http://en.wikipedia.org/wiki/Usage_share_of_web_browses

[22] Net market share. [Online]. Available: http://www.netmarketshare.com/

[23] Search engine spider. June. 12, 2014. [Online]. Available: http://www.webconfs.com/search-engine-spider-simulator.php

[24] Search engine webmaster. June. 12, 2014. [Online]. Available:http://freetools.webmasterworld.com/tools/crawler-google-sitemap-generator/