Intrusion Detection Based on Normal Traffic Specifications

Full Text (PDF, 445KB), pp. 32-38


Author(s)

Zeinab Heidarian 1,* Naser Movahedinia 1 Neda Moghim 2 Payam Mahdinia 3

1. Department of Computer Engineering, University of Isfahan, Isfahan, Iran

2. Department of Information Technology Engineering, Faculty of Computer Engineering, University of Isfahan, Isfahan, Iran

3. Department of Electrical and Computer Engineering, Isfahan University of Technology, Isfahan, Iran

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2015.09.04

Received: 22 Nov. 2014 / Revised: 16 Feb. 2015 / Accepted: 15 Apr. 2015 / Published: 8 Aug. 2015

Index Terms

Anomaly detection, one-class support vector machine, false positive, GPU, OpenMP

Abstract

Because intrusion detection techniques based on malicious traffic signatures cannot detect attacks for which no signature exists, methods that characterize the behavior of normal traffic are better suited to detecting previously unseen intrusions. Following that approach, this research employs a one-class Support Vector Machine (SVM) to learn the characteristics of regular HTTP traffic for anomaly detection. First, suitable features are extracted from normal and abnormal HTTP traffic; the system is then trained on the normal traffic samples only. To detect anomalies, the actual traffic (normal and abnormal packets alike) is compared with the learned model of normal traffic, and an anomaly alert is generated whenever a deviation from that model is inferred. Evaluated on the ISCX data set, the proposed algorithm achieved an accuracy of 89.25% and a false positive rate of 8.60% in detecting attacks on port 80. Using a GPU for feature extraction and OpenMP for parallel processing of packets, the online detection step ran 77 times faster than a CPU-only implementation.
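The pipeline the abstract describes, as an added illustration rather than the paper's own code (the page does not list the features the authors used): hand-picked request-line features, a one-class SVM with an RBF kernel trained on normal requests only, and an alert on any deviation from the learned region. The sample request lines, the four features, the character whitelist, the kernel width and the value of nu are all constructed assumptions; the Frank-Wolfe solver is a dependency-free stand-in for a library SVM.

```python
"""Added illustration of the abstract's pipeline; not the paper's code.
The features, kernel, nu and the sample request lines are assumptions.
"""
import math
from collections import Counter

# Constructed benign request lines standing in for the normal training set.
NORMAL_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /about.html HTTP/1.1",
    "GET /contact.html HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
    "GET /css/style.css HTTP/1.1",
    "GET /js/app.js HTTP/1.1",
    "GET /products/list?page=2 HTTP/1.1",
    "GET /products/item?id=42 HTTP/1.1",
    "POST /login HTTP/1.1",
    "POST /cart/add HTTP/1.1",
    "GET /news/latest.html HTTP/1.1",
    "GET /favicon.ico HTTP/1.1",
    "GET /search?q=shoes HTTP/1.1",
    "GET /docs/manual.pdf HTTP/1.1",
    "HEAD /index.html HTTP/1.1",
]

# Characters expected in ordinary request lines (assumed whitelist); anything
# else that is not alphanumeric counts as a "special" character.
ALLOWED = set(" /.?=&-_:")


def entropy(s):
    """Shannon entropy of a string, in bits."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def features(req):
    """Four assumed features, all on a similar numeric scale (no standardisation)."""
    return [
        math.log(max(len(req), 1)),                                      # log length
        sum(1 for ch in req if not ch.isalnum() and ch not in ALLOWED),  # special chars
        req.count("%"),                                                  # URL-encoding
        entropy(req),                                                    # entropy
    ]


class OneClassSVM:
    """One-class SVM (nu formulation) with an RBF kernel. The dual
    min 1/2 a'Ka  s.t. 0 <= a_i <= 1/(nu*n), sum a = 1  is solved by
    Frank-Wolfe iterations so that no external library is needed."""

    def __init__(self, nu=0.2, gamma=0.5, iters=500):
        self.nu, self.gamma, self.iters = nu, gamma, iters

    def _k(self, a, b):
        return math.exp(-self.gamma * sum((p - q) ** 2 for p, q in zip(a, b)))

    def fit(self, X):
        n = len(X)
        K = [[self._k(a, b) for b in X] for a in X]
        C = 1.0 / (self.nu * n)
        alpha = [1.0 / n] * n                       # feasible starting point
        for _ in range(self.iters):
            grad = [sum(K[i][j] * alpha[j] for j in range(n)) for i in range(n)]
            # Linear minimisation over the capped simplex: pile mass C onto the
            # coordinates with the smallest gradient until the total reaches 1.
            s, left = [0.0] * n, 1.0
            for i in sorted(range(n), key=grad.__getitem__):
                s[i] = min(C, left)
                left -= s[i]
                if left <= 1e-12:
                    break
            d = [s[i] - alpha[i] for i in range(n)]
            gd = sum(grad[i] * d[i] for i in range(n))              # -gd is the FW gap
            dKd = sum(d[i] * K[i][j] * d[j] for i in range(n) for j in range(n))
            if gd >= -1e-12 or dKd <= 0:
                break
            step = min(1.0, -gd / dKd)                              # exact line search
            alpha = [alpha[i] + step * d[i] for i in range(n)]
        self.sv = [(a, x) for a, x in zip(alpha, X) if a > 1e-9]
        # Offset rho: the nu-quantile of training scores, so at most nu of the
        # normal samples fall outside the learned region (a calibration choice).
        raw = sorted(self._raw(x) for x in X)
        self.rho = raw[min(int(self.nu * n), n - 1)]
        return self

    def _raw(self, x):
        return sum(a * self._k(sv, x) for a, sv in self.sv)

    def score(self, x):
        """Positive inside the learned normal region, negative outside."""
        return self._raw(x) - self.rho

    def is_anomaly(self, x):
        return self.score(x) < 0


DETECTOR = OneClassSVM().fit([features(r) for r in NORMAL_REQUESTS])


def is_attack(request):
    """Anomaly alert: the request deviates from the model of normal traffic."""
    return DETECTOR.is_anomaly(features(request))


def training_false_positive_rate():
    return sum(is_attack(r) for r in NORMAL_REQUESTS) / len(NORMAL_REQUESTS)


if __name__ == "__main__":
    for req in ["GET /help.html HTTP/1.1",
                "GET /login.php?user=admin'%20OR%20'1'='1 HTTP/1.1",
                "GET /search?q=<script>alert(1)</script> HTTP/1.1"]:
        print("ALERT" if is_attack(req) else "ok   ", req)
```

The model never sees an attack during training; the SQL injection and script injection lines are flagged only because quotes, percent signs and angle brackets push them far from every benign sample in feature space. That is also the limit of the approach: a request that differs from benign traffic only in characters the features treat as ordinary (a traversal built from dots and slashes, say) is separated from the normal region by nothing but its length and entropy, so the choice of features bounds what the one-class model can detect, and the abstract's accuracy and false positive figures refer to the authors' own features on the ISCX data, not to this sample.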

Cite This Paper

Zeinab Heidarian, Naser Movahedinia, Neda Moghim, Payam Mahdinia, "Intrusion Detection Based on Normal Traffic Specifications", International Journal of Computer Network and Information Security(IJCNIS), vol.7, no.9, pp.32-38, 2015. DOI:10.5815/ijcnis.2015.09.04
