Improved performance high speed network intrusion detection systems (NIDS). A high speed NIDS architectures to address limitations of Packet Loss and Low Detection Rate by adoption of Dynamic Cluster Architecture and Traffic Anomaly Filtration (IADF).
Publication date
2012-02-10
Author
Akhlaq, Monis
Supervisor
Mellor, John E.; Awan, Irfan U.
Keyword
Intrusion Detection Systems (IDS)
Dynamic Cluster Architecture
Low detection rate
Packet loss
Network security
Telecommunication infrastructure
Network performance
Traffic Anomaly Filtration (IADF)
Denial of Service (DoS)
Increasing detection rate
Rights
The University of Bradford theses are licenced under a Creative Commons Licence.
Institution
University of Bradford
Department
School of Computing, Informatics and Media
Awarded
2011
Abstract
Intrusion Detection Systems (IDS) are considered a vital component of network security architecture. The system allows the administrator to detect unauthorized use of, or attack upon, a computer, network or telecommunication infrastructure. There is no doubt about the necessity of these systems; however, their performance remains a critical question. This research has focussed on designing a high performance Network Intrusion Detection System (NIDS) model. The work begins with the evaluation of Snort, an open source NIDS considered the de facto IDS standard. The motive behind the evaluation strategy is to analyze the performance of Snort and ascertain the causes of its limited performance. Design and implementation of high performance techniques are the final objective of this research. Snort has been evaluated on a highly sophisticated test bench by employing evasive and avoidance strategies to simulate real-life normal and attack-like traffic. The test methodology is based on the concept of stressing the system and degrading its performance in terms of its packet handling capacity. This has been achieved by normal traffic generation; fuzzing; traffic saturation; parallel dissimilar attacks; and manipulation of background traffic, e.g. fragmentation, packet sequence disturbance and illegal packet insertion. The evaluation phase has led us to two high performance designs: first, a distributed hardware architecture using cluster-based adoption, and second, a cascaded arrangement of anomaly-based filtration and signature-based detection. The first high performance mechanism is based on Dynamic Cluster adoption using refined policy routing and Comparator Logic. The design is a two-tier mechanism where the front end of the cluster is the load-balancer, which distributes traffic on pre-defined policy routing, ensuring maximum utilization of cluster resources.
The traffic load sharing mechanism reduces packet drop by exchanging state information between the load-balancer and cluster nodes and implementing switchovers between nodes in case the traffic exceeds a pre-defined threshold limit. Finally, the recovery evaluation concept using Comparator Logic also enhances the overall efficiency by recovering data lost in switchovers; the retrieved data is then analyzed by the recovery NIDS to identify any leftover threats. Intelligent Anomaly Detection Filtration (IADF), using a cascaded architecture of anomaly-based filtration and signature-based detection, is the second high performance design. The IADF design is used to preserve the resources of the NIDS by eliminating a large portion of the traffic on well-defined logic. In addition, the filtration concept augments the detection process by eliminating the part of malicious traffic which otherwise can go undetected by most signature-based mechanisms. We have evaluated the mechanism's ability to detect Denial of Service (DoS) and probe attempts by analyzing its performance on the Defence Advanced Research Projects Agency (DARPA) dataset. The concept has also been supported by time-based normalized sampling mechanisms to incorporate normal traffic variations and reduce false alarms. Finally, we have observed that the IADF has augmented the overall detection process by reducing false alarms, increasing the detection rate and incurring less data loss.
Type
Thesis
Qualification name
PhD