Improved performance high speed network intrusion detection systems (NIDS). A high speed NIDS architectures to address limitations of Packet Loss and Low Detection Rate by adoption of Dynamic Cluster Architecture and Traffic Anomaly Filtration (IADF).
Supervisor: Mellor, John E.; Awan, Irfan U.
Keywords: Intrusion Detection Systems (IDS); Dynamic Cluster Architecture; Low detection rate; Traffic Anomaly Filtration (IADF); Denial of Service (DoS); Increasing detection rate
The University of Bradford theses are licenced under a Creative Commons Licence.
Institution: University of Bradford
Department: School of Computing, Informatics and Media
Abstract: Intrusion Detection Systems (IDS) are considered a vital component of network security architecture. The system allows the administrator to detect unauthorized use of, or attack upon, a computer, network or telecommunication infrastructure. There is no second thought on the necessity of these systems; however, their performance remains a critical question. This research has focussed on designing a high performance Network Intrusion Detection System (NIDS) model. The work begins with the evaluation of Snort, an open source NIDS considered the de-facto IDS standard. The motive behind the evaluation strategy is to analyze the performance of Snort and ascertain the causes of its limited performance. Design and implementation of high performance techniques are the final objective of this research. Snort has been evaluated on a highly sophisticated test bench by employing evasive and avoidance strategies to simulate real-life normal and attack-like traffic. The test methodology is based on the concept of stressing the system and degrading its performance in terms of its packet handling capacity. This has been achieved by normal traffic generation; fuzzing; traffic saturation; parallel dissimilar attacks; and manipulation of background traffic, e.g. fragmentation, packet sequence disturbance and illegal packet insertion. The evaluation phase has led us to two high performance designs: first, a distributed hardware architecture using cluster-based adoption, and second, a cascaded combination of anomaly-based filtration and signature-based detection. The first high performance mechanism is based on Dynamic Cluster adoption using refined policy routing and Comparator Logic. The design is a two-tier mechanism where the front end of the cluster is the load-balancer, which distributes traffic according to pre-defined policy routing, ensuring maximum utilization of cluster resources.
The traffic load sharing mechanism reduces packet drop by exchanging state information between the load-balancer and cluster nodes and implementing switchovers between nodes when the traffic exceeds a pre-defined threshold limit. Finally, the recovery evaluation concept using Comparator Logic also enhances overall efficiency by recovering data lost during switchovers; the retrieved data is then analyzed by the recovery NIDS to identify any leftover threats. Intelligent Anomaly Detection Filtration (IADF), using a cascaded architecture of anomaly-based filtration followed by signature-based detection, is the second high performance design. The IADF design preserves NIDS resources by eliminating a large portion of the traffic according to well-defined logic. In addition, the filtration concept augments the detection process by eliminating the part of malicious traffic which would otherwise go undetected by most signature-based mechanisms. We have evaluated the mechanism's ability to detect Denial of Service (DoS) and Probe attempts by analyzing its performance on the Defence Advanced Research Projects Agency (DARPA) dataset. The concept has also been supported by time-based normalized sampling mechanisms that incorporate normal traffic variations to reduce false alarms. Finally, we have observed that IADF augments the overall detection process by reducing false alarms, increasing the detection rate and incurring less data loss.
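As an added illustration of the cascaded IADF idea described above (a rate-based anomaly filter, normalised against a per-hour baseline, placed ahead of signature matching), this is example code and not the thesis's own implementation; the sample traffic, baseline values, threshold factor and signature pattern are all constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed placeholder signature (not a Snort rule): stage 2 looks for it in payloads.
SIGNATURES = {"TEST-SIG-001": re.compile(rb"TEST-SIG-001")}

def hour_of(ts):
    """Hour-of-day bin for a timestamp in seconds; used to normalise the baseline."""
    return int(ts // 3600) % 24

def make_traffic():
    """Constructed sample: light normal traffic, one source flooding within a single second,
    and one normal-rate packet carrying the test signature. Tuples are (ts, src, payload)."""
    pkts = [(32400.0 + i, "10.0.0.%d" % (i % 3 + 1), b"GET /index.html") for i in range(6)]
    pkts += [(32403.0 + i / 40.0, "10.0.0.9", b"SYN") for i in range(40)]   # 40 pkts in 1 s
    pkts.append((32405.5, "10.0.0.2", b"POST /form TEST-SIG-001"))
    return pkts

def anomaly_filter(packets, baseline, factor=3.0):
    """Stage 1: per-source packets-per-second versus factor x the hour's normalised baseline.
    Sources above the limit are DoS candidates and are not handed to the signature engine."""
    counts = defaultdict(int)
    for ts, src, _ in packets:
        counts[(int(ts), src)] += 1
    flagged = {key for key, n in counts.items()
               if n > factor * baseline.get(hour_of(key[0]), 1.0)}
    anomalies = [p for p in packets if (int(p[0]), p[1]) in flagged]
    passed = [p for p in packets if (int(p[0]), p[1]) not in flagged]
    return anomalies, passed

def signature_scan(packets):
    """Stage 2: signature matching only on the traffic the filter let through."""
    return [(ts, src, name) for ts, src, payload in packets
            for name, rx in SIGNATURES.items() if rx.search(payload)]

def iadf(packets, baseline):
    """Cascade both stages and report how much load the signature engine was spared."""
    anomalies, passed = anomaly_filter(packets, baseline)
    return {"total": len(packets),
            "scanned_by_signatures": len(passed),
            "dos_candidates": sorted({src for _, src, _ in anomalies}),
            "signature_alerts": signature_scan(passed)}

if __name__ == "__main__":
    # Constructed baseline: about 2 packets/s per source is normal at 09:00.
    print(iadf(make_traffic(), {9: 2.0}))
```

The flood source never reaches the signature stage, so the 40 flood packets cost the signature engine nothing, while the signature hit in normal-rate traffic is still raised.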