Search for: intrusion-detection-systems
Total 54 records

    A content-based deep intrusion detection system

    Article, International Journal of Information Security; Volume 21, Issue 3, 2022, Pages 547-562; 16155262 (ISSN). Soltani, M; Siavoshani, M. J; Jahangir, A. H; Sharif University of Technology
    Springer Science and Business Media Deutschland GmbH, 2022
    Abstract
    The growing number of Internet users and the prevalence of web applications make it necessary to deal with very complex software and applications in the network. This results in an increasing number of new vulnerabilities in the systems, and leads to an increase in cyber threats and, in particular, zero-day attacks. The cost of generating appropriate signatures for these attacks is a potential motive for using machine learning-based methodologies. Although there are many studies on using learning-based methods for attack detection, they generally use extracted features and overlook raw contents. This approach can lessen the performance of detection systems against content-based attacks...

    A hybrid heuristics artificial intelligence feature selection for intrusion detection classifiers in cloud of things

    Article, Cluster Computing; 2022; 13867857 (ISSN). Sangaiah, A. K; Javadpour, A; Ja’fari, F; Pinto, P; Zhang, W; Balasubramanian, S; Sharif University of Technology
    Springer, 2022
    Abstract
    Cloud computing environments provide users with Internet-based services and one of their main challenges is security issues. Hence, using Intrusion Detection Systems (IDSs) as a defensive strategy in such environments is essential. Multiple parameters are used to evaluate the IDSs, the most important aspect of which is the feature selection method used for classifying the malicious and legitimate activities. We have organized this research to determine an effective feature selection method to increase the accuracy of the classifiers in detecting intrusion. A Hybrid Ant-Bee Colony Optimization (HABCO) method is proposed to convert the feature selection problem into an optimization problem. We... 

    A content-based deep intrusion detection system

    Article, International Journal of Information Security; 2021; 16155262 (ISSN). Soltani, M; Siavoshani, M. J; Jahangir, A. H; Sharif University of Technology
    Springer Science and Business Media Deutschland GmbH, 2021
    Abstract
    The growing number of Internet users and the prevalence of web applications make it necessary to deal with very complex software and applications in the network. This results in an increasing number of new vulnerabilities in the systems, and leads to an increase in cyber threats and, in particular, zero-day attacks. The cost of generating appropriate signatures for these attacks is a potential motive for using machine learning-based methodologies. Although there are many studies on using learning-based methods for attack detection, they generally use extracted features and overlook raw contents. This approach can lessen the performance of detection systems against content-based attacks...

    End-to-End adversarial learning for intrusion detection in computer networks

    Article, 44th Annual IEEE Conference on Local Computer Networks, LCN 2019, 14 October 2019 through 17 October 2019; Volume 2019-October, 2019, Pages 270-273; 9781728110288 (ISBN). Mohammadi, B; Sabokrou, M; Sharif University of Technology
    IEEE Computer Society, 2019
    Abstract
    This paper presents a simple yet efficient method for an anomaly-based Intrusion Detection System (IDS). In reality, IDSs can be defined as a one-class classification system, where the normal traffic is the target class. The high diversity of network attacks, in addition to the need for generalization, motivates us to propose a semi-supervised method. Inspired by the successes of Generative Adversarial Networks (GANs) for training deep models in a semi-unsupervised setting, we have proposed an end-to-end deep architecture for IDS. The proposed architecture is composed of two deep networks, each of which is trained by competing with the other to understand the underlying concept of the normal...

    A semantic-based correlation approach for detecting hybrid and low-level APTs

    Article, Future Generation Computer Systems; Volume 96, 2019, Pages 64-88; 0167739X (ISSN). Lajevardi, A. M; Amini, M; Sharif University of Technology
    Elsevier B.V, 2019
    Abstract
    Sophisticated and targeted malware, known today as Advanced Persistent Threats (APTs), uses multi-step, distributed, hybrid and low-level patterns to leak and exfiltrate information, manipulate data, or prevent the progression of a program or mission. Since current intrusion detection systems (IDSs) and alert correlation systems do not correlate low-level operating system events with network events and use alert correlation instead of event correlation, intruders use low-level and hybrid events in order to distribute the attack vector, hide malware behaviors, and therefore make detection difficult for such detection systems. In this paper, a new approach for detecting hybrid and...

    Feature selection and intrusion detection in cloud environment based on machine learning algorithms

    Article, Proceedings - 15th IEEE International Symposium on Parallel and Distributed Processing with Applications and 16th IEEE International Conference on Ubiquitous Computing and Communications, ISPA/IUCC 2017; 25 May, 2018, Pages 1417-1421; 9781538637906 (ISBN). Javadpour, A; Kazemi Abharian, S; Wang, G; Sharif University of Technology
    Institute of Electrical and Electronics Engineers Inc, 2018
    Abstract
    The characteristics and behavior of attacks and infiltrators on computer networks are usually very difficult and need an expert. In addition, with the advancement of computer networks, the number of attacks and infiltrations is also increasing. In fact, the knowledge coming from an expert loses its value over time and must be updated and made available to the system, and this makes the need for an expert person always felt. In machine learning techniques, knowledge is extracted from the data itself, which has diminished the role of the expert. Various methods used to detect intrusions, such as statistical models, the safe system approach, neural networks, etc., all weaken the fact that it uses all the...

    IDS modelling and evaluation in WANETs against black/grey-hole attacks using stochastic models

    Article, International Journal of Ad Hoc and Ubiquitous Computing; Volume 27, Issue 3, 2018, Pages 171-186; 17438225 (ISSN). Entezari Maleki, R; Gharib, M; Khosravi, M; Movaghar, A; Sharif University of Technology
    Inderscience Enterprises Ltd, 2018
    Abstract
    The aim of this paper is to model and evaluate the performance of intrusion detection systems (IDSs) facing black-hole and grey-hole attacks within wireless ad hoc networks (WANETs). The main performance metric of an IDS in a WANET can be defined as the mean time required for the IDS to detect an attack. To evaluate this measure, two types of stochastic models are used in this paper. In the first step, two different continuous time Markov chains (CTMCs) are proposed to model the attacks, and then the method of computing the mean time to attack detection is presented. Since the number of states in the proposed CTMCs grows rapidly with an increasing number of intermediate nodes and the...

    Detecting malicious packet drops and misroutings using header space analysis

    Article, 8th International Symposium on Telecommunications, IST 2016, 27 September 2016 through 29 September 2016; 2017, Pages 521-526; 9781509034345 (ISBN). Mohammadi, A. A; Kazemian, P; Pakravan, M. R; Sharif University of Technology
    Institute of Electrical and Electronics Engineers Inc, 2017
    Abstract
    Software Defined Networking (SDN) provides a logically centralized view of the state of the network, and as a result opens up new ways to manage and monitor networks. In this paper we introduce a novel approach to network intrusion detection in SDNs that takes advantage of these attributes. Our approach can detect compromised routers that produce faulty messages, copy or steal traffic, or maliciously drop certain types of packets. To identify these attacks and the affected switches, we correlate the forwarding state of the network - i.e. installed forwarding rules - with the forwarding status of packets - i.e. the actual route packets take in the network - and detect anomalies in routes. Thus, our...

    RTECA: Real time episode correlation algorithm for multi-step attack scenarios detection

    Article, Computers and Security; Volume 49, March, 2015, Pages 206-219; 01674048 (ISSN). Ahmadian Ramaki, A; Amini, M; Ebrahimi Atani, R; Sharif University of Technology
    Elsevier Ltd, 2015
    Abstract
    Today, from an information security perspective, prevention methods alone are not enough. Early Warning Systems (EWSs) are in the category of reactive methods. These systems complement Intrusion Detection Systems (IDSs), and their main goals include early detection of potential malicious behavior in large-scale environments such as the national level. An important process in EWSs is the analysis and correlation of alerts aggregated from the installed sensors (e.g., IDSs, IP telescopes, and botnet detection systems). In this paper, an efficient framework for alert correlation in EWSs is proposed. The framework includes a correlation scheme based on a combination of statistical and stream...

    IDuFG: Introducing an intrusion detection using hybrid fuzzy genetic approach

    Article, International Journal of Network Security; Volume 17, Issue 6, 2015, Pages 754-770; 1816353X (ISSN). Javadzadeh, G; Azmi, R; Sharif University of Technology
    Femto Technique Co., Ltd, 2015
    Abstract
    In this paper, we propose a hybrid approach for designing Intrusion Detection Systems. This approach is based on a Fuzzy Genetic Machine Learning Algorithm to generate fuzzy rules. The rules are able to solve the classification problem in designing an anomaly IDS. The proposed approach supports multiple attack classification. This means that it is able to detect five classes consisting of Denial of Service, Remote to Local, User to Root, Probing and normal classes. We present a two-layer optimization approach based on the Pittsburgh style and then combine it with the Michigan style. To improve the performance of the proposed system, we take advantage of a memetic approach and propose an enhanced version...

    Design and analysis of genetic fuzzy systems for intrusion detection in computer networks

    Article, Expert Systems with Applications; Volume 38, Issue 6, June, 2011, Pages 7067-7075; 09574174 (ISSN). Abadeh, M. S; Mohamadi, H; Habibi, J; Sharif University of Technology
    2011
    Abstract
    The capability of fuzzy systems to solve different kinds of problems has been demonstrated in several previous investigations. Genetic fuzzy systems (GFSs) hybridize the approximate reasoning method of fuzzy systems with the learning capability of evolutionary algorithms. The objective of this paper is to design and analyze various kinds of genetic fuzzy systems to deal with the intrusion detection problem as a new real-world application area which has not previously been tackled with GFSs. The resulting intrusion detection system would be capable of detecting normal and abnormal behaviors in computer networks. We have presented three kinds of genetic fuzzy systems based on Michigan, Pittsburgh and...

    A bayesian game approach for preventing DoS attacks in wireless sensor networks

    Article, Proceedings - 2009 WRI International Conference on Communications and Mobile Computing, CMC 2009, 6 January 2009 through 8 January 2009, Kunming, Yunnan; Volume 3, 2009, Pages 507-511; 9780769535012 (ISBN). Mohi, M; Movaghar, A; Zadeh, P. M; Sharif University of Technology
    2009
    Abstract
    Wireless sensor networks (WSNs) are a new technology, foreseen to be used increasingly in the near future, and security is an important issue for them. However, because of the nodes' resource limitations, other schemes proposed for securing general ad hoc networks are not appropriate for WSNs. Usually some nodes act maliciously and are able to perform different kinds of DoS attacks. In order to make the network more secure, malicious nodes should be isolated from the network. In this paper, we model the interaction of nodes in a WSN and the intrusion detection system (IDS) as a Bayesian game formulation and use this idea to make a secure routing protocol. By this approach, nodes are motivated to act...

    AIDSLK: an anomaly based intrusion detection system in linux kernel

    Article, Communications in Computer and Information Science; Volume 31, 2009, Pages 232-243; 18650929 (ISSN); 9783642004049 (ISBN). Almassian, N; Azmi, R; Berenji, S; Sharif University of Technology
    2009
    Abstract
    The growth of intelligent attacks has prompted designers to envision intrusion detection as a built-in process in operating systems. This paper investigates a novel anomaly-based intrusion detection mechanism which utilizes the manner of interactions between users and kernel processes. An adequate feature list has been prepared for distinguishing between normal and anomalous behavior. The method used introduces a new component to the Linux kernel as a wrapper module with the necessary hook functions to log initial data for preparing the desired feature list. An SVM neural network was applied to classify and recognize input vectors. The sequence of delayed input vectors of features was appended to...

    Misuse intrusion detection using a fuzzy-metaheuristic approach

    Article, 2nd Asia International Conference on Modelling and Simulation, AMS 2008, Kuala Lumpur, 13 May 2008 through 15 May 2008; 2008, Pages 439-444; 9780769531366 (ISBN). Mohamadi, H; Habibi, J; Saniee Abadeh, M; Sharif University of Technology
    2008
    Abstract
    In this paper, we use simulated annealing heuristics for constructing an intrusion detection system (IDS). The proposed IDS combines the learning ability of simulated annealing heuristics with the approximate reasoning method of fuzzy systems. The use of simulated annealing is an effort to effectively explore the large search space related to intrusion detection problems, and find the optimum set of fuzzy if-then rules. The aim of this paper is to present the capability of a simulated annealing based fuzzy system to deal with the intrusion detection classification problem as a new real-world application area. Experiments were performed with the KDD-Cup99 intrusion detection benchmark data set. © 2008...

    Intrusion detection in computer networks using tabu search based Fuzzy system

    Article, 2008 7th IEEE International Conference on Cybernetic Intelligent Systems, CIS 2008, London, 9 September 2008 through 10 September 2008; March, 2008; 9781424429141 (ISBN). Mohamadi, H; Habibi, J; Saadi, H; Sharif University of Technology
    2008
    Abstract
    The process of scanning the events occurring in a computer system or network and analyzing them for warnings of intrusions is known as an intrusion detection system (IDS). This paper presents a new intrusion detection system based on a tabu search based fuzzy system. Here, we use the tabu search algorithm to effectively explore and exploit the large state space associated with intrusion detection as a complicated classification problem. Experiments were performed on the KDD-Cup99 data set, which has information about intrusive and normal behaviors on computer networks. Results show that the proposed method obtains notable accuracy and lower cost in comparison with several renowned algorithms.

    Computer intrusion detection using an iterative fuzzy rule learning approach

    Article, 2007 IEEE International Conference on Fuzzy Systems, FUZZY, London, 23 July 2007 through 26 July 2007; 2007; 10987584 (ISSN); 1424412102 (ISBN); 9781424412105 (ISBN). Saniee Abadeh, M; Habibi, J; Sharif University of Technology
    2007
    Abstract
    The process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions is known as an intrusion detection system (IDS). The objective of this paper is to extract fuzzy classification rules for intrusion detection in computer networks. The proposed method is based on the iterative rule learning approach (IRL) to fuzzy rule base system design. The fuzzy rule base is generated in an incremental fashion, in that the evolutionary algorithm optimizes one fuzzy classifier rule at a time. The performance of the final fuzzy classification system has been investigated using the intrusion detection problem as a high-dimensional classification problem. Results show...

    RT-UNNID: A practical solution to real-time network-based intrusion detection using unsupervised neural networks

    Article, Computers and Security; Volume 25, Issue 6, 2006, Pages 459-468; 01674048 (ISSN). Amini, M; Jalili, R; Shahriari, H. R; Sharif University of Technology
    2006
    Abstract
    With the growing rate of network attacks, intelligent methods for detecting new attacks have attracted increasing interest. The RT-UNNID system, introduced in this paper, is one such system, capable of intelligent real-time intrusion detection using unsupervised neural networks. Unsupervised neural nets can improve their analysis of new data over time without retraining. In previous work, we evaluated Adaptive Resonance Theory (ART) and Self-Organizing Map (SOM) neural networks using offline data. In this paper, we present a real-time solution using unsupervised neural nets to detect known and new attacks in network traffic. We evaluated our approach using 27 types of attack, and observed... 

    Detection of distributed denial of service attacks using statistical pre-processor and unsupervised neural networks

    Article, First International Conference on Information Security, Practice and Experience, ISPEC 2005, 11 April 2005 through 14 April 2005; Volume 3439, 2005, Pages 192-203; 03029743 (ISSN). Jalili, R; Imani Mehr, F; Amini, M; Shahriari, H. R; Sharif University of Technology
    Springer Verlag, 2005
    Abstract
    Although the prevention of Distributed Denial of Service (DDoS) attacks is not possible, detection of such attacks plays the main role in preventing their progress. In flooding attacks, especially new sophisticated DDoS, the attacker floods the network traffic toward the target computer by sending pseudo-normal packets. Therefore, multi-purpose IDSs do not offer good performance (and accuracy) in detecting such kinds of attacks. In this paper, a novel method for the detection of DDoS attacks has been introduced based on a statistical pre-processor and an unsupervised artificial neural net. In addition, the SPUNNID system has been designed based on the proposed method. The statistical...

    Machine Learning-Based Solutions for IoT Intrusion Security

    M.Sc. Thesis, Sharif University of Technology. Moradi, Kamyab (Author); Hajsadeghi, Khosro (Supervisor)
    Abstract
    Nowadays, by integrating the Internet of Things systems into the daily life of humans, mankind has created a platform for providing numerous and diverse services through which life has become much simpler and more convenient. These systems have gradually become an integral part of today's life. They are used in many areas of production and service provision, such as healthcare, agricultural industry, supply chain, education system, transportation, and many others. Although these achievements have facilitated human life in many aspects, they are also associated with many security risks. Intrusion detection systems (IDS) are methods for predicting possible damage (through security attacks such... 

    Deep Learning-Based Intrusion Detection Systems in Industrial Control Systems

    M.Sc. Thesis, Sharif University of Technology. Amir Hossein Salehi (Author); Aref, Mohammad Reza (Supervisor); Ahmadi, Siavash (Co-Supervisor)
    Abstract
    With the spread of threats against industrial control systems, preserving the security of these systems faces serious challenges. On the other hand, with the increase of communication between industrial control networks and external communication networks, the entry points of these networks have also increased, and this exposes them to IP network threats. Besides that, traditional attacks on these systems, which generally occur by infiltrating the internal network, are also constantly changing and becoming more complex. These attacks mainly have a phase of hiding the attack from the monitoring systems, which eliminates the possibility of identifying the attacker's operations to a great extent...