Search for: intrusion-detection
Total 66 records

    Detecting malicious packet drops and misroutings using header space analysis

    Article. 8th International Symposium on Telecommunications, IST 2016, 27 September 2016 through 29 September 2016; 2017, Pages 521-526; 9781509034345 (ISBN). Mohammadi, A. A.; Kazemian, P.; Pakravan, M. R.; Sharif University of Technology
    Institute of Electrical and Electronics Engineers Inc., 2017
    Abstract
    Software Defined Networking (SDN) provides a logically centralized view of the state of the network, and as a result opens up new ways to manage and monitor networks. In this paper we introduce a novel approach to network intrusion detection in SDNs that takes advantage of these attributes. Our approach can detect compromised routers that produce faulty messages, copy or steal traffic, or maliciously drop certain types of packets. To identify these attacks and the affected switches, we correlate the forwarding state of the network, i.e. the installed forwarding rules, with the forwarding status of packets, i.e. the actual route packets take in the network, and detect anomalies in routes. Thus, our...

    A content-based deep intrusion detection system

    Article. International Journal of Information Security; 2021; 16155262 (ISSN). Soltani, M.; Siavoshani, M. J.; Jahangir, A. H.; Sharif University of Technology
    Springer Science and Business Media Deutschland GmbH, 2021
    Abstract
    The growing number of Internet users and the prevalence of web applications make it necessary to deal with very complex software and applications in the network. This results in an increasing number of new vulnerabilities in the systems, and leads to an increase in cyber threats and, in particular, zero-day attacks. The cost of generating appropriate signatures for these attacks is a potential motive for using machine learning-based methodologies. Although there are many studies on using learning-based methods for attack detection, they generally use extracted features and overlook raw contents. This approach can lessen the performance of detection systems against content-based attacks...

    AIDSLK: an anomaly based intrusion detection system in linux kernel

    Article. Communications in Computer and Information Science; Volume 31, 2009, Pages 232-243; 18650929 (ISSN); 9783642004049 (ISBN). Almassian, N.; Azmi, R.; Berenji, S.; Sharif University of Technology
    2009
    Abstract
    The growth of intelligent attacks has prompted designers to envision intrusion detection as a built-in process in operating systems. This paper investigates a novel anomaly-based intrusion detection mechanism which utilizes the manner of interactions between users and kernel processes. An adequate feature list has been prepared for distinguishing between normal and anomalous behavior. The method introduces a new component into the Linux kernel as a wrapper module with the necessary hook functions to log initial data for preparing the desired feature list. An SVM neural network was applied to classify and recognize input vectors. The sequence of delayed input vectors of features was appended to...

    A hybrid heuristics artificial intelligence feature selection for intrusion detection classifiers in cloud of things

    Article. Cluster Computing; 2022; 13867857 (ISSN). Sangaiah, A. K.; Javadpour, A.; Ja’fari, F.; Pinto, P.; Zhang, W.; Balasubramanian, S.; Sharif University of Technology
    Springer, 2022
    Abstract
    Cloud computing environments provide users with Internet-based services, and one of their main challenges is security. Hence, using Intrusion Detection Systems (IDSs) as a defensive strategy in such environments is essential. Multiple parameters are used to evaluate IDSs, the most important of which is the feature selection method used for classifying malicious and legitimate activities. We have organized this research to determine an effective feature selection method to increase the accuracy of the classifiers in detecting intrusions. A Hybrid Ant-Bee Colony Optimization (HABCO) method is proposed to convert the feature selection problem into an optimization problem. We...

    Web driven alert verification

    Article. 2014 11th International ISC Conference on Information Security and Cryptology, ISCISC 2014; Sep 2014, Pages 180-185. Najafi, A.; Sepahi, A.; Jalili, R.; Sharif University of Technology
    Abstract
    A web attack is an attack against a web server through the HTTP protocol. By analyzing known web attacks, we find that each one has its own behavior. Vestiges of their behavior can be detected in the non-body parts of the HTTP protocol. Such information can be used to verify web alerts generated by Web Application Firewalls (WAFs) and Web Intrusion Detection Systems (Web IDSs). In this paper, we propose a method to verify web alerts generated by the mentioned sensors. The goal of the alert verification component is to eliminate or tag alerts that do not represent successful attacks. Our approach is based on analyzing HTTP transaction metadata, including the request method, request headers, status...

    RTECA: Real time episode correlation algorithm for multi-step attack scenarios detection

    Article. Computers and Security; Volume 49, March 2015, Pages 206-219; 01674048 (ISSN). Ahmadian Ramaki, A.; Amini, M.; Ebrahimi Atani, R.; Sharif University of Technology
    Elsevier Ltd, 2015
    Abstract
    Today, from an information security perspective, prevention methods alone are not enough. Early Warning Systems (EWSs) are in the category of reactive methods. These systems complement Intrusion Detection Systems (IDSs), and their main goals include early detection of potential malicious behavior in large-scale environments such as the national level. An important process in EWSs is the analysis and correlation of alerts aggregated from the installed sensors (e.g., IDSs, IP telescopes, and botnet detection systems). In this paper, an efficient framework for alert correlation in EWSs is proposed. The framework includes a correlation scheme based on a combination of statistical and stream...

    End-to-End adversarial learning for intrusion detection in computer networks

    Article. 44th Annual IEEE Conference on Local Computer Networks, LCN 2019, 14 October 2019 through 17 October 2019; Volume 2019-October, 2019, Pages 270-273; 9781728110288 (ISBN). Mohammadi, B.; Sabokrou, M.; Sharif University of Technology
    IEEE Computer Society, 2019
    Abstract
    This paper presents a simple yet efficient method for an anomaly-based Intrusion Detection System (IDS). In reality, IDSs can be defined as a one-class classification system, where the normal traffic is the target class. The high diversity of network attacks, in addition to the need for generalization, motivates us to propose a semi-supervised method. Inspired by the successes of Generative Adversarial Networks (GANs) for training deep models in a semi-unsupervised setting, we have proposed an end-to-end deep architecture for IDS. The proposed architecture is composed of two deep networks, each of which is trained by competing with the other to understand the underlying concept of the normal...

    A semantic-based correlation approach for detecting hybrid and low-level APTs

    Article. Future Generation Computer Systems; Volume 96, 2019, Pages 64-88; 0167739X (ISSN). Lajevardi, A. M.; Amini, M.; Sharif University of Technology
    Elsevier B.V., 2019
    Abstract
    Sophisticated and targeted malware, known today as Advanced Persistent Threats (APTs), uses multi-step, distributed, hybrid and low-level patterns to leak and exfiltrate information, manipulate data, or prevent the progression of a program or mission. Since current intrusion detection systems (IDSs) and alert correlation systems do not correlate low-level operating system events with network events, and use alert correlation instead of event correlation, intruders use low-level and hybrid events in order to distribute the attack vector, hide malware behaviors, and therefore make detection difficult for such detection systems. In this paper, a new approach for detecting hybrid and...

    Intrusion detection in computer networks using tabu search based Fuzzy system

    Article. 2008 7th IEEE International Conference on Cybernetic Intelligent Systems, CIS 2008, London, 9 September 2008 through 10 September 2008; March 2008; 9781424429141 (ISBN). Mohamadi, H.; Habibi, J.; Saadi, H.; Sharif University of Technology
    2008
    Abstract
    The process of scanning the events occurring in a computer system or network and analyzing them to warn of intrusions is known as an intrusion detection system (IDS). This paper presents a new intrusion detection system based on a tabu search based fuzzy system. Here, we use the tabu search algorithm to effectively explore and exploit the large state space associated with intrusion detection as a complicated classification problem. Experiments were performed on the KDD-Cup99 data set, which contains information about intrusive and normal behaviors on computer networks. Results show that the proposed method obtains notable accuracy and lower cost in comparison with several renowned algorithms.

    Historical Alert Analysis in Host-based Intrusion Detection

    M.Sc. Thesis, Sharif University of Technology. Ashouri, Morteza (Author); Abolhassani, Hassan (Supervisor)
    Abstract
    In the last decade, Intrusion Detection Systems have attracted attention due to their importance in network security, but they still have shortcomings. Generating a lot of low-level alerts is the main problem. Many of these alerts are actually false positives. One suggested solution is Alert Correlation Analysis. Because of false positives, alert correlation techniques are not able to build accurate scenarios, but the accuracy of alerts can be verified with the aid of the information logged on the host systems. In this dissertation, after surveying the current alert correlation techniques, a model will be introduced to effectively verify the generated alerts and to apply correlation techniques to...

    Intrusion Detection in Wireless Sensor Networks Using Incremental Emotional Intelligence Models

    M.Sc. Thesis, Sharif University of Technology. Bayat, Firoozeh (Author); Hashemi Mohammad Abad, Saeid (Supervisor)
    Abstract
    Wireless Sensor Networks (WSNs) are rapidly emerging as an important area in mobile computing research. Applications of WSNs are numerous and growing, and some of them are highly critical, like military or safety applications. Security measures must be applied to protect the network from a variety of attacks. Since no intrusion prevention measure is perfect, intrusion detection becomes an important second wall to protect the network. WSNs have a unique nature which differs from other kinds of networks. In this project, we examine the characteristics and vulnerabilities of WSNs and propose a new intrusion detection model to protect network security. In this work we have not only...

    Intelligent Anomaly-Based Intrusion Detection in Linux Kernel

    M.Sc. Thesis, Sharif University of Technology. Almasian, Negar (Author); Azmi, Reza (Supervisor)
    Abstract
    The growth of intelligent attacks has prompted designers to envision intrusion detection as a built-in process in operating systems. This thesis investigates a novel anomaly-based intrusion detection mechanism which utilizes the manner of interactions between users and kernel processes to bring functionality to this notion. In fact, this mechanism is inspired by the homeostatic behavior of an organism. Homeostasis is the property of an open or closed system, particularly a living organism, which regulates its internal environment to maintain a stable, constant condition. Such a developed mechanism can provide the computer system with a high level of protection from artificial...

    Reduction of sensor population in a camera sensor network

    Article. 2008 International Symposium on Telecommunications, IST 2008, Tehran, 27 August 2008 through 28 August 2008; 2008, Pages 349-353; 9781424427512 (ISBN). Sanjabi, M.; Samavi, S.; Ashori, M.; Karimi, N.; Fotohi, M.; Kasiri, K.; Sharif University of Technology
    2008
    Abstract
    The problem of surveillance for intrusion detection in a camera sensor network is addressed in this paper. In order to save limited resources, a sensing task should involve just the right number of sensors. For a wide enough coverage area, a random and uniform distribution can be applied. We propose a novel method which allows a reduction in the number of sensors and guarantees a desired level of surveillance against aerial intrusion. An enhancement of the method is also offered to further reduce the number of sensors and improve the performance. © 2008 IEEE

    Intrusion detection using a hybridization of evolutionary fuzzy systems and artificial immune systems

    Article. 2007 IEEE Congress on Evolutionary Computation, CEC 2007, Singapore, 25 September 2007 through 28 September 2007; 2007, Pages 3547-3553; 1424413400 (ISBN); 9781424413409 (ISBN). Saneei Abadeh, M.; Habibi, J.; Daneshi, M.; Jalali, M.; Khezrzadeh, M.; Sharif University of Technology
    2007
    Abstract
    This paper presents a novel hybrid approach for intrusion detection in computer networks. The proposed approach combines an evolutionary-based fuzzy system with an artificial immune system to generate high-quality fuzzy classification rules. The performance of the final fuzzy classification system has been investigated using the KDD-Cup99 benchmark dataset. The results indicate that, in comparison to several traditional techniques such as C4.5, Naïve Bayes, k-NN and SVM, the proposed hybrid approach achieves better classification accuracies for most of the classes of the intrusion detection classification problem. Therefore, the resulting fuzzy classification rules can be used to produce a...

    Capturing an intruder in product networks

    Article. Journal of Parallel and Distributed Computing; Volume 67, Issue 9, 2007, Pages 1018-1028; 07437315 (ISSN). Imani, N.; Sarbazi Azad, H.; Zomaya, A. Y.; Sharif University of Technology
    2007
    Abstract
    In this paper, we propose a solution to the problem of capturing an intruder in a product network. This solution is derived based on the assumption that algorithms exist for the basic member graphs of a graph product. In this problem, a team of cleaner agents is responsible for capturing a hostile intruder in the network. While the agents can move in the network one hop at a time, the intruder is assumed to be arbitrarily fast, in that it can traverse any number of nodes contiguously as long as no agents reside in those nodes. Here, we consider a version of the problem where each agent can replicate new agents. Thus, the algorithm starts with a single agent and new agents are created on...

    An efficient method for identifying IDS agent nodes by discovering compromised nodes in MANET

    Article. 2009 International Conference on Computer and Electrical Engineering, ICCEE 2009, 28 December 2009 through 30 December 2009, Dubai; Volume 1, 2009, Pages 625-629; 9780769539256 (ISBN). Kuchaki Rafsanjani, M.; Khavasi, A. A.; Movaghar, A.; Sharif University of Technology
    Abstract
    Intrusion Detection Systems (IDS) for Mobile Ad hoc NETworks (MANETs) are necessary when they are deployed in reality. In this paper, we present a combined method of selecting IDS agent nodes in mobile ad hoc networks, since the IDS agents in a MANET need more battery power due to their additional activities. In our method, compromised nodes are detected first, and then the nodes with the highest energy among the valid nodes are considered as IDS agent nodes. So, with this method, some valid nodes contribute to intrusion detection activities, the costs of network monitoring are reduced, and the network lifetime is increased. © 2009 IEEE

    IDS modelling and evaluation in WANETs against black/grey-hole attacks using stochastic models

    Article. International Journal of Ad Hoc and Ubiquitous Computing; Volume 27, Issue 3, 2018, Pages 171-186; 17438225 (ISSN). Entezari Maleki, R.; Gharib, M.; Khosravi, M.; Movaghar, A.; Sharif University of Technology
    Inderscience Enterprises Ltd, 2018
    Abstract
    The aim of this paper is to model and evaluate the performance of intrusion detection systems (IDSs) facing black-hole and grey-hole attacks within wireless ad hoc networks (WANETs). The main performance metric of an IDS in a WANET can be defined as the mean time required for the IDS to detect an attack. To evaluate this measure, two types of stochastic models are used in this paper. In the first step, two different continuous time Markov chains (CTMCs) are proposed to model the attacks, and then the method of computing the mean time to attack detection is presented. Since the number of states in the proposed CTMCs grows rapidly with an increasing number of intermediate nodes and the...

    A content-based deep intrusion detection system

    Article. International Journal of Information Security; Volume 21, Issue 3, 2022, Pages 547-562; 16155262 (ISSN). Soltani, M.; Siavoshani, M. J.; Jahangir, A. H.; Sharif University of Technology
    Springer Science and Business Media Deutschland GmbH, 2022
    Abstract
    The growing number of Internet users and the prevalence of web applications make it necessary to deal with very complex software and applications in the network. This results in an increasing number of new vulnerabilities in the systems, and leads to an increase in cyber threats and, in particular, zero-day attacks. The cost of generating appropriate signatures for these attacks is a potential motive for using machine learning-based methodologies. Although there are many studies on using learning-based methods for attack detection, they generally use extracted features and overlook raw contents. This approach can lessen the performance of detection systems against content-based attacks...

    DMAIDPS: a distributed multi-agent intrusion detection and prevention system for cloud IoT environments

    Article. Cluster Computing; 2022; 13867857 (ISSN). Javadpour, A.; Pinto, P.; Ja’fari, F.; Zhang, W.; Sharif University of Technology
    Springer, 2022
    Abstract
    Cloud Internet of Things (CIoT) environments, as the essential basis for computing services, have been subject to abuses and cyber threats. Adversaries constantly search for vulnerable areas in such computing environments to inflict damage and create complex challenges. Hence, using intrusion detection and prevention systems (IDPSs) is almost mandatory for securing CIoT environments. However, the existing IDPSs in this area suffer from some limitations, such as the inability to detect unknown attacks and vulnerability to a single point of failure. In this paper, we propose a novel distributed multi-agent IDPS (DMAIDPS) that overcomes these limitations. The learning agents in...

    An Intrusion Detection System for the Grid Environment

    M.Sc. Thesis, Sharif University of Technology. Movahed, Amirvala (Author); Jalili, Rasool (Supervisor)
    Abstract
    Existing Intrusion Detection Systems (IDSs) are not designed to deal with all categories of processing environments. This thesis focuses on IDSs for the Grid computing environment, and concentrates on feature selection and performance. An existing framework, Globus, is used as the basis for the consideration and development of the research issue in Grid computing. The system is based on two engine designs: (a) Signature and (b) Support Vector Machine; SVM has been selected for pattern discovery in traffic analysis. We found that the performance of the system greatly depends on the efficiency of the underlying framework and the number of Intrusion Detection System instances. We demonstrate...