Anomaly detection in computer networks using hierarchically organized teams of learning automata
Master thesis
Permanent link
http://hdl.handle.net/11250/137523
Publication date
2011
Abstract
With the increasing number of computer systems connected to the Internet,
security becomes a critical issue. To combat this problem, several attack detection
methods have emerged in recent years, such as the rule-based Intrusion
Detection System (IDS) Snort, or anomaly-based alternatives that are able
to detect novel attacks without any prior knowledge of them.
Most current anomaly-based IDS require labeled attacks or extensively filtered
training data, so that attack types which would otherwise generate large amounts of
noise in the form of false positives are removed before training.
This thesis describes a novel anomaly-based scheme for detecting attacks, based on
frequent itemset mining, that does not require extensive filtering of the input
data. In brief, the scheme, named the Grimstad Data Classifier (GRIDAC),
uses teams of hierarchically organized Learning Automata to generate
a rule tree of linked nodes, where the granularity of a node
increases with its level in the tree.
GRIDAC was then implemented as an anomaly-based IDS called Inspectobot
and evaluated on the 1999 DARPA IDS Evaluation Sets. At best,
the prototype detected 51 of the 62 attacks in the 1999 DARPA IDS
Evaluation Sets with 56 false alarms, a detection rate of 82 %, after
training on one week of attack-free traffic and classifying another full week of
data containing attacks.
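The following is an added illustration of the frequent-itemset approach the abstract describes and of the detection-rate/false-alarm figures it reports; it is not GRIDAC or Inspectobot code, which the abstract does not reproduce. The teams of Learning Automata that GRIDAC uses to grow its rule tree are replaced here by a plain Apriori-style level-wise search, which yields the same shape of model: a tree whose level-k nodes are k-item rules, each more specific than its level-(k-1) parents. The packet records, the attribute names (`proto`, `dport`, `flags`, `len`), the `min_support` and `min_depth` thresholds and the `RuleTree`/`evaluate` names are all constructed for the example, not DARPA data or thesis identifiers.

```python
from collections import Counter
from itertools import combinations

# Constructed, attack-free "training week": each packet is reduced to a set of
# attribute=value items, as an IDS front end would do before mining.
# Toy records made for this example, not DARPA 1999 data.
NORMAL_TRAFFIC = [
    {"proto=tcp", "dport=80", "flags=S", "len=small"},
    {"proto=tcp", "dport=80", "flags=A", "len=large"},
    {"proto=tcp", "dport=80", "flags=A", "len=small"},
    {"proto=tcp", "dport=443", "flags=S", "len=small"},
    {"proto=tcp", "dport=443", "flags=A", "len=large"},
    {"proto=udp", "dport=53", "flags=none", "len=small"},
    {"proto=udp", "dport=53", "flags=none", "len=small"},
    {"proto=tcp", "dport=22", "flags=A", "len=small"},
]


def mine_frequent_itemsets(records, min_support):
    """Level-wise (Apriori-style) search. Returns {k: set of frequent k-itemsets}.

    min_support is an absolute record count. Level k+1 candidates are built only
    from level-k frequent sets and pruned unless every k-subset is frequent, so
    every node's subsets are frequent too (downward closure).
    """
    levels = {}
    item_counts = Counter(item for rec in records for item in rec)
    current = {frozenset([i]) for i, c in item_counts.items() if c >= min_support}
    k = 1
    while current:
        levels[k] = current
        candidates = set()
        for a, b in combinations(current, 2):
            cand = a | b
            if len(cand) == k + 1 and all(
                frozenset(sub) in current for sub in combinations(cand, k)
            ):
                candidates.add(cand)
        current = {
            c for c in candidates
            if sum(1 for rec in records if c <= rec) >= min_support
        }
        k += 1
    return levels


class RuleTree:
    """Frequent-itemset levels read as a tree: a level-k node's parents are its
    level-(k-1) subsets, so nodes become more specific the deeper they sit."""

    def __init__(self, records, min_support):
        self.levels = mine_frequent_itemsets(records, min_support)
        self.depth = max(self.levels, default=0)

    def match_depth(self, record):
        """Deepest level at which some node is contained in the record (0 = none)."""
        depth = 0
        for k in sorted(self.levels):
            if any(node <= record for node in self.levels[k]):
                depth = k
            else:
                break  # no level-k match implies no deeper match (downward closure)
        return depth

    def is_anomaly(self, record, min_depth):
        """A record that only reaches shallow, coarse nodes is flagged."""
        return self.match_depth(record) < min_depth


def evaluate(tree, labelled, min_depth):
    """Return (attacks_detected, attacks_total, false_alarms) over labelled records."""
    detected = total = false_alarms = 0
    for record, is_attack in labelled:
        flagged = tree.is_anomaly(record, min_depth)
        if is_attack:
            total += 1
            detected += flagged
        elif flagged:
            false_alarms += 1
    return detected, total, false_alarms


# Constructed "test week": two benign packets and two that never occur in training.
TEST_TRAFFIC = [
    ({"proto=tcp", "dport=80", "flags=A", "len=small"}, False),
    ({"proto=udp", "dport=53", "flags=none", "len=small"}, False),
    ({"proto=tcp", "dport=80", "flags=SF", "len=large"}, True),   # malformed flags
    ({"proto=icmp", "type=echo", "len=large"}, True),             # protocol never seen
]

if __name__ == "__main__":
    tree = RuleTree(NORMAL_TRAFFIC, min_support=2)
    for record, _ in TEST_TRAFFIC:
        print(sorted(record), "depth", tree.match_depth(record),
              "ANOMALY" if tree.is_anomaly(record, 3) else "normal")
    print("detected/total/false alarms:", evaluate(tree, TEST_TRAFFIC, 3))
```

With `min_support=2` the tree is four levels deep; the benign HTTP and DNS packets reach levels 3 and 4, while the malformed-flags packet only matches the coarse two-item rule `{proto=tcp, dport=80}` and the ICMP packet only a single item, so both are flagged at `min_depth=3`. The two thresholds set the same trade-off the abstract reports as detection rate against false alarms: lowering `min_depth` or raising `min_support` makes the model coarser and quieter, the opposite makes it stricter and noisier.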
The empirical results show that the prototype can mine frequent itemsets from
network packets well enough to model normal behavior. With an average detection
rate of 73 % of all attacks in the DARPA set and a fairly low number of false
positives, Inspectobot is also shown to be usable for IDS purposes.
In its current state, Inspectobot requires a high processing capacity to perform
the rule matching, and compared with the popular IDS Snort it is not yet
practical outside a testbed environment. Nonetheless, given a more optimized
implementation, the scheme has the potential to serve as a complementary
anomaly-based IDS alongside Snort for detecting novel attacks.
Description
Master's thesis in Information and Communication Technology 2011, University of Agder, Grimstad