Network Aware Defenses for Intrusion Recognition and Response (NADIR)

  • Conference paper
  • First Online:
Proceedings of the Future Technologies Conference (FTC) 2018 (FTC 2018)

Part of the book series: Advances in Intelligent Systems and Computing ((AISC,volume 881))

Abstract

It has become increasingly difficult to monitor computer networks as they have grown in scale and complexity. The resulting lack of visibility makes responding to, or even recognizing, attacks a challenge. As a result, organizations’ reactions to attacks are delayed, typically leaving them to address the situation long after an incident has taken place. The central idea behind this research is to provide earlier notification of potential network attacks by using deceptive network service information as bait. When suspicious network activity is detected, these “decoy” services, or “honeyservices”, advertise system vulnerabilities that do not actually exist. That is, although up-to-date versions of programs are installed and running, vulnerable software versions are advertised once a potential attack or reconnaissance effort is detected. Exploits launched against these services will be unsuccessful, yet may provide valuable information about attacks. Our system uses a decision-tree-based learning algorithm to detect anomalous attack traffic and changes its behavior to advertise honeyservices in response. By indicating the existence of fake vulnerabilities, our system is capable of collecting information about attacks earlier, in the reconnaissance phase, potentially catching adversaries in the act without exposing any actual system weaknesses. Our solution effectively transforms any legitimate server into a honeypot without the added overhead of setting up and maintaining fake network infrastructure.
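The abstract describes two cooperating pieces: a decision tree that flags reconnaissance traffic, and a response that makes the real, patched server advertise fake vulnerable versions to the flagged source only. The following Python sketch is an added example of that control loop; it is not the NADIR implementation. The per-source features, the hand-built tree (standing in for the tree the paper learns from data), the window size and the banner strings are all assumptions, and the connection log it replays is constructed.

```python
"""NADIR-style honeyservice controller (added example; not the paper's code).

The abstract describes two pieces: a decision tree that flags reconnaissance
traffic, and a response that makes the real, patched server advertise fake
vulnerable versions to the flagged source. The per-source features, the
hand-built tree, the window size and the banner strings below are all
assumptions standing in for the learned model and deployment the paper does
not detail here.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 60.0  # assumed sliding window of per-source history

# Truthful banners of the patched software actually running (assumed versions),
# and the decoy strings advertised to a flagged source. Only the advertised
# string changes; the service behind it is the same up-to-date program.
REAL_BANNERS = {21: "220 vsFTPd 3.0.5", 22: "SSH-2.0-OpenSSH_9.6", 80: "Server: Apache/2.4.58"}
DECOY_BANNERS = {21: "220 vsFTPd 2.3.4", 22: "SSH-2.0-OpenSSH_5.3", 80: "Server: Apache/2.2.8"}

# Hand-built stand-in for the learned tree: (feature, threshold, left, right);
# go left when feature <= threshold. Leaves are class labels.
RECON_TREE = (
    "distinct_ports", 4,
    ("probe_fraction", 0.8,
        "benign",
        ("conn_count", 10, "benign", "recon")),
    "recon",
)


def extract_features(history):
    """Per-source features over the events (ts, dport, bytes_sent) in the window."""
    n = len(history)
    return {
        "conn_count": n,
        "distinct_ports": len({dport for _, dport, _ in history}),
        # connections that sent no application data look like bare port probes
        "probe_fraction": (sum(1 for _, _, b in history if b == 0) / n) if n else 0.0,
    }


def classify(features, node=RECON_TREE):
    """Walk the tree until a leaf label is reached."""
    while not isinstance(node, str):
        feat, threshold, left, right = node
        node = left if features[feat] <= threshold else right
    return node


@dataclass
class HoneyserviceController:
    history: dict = field(default_factory=lambda: defaultdict(deque))
    flagged: set = field(default_factory=set)
    alerts: list = field(default_factory=list)  # (ts, src, features) at detection time

    def observe(self, ts, src, dport, bytes_sent):
        """Record one connection, age out old ones, and re-classify the source."""
        q = self.history[src]
        q.append((ts, dport, bytes_sent))
        while q and ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        feats = extract_features(q)
        if classify(feats) == "recon" and src not in self.flagged:
            self.flagged.add(src)
            self.alerts.append((ts, src, feats))

    def banner(self, src, dport):
        """Version string to present to src on dport: decoy once the source is flagged."""
        if src in self.flagged and dport in DECOY_BANNERS:
            return DECOY_BANNERS[dport]
        return REAL_BANNERS.get(dport, "")


def demo():
    """Replay a constructed connection log: one normal HTTP client, one port scanner."""
    ctl = HoneyserviceController()
    events = [  # (timestamp, source, destination port, bytes sent by client); constructed
        (0.0, "10.0.0.5", 80, 512), (1.0, "10.0.0.5", 80, 640), (2.0, "10.0.0.5", 80, 300),
        (3.0, "10.0.0.99", 21, 0), (3.1, "10.0.0.99", 22, 0), (3.2, "10.0.0.99", 23, 0),
        (3.3, "10.0.0.99", 25, 0), (3.4, "10.0.0.99", 80, 0), (3.5, "10.0.0.99", 443, 0),
    ]
    for ev in events:
        ctl.observe(*ev)
    return {
        "client_http": ctl.banner("10.0.0.5", 80),
        "scanner_http": ctl.banner("10.0.0.99", 80),
        "scanner_ssh": ctl.banner("10.0.0.99", 22),
        "alerts": len(ctl.alerts),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two practical points follow from the design. First, the decoy changes only the advertised string; the patched service still handles every request, so an exploit aimed at the decoy version fails, and the attempt itself is the useful signal to log. Second, a false positive costs a legitimate client nothing but an odd banner, while a scanner that fingerprints protocol behaviour rather than banners may not be taken in, so the decoy is a tripwire, not a substitute for patching.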

Author information

Correspondence to Jonathan Voris.

Copyright information

© 2019 Springer Nature Switzerland AG

Cite this paper

Assawakomenkool, N., Patel, Y., Voris, J. (2019). Network Aware Defenses for Intrusion Recognition and Response (NADIR). In: Arai, K., Bhatia, R., Kapoor, S. (eds) Proceedings of the Future Technologies Conference (FTC) 2018. FTC 2018. Advances in Intelligent Systems and Computing, vol 881. Springer, Cham. https://doi.org/10.1007/978-3-030-02683-7_17
