
Wireless Networks, Volume 19, Issue 3, pp 301–321

Divided two-part adaptive intrusion detection system

  • Nawal A. Elfeshawy
  • Osama S. Faragallah

Abstract

The main objective of this paper is to design a more complete intrusion detection system solution. The paper presents an efficient approach for reducing the rate of alerts using a divided two-part adaptive intrusion detection system (DTPAIDS). The proposed DTPAIDS has a high degree of autonomy in tracking suspicious activity and detecting positive intrusions. It is designed to reduce the rate of false positive intrusion detections through two achievements. The first is an adaptive self-learning neural network, based on Radial Basis Function (RBF) neural networks, that gives the proposed DTPAIDS the ability to adapt automatically. The second is the division of the proposed intrusion detection system (IDS) into two parts. The first part, IDS1, is installed in front of the firewall and is responsible for checking each incoming user packet and deciding whether or not the packet is an attack. The second part, IDS2, is installed behind the firewall and is responsible for detecting only those attacks that passed the firewall. This proposed approach exhibits a lower false alarm rate when detecting novel attacks. The simulation tests are conducted using the DARPA 1998 dataset. The experimental results show that the proposed DTPAIDS (1) reduces the false positive rate, (2) detects intrusion occurrences sensitively and precisely, and (3) accurately self-adapts its diagnoser model, thus improving its detection accuracy.
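The two-part placement and the adaptive RBF detector described in the abstract, as an added illustration in Python that is not the paper's own code: a one-class RBF network whose Gaussian units are centred on normal-traffic feature vectors scores each packet; IDS1 scores every packet ahead of a port-based firewall rule, IDS2 scores only the packets the firewall lets through, and an alert that an analyst verifies as benign is absorbed as a new centre so the same pattern stops alerting. The two-dimensional feature vectors, the port allow-list, the unit width `sigma` and the alert threshold are all constructed for the example and are not values from the paper.

```python
"""Two-part IDS around a firewall with an adaptive one-class RBF scorer.

Added illustration, not the paper's code. Feature vectors, ports, sigma and
threshold are constructed for the example.
"""
import math


class RBFAnomalyDetector:
    """One-class RBF network: one Gaussian unit per normal-traffic centre,
    equal output weights. A packet whose mean activation falls below the
    threshold resembles no known-normal pattern and is flagged as an attack."""

    def __init__(self, sigma=1.0, threshold=0.3):
        self.sigma = sigma          # width of each Gaussian unit (constructed)
        self.threshold = threshold  # alert when activation is below this
        self.centres = []           # normal-traffic feature vectors

    def fit(self, normal_vectors):
        self.centres = [tuple(v) for v in normal_vectors]

    def activation(self, x):
        if not self.centres:
            return 0.0
        total = 0.0
        for c in self.centres:
            d2 = sum((a - b) ** 2 for a, b in zip(x, c))
            total += math.exp(-d2 / (2 * self.sigma ** 2))
        return total / len(self.centres)

    def is_attack(self, x):
        return self.activation(x) < self.threshold

    def learn_normal(self, x):
        """Adaptive step: after an alert is verified as benign, absorb the
        vector as a new centre so the same traffic pattern no longer alerts."""
        self.centres.append(tuple(x))


# Constructed feature vectors: (packets per second / 100, mean bytes / 1000).
NORMAL_TRAFFIC = [(0.2, 0.3), (0.3, 0.3), (0.25, 0.4), (0.2, 0.35)]

# Constructed firewall policy: only these destination ports are forwarded.
ALLOWED_PORTS = {22, 80, 443}

# Constructed packet stream: id, destination port, feature vector.
PACKETS = [
    {"id": "p1", "dst_port": 443, "features": (0.22, 0.33)},  # ordinary web traffic
    {"id": "p2", "dst_port": 23, "features": (5.0, 0.1)},     # flood at a blocked port
    {"id": "p3", "dst_port": 80, "features": (5.0, 0.1)},     # flood at an open port
    {"id": "p4", "dst_port": 80, "features": (1.8, 1.2)},     # unusual but benign burst
]


def run_pipeline(packets, ids1, ids2, allowed_ports):
    """IDS1 inspects every packet; the firewall drops disallowed ports;
    IDS2 inspects only what the firewall forwarded."""
    ids1_alerts, ids2_alerts, delivered = [], [], []
    for p in packets:
        if ids1.is_attack(p["features"]):
            ids1_alerts.append(p["id"])
        if p["dst_port"] not in allowed_ports:
            continue  # dropped by the firewall; IDS2 never sees it
        delivered.append(p["id"])
        if ids2.is_attack(p["features"]):
            ids2_alerts.append(p["id"])
    return {"ids1_alerts": ids1_alerts, "ids2_alerts": ids2_alerts,
            "delivered": delivered}


def demo():
    """Run the stream, then adapt IDS2 after p4 is verified as benign."""
    ids1, ids2 = RBFAnomalyDetector(), RBFAnomalyDetector()
    ids1.fit(NORMAL_TRAFFIC)
    ids2.fit(NORMAL_TRAFFIC)
    result = run_pipeline(PACKETS, ids1, ids2, ALLOWED_PORTS)
    benign_burst = (1.8, 1.2)
    result["before_adapt"] = ids2.activation(benign_burst)
    ids2.learn_normal(benign_burst)        # analyst marked p4 as a false positive
    result["after_adapt"] = ids2.activation(benign_burst)
    result["alerts_after_adapt"] = ids2.is_attack(benign_burst)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

IDS2 raises no alert for p2 because the firewall already dropped it, which is the alert-volume saving the abstract attributes to the split; p3, which crossed the firewall, is alerted by both parts, and p4 is alerted once, then silenced after adaptation.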

Keywords

Intrusion detection system (IDS); FPs; RBF neural network; Anomaly intrusion detection system; Misuse detection; Intrusion prevention system (IPS); Neural network


Copyright information

© Springer Science+Business Media, LLC 2012

Authors and Affiliations

  1. Department of Computer Science and Engineering, Faculty of Electronic Engineering, Minufiya University, Menouf, Egypt
