Attacks on web servers are becoming increasingly prevalent, and the social and economic impact of successful attacks is exacerbated by our dependency on web-based applications. Many attack detection and prevention schemes exist, but they must be carefully configured to ensure their efficacy. In this paper, we present a study of the challenges that arise in training network payload anomaly detection schemes that use collected network traffic for tuning and configuration. The advantage of anomaly-based intrusion detection lies in its potential for detecting zero-day attacks. Such schemes, however, require extensive training to properly model the normal characteristics of the system being protected. Usually, training is done with real data collected by monitoring the activity of the system. In practice, network operators or administrators may have only limited amounts of such data. This can happen because the system is newly deployed (or heavily modified), or because the content or behavior that defines its normal characterization has changed. We show that artificially generated packet payloads can be used to effectively augment training and tuning. We evaluate the method using real network traffic collected at a server site. We first illustrate the problem (highly variable and unsuitable training data resulting in false positive rates of 3.6 to 10%), then show the improvement obtained with the augmented training method (false positive rates as low as 0.2%). We also measure the impact on network performance and present a lookup-based optimization that improves latency and throughput.
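The training problem the abstract describes, as an added example that is not code from the paper: an Anagram-style byte n-gram presence model (score = fraction of a payload's byte n-grams never seen in training) stands in for the paper's payload model, which the abstract does not specify. The model is trained first on a deliberately narrow capture from a "newly deployed" server and then on that capture augmented with synthesized benign requests; the three captures, the path/query/user-agent vocabularies, the generator and its deterministic hold-out rule, and the anomalous sample are all constructed for the example.

```python
"""
Byte n-gram payload anomaly detector with training-set augmentation.

Added example; not the paper's own code.  An Anagram-style presence model
(score = fraction of byte n-grams never seen in training) is used as a simple
stand-in for the payload model the abstract does not specify.  Every payload,
vocabulary and split rule below is constructed for the example.
"""
from itertools import product

# Constructed "narrow" training set: three captures from a freshly deployed
# server, with no query strings and only two user agents.
NARROW_TRAIN = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /contact.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/8.0\r\n\r\n",
]

# Constructed vocabulary used to synthesize benign requests for augmentation.
PATHS = [b"/index.html", b"/about.html", b"/contact.html", b"/news.html",
         b"/products.html", b"/search.html", b"/login.html", b"/faq.html"]
QUERIES = [b"", b"?id=42", b"?page=2", b"?q=test", b"?lang=en"]
AGENTS = [b"Mozilla/5.0", b"curl/8.0", b"Wget/1.21", b"python-requests/2.31"]

# Constructed anomalous payload: an HTTP header followed by non-ASCII bytes,
# which this text-only service never sees in normal traffic.
ANOMALY = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\n"
           + bytes(range(0x80, 0x100)))


def build_request(path, query, agent):
    """Assemble one synthetic HTTP request from vocabulary parts."""
    return (b"GET " + path + query + b" HTTP/1.1\r\nHost: example.test\r\n"
            b"User-Agent: " + agent + b"\r\n\r\n")


def synthesize(holdout_every=5):
    """Generate every vocabulary combination and split it deterministically:
    combination (i, j, k) is held out as benign test traffic when
    (i + j + k) % holdout_every == 0, otherwise it augments the training set."""
    train, test = [], []
    for (i, p), (j, q), (k, a) in product(enumerate(PATHS), enumerate(QUERIES),
                                          enumerate(AGENTS)):
        bucket = test if (i + j + k) % holdout_every == 0 else train
        bucket.append(build_request(p, q, a))
    return train, test


def ngrams(payload, n):
    """Yield the overlapping byte n-grams of a payload."""
    return (payload[i:i + n] for i in range(len(payload) - n + 1))


class NgramModel:
    """Presence model: remembers every byte n-gram seen in training.
    A plain set is used here where a production system would use a Bloom filter."""

    def __init__(self, n=2, threshold=0.01):
        self.n, self.threshold, self.seen = n, threshold, set()

    def train(self, payloads):
        for p in payloads:
            self.seen.update(ngrams(p, self.n))
        return self

    def score(self, payload):
        """Fraction of the payload's n-grams never observed during training."""
        grams = list(ngrams(payload, self.n))
        return sum(g not in self.seen for g in grams) / max(len(grams), 1)

    def is_anomalous(self, payload):
        return self.score(payload) > self.threshold


def evaluate(n=2):
    """Return (false positives with narrow training, false positives with
    augmented training, number of benign test payloads, anomaly caught by the
    narrow model, anomaly caught by the augmented model)."""
    synth_train, benign_test = synthesize()
    narrow = NgramModel(n).train(NARROW_TRAIN)
    augmented = NgramModel(n).train(NARROW_TRAIN + synth_train)
    fp_narrow = sum(narrow.is_anomalous(p) for p in benign_test)
    fp_aug = sum(augmented.is_anomalous(p) for p in benign_test)
    return (fp_narrow, fp_aug, len(benign_test),
            narrow.is_anomalous(ANOMALY), augmented.is_anomalous(ANOMALY))


if __name__ == "__main__":
    fp_n, fp_a, total, caught_n, caught_a = evaluate()
    print(f"narrow training:    {fp_n}/{total} benign flagged, anomaly caught: {caught_n}")
    print(f"augmented training: {fp_a}/{total} benign flagged, anomaly caught: {caught_a}")
```

With these payloads (at most 93 bytes) the 1% threshold flags any request containing even one unseen n-gram, so the narrow model, which never saw a `?` or most of the digits and user agents, flags 31 of the 32 held-out benign requests while still catching the non-ASCII anomaly; the augmented model sees every n-gram the held-out combinations can produce, flags none of them, and still catches the anomaly. The drop in false positives mirrors the abstract's finding only qualitatively; the 3.6 to 10% and 0.2% figures come from the paper's real traffic, not from this toy data.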
In network intrusion detection, anomaly-based solutions complement signature-based solutions in mitigating zero-day attacks, but they require extensive training and learning to effectively model what the normal pattern of a given system (or service) looks like. Training typically happens off-line, where processing speed matters less than in the detection stage (which occurs on-line, in real time), but continuous analysis and retuning may be attractive depending on the deployment scenario. The computation required to automatically retune (or retrain) the system may compete for resources with other important system tasks, so a mechanism that allows retuning without affecting the actual system workload is important. In this paper, we describe a layered, simple statistics-based anomaly detection algorithm with a parallel implementation of the training algorithm. We focus on the use of graphics processing units (GPUs) to allow a cost-efficient implementation with minimal impact on CPU load, so that day-to-day server workloads are affected as little as possible. Our results show the potential for significant performance improvements.
Consumers and service providers are both becoming increasingly concerned about new, never-before-seen attacks. Anomaly-based intrusion prevention is an important part of cybersecurity, offering the possibility of detecting some zero-day attacks. Typically, detection speed and efficacy (in terms of true and false positives) are the criteria used to evaluate intrusion detection schemes. However, effective configuration (training and tuning) is critical for deploying such schemes in practice. As network traffic may shift over time, the ability to reconfigure quickly is needed to provide the level of security that future applications require. We present parallel-mapping and genetic-algorithm-based approaches that can be used to achieve rapid training and tuning for a highly efficient payload-based anomaly detection algorithm.