Anomaly‐based intrusion detection systems: The requirements, methods, measurements, and datasets

Hajj, Suzan; Sibai, Rayane El; Abdo, Jacques Bou; Demerjian, Jacques; Makhoul, Abdallah; Guyeux, Christophe

doi:10.1002/ett.4240

Cited by 30 publications

(11 citation statements)

References 112 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…They used Edited Nearest Neighbor (ENN) to identify the difficult set then applied the K-means algorithm to compress the majority in the difficult set, and finally augmented the data of the clusters to obtain the final sample. A more thorough discussion can be seen in our previous survey [ 28 ] and benchmarking [ 4 ] works where we investigated all data sampling strategies, their impact on detecting various attacks, and the behavior and robustness of features under various sampling strategies. We also looked at how the estimation of network features varies depending on the sampling method, sample size, and other factors, and how this affects statistical inference from these data.…”

Section: Related Workmentioning

confidence: 99%

Cross-Layer Federated Learning for Lightweight IoT Intrusion Detection Systems

Hajj

Azar

Abdo

et al. 2023

Sensors

Self Cite

View full text Add to dashboard Cite

With the proliferation of IoT devices, ensuring the security and privacy of these devices and their associated data has become a critical challenge. In this paper, we propose a federated sampling and lightweight intrusion-detection system for IoT networks that use K-meansfor sampling network traffic and identifying anomalies in a semi-supervised way. The system is designed to preserve data privacy by performing local clustering on each device and sharing only summary statistics with a central aggregator. The proposed system is particularly suitable for resource-constrained IoT devices such as sensors with limited computational and storage capabilities. We evaluate the system’s performance using the publicly available NSL-KDD dataset. Our experiments and simulations demonstrate the effectiveness and efficiency of the proposed intrusion-detection system, highlighting the trade-offs between precision and recall when sharing statistics between workers and the coordinator. Notably, our experiments show that the proposed federated IDS can increase the true-positive rate up to 10% when the workers and the coordinator collaborate.

show abstract

Section: Related Workmentioning

confidence: 99%

Cross-Layer Federated Learning for Lightweight IoT Intrusion Detection Systems

Hajj

Azar

Abdo

et al. 2023

Sensors

Self Cite

View full text Add to dashboard Cite

show abstract

“…Ahmed et al (2016) presented an in-depth analysis of four major categories of anomaly detection techniques, which include classification, statistical, information theory and clustering. Hajj et al (2021) gave a comprehensive overview of anomaly-based intrusion detection systems. Their article gives an overview of the requirements, methods, measurements and datasets that are used in an intrusion detection system.…”

Section: Literature Reviewsmentioning

confidence: 99%

Cyber risk and cybersecurity: a systematic review of data availability

Cremer

Sheehan

Fortmann

et al. 2022

Geneva Pap Risk Insur Issues Pract

145

View full text Add to dashboard Cite

Cybercrime is estimated to have cost the global economy just under USD 1 trillion in 2020, indicating an increase of more than 50% since 2018. With the average cyber insurance claim rising from USD 145,000 in 2019 to USD 359,000 in 2020, there is a growing necessity for better cyber information sources, standardised databases, mandatory reporting and public awareness. This research analyses the extant academic and industry literature on cybersecurity and cyber risk management with a particular focus on data availability. From a preliminary search resulting in 5219 cyber peer-reviewed studies, the application of the systematic methodology resulted in 79 unique datasets. We posit that the lack of available data on cyber risk poses a serious problem for stakeholders seeking to tackle this issue. In particular, we identify a lacuna in open databases that undermine collective endeavours to better manage this set of risks. The resulting data evaluation and categorisation will support cybersecurity researchers and the insurance industry in their efforts to comprehend, metricise and manage cyber risks.

show abstract

“…Unfortunately, AIDS tend to generate a high rate of false alarms since defining and updating the normal behaviors' profiles is not an easy task. Indeed, it is a serious challenge that has raised numerous research efforts [6][7][8]. At any rate, anomaly detection has the potential to detect unknown attacks, which makes AIDS a natural complement of SIDS in hybrid systems [9] able to detect known and 0-day attacks [8].…”

Section: Introductionmentioning

confidence: 99%

On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attacks

et al. 2022

View full text Add to dashboard Cite

Signature-based Intrusion Detection Systems (SIDS) play a crucial role within the arsenal of security components of most organizations. They can find traces of known attacks in the network traffic or host events for which patterns or signatures have been pre-established. SIDS include standard packages of detection rulesets, but only those rules suited to the operational environment should be activated for optimal performance. However, some organizations might skip this tuning process and instead activate default off-the-shelf rulesets without understanding its implications and trade-offs. In this work, we help gain insight into the consequences of using predefined rulesets in the performance of SIDS. We experimentally explore the performance of three SIDS in the context of web attacks. In particular, we gauge the detection rate obtained with predefined subsets of rules for Snort, ModSecurity and Nemesida using seven attack datasets. We also determine the precision and rate of alert generated by each detector in a real-life case using a large trace from a public webserver. Results show that the maximum detection rate achieved by the SIDS under test is insufficient to protect systems effectively and is lower than expected for known attacks. Our results also indicate that the choice of predefined settings activated on each detector strongly influences its detection capability and false alarm rate. Snort and ModSecurity scored either a very poor detection rate (activating the less-sensitive predefined ruleset) or a very poor precision (activating the full ruleset). We also found that using various SIDS for a cooperative decision can improve the precision or the detection rate, but not both. Consequently, it is necessary to reflect upon the role of these open-source SIDS with default configurations as core elements for protection in the context of web attacks. Finally, we provide an efficient method for systematically determining which rules deactivate from a ruleset to significantly reduce the false alarm rate for a target operational environment. We tested our approach using Snort’s ruleset in our real-life trace, increasing the precision from 0.015 to 1 in less than 16 h of work.

show abstract

Anomaly‐based intrusion detection systems: The requirements, methods, measurements, and datasets

Cited by 30 publications

References 112 publications

Cross-Layer Federated Learning for Lightweight IoT Intrusion Detection Systems

Cross-Layer Federated Learning for Lightweight IoT Intrusion Detection Systems

Cyber risk and cybersecurity: a systematic review of data availability

On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attacks

Contact Info

Product

Resources

About