Publication


Featured research published by Faeiz Alserhani.


advanced information networking and applications | 2010

MARS: Multi-stage Attack Recognition System

Faeiz Alserhani; Monis Akhlaq; Irfan-Ullah Awan; Andrea J. Cullen; Pravin Mirchandani

Network Intrusion Detection Systems (NIDS) are considered essential mechanisms to ensure reliable security. An intrusive model is used in signature-based NIDS by defining attack patterns and applying signature matching to incoming traffic packets. Thousands of signatures and rules are created to specify different attacks and variations of a single attack. As a result, an enormous amount of data with low efficiency is produced that overwhelms the network administrator. Most of the generated alerts are false positives; this is due to the redundancy caused by the detection techniques and to low-level processing capacity. Moreover, detection of novel and multi-stage attacks is not efficiently achieved by the current systems. Hence, a high-level view of the attacker’s behaviour has become a pressing demand. Alert correlation techniques have been widely used to provide intelligent and stateful detection methodologies. This is to understand attack steps and predict the expected sequence of events. However, most of the proposed systems are based on rule libraries specified by security experts, which is a cumbersome and error-prone task. Other methods are based on statistical models; these are unable to identify causal relationships between the events. In this paper, we identify the limitations of the current techniques and propose a framework for alert correlation that overcomes these shortcomings. An improved “cause and effect” model will be presented, cooperating with a statistical model to achieve a higher detection rate with minimum false positives. A knowledge-based model with vulnerability and extensional consequence parameters has been developed to provide a manageable and meaningful graph. The proposed system is evaluated using DARPA 2000 and collected real-life data sets. The results have shown an improvement with respect to detection rate and reduction of false positives.


information assurance and security | 2009

Evaluating Intrusion Detection Systems in High Speed Networks

Faeiz Alserhani; Monis Akhlaq; Irfan-Ullah Awan; John Mellor; Andrea J. Cullen; Pravin Mirchandani

The recent era has witnessed a tremendous increase in the usage of computer network applications. Users of any type and requirement are compelled to be on a network. Today, the computer has become a network machine rather than a standalone system. This has generated challenges to network security devices in terms of accuracy and reliability. Intrusion Detection Systems (IDS) are designed for the security needs of networks. Existing Network Intrusion Detection Systems (NIDS) are found to be limited in performance and utility, especially once subjected to heavy traffic conditions. It has been observed that NIDS become less effective even when presented with a bandwidth of a few hundred megabits per second. In this work, we have endeavored to identify the causes which lead to the unsatisfactory performance of NIDSs. In this regard, we have conducted an extensive performance evaluation of an open source intrusion detection system (Snort). This has been done on a highly sophisticated test-bench with different traffic conditions. We have also used different hardware and software platforms to determine the efficacy of the NIDS under test. Finally, in our results/analysis, we have identified the factors responsible for the limited performance of Snort. We have also recommended a few solutions for improving the performance of Snort.


ieee international conference on progress in informatics and computing | 2010

Detection of coordinated attacks using alert correlation model

Faeiz Alserhani; Monis Akhlaq; Irfan Awan; Andrea J. Cullen

Alert correlation techniques have been widely used to provide intelligent and stateful detection methodologies. This is to understand attack steps and predict the expected sequence of events. However, most of the proposed systems are based on rule-based mechanisms, which are tedious and error-prone. Other methods are based on statistical modeling; these are unable to identify causal relationships between the events. In this paper, an improved “requires/provides” model is presented which establishes a cooperation between a statistical and a knowledge-based model, to achieve a higher detection rate with minimal false positives. A knowledge-based model with vulnerability and extensional conditions provides manageable and meaningful attack graphs. The proposed model has been implemented in real time and has successfully generated security events on establishing a correlation between attack signatures. The system has been evaluated to detect one of the most serious multi-stage attacks in cyber crime, the botnet. Zeus Botnet is analyzed within the realm of simulated malicious activities normally used by cyber criminals.


advanced information networking and applications | 2009

Empowered Certification Authority in VANETs

Monis Akhlaq; Baber Aslam; Faeiz Alserhani; Irfan-Ullah Awan; John Mellor

The current research on privacy assurance in Vehicular Ad hoc Networks (VANETs) by pseudonym generation and network accountability through revocation has not achieved the desired results. Our research has identified the problems associated with the current techniques. We have revisited the pseudonym generation concept to address the privacy needs of the network. In order to improve the efficiency of the network and restrict misbehaving/faulty nodes, we have also proposed a more practical approach for certificate revocation. The work has enhanced the role of the certification authority in all network activities. This has restricted the disputed independence of network nodes, and the nodes are now bound to approach the certification authority regularly for necessary updates and changes. This would also ensure timely revocation of faulty nodes and increase network security.


international symposium on computer modeling, measurement and evaluation | 2011

Implementation and evaluation of network intrusion detection systems

Monis Akhlaq; Faeiz Alserhani; Irfan Awan; John Mellor; Andrea J. Cullen; Abdullah Al-Dhelaan

A performance evaluation of Network Intrusion Detection Systems (NIDS) has been carried out to identify their limitations in a high-speed environment. This has been done by employing evasive and avoidance strategies simulating real-life normal and attack traffic flows on a sophisticated test-bench. Snort, an open source Intrusion Detection System, has been selected as the evaluation platform. In this paper, Snort has been evaluated on host and virtual configurations using different operating systems and hardware implementations. The evaluation methodology is based on the concept of stressing the system by injecting various traffic loads (packet sizes, bandwidth and attack signatures) and analyzing its packet handling and detection capacity. We have observed a few performance issues with Snort which have resulted in packet drops and a low detection rate. Finally, we have analyzed the factors responsible for this and have recommended techniques to improve the system's packet handling and detection capability.


computer and information technology | 2010

High Speed NIDS using Dynamic Cluster and Comparator Logic

Monis Akhlaq; Faeiz Alserhani; Ahsan Subhan; Irfan Awan; John Mellor; Pravin Mirchandani

Cluster technology has witnessed a tremendous inception in the computing world. The technique integrates standard computing resources to generate more processing power and other hardware strengths. The collection of interconnected stand-alone computers ensures high availability, increased throughput, scalability and improved performance. We have developed a dynamic cluster-based approach for high-speed Network Intrusion Detection Systems (NIDS) using refined policy-based routing. The front end of the cluster is the load balancer, which distributes the traffic among cluster nodes according to a predefined policy. Our proposed logic ensured maximum utilization of cluster resources by exchanging state information, load sharing, reducing data loss and performing a recovery evaluation procedure to maximize overall efficiency. Our rule-based load balancing technique, which uses switchovers to prevent system overloading, has shown quality results. We have further integrated the concept of Comparator Logic to recover the lost traffic in case of switchovers. The retrieved data is re-evaluated by a recovery NIDS, thus maximizing the system efficiency. Snort, an open source NIDS, has been used on account of being the de-facto IDS standard. Finally, our results ratify the adoption of a cluster-based approach in the NIDS environment using commodity hardware. We have validated the concept by analyzing the performance in different traffic conditions, packet sizes, configurations and bandwidths. Our results showed a significant improvement of the system in terms of packet handling/analyzing capacity and can be considered a good contribution to the cluster-based adoption of NIDS.


international conference on information security | 2009

Virtualization Efficacy for Network Intrusion Detection Systems in High Speed Environment

Monis Akhlaq; Faeiz Alserhani; Irfan-Ullah Awan; John Mellor; Andrea J. Cullen; Pravin Mirchandani

The virtualization concept was developed a few decades back to facilitate the sharing of expensive and robust mainframe hardware among different applications. In the current scenario, virtualization has gone through a conceptual transformation from cost effectiveness to resource sharing. The research community has found virtualization to be reliable, multipurpose and adaptable. This has enabled a single system to dynamically map its resources among multiple instances of operating systems running numerous applications. The concept has been adopted on platforms dealing with network performance, application analysis, system design, network security and storage issues. This research work has focussed on analysing the efficacy of the virtualization concept for Network Intrusion Detection Systems (NIDS) in the high-speed environment. We have selected an open source NIDS, Snort, for evaluation. Snort has been evaluated on virtual systems built on Windows XP SP2, Linux 2.6 and FreeBSD 7.1 platforms. The test-bench is considered to be extremely sophisticated, ensuring current-day network requirements. The evaluation has been targeted at the packet-handling capacity of operating systems/applications (Snort) under different traffic conditions and on similar hardware platforms. Our results have identified a strong performance limitation of NIDS running on virtual platforms. It can be easily ascertained that virtual platforms are not ideal for NIDS in high-speed environments. Finally, the analysis has also identified the factors responsible for the unsatisfactory performance of IDS (Snort) on a virtual platform.


international conference on information security | 2009

Smart Logic - Preventing Packet Loss in High Speed Network Intrusion Detection Systems

Ahsan Subhan; Monis Akhlaq; Faeiz Alserhani; Irfan-Ullah Awan; John Mellor; Andrea J. Cullen; Pravin Mirchandani

Network Intrusion Detection Systems (NIDS) have gained substantial importance in today’s network security infrastructure. The performance of these devices in modern-day traffic conditions is, however, found to be limited. It has been observed that the systems could hardly remain effective for a bandwidth of a few hundred megabits per second. Packet drop has been considered the major bottleneck in performance. We have identified a strong performance limitation of an open source Intrusion Detection System (IDS), Snort, in [1, 2]. Snort was found to be dependent on the host machine configuration. The response of Snort under heavy traffic conditions has opened a debate on its implementation and usage. We have developed the Smart Logic component to reduce the impact of packet drop in NIDS when subjected to heavy traffic volume. The proposed architecture utilizes packet capturing techniques applied at various processing stages shared between the NIDS and packet handling applications. The designed architecture regains the lost traffic by a comparison between the analysed packets and the input stream using Smart Logic. The recaptured packets are then re-evaluated by a serialized IDS mechanism, thus reducing the impact of packet loss incurred in the routine implementation. The designed architecture has been implemented and tested on a scalable and sophisticated test bench replicating modern-day network traffic. Our effort has shown a noticeable improvement in the performance of Snort and has significantly improved its detection capacity.


OTM '09 Proceedings of the Confederated International Workshops and Posters on On the Move to Meaningful Internet Systems: ADI, CAMS, EI2N, ISDE, IWSSA, MONET, OnToContent, ODIS, ORM, OTM Academy, SWWS, SEMELS, Beyond SAWSDL, and COMBEK 2009 | 2009

Virtualization in Network Intrusion Detection Systems

Monis Akhlaq; Faeiz Alserhani; Irfan-Ullah Awan; Andrea J. Cullen; John Mellor; Pravin Mirchandani

This research work has focussed on analysing the efficacy of the virtualization concept for Network Intrusion Detection Systems (NIDS) in the high-speed environment. We have selected an open source NIDS, Snort, for evaluation. Snort has been evaluated on virtual systems built on Windows XP SP2, Linux 2.6 and FreeBSD 7.1 platforms. Our results have identified a strong performance limitation of NIDS running on virtual platforms. It can be concluded that virtualization is not an ideal solution for NIDS in high-speed environments.


advanced information networking and applications | 2011

Event-Based Alert Correlation System to Detect SQLI Activities

Faeiz Alserhani; Monis Akhlaq; Irfan-Ullah Awan; Andrea J. Cullen

Collaboration


Top Co-Authors

Irfan Awan

University of Bradford

John Mellor

University of Bradford

Baber Aslam

National University of Sciences and Technology