Publication


Featured research published by Hassen Sallay.


Rough Sets and Knowledge Technology | 2013

Anomaly Intrusion Detection Using Incremental Learning of an Infinite Mixture Model with Feature Selection

Wentao Fan; Nizar Bouguila; Hassen Sallay

We propose an incremental nonparametric Bayesian approach for clustering. Our approach is based on a Dirichlet process mixture of generalized Dirichlet (GD) distributions. Unlike classic clustering approaches, our model does not require the number of clusters to be pre-defined. Moreover, an unsupervised feature selection scheme is integrated into the proposed nonparametric framework to improve clustering performance. By learning the proposed model using an incremental variational framework, the number of clusters as well as the feature weights can be automatically and simultaneously computed. The effectiveness and merits of the proposed approach are investigated on a challenging application, namely anomaly intrusion detection.


Network Computing and Applications | 2013

A Real Time Adaptive Intrusion Detection Alert Classifier for High Speed Networks

Hassen Sallay; Adel Ammar; Majdi Ben Saad; Sami Bourouis

With the emergence of High Speed Networks (HSN), manual intrusion alert detection becomes an extremely laborious and time-consuming task, since it requires experienced, skilled staff in security fields and needs deep analysis. In addition, the batch model of alert management is no longer adequate, given that labeling is a continuous-time process, since incoming intrusion alerts are often collected continuously in time. Furthermore, the static model is no longer appropriate due to the fluctuating nature of the number of alerts, incurred by the fluctuating nature of Internet traffic. This paper proposes an efficient real-time adaptive intrusion detection alert classifier dedicated to high speed networks. Our classifier is based on an online self-trained SVM algorithm with several learning strategies and execution modes. We evaluate our classifier against three different data sets, and the performance study shows excellent results in terms of accuracy and efficiency. The predictive local learning strategy presents a good tradeoff between accuracy and processing time. In addition, it does not involve human intervention, which makes it an excellent solution that satisfies high speed network alert management challenges.


Journal of Ubiquitous Systems and Pervasive Networks | 2011

Survey on Architectures and Communication Libraries dedicated for High Speed Networks

Ouissem Ben Fredj; Hassen Sallay; Mohsen Rouached; Adel Ammar; Khalid Al-Shalfan; Majdi Ben Saad

This paper studies the evolution of high performance computing (HPC) and its trends. It exposes the different architectures used in HPC, the common high-speed networks, the programming models, the communications models, and the communication libraries.


International Journal of Information Security and Privacy | 2014

An Efficient Intrusion Alerts Miner for Forensics Readiness in High Speed Networks

Aymen Akremi; Hassen Sallay; Mohsen Rouached

The Intrusion Detection System (IDS) is considered a core tool in the collection of forensically relevant evidentiary data in real or near real time from the network. The emergence of High Speed Networks (HSN) and Service Oriented Architecture/Web Services (SOA/WS) put the IDS in the face of a typical big data management problem. The log files that the IDS generates are enormous, making the forensics readiness process very fastidious and both compute and memory intensive. Furthermore, the high rate of wrong alerts complicates the forensics expert's alert analysis, and it disproves its performance, efficiency and ability to select the most relevant evidence to attribute attacks to criminals. In this context, we propose Alert Miner (AM), an intrusion alert classifier, which efficiently classifies, in near real time, the intrusion alerts in HSN for Web services. AM uses an outlier detection technique based on an adaptive deduced association rules set to classify the alerts automatically and without human assistance. AM reduces false positive alerts without losing high sensitivity (up to 95%) and accuracy (up to 97%). Therefore AM facilitates the alert analysis process and allows the investigators to focus their analysis on the most critical alerts on a near real-time scale and to postpone less critical alerts for an off-line log analysis.


International Conference on Web Services | 2013

RESTful Web Services for High Speed Intrusion Detection Systems

Mohsen Rouached; Hassen Sallay

Since current heterogeneous Intrusion Detection Systems (IDSs) have not been designed to work in a cooperative manner, sharing security information among them poses a serious challenge, especially in large-scale High Speed Network (HSN) environments. The integration becomes more difficult when we should reduce computing and memory costs incurred by the high speed IDSs communication. Fortunately, Web Services technology represents a good choice for IDS integration thanks to its characteristics such as platform transparency and loose coupling. In this context, this paper presents a lightweight RESTful communication model for coordinating different high speed distributed IDSs. Experimental results show an important gain in terms of exchanged data size and transmission time.


International Journal of Information Security and Privacy | 2011

Wild-Inspired Intrusion Detection System Framework for High Speed Networks f

Hassen Sallay; Mohsen Rouached; Adel Ammar; Ouissem Ben Fredj; Khalid Al-Shalfan; Majdi Ben Saad

While the rise of the Internet and the high speed networks made information easier to acquire, faster to exchange and more flexible to share, it also made the cybernetic attacks and crimes easier to perform, more accurate to hit the target victim and more flexible to conceal the crime evidences. Although people are in an unsafe digital environment, they often feel safe. Being aware of this fact and this fiction, the authors draw in this paper a security framework aiming to build real-time security solutions in the very narrow context of high speed networks. This framework is called f|p since it is inspired by the elephant self-defense behavior which yields p 22 security tasks for 7 security targets.


International Conference on Systems Engineering | 2015

Web Service Intrusion Detection Using a Probabilistic Framework

Hassen Sallay; Sami Bourouis; Nizar Bouguila

In this paper, we propose an anomaly-based approach to detect intrusion attempts that may target web services. These intrusions (or attacks) are modeled as outliers (or noise) within a principled probabilistic framework. The proposed framework is based on finite Gaussian mixtures and allows the detection of both previously seen and unknown attacks against web services. The main idea of our framework is based on the consideration of malicious requests as outliers within our finite mixture model. Using this idea, the intrusion detection problem is reduced to an adversarial classification problem. The merits of the proposed approach are shown using a data set containing both normal and intrusive requests, which were collected from a large real-life web service.


Business Information Systems | 2014

A service oriented communication model for high speed intrusion detection systems

Mohsen Rouached; Hassen Sallay

The growing need for information sharing among different networks poses a great security challenge. One of the key aspects of this challenge is deploying intrusion detection systems (IDSs) that can operate in heterogeneous and large scale environments. This is particularly difficult because the majority of existing IDSs are not designed to work in a cooperative fashion. The integration becomes more difficult when we should reduce computing and memory costs incurred by the high speed IDSs communication. Service oriented architecture (SOA) is one of the key paradigms that enables the deployment of services at large-scale over the internet domain and its integration with IDSs may open new pathways for novel applications and research. Characteristics such as platform transparency and loose coupling make the web services technology a good choice for IDS integration. In this context, this paper presents a lightweight RESTful communication model for coordinating different entities of a high speed distributed IDS.


Business Information Systems | 2014

A semantic QoS-aware web services composition framework

Mohsen Rouached; Hassen Sallay

Composition of web services has received much interest to support business-to-business or enterprise application integration. However, for this composition to be effective, web services should be semantically described and developed tools must enable to select appropriate services based on functional requirements that deal with the desired functionality of the composite service, and non-functional concerns that relate to issues like performance and availability. This presents a challenging task due to the increasing number of available web services with their descriptions remaining in the syntactic level. In this paper, we propose a semantic QoS-aware web services composition framework. This framework considers a two-stage composition process. An abstract composition stage consists in semantically constructing a composition of available services that provides the desired functionality. Then, a concrete composition stage turns the abstract plan into an executable composition by selecting the appropriate web service instances based on QoS parameters.


Archive | 2009

A scalable distributed IDS Architecture for High speed Networks

Hassen Sallay; Khalid Al-Shalfan; Ouissem Ben Fred
