Konstantinos G. Kyriakopoulos

Manual and Automatic assigned thresholds in multi-layer data fusion intrusion detection system for 802.11 attacks

Abuse attacks on wireless networks are becoming increasingly sophisticated. Most of the recent research on intrusion detection systems for wireless attacks either focuses on just one layer of observation or uses a limited number of metrics without proper data fusion techniques. However, the true status of a network is rarely accurately detectable by examining only one network layer. The goal of this study is to detect injection types of attacks in wireless networks by fusing multi-metrics using the Dempster–Shafer (D–S) belief theory. When combining beliefs, an important step to consider is the automatic and self-adaptive process of basic probability assignment (BPA). This study presents a comparison between manual and automatic BPA methods using the D–S technique. Custom tailoring BPAs in an optimum manner under specific network conditions could be extremely time consuming and difficult. In contrast, automatic methods have the advantage of not requiring any prior training or calibration from an administrator. The results show that multi-layer techniques perform more efficiently when compared with conventional methods. In addition, the automatic assignment of beliefs makes the use of such a system easier to deploy while providing a similar performance to that of a manual system.

A live system for wavelet compression of high speed computer network measurements

Monitoring high-speed networks for a long period of time produces a high volume of data, making the storage of this information practically inefficient. To this end, there is a need to derive an efficient method of data analysis and reduction in order to archive and store the enormous amount of monitored traffic.

Automatic Dataset Labelling and Feature Selection for Intrusion Detection Systems

Correctly labelled datasets are commonly required. Three particular scenarios are highlighted, which showcase this need. When using supervised Intrusion Detection Systems (IDSs), these systems need labelled datasets to be trained. Also, the real nature of the analysed datasets must be known when evaluating the efficiency of the IDSs when detecting intrusions. Another scenario is the use of feature selection that works only if the processed datasets are labelled. In normal conditions, collecting labelled datasets from real networks is impossible. Currently, datasets are mainly labelled by implementing off-line forensic analysis, which is impractical because it does not allow real-time implementation. We have developed a novel approach to automatically generate labelled network traffic datasets using an unsupervised anomaly based IDS. The resulting labelled datasets are subsets of the original unlabelled datasets. The labelled dataset is then processed using a Genetic Algorithm (GA) based approach, which performs the task of feature selection. The GA has been implemented to automatically provide the set of metrics that generate the most appropriate intrusion detection results.

An automatic and self-adaptive multi-layer data fusion system for WiFi attack detection

Wireless networks are becoming susceptible to increasingly more sophisticated threats. Most of the current intrusion detection systems IDSs that employ multi-layer techniques for mitigating network attacks offer better performance than IDSs that employ single layer approach. However, few of the current multi-layer IDSs could be used off-the-shelf without prior thorough training with completely clean datasets or a fine tuning period. Dempster-Shafer theory has been used with the purpose of combining beliefs of different metric measurements across multiple layers. However, an important step to be investigated remains open; this is to find an automatic and self-adaptive process of basic probability assignment BPA. This paper describes a novel BPA methodology able to automatically adapt its detection capabilities to the current measured characteristics, without intervention from the IDS administrator. We have developed a multi-layer-based application able to classify individual network frames as normal or malicious with perfect detection accuracy.

Fusing multi-layer metrics for detecting security attacks in 802.11 networks

Computer networks and more specifically wireless communication networks are increasingly becoming susceptible to more sophisticated and untraceable attacks. Most of the current Intrusion Detection Systems either focus on just one layer of observation or use a limited number of metrics without proper data fusion techniques. However, the true status of a network, is rarely accurately detectable by examining only one network layer or metric. Ideally, a synergistic approach would require knowledge from various layers to be fused and, collectively, an ultimate decision to be taken. To this aim, the Dempster-Shafer (D-S) approach is examined as a data fusion algorithm that combines beliefs of multiple metrics across multiple layers. This paper describes the methodology of using metrics from multiple layers of wireless communication networks for detecting wireless security breaches. The metrics are analysed and compared to historical data and each gives a belief of whether an attack takes place or not. The beliefs from different metrics are fused with the D-S technique with the ultimate goal of limiting false alarms by combining beliefs from various network layers. The results show that cross-layer techniques and data fusion perform more efficiently in a variety of situations compared to conventional methods.

An on-line wireless attack detection system using multi-layer data fusion

Computer networks and more specifically wireless communication networks are increasingly becoming susceptible to more sophisticated and untraceable attacks. Most of the current Intrusion Detection Systems either focus on just one layer of observation or use a limited number of metrics without proper data fusion techniques. However, the true status of a network is rarely accurately detectable by examining only one network layer. This paper describes a synergistic approach of fusing decisions of whether an attack takes place by using multiple measurements from different layers of wireless communication networks. The described method is implemented on a live system that monitors a wireless network in real time and gives an indication of whether a malicious frame exists or not. This is achieved by analysing specific metrics and comparing them against historical data. The proposed system assigns for each metric a belief of whether an attack takes place or not. The beliefs from different metrics are fused with the Dempster-Shafer technique with the ultimate goal of limiting false alarms by combining beliefs from various network layers. The on-line experimental results show that cross-layer techniques and data fusion perform more efficiently compared to conventional methods.

Challenges in the capture and dissemination of measurements from high-speed networks

The production of a large-scale monitoring system for a high-speed network leads to a number of challenges. These challenges are not purely technical but also socio-political and legal. The number of stakeholders in such monitoring activity is large including the network operators, the users, the equipment manufacturers and, of course, the monitoring researchers. The MASTS project (measurement at all scales in time and space) was created to instrument the high-speed JANET Lightpath network and has been extended to incorporate other paths supported by JANET(UK). Challenges the project has faced included: simple access to the network; legal issues involved in the storage and dissemination of the captured information, which may be personal; the volume of data captured and the rate at which these data appear at store. To this end, the MASTS system will have established four monitoring points each capturing packets on a high-speed link. Traffic header data will be continuously collected, anonymised, indexed, stored and made available to the research community. A legal framework for the capture and storage of network measurement data has been developed which allows the anonymised IP traces to be used for research purposes.

Using the pattern-of-life in networks to improve the effectiveness of intrusion detection systems

As the complexity of cyber-attacks keeps increasing, new and more robust detection mechanisms need to be developed. The next generation of Intrusion Detection Systems (IDSs) should be able to adapt their detection characteristics based not only on the measureable network traffic, but also on the available highlevel information related to the protected network to improve their detection results. We make use of the Pattern-of-Life (PoL) of a network as the main source of high-level information, which is correlated with the time of the day and the usage of the network resources. We propose the use of a Fuzzy Cognitive Map (FCM) to incorporate the PoL into the detection process. The main aim of this work is to evidence the improved the detection performance of an IDS using an FCM to leverage on network related contextual information. The results that we present verify that the proposed method improves the effectiveness of our IDS by reducing the total number of false alarms; providing an improvement of 9.68% when all the considered metrics are combined and a peak improvement of up to 35.64%, depending on particular metric combination.

A Framework for Cross-Layer Measurements in Wireless Networks

This paper formulates a framework for wireless network performance measurements with the scope of being as generic as possible. The methodology utilises a cross-layer approach in order to address the limitations of traditional layered techniques. A lot of work in the research community uses the channel power (Cp) to predict performance metrics in higher layers. There are currently two methods to measure Cp; either by using a spectrum analyser or from WiFi card information (RSSI). The paper discusses the correct configuration of a spectrum analyser (SA), to measure Cp. This paper, also provides a comparison of both SA and RSSI results produced inside an anechoic chamber for three different applications. The behaviour of the RSSI values showed significant discrepancy with both the SA results and what was intuitively expected. The results pinpoint the necessity of a cross-layer approach and the importance of carefully selected and positioned equipment for the accuracy of the measurements.

Using Pattern-of-Life as Contextual Information for Anomaly-Based Intrusion Detection Systems

As the complexity of cyber-attacks keeps increasing, new robust detection mechanisms need to be developed. The next generation of Intrusion Detection Systems (IDSs) should be able to adapt their detection characteristics based not only on the measureable network traffic, but also on the available high-level information related to the protected network. To this end, we make use of the Pattern-of-Life (PoL) of a computer network as the main source of high-level information. We propose two novel approaches that make use of a Fuzzy Cognitive Map (FCM) to incorporate the PoL into the detection process. There are four main aims of the work. First, to evaluate the efficiency of the proposed approaches in identifying the presence of attacks. Second, to identify which of the proposed approaches to integrate an FCM into the IDS framework produces the best results. Third, to identify which of the metrics used in the design of the FCM produces the best detection results. Fourth, to evidence the improved detection performance that contextual information can offer in IDSs. The results that we present verify that the proposed approaches improve the effectiveness of our IDS by reducing the total number of false alarms; providing almost perfect detection rate (i.e., 99.76%) and only 6.33% false positive rate, depending on the particular metric combination.