
Publication


Featured research published by Norbik Bashah Idris.


soft computing and pattern recognition | 2009

Improved Intrusion Detection System Using Fuzzy Logic for Detecting Anamoly and Misuse Type of Attacks

Bharanidharan Shanmugam; Norbik Bashah Idris

Currently available intrusion detection systems focus mainly on determining uncharacteristic system events in distributed networks using a signature-based approach. Due to its limitation in finding novel attacks, we propose a hybrid model based on improved fuzzy and data mining techniques, which can detect both misuse and anomaly attacks. The aim of our research is to reduce the amount of data retained for processing, i.e., the attribute selection process, and also to improve the detection rate of the existing IDS using a data mining technique. We then use an improved Kuok fuzzy data mining algorithm, which is in turn a modified version of the APRIORI algorithm, for implementing fuzzy rules, which allows us to construct if-then rules that reflect common ways of describing security attacks. We applied a fuzzy inference engine using the Mamdani inference mechanism with three variable inputs for faster decision making. The proposed model has been tested and benchmarked against the DARPA 1999 data set for its efficiency and also tested against the “live” networking environment inside the campus, and the results have been discussed.


ieee international conference on communication software and networks | 2011

A parallel technique for improving the performance of signature-based network intrusion detection system

Farzaneh Izak Shiri; Bharanidharan Shanmugam; Norbik Bashah Idris

Nowadays, organizations discover that it is essential to protect their valuable information and internal resources from unauthorized access, such as by deploying a firewall. A firewall could prevent unauthorized access, but it cannot monitor network attacks. Another network security tool, such as an intrusion detection system, is necessary to perform monitoring of network activities. With the recent trend of high-speed networks, a large volume of data should be analyzed and processed with high-speed infrastructure. To promote the performance of network intrusion detection systems and reduce the processing time of the traffic, present studies on network intrusion detection systems for high-speed networks focus on parallel techniques as an alternative. In this paper, a kind of parallelism is proposed to improve the performance of a signature-based intrusion detection system. The experimental results show that by the use of two signature-based network intrusion detection systems running Snort in parallel with a portion of packets and a subset of rules, and distributing the traffic between them, the processing time of the traffic will be reduced. Consequently, the performance of the system will be improved.


international conference on communication systems and network technologies | 2012

Alert Correlation Using a Novel Clustering Approach

Ashara Banu Mohamed; Norbik Bashah Idris; Bharanidharan Shanmugam

Since the birth of Intrusion Detection System (IDS) technology, the most significant implementation problem has been the enormous number of alerts generated by the IDS sensors. Moreover, due to this obtrusive predicament, two other problems have emerged, which are the difficulty in processing the alerts accurately and also the decrease in performance rate in terms of time and memory capacity while processing these alerts. Thus, based on the specified problems, the purpose of our overall research is to construct a holistic solution that is able to reduce the number of alerts to be processed and at the same time to produce high-quality attack scenarios that are meaningful to the administrators in a timely manner. However, for the purpose of this paper we will present our proposed clustering method, architectured solely with the intention of reducing the amount of alerts generated by IDS. The clustering method was tested against live data from a cyber attack monitoring unit that uses the SNORT engine to capture the alerts. The result obtained from the experiment is very promising; the clustering algorithm was able to reduce about 86.9% of the alerts used in the experiment. From the result we are able to highlight the contribution to practitioners in an actual working environment.


Archive | 2011

Hybrid Intrusion Detection Systems (HIDS) using Fuzzy Logic

Bharanidharan Shanmugam; Norbik Bashah Idris

With the rapid growth of interconnected computers, the crime rate has also increased, and the ways to mitigate those crimes have become an important problem now. Across the entire globe, organizations, higher learning institutions and governments are completely dependent on computer networks, which play a major role in their daily operations. Hence the necessity for protecting those networked systems has also increased. Cyber crimes like compromised servers, phishing and sabotage of privacy information have increased in the recent past. It need not be a massive intrusion; instead, a single intrusion can result in the loss of highly privileged and important data. Intrusion behaviour can be classified based on different attack types. Smart intruders will not attack using a single attack; instead, they will perform the attack by combining a few different attack types to deceive the detection system at the gateway. As a countermeasure, computational intelligence can be applied to intrusion detection systems to realize the attacks, alert the administrator about the form and severity, and also to take any predetermined or adaptive measures to dissuade the intrusion.


asia-pacific software engineering conference | 2003

Re-documenting, visualizing and understanding software system using DocLike Viewer

Shahida Sulaiman; Norbik Bashah Idris; Shamsul Sahibuddin

Visualizing the artifacts of a software system graphically has proven to improve the cognitive strategies and understanding of the subject system by programmers. This is more crucial when they need to maintain a software system with out-dated documentation or without system documentation at all. Many tools have emerged, and they predominantly consist of a reverse engineering environment and a viewer to visualize software artifacts, such as in the form of graphs. The tools also grant structural redocumentation of an existing software system, but they do not directly utilize document-like software visualization in their approaches. We propose the DocLike modularized graph (DMG) method, which represents the software architectures of a reverse engineered subject system graphically in a modularized and standardized document-like manner. To realize this method, we have built a prototype tool called DocLike Viewer that enables a user to redocument, visualize and comprehend a subject system written in the C language that is parsed by an existing parser. From the experiment conducted, we found that our method managed to statistically improve cognition of a subject system in terms of productivity and quality to solve certain types of maintenance tasks.


International Journal of Computer Applications | 2012

An Operational Framework for Alert Correlation using a Novel Clustering Approach

Ashara Banu Mohamed; Norbik Bashah Idris; Bharanidharan Shanmugam

The Intrusion Detection System (IDS) is a well-known security feature and is widely implemented among practitioners. However, since the creation of IDS, the enormous number of alerts generated by the detection sensors has always been a setback in the implementation environment. Moreover, due to this obtrusive predicament, two other problems have emerged, which are the difficulty in processing the alerts accurately and also the decrease in performance rate in terms of time and memory capacity while processing these alerts. Thus, based on the specified problems, the purpose of our overall research is to construct a holistic solution that is able to reduce the number of alerts to be processed and at the same time to produce high-quality attack scenarios that are meaningful to the administrators in a timely manner. In this paper we will present our proposed framework together with the result of our novel clustering method, architectured solely with the intention of reducing the amount of alerts generated by IDS. The clustering method was tested against two datasets: a globally used dataset, DARPA, and a live dataset from a cyber attack monitoring unit that uses the SNORT engine to capture the alerts. The result obtained from the experiment is very promising; the clustering algorithm was able to reduce about 86.9% of the alerts used in the experiment. From the result we are able to highlight the contribution to practitioners in an actual working environment.


world congress on information and communication technologies | 2011

Analysis and detection of P2P Botnet connections based on node behaviour

Mohammad Reza Rostami; Bharanidharan Shanmugam; Norbik Bashah Idris

The fast development of computers, and especially the Internet, has caused many issues for its users as well as its benefits. Nowadays, cyber criminals are utilizing Botnets to reach their goals. They have noticed that a centralized structure is detected quickly. Hence, Peer-to-Peer Botnets are the most recent kind of Botnets, and they apply encryption as well as rootkit capabilities to avoid being detected. In addition, they mimic the performance of P2P software such as BitTorrent to make it hard to distinguish healthy packets from malicious packets in a large dataset. The proposed method is based on the correlation of the Process Name with the Ports as well as the Network Traffic. In the existing Operating Systems, every process is assigned a number that is called a Port. By using this unique port and the process name, our experimental results show an acceptable rate of detection.


Ksii Transactions on Internet and Information Systems | 2013

A unified trust model for pervasive environments - simulation and analysis

Hamed Khiabani; Norbik Bashah Idris; Jamalul Lail Ab Manan

Ubiquitous interaction in a pervasive environment is the main attribute of smart spaces. Pervasive systems are weaving themselves into our daily life, making it possible to collect user information invisibly, in an unobtrusive manner, by known and even unknown parties. The huge number of interactions between users and pervasive devices necessitates a comprehensive trust model which unifies different trust factors like context, recommendation, and history to calculate the trust level of each party precisely. Trusted computing enables effective solutions to verify the trustworthiness of computing platforms. In this paper, we elaborate the Unified Trust Model (UTM), which calculates an entity’s trustworthiness based on history, recommendation, context and platform integrity measurement, and formally use these factors in the trustworthiness calculation. We evaluate UTM behaviour by simulating it in different scenario experiments using a Trust and Reputation Models Simulator for Wireless Sensor Networks. We show that UTM offers responsive behaviour and can be used effectively in low interaction environments.


international conference on computer communications | 2014

A case study for the cloud computing security threats in a governmental organization

Sameer Hasan Albakri; Bharanidharan Shanmugam; Ganthan Narayana Samy; Norbik Bashah Idris; Azuan Ahmed

Cloud computing is not just a service of computing or how the computing service is delivered. It is transforming the computing landscape, which means many big technical, economic and business changes will happen. Cloud computing has emerged with a promise to decrease the cost of computing implementation and deliver computing as a service, where the client pays only for what he needed and used. On the other hand, many security concerns arise with cloud computing. This paper introduces a practical study of cloud computing security threats. This study was conducted on a real SaaS provider with more than one thousand and five hundred clients for 285 days.


international conference on robotics and automation | 2012

A Brief Introduction to Intrusion Detection System

Ashara Banu Mohamed; Norbik Bashah Idris; Bharanidharan Shanmugam

An Intrusion Detection System (IDS) is a security system that acts as a protection layer to the infrastructure. Throughout the years, IDS technology has grown enormously to keep up with the advancement of computer crime. Since the beginning of the technology in the mid 80’s, research has been conducted to enhance the capability of detecting attacks without jeopardizing the network performance. In this paper we hope to provide a critical review of the IDS technology, issues that transpire during its implementation and the limitations in the IDS research endeavors. Lastly, we will propose future work while exploring the maturity of the topic, the extent of discussion, and the value and contribution of each research to the domain discussed. At the end of this paper, readers would be able to clearly distinguish the gap between each sub-area of research and they would appreciate the importance of these research areas to the industry.

Collaboration

Top Co-Authors

Suhaimi Ibrahim (Universiti Teknologi Malaysia)

Ganthan Narayana Samy (Universiti Teknologi Malaysia)

Sameer Hasan Albakri (Universiti Teknologi Malaysia)

Ashara Banu Mohamed (Universiti Teknologi Malaysia)

Aziz Deraman (National University of Malaysia)

Azuan Ahmed (Universiti Teknologi Malaysia)

Shahida Sulaiman (Universiti Teknologi Malaysia)