Waqas Haider
University of New South Wales
Publication
Featured research published by Waqas Haider.
Conference on Industrial Electronics and Applications | 2015
Waqas Haider; Jiankun Hu; Miao Xie
Host-based anomaly detection systems (HADS) serve as the second line of defense after cyber attacks have penetrated the network-level defense. The major components of a reliable HADS include an enriched data source (DS), computationally efficient data feature retrieval (DFR), and an accurate and fast decision engine (DE). ADFA-LD is a recently published data set which reflects the invisible threat environment of modern computer systems. The existing HADS utilizing ADFA-LD as DS exhibit high computational cost at DFR and inferior performance of the DE in real time. The major drawback is the inability to acquire representative features from host activities. To confront this drawback, in this paper a statistical strategy for integer data, inspired by character data zero-watermarking, is developed at DFR to extract hidden reliable or representative features from the system calls of the trace. At DE, three supervised machine learning classifiers, support vector machine (SVM) with linear and radial basis function (RBF) kernels and k-nearest neighbor (KNN), are evaluated across detection rate (DR), false alarm rate (FAR) and computational time. The numerical trials validate that the suggested statistical feature extraction strategy at DFR and KNN at DE can attain acceptable performance in real time.
International Conference on Cyber Security and Cloud Computing | 2015
Waqas Haider; Jiankun Hu; Xinghuo Yu; Yi Xie
The generation of a representative computer system behavior profile from system calls in Linux environments, to establish reliable Host-Based Anomaly Detection Systems (HADS) against Next Generation Attacks (NGA), is a challenge for two major reasons. Firstly, NGA leave a low footprint on host activities, and consequently attack activities are difficult to distinguish from normal computer processes in terms of accuracy and processing time. Secondly, there is no effective method to extract the natural difference between the two types of system call traces (e.g. normal or abnormal). For these reasons, a semi-supervised model is proposed, which is comprised of two parts. Firstly, to establish an unsupervised computer behavior classification, an integer data zero-watermarking algorithm is developed to extract an abstract hidden representation of system calls. This hidden representation constitutes the natural difference between attack and normal computer system behavior in real time. Secondly, various supervised Machine Learning (ML) algorithms and normalizations are realized with the proposed hidden representation of the system calls to evaluate the semi-supervised model in HADS. To evaluate the performance in terms of accuracy and processing time, the publicly available benchmark host-based data sets ADFA-LD and KDD 98 have been utilized. Each data set is a collection of traces of processes, and each trace comprises a process's system calls. Experimental results show that the suggested semi-supervised model outperforms existing methodologies in terms of accuracy and processing time for the detection of low and high footprint attacks.
Future Internet | 2016
Waqas Haider; Gideon Creech; Yi Xie; Jiankun Hu
The Windows Operating System (OS) is the most popular desktop OS in the world, as it has the majority market share of both servers and personal computing necessities. However, as its default signature-based security measures are ineffectual for detecting zero-day and stealth attacks, it needs an intelligent Host-based Intrusion Detection System (HIDS). Unfortunately, a comprehensive data set that reflects the modern Windows OS’s normal and attack surfaces is not publicly available. To fill this gap, in this paper two open data sets generated by the cyber security department of the Australian Defence Force Academy (ADFA) are introduced, namely: Australian Defence Force Academy Windows Data Set (ADFA-WD); and Australian Defence Force Academy Windows Data Set with a Stealth Attacks Addendum (ADFA-WD: SAA). Statistical analysis results based on these data sets show that, due to the low footprints of modern attacks and the high similarity of normal and attacked data, both these data sets are complex, and highly intelligent Host-based Anomaly Detection Systems (HADS) design will be required.
Journal of Network and Computer Applications | 2017
Waqas Haider; Jiankun Hu; Jill Slay; Benjamin Turnbull; Yi Xie
Prior to deploying any intrusion detection system, it is essential to obtain a realistic evaluation of its performance. However, the major problem currently faced by the research community is the lack of any realistic evaluation dataset and of a systematic metric for quantifying the quality of realism of any intrusion detection system dataset. It is difficult to access and collect data from real-world enterprise networks due to business continuity and integrity issues. In response to this, in this paper, firstly, a metric using a fuzzy logic system based on the Sugeno fuzzy inference model for evaluating the quality of the realism of existing intrusion detection system datasets is proposed. Secondly, based on the proposed metric results, a synthetically realistic next generation intrusion detection systems dataset is designed and generated, and a preliminary analysis is conducted to assist in the design of future intrusion detection systems. This generated dataset consists of both normal and abnormal reflections of current network activities occurring at critical cyber infrastructure levels in various enterprises. Finally, using the proposed metric, the generated dataset is analyzed to assess the quality of its realism, and compared with publicly available intrusion detection system datasets to verify its superiority.
Highlights:
A fuzzy qualitative modeling based metric is proposed for evaluating the quality of an IDS dataset.
A new IDS dataset is generated over a multimillion scale Cyberrange testbed and provided publicly.
The proposed fuzzy qualitative modeling based metric is applied to the proposed and existing major public IDS datasets to assess their quality of realism and to demonstrate the capability of the proposed metric in examining the quality of an IDS dataset.
IEEE Transactions on Big Data | 2017
Waqas Haider; Jiankun Hu; Yi Xie; Xinghuo Yu; Qianhong Wu
Anomaly detection for cloud servers is important for detecting zero-day attacks. However, it is very challenging due to the large amount of accumulated data. In this paper, a new mathematical model for modeling dynamic usage behavior and detecting anomalies is proposed. It is constructed using state summarization and a novel nested-arc hidden semi-Markov model (NAHSMM). State summarization is designed to extract usage behavior reflective states from a raw sequence. The NAHSMM is comprised of exterior and interior hidden Markov chains. The exterior controls the propagation of raw sequences of system calls and, conditional on it, the interior one controls the summarized observation process from the transition less usage behavior reflective states. An anomaly detection algorithm is derived by integrating state summarization and NAHSMM. During training the algorithm is assisted by a forensic module to tune the behavioral threshold. Experimental data is collected using IXIA Perfect Storm in conjunction with the commercial security-test hardware platform cyber range. To evaluate the reliability of the proposed model, first, its accuracy and training costs are compared with those of existing machine-learning models and then its scalability and resistance capabilities are tested. The results indicate that this model could be used as a method for detecting anomalies in cloud servers.
Archive | 2012
Mudassar Raza; Muhammad Shahzad Iqbal; Muhammad Sharif; Waqas Haider
Computer Engineering and Intelligent Systems | 2011
Waqas Haider; Muhammad Sharif; Mudassar Raza
Archive | 2013
Waqas Haider; Muhammad Sharif; Mudassar Raza; Abdul Wahab; Jamal Hussain; Ahmed Khan; Umar Zia
Int'l J. of Communications, Network and System Sciences | 2012
Waqas Haider; Muhammad Sharif Malik; Mudassar Raza; Abdul Wahab; Izhar Ahmed Khan; Umar Zia; Jawad Tanveer; Hadia Bashir
Archive | 2011
Muhammad Sharif; Maryum Murtaza; Waqas Haider; Mudassar Raza