Intelligent intrusion detection system
Main author: | Marques, Fernando Emanuel Ferreira |
---|---|
Publication date: | 2021 |
Document type: | Dissertation |
Language: | eng |
Source title: | Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
Full text: | http://hdl.handle.net/10773/33939 |
Abstract: | Currently, many personal machines and network systems suffer some type of computer attack, with possible motivations including abuse of computing power, information tampering or vandalism. Despite the existence of intrusion detection systems, there are barriers to their application in real scenarios, such as the difficulty of tracing user behavioral profiles, the ability of various attacks to camouflage themselves in network traffic, and the time it takes to recognize the signatures used by new attacks. Behavioral profiling has been studied in several areas, such as social networks, recommendation systems, medical health and user authentication. This dissertation proposes an anomaly detection system based on the behavioral analysis of a user on the network. After extracting network traffic metrics related to the network and transport layers of the OSI model, features are computed and used as input to learning models such as the One-Class Support Vector Machine. The work was developed using two types of network traffic: user traffic and anomaly traffic. User traffic, considered normal traffic, was captured in a corporate environment using a switch with port mirroring. To test the models in the detection task, two types of anomaly were considered: manipulation of information by transferring files, and executing commands remotely in the terminal via an SSH session. In a first phase, the anomaly traffic was generated in isolation, to simulate a scenario in which the intrusion is the only active traffic on the network. For the file transfer anomaly, the results obtained show a perfect F1-score with no false positives. In a second phase, the anomaly traffic is camouflaged with the user's normal traffic, in a scenario where the anomaly occurs while there is external activity on the network. The results show that the anomaly is clearly harder to detect: for the mixed file transfer anomaly, the F1-score is 0.010 and the false-positive rate is 0.86 %. |
id | RCAP_728297a161bc882720f5f1576f53764a |
---|---|
oai_identifier_str | oai:ria.ua.pt:10773/33939 |
network_acronym_str | RCAP |
network_name_str | Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
repository_id_str | 7160 |
spelling | Intelligent intrusion detection system; Monitoring; Network traffic analysis; User behavior analysis; Intrusion detection systems; Machine learning; Anomaly detection; English and Portuguese abstract (same text as the abstract at the top of this record); 2022-05-23T10:17:04Z; 2021-12-22T00:00:00Z; 2021-12-22; info:eu-repo/semantics/publishedVersion; info:eu-repo/semantics/masterThesis; application/pdf; http://hdl.handle.net/10773/33939; eng; Marques, Fernando Emanuel Ferreira; info:eu-repo/semantics/openAccess; reponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos); instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação; instacron:RCAAP; 2024-02-22T12:05:18Z; oai:ria.ua.pt:10773/33939; Portal AgregadorONG; https://www.rcaap.pt/oai/openaire; opendoar:7160; 2024-03-20T03:05:17.248181; Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação; false |
dc.title.none.fl_str_mv | Intelligent intrusion detection system |
title | Intelligent intrusion detection system |
spellingShingle | Intelligent intrusion detection system; Marques, Fernando Emanuel Ferreira; Monitoring; Network traffic analysis; User behavior analysis; Intrusion detection systems; Machine learning; Anomaly detection |
title_short | Intelligent intrusion detection system |
title_full | Intelligent intrusion detection system |
title_fullStr | Intelligent intrusion detection system |
title_full_unstemmed | Intelligent intrusion detection system |
title_sort | Intelligent intrusion detection system |
author | Marques, Fernando Emanuel Ferreira |
author_facet | Marques, Fernando Emanuel Ferreira |
author_role | author |
dc.contributor.author.fl_str_mv | Marques, Fernando Emanuel Ferreira |
dc.subject.por.fl_str_mv | Monitoring; Network traffic analysis; User behavior analysis; Intrusion detection systems; Machine learning; Anomaly detection |
topic | Monitoring; Network traffic analysis; User behavior analysis; Intrusion detection systems; Machine learning; Anomaly detection |
publishDate | 2021 |
dc.date.none.fl_str_mv | 2021-12-22T00:00:00Z; 2021-12-22; 2022-05-23T10:17:04Z |
dc.type.status.fl_str_mv | info:eu-repo/semantics/publishedVersion |
dc.type.driver.fl_str_mv | info:eu-repo/semantics/masterThesis |
format | masterThesis |
status_str | publishedVersion |
dc.identifier.uri.fl_str_mv | http://hdl.handle.net/10773/33939 |
url | http://hdl.handle.net/10773/33939 |
dc.language.iso.fl_str_mv | eng |
language | eng |
dc.rights.driver.fl_str_mv | info:eu-repo/semantics/openAccess |
eu_rights_str_mv | openAccess |
dc.format.none.fl_str_mv | application/pdf |
dc.source.none.fl_str_mv | reponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos); instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação; instacron:RCAAP |
instname_str | Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação |
instacron_str | RCAAP |
institution | RCAAP |
reponame_str | Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
collection | Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
repository.name.fl_str_mv | Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação |
repository.mail.fl_str_mv | |
_version_ | 1799137707828445184 |