Intelligent intrusion detection system

Bibliographic details
Main author: Marques, Fernando Emanuel Ferreira
Publication date: 2021
Document type: Dissertation (master's thesis)
Language: eng
Source title: Repositório Científico de Acesso Aberto de Portugal (Repositórios Científicos)
Full text: http://hdl.handle.net/10773/33939
Abstract: Currently, many personal machines and network systems suffer some type of computer attack, with possible motivations related to abuse of computing power, information tampering or vandalism. Despite the existence of intrusion detection systems, there are barriers to their application in real scenarios, such as the difficulty of tracing user behavioral profiles, the ability of various attacks to camouflage themselves in network traffic, and the time it takes to recognize the signatures used by new attacks. Behavioral profiling has been researched in several areas, such as social networks, recommendation systems, medical health and user authentication. This dissertation proposes an anomaly detection system based on the behavioral analysis of a user on the network. After extracting network traffic metrics from the network and transport layers of the OSI model, features are computed and used as input to learning models such as the One-Class Support Vector Machine. The work was developed using two types of network traffic: user traffic and anomaly traffic. User traffic, taken as normal traffic, was captured using a switch with port mirroring in a corporate environment. To test the models in the detection task, two types of anomalies were considered: manipulation of information by transferring files, and remote execution of commands in the terminal over an SSH session. In a first phase, the anomaly traffic was generated in isolation, to simulate a scenario in which the intrusion is the only active traffic on the network. For the file transfer anomaly, the results obtained have a perfect F1-score with no false positives. In a second phase, anomaly traffic is camouflaged within the user's normal traffic, in a scenario where the anomaly occurs while there is other activity on the network. The results demonstrate that the anomaly is clearly more difficult to detect in this case: for the mixed file transfer anomaly, the F1-score is 0.010 and the percentage of false positives is 0.86 %.
Keywords: Monitoring; Network traffic analysis; User behavior analysis; Intrusion detection systems; Machine learning; Anomaly detection
Access: open access (info:eu-repo/semantics/openAccess)