ACTIDS: an active strategy for detecting and localizing network attacks

Authors:
Eitan Menahem;Yuval Elovici;Nir Amar;Gabi Nakibly
Affiliations:
Ben-Gurion University of the Negev, Be'er Sheva, Israel;Ben-Gurion University of the Negev, Be'er Sheva, Israel;Ben-Gurion University of the Negev, Be'er Sheva, Israel;Rafael -- Advanced Defense Systems Ltd., Hifa, Israel
Venue:
Proceedings of the 2013 ACM workshop on Artificial intelligence and security
Year:
2013

Citing 29
Cited 0

The Strength of Weak Learnability

Machine Learning
On the self-similar nature of Ethernet traffic (extended version)

IEEE/ACM Transactions on Networking (TON)
A heuristic approach for solving decentralized-POMDP: assessment on the pursuit problem

Proceedings of the 2002 ACM symposium on Applied computing
Measuring ISP topologies with rocketfuel

Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications
The Complexity of Decentralized Control of Markov Decision Processes

Mathematics of Operations Research
Combining One-Class Classifiers

MCS '01 Proceedings of the Second International Workshop on Multiple Classifier Systems
Change-Point Monitoring for the Detection of DoS Attacks

IEEE Transactions on Dependable and Secure Computing
Sensor management using an active sensing approach

Signal Processing
Mining anomalies using traffic feature distributions

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Impact of packet sampling on anomaly detection metrics

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Data Mining: Practical Machine Learning Tools and Techniques, Second Edition (Morgan Kaufmann Series in Data Management Systems)

Data Mining: Practical Machine Learning Tools and Techniques, Second Edition (Morgan Kaufmann Series in Data Management Systems)
Robust monitoring of link delays and faults in IP networks

IEEE/ACM Transactions on Networking (TON)
Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes

IEEE Transactions on Dependable and Secure Computing
Intrusion detection in computer networks by a modular ensemble of one-class classifiers

Information Fusion
An overview of the OMNeT++ simulation environment

Proceedings of the 1st international conference on Simulation tools and techniques for communications, networks and systems & workshops
Energy-Efficient Area Monitoring for Sensor Networks

Computer
Troika - An improved stacking schema for classification tasks

Information Sciences: an International Journal
Taming decentralized POMDPs: towards efficient policy computation for multiagent settings

IJCAI'03 Proceedings of the 18th international joint conference on Artificial intelligence
Intrusion Detection Based on One-class SVM and SNMP MIB Data

IAS '09 Proceedings of the 2009 Fifth International Conference on Information Assurance and Security - Volume 02
Layered Approach Using Conditional Random Fields for Intrusion Detection

IEEE Transactions on Dependable and Secure Computing
Efficient active probing for fault diagnosis in large scale and noisy networks

INFOCOM'10 Proceedings of the 29th conference on Information communications
Outside the Closed World: On Using Machine Learning for Network Intrusion Detection

SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
A scalable, efficient and informative approach for anomaly-based intrusion detection systems: theory and practice

International Journal of Network Management
A Framework for Monitoring SIP Enterprise Networks

NSS '10 Proceedings of the 2010 Fourth International Conference on Network and System Security
A distributed and privacy-preserving method for network intrusion detection

OTM'10 Proceedings of the 2010 international conference on On the move to meaningful internet systems: Part II
Joint optimization of monitor location and network anomaly detection

LCN '10 Proceedings of the 2010 IEEE 35th Conference on Local Computer Networks
Metric anomaly detection via asymmetric risk minimization

SIMBAD'11 Proceedings of the First international conference on Similarity-based pattern recognition
The ORCHIDS intrusion detection tool

CAV'05 Proceedings of the 17th international conference on Computer Aided Verification
Combining one-class classifiers via meta learning

Proceedings of the 22nd ACM international conference on Conference on information & knowledge management

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this work we investigate a new approach for detecting attacks which aim to degrade the network's Quality of Service (QoS). To this end, a new network-based intrusion detection system (NIDS) is proposed. Most contemporary NIDSs take a passive approach by solely monitoring the network's production traffic. This paper explores a complementary approach in which distributed agents actively send out periodic probes. The probes are continuously monitored to detect anomalous behavior of the network. The proposed approach takes away much of the variability of the network's production traffic that makes it so difficult to classify. This enables the NIDS to detect more subtle attacks which would not be detected using the passive approach alone. Furthermore, the active probing approach allows the NIDS to be effectively trained using only examples of the network's normal states, hence enabling an effective detection of zero day attacks. Using realistic experiments, we show that an NIDS which also leverages the active approach is considerably more effective in detecting attacks which aim to degrade the network's QoS when compared to an NIDS which relies solely on the passive approach.