Design of Network Intrusion Detection Systems: An Effective Alarm Generation Perspective

dc.contributor.author: Hubballi, Neminath
dc.date.accessioned: 2015-09-16T10:09:48Z
dc.date.accessioned: 2023-10-20T04:36:39Z
dc.date.available: 2015-09-16T10:09:48Z
dc.date.available: 2023-10-20T04:36:39Z
dc.date.issued: 2011
dc.description: Supervisor: Sukumar Nandi and Santosh Biswas
dc.description.abstract: An Intrusion Detection System (IDS), hardware or software that monitors network or host activity for malicious behaviour, is an indispensable component of system security. An IDS that examines network activity is called a network-based IDS; one that examines host activity is called a host-based IDS. Signature-based and event-based IDSs can detect only known attacks, whereas anomaly-based systems can detect both known and unknown attacks. An IDS is characterized by many parameters, namely effectiveness, efficiency, ease of use, security, transparency, interoperability, etc. The thesis focuses on effectiveness, also called effective alarm generation, for all variants of network-based IDS, namely signature-based, event-based, header-anomaly-based and payload-anomaly-based systems.

In a signature-based IDS most of the alarms generated are false positives, because signatures are generic and an alarm is raised for all attack traffic that matches a signature, irrespective of whether the attack could actually exploit a vulnerability on the target. To address this issue, a false-positive filtering scheme for signature-based IDS is proposed that correlates alarms with network context information. As an enhancement to this filter, the criticality of the application targeted by an attack is examined before the corresponding alarm, estimated to be a false positive, is eliminated.

There is a certain class of known attacks for which signatures cannot be written, so signature-based IDSs cannot detect them. A novel event-based IDS is proposed for such attacks using the failure detection and diagnosis theory of discrete event systems; its working is illustrated on Address Resolution Protocol (ARP) based attacks.

In header-anomaly-based IDSs, fairly high Detection Rate and Accuracy can be achieved for attacks detectable from header statistics. When the datasets to be processed by such systems are large, data summarization algorithms are applied; however, Detection Rate and Accuracy are lower in systems that use data summarization than in those that do not. A header-anomaly-based IDS that handles voluminous network traffic while maintaining high Detection Rate and Accuracy is proposed.

Effective alarm generation is more involved in payload-anomaly-based IDSs than in their header-based counterparts, and becomes harder still when the training dataset contains impurities. An impurity-tolerant payload-anomaly-based IDS is proposed using n-gram based statistical models; tolerance is achieved by using higher-order n-grams and retaining their frequency information.
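Worked example (added here; this is not code from the thesis and does not claim to reproduce its scheme) of the false-positive filtering idea for signature-based IDS described in the abstract: each alarm is correlated with network context (does the target host actually run the platform and service the signature is written for?), and an alarm estimated to be a false positive is still kept when the targeted application is marked critical. The signature identifiers, hosts, services and criticality labels are constructed for the demonstration.

```python
"""Context-aware false-positive filter for signature-based IDS alarms.

Added example, not code from the thesis. Signature identifiers, hosts,
services and criticality labels below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alarm:
    sid: str                 # signature identifier (constructed)
    dst_ip: str
    dst_port: int
    affects_os: str          # platform the signature's attack applies to
    affects_service: str     # service/application the attack applies to


@dataclass
class Host:
    os: str
    services: dict = field(default_factory=dict)   # port -> service name
    critical: frozenset = frozenset()              # services deemed critical


# Constructed asset inventory: the "network context" alarms are correlated with.
ASSETS = {
    "10.0.0.5": Host("linux", {22: "ssh", 80: "apache"}, frozenset({"apache"})),
    "10.0.0.9": Host("windows", {445: "smb", 3389: "rdp"}),
}


def classify(alarm: Alarm, assets: dict) -> tuple:
    """Return ('keep' | 'drop', reason) for one alarm."""
    host = assets.get(alarm.dst_ip)
    if host is None:
        # No context for this target: nothing to correlate with, so fail safe.
        return "keep", "target not in inventory"
    service = host.services.get(alarm.dst_port)
    if host.os == alarm.affects_os and service == alarm.affects_service:
        return "keep", "target runs the affected platform and service"
    # Estimated false positive: the matched attack cannot succeed against what
    # is actually running there. Before dropping it, check how critical that
    # application is (the enhancement described in the abstract).
    if service in host.critical:
        return "keep", "estimated false positive but targeted application is critical"
    return "drop", "target does not run the affected platform/service"


def filter_alarms(alarms, assets=ASSETS):
    """Split alarms into (kept, dropped) lists of (sid, reason)."""
    kept, dropped = [], []
    for a in alarms:
        verdict, reason = classify(a, assets)
        (kept if verdict == "keep" else dropped).append((a.sid, reason))
    return kept, dropped


# Constructed alarms exercising each branch of the filter.
DEMO_ALARMS = [
    Alarm("SIG-0001", "10.0.0.9", 445, "windows", "smb"),   # real exposure
    Alarm("SIG-0002", "10.0.0.5", 80, "windows", "iis"),    # wrong platform, critical app
    Alarm("SIG-0003", "10.0.0.5", 22, "windows", "rdp"),    # wrong platform, non-critical
    Alarm("SIG-0004", "10.0.0.77", 80, "linux", "apache"),  # host unknown to inventory
]

if __name__ == "__main__":
    kept, dropped = filter_alarms(DEMO_ALARMS)
    for sid, reason in kept:
        print("RAISE   ", sid, "-", reason)
    for sid, reason in dropped:
        print("SUPPRESS", sid, "-", reason)
```

The filter only ever suppresses an alarm when it has positive evidence that the target does not match the signature's precondition; unknown hosts and critical applications are deliberately kept, since the cost of a suppressed true positive is higher than that of one more alert to triage.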
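Worked example (added here; not code from the thesis, and the exact model used there is not reproduced) of the payload-anomaly idea in the last paragraph: an n-gram profile that keeps frequency counts tolerates a training capture contaminated with an attack-like request, because the impurity's n-grams occur too rarely to be accepted as normal, whereas a presence-only model learns the impurity as benign; comparing n=1 with n=3 also shows why higher-order n-grams separate the attack better. All training and test payloads are constructed HTTP request lines, not captured traffic.

```python
"""n-gram payload anomaly model with impurity tolerance.

Added example, not code from the thesis. Training and test payloads are
constructed HTTP requests.
"""
from collections import Counter


def ngrams(payload: bytes, n: int):
    """Yield all overlapping byte n-grams of the payload."""
    return (payload[i:i + n] for i in range(len(payload) - n + 1))


class NgramProfile:
    """Frequency profile of byte n-grams seen in training payloads."""

    def __init__(self, n: int):
        self.n = n
        self.counts = Counter()

    def train(self, payloads):
        for p in payloads:
            self.counts.update(ngrams(p, self.n))
        return self

    def score(self, payload: bytes, min_count: int = 1) -> float:
        """Fraction of the payload's n-grams seen fewer than min_count times
        in training. min_count=1 degenerates to a presence-only model that
        treats anything seen even once (including impurities) as normal."""
        grams = list(ngrams(payload, self.n))
        if not grams:
            return 0.0
        rare = sum(1 for g in grams if self.counts[g] < min_count)
        return rare / len(grams)


def request(path: str) -> bytes:
    """Constructed HTTP request for a given path."""
    return (f"GET {path} HTTP/1.1\r\nHost: www.example.test\r\n"
            f"User-Agent: Mozilla/5.0\r\n\r\n").encode()


BENIGN_PATHS = ["/index.html", "/about.html", "/contact.html", "/images/logo.png",
                "/css/site.css", "/js/app.js", "/products/list", "/products/item",
                "/login", "/search?q=shoes"]
# Each benign request is seen three times (repeat visits); one attack-like
# request slipped into the training capture (the "impurity").
IMPURITY = request("/cgi-bin/x?cmd=;cat+/etc/passwd")
TRAINING = [request(p) for p in BENIGN_PATHS for _ in range(3)] + [IMPURITY]


def demo_scores() -> dict:
    """Score a known-benign request and the attack-like request under
    presence-only vs frequency-aware and 1-gram vs 3-gram settings."""
    p3 = NgramProfile(3).train(TRAINING)
    p1 = NgramProfile(1).train(TRAINING)
    benign = request("/about.html")
    attack = IMPURITY  # the same attack shows up again at detection time
    return {
        "benign_3gram_freq": p3.score(benign, min_count=3),
        "attack_3gram_presence": p3.score(attack, min_count=1),
        "attack_3gram_freq": p3.score(attack, min_count=3),
        "attack_1gram_freq": p1.score(attack, min_count=3),
    }


if __name__ == "__main__":
    for name, value in demo_scores().items():
        print(f"{name:24s} {value:.3f}")
```

With a presence-only 3-gram model the attack scores 0.0, since every one of its n-grams was seen during (contaminated) training. Requiring a minimum frequency restores a clear separation: the benign request still scores 0.0, while roughly a third of the attack's 3-grams are rare. The 1-gram model cannot do the same, because almost every individual byte of the attack also occurs in benign traffic.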
dc.identifier.other: ROLL NO. 06610105
dc.identifier.uri: https://gyan.iitg.ac.in/handle/123456789/249
dc.language.iso: en
dc.relation.ispartofseries: TH-1076;
dc.subject: COMPUTER SCIENCE AND ENGINEERING
dc.title: Design of Network Intrusion Detection Systems: An Effective Alarm Generation Perspective
dc.type: Thesis
Files
Original bundle: TH-1076_NHUBBALLI.pdf (9.26 MB, Adobe Portable Document Format)
License bundle: license.txt (1.71 KB, Plain Text)