Data Driven Countermeasures in Computer Networks

  • Author / Creator
    Mostafa, Ahmed M
  • Network connectivity is an indispensable component of almost any computer-related activity. Nearly every computer-like device is connected to some network, which is in turn connected to other networks. Technological advances let users connect any device and run multiple applications, so the complexity of network systems keeps growing. Because almost all devices are connected, practically any attempt to break into a device or a system takes place over a computer network: networks and their connected devices are the targets of intrusions. The increased dependency on computer systems and the growing number of malicious activities put pressure on governmental, industrial and private institutions to deploy security systems capable of monitoring and analyzing network traffic and detecting malicious or suspicious activity. The research topic of Intrusion Detection therefore becomes of special importance. Intrusion Detection involves two processes: detecting cyber attacks using well-known attack patterns (Signature Detection, Signature ID), or identifying anomalous behaviour of network traffic (Anomaly Detection, Anomaly ID). Recently, a hybrid approach has emerged that tries to harvest the advantages of both signature and anomaly detection. Despite their promising prospects, hybrid Intrusion Detection Systems (IDSs) still need to demonstrate their usefulness and good performance. Some of the open problems relate to the lack of: 1) a detailed representation of network traffic that allows small differences in traffic to be recognized and non-standard cyber attacks to be detected; and 2) accurately labelled data containing different cases of anomalies and attacks. In this thesis, we propose a Two-stage Hybrid Intrusion Detection System able to detect anomalies and attacks and to report its findings to a security administrator.
The system includes three sub-systems: 1) a Network Data Collecting and Processing (NetDataCoP) Module; 2) an Anomaly Detection Module; and 3) a Signature Detection Module. To design this system, a novel, comprehensive and multi-perspective description of network traffic has been proposed. It includes more than a hundred features representing traffic at different levels of granularity, at different layers, involving different protocols, all determined over different temporal intervals. One essential aspect of the system is its ability to identify and categorize application connections that use UDP, a connection-less protocol. The processes of detecting anomalies and attacks are built using machine learning algorithms. The system uses elements of Evidence Theory not only to detect an anomaly/attack but also to assign a degree of confidence to its detection outcomes. The results are highly promising. The implemented and tested system provides very good performance: the number of false negatives (treating an anomaly/attack as the positive event) is zero, with a minimal number of false positives at the same time.
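The abstract says the two detection stages are fused with elements of Evidence Theory to produce both a verdict and a degree of confidence. The block below is an added illustration of how that fusion can be done with Dempster's rule of combination over the frame {normal, attack}; it is not code from the thesis, and the detector scores, reliability discounts and decision threshold are constructed assumptions for the example. Each stage's score is turned into a mass function, discounted by an assumed reliability so the unassigned mass lands on "don't know", and the combined belief/plausibility interval and the conflict term are returned as the confidence report the administrator would see.

```python
"""Dempster-Shafer fusion of an anomaly stage and a signature stage.

Added illustration, not code from the thesis. The frame of discernment,
the reliability discounts and the threshold are assumptions; the scores
used in the __main__ block are constructed, not measured.
"""
from itertools import product

# Frame of discernment (theta) and the focal elements we track.
NORMAL, ATTACK = "normal", "attack"
THETA = frozenset({NORMAL, ATTACK})
FOCAL = [frozenset({NORMAL}), frozenset({ATTACK}), THETA]


def mass_from_score(score, reliability):
    """Map a detector score in [0, 1] (1 = attack) to a mass function.

    `reliability` discounts the evidence: the discounted share of mass
    goes to THETA ("don't know"), so a weak source cannot dominate.
    """
    if not 0.0 <= score <= 1.0 or not 0.0 <= reliability <= 1.0:
        raise ValueError("score and reliability must lie in [0, 1]")
    return {
        frozenset({ATTACK}): reliability * score,
        frozenset({NORMAL}): reliability * (1.0 - score),
        THETA: 1.0 - reliability,
    }


def combine(m1, m2):
    """Dempster's rule; returns (joint mass, conflict K).

    Mass assigned to disjoint hypotheses by the two sources is conflict
    and is redistributed by normalising with 1 - K.
    """
    joint = {f: 0.0 for f in FOCAL}
    conflict = 0.0
    for a, b in product(m1, m2):
        inter = a & b
        if inter:
            joint[inter] += m1[a] * m2[b]
        else:
            conflict += m1[a] * m2[b]
    if conflict >= 1.0:
        raise ValueError("total conflict: sources are incompatible")
    for f in joint:
        joint[f] /= 1.0 - conflict
    return joint, conflict


def belief(m, hyp):
    """Bel(hyp): mass on subsets of hyp (what definitely supports it)."""
    return sum(v for f, v in m.items() if f <= hyp)


def plausibility(m, hyp):
    """Pl(hyp): mass on sets intersecting hyp (what does not rule it out)."""
    return sum(v for f, v in m.items() if f & hyp)


def decide(anomaly_score, signature_score,
           anomaly_rel=0.8, sig_rel=0.9, threshold=0.5):
    """Fuse both stages and report verdict plus confidence measures.

    `uncertainty` (Pl - Bel) is the mass still on THETA; `conflict` is K,
    which flags the stages disagreeing even when a verdict is reached.
    """
    joint, k = combine(mass_from_score(anomaly_score, anomaly_rel),
                       mass_from_score(signature_score, sig_rel))
    h = frozenset({ATTACK})
    bel, pl = belief(joint, h), plausibility(joint, h)
    return {"verdict": ATTACK if bel >= threshold else NORMAL,
            "belief": bel, "plausibility": pl,
            "uncertainty": pl - bel, "conflict": k}


if __name__ == "__main__":
    # Constructed cases: stages agree, then stages disagree.
    for anomaly, signature in ((0.9, 1.0), (0.9, 0.0)):
        print(anomaly, signature, decide(anomaly, signature))
```

In the agreeing case (anomaly 0.9, signature match 1.0) the combined belief in "attack" is 0.9/0.928 with conflict 0.072; in the disagreeing case (anomaly 0.9, no signature match) the verdict flips to "normal" but K rises to 0.648, which is exactly the situation worth surfacing to the administrator rather than hiding behind a single label.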

  • Graduation date
    Fall 2017
  • Degree
    Doctor of Philosophy
  • License
    This thesis is made available by the University of Alberta Libraries with permission of the copyright owner solely for non-commercial purposes. This thesis, or any portion thereof, may not otherwise be copied or reproduced without the written consent of the copyright owner, except to the extent permitted by Canadian copyright law.