Dataset generation and network intrusion detection based on flow-level information

The growth of the Internet and networking has made securing networks against attacks a very challenging task. For high-speed networks, flow meta-data inspection can replace conventional Deep Packet Inspection but with the cost of low precision of identifying attacks since the former deals with an ag...

Full description

Saved in:
Bibliographic Details
Main Author: Mohamedali Abdalla, Ahmed Abdalla
Format: Thesis
Language:English
Published: 2015
Subjects:
Online Access:http://eprints.utm.my/id/eprint/54879/1/AhmedAbdallaMohamedaliAbdallaPFKE2015.pdf
Tags: Add Tag
No Tags, Be the first to tag this record!
id my-utm-ep.54879
record_format uketd_dc
spelling my-utm-ep.548792020-11-11T06:21:14Z Dataset generation and network intrusion detection based on flow-level information 2015-09-17 Mohamedali Abdalla, Ahmed Abdalla TK Electrical engineering. Electronics Nuclear engineering The growth of the Internet and networking has made securing networks against attacks a very challenging task. For high-speed networks, flow meta-data inspection can replace conventional Deep Packet Inspection but with the cost of low precision of identifying attacks since the former deals with an aggregated version of the traffic. The first part of this research addresses the problem of the lack in benchmarking datasets for developing new Network Intrusion Detection Systems (NIDSs) or comparing existing NIDSs. The aim in the second part is to design a near real-time NIDS without degrading the detection accuracy when compared to conventional misuse packet-based approaches. To achieve the first objective, a NIDS dataset creation framework had been developed. Based on that framework, a flow-level NIDS dataset had been created. The traces were collected from campus main routers in NetFlow format while malicious traffic of different attack scenarios was generated by Nmap and BoNesi tools. In the second part a flow-based software-based system were developed to detect and identify network volume-level attacks in near real-time. Attack detection is based on statistical time-aggregated features of the exported NetFlow version of the traffic to detect several scan and Denial-of-Service (DoS) attacks. A validation for the designed system is done using Defense Advanced Research Projects Agency (DARPA) datasets. The timeline performance outperformed all relevant software-based systems and suited for up to one gigabit per second links with an average detection delay of less than one minute. The proposed method achieved 95% True Positive Rate (TPR) and almost zero False Positive Rate (FPR). Compared to relevant methods when operated in the same conditions, the proposed method improved the TPR by 4% and improved FPR by 1%. In addition, the capability of flow-based approach in detecting packet-level attacks was experimentally demonstrated. The results against Snort were benchmarked and 75% TPR and almost zero FPR were achieved. 2015-09 Thesis http://eprints.utm.my/id/eprint/54879/ http://eprints.utm.my/id/eprint/54879/1/AhmedAbdallaMohamedaliAbdallaPFKE2015.pdf application/pdf en public http://dms.library.utm.my:8080/vital/access/manager/Repository/vital:96166 phd doctoral Universiti Teknologi Malaysia, Faculty of Electrical Engineering Faculty of Electrical Engineering
institution Universiti Teknologi Malaysia
collection UTM Institutional Repository
language English
topic TK Electrical engineering
Electronics Nuclear engineering
spellingShingle TK Electrical engineering
Electronics Nuclear engineering
Mohamedali Abdalla, Ahmed Abdalla
Dataset generation and network intrusion detection based on flow-level information
description The growth of the Internet and networking has made securing networks against attacks a very challenging task. For high-speed networks, flow meta-data inspection can replace conventional Deep Packet Inspection but with the cost of low precision of identifying attacks since the former deals with an aggregated version of the traffic. The first part of this research addresses the problem of the lack in benchmarking datasets for developing new Network Intrusion Detection Systems (NIDSs) or comparing existing NIDSs. The aim in the second part is to design a near real-time NIDS without degrading the detection accuracy when compared to conventional misuse packet-based approaches. To achieve the first objective, a NIDS dataset creation framework had been developed. Based on that framework, a flow-level NIDS dataset had been created. The traces were collected from campus main routers in NetFlow format while malicious traffic of different attack scenarios was generated by Nmap and BoNesi tools. In the second part a flow-based software-based system were developed to detect and identify network volume-level attacks in near real-time. Attack detection is based on statistical time-aggregated features of the exported NetFlow version of the traffic to detect several scan and Denial-of-Service (DoS) attacks. A validation for the designed system is done using Defense Advanced Research Projects Agency (DARPA) datasets. The timeline performance outperformed all relevant software-based systems and suited for up to one gigabit per second links with an average detection delay of less than one minute. The proposed method achieved 95% True Positive Rate (TPR) and almost zero False Positive Rate (FPR). Compared to relevant methods when operated in the same conditions, the proposed method improved the TPR by 4% and improved FPR by 1%. In addition, the capability of flow-based approach in detecting packet-level attacks was experimentally demonstrated. The results against Snort were benchmarked and 75% TPR and almost zero FPR were achieved.
format Thesis
qualification_name Doctor of Philosophy (PhD.)
qualification_level Doctorate
author Mohamedali Abdalla, Ahmed Abdalla
author_facet Mohamedali Abdalla, Ahmed Abdalla
author_sort Mohamedali Abdalla, Ahmed Abdalla
title Dataset generation and network intrusion detection based on flow-level information
title_short Dataset generation and network intrusion detection based on flow-level information
title_full Dataset generation and network intrusion detection based on flow-level information
title_fullStr Dataset generation and network intrusion detection based on flow-level information
title_full_unstemmed Dataset generation and network intrusion detection based on flow-level information
title_sort dataset generation and network intrusion detection based on flow-level information
granting_institution Universiti Teknologi Malaysia, Faculty of Electrical Engineering
granting_department Faculty of Electrical Engineering
publishDate 2015
url http://eprints.utm.my/id/eprint/54879/1/AhmedAbdallaMohamedaliAbdallaPFKE2015.pdf
_version_ 1747817745893818368