Please use this identifier to cite or link to this item: https://www.um.edu.mt/library/oar/handle/123456789/95229
Title: Autonomous, signals-based intrusion detection
Authors: Tabone, Liam (2013)
Keywords: Computer software; Intrusion detection systems (Computer security); Computer simulation
Issue Date: 2013
Citation: Tabone, L. (2013). Autonomous, signals-based intrusion detection (Bachelor's dissertation).
Abstract: The two methods for Network Intrusion Detection Systems (NIDS) are misuse detection, which compares network traffic to known attack signatures, and anomaly detection, which compares traffic to expected normal behavior and raises alerts for anomalous traffic. Both approaches require continuous attention from administrators, either in the form of signature creation or the provision of samples of normal traffic, and both attack and normal traffic are highly dynamic. The aim of this project is to explore an experimental detection method, signals-based detection, in order to produce a NIDS that is more autonomous. This method focuses on the effects of attacks (the signals) rather than on their content, and these effects are expected to be less dynamic; as a consequence, this should increase the level of autonomy exhibited by the NIDS. The Dendritic Cell Algorithm (DCA) is the most widely explored technique that takes this approach, and therefore the aim is to explore how to build a 'low-maintenance' NIDS based on it. Moreover, the project also aims for a fully autonomous NIDS, also based on the DCA, where signals are configured in a fully automated manner from past normal and attack traffic samples. When applied to network intrusion detection, the DCA uses a population of agents to correlate network connections with an aggregation of signals. These signals reflect the effect on the system when either normal or attack traffic is processed. The low-maintenance approach assists the administrator in selecting the most effective signals configuration. The fully autonomous approach explores how Principal Component Analysis (PCA) can assist in fully automating signal selection, based on the intuition that attack traffic produces highly variable signal levels, identifiable through a PCA-based ranking of traffic features, while normal traffic produces more stable levels.
The low-maintenance NIDS returned an 82% true positive rate, while the fully autonomous NIDS produced an 86% rate, both at an accuracy level comparable to typical NIDS. Presently, this approach can be useful in shifting man-power to filtering false positives rather than wasting it on routine NIDS configuration.
Description: B.Sc. IT (Hons)(Melit.)
URI: https://www.um.edu.mt/library/oar/handle/123456789/95229
Appears in Collections: Dissertations - FacICT - 2013; Dissertations - FacICTCS - 2010-2015

Files in This Item:
File: BSC(HONS)ICT_Tabone, Liam_2013.pdf
Description: Restricted Access
Size: 3.76 MB
Format: Adobe PDF