Please use this identifier to cite or link to this item:
http://hdl.handle.net/10603/508648
Title: | An Intrusion Detection System for Network Security Situational Awareness based on Conditional Random Fields |
Researcher: | M.Azhagiri |
Guide(s): | A.Rajesh |
Keywords: | Computer Science; Computer Science Software Engineering; Engineering and Technology |
University: | St. Peter's Institute of Higher Education and Research |
Completed Date: | 2020 |
Abstract: | Network security has been a widely researched topic in the literature. It is about protecting network resources from unauthorized and illegal accesses. Network security situational awareness is one form of protecting our network resources. It involves perceiving any threat situations, understanding the threat methodology and consequences, and dealing with the threat scenario. One of the crucial factors for the proper functioning of a network security situational awareness system is its ability to detect threat situations. An intrusion detection system is a security tool used for detecting intrusions into a network. An accurate input to a network security situational awareness system by an intrusion detection system goes a long way in providing protection to the network. The primary objective of this research is to develop an intrusion detection system for the efficient operation of a network security situational awareness system. To aid efficient protection, the IDS should not only be capable of detecting attacks but also of categorizing them into suitable attack categories, so that the situational awareness system is able to undertake proper remedial actions. The research was carried out by running experiments with state-of-the-art machine learning techniques, assessing their performance with respect to intrusion detection, analyzing the results of each intrusion detection system, and ascertaining its suitability for the situational awareness system. In this pursuit, three types of intrusion detection systems were experimented with. The first experiment used fuzzy logic coupled with dynamic learning to minimize the false alarm rate in an intrusion detection system. The experimentation was done by identifying parameters widely used by Network Analyzer tools to detect any anomaly in the connection. Based on the activity of the network, the values of the chosen parameters are graded and converted to a fuzzy score. This fuzzy score was then used to frame fuzzy rules for identifying intrusions. The system exhibited reasonable accuracy in the detection of attacks and resulted in a low false positive rate. The next attempt was in clustering the connection information using probability clomp algorithm into related groups based on its parameters. The groups were then analyzed using intrusion unearthing algorithms employing decision trees. The identification of an intrusion in a cluster helps in relating the other connections in the cluster to intrusions. This helps in generalizing intrusion parameters and thereby identifying new attacks unseen in the training data. By analyzing the patterns in the clusters, the system was able to distinguish an attack from a normal connection. The system exhibited good precision and accuracy in detecting the attacks and also showed a reduced false positive rate. The third system researched used the linear chain conditional random field (CRF) for classifying whether a connection is a normal one or an attack. Since the complexity of the CRF increases with the number of features used to train it, we have used the OneR algorithm to select the most appropriate features for classifying the connections as attack or normal. The system performed significantly better than most of the systems in the literature. It was able to detect all kinds of attacks in the input connections with reasonable accuracy. Hence, this was found to be the most suitable system for network security situational awareness. |
URI: | http://hdl.handle.net/10603/508648 |
Appears in Departments: | Department of Computer Science and Engineering |
Files in This Item:
File | Description | Size | Format | |
---|---|---|---|---|
80_recommendation.pdf | Attached File | 3.13 MB | Adobe PDF | View/Open |
m.azhagiri.pdf | | 3.13 MB | Adobe PDF | View/Open |
Items in Shodhganga are licensed under Creative Commons Licence Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0).