Frequent Attack Dictionary Decision Tree Method for Advanced Signature-Based Intrusion Detection

Zamanizadeh, Sepideh (2017-02-25)

This article/publication has not been deposited in UTUPub. The publication record may, however, contain a link to a copy of the article/publication stored elsewhere.

Turun yliopisto
Abstract
Cyber-Physical Systems (CPS) are advanced intelligent systems that consist of networked or distributed computational elements, sensors and actuators that control physical entities and mechanisms. Nowadays, CPS have attracted much attention due to their vast range of applications. The precursor generation of CPS can be found in a variety of areas including aerospace, industrial infrastructures, health care, transportation, energy, Supervisory Control And Data Acquisition (SCADA) and autonomous automobile systems. The development of safe CPS requires a thorough understanding of the potential impacts of successful malicious cyber-attacks. CPS security concerns include attackers' efforts to intercept information captured by sensors and to manipulate the rules sent to actuators in order to disrupt, defeat and eventually cause the system to fail. Since CPS include physical actuators, the damage could be critical, as in autonomous automobile systems.

With the increasing use of CPS in infrastructural and vital areas of industry, securing CPS has become essential. One of the techniques used in these systems is signature-based intrusion detection. One of the main problems in signature-based intrusion detection is the difficulty of maintaining the attack dictionary, because of the memory required to store the signatures. The second issue is the low speed of attack detection, since each packet has to be checked against every signature in the attack dictionary one by one.

This thesis proposes and evaluates a method to increase the speed and performance of signature-based intrusion detection and thereby increase CPU availability. As the first step of this work, the least valuable information is identified and removed from the attack dictionary. The dictionary is then divided into two sub-dictionaries based on the most numerous attacks, and finally it is organised as a decision tree. Removing the least valuable information and searching for rules inside the decision tree reduces processing time. Also, since the probability of each rule's occurrence is increased whenever an incoming packet matches a signature, the method improves accuracy compared with the traditional ID3 (Iterative Dichotomiser 3) method. The proposed method is simulated in Python on data sets gathered from real-world networks (KDD-99). The performance enhancement and the improvement in resource availability are demonstrated in the results of the proposed method.
Collections
  • Abstracts of theses (no full text) [6013]

Turun yliopiston kirjasto | Turun yliopisto
julkaisut@utu.fi | Tietosuoja | Saavutettavuusseloste