english german

innovative Anomaly and Intrusion-Detection


Anomaly detection in network data has already been practiced in many different forms. For example, methods from areas of time series analysis are used. Other approaches use techniques from the field of machine learning. Among other things, cluster or classification methods will be applied.

Anomaly detection on the basis of the packet header data is focused on a smaller set of properties resulting from a concentration on specific threats. Partly, the IP address information of packets are used, which is a privacy issue and it will be mostly limited to the protocols to OSI Layer 4 (IP, TCP / UDP). But there are also approaches to the analysis of data at the application layer, which are responsible for the discovery of exploits of particular importance. Next to the employment of regular expressions in the area of misuse detection, in particular statistical descriptions of payloads are used. One example is the n-gram analysis.

A series of publications dealed with how the intrusion-detection-systems handle with an amount of data in real time. Many works exist on the use of FPGA-based system to speed up the evaluation. At the same time, there will be focused on misuse detection by matching regular expressions or pattern-matching. Beside the FPGA based on implementations will be already researched on a use of graphic-processing-units (GPUs) as an relative cost-efficient version for the acceleration. In this case, a concentration on misuse-detection-approaches is determined.

Besides the classical techniques such as firewalls and anti-virus solutions, especially intrusion detection systems, like Snort, can be used. This only applies to 40% of the companies, and even then won't be achieved an optimal protection. More engraving is seen on the other side: 60% of the companies until now do not employ an intrusion-detection-system at all. If detection systems are used, they often work on the principle of misuse detection. However, such solutions are used only to a limit and have only been partly practical. To sum up, the actual spreading employment of misuse detection could just mostly found known threats.

So far, the described objectives divided into different areas. First, the description of the network traffic will be discussed. As part of several supports (including the BSI and the BMBF) at the Westfälische Hochschule in Gelsenkirchen, the internet analysis system was developed. It's like an early warning system that gathers counter-based data over the network and stores it in a central database. The evaluation is performed on other tools that have access to the database.

By means of different methods to evaluate the collecting data, one method will be presented that is based on probabilistic neural network (PNN) for anomaly-detection. It is a statistical method which appreciates the division of the available data and based on this, it makes decisions if a data point is normal or anomalous (a data point is a physical point in the signal connecting chain, to which a message or the current value of a signal is visible). An application to the flow-based data is investigated within the project. Another method doesn't deal with anomaly detection, but uses a misuse detection approach to the flow-based data. These neural networks are used to learn what to discriminate when the flow data, whether they are normal or from a malware. It's not about a anomaly detection but the results show a general description thickness of an approach. With the efficient evaluation of large amounts of data using the above procedure that describes GPUs for the implementation, whether GPUs are suitable for the acceleration of sensor technology of IAS.

Generated test data is stored in a database, which are used for the testing of the detection method of attacks. An attack simulator has already been developed.

iAID logo Top