Abstract
Anomaly-based intrusion detection techniques produce a high number of false positives, which degrades detection performance. To address this issue, we propose a distributed intrusion detection system, named ISM-AC, based on anomaly detection using an artificial immune system and attack graph correlation. To analyze network traffic, we use negative selection, clonal selection, and immune network algorithms to implement an agent-based detection system. ISM-AC leverages the programmability of software-defined networking to reduce the false positive rate. Our findings show that ISM-AC achieves better detection performance for the denial of service (DoS), user to root (U2R), remote to local (R2L), and probe attack classes. Alert correlation plays a key role in this achievement.
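The abstract names negative selection as one of the immune algorithms behind the detection agents. The following is an added example, not code from the ISM-AC paper: a real-valued negative selection detector in the variable-radius ("V-detector") form of the algorithm introduced by Forrest et al. [12]. The feature names, the radius and detector-count constants, and the constructed "self" (normal traffic) set are assumptions made for the demonstration; it shows why such detectors raise alerts on anything outside the learned normal region, which is exactly the false-positive source the paper's correlation stage is meant to filter.

```python
# Added example (not code from the ISM-AC paper): negative selection over normalised
# flow features, V-detector variant. Feature names, constants and the self set are
# assumptions constructed for this demo.
import math
import random
from typing import List, Sequence, Tuple

Vector = Tuple[float, ...]

# Assumed normalised flow features, each scaled to [0, 1] upstream.
FEATURES = ("syn_ratio", "pkts_per_s", "mean_payload")
R_SELF = 0.10        # assumed: a sample this close to a self sample still counts as self
N_DETECTORS = 100    # assumed: detectors to keep after censoring against self


def _dist(a: Vector, b: Vector) -> float:
    """Euclidean distance in feature space."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def make_self_set(n: int, seed: int = 1) -> List[Vector]:
    """Constructed 'normal' traffic: features cluster in a small corner of [0,1]^3."""
    rng = random.Random(seed)
    return [tuple(rng.uniform(0.05, 0.30) for _ in FEATURES) for _ in range(n)]


def train_detectors(self_set: Sequence[Vector], n_detectors: int = N_DETECTORS,
                    r_self: float = R_SELF, seed: int = 7) -> List[Tuple[Vector, float]]:
    """Negative selection: draw random candidates and discard any that match self.

    A candidate matches self when it lies within r_self of some self sample.
    A surviving candidate becomes a detector whose radius reaches exactly up to
    the nearest self ball, so by construction no detector ever covers a self sample.
    """
    rng = random.Random(seed)
    detectors: List[Tuple[Vector, float]] = []
    while len(detectors) < n_detectors:
        centre = tuple(rng.random() for _ in FEATURES)
        nearest_self = min(_dist(centre, s) for s in self_set)
        radius = nearest_self - r_self
        if radius > 0.0:              # censoring step: keep only non-self candidates
            detectors.append((centre, radius))
    return detectors


def is_nonself(sample: Vector, detectors: Sequence[Tuple[Vector, float]]) -> bool:
    """A sample is anomalous (non-self) if any detector covers it."""
    return any(_dist(sample, centre) < radius for centre, radius in detectors)


def classify_flows(flows: Sequence[Tuple[str, Vector]],
                   detectors: Sequence[Tuple[Vector, float]]) -> List[Tuple[str, str]]:
    """Label each (flow_id, feature_vector). The ALERT rows are the raw alerts a
    correlation stage would later confirm or discard."""
    return [(fid, "ALERT" if is_nonself(vec, detectors) else "normal")
            for fid, vec in flows]


if __name__ == "__main__":
    self_set = make_self_set(40)
    dets = train_detectors(self_set)
    flows = [
        ("f1", self_set[0]),                            # seen during training
        ("f2", tuple(x + 0.02 for x in self_set[3])),   # close to a self sample
        ("f3", (0.95, 0.90, 0.85)),                     # constructed SYN-heavy, high-rate flow
    ]
    for fid, label in classify_flows(flows, dets):
        print(fid, label)
```

The censoring step guarantees zero false positives on the training self set, but any flow outside the learned region, including legitimate traffic the self set never covered, is reported as non-self; that is the false-positive behaviour the abstract attributes to anomaly detection in general.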
Notes
This paper is an extended version of our previous work [41] (a short six-page paper). In [41], we proposed the initial model of the system and a preliminary evaluation for DoS attacks. In this paper, we introduce the complete architecture of ISM-AC and a thorough discussion and evaluation, including U2R, R2L, and probe attacks.
In the DoS Land attack, the attacker sends TCP SYN packets whose spoofed source IP address and port equal the destination IP address and port. A vulnerable target replies to itself and can lock up or crash [48].
In the DoS PoD (Ping of Death) attack, the target machine is sent malformed or oversized ICMP echo packets that exceed the maximum IP datagram size once reassembled, which crashes hosts that do not handle them safely [20].
TCP flooding consists of sending a high volume of TCP packets (typically SYN segments) to the victim in order to exhaust its connection-handling resources.
HTTP flooding consists of flooding the HTTP server with requests at the application layer.
Another HTTP-based DoS attack against the Apache service. Slowloris establishes multiple connections to the target server and keeps them open for as long as possible: once a connection is open, Slowloris keeps sending partial HTTP headers and never completes the request, so the server's worker slots stay occupied [20].
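The notes above describe five DoS variants by their traffic characteristics. The following is an added example, not the ISM-AC agents or any code from the paper: one rule check per variant (Land, Ping of Death, TCP/SYN flood, HTTP flood, Slowloris) run over constructed packet and connection records. The record layout, the thresholds and the sample traffic are assumptions; the hits these checks return are the kind of raw alerts the paper's correlation stage would consume.

```python
# Added example (not code from the ISM-AC paper): rule checks for the DoS variants the
# notes describe, run over constructed packet and connection records. Record layout,
# thresholds and sample traffic are assumptions.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    ts: float
    proto: str           # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""      # TCP flags as letters: "S" = SYN only, "A" = ACK only
    ip_len: int = 0      # IP datagram length after reassembly, in bytes


@dataclass
class HttpConn:
    ts_open: float
    src: str
    headers_complete: bool   # did the request ever reach the terminating blank line?
    requests: int = 0        # complete requests served on this connection


MAX_IP_LEN = 65535            # RFC 791: largest legal IP datagram
SYN_FLOOD_THRESHOLD = 100     # assumed: half-open SYNs per (dst, port) in the window
HTTP_FLOOD_THRESHOLD = 200    # assumed: requests per source in the window
SLOWLORIS_MIN_CONNS = 50      # assumed: stalled connections from one source
SLOWLORIS_HOLD_S = 30.0       # assumed: seconds a header-less connection may stay open


def detect_land(pkts: List[Packet]) -> List[Packet]:
    """Land: a SYN whose source address:port equals its destination address:port."""
    return [p for p in pkts if p.proto == "tcp" and "S" in p.flags
            and p.src == p.dst and p.sport == p.dport]


def detect_ping_of_death(pkts: List[Packet]) -> List[Packet]:
    """Ping of Death: an ICMP datagram that reassembles beyond the IP size limit."""
    return [p for p in pkts if p.proto == "icmp" and p.ip_len > MAX_IP_LEN]


def detect_syn_flood(pkts: List[Packet],
                     threshold: int = SYN_FLOOD_THRESHOLD) -> Dict[Tuple[str, int], int]:
    """SYN flood: per (dst, dport), count SYNs the client never completed with an ACK."""
    syns = {(p.src, p.sport, p.dst, p.dport) for p in pkts
            if p.proto == "tcp" and p.flags == "S"}
    acked = {(p.src, p.sport, p.dst, p.dport) for p in pkts
             if p.proto == "tcp" and p.flags == "A"}
    half_open = Counter((s[2], s[3]) for s in syns - acked)
    return {k: n for k, n in half_open.items() if n >= threshold}


def detect_http_flood(conns: List[HttpConn],
                      threshold: int = HTTP_FLOOD_THRESHOLD) -> Dict[str, int]:
    """HTTP flood: a source issuing an abnormal number of complete requests."""
    per_src: Counter = Counter()
    for c in conns:
        per_src[c.src] += c.requests
    return {s: n for s, n in per_src.items() if n >= threshold}


def detect_slowloris(conns: List[HttpConn], now: float,
                     min_conns: int = SLOWLORIS_MIN_CONNS,
                     hold_s: float = SLOWLORIS_HOLD_S) -> Dict[str, int]:
    """Slowloris: many connections from one source held open without ever finishing
    the request headers, which is what keeps the server's workers occupied."""
    stalled = Counter(c.src for c in conns
                      if not c.headers_complete and now - c.ts_open >= hold_s)
    return {s: n for s, n in stalled.items() if n >= min_conns}


def sample_traffic() -> Tuple[List[Packet], List[HttpConn]]:
    """Constructed traffic mixing benign records with one instance of each attack."""
    pkts: List[Packet] = [Packet(1.0, "icmp", "192.0.2.10", "10.0.0.5", ip_len=84)]
    for i in range(5):                       # benign handshakes: SYN then ACK
        src, sport = "192.0.2.%d" % (20 + i), 50000 + i
        pkts.append(Packet(2.0 + i, "tcp", src, "10.0.0.5", sport, 80, flags="S"))
        pkts.append(Packet(2.1 + i, "tcp", src, "10.0.0.5", sport, 80, flags="A"))
    for i in range(150):                     # spoofed SYNs that are never completed
        pkts.append(Packet(10.0 + i / 100, "tcp", "10.%d.%d.1" % (i // 10, i % 10),
                           "10.0.0.5", 40000 + i, 80, flags="S"))
    pkts.append(Packet(20.0, "tcp", "10.0.0.6", "10.0.0.6", 22, 22, flags="S"))   # Land
    pkts.append(Packet(21.0, "icmp", "192.0.2.99", "10.0.0.6", ip_len=65600))    # PoD

    conns: List[HttpConn] = [HttpConn(5.0, "192.0.2.%d" % (30 + i), True, requests=4)
                             for i in range(3)]
    conns += [HttpConn(50.0 + i, "198.51.100.7", True, requests=50) for i in range(5)]
    conns += [HttpConn(60.0, "203.0.113.9", False) for _ in range(60)]   # Slowloris
    return pkts, conns


if __name__ == "__main__":
    pkts, conns = sample_traffic()
    print("land:", len(detect_land(pkts)), "pod:", len(detect_ping_of_death(pkts)))
    print("syn flood:", detect_syn_flood(pkts))
    print("http flood:", detect_http_flood(conns))
    print("slowloris:", detect_slowloris(conns, now=100.0))
```

The Land and Ping of Death checks are per-packet and need no state; the three flooding checks are per-window counters, and the benign handshakes in the sample show why the SYN check must subtract completed connections rather than count SYNs alone.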
References
Ahmad, A., Idris, N.B., Kama, M.N.: CloudIDS: cloud intrusion detection model inspired by dendritic cell mechanism. Int. J. Commun. Netw. Inf. Secur. (IJCNIS) 9(1), 1–5 (2017)
Alidoosti, M., Nowroozi, A., Nickabadi, A.: Evaluating the web-application resiliency to business-layer DoS attacks. ETRI J. 42, 433–445 (2020)
Ambedkar, Ch., Kishore Babu, V.: Detection of probe attacks using machine learning techniques. Int. J. Res. Stud. Comput. Sci. Eng. (IJRSCSE) 2(3), 25–29 (2015)
Barik, M.S., Sengupta, A., Mazumdar, C.: Attack graph generation and analysis techniques. Defence Sci. J. 66(6), (2016)
Buragohain, C., Medhi, N.: FlowTrApp: an SDN based architecture for DDoS attack detection and mitigation in data centers. In: 2016 3rd International Conference on Signal Processing and Integrated Networks (SPIN), pp. 519–524. IEEE, (2016)
Chen, M.-H., Chang, P.-C., Jheng-Long, W.: A population-based incremental learning approach with artificial immune system for network intrusion detection. Eng. Appl. Artif. Intel. 51, 171–181 (2016)
Chung, C.-J., Khatkar, P., Xing, T., Lee, J., Huang, D.: NICE: network intrusion detection and countermeasure selection in virtual network systems. IEEE Trans. Depend. Secure Comput. 10(4), 198–211 (2013)
Dong, S., Abbas, K., Jain, R.: A survey on distributed denial of service (DDoS) attacks in SDN and cloud computing environments. IEEE Access 7, 80813–80828 (2019)
Elhaj, M.M.K., Hamrawi, H., Suliman, M.M.A.: A multi-layer network defense system using artificial immune system. In: 2013 International Conference on Computing, Electrical and Electronics Engineering (ICCEEE), pp. 232–236. IEEE, (2013)
Farid, D., Darmont, J., Harbi, N., Nguyen, H.H., Rahman, M.Z.: Adaptive network intrusion detection learning: attribute selection and classification. In: International Conference on Computer Systems Engineering (ICCSE 2009), p. TH60000, (2009)
Fogel, D.B.: Evolutionary Computation: Toward a New Philosophy of Machine Intelligence. Wiley-IEEE Press (2005)
Forrest, S., Perelson, A.S., Allen, L., Cherukuri, R.: Self-nonself discrimination in a computer. In: 1994 IEEE Computer Society Symposium on Research in Security and Privacy, 1994. Proceedings, pp. 202–212. IEEE, (1994)
Fredj, O.B.: A realistic graph-based alert correlation system. Secur. Commun. Netw. 8(15), 2477–2493 (2015)
Frigault, M., Wang, L.: Measuring network security using bayesian network-based attack graphs. In: Annual IEEE International Computer Software and Applications Conference, pp. 698–703. IEEE, (2008)
Garcia-Teodoro, P., Diaz-Verdejo, J., Maciá-Fernández, G., Vázquez, E.: Anomaly-based network intrusion detection: techniques, systems and challenges. Comput. Secur. 28(1–2), 18–28 (2009)
Gogoi, P., Bhuyan, M.H., Bhattacharyya, D.K., Kalita, J.K.: Packet and flow based network intrusion dataset. In: International Conference on Contemporary Computing, pp. 322–334. Springer, (2012)
Halvaiee, N.S., Akbari, M.K.: A novel model for credit card fraud detection using artificial immune systems. Appl. Soft Comput. 24, 40–49 (2014)
Hubballi, N., Suryanarayanan, V.: False alarm minimization techniques in signature-based intrusion detection systems: a survey. Comput. Commun. 49, 1–17 (2014)
Igbe, O., Darwish, I., Saadawi, T.: Distributed network intrusion detection systems: an artificial immune system approach. In: 2016 IEEE First International Conference on Connected Health: Applications, Systems and Engineering Technologies (CHASE), pp. 101–106. IEEE, (2016)
Imperva: Imperva incapsula, (2019). https://www.incapsula.com/
Janeway Jr, C.A., Travers, P., Walport, M., Shlomchik, M.J.: The complement system and innate immunity. In: Immunobiology: The Immune System in Health and Disease. 5th edition. Garland Science, (2001)
Jensen, F.V.: An Introduction to Bayesian Networks. UCL Press, London (1996)
Jerne, N.K.: Towards a network theory of the immune system. Ann. Immunol. 125, 373–389 (1974)
Jeya, G.P., Ravichandran, M., Ravichandran, C.S.: Efficient classifier for R2L and U2R attacks. Int. J. Comput. Appl. 45(21), 29 (2012)
Jha, M., Acharya, R.: An immune inspired unsupervised intrusion detection system for detection of novel attacks. In: 2016 IEEE Conference on Intelligence and Security Informatics (ISI), pp. 292–297. IEEE, (2016)
Jha, S., Sheyner, O., Wing, J.: Two formal analyses of attack graphs. In: Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15, pp. 49–63. IEEE, (2002)
Kalliola, A., Lee, K., Lee, H., Aura, T.: Flooding DDoS mitigation and traffic management with software defined networking. In: 2015 IEEE 4th International Conference on Cloud Networking (CloudNet), pp. 248–254. IEEE, (2015)
King, R.L., Russ, S.H., Lambert, A.B., Reese, D.S.: An artificial immune system model for intelligent agents. Fut. Gen. Comput. Syst. 17(4), 335–343 (2001)
Kreutz, D., Ramos, F.M.V., Veríssimo, P.E., Rothenberg, C.E., Azodolmolky, S., Uhlig, S.: Software-defined networking: a comprehensive survey. Proc. IEEE 103(1), 14–76 (2015)
Kreutz, D., Malichevskyy, O., Feitosa, E., Cunha, H., da Rosa Righi, R., de Macedo, D.D.J.: A cyber-resilient architecture for critical security services. J. Netw. Comput. Appl. 63, 173–189 (2016)
Kreutz, D., Ramos, F.M.V., Verissimo, P.E., Rothenberg, C.E., Azodolmolky, S., Uhlig, S.: Software-defined networking: a comprehensive survey. Proc. IEEE 103(1), 14–76 (2015)
Kwon, K., Ahn, S., Chung, J.W.: Network security management using ARP spoofing. In: International Conference on Computational Science and Its Applications, pp. 142–149. Springer, (2004)
Lei, J., Li, Z.: Using Network Attack Graph to Predict the Future Attacks. In: Second International Conference on Communications and Networking in China, pp. 403–407, (2007)
Lim, S., Ha, J., Kim, H., Kim, Y., Yang, S.: A SDN-oriented DDoS blocking scheme for botnet-based attacks. In: 2014 Sixth International Conference on Ubiquitous and Future Networks (ICUFN), pp. 63–68. IEEE, (2014)
Lippmann, R., Haines, J.W., Fried, D.J., Korba, J., Das, K.: Analysis and results of the 1999 DARPA off-line intrusion detection evaluation. In: International Workshop on Recent Advances in Intrusion Detection, pp. 162–182. Springer, (2000)
Mahoney, M.V., Chan, P.K.: An analysis of the 1999 DARPA/Lincoln Laboratory evaluation data for network anomaly detection. In: International Workshop on Recent Advances in Intrusion Detection, pp. 220–237. Springer, (2003)
Massachusetts Institute of Technology. 1999 DARPA intrusion detection evaluation data set, (2019). https://www.ll.mit.edu/r-d/datasets/1999-darpa-intrusion-detection-evaluation-data-set/
McHugh, J.: Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Trans. Inf. Syst. Secur. (TISSEC) 3(4), 262–294 (2000)
Mell, P., Scarfone, K., Romanosky, S.: Common vulnerability scoring system. IEEE Secur. Privacy 4(6), 85–89 (2006)
Melo, R.V., de Macedo, D.D.J., Dantas, M.A.R., de Bona, L.C.E.: A novel immune detection approach enhanced by attack graph based correlation. In: 24th IEEE Symposium on Computers and Communications (ISCC). IEEE, (2019)
Melo, R.V., Macedo, D.D.J.: A cloud immune security model based on alert correlation and software defined network. In: 28th International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE), pp. 52–57. IEEE, (2019)
Moustafa, N., Slay, J.: UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set). In: Military Communications and Information Systems Conference (MilCIS), 2015, pp. 1–6. IEEE, (2015)
Moussaid, N.El., Toumanari, A., Azhari, M.El: Security analysis as software-defined security for SDN environment. In: 2017 Fourth International Conference on Software Defined Systems (SDS), pp. 87–92. IEEE, (2017)
National Institute of Standards and Technology. National vulnerability database, (2019). https://nvd.nist.gov/
Ou, X., Govindavajhala, S., Appel, A.W.: MulVAL: a logic-based network security analyzer. In: USENIX Security Symposium, p. 8. Baltimore, MD, (2005)
Pearl, J.: Probabilistic Reasoning in Intelligent Systems: Networks of Plausible Inference. Elsevier (2014)
Poolsappasit, N., Dewri, R., Ray, I.: Dynamic security risk management using bayesian attack graphs. IEEE Trans. Dependable Secure Comput. 9(1), 61–74 (2012)
Radware: Ddos warriors, (2019). https://security.radware.com/
Ramakrishnan, S., Srinivasan, S.: Intelligent agent based artificial immune system for computer security-a review. Artif. Intell. Rev. 32(1–4), 13 (2009)
Rammig, F., Stahl, K., Vaz, G.: A framework for enhancing dependability in self-x systems by artificial immune systems. In: 2013 IEEE 16th International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing (ISORC), pp. 1–10. IEEE, (2013)
Ramos, F.M.V., Kreutz, D., Verissimo, P.: Software-defined networks: on the road to the softwarization of networking. Cutter IT Journal, (2015)
Roschke, S., Cheng, F., Meinel, C.: High-quality attack graph-based IDS correlation. Logic J. IGPL 21(4), 571–591 (2013)
Roschke, S., Cheng, F., Meinel, C.: A new alert correlation algorithm based on attack graph. In: Computational Intelligence in Security for Information Systems, pp. 58–67. Springer, (2011)
Seresht, N.A., Azmi, R.: MAIS-IDS: a distributed intrusion detection system using multi-agent AIS approach. Eng. Appl. Artif. Intell. 35, 286–298 (2014)
Singh, R., Kumar, H., Singla, R.K., Ketti, R.R.: Internet attacks and intrusion detection system: A review of the literature. Online Inf. Rev. (2017)
Tavallaee, M., Bagheri, E., Lu, W., Ghorbani, A.A.: A detailed analysis of the KDD Cup 99 data set. In: IEEE Symposium on Computational Intelligence for Security and Defense Applications, 2009. CISDA 2009, pp. 1–6. IEEE, (2009)
University of California, Irvine. KDD Cup 1999 data, (2019). http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html/
University of New Brunswick. NSL-KDD dataset, (2019). http://www.unb.ca/cic/datasets/nsl.html/
Vasudevan, A., Harshini, E., Selvakumar, S.: SSENet-2011: a network intrusion detection system dataset and its comparison with KDD Cup 99 dataset. In: 2011 Second Asian Himalayas International Conference on Internet (AH-ICI), pp. 1–5. IEEE, (2011)
Viet, H.N., Van, Q.N., Trang, L.L.T., Nathan, S.: Using deep learning model for network scanning detection. In: Proceedings of the 4th International Conference on Frontiers of Educational Technologies, ICFET ’18, pp. 117–121, New York, NY, USA, (2018). Association for Computing Machinery
Vishwakarma, R., Jain, A.K.: A survey of DDoS attacking techniques and defence mechanisms in the IoT network. Telecommun. Syst. 73(4), 3–25 (2020)
Wang, L., Islam, T., Long, T., Singhal, A., Jajodia, S.: An attack graph-based probabilistic security metric. In: IFIP Annual Conference on Data and Applications Security and Privacy, pp. 283–296. Springer, (2008)
Yusof, R., Selamat, S.R., Sahib, S.: Intrusion alert correlation technique analysis for heterogeneous log. IJCSNS Int. J. Comput. Sci. Netw. Secur. 8(9), 132–138 (2008)
Zargar, S.T., Joshi, J., Tipper, D.: A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Commun. Surv. Tutor. 15(4), 2046–2069 (2013)
Acknowledgements
The authors would like to thank CAPES (Coordenação de Aperfeiçoamento de Pessoal de Nível Superior) for the financial support. Lastly, we would like to thank Bruno V. Melo for his help in designing the figures used in this paper.
Funding
Part of this study was funded by CAPES (Coordenação de Aperfeiçoamento de Pessoal de Nível Superior).
Ethics declarations
Conflict of interest
Author A has received research grants from CAPES (Coordenação de Aperfeiçoamento de Pessoal de Nível Superior). Author A declares that he has no conflict of interest.
Ethical approval
This article does not contain any studies with human participants or animals performed by any of the authors.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Cite this article
Melo, R.V., de Macedo, D.D.J., Kreutz, D. et al. ISM-AC: an immune security model based on alert correlation and software-defined networking. Int. J. Inf. Secur. 21, 191–205 (2022). https://doi.org/10.1007/s10207-021-00550-x