Anomaly-Based Intrusion Detection by Modeling Probability Distributions of Flow Characteristics

dc.contributor Aalto-yliopisto fi
dc.contributor Aalto University en
dc.contributor.advisor Miche, Yoan
dc.contributor.author Atli, Buse
dc.date.accessioned 2017-10-30T07:58:26Z
dc.date.available 2017-10-30T07:58:26Z
dc.date.issued 2017-10-23
dc.description.abstract In recent years, with the increased use of network communication, the risk of information compromise has grown immensely. Intrusions have evolved and become more sophisticated; hence, classical detection systems perform poorly at detecting novel attacks. Although much research has been devoted to improving the performance of intrusion detection systems, few methods achieve consistently efficient results under the constant changes in network communications. This thesis proposes an intrusion detection system based on modeling distributions of network flow statistics in order to achieve a high detection rate for both known and stealthy attacks. The proposed model aggregates the traffic at the IP subnetwork level using a hierarchical heavy hitters algorithm. This aggregated traffic is used to build the distribution of network statistics for the most frequent IPv4 addresses encountered as destinations. The obtained probability density functions are learned by the Extreme Learning Machine method, a single-hidden-layer feedforward neural network. Different sequential and batch learning strategies are proposed in order to analyze the efficiency of the approach. The performance of the model is evaluated on the ISCX-IDS 2012 dataset, which consists of injection attacks, HTTP flooding, DDoS and brute force intrusions. The experimental results indicate that the presented method achieves an average detection rate of 91% while keeping a low misclassification rate of 9%, which is on par with state-of-the-art approaches on this dataset. In addition, the proposed method can be used as a network behavior analysis tool, specifically for DDoS mitigation, since it can isolate the aggregated IPv4 addresses from the rest of the network traffic and thus support filtering out DDoS attacks. en
dc.format.extent 12+79
dc.format.mimetype application/pdf en
dc.language.iso en en
dc.title Anomaly-Based Intrusion Detection by Modeling Probability Distributions of Flow Characteristics en
dc.type G2 Pro gradu, diplomityö fi Sähkötekniikan korkeakoulu fi
dc.subject.keyword intrusion detection en
dc.subject.keyword network behavior analysis en
dc.subject.keyword probability distribution en
dc.subject.keyword hierarchical clustering en
dc.subject.keyword ELM en
dc.identifier.urn URN:NBN:fi:aalto-201710307348
dc.programme.major Signal, Speech and Language Processing fi
dc.programme.mcode ELEC3031 fi
dc.type.ontasot Master's thesis en
dc.type.ontasot Diplomityö fi
dc.contributor.supervisor Asokan, Nadarajah
dc.programme CCIS - Master’s Programme in Computer, Communication and Information Sciences (TS2013) fi
dc.ethesisid Aalto 9698
dc.location P1 fi
