AU2021106268A4 - Nature-inspired adaptive defense system for early intrusion detection - Google Patents


Info

Publication number
AU2021106268A4
Authority
AU
Australia
Prior art keywords
node
intrusion detection
network
suspicious
list
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
AU2021106268A
Inventor
Bong Jun Choi
Ajit Kumar
Praveen Lalwani
Akshara Makrariya
Manas Kumar Mishra
Pushpinder Singh Patheja
Shishir Kumar Shandilya
Saket Upadhyay
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lalwani Praveen Dr
Makrariya Akshara Dr
Mishra Manas Kumar Dr
Patheja Pushpinder Singh Dr
Choi Bong Jun Dr
Kumar Ajit Dr
Original Assignee
Lalwani Praveen Dr
Makrariya Akshara Dr
Mishra Manas Kumar Dr
Patheja Pushpinder Singh Dr
Choi Bong Jun Dr
Kumar Ajit Dr
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Lalwani Praveen Dr, Makrariya Akshara Dr, Mishra Manas Kumar Dr, Patheja Pushpinder Singh Dr, Choi Bong Jun Dr, Kumar Ajit Dr filed Critical Lalwani Praveen Dr
Priority to AU2021106268A priority Critical patent/AU2021106268A4/en
Application granted granted Critical
Publication of AU2021106268A4 publication Critical patent/AU2021106268A4/en
Ceased legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00Machine learning
    • H04L63/1416Event detection, e.g. attack signature detection

Abstract

The present invention generally relates to an adaptive network monitoring system and method for early intrusion detection in an intrusion detection system (IDS). The system comprises a node selection unit for receiving network data based on all the nodes present in the network and randomly selecting a node from a priority list. The system further comprises a health determination unit for determining a health attribute and a node mapping unit for identification of suspicious nodes by behavior comparison of nodes and generating a suspicious node list. Lastly, the system comprises a notification unit connected to the intrusion detection system for sending the suspicious node list to the intrusion detection system for further processing. The system establishes a robust defense for existing intrusion detection systems by alerting the IDS about suspicious nodes promptly.

Description

NATURE-INSPIRED ADAPTIVE DEFENSE SYSTEM FOR EARLY INTRUSION DETECTION
FIELD OF THE INVENTION The present invention relates to intrusion detection systems. In particular, the present invention relates to an adaptive network monitoring system and nature-inspired method for early intrusion detection of network attacks in an Intrusion Detection System.
BACKGROUND OF THE INVENTION An Intrusion Detection System (IDS) ensures network security by constantly monitoring unusual activities that may lead to an attack. Conventional IDSs are based on a feature selection approach to identify and classify malicious activities, which provide moderate security. Existing works provide optimized features to machine learning and artificial intelligence-based systems but they do not adapt to changing environments. They are also resource-heavy and decrease the expected performance of the overall network by considering all nodes for scanning and detection. As the first line of defense, IDS needs to be strengthened via an optimized network health monitoring. Therefore, there is a need for an adaptive and autonomous network monitoring functionality to support IDS that pre-processes the network monitoring parameters and reduces the burden of further processing and analysis resulting in early detection.
In view of the foregoing discussion, it is clearly portrayed that there is a need for an adaptive network monitoring system and method for early intrusion detection of network attacks. The present invention harnesses a novel health determination unit to alert the intrusion detection system about suspicious nodes promptly. For this, the system implements a priority-based nature-inspired optimization algorithm for proactive network protection. Such a system establishes a robust defense against network attacks.
SUMMARY OF THE INVENTION The present disclosure seeks to provide an adaptive network monitoring system and method for early intrusion detection. The present invention harnesses a novel health determination unit to alert the intrusion detection system about suspicious nodes promptly. The health is accurately estimated by analyzing the throughput, end-to-end delay, and packet delivery ratio for the entire network traffic. For this, the system implements a priority-based optimization algorithm for managing real-time alerts and events in the network. The system focuses on proactive network protection measures for accurate network health monitoring. Such a system establishes a robust defense by utilizing nature-inspired computing algorithms to analyze and monitor networks for intrusion detection.
In an embodiment, the adaptive network monitoring system for early intrusion detection in an intrusion detection system comprises a node selection unit for receiving network data based on all the nodes present in the network and randomly selecting a node from a priority list. The priority list consists of a list of nodes ordered by a priority. The system further comprises a health determination unit for determining a health attribute of the selected node based on a set of metrics. The system further comprises a node mapping unit for identification of suspicious nodes by behavior comparison of nodes based on the health attribute and the priority list and generating a suspicious node list. Lastly, the system comprises a notification unit connected to the intrusion detection system for sending the suspicious node list to the intrusion detection system for further processing.
In an embodiment, the adaptive network monitoring method for early intrusion detection comprises receiving network data based on all the nodes present in the network. The method further comprises initializing each node of the network. Here, each node is associated with a set of metrics, and the initialization of a node leads to initialization of the set of metrics associated with the node. Also, the set of metrics comprises throughput, packet delivery ratio, end-to-end delay and a priority. The method further comprises randomly selecting a node from a priority list. Here, the priority list consists of a list of nodes ordered by the priority of the nodes. The method further comprises determining a health attribute of the selected node based on the set of metrics for the selected node. The method further comprises determining whether the selected node is a suspicious node based on the health attribute and adding the suspicious node to a suspicious node list based on the priority of the suspicious node. The method further comprises updating the priority of the selected node based on the health attribute, updating the priority list and updating the suspicious node list. The method further comprises determining if all nodes of the network have been selected; if not, the process is repeated, else the suspicious node list is generated. Lastly, the method comprises sending the suspicious node list to the intrusion detection system for further processing.
In another embodiment, the intrusion detection system used in the present invention is a generic system employing standard algorithms for intrusion detection.
In another embodiment, the health determination unit of the present invention is configured as a Machine Learning (ML) model and the ML model forms a part of the intrusion detection system.
In another embodiment, the network data used in the method comprises data relating to the number of nodes in a network, the type of deployment, type of service, type of network and performance of the network.
To further clarify advantages and features of the present disclosure, a more particular description of the invention will be rendered by reference to specific embodiments thereof, which are illustrated in the appended drawings. It is appreciated that these drawings depict only typical embodiments of the invention and are therefore not to be considered limiting of its scope. The invention will be described and explained with additional specificity and detail with the accompanying drawings.
BRIEF DESCRIPTION OF FIGURES These and other features, aspects, and advantages of the present disclosure will become better understood when the following detailed description is read with reference to the accompanying drawings in which like characters represent like parts throughout the drawings, wherein:
Figure 1 illustrates a block diagram of an adaptive network monitoring system for early intrusion detection in IDS in accordance with an embodiment of the present disclosure.
Figure 2 illustrates a flow chart of an adaptive network monitoring method for early intrusion detection in IDS in accordance with an embodiment of the present disclosure.
Figure 3 illustrates a comparison between the existing IDS and the present invention along with the generic IDS in accordance with an embodiment of the present disclosure.
Figure 4 illustrates a data flow diagram of the adaptive network monitoring method in accordance with an embodiment of the present disclosure.
Further, skilled artisans will appreciate that elements in the drawings are illustrated for simplicity and may not have necessarily been drawn to scale. For example, the flow charts illustrate the method in terms of the most prominent steps involved to help to improve understanding of aspects of the present disclosure. Furthermore, in terms of the construction of the device, one or more components of the device may have been represented in the drawings by conventional symbols, and the drawings may show only those specific details that are pertinent to understanding the embodiments of the present disclosure so as not to obscure the drawings with details that will be readily apparent to those of ordinary skill in the art having benefit of the description herein.
DETAILED DESCRIPTION For the purpose of promoting an understanding of the principles of the invention, reference will now be made to the embodiment illustrated in the drawings and specific language will be used to describe the same. It will nevertheless be understood that no limitation of the scope of the invention is thereby intended, such alterations and further modifications in the illustrated system, and such further applications of the principles of the invention as illustrated therein being contemplated as would normally occur to one skilled in the art to which the invention relates.
It will be understood by those skilled in the art that the foregoing general description and the following detailed description are exemplary and explanatory of the invention and are not intended to be restrictive thereof.
Reference throughout this specification to "an aspect", "another aspect" or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present disclosure. Thus, appearances of the phrase "in an embodiment", "in another embodiment" and similar language throughout this specification may, but do not necessarily, all refer to the same embodiment.
The terms "comprises", "comprising", or any other variations thereof, are intended to cover a non-exclusive inclusion, such that a process or method that comprises a list of steps does not include only those steps but may include other steps not expressly listed or inherent to such process or method. Similarly, one or more devices or sub-systems or elements or structures or components proceeded by "comprises...a" does not, without more constraints, preclude the existence of other devices or other sub systems or other elements or other structures or other components or additional devices or additional sub-systems or additional elements or additional structures or additional components.
Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The system, methods, and examples provided herein are illustrative only and not intended to be limiting.
Embodiments of the present disclosure will be described below in detail with reference to the accompanying drawings.
Referring to Figure 1, which illustrates a block diagram of an adaptive network monitoring system for early intrusion detection in IDS in accordance with an embodiment of the present disclosure.
The adaptive network monitoring system 100 for early intrusion detection in an intrusion detection system comprises a node selection unit 102 for receiving network data based on all the nodes present in the network and randomly selecting a node from a priority list. The priority list consists of a list of nodes ordered by a priority. The system 100 further comprises a health determination unit 104 for determining a health attribute of the selected node based on a set of metrics. The system 100 further comprises a node mapping unit 106 for identification of suspicious nodes by behavior comparison of nodes based on the health attribute and the priority list and generating a suspicious node list. Lastly, the system 100 comprises a notification unit 108 connected to the intrusion detection system for sending the suspicious node list to the intrusion detection system for further processing.
Figure 2 illustrates a flow chart of an adaptive network monitoring method for early intrusion detection in IDS in accordance with an embodiment of the present disclosure. The adaptive network monitoring method 200 for early intrusion detection in an intrusion detection system comprises, at step 202, receiving network data based on all the nodes present in the network. The method 200 further comprises, at step 204, initializing each node of the network. Here, each node is associated with a set of metrics, and the initialization of a node leads to initialization of the set of metrics associated with the node. Also, the set of metrics comprises throughput, packet delivery ratio, end-to-end delay and a priority. The method 200 further comprises, at step 206, randomly selecting a node from a priority list. Here, the priority list consists of a list of nodes ordered by the priority of the nodes. The method 200 further comprises, at step 208, determining a health attribute of the selected node based on the set of metrics for the selected node. The method 200 further comprises, at step 210, determining whether the selected node is a suspicious node based on the health attribute and adding the suspicious node to a suspicious node list based on the priority of the suspicious node. The method 200 further comprises, at step 212, updating the priority of the selected node based on the health attribute, updating the priority list and updating the suspicious node list. The method 200 further comprises, at step 214, determining if all nodes of the network have been selected; if not, the process is repeated, else the suspicious node list is generated. Lastly, the method 200 comprises, at step 216, sending the suspicious node list to the intrusion detection system for further processing.
In another embodiment, the intrusion detection system used in the present invention is a generic system employing standard algorithms for intrusion detection.
In another embodiment, the health determination unit of the present invention is configured as an ML model and the ML model forms a part of the intrusion detection system.
In another embodiment, the network data used in the method comprises data relating to the number of nodes in a network, the type of deployment, type of service, type of network and performance of the network.
Figure 3 illustrates a comparison between the existing IDS and the present invention along with the generic IDS in accordance with an embodiment of the present disclosure.
Throughput is considered the most appropriate parameter for analyzing network performance. Still, considering additional network parameters such as end-to-end delay and packet delivery ratio can help build an even more effective IDS. Furthermore, the parameters can be readily customized to suit specific applications and types of networks. The proposed system focuses on observations based on available network information to curtail the number of nodes that must be given attention in the intrusion detection process. The nodes in a network deviate significantly from their normal behavior under attack or under certain conditions/loads. Therefore, such deviation is a good indicator for observing the abnormal behavior of nodes in detail. Based on this information, the system identifies which node(s) are suspicious and which node(s) require observation.
The system notifies the IDS to observe suspicious nodes for load balancing or intrusion analysis. The IDS then observes the activities of the suspicious nodes and takes appropriate actions.
Figure 4 illustrates a data flow diagram of the adaptive network monitoring method in accordance with an embodiment of the present disclosure.
The method uses a nature-inspired stochastic global optimization algorithm (Firefly Optimization). The core idea of this swarm-based meta-heuristic algorithm is to design an objective function for the given problem of suspicious node identification. The algorithm depends on multiple parameters such as the number of nodes in a network; the type of deployment also plays a significant role, as it defines the network structure and how nodes are mapped in the grid. The type of service provided via the network defines how much tolerance for error is acceptable. The type of network, or the type of data transmitted across the network, along with the general performance priority of the network, significantly influences the determination of the health of the nodes.
To implement the proposed method, the nodes are assumed to be arranged in a 2-dimensional grid in the network, one unit distance apart. Each node has the following base properties: node name, health value, X coordinate, and Y coordinate.
After each cycle of the scan, the health of the nodes is determined to identify nodes that require attention. The health attribute for nodes with unwanted behaviours (i.e., suspicious activities, performance drops) will be high, and for normal behaviours it will be low. The proposed method also determines and utilizes previous scan cycles for a more realistic identification of suspicious nodes. A comprehensive analysis of the health of specific nodes by analyzing the three most important network parameters (throughput, end-to-end delay, and packet delivery ratio) is the novel and most vital feature of the system. It helps in determining the actual performance of each node contributing to the overall network performance while also notifying the IDS to give more attention to the suspicious nodes. Based on the values of the health attribute, the suspicious nodes are compared and appended to the suspicious node list. This list is then used to notify the IDS so that appropriate measures can be taken. This list can also be applied to various other tasks, such as the white-listing of certain nodes or prioritizing incident responses. These suspicious nodes can be nodes under attack or overloaded nodes that require load-balancing.
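The following simulation is an added example, not code from the patent or its inventors, of one scan cycle of method 200 (steps 202 to 216) together with the health attribute described above. The patent gives no formula for the health attribute and no rule for the priority-weighted random pick, so the scoring in health_attribute (high = unwanted behaviour, blended with the previous cycles' scores), the suspicion threshold, the priority update and the constructed 3x3 grid of nodes are all assumptions made here; the Firefly objective function is not reproduced.

```python
"""Simulation of one scan cycle of the adaptive monitoring method (steps 202-216).

Assumptions (not specified in the patent): health scoring formula, threshold,
priority update rule and priority-weighted random node selection.
"""
import random
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    x: int                 # grid coordinates, nodes one unit apart (as in the patent)
    y: int
    throughput: float      # fraction of the node's nominal throughput, 0..1
    pdr: float             # packet delivery ratio, 0..1
    delay: float           # end-to-end delay normalised so 1.0 is the tolerated maximum
    priority: int = 1      # step 204: every node starts at the same priority
    health: float = 0.0    # high value = unwanted behaviour
    history: list = field(default_factory=list)  # scores from previous scan cycles


def health_attribute(node: Node, history_weight: float = 0.5) -> float:
    """Assumed scoring: average of three deviations, blended with earlier cycles."""
    current = ((1.0 - node.throughput) + (1.0 - node.pdr) + min(node.delay, 1.0)) / 3.0
    if node.history:
        previous = sum(node.history) / len(node.history)
        score = history_weight * previous + (1.0 - history_weight) * current
    else:
        score = current
    node.history.append(current)
    return score


def monitor_cycle(nodes, threshold: float = 0.4, rng=None):
    """Run steps 206-216 once over every node and return the suspicious node list."""
    rng = rng or random.Random(0)
    # priority list: nodes ordered by priority (step 206)
    remaining = sorted(nodes, key=lambda n: n.priority, reverse=True)
    suspicious = []
    while remaining:  # step 214: loop until all nodes have been selected
        # step 206: random selection, weighted by priority (assumption)
        node = rng.choices(remaining, weights=[n.priority for n in remaining], k=1)[0]
        remaining.remove(node)
        node.health = health_attribute(node)             # step 208
        if node.health >= threshold:                     # step 210
            suspicious.append(node)
            node.priority += 1                           # step 212: watch it more closely
        else:
            node.priority = max(1, node.priority - 1)    # step 212: relax attention
    # step 216: list handed to the IDS, ordered by priority then health
    suspicious.sort(key=lambda n: (n.priority, n.health), reverse=True)
    return [n.name for n in suspicious]


def demo_network():
    """Constructed sample: 3x3 grid; n4 is degraded, n7 is overloaded."""
    nodes = []
    for i in range(9):
        nodes.append(Node(f"n{i}", x=i % 3, y=i // 3, throughput=0.95, pdr=0.98, delay=0.2))
    nodes[4].throughput, nodes[4].pdr, nodes[4].delay = 0.3, 0.5, 0.9   # under attack
    nodes[7].throughput, nodes[7].pdr, nodes[7].delay = 0.6, 0.8, 1.5   # overloaded
    return nodes


if __name__ == "__main__":
    net = demo_network()
    for cycle in range(2):
        print(f"cycle {cycle}: suspicious nodes -> {monitor_cycle(net)}")
```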
The proposed method is adaptive and efficient for optimizing and assisting network monitoring for IDS, even for large networks.
The results of the proposed invention were investigated on multiple test cases and determined to be promising in all simulated attack scenarios. The proposed method can detect suspicious nodes early, irrespective of their location.
The drawings and the foregoing description give examples of embodiments. Those skilled in the art will appreciate that one or more of the described elements may well be combined into a single functional element. Alternatively, certain elements may be split into multiple functional elements. Elements from one embodiment may be added to another embodiment. For example, the order of processes described herein may be changed and is not limited to the manner described herein. Moreover, the actions of any flow diagram need not be implemented in the order shown; nor do all of the acts necessarily need to be performed. Also, those acts that are not dependent on other acts may be performed in parallel with the other acts. The scope of embodiments is by no means limited by these specific examples. Numerous variations, whether explicitly given in the specification or not, such as differences in structure, dimension, and use of material, are possible. The scope of embodiments is at least as broad as given by the following claims.
Benefits, other advantages, and solutions to problems have been described above with regard to specific embodiments. However, the benefits, advantages, solutions to problems, and any component(s) that may cause any benefit, advantage, or solution to occur or become more pronounced are not to be construed as a critical, required, or essential feature or component of any or all the claims.

Claims (6)

WE CLAIM:
1. A nature-inspired adaptive network monitoring system for early intrusion detection in an intrusion detection system, comprising: a node selection unit for receiving network data based on all the nodes present in the network and randomly selecting a node from a priority list, wherein the priority list consists of a list of nodes ordered by a priority;
a health determination unit for determining a health attribute of the selected node based on a set of metrics;
a node mapping unit for identification of suspicious nodes by behavior comparison of nodes based on health attribute and priority list and generating a suspicious node list; and
a notification unit connected to the intrusion detection for sending the suspicious node list to the intrusion detection system for further processing.
2. The adaptive network monitoring system for early intrusion detection in an intrusion detection system as claimed in claim 1, wherein the intrusion detection system is a generic system employing standard algorithms for intrusion detection.
3. The adaptive network monitoring system for early intrusion detection in an intrusion detection system as claimed in claim 1, wherein the health determination unit is configured as a Machine Learning (ML) model, wherein the ML model forms a part of the intrusion detection system.
4. An adaptive network monitoring method for early intrusion detection in an intrusion detection system, comprising the steps of: a. receiving network data based on all the nodes present in the network; b. initializing each node of the network, wherein each node is associated with a set of metrics and wherein the initialization of a node leads to initialization of the set of metrics associated with the node, wherein the set of metrics comprises throughput, packet delivery ratio, end-to-end delay and a priority; c. randomly selecting a node from a priority list, wherein the priority list consists of a list of nodes ordered by the priority of the nodes; d. determining a health attribute of the selected node based on the set of metrics for the selected node; e. determining whether the selected node is a suspicious node based on the health attribute and adding the suspicious node to a suspicious node list based on the priority of the suspicious node; f. updating the priority of the selected node based on the health attribute, updating the priority list and updating the suspicious node list; g. determining if all nodes of the network have been selected; if not, continuing with step c, else generating the suspicious node list; and h. sending the suspicious node list to the intrusion detection system for further processing.
5. The adaptive network monitoring method for early intrusion detection in an intrusion detection system as claimed in claim 4, wherein the intrusion detection system is a generic system employing standard algorithms for intrusion detection.
6. The adaptive network monitoring method for early intrusion detection in an intrusion detection system as claimed in claim 4, wherein the network data comprises data relating to the number of nodes in a network, the type of deployment, type of service, type of network and performance of the network.
Figure 1 (block diagram): Node Selection Unit 102, Health Determination Unit 104, Node Mapping Unit 106, Notification Unit 108.
Figure 2 (flow chart): step 202 receiving network data based on all the nodes present in the network; step 204 initializing each node of the network; step 206 randomly selecting a node from a priority list; step 208 determining a health attribute of the selected node based on the set of metrics for the selected node; step 210 determining the selected node as a suspicious node based on the health attribute and adding the suspicious node to a suspicious node list based on the priority of the suspicious node; step 212 updating the priority of the selected node based on the health attribute, updating the priority list and updating the suspicious node list; step 214 determining if all nodes of the network have been selected, if not the process is repeated, else the suspicious node list is generated; step 216 sending the suspicious node list to the intrusion detection system for further processing.
Figure 3 (comparison of the existing IDS, the generic IDS and the present invention) and Figure 4 (data flow diagram): images not reproduced.

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2021106268A AU2021106268A4 (en) 2021-08-21 2021-08-21 Nature-inspired adaptive defense system for early intrusion detection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
AU2021106268A AU2021106268A4 (en) 2021-08-21 2021-08-21 Nature-inspired adaptive defense system for early intrusion detection

Publications (1)

Publication Number Publication Date
AU2021106268A4 true AU2021106268A4 (en) 2021-11-25

Family

ID=78610587

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2021106268A Ceased AU2021106268A4 (en) 2021-08-21 2021-08-21 Nature-inspired adaptive defense system for early intrusion detection

Country Status (1)

Country Link
AU (1) AU2021106268A4 (en)


Legal Events

Date Code Title Description
FGI Letters patent sealed or granted (innovation patent)
MK22 Patent ceased section 143a(d), or expired - non payment of renewal fee or expiry