834 results for INTRUSION
Abstract:
The MIT Lincoln Laboratory IDS evaluation methodology is a practical solution for evaluating the performance of Intrusion Detection Systems, and it has contributed tremendously to research progress in that field. The DARPA IDS evaluation dataset has been criticized and considered by many to be a very outdated dataset, unable to accommodate the latest trends in attacks. The question then naturally arises as to whether detection systems have improved beyond detecting these old classes of attack. If not, is it worth considering this dataset obsolete? The paper presented here tries to provide supporting facts for the continued use of the DARPA IDS evaluation dataset. Two commonly used signature-based IDSs, Snort and Cisco IDS, and two anomaly detectors, PHAD and ALAD, are used for this evaluation, and the results support the usefulness of the DARPA dataset for IDS evaluation.
Abstract:
The motivation behind the fusion of Intrusion Detection Systems was the realization that, with increasing traffic and increasingly complex attacks, none of the present-day stand-alone Intrusion Detection Systems can meet the demand for a very high detection rate together with an extremely low false positive rate. Multi-sensor fusion can be used to meet these requirements by refining the combined response of different Intrusion Detection Systems. In this paper, we show a design technique for sensor fusion that best utilizes the useful responses from multiple sensors by an appropriate adjustment of the fusion threshold. The threshold is generally chosen according to past experience or by an expert system. In this paper, we show that choosing the threshold bounds according to the Chebyshev inequality performs better. This approach also helps to solve the problem of scalability and has the advantage of failsafe capability. This paper theoretically models the fusion of Intrusion Detection Systems in order to prove the improvement in performance, supplemented with an empirical evaluation. The combination of complementary sensors is shown to detect more attacks than the individual components. Since the individual sensors chosen detect sufficiently different attacks, their results can be merged for improved performance. The combination is done in different ways: (i) taking all the alarms from each system and avoiding duplication, (ii) taking alarms from each system by fixing threshold bounds, and (iii) rule-based fusion with a priori knowledge of the individual sensor performance. A number of evaluation metrics are used, and the results indicate that there is an overall enhancement in the performance of the combined detector using sensor fusion incorporating the threshold bounds, and significantly better performance using simple rule-based fusion.
Abstract:
We present a low-complexity algorithm for intrusion detection in the presence of clutter arising from wind-blown vegetation, using Passive Infra-Red (PIR) sensors in a Wireless Sensor Network (WSN). The algorithm is based on a combination of the Haar Transform (HT) and Support-Vector-Machine (SVM) based training, and was field tested in a network setting comprising 15-20 sensing nodes. Also contained in this paper is a closed-form expression for the signal generated by an intruder moving at a constant velocity. It is shown how this expression can be exploited to determine the direction of motion and the velocity of the intruder from the signals of three well-positioned sensors.
Abstract:
The problem of sensor-network-based distributed intrusion detection in the presence of clutter is considered. It is argued that sensing is best regarded as a local phenomenon, in that only sensors in the immediate vicinity of an intruder are triggered. In such a setting, lack of knowledge of the intruder's location gives rise to correlated sensor readings. A signal-space viewpoint is introduced in which the noise-free sensor readings associated with intruder and clutter appear as surfaces f(s) and f(g), and the problem reduces to one of determining, in a distributed fashion, whether the current noisy sensor reading is best classified as intruder or clutter. Two approaches to distributed detection are pursued. In the first, a decision surface separating f(s) and f(g) is identified using Neyman-Pearson criteria. Thereafter, the individual sensor nodes interactively exchange bits to determine on which side of the decision surface the sensor readings lie. Bounds on the number of bits that need to be exchanged are derived, based on communication-complexity (CC) theory. A lower bound derived for the two-party average-case CC of general functions is compared against the performance of a greedy algorithm. Extensions to the multi-party case are straightforward and are briefly discussed. The average-case CC of the relevant greater-than (GT) function is characterized to within two bits. Under the second approach, each sensor node broadcasts a single bit arising from an appropriate two-level quantization of its own sensor reading, keeping in mind the fusion rule to be subsequently applied at a local fusion center. The optimality of a threshold test as a quantization rule is proved under simplifying assumptions. Finally, results from a QualNet simulation of the algorithms are presented, including intruder tracking using a naive polynomial-regression algorithm.
Abstract:
We consider the problem of quickest detection of an intrusion using a sensor network, keeping only a minimal number of sensors active. By using a minimal number of sensor devices, we ensure that the energy expenditure for sensing, computation and communication is minimized (and the lifetime of the network is maximized). We model the intrusion detection (or change detection) problem as a Markov decision process (MDP). Based on the theory of MDPs, we develop the following closed-loop sleep/wake scheduling algorithms: 1) optimal control of M_{k+1}, the number of sensors in the wake state in time slot k + 1; 2) optimal control of q_{k+1}, the probability of a sensor being in the wake state in time slot k + 1; and an open-loop sleep/wake scheduling algorithm which 3) computes q, the optimal probability of a sensor being in the wake state (which does not vary with time), based on the sensor observations obtained up to time slot k. Our results show that optimal closed-loop control of M_{k+1} significantly decreases the cost compared to keeping any fixed number of sensors active all the time. Also, among the three algorithms described, we observe that the total cost is lowest for optimal control of M_{k+1} and highest for optimal open-loop control of q.
Abstract:
Fusion of multiple intrusion detection systems results in more reliable and accurate detection for a wider class of intrusions. The paper presented here introduces the mathematical basis for sensor fusion and provides sufficient support for the acceptability of sensor fusion as a means of enhancing the performance of intrusion detection systems. The sensor fusion system is characterized and modeled with no knowledge of the intrusion detection systems or of the intrusion detection data. The theoretical analysis is supported by an experimental illustration with three of the available intrusion detection systems using the DARPA 1999 evaluation data set.
Abstract:
Network Intrusion Detection Systems (NIDS) intercept the traffic at an organization's network periphery to thwart intrusion attempts. Signature-based NIDS compare the intercepted packets against a database of known vulnerability and malware signatures to detect such cyber attacks. These signatures are represented using Regular Expressions (REs) and strings. Regular Expressions, because of their higher expressive power, are preferred over simple strings for writing these signatures. We present a Cascaded Automata Architecture to perform memory-efficient Regular Expression pattern matching using existing string matching solutions. The proposed architecture performs two-stage Regular Expression pattern matching. We replace the substring and character-class components of the Regular Expression with new symbols, and we address the challenges involved in this approach. We augment the Word-based Automata, obtained from the rewritten Regular Expressions, with counter-based states and length-bound transitions to perform Regular Expression pattern matching. We evaluated our architecture on Regular Expressions taken from Snort rulesets. We were able to reduce the number of automata states by 50% to 85%. Additionally, we could reduce the number of transitions by a factor of 3, leading to a further reduction in memory requirements.
Abstract:
Saltwater intrusion into coastal aquifers is a global issue, exacerbated by increasing demands for freshwater in coastal regions. This study investigates, through parametric analysis, saltwater intrusion in a conceptual coastal unconfined aquifer, considering a wide range of freshwater draft and anticipated sea level rise. Saltwater intrusion under various circumstances is simulated through parametric studies using MODFLOW, MT3DMS and SEAWAT. MODFLOW is used to simulate the groundwater flow system under the changing hydrodynamics of the coastal aquifer. MT3DMS and SEAWAT are used to simulate solute transport. The saltwater intrusion process depends directly on hydraulic conductivity and is inversely related to porosity. It may also be noted that the increase in recharge rate considered in the study does not have much influence on saltwater intrusion. Freshwater draft at locations beyond half of the width of the aquifer considered has only a marginal effect, and this region can therefore be considered a safe zone for freshwater withdrawals. Due to the effect of climate change, an anticipated sea level rise of 0.88 m over a century is considered in the investigation. This causes an increase in salinity intrusion of about 25%. The combined effect of sea level rise and freshwater draft
Abstract:
The evolution of the upward migration of magma is a nonlinear and unstable problem in mathematics, and it is difficult to solve. Using numerical methods, the solution is relatively tedious and time-consuming. This paper introduces an instantaneous point source method that solves the linear, unstable heat conduction equation over an infinite period of time in place of solving the nonlinear, unstable heat conduction equation. The results obtained by this method coincide with those of the numerical method, meaning that this method offers a simple way to solve the nonlinear and unstable heat conduction equation.
Abstract:
Upward leakage of saline water from an artesian aquifer below 1,500 feet has caused an increase in chloride concentration in the lower Hawthorn aquifer from less than 1,000 mg/L (milligrams per liter) to values ranging from about 1,300 to 15,000 mg/L. Similarly, the higher temperature of the intruding water has caused an increase in water temperatures in the aquifer from 82°F to values ranging from 83 to 93°F. The intruding water moves upward either through the open bore holes of deep wells or test holes, or along a fault or fracture system which has been identified in the area. From these points of entry into the lower Hawthorn aquifer, the saline water spreads laterally toward the south and southeast, but is generally confined to components of the fault system. The saline water moves upward from the lower Hawthorn aquifer into the upper Hawthorn aquifer through the open bore holes of wells which connect the aquifers. This movement has resulted in an increase in chloride from less than 200 mg/L in the unaffected parts of the upper Hawthorn aquifer to values commonly ranging from about 300 to more than 3,000 mg/L in parts of the aquifer affected by upward leakage. The upper Hawthorn aquifer is the principal source of ground-water supply for public water-supply systems in western Lee County. Similar effects have been noted in the water-table aquifer, where chloride increased from less than 100 to concentrations ranging from about 500 to more than 5,000 mg/L. This was caused by the downward infiltration of water discharged at the land surface from wells tapping the lower Hawthorn aquifer. The spread of saline water throughout most of the McGregor Isles area is continuing as of 1971. (40 page document)
Abstract:
Salt water intrusion occurs frequently during the dry season in the Modaomen waterway of the Pearl River Estuary. With the development of the region's economy and its urbanization, the salt tides have affected the region's water supply more and more seriously in recent years. Regulation and allocation of freshwater resources from the rivers upstream of the estuary to suppress the salt tides is becoming an important measure for ensuring the security of the region's water supply in the dry season. Analysis of observation data showed that the flow value at the Wuzhou hydrometric station on the upper Xijiang River has a good correlation with the salinity in the Modaomen estuary. Thus the flow rate at Wuzhou has been used as a control variable for suppression of salt tides in the Modaomen estuary. However, the runoff at Wuzhou mainly comes from the discharge of the Longtan reservoir on the upper reaches of the Xijiang River and from the runoff in the intermediate open valley between the Longtan and Wuzhou sections. Because of the long distance, the many tributaries and the large uncontrolled watershed between these two sections, reservoir water scheduling must reasonably account for the interaction between the reservoir's regulated discharge and the runoff process of the intermediate open watershed, while deploying the suppression flow at Wuzhou requires a longer duration and high precision with respect to the salt tide cycles. For this purpose, this study established a runoff model for the Longtan - Wuzhou intermediate drainage area and, through model calculations and analysis of observation data, helped to understand the response patterns of the flow rate at Wuzhou to the water discharge of Longtan when the runoff of the intermediate basin is included. On this basis, prediction methods for the Longtan reservoir discharge scheduling scheme for saline intrusion suppression were discussed further, and scientific and representative implementation programs were provided for an effective suppression flow process at the Wuzhou section.