IEEE SSCI 2016
December 06-09, 2016 || Athens, Greece
A Comparative Study of Different Fuzzy Classifiers
for Cloud Intrusion Detection Systems’ Alerts
Saeed M. Alqahtani
School of Computer Science
PhD Student, ASAP and LUCID Groups
Nottingham University
Email: psxsa22@nottingham.ac.uk
Robert John
School of Computer Science
ASAP and LUCID Groups
Nottingham University
Email: robert.john@nottingham.ac.uk
Abstract—The use of the Internet has been increasing day by day and internet traffic is growing exponentially. Service providers such as web service providers, email service providers and cloud service providers have to deal with millions of users per second, and thus the level of threats to their growing networks is also very high. Dealing with this number of users is a big challenge, but detecting and preventing such threats is even more challenging and vital, because those threats might cause severe loss to the service providers in terms of privacy leakage or unavailability of the services to the users. To address this issue, several Intrusion Detection Systems (IDS) have been developed that differ in their detection capabilities, performance and accuracy. In this study, we have used SNORT and SURICATA, two well-known IDS systems that are used worldwide. The aim of this paper is to analytically compare the functionality, working and capability of these two IDS systems in detecting intrusions and different kinds of cyber-attacks within the MyCloud network. Furthermore, this study proposes a Fuzzy-Logic engine built on these two IDSs in order to enhance their performance and accuracy in terms of increased accuracy, specificity and sensitivity and reduced false alarms. Several experiments in this comparative study have been conducted using the ISCX dataset; the results show that the fuzzy logic based IDS outperforms the IDS alone, whereas the FL-SnortIDS system outperforms FL-SuricataIDS.
Index Terms—Cloud Computing; IDS; Fuzzy Logic; Snort;
Suricata; ISCX dataset.
I. INTRODUCTION
With fast growing digital technology, computer networks have been extensively developed and deployed worldwide, allowing users to communicate with each other [1]. In this modern age, digital communication is no longer a big task, and thus every single internet user can access the on-line information pool or interact with anyone without worrying about the distance between them. According to the statistics reported in [2], the total estimated number of internet users in 2016 is over 3,424,971,237, which is 46.1% of the world population. Hence, we can conclude that the internet has become a part of the modern age. Computer networks are attacked every day and are therefore unreliable and unsafe, which means that users may experience malicious activities and may lose their privacy, personal data or any other important information that is available on-line, depending on the nature of the attacks. For an ordinary user this may not pose any real concern, but it does for people and firms that want their data to remain private. Similarly, corporate offices, banks, hospitals, law enforcement organisations, email service providers and millions of other organisations take extreme care over their privacy and the availability of their services on-line [3], [4], [5].
A computer network attack, also known as a cyber-attack, was defined by Waxman as any unwanted or unethical activity that is intended to disturb, alter or hit someone's privacy, or to steal others' important data either secretly or publicly [6]. These types of attacks are usually performed by anonymous hackers, and it is very difficult to recognise or catch them [7]. Cyber-attacks are performed using multiple methods, such as secretly installing spy software on the targeted systems [8], secretly attempting to log in to the targeted system [9] or secretly monitoring the internet traffic of the targeted system [10]. Cyber-attacks include, but are not limited to, Malware, Phishing, Password Attacks, Denial-of-Service (DoS) Attacks, Man in the Middle (MITM) Attacks, Drive-by Downloads, Malvertising, Rogue Software and many more [11].
II. RELATED WORK
Cyber-attacks are the modern-age way of waging war by accessing and exploiting the private and secret data of a country, and therefore cyber war has taken over from nuclear war in this modern age [12]. Thus, many international rules have been created by law enforcement agencies, including those of the USA [13], [14], [15]. The problem has also attracted the attention of many researchers, and a great deal of work has been done in the literature to protect systems from cyber-attacks, such as keeping an inventory of authorised and unauthorised software and devices, securing the configuration of hardware and software, installing intelligent firewalls, installing anti-malware software, developing intrusion detection systems and developing malware defence systems. The most widely followed strategy to prevent such cyber-attacks is the development of an intrusion detection system (IDS) [16].
IDS systems are basically hardware or software systems that are deployed alongside the main systems to monitor all digital activities and the incoming as well as outgoing network traffic. These systems are made intelligent enough to detect malware or suspicious activities by monitoring the whole system, and therefore they produce alarms or reports against such activities. An IDS acts as a firewall and keeps the main system safe from malware. Hence, it is deployed alongside almost every critical system that is exposed to threats, making the organisation reliable and trustworthy.
http://ssci2016.cs.surrey.ac.uk/ 1 |Page
The capability of IDS systems to detect suspicious activities depends on how they have been developed. The stronger the IDS, the safer the main system, leading the organisation to win the trust of its clients. Moreover, IDS systems are consistently upgraded because cyber-attacks are becoming more serious and stronger day by day. A great deal of work has been done in the literature on making IDS systems intelligent and strong. For example, reputation services have been added to IDS systems. These services gather information about suspicious protocols, IP addresses and domains and finally decide whether the traffic is malicious or not [17]. Transforming wired IDS systems into wireless systems has also increased the safety level of critical systems [18]. With fast growing HTTPS traffic, an SSL traffic inspection feature has also been added to IDS systems to keep them up to date [19]. Klir stated that fuzzy logic has been widely used in IDS systems because it helps increase intrusion detection rates and thus significantly strengthens the IDS systems [20].
The paper [21] presents a new Fuzzy-Genetic hybrid approach that is considered superior to previously developed Genetic-Algorithm (GA) based approaches, which do not have a high intrusion detection capability. The proposed approach adds to the GA based system the ability to adapt to the networking environment, to handle noise and to detect intrusions in the system with significant accuracy. It is based on two major steps: a GA algorithm as an initial step to produce a subset of the communication features using a traditional dimensionality reduction technique, and a second step defining a set of fuzzy logic rules, such as trapezoidal fuzzy sets that allow complete membership over all ranges. This approach has been tested on the KDD Cup 1999 dataset, and the results show that the intrusion detection accuracy is above 90% whereas the false positive rate is below 1%.
The paper [22] discusses a major and very common security challenge, the blackhole attack in Mobile Ad hoc Networks (MANETs), and presents a corresponding solution that utilises the strengths of fuzzy logic. The proposed approach comprises four stages: fuzzy parameter extraction, where the initial parameters are extracted from the incoming network traffic; fuzzy computation, which calculates the fidelity level on the basis of the extracted parameters, where the fidelity level defines the intrusion level of the packet; a fuzzy verification module, where a decision is made as to whether a blackhole attack exists or not; and finally an alarm module that generates an alarm in case a blackhole is identified. The approach has been applied to a routing protocol and is simulated by varying input parameters such as node mobility and traffic speed. It has been found that blackhole attack detection is more accurate and the false detection ratio is also very low.
The paper [23] introduces different kinds of attacks on the internet, including Probe Attacks, DoS Attacks, R2L Attacks, U2R Attacks, Checking Attacks, Denial of Service Attacks and Infiltration Attacks, and describes the kinds of intrusion detection systems, namely clustering, pattern mining, data mining techniques, artificial intelligence systems and soft computing methods. The paper also presents a fuzzy logic enabled, anomaly-based intrusion detection system that is developed using data mining techniques to increase the intrusion detection rate as well as accuracy. The proposed approach is divided into four steps: classification of the training data, where the data of interest is gathered; a strategy for generating the fuzzy rules, where all the fuzzy sets are generated; a fuzzy decision module, where a decision is taken about the nature of the incoming traffic; and the last step, finding the suitable class for the test data, where the final decision is taken as to whether the incoming packet is an attack or not. The approach is applied in a network and tested by introducing different kinds of attacks, and the results show that the attack detection rate is very high as well as accurate.
The Denial of Service (DoS) attack is addressed in [24], which utilises a fuzzy logic based intrusion detection approach to deal with this attack. The proposed approach applies fuzzy logic over an already developed IDS system with the aim of improving the detection rate of this attack; the IDS system is an MCA-based DoS attack detection system. The MCA-based system works on a triangle-based MCA technique that involves extracting the geometrical correlation of mutually exclusive features. The proposed approach is tested against the KDD CUP99 dataset, and the results indicate that the DoS attack detection rate is considerably improved after applying fuzzy logic.
Several different tools are also available that perform intrusion detection. For instance, the Security Onion system has the capability to monitor VLANs and virtualised networks, but it cannot be used as an intrusion prevention system [25], [24]. The OSSEC system can generate real-time alarms and has the capability of monitoring file integrity [26]. The OpenWIPS-NG system is dependent on network interfaces, devices, servers and other infrastructure [24]. The BRO system is an alternative to Security Onion but has more defined rules to detect malicious activities [27]. Among all IDS systems, Snort is considered to be the most efficient tool; it performs real-time protection, real-time traffic analysis, protocol analysis, content matching and packet logging on IP networks, and possesses the capability to detect many kinds of attacks [28].
This study discusses Snort and Suricata as IDS systems, referred to as SnortIDS and SuricataIDS, their strengths and capabilities, a demonstration of the SnortIDS/SuricataIDS systems using the ISCX datasets [29], and finally proposes a new technique to increase the SnortIDS/SuricataIDS malicious activity detection rate by utilising the strengths of fuzzy logic. ISCX datasets are sets of malicious activities that are offered to IDS systems to analyse the capability of the IDS systems to detect them [30]. If the detection rate is high and accurate, we can conclude that the IDS system is strong enough to be used for live traffic. Several other datasets are also available for testing IDS systems, such as KDD CUP-1999, but they are not realistic [31].
Similarly, the statistical parameters that are used to describe the overall performance of MyCloud as well as the capability of the underlying IDS system are (1) specificity and (2) sensitivity. Specificity, commonly termed the true negative rate, is a parameter whose value represents the proportion of negatives that have been correctly identified as negative. On the contrary, sensitivity, commonly termed the true positive rate, is a parameter whose value represents the proportion of positives that have been correctly identified as positive.
III. AN INVESTIGATIVE APPROACH
A. ISCX Dataset
The ISCX dataset is provided as a complete set of real-time network traffic, carefully acquired for applications which include web browsing (HTTP, HTTPS), mail (SMTP, POP, IMAP) and file sharing (FTP). It is simulated to provide real-time network traffic for an IDS, from which the IDS can detect different anomalies in the traffic pattern and generate different alerts. The ISCX dataset is the traffic of 7 days of activity of an agent and contains the following five types of traffic that need to be analysed:
1) Normal Traffic
2) Infiltrating the Network from Inside
3) HTTP Denial of Service
4) Distributed Denial of Service
5) Brute force SSH
This traffic is divided into 7 days of real-time traffic, with each day's file ranging from 4 GB to 23.4 GB. In order to analyse such traffic, we had to run SnortIDS/SuricataIDS in offline mode, which has its limits, as they cannot read a trace file greater than 200 MB (the exact limit varies depending on the system). Therefore, the only option was to split the per-day files into smaller files, which they can then read and thus provide alerts. An important feature of these IDSs is that, in a single run, they can read multiple files provided in a folder while maintaining the state of previous connections. At present, we have the ISCX dataset categorised by date into folders and split into files, ranging from 50+ to 450+ files per day.
B. MyCloud
The hardware utilised to run MyCloud in our experiment consisted of 4 PCs: two of them running ESXi 5.5 servers, one running vCenter Server, and the last one running Active Directory, vShield Server and vCloud, namely MyCloud. We also used the following software: VMware Workstation for the IDS Server, IPS Server and Syslog Server; the VMware Cloud Suite, which includes vCenter Server, vShield Manager, Active Directory and vCloud; and VMware Converter virtual machines (VMs) in order to deploy the above servers into MyCloud. For efficiency, a router and a switch were used. After several attempts, we identified these servers as the configuration of choice to run MyCloud; Table I shows the requirements to build the virtual cloud. Subsequently, we performed installation and configuration of the above servers and the following machines: vIDS Server, vIPS Server, vSyslog Server, vAttacker, vCenter Server, vShield Manager, Active Directory and vCloud, as well as the two ESXi 5.5 servers.
TABLE I: MyCloud Lab Specifications
C. IDS Systems
There is a great deal of open source Intrusion Detection
tools available. The use of these tools depends on the user or
administrator. Some of them for monitoring hosts and others
are for the networks connecting them to identify the latest
threats. The IDS systems: Snort[32] and Suricata[33] were
utilised for comparison purposes as they are considered one
of the most effective and accurate open source tools. In this
study, we implemented these tools in order to pre-process the
fuzzy classifiers: FL-SnortIDS/FL-SuricataIDS.
SnortIDS is an open source, rule based Intrusion Detection System provided by Cisco. It is now also used as an Intrusion Detection and Prevention System. SuricataIDS is another open source IDS system that has been developed by a foundation, the Open Information Security Foundation (OISF).
Both of the above mentioned IDSs are widely used around the globe, making network infrastructure safe and reliable by detecting and resisting well-known cyber-attacks or malware through evaluation of the incoming network traffic. Both IDSs use a rule-based language, and their working can be classified into four major stages: packet decoding, packet preprocessing, intrusion detection and alert generation. They also possess other important features, including packet logging and packet sniffing. These IDSs are usually deployed right next to the firewall or gateway router. They decide whether an activity is regular or malicious on the basis of predefined rules. These rules have been set by the respective community and are applied to evaluate the incoming network traffic. With ever growing on-line communication technologies, network traffic is becoming more and more complex day by day; hence obtaining results by applying such predefined rules, and keeping track of the changes, is a very tiresome effort, and the rules might become outdated to some extent.
D. IDS Fuzzy Classifier
Once SnortIDS/SuricataIDS had produced experimental results against the ISCX dataset, we concluded that the false detection rate is high enough that it cannot be ignored, and thus requires serious attention. In order to deal with this issue, IDS fuzzy classifiers were built for these IDSs, called FL-SnortIDS/FL-SuricataIDS. The fuzzy logic based IDS approaches presented in this section refine the alerts generated by the SnortIDS/SuricataIDS systems and then take extra-cautious decisions as to whether the incoming traffic is actually regular traffic or malicious. These approaches considerably enhance the performance and accuracy of the two systems in terms of increased accuracy, specificity and sensitivity and reduced false alarms.
The alerts generated by SnortIDS are not categorised in any manner that would help us distinguish real threats from alerts generated by a bad network, or sometimes by a simple mistake in credentials that causes an alert. Thus, these alerts need to be categorised by the type of attack they represent. The alerts generated by SuricataIDS are much like those of SnortIDS: a list of long unsorted lines, which is very difficult for any network administrator to understand. Therefore, it is very important to learn to read the log provided by SnortIDS or SuricataIDS so that the attack classifications can be arranged as desired.
After extensive analysis of the alert files generated by SnortIDS/SuricataIDS, these alerts were programmatically categorised on the basis of alert classification. The Unknown Traffic alert of SnortIDS accounts for 46% of alerts. This alert was generated against HTTP INSPECT rules, where the size of the transferred data was not the same as already communicated. For the SuricataIDS system, the GENERIC Protocol Command Decode alert accounts for 97% of alerts. These alerts were generated against HTTP INSPECT and TCP INSPECT rules, where the size of the transferred data was not the same as already communicated or the window size was different. There are many reasons for these alerts to be generated. It may be due to a bad network or a wrong configuration of the HTTP server, but as the communication between server and client is established legitimately, these are alerts we can remove from the alert files of SnortIDS or SuricataIDS, as they are not the work of any intruder; it is just some server error. Table II shows the alerts classified in both systems, with the unwanted and false alerts that were removed coloured green.
The Potentially Bad Traffic alert generated by SnortIDS is 18% of the alerts. This alert was generated by an FTP server that used to send an extra reset flag to make sure the connection was terminated; services hosted on servers such as Akamai generate extra resets to make sure that the connection is terminated, and SnortIDS treats this as an unknown connection packet, as it has already removed that connection from its memory. Hence, SnortIDS classifies this alert as Potentially Bad Traffic. One more reason for the alert to be generated by SuricataIDS is an ill-configured FTP server, which was generating an extra reset flag to make sure the connection was terminated; services hosted on servers like Akamai will cause these issues, where SuricataIDS treats it as an application error packet, as it has already removed that connection from its memory. Hence, SuricataIDS generates a threat per packet. The table below shows the alerts before removing any unwanted and false alerts.
Working similarly on the alert files for both systems, SnortIDS/SuricataIDS, the following types of alerts were discarded after careful analysis of the traffic of the ISCX dataset. This exercise is always done by network administrators when installing a new IDS. We configured the rules of the IDSs with respect to the traffic, but SnortIDS/SuricataIDS are not network-aware IDSs, hence administrators cannot remove rules at random. For this reason, we used a fuzzy logic controller to carefully remove the rules. The unwanted alert types for SnortIDS/SuricataIDS are shown in the table below. These alerts for both systems, SnortIDS/SuricataIDS, were generated mostly due to ill-configured services. Some alerts were generated due to network congestion and dropped packets. Besides these alerts, all other alerts posed a real threat to the network and devices, by injecting some kind of malware or trying to access password protected files.
IV. HOW DOES THE FUZZY CLASSIFIER WORK
First of all, we have a fuzzifier that turns the alerts generated by SnortIDS or SuricataIDS into understandable alerts. The fuzzifier classifies the alerts into different categories. These categorised alerts are the inputs of the FL controller, where, on the basis of alert type, they are further categorised as threats or false alerts. We have a basic minimum of 3 alerts per generated alert type to call it an illegal activity; e.g. network policy dictates that a user gets 3 password attempts per day over the domain. Thus, if a user mistakenly enters the wrong password, an alarm is generated but it is not a threat, because he/she is a legitimate user. If the retry count increases to 3, then the user gets blocked for that day. This means that if the total number of login attempts by a user is greater than the allocated retries, it will be considered a potential threat and will be presented on the threat screen, since an authorised user can never enter the wrong password thrice and still be unblocked. The whole process of accurate threat detection has been divided into three major stages:
1. Alert classification
2. Threat detection
3. Threat severity
The initial stage refines the alerts already generated by the typical SnortIDS/SuricataIDS systems. This stage helps increase the accuracy of true threat detection and mitigates the inaccuracy of false threat detection. Afterwards, these classified alerts are passed through the threat detection engine, which detects the potential threats. Finally, we check the total number of potential threats generated against a single activity, such as login. This helps us differentiate between an alert and a threat. For instance, if this number exceeds three, which is the predefined threshold, the potential threat is marked as a genuine threat; otherwise it is considered a mistake and thus ignored.
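The alert post-processing described in Sections III.D and IV, as an added Python example (this is not the paper's code): it parses Snort fast-format alert lines, tallies them by classification, drops the classes the paper traced to server and network noise, and reports an activity as a threat once it has produced three alerts. The alert lines, hosts and timestamps are constructed; the regex assumes Snort's standard fast-alert layout, and the three-alert threshold follows the paper's login policy example.

```python
"""Post-processing of SnortIDS/SuricataIDS alerts as described in Sections III.D
and IV: tally alerts by classification, drop the classes the paper traced to
server and network noise, then report an activity as a threat once it reaches
the minimum alert count. Added example, not the paper's code."""
import re
from collections import Counter, defaultdict

# Classifications the paper removes from the alert files because they came from
# mis-configured servers or network congestion rather than from an intruder.
NOISE_CLASSES = {
    "Unknown Traffic",
    "Generic Protocol Command Decode",
    "Potentially Bad Traffic",
}

# Snort "fast" alert layout assumed by this example:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: <c>] [Priority: <p>] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def parse_alerts(text):
    """Parse fast-format lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["cls"] = rec["cls"] or "Unclassified"
        # Drop the port so repeated attempts from one host group together.
        rec["src_host"] = rec["src"].rpartition(":")[0] or rec["src"]
        rec["dst_host"] = rec["dst"].rpartition(":")[0] or rec["dst"]
        alerts.append(rec)
    return alerts

def classification_shares(alerts):
    """Count and percentage of alerts per classification (the Table II view)."""
    counts = Counter(a["cls"] for a in alerts)
    total = sum(counts.values()) or 1
    return {c: (n, round(100.0 * n / total, 1)) for c, n in counts.items()}

def drop_noise(alerts, noise=NOISE_CLASSES):
    """Remove the classifications the paper attributes to server error."""
    return [a for a in alerts if a["cls"] not in noise]

def detect_threats(alerts, threshold=3):
    """Group the remaining alerts by activity (source host, destination host,
    rule message) and keep those with at least `threshold` alerts. Following
    the paper's login policy, one wrong password is an alert but not a threat;
    the third attempt is where the user would be blocked."""
    per_activity = defaultdict(int)
    for a in alerts:
        per_activity[(a["src_host"], a["dst_host"], a["msg"])] += 1
    return {k: n for k, n in per_activity.items() if n >= threshold}

def run_pipeline(text, threshold=3):
    """Returns (classification tally, noise-filtered alerts, detected threats)."""
    alerts = parse_alerts(text)
    kept = drop_noise(alerts)
    return classification_shares(alerts), kept, detect_threats(kept, threshold)

def _line(ts, msg, cls, src, dst):
    """Build one constructed fast-format alert line (sample data, not a capture)."""
    return (f"{ts}  [**] [1:1000001:1] {msg} [**] [Classification: {cls}] "
            f"[Priority: 2] {{TCP}} {src} -> {dst}")

# Constructed sample alerts: three FTP login alerts from one host (a threat),
# a single one from another host (a mistake), noise classes, and SSH attempts.
UPG, APG = "Attempted User Privilege Gain", "Attempted Administrator Privilege Gain"
SAMPLE_ALERTS = "\n".join([
    _line("01/12-10:00:01.000000", "FTP login attempt", UPG, "192.0.2.10:51000", "198.51.100.5:21"),
    _line("01/12-10:00:03.000000", "FTP login attempt", UPG, "192.0.2.10:51001", "198.51.100.5:21"),
    _line("01/12-10:00:05.000000", "FTP login attempt", UPG, "192.0.2.10:51002", "198.51.100.5:21"),
    _line("01/12-10:01:00.000000", "FTP login attempt", UPG, "192.0.2.11:40000", "198.51.100.5:21"),
    _line("01/12-10:02:00.000000", "HTTP_INSPECT length mismatch", "Unknown Traffic", "192.0.2.12:40100", "198.51.100.80:80"),
    _line("01/12-10:02:01.000000", "HTTP_INSPECT length mismatch", "Unknown Traffic", "192.0.2.12:40101", "198.51.100.80:80"),
    _line("01/12-10:02:02.000000", "TCP window size mismatch", "Generic Protocol Command Decode", "192.0.2.12:40102", "198.51.100.80:80"),
    _line("01/12-10:02:03.000000", "Reset outside window", "Potentially Bad Traffic", "198.51.100.5:21", "192.0.2.10:51000"),
    _line("01/12-10:03:00.000000", "SSH brute force", APG, "203.0.113.7:60000", "198.51.100.22:22"),
    _line("01/12-10:03:01.000000", "SSH brute force", APG, "203.0.113.7:60001", "198.51.100.22:22"),
    _line("01/12-10:03:02.000000", "SSH brute force", APG, "203.0.113.7:60002", "198.51.100.22:22"),
])

if __name__ == "__main__":
    shares, kept, threats = run_pipeline(SAMPLE_ALERTS)
    for cls, (n, pct) in sorted(shares.items(), key=lambda kv: -kv[1][0]):
        print(f"{cls:40s} {n:3d} ({pct}%)")
    print(f"{len(kept)} alerts kept after noise removal; threats:")
    for (src, dst, msg), n in threats.items():
        print(f"  {src} -> {dst}: {msg} x{n}")
```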
TABLE II: Alerts Classified for IDS Systems Including Unwanted Alerts Types
V. EXPERIMENTAL RESULTS
A. Methodology
Final results for all these systems were compiled, and the systems were compared on the basis of the following metrics:
1) Number of threats detected (Accuracy)
2) False positive and false negative ratio per system (False Alarm Ratio)
3) Sensitivity Ratio
4) Specificity Ratio
5) Threat Detection Rate (DR)
The accuracy of any system is determined by the ratio of true positives and true negatives detected vs. all connections; this provides a metric of how accurately threats and non-threats are differentiated. It can be calculated by:

$$\text{Accuracy Ratio} = \frac{\text{Number of correct assessments}}{\text{Number of all assessments}}$$
The False Alarm Ratio tells us how many connections are falsely categorised as threats or legitimate connections. It can be measured by the following equation:

$$\text{False Alarm Ratio} = \frac{\text{Number of false positive assessments}}{\text{Number of all negative assessments}}$$
The sensitivity ratio tells us how many threats our IDS detected vs. the actual threats, while the specificity ratio tells us how many legitimate connections our IDS correctly treated as legitimate vs. all clean traffic. Sensitivity and specificity of a system can be measured using the following equations:

$$\text{Sensitivity Ratio} = \frac{\text{Number of true positive assessments}}{\text{Number of all positive assessments}}$$

$$\text{Specificity Ratio} = \frac{\text{Number of true negative assessments}}{\text{Number of all negative assessments}}$$
The threat detection rate is the rate of detection of threats per system, classified as low, medium and high. In this study, our aim was to identify which of these systems, SnortIDS, SuricataIDS, FL-SnortIDS or FL-SuricataIDS, performs better than the others. In order to do this, we set two hypotheses based on the comparison metrics above. The first hypothesis was designed for sensitivity, specificity and accuracy, while the other was for the false alarm ratio. The first hypothesis was as follows:
Null Hypothesis: The performance of the two methods is identical (i.e. µ1 = µ2).
Alternative Hypothesis: The performance of one method significantly improves over the other method (i.e. µ1 > µ2).
For the false alarm ratio, we set the following hypothesis:
Null Hypothesis: The false alarm ratios of the two methods are identical (i.e. µ1 = µ2).
Alternative Hypothesis: The false alarm ratio of one method is significantly lower than that of the other method (i.e. µ1 < µ2).
Our approach for testing the ISCX dataset against the 4 systems is to compare the two independent results for each of sensitivity, specificity, false alarm ratio and accuracy for SnortIDS vs FL-SnortIDS, SuricataIDS vs FL-SuricataIDS, SnortIDS vs SuricataIDS and SnortIDS vs FL-SuricataIDS respectively. As an essential criterion, we checked the normality assumption with the Shapiro test for each of the categories above and found that none of our sample data satisfies the normality assumption, so we then applied the non-parametric test for two-sample comparison for each category, viz. the Mann-Whitney test. The Mann-Whitney test was used to compare the two samples under the null hypothesis that they come from the same population, using this equation:

$$U = n_1 n_2 + \frac{n_2(n_2+1)}{2} - \sum_{i=n_1+1}^{n_2} R_i$$

where
$n_1$: sample size of sample 1
$n_2$: sample size of sample 2
$R_i$: rank of sample (whose rank is greater)
TABLE III: Generated Alerts Classification on MyCloud
For the detection rate, our approach was to calculate the detection rate as the number of threats detected vs. the total stream, and then categorise them into high, medium and low priority classes. This is calculated overall for each system. We then normalised the 3 steps of detection rate to 0-1. After obtaining these values for each system, we obtained a final result for each system. We defined the thresholds for low, medium and high as follows:
high > 0.2
0.2 > medium > 0.01
low < 0.01
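The evaluation of Section V.A carried through in Python, as an added example (this is not the paper's code): the four ratios computed from a confusion matrix, the Mann-Whitney U statistic as written above (with average ranks for ties), and the low/medium/high banding of the detection rate. The confusion-matrix counts and the two per-day samples are constructed; the detection rates fed to the banding use the alert and stream counts the paper reports in Section V.B, and the treatment of the exact boundary values 0.2 and 0.01 is an assumption of this example.

```python
"""Section V.A evaluation helpers: accuracy, false alarm, sensitivity and
specificity ratios, the Mann-Whitney U statistic, and detection-rate banding.
Added example, not the paper's code; sample numbers are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Confusion:
    """Counts of how an IDS assessed each connection stream."""
    tp: int  # real threats reported as threats
    tn: int  # clean connections left alone
    fp: int  # clean connections reported as threats (false alarms)
    fn: int  # real threats missed

    def accuracy(self):
        # correct assessments / all assessments
        return (self.tp + self.tn) / (self.tp + self.tn + self.fp + self.fn)

    def false_alarm_ratio(self):
        # false positive assessments / all negative assessments
        return self.fp / (self.fp + self.tn)

    def sensitivity(self):
        # true positive assessments / all positive assessments
        return self.tp / (self.tp + self.fn)

    def specificity(self):
        # true negative assessments / all negative assessments
        return self.tn / (self.tn + self.fp)


def pooled_ranks(values):
    """1-based ranks of the pooled sample; tied values share their average rank."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + 1 + j + 1) / 2.0  # positions i..j hold ranks i+1..j+1
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        i = j + 1
    return ranks


def mann_whitney_u(sample1, sample2):
    """U as written in the paper: n1*n2 + n2*(n2+1)/2 minus the summed ranks of
    sample 2 within the pooled ranking. Returns (U, n1*n2 - U); the smaller of
    the two is the value looked up against the Mann-Whitney table."""
    n1, n2 = len(sample1), len(sample2)
    ranks = pooled_ranks(list(sample1) + list(sample2))
    r2 = sum(ranks[n1:])  # sample 2 occupies the last n2 positions
    u = n1 * n2 + n2 * (n2 + 1) / 2.0 - r2
    return u, n1 * n2 - u


def detection_band(threats_detected, total_streams):
    """Paper's thresholds: high > 0.2, 0.2 > medium > 0.01, low < 0.01.
    The paper does not assign the boundary values themselves; here 0.2 falls
    in medium and 0.01 in low (an assumption of this example)."""
    rate = threats_detected / total_streams
    if rate > 0.2:
        return "high"
    if rate > 0.01:
        return "medium"
    return "low"


if __name__ == "__main__":
    # Constructed confusion matrix for one day's traffic (not the paper's counts).
    c = Confusion(tp=90, tn=800, fp=100, fn=10)
    print(f"accuracy={c.accuracy():.3f} far={c.false_alarm_ratio():.3f} "
          f"sens={c.sensitivity():.3f} spec={c.specificity():.3f}")
    # Constructed per-day specificity samples for two systems.
    snort = [0.90, 0.92, 0.95, 0.91]
    fl_snort = [0.80, 0.85, 0.88, 0.93]
    print("U statistics:", mann_whitney_u(snort, fl_snort))
    # Alert and stream counts the paper reports in Section V.B.
    for name, alerts in [("SnortIDS", 251074), ("SuricataIDS", 342649),
                         ("FL-SnortIDS", 65066), ("FL-SuricataIDS", 2743)]:
        print(name, detection_band(alerts, 1268735))
```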
B. Descriptive Statistics
Figure 1 shows the overall results of both the IDS and FL systems. As can be seen in the figures below, giving the overall results of all systems, SnortIDS, SuricataIDS, FL-SnortIDS and FL-SuricataIDS, the IDS systems analysed a total of 1,268,735 connection streams of the ISCX dataset, out of which SnortIDS generated 251,074 alert connections and SuricataIDS 342,649 alert connections, while FL-SnortIDS generated 65,066 alert connections and FL-SuricataIDS 2,743. These alerts for all systems contain malicious or anomaly alerts. The numbers show that SnortIDS classifies 19.78% of traffic as malicious while SuricataIDS classifies 27.01% of traffic as malicious; in the case of FL-SnortIDS this number reduces to 5%, and when FL is applied to SuricataIDS the number is less than 1%.
Figure 1 shows the ratio analysis for these four systems in terms of sensitivity, specificity, accuracy and false alarm. The detection rate tells the network administrator at what rate the alerts are generated: the greater the detection rate, the higher the number of alerts generated. In both cases, on average more than 20% of traffic is marked malicious, generating a high detection rate.
The total number of alert types generated for these IDS systems was 34: 19 for SnortIDS and 15 for SuricataIDS. The alerts were then classified into attack classifications, 203 of which were for SnortIDS and 152 for SuricataIDS. Based on these classifications, attacks were prioritised by priority. This priority shows how dangerous the attack can be for MyCloud, 1 being the highest and 4 the lowest. We went a step further and categorised these alerts for each system into four attack classes: DoS, Probe, U2R and R2L. In terms of the fuzzy classifiers, the total number of alert types generated for them was 9: 5 for FL-SnortIDS and 4 for FL-SuricataIDS. The alerts were then classified into attack classifications, 77 of which were for FL-SnortIDS and 46 for FL-SuricataIDS. Based on these classifications, attacks were prioritised by severity, 1 being high, 2 medium and 3 low. We then categorised these alert classifications for each system into the four attack classes DoS, Probe, U2R and R2L. Figure 2 shows the number of these alerts for each day of each dataset.
Fig. 1: Overall Ratio Analysis on MyCloud
Fig. 2: MyCloud Alerts Generated by IDS vs FL Based IDS
VI. COMPARATIVE ANALYSIS
Based on the experimental MyCloud datasets, we have conducted five comparisons: SnortIDS vs FL-SnortIDS, SuricataIDS vs FL-SuricataIDS, SnortIDS vs SuricataIDS, SnortIDS vs FL-SuricataIDS, and SnortIDS vs SuricataIDS vs FL-SnortIDS vs FL-SuricataIDS respectively.
A. SnortIDS vs FL-SnortIDS
Figure 3 states the alternative hypothesis as the true location shift being greater than 0. In sensitivity, p-value > 0.05; hence, we do not have sufficient evidence to reject our null hypothesis, i.e. the sensitivity performances of both methods are the same. This can be clearly seen from the box-plot visualisation as well as the Mann-Whitney test: there is no difference in sensitivity performance between the two methods. For specificity and accuracy, p-value < 0.05, and therefore we have sufficient evidence to reject our null hypothesis, i.e. the specificity and accuracy performances of SnortIDS are better than those of FL-SnortIDS. For false alarm performance, the true location shift is less than 0 and p-value < 0.05. Therefore, we have sufficient evidence to reject our null hypothesis, i.e. the false alarm ratio of FL-SnortIDS is lower than that of SnortIDS.
B. SuricataIDS vs FL-SuricataIDS
Figure 4 states the alternative hypothesis as the true location shift being greater than 0. In sensitivity, p-value > 0.05; hence we do not have sufficient evidence to reject our null hypothesis, i.e. the sensitivity performances of both methods are identical. The box-plot visualisation and Mann-Whitney test show that there is no difference in sensitivity performance between the two methods. For specificity and accuracy, p-value < 0.05, and therefore we have sufficient evidence to reject our null hypothesis, i.e. the specificity and accuracy performances of FL-SnortIDS are better than those of SnortIDS. For false alarm performance, the true location shift is less than 0 and p-value < 0.05. Therefore, we have sufficient evidence to reject our null hypothesis, i.e. the false alarm ratio of FL-SuricataIDS is lower than that of SuricataIDS.
C. SnortIDS vs SuricataIDS
Figure 5 states the alternative hypothesis as the true location shift being greater than 0. In sensitivity, p-value < 0.05; hence we have sufficient evidence to reject our null hypothesis, i.e. the sensitivity performance of SnortIDS is better than that of SuricataIDS. The box-plot visualisation and Mann-Whitney test show that the sensitivity performance of SnortIDS is better than that of SuricataIDS. For specificity and accuracy, p-value > 0.05, and therefore we do not have sufficient evidence to reject our null hypothesis, i.e. the specificity and accuracy performances of SnortIDS are similar to those of SuricataIDS. For false alarm performance, the true location shift is less than 0 and p-value > 0.05. Therefore, we do not have sufficient evidence to reject our null hypothesis, i.e. the false alarm ratio of SnortIDS is the same as that of SuricataIDS.
Fig. 3: SnortIDS vs FL-SnortIDS
Fig. 4: SuricataIDS vs FL-SuricataIDS
D. FL-SnortIDS vs FL-SuricataIDS
Figure 6 states the alternative hypothesis as the true location shift being greater than 0. In sensitivity, specificity and accuracy, p-value < 0.05; hence we have sufficient evidence to reject our null hypothesis, i.e. the sensitivity, specificity and accuracy performances of FL-SnortIDS are better than those of FL-SuricataIDS. The box-plot visualisation and Mann-Whitney test show that the sensitivity, specificity and accuracy performances are better for FL-SnortIDS than for FL-SuricataIDS. For false alarm performance, the true location shift is greater than 0 and p-value < 0.05. Therefore, we have sufficient evidence to reject our null hypothesis, i.e. the false alarm ratio of FL-SuricataIDS is lower than that of FL-SnortIDS.
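The comparison procedure of subsections A to D, as an added example that is not the paper's code: per-day sensitivity, specificity, accuracy and false alarm ratios are derived from a confusion matrix, and an exact one-sided Mann-Whitney test decides whether one system's ratios are shifted above (or, for false alarm, below) the other's at the 0.05 level. The seven-day counts for the two systems A and B are constructed, not ISCX results, and the exact permutation enumeration is this example's choice of implementation.

```python
"""Per-day IDS ratios and an exact one-sided Mann-Whitney U test.

Added example, not the paper's code.  All per-day counts below are
constructed, not ISCX results.
"""
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed (tp, fp, tn, fn) counts for seven days, one tuple per day,
# for two hypothetical systems A and B.  A alerts on more malicious flows
# but also on more benign ones; B is quieter on both counts.
SYSTEM_A_DAYS = [(180, 40, 2500, 20), (190, 35, 2600, 10), (170, 50, 2400, 30),
                 (185, 45, 2550, 15), (175, 38, 2450, 25), (192, 42, 2620, 8),
                 (178, 36, 2480, 22)]
SYSTEM_B_DAYS = [(120, 10, 2530, 80), (140, 8, 2627, 60), (110, 12, 2438, 90),
                 (130, 9, 2586, 70), (125, 11, 2477, 75), (150, 7, 2655, 50),
                 (135, 10, 2506, 65)]


def ratios(tp: int, fp: int, tn: int, fn: int) -> Dict[str, float]:
    """The four ratios compared in the paper, from one day's confusion matrix."""
    return {
        "sensitivity": tp / (tp + fn),               # malicious flows that raised an alert
        "specificity": tn / (tn + fp),               # benign flows that stayed silent
        "accuracy": (tp + tn) / (tp + fp + tn + fn),
        "false_alarm": fp / (fp + tn),               # benign flows that raised an alert
    }


def per_day(metric: str, days) -> List[float]:
    """One value of `metric` per day: the sample fed to the Mann-Whitney test."""
    return [ratios(*counts)[metric] for counts in days]


def u_statistic(x, y) -> float:
    """Mann-Whitney U for x against y: a pair counts 1 if x_i > y_j, 0.5 on a tie."""
    u = 0.0
    for xi in x:
        for yj in y:
            if xi > yj:
                u += 1.0
            elif xi == yj:
                u += 0.5
    return u


def mann_whitney_greater(x, y) -> Tuple[float, float]:
    """Exact one-sided Mann-Whitney test, alternative: x is shifted above y.

    Under H0 every assignment of the pooled values to the two groups is equally
    likely, so the p-value is the fraction of all C(m+n, m) assignments whose U
    is at least the observed U.  Enumerating them is exact (no normal
    approximation), handles ties, and is cheap for seven-day samples
    (C(14, 7) = 3432 assignments).
    """
    pooled = list(x) + list(y)
    m, total = len(x), len(pooled)
    u_obs = u_statistic(x, y)
    hits = count = 0
    for chosen in combinations(range(total), m):
        picked = set(chosen)
        gx = [pooled[i] for i in chosen]
        gy = [pooled[i] for i in range(total) if i not in picked]
        if u_statistic(gx, gy) >= u_obs - 1e-12:
            hits += 1
        count += 1
    return u_obs, hits / count


def mann_whitney_less(x, y) -> Tuple[float, float]:
    """Alternative: x is shifted below y (the direction tested for false alarm)."""
    return mann_whitney_greater(y, x)


def verdict(metric: str, name_a: str, a_days, name_b: str, b_days,
            alpha: float = 0.05) -> str:
    """Wording of the paper's conclusion for one metric.

    For false alarm the paper tests for a downward shift; for the other three
    ratios it tests for an upward shift of A relative to B.
    """
    test = mann_whitney_less if metric == "false_alarm" else mann_whitney_greater
    u, p = test(per_day(metric, a_days), per_day(metric, b_days))
    better = "lower" if metric == "false_alarm" else "higher"
    if p < alpha:
        return f"{metric}: {name_a} {better} than {name_b} (U={u:g}, p={p:.4f})"
    return f"{metric}: no evidence of a difference (U={u:g}, p={p:.4f})"


if __name__ == "__main__":
    for metric in ("sensitivity", "specificity", "accuracy", "false_alarm"):
        print(verdict(metric, "A", SYSTEM_A_DAYS, "B", SYSTEM_B_DAYS))
```

With the constructed counts, A's sensitivity exceeds B's on every day (U = 49, p = 1/3432), while B, not A, has the lower false alarm ratio, so the false alarm test for A reports no evidence of a downward shift.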
Fig. 5: SnortIDS vs SuricataIDS
Fig. 6: FL-SnortIDS vs FL-SuricataIDS
TABLE IV: Final Comparison
E. Final Results
We did a pair-wise comparison, as can be seen in the graphical representation of all four methods in Figure 7. On analysing the results below, we can see that for the first three comparisons we have clear results:
FL-SnortIDS is better than SnortIDS
FL-SuricataIDS is better than SuricataIDS
SnortIDS is better than SuricataIDS
For the fourth comparison, FL-SnortIDS vs FL-SuricataIDS, we found FL-SnortIDS to be better in terms of sensitivity, while for the other criteria it is the other way round. To reach a conclusion, the graphs of specificity, false alarm ratio and accuracy, as well as the descriptive statistics, show that there is a difference in these criteria, but it is small compared to the difference in sensitivity. Therefore, FL-SnortIDS is better than FL-SuricataIDS: it is preferable to get a false alarm than not to get an alarm when one should have been raised.
FL-SnortIDS is better than FL-SuricataIDS (based on sensitivity performance).
SnortIDS is better than FL-SuricataIDS (based on sensitivity performance).
Combining the results of all five criteria, viz. sensitivity, specificity, false alarm ratio, accuracy and detection rate, we have the following result, ranked according to performance:
1) FL-SnortIDS, which detects the threat with a Medium detection rate.
2) SnortIDS, which detects the threat with a High detection rate.
3) FL-SuricataIDS, which detects the threat with a Low detection rate.
4) SuricataIDS, which detects the threat with a High detection rate.
VII. CONCLUSION
The focus of this research was to understand and find the best approach towards cloud security and its availability. We initially found the best rated open source intrusion detection systems on which we could run a simulated dataset and find where these systems lack or supersede others. The Information Security Centre of Excellence (ISCX) provided the dataset that was required. The data consisted of 7 days of activity, carefully simulated to run on network intrusion detection systems and check the performance of the systems against the data. The proposed approach was simulated to demonstrate the higher level of accuracy, sensitivity and specificity achieved. A substantial decrease in false alarms was also achieved. By using the fuzzy technique, unwanted alerts were removed while the others were categorised into 4 types of cyber-attacks: DoS, R2L, U2R and Probe. These improved versions of SnortIDS/SuricataIDS were named FL-SnortIDS/FL-SuricataIDS respectively.

Results showed that the capabilities of the IDSs were considerably increased after applying fuzzy logic over the alerts generated by either of the IDS systems. In particular, the main focus of this study was the comparison between the alerts generated by typical SnortIDS/SuricataIDS and the alerts generated by the Fuzzy Logic based SnortIDS/SuricataIDS systems. Experimental results showed the attainment of satisfactory detection rates based on the ISCX intrusion dataset, a recent and widely evaluated benchmark. The statistical values of accuracy, sensitivity, specificity and false alarm ratio justified that the fuzzy logic based SnortIDS works better than any other IDS system considered. These results were further analysed using tools such as the Mann-Whitney test. These analyses showed the following results:
FL-SnortIDS is better than FL-SuricataIDS
FL-SnortIDS is better than SnortIDS
FL-SuricataIDS is better than SuricataIDS
SnortIDS is better than SuricataIDS

This goes a long way in understanding the different emerging attacks and the techniques used by network or forensic analysts to determine and restrict intrusions in their networks. It can be seen that fuzzy logic along with legacy intrusion detection systems yields better results and helps network administrators to mitigate the issues.

New genetic algorithms are being developed and extensive research is being carried out to analyse the huge amount of data being transported over networks. In the future, an FL based IDS incorporating genetic algorithms can be designed and implemented. A network-aware IDS is the only solution for ever changing network traffic. Both SnortIDS and SuricataIDS with their current design will not be able to understand changing networks and complex attacks.
Fig. 7: Final Results for All Systems
... Furthermore, our study focuses on benefits of using the IDSs together rather than a comparison against each other. Other studies investigating accuracy and performance when presented with a larger network traffic report similar results [22,23]-i.e., Suricata with it's multi-threaded capabilities performs better in terms of processing speed and packet drop rates, however with reduced accuracy in traffic labeling. These findings are also reflected in our experiments, where Suricata has lower runtimes when compared to Snort, but the sensitivity and specificity values are not ideal when processing the larger dataset. ...
Article
Full-text available
The signature-based network intrusion detection systems (IDSs) entail relying on a pre-established signatures and IP addresses that are frequently updated to keep up with the rapidly evolving threat landscape. To effectively evaluate the efficacy of these updates, a comprehensive, long-term assessment of the IDSs' performance is required. This article presents a perspective-retrospective analysis of the Snort and Suricata IDSs using rules that were collected over a 4-year period. The study examines how these IDSs perform when monitoring malicious traffic using rules from the past, as well as how they behave when monitoring the same traffic using updated rules in the future. To accomplish this, a set of Snort Subscribed and Suricata Emerging Threats rules were collected from 2017 to 2020, and a labeled PCAP data from 2017 to 2018 was analyzed using past and future rules relative to the PCAP date. In addition to exploring the evolution of Snort and Suricata IDSs, the study also analyses the functional diversity that exists between these IDSs. By examining the evolutionary behavior of signature-based IDSs and their diverse configurations, the research provides valuable insights into how their performance can be impacted. These insights can aid security architects in combining and layering IDSs in a defence-in-depth deployment.
... Furthermore, our study focuses on benefits of using the IDSs together rather than a comparison against each other. Other studies investigating accuracy and performance when presented with a larger network traffic report similar results [22], [23]-i.e. Suricata with it's multi-threaded capabilities performs better in terms of processing speed and packet drop rates, however with reduced accuracy in traffic labelling. ...
Preprint
Full-text available
The signature-based network Intrusion Detection Systems (IDSs) entails relying on a pre-established signatures and IP addresses that are frequently updated to keep up with the rapidly evolving threat landscape. To effectively evaluate the efficacy of these updates, a comprehensive, long-term assessment of the IDSs' performance is required. This article presents a perspective-retrospective analysis of the Snort and Suricata IDSs using rules that were collected over a four-year period. The study examines how these IDSs perform when monitoring malicious traffic using rules from the past, as well as how they behave when monitoring the same traffic using updated rules in the future. To accomplish this, a set of Snort Subscribed and Suricata Emerging Threats rules were collected from 2017 to 2020, and a labelled PCAP data from 2017-2018 was analysed using past and future rules relative to the PCAP date. In addition to exploring the evolution of Snort and Suricata IDSs, the study also analyses the functional diversity that exists between these IDSs. By examining the evolutionary behaviour of signature-based IDSs and their diverse configurations, the research provides valuable insights into how their performance can be impacted. These insights can aid security architects in combining and layering IDSs in a defence-in-depth deployment.
... In Shah and Issac (2018), the authors showed that the speed and packet-loss performance of Suricata exceeded that of Snort with a reduced accuracy, however. In Alqahtani and John (2016), the authors have used detection accuracy as the metric to compare Snort and Suricata in a cloud network. They have proposed the use of fuzzy logic in conjunction with these two IDS for improved performance. ...
Article
Full-text available
Diverse layers of defence play an important role in the design of defence-in-depth architectures. The use of Intrusion Detection Systems (IDSs) are ubiquitous in this design. But the selection of the "right" IDSs in various configurations is an important decision that the security architects need to make. Additionally, the ability of these IDSs to adapt to the evolving threat-landscape also needs to be investigated. To help with these decisions, we need rigorous quantitative analysis. In this paper, we present a diversity analysis of open-source IDSs, Snort and Suricata, to help security architects tune/deploy these IDSs. We analyse two types of diversities in these IDSs; configurational diversity and functional diversity. In the configurational diversity analysis, we investigate the diversity in the sets of rules and the Blacklisted IP Addresses (BIPAs) these IDSs use in their configurations. The functional diversity analysis investigates the differences in alerting behaviours of these IDSs when they analyse real network traffic, and how these differences evolve. The configura-tional diversity experiment utilises snapshots of the rules and BIPAs collected over a period of 5 months, from May to October 2017. The snapshots have been collected for three different off-the-shelf default configurations of the Snort IDS and the Emerging Threats (ET) configuration of the Suricata IDS. The functional diversity investigates the alerting behaviour of these two IDSs for a sample of the real network traffic collected in the same time window. Analysing the differences in these systems allows us to get insights into where the diversity in the behaviour of these systems comes from, how does it evolve and whether this has any effect on the alerting behaviour of these IDSs. This analysis gives insight to security architects on how they can combine and layer these systems in a defence-in-depth deployment.
... According to them, Suricata achieves lower average RAM and CPU usage. Alqahtani and John [7] analyzed the performance of Snort and Suricata IDSs within a cloud network created locally using MyCloud Server, vCenter Server, etc. The authors also used a Fuzzy-Logic classifier integrated with Snort and Suricata. ...
Conference Paper
Cloud computing services are widely used nowadays and need to be more secured for an effective exploitation by the users. One of the most challenging issues in these environments is the security of the hosted data. Many cloud computing providers offer web applications for their clients, this is why the most handling attacks in cloud computing are Distributed Denial of Service (DDoS). In this paper, we provide a comparative performance analysis of intrusion detection systems (IDSs) in a real world lab. The aim is to provide an up to date study for researchers and practitioners to understand the issues related to intrusion detection and to deal with DDoS attacks. This analysis includes intrusion detection rates, time running, etc. In the experiments, we configured a cloud platform using OpenStack and an IDS monitoring the whole network traffic of the web server configured. The results show that Suricata drops fewer packets than Bro and Snort successively when a DDoS attack is happening and detect more malicious packets.
Chapter
Network protection becomes the key concern of all organizations in defending them from cyber threats of all kinds. The analysis of traffic in the network is an important activity for this reason. Network traffic analysis is achieved via the implementation of various intrusion detection systems. A honeypot is one of the most critical instruments to detect network intrusions. Honeypots communicate with the attacker and gather data that can be analyzed to collect information about the attacks and network attackers. Honeypots are security tools by which the attacker targets and generates attack data logs. Honeypots provide small quantities of relevant data so that security vigilance can easily understand, and future research can be carried out. To resolve the issues of new attacks in the network, this paper is focused to focus on the integration of honeypot to identify and treat suspicious network traffic flow. This paper gives a brief overview of the implementation of honeypot in the cloud. In this work, deep learning trained IDS is proposed on the honeypot server for network traffic analysis.KeywordsCybersecurityIntrusion detection system (IDS)HoneypotSecurity threatsMachine learningDeep learningCloud computing
Article
Full-text available
This is a systematic review of over one hundred research papers about machine learning methods applied to defensive and offensive cybersecurity. In contrast to previous reviews, which focused on several fragments of research topics in this area, this paper systematically and comprehensively combines domain knowledge into a single review. Ultimately, this paper seeks to provide a base for researchers that wish to delve into the field of machine learning for cybersecurity. Our findings identify the frequently used machine learning methods within supervised, unsupervised, and semi-supervised machine learning, the most useful data sets for evaluating intrusion detection methods within supervised learning, and methods from machine learning that have shown promise in tackling various threats in defensive and offensive cybersecurity.
Chapter
Nowadays, the foremost optimal choice of every IT organization is cloud computing. Cloud computing technology is very flexible and scalable in nature. The prime concern in cloud computing is its security and privacy, because intruders are trying to breach it. The main reason for breaching is its open and distributed architecture. For detection of various attacks on cloud, the most common mechanism used is Intrusion Detection System (IDS). We have presented a comparative analysis of some existing cloud based intrusion detection systems and different methods of deploying the IDS are used for overcoming the security challenges. In spite of the fact that there are various existing literatures in this area of study, we endeavor to give more intricate picture of a thorough analysis. This paper shares an overview of different intrusions in cloud. The metrics, which are used for comparative analysis, are of various types like positioning, detection time, detection techniques, data source and attacks. The comparative analysis also shows the limitations of each technique that tells whether the cloud-computing environment is secure or not.
Article
Full-text available
The article explores water security from an international law point of view. The article argues that in order to better understand water security it is important to focus on the function of international water law. Even though water security is a relatively recent concept it was latent in the process of the evolution of international water law. In addition, the article examines the relationship between man and water from the point of view of water security. The article seeks to answer the question: how does international water law deal with that relationship? Is water only an object to be utilised and protected or has the relationship become more complex and ambivalent through the occurrence of various extreme events. Furthermore, the article places the concept of water security into a historiographical and substantive context. It explores three broad approaches by international law to water issues: general international law, the regulatory approach and the management approach. The article argues that they are all relevant to water security. Finally, the article seeks to demonstrate that even though water security has emerged as a new notion, this does not mean that international law does not include rules and principles relevant for water security. Indeed, many general principles of international law are applicable in the context of water security. In addition, specific regulations dealing with water quantity and quality issues have been developed in international environmental law, although they are not necessarily labelled as water security rules. Moreover, various risk management methods have been elaborated to deal with water-related disasters and crises. Reciprocally, water security arguments are not necessarily new notions but rather reflect already existing concepts and principles.
Conference Paper
Full-text available
Following the identification on an international basis of cyberspace as a new “domain of warfare”, it has become widely (though not fully) accepted that the traditional rules of International Humanitarian Law are also applicable to Computer Network Attacks (CNAs). Despite the fact that there has been considerable progress at the European and International level towards the development of National Cyber Security Strategies and the adoption of an effective comprehensive legal framework of prevention measures against cyber attacks, there is confusion regarding the application of these rules. More specifically, it has not been clarified: a) in which cases do cyber attacks constitute a ‘threat or use of force’ so that the prohibition of article 2(4) of the UN Charter can apply, b) in which cases do cyber attacks constitute a ‘threat to the peace, breach of the peace, or act of aggression’ so that the Security Council may decide upon measures to restore international peace and security under Article 42 of the UN Charter, and c) in which cases cyber attacks can be treated as an “armed attack”, making it possible for a UN Member State to respond by exercising its legitimate right of self-defense under Article 51 of the UN Charter. The difficulty in applying the traditional rules of International Humanitarian Law to categorize cyber attacks stems from a number of factors. The most important of them is the failure to estimate properly the impact of a cyber attack in the host country and in the international environment. Additionally, the inability to positively identify the key actor of an attack makes it often quite hard to handle the issue of ‘attribution’. The aim of this paper is to propose a model for detecting the effects of cyber attacks and for enabling their categorization on the basis of their type and intensity. 
The above method requires the identification of the Critical Information and Communication Infrastructures of each State and their ranking in terms of their intensity and seriousness.
Article
Full-text available
Software product development life cycle has software testing as an integral part. Conventional testingrequires dedicated infrastructure and resources that are expensive and only used sporadically. In thegrowing complexity of business applications it is harder to build in-house testing facilities and also tomaintain that mimic real-time environments. By nature, cloud computing provides resources which areunlimited in nature along with flexibility, scalability and availability of distributed testing environment,thus it has opened up new opportunities for software testing. It leads to cost-effective solutions by reducingthe execution time of large application testing. As a part of infrastructure resource, cloud testing can attainits efficiency by taking care of the parameters like network traffic, Disk Storage and RAM speed. In thispaper we propose a new fuzzy mathematical model to attain better scope for the above parameters.
Article
Full-text available
Cyber-attacks have become increasingly common in recent years. Capable of shutting down nuclear centrifuges, air defense systems, and electrical grids, cyber-attacks pose a serious threat to national security. As a result, some have suggested that cyber-attacks should be treated as acts of war. Yet the attacks look little like the armed attacks that the law of war has traditionally regulated. This Article examines how existing law may be applied — and adapted and amended — to meet the distinctive challenge posed by cyber-attacks. It begins by clarifying what cyber-attacks are and how they already are regulated by existing bodies of law, including the law of war, international treaties, and domestic criminal law. This review makes clear that existing law effectively addresses only a small fraction of potential cyber-attacks. The law of war, for example, provides a useful framework for only the very small number of cyber-attacks that amount to an armed attack or that take place in the context of an ongoing armed conflict. This Article concludes that a new, comprehensive legal framework at both the domestic and international levels is needed to more effectively address cyber-attacks. The United States could strengthen its domestic law by giving domestic criminal laws addressing cyber-attacks extra-territorial effect and by adopting limited, internationally permissible countermeasures to combat cyber-attacks that do not rise to the level of armed attacks or that do not take place during an ongoing armed conflict. Yet the challenge cannot be met by domestic reforms alone. International cooperation will be essential to a truly effective legal response. New international efforts to regulate cyber-attacks must begin with agreement on the problem — which means agreement on the definition of cyber-attack, cyber-crime, and cyber-warfare. 
This would form the foundation for greater international cooperation on information sharing, evidence collection, and criminal prosecution of those involved in cyber-attacks — in short, for a new international law of cyber-attack.
Article
Intrusion detection is the demonstration of recognizing undesirable movement on a system or a gadget. An intrusion detection system gives a layer of safeguard which screens system movement for predefined suspicious action or examples, and ready system directors when potential threatening activity is distinguished. Intrusion detection confronts various difficulties; an intrusion detection system should dependably identify vindictive exercises in a system and must perform productively to adapt to the vast measure of system movement. System based intrusion detection are the most sent IDS. An intrusion detection system can be a bit of introduced programming or a physical apparatus. Numerous IDS devices will likewise store a recognized occasion in a log to be inspected at a later date or will join occasions with other information to settle on choices in regards to arrangements or harm control. This paper talks about the different sorts of assaults and computerized technique for era of fuzzy principles, which are acquired from the distinct standards utilizing successive things. The investigations and assessments of the proposed intrusion detection system are performed with the diverse intrusion detection dataset. The trial comes about plainly demonstrate that the proposed system accomplished higher accuracy in recognizing whether the records are typical or assault one.
Intrusion detection is one of the major research problems in network security. It is the process of monitoring and analyzing network traffic data to detect security violations. Data mining approaches can play a very important role in developing an intrusion detection system. The network traffic can be classified into normal and anomalous in order to detect intrusions. In our paper, top-ten classification algorithms, namely J48, BayesNet, Logistic, SGD, IBK, JRip, PART, Random Forest, Random Tree and REPTree, were selected after experimenting with more than twenty of the most widely used classification algorithms. The comparison of these top-ten classification algorithms is presented in this paper based upon their performance metrics, to find out the most suitable algorithm available. Performance of the classification models is measured using 10-fold cross validation. Experiments and assessments of these methods are performed in the WEKA environment using the NSL-KDD dataset.
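The evaluation protocol in the abstract above (a nearest-neighbour classifier such as WEKA's IBK, scored by stratified 10-fold cross validation on NSL-KDD-style flow records) is easy to get subtly wrong: scaling fitted on the whole dataset leaks test statistics into training, and unstratified folds on imbalanced data inflate accuracy. The following is an added example, not code from the paper or from WEKA. It uses only the Python standard library, fits the min-max scaler on each fold's training rows only, and reports accuracy together with sensitivity (detection rate) and specificity (one minus the false-alarm rate), the metrics the surrounding study uses. The records are constructed in `make_records` and are not taken from NSL-KDD; the feature names are an assumption loosely modelled on that dataset.

```python
"""Stratified k-fold cross validation of a k-NN (IBK-style) classifier on
NSL-KDD-like records, reporting accuracy, sensitivity and specificity.

Added example, standard library only. The records are constructed below;
they are not drawn from NSL-KDD, and the feature set is an assumption."""
import math
import random
from collections import Counter

POSITIVE = "anomaly"  # the class treated as "positive" for sensitivity/specificity


def stratified_folds(labels, k, seed=0):
    """Split record indices into k folds, keeping each class's share per fold."""
    rng = random.Random(seed)
    by_class = {}
    for idx, lab in enumerate(labels):
        by_class.setdefault(lab, []).append(idx)
    folds = [[] for _ in range(k)]
    for idxs in by_class.values():
        rng.shuffle(idxs)
        for pos, idx in enumerate(idxs):
            folds[pos % k].append(idx)
    return folds


def minmax_scaler(train_rows):
    """Fit per-feature min/max on the training rows only, so no test statistics leak."""
    cols = list(zip(*train_rows))
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]

    def scale(row):
        return [(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(row, lo, hi)]

    return scale


def knn_predict(train_x, train_y, x, k):
    """Majority vote among the k nearest training rows (Euclidean distance)."""
    dists = sorted((math.dist(x, tx), ty) for tx, ty in zip(train_x, train_y))
    votes = Counter(lab for _, lab in dists[:k])
    return votes.most_common(1)[0][0]


def cross_validate(features, labels, k_folds=10, k_neighbors=3, seed=0):
    """Run stratified k-fold CV; return confusion counts and derived metrics."""
    tp = tn = fp = fn = 0
    for fold in stratified_folds(labels, k_folds, seed):
        held_out = set(fold)
        train_idx = [i for i in range(len(labels)) if i not in held_out]
        scale = minmax_scaler([features[i] for i in train_idx])
        train_x = [scale(features[i]) for i in train_idx]
        train_y = [labels[i] for i in train_idx]
        for i in fold:
            pred = knn_predict(train_x, train_y, scale(features[i]), k_neighbors)
            actual_pos = labels[i] == POSITIVE
            pred_pos = pred == POSITIVE
            if actual_pos and pred_pos:
                tp += 1
            elif not actual_pos and not pred_pos:
                tn += 1
            elif pred_pos:
                fp += 1  # normal record raised as an alert: false alarm
            else:
                fn += 1  # attack record passed as normal: missed detection
    n = tp + tn + fp + fn
    return {
        "tp": tp, "tn": tn, "fp": fp, "fn": fn,
        "accuracy": (tp + tn) / n,
        "sensitivity": tp / (tp + fn) if tp + fn else 0.0,  # detection rate
        "specificity": tn / (tn + fp) if tn + fp else 0.0,  # 1 - false alarm rate
    }


def make_records(n_per_class=60, seed=1):
    """Constructed rows: (duration, src_bytes, dst_bytes, count), labelled
    normal (ordinary short sessions) or anomaly (flood-like connection counts)."""
    rng = random.Random(seed)
    feats, labs = [], []
    for _ in range(n_per_class):
        feats.append([rng.uniform(0, 5), rng.uniform(100, 3000),
                      rng.uniform(100, 5000), rng.uniform(1, 20)])
        labs.append("normal")
        feats.append([rng.uniform(0, 1), rng.uniform(0, 200),
                      rng.uniform(0, 50), rng.uniform(100, 511)])
        labs.append("anomaly")
    return feats, labs


if __name__ == "__main__":
    x, y = make_records()
    for name, k in (("1-NN", 1), ("3-NN", 3), ("7-NN", 7)):
        m = cross_validate(x, y, k_neighbors=k)
        print(f"{name}: acc={m['accuracy']:.3f} "
              f"sens={m['sensitivity']:.3f} spec={m['specificity']:.3f}")
```

Swapping `knn_predict` for any other classifier keeps the fold logic and the per-fold scaler fit intact, which is the part that determines whether the reported accuracy is honest; accuracy alone hides the false-alarm rate, so specificity is always reported beside it.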
In network intrusion detection, anomaly-based approaches in particular suffer in accurate evaluation, comparison, and deployment, which originates from the scarcity of adequate datasets. Many such datasets are internal and cannot be shared due to privacy issues; others are heavily anonymized and do not reflect current trends, or they lack certain statistical characteristics. These deficiencies are primarily the reasons why a perfect dataset is yet to exist. Thus, researchers must resort to datasets that are often suboptimal. As network behaviors and patterns change and intrusions evolve, it has very much become necessary to move away from static and one-time datasets toward more dynamically generated datasets which not only reflect the traffic compositions and intrusions of that time, but are also modifiable, extensible, and reproducible. In this paper, a systematic approach to generate the required datasets is introduced to address this need. The underlying notion is based on the concept of profiles, which contain detailed descriptions of intrusions and abstract distribution models for applications, protocols, or lower-level network entities. Real traces are analyzed to create profiles for agents that generate real traffic for HTTP, SMTP, SSH, IMAP, POP3, and FTP. In this regard, a set of guidelines is established to outline valid datasets, which set the basis for generating profiles. These guidelines are vital for the effectiveness of the dataset in terms of realism, evaluation capabilities, total capture, completeness, and malicious activity. The profiles are then employed in an experiment to generate the desired dataset in a testbed environment. Various multi-stage attack scenarios were subsequently carried out to supply the anomalous portion of the dataset. The intent for this dataset is to assist researchers in acquiring datasets of this kind for testing, evaluation, and comparison purposes, through sharing the generated datasets and profiles.
