This adverse effect of the data skewness is also illustrated with Figure 2. Also, the increasing size and complexity of the Internet along with the end host operating systems, make it more prone to vulnerabilities. The perceived false alarm rate can be increased if the intruder finds a flaw in any of the signatures of an IDS that allows the intruder to send maliciously crafted packets that trigger alarms at the IDS but that look benign to the IDS operator. The lack of in-depth understanding of the intrusion activities due to many privacy issues is yet another problem. Considering the performance of a single IDS over the years, it will be seen that the performance significantly deteriorate with time. In that case, the observations are over dispersed with respect to the Poisson model. Through out this thesis we use the term sensor to denote a component that mon- itors the network traffic or the audit logs for indications of suspicious activity in a network or on a system, according to a detection algorithm and produces alerts as a result.
Mahoney and Chan  comments on the irregularities in the data, like the obvious dif- ference in the TTL value for the attacks as well as the normal packets, which makes even a trivial detector showing appreciable detection rate. Also, the increasing size and complexity of the Internet along with the end host operating systems, make it more prone to vulnerabilities. Attack-detector relationship has been modeled. Applications, Issues and Major Research Trends.. Additionally, there is the need for analysis techniques that support the identification of attacks against whole networks. PHAD has the disadvantage that it classifies attacks based on a single packet.
(PDF) CizaThomas PhD Thesis | mithen mostafizur –
However, it was identified that it requires tremendous effort to modify those generic rules and we have succeeded only to a very small extent. Mahoney and Chan  suggest that, because their IDSs use technique that has significant non-overlap with other IDSs, combining their technique with others should increase detection coverage.
The parametric approach assumes that the data comes from a family of known distributions, such as the normal distri- bution and certain parameters are calculated to fit this distribution. The security threats have ex- ploited all kinds of networks ranging from traditional computers to point-to- point and distributed networks. Doing so and being able to compare and contrast the results should help alle- viate most of the criticism against work based solely on the DARPA data, and still allow work to be xiza compared.
It can be noted in table 3. Most of the IDSs will try to minimize the overall error rate, but this leads to increase in the error rate of rare classes. These quantities can be controlled by the intruder to a certain extent. The thesis also incorporates a theoretical basis for tehsis in performance of IDSs using sensor fusion techniques. The plot of F-score over a period of yhomas, as shown in Figure 2. The exploitation of vulnerabilities in reported security inci- dents is very common.
Not a member yet? Chapter 1 6 Figure 1. Thomaas the densities of the attacks and the detectors; namely At and Dtthe parameters of the system are non-negative values.
Even with intense analysis the prediction can never be percent accurate because of the stealthiness and sophistication of the at- tacks and the unpredictability of the non-malicious user.
He was the best choice I could have made for an advisor. With the attack-detector scenario better understood, the future evolution of attacks can be estimated in a certain way thereby aid- ing better attack detection and in turn reduced false negatives. My father-inlaw could not see me reach this stage of my research and I acknowledge him in front of his memory. The most basic of these factors are the false alarm rate and the detection rate, and their tradeoff can be intuitively analyzed with the help of the Receiver Operating Characteristic ROC curve , , , , .
Ciza Thomas Thesis Paper
Sensor Fusion and its Applications, edited by Dr. This is mainly because of the patches and ghesis advanced security measures that the security developers intro- duce from time-to-time. In Ap- pendix C we consider an initial assumption with no prior knowledge on the probable attacks that happen on the Internet. Sekhar, SERC security staff and a few others who have in some way or the other helped me at various stages during my research life.
They note in the work of Lee and Stolfo  that combining evidence from multiple base classifiers is likely to improve the effectiveness in detecting intru- sions. Response cost RCost is the cost of acting upon an alarm or log entry that indicates a potential intrusion . Tjesis security threats have also exploited the vulnerable protocols and operating systems extending attacks to operating sys- tem on various kinds of applications, such as database and web servers.
Ciza Thomas – Google Scholar Citations
List of Publications — Dr. The growth of attacks has roughly par- alleled the growth of Internet . Appendix A includes an involved study of the attacks on the Internet for further reference. Also, the increasing size and complexity of the Internet along with the end host operating systems, make it more prone to vulnerabilities. It is also difficult to train an anomaly detection system in highly dynamic environments. This adverse effect of the data skewness is also illustrated with Figure 2.
The attack-detector model- ing helps in enriching the understanding and to further the design and research of IDSs. I am fortunate to have a friend like Sharmili Roy who has opened her heart and her problems to me in turn motivating me many a times with her extraordinary brilliance and analytical perceptions. If a system is evaluated on the DARPA data set, then it cannot claim anything more in terms of its performance on the real network traffic.
Performance enhancement of intrusion detection systems using advances in sensor fusion C Thomas, N Balakrishnan 11th International Conference on Information Fusion, It is natural that the detector searches for certain traffic features for signs of attack.