A web site for computational intelligence related documents.



Autonomous Rule Creation for Intrusion Detection

Vollmer, D.T., Alves-Foss, J., Manic, M.

Many computational intelligence techniques for anomaly based network intrusion detection can be found in literature. Translating a newly discovered intrusion recognition criteria into a distributable rule can be a human intensive effort. This paper explores a multi-modal genetic algorithm solution for autonomous rule creation. This algorithm focuses on the process of creating rules once an intrusion has been identified, rather than the evolution of rules to provide a solution for intrusion detection. The algorithm was demonstrated on anomalous ICMP network packets (input) and Snort rules (output of the algorithm). Output rules were sorted according to a fitness value and any duplicates were removed. The experimental results on ten test cases demonstrated a 100 percent rule alert rate. Out of 33,804 test packets 3 produced false positives. Each test case produced a minimum of three rule variations that could be used as candidates for a production system.

Vollmer, T., Foss, J.A., Manic, M., "Autonomous Rule Creation for Intrusion Detection", in Proc of 2011 IEEE Symposium on Computational Intelligence in Cyber Security, within IEEE Symposium Series on Computational Intelligence, CICS 2011 (SCCI 2011), pp.1-8, Apr.11-15, 2011, Paris, France, ISBN: 978-1-4244-9904



Fuzzy Logic Based Anomaly Detection for Embedded Network Security Cyber Sensor

Linda, O., Vollmer, D.T., Manic, M., Wright, J.

Resiliency and security in critical infrastructure control systems in the modern world of cyber terrorism constitute a relevant concern. Developing a network security system specifically tailored to the requirements of such critical assets is of primary importance. This paper proposes a novel learning algorithm for anomaly based network security cyber sensor together with its hardware implementation. The presented learning algorithm constructs a fuzzy logic rule base modeling the normal network behavior. Individual fuzzy rules are extracted directly from the stream of incoming packets using an online clustering algorithm. This learning algorithm was specifically developed to comply with the constrained computational requirements of low-cost embedded network security cyber sensors. The performance of the system was evaluated on a set of network data recorded from an experimental test-bed mimicking the environment of a critical infrastructure control system.

O. Linda, M. Manic, Vollmer, T., Wright, J., "Fuzzy Logic Based Anomaly Detection for Embedded Network Security Cyber Sensor," in Proc of 2011 IEEE Symposium on Computational Intelligence in Cyber Security, within IEEE Symposium Series on Computational Intelligence, CICS 2011 (SCCI 2011), pp.202-209, Apr.11-15, 2011, Paris, France, ISBN: 978-1-4244-9904



A Distance Measure Comparison to Improve Crowding in Multi-modal Optimization Problems

Vollmer, D.T., Soule, T., Manic, M.

Solving multi-modal optimization problems is of interest to researchers solving real world problems in areas such as control systems and power engineering tasks. Extensions of simple Genetic Algorithms, particularly types of crowding, have been developed to help solve these types of problems. This paper examines the performance of two distance measures, Mahalanobis and Euclidean, exercised in the processing of two different crowding type implementations against five minimization functions. Within the context of the experiments, empirical evidence shows that the statistical based Mahalanobis distance measure when used in Deterministic Crowding produces equivalent results to a Euclidean measure. In the case of Restricted Tournament selection, use of Mahalanobis found on average 40% more of the global optima, maintained a 35% higher peak count and produced an average final best fitness value that is 3 times better.

Vollmer, T., Soule, T., Manic, M., "A Distance Measure Comparison to Improve Crowding in Multi-Modal Optimization Problems", IEEE ISRCS'10, the 3rd IEEE Symposium on Resilience Control Systems, Idaho Falls, Idaho, Aug. 10-12, 2010


A Neural Network Based Intrusion Detection System for Critical Infrastructures

Linda, O., Vollmer, T., Manic, M.

Resiliency and security in control systems such as SCADA and nuclear plants in today's world of hackers and malware are a relevant concern. Computer systems used within critical infrastructures to control physical functions are not immune to the threat of cyber attacks and may be potentially vulnerable. Tailoring an intrusion detection system to the specifics of critical infrastructures can significantly improve the security of such systems. The IDS-NNM - Intrusion Detection System using Neural Network based Modeling, is presented in this paper. The main contributions of this work are: 1) the use and analyses of real network data (data recorded from an existing critical infrastructure); 2) the development of a specific window based feature extraction technique; 3) the construction of training dataset using randomly generated intrusion vectors; 4) the use of a combination of two neural network learning algorithms - the Error-Back Propagation and Levenberg-Marquardt, for normal behavior modeling. The presented algorithm was evaluated on previously unseen network data. The IDS-NNM algorithm proved to be capable of capturing all intrusion attempts presented in the network communication while not generating any false alerts.

Linda, O., Vollmer, T., Manic, M., "Neural Network Based Intrusion Detection System for Critical Infrastructures," IJCNN'09, Int. Joint INNS-IEEE Conf. on Neural Networks, Atlanta, Georgia, June 14-19, 2009


Computationally Efficient Neural Network Intrusion Security Awareness

Vollmer, T., Manic, M.

An enhanced version of an algorithm to provide anomaly based intrusion detection alerts for cyber security state awareness is detailed. A unique aspect is the training of an error back-propagation neural network with intrusion detection rule features to provide a recognition basis. Ethernet network packet details are subsequently provided to the trained network to produce a classification. This leverages rule knowledge sets to produce classifications for anomaly based systems. Several test cases executed on ICMP protocol revealed a 60% identification rate of true positives. This rate matched the previous work, but 70% less memory was used and the run time was reduced to less than 1 second from 37 seconds.

Vollmer, T., Manic, M., "Computationally Efficient Neural Network Intrusion Security Awareness", IEEE ISRCS'09, the 2nd IEEE Symposium on Resilience Control Systems, Idaho Falls, Idaho, Aug. 11-13, 2009



Human Interface for Cyber Security Anomaly Detection Systems

Vollmer, T., Manic, M.

Low-level network traffic information is oftentimes beyond the understanding of common system operators (byte counts, port numbers, packet data, etc.). However, anomaly based Intrusion Detection Systems (IDS) often provide such low-level, difficult to comprehend information. This paper details a Human Interface for Security Awareness (HISA) algorithm for interpreting cyber incident information to human operators from anomaly based intrusion detection systems. A similarity algorithm mapping anomaly results to signature based intrusion system rules is developed. Categorizations of attacks found in rules created for the Snort intrusion system were used as a basis of information to present to the user. A proof of concept system was developed using Perl native functions and custom modules. Testing with generated ICMP packets resulted in an identification accuracy of 60% proving the efficacy of the presented HISA algorithm.

Vollmer, T., Manic, M., "Human Interface for Cyber Security Anomaly Detection Systems", 2nd IEEE Conference on Human System Interaction, Catania, Italy, 21-23 May 2009



Computational Intelligence Based Prognostic Automotive System Model

Vollmer, T., Manic, M.

In an ideal case physically oriented vehicle models can reduce the required practical knowledge of a vehicle designer. These types of models are effective cost reducing tools used in industrial development cycles. There are many variables that can be used as input both internal and external to model automobile performance. The focus of this paper is on those external variable factors such as environment conditions that are not controllable by a human but are instantaneously measurable and affect performance. This paper presents CI-PASM, A Computational Intelligence Based Prognostic Automotive System Model. Initial feature reduction was accomplished by a human expert. Principal Component Analysis was performed to further reduce the input set. Using expert chosen features, the CI-PASM algorithm produced results having an error at worst in the hundredths of a second. These output results were compared against a support vector machine implementation and were shown to be superior. The CI-PASM mean error was half that of the support vector machine error. Results from using PCA attributes and a support vector machine indicated that these are relevant alternative methods given different requirements.

Vollmer, T., Manic, M., "Computational Intelligence Based Prognostic Automotive System Model", ICIEA 2009, 4th IEEE Conference on Industrial Electronics and Applications, Xi'an, China, May 25-27, 2009



SVM-inspired Dynamic Safe Navigation using Convex Hull Construction

Linda, O., Vollmer, T., Manic, M.

The navigation of mobile robots or unmanned autonomous vehicles (UAVs) in an environment full of obstacles has a significant impact on its safety. If the robot maneuvers too close to an obstacle, it increases the probability of an accident. Preventing this is crucial in dynamic environments, where the obstacles, such as other UAVs, are moving. This kind of safe navigation is needed in any autonomous movement application but it is of vital importance in applications such as automated transportation of nuclear or chemical waste. This paper presents the Maximum Margin Search using a Convex Hull construction (MMS-CH), an algorithm for a fast construction of a maximum margin between sets of obstacles and its maintenance as the input data are dynamically altered. This calculation of the safest path is inspired by the Support Vector Machines (SVM). It utilizes the convex hull construction to preprocess the input data and uses the boundaries of the hulls to search for the optimal margin. The MMS-CH algorithm takes advantage of the elementary geometrical properties of the 2-dimensional Euclidean space resulting in 1) significant reduction of the problem complexity by eliminating irrelevant data; 2) computationally less expensive approach to maximum margin calculation than standard SVM-based techniques; and 3) inexpensive recomputation of the solution suitable for real time dynamic applications.

Linda, O., Vollmer, T., Manic, M., "SVM-inspired Dynamic Safe Navigation using Convex Hull Construction", ICIEA 2009, 4th IEEE Conference on Industrial Electronics and Applications, Xi'an, China, May 25-27, 2009