Adaptation and Development of Data Mining Techniques for Network Intrusion Detection Systems

Author: Mervat Mustafa Fahmy Abu-El-Kheir (ميرفت مصطفى فهمي أبو الخير)
University: Ain Shams
Faculty: Computer and Information Sciences
Department: Information Systems
Degree: M.Sc., 2007

As more sensitive information is stored and processed on organizations' private networks, the volume and severity of the risks against such systems increase, so organizations must make strong security policies an integral part of their infrastructures. Intrusion detection is a security mechanism concerned with monitoring and analyzing system activity to determine whether an attack is taking place, and with reacting appropriately to mitigate its effects, usually by reporting the incident to a security administrator.

Among the data analysis techniques used for intrusion detection, data mining has emerged as a promising tool that can process and analyze large data volumes and identify rare occurrences (intrusions). Data mining can also be used to generate rules describing intrusive behavior and to gain meaningful knowledge about its characteristics. However, data mining-based intrusion detection systems produce high false-alarm rates and do not analyze anomalies further to determine their nature.

This thesis proposes a framework for a data mining-based network intrusion detection system. This framework has the following characteristics:

•             It defines a network intrusion detection system designed specifically for the Egyptian e-government network, but deployable on corporate networks with similar architectures.

•             It combines misuse and anomaly analysis techniques to find intrusions.

•             It gradually filters out network activities that can be classified in advance: first the activities that match predefined attack signatures, then those that match a predefined normal profile. This gradual filtering leaves a small set of anomalous activities to be analyzed thoroughly.

•             The anomalous activities are analyzed by an incremental clustering scheme that creates new clusters from them and assesses what each cluster's behavior represents (a modified attack, a novel attack, or an update to the existing normal profile) based on the duration and rate of the cluster's creation.
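The following is an added illustration of the three-stage pipeline described above (signature match, then normal-profile match, then incremental clustering of the residue, with each cluster assessed by its creation duration and rate) together with the detection-rate, false-alarm and accuracy scoring used in the results. It is not the thesis's code: the signature rules, the z-scored normal profile, the leader-style clustering, the assessment thresholds (`modified_ratio`, `burst_min`, `burst_rate`, `slow_window`) and every connection record are assumptions constructed for the demonstration, not DARPA 1999 data.

```python
import math
from dataclasses import dataclass

# Feature vector: (duration_s, src_bytes, dst_bytes, failed_logins, distinct_dst_ports)
@dataclass
class Record:
    t: float      # arrival time in seconds; drives cluster duration and rate
    x: tuple      # feature vector
    truth: str    # ground truth ("normal"/"attack"), used only for scoring

# Stage 1: misuse rules (constructed for the demo, not the DARPA 1999 signatures)
SIGNATURES = {
    "brute-force": lambda x: x[3] >= 5,
    "port-scan": lambda x: x[4] >= 20 and x[1] < 500,
}

def match_signature(x):
    return next((name for name, rule in SIGNATURES.items() if rule(x)), None)

# Stage 2: normal profile = per-feature mean/std learned from normal records; a record
# matches if its z-scored Euclidean distance from the profile centre is within `threshold`.
class NormalProfile:
    def __init__(self, normals, threshold=3.0):
        n, d = len(normals), len(normals[0])
        self.mean = [sum(v[i] for v in normals) / n for i in range(d)]
        # tiny floor so a constant training feature cannot divide by zero
        self.std = [max(math.sqrt(sum((v[i] - self.mean[i]) ** 2 for v in normals) / n), 1e-9)
                    for i in range(d)]
        self.threshold = threshold

    def z(self, x):
        return [(x[i] - self.mean[i]) / self.std[i] for i in range(len(x))]

    def matches(self, x):
        return math.dist(self.z(x), [0.0] * len(x)) <= self.threshold

# Stage 3: incremental (leader) clustering, in z-space, of what survived stages 1 and 2.
@dataclass
class Cluster:
    centroid: list
    first_seen: float
    last_seen: float
    members: int = 1

class IncrementalClusterer:
    def __init__(self, profile, radius=3.0):
        self.profile, self.radius, self.clusters = profile, radius, []

    def add(self, rec):
        z = self.profile.z(rec.x)
        for c in self.clusters:                       # join the first cluster within radius
            if math.dist(z, c.centroid) <= self.radius:
                c.members += 1                         # running-mean centroid update
                c.centroid = [(m * (c.members - 1) + v) / c.members for m, v in zip(c.centroid, z)]
                c.last_seen = rec.t
                return c
        c = Cluster(centroid=z, first_seen=rec.t, last_seen=rec.t)
        self.clusters.append(c)
        return c

# Assumed assessment rules (the thesis's own criteria are not given on this page):
#  - centroid far nearer to a signature-caught record than to the profile -> modified attack
#  - at least burst_min members arriving at burst_rate or more per second -> novel attack
#  - accreting slowly over slow_window seconds or more -> update to the normal profile
#  - otherwise held for the analyst ("pending") and still raised as an alarm
def assess(c, signature_hits, modified_ratio=0.25, burst_min=3, burst_rate=0.5, slow_window=600.0):
    to_normal = math.dist(c.centroid, [0.0] * len(c.centroid))
    to_known = min((math.dist(c.centroid, h) for h in signature_hits), default=math.inf)
    duration = c.last_seen - c.first_seen
    rate = c.members / max(duration, 1.0)
    if to_known <= modified_ratio * to_normal:
        return "modified attack"
    if c.members >= burst_min and rate >= burst_rate:
        return "novel attack"
    if duration >= slow_window:
        return "normal profile update"
    return "pending"

def run(records, profile):
    """Return ([(record, verdict)], clusters); verdict 'normal' means no alarm."""
    clusterer, hits, staged = IncrementalClusterer(profile), [], []
    for rec in sorted(records, key=lambda r: r.t):
        sig = match_signature(rec.x)
        if sig:                                   # stage 1: known attack, report at once
            hits.append(profile.z(rec.x))
            staged.append((rec, "signature:" + sig))
        elif profile.matches(rec.x):              # stage 2: fits the normal profile
            staged.append((rec, "normal"))
        else:                                     # stage 3: cluster the residue
            staged.append((rec, clusterer.add(rec)))
    labels = {id(c): assess(c, hits) for c in clusterer.clusters}   # assess once all arrived
    verdicts = [(r, labels[id(v)] if isinstance(v, Cluster) else v) for r, v in staged]
    return verdicts, clusterer.clusters

def score(verdicts):
    """Detection rate, false-positive (false-alarm) rate and accuracy over the verdicts."""
    alarm = lambda v: v not in ("normal", "normal profile update")
    tp = sum(1 for r, v in verdicts if r.truth == "attack" and alarm(v))
    fn = sum(1 for r, v in verdicts if r.truth == "attack" and not alarm(v))
    fp = sum(1 for r, v in verdicts if r.truth == "normal" and alarm(v))
    tn = sum(1 for r, v in verdicts if r.truth == "normal" and not alarm(v))
    return {"detection_rate": tp / (tp + fn), "false_positive_rate": fp / (fp + tn),
            "accuracy": (tp + tn) / len(verdicts), "fp": fp}

# Constructed records (not DARPA 1999 traffic); truth is used only for scoring.
TRAIN_NORMAL = [(1.2, 300, 4500, 0, 1), (0.8, 250, 3900, 0, 1), (2.0, 400, 6100, 1, 1),
                (1.5, 320, 5000, 0, 2), (1.0, 280, 4200, 0, 1), (1.8, 350, 5600, 0, 1)]
RECORDS = (
    [Record(t, x, "normal") for t, x in [(10, (1.4, 310, 4800, 0, 1)), (20, (1.6, 340, 5300, 0, 1)),
                                          (30, (1.1, 290, 4300, 0, 1)), (40, (1.3, 305, 4700, 1, 1))]]
    + [Record(500, (8.0, 1500, 30000, 0, 2), "normal")]                     # lone outlier -> false alarm
    + [Record(t, x, "normal") for t, x in [(0, (120.0, 50, 200000, 0, 1)), (900, (120.4, 52, 200300, 0, 1)),
                                          (1800, (119.7, 49, 199800, 0, 1)), (2700, (120.2, 51, 200100, 0, 1))]]
    + [Record(100, (30.0, 9000, 2000, 8, 1), "attack"), Record(110, (25.0, 7500, 1800, 6, 1), "attack")]
    + [Record(200, (5.0, 200, 100, 0, 45), "attack")]
    + [Record(1000 + i, x, "attack") for i, x in enumerate([(0.2, 60000, 100, 0, 1), (0.3, 60050, 110, 0, 1),
         (0.25, 60020, 105, 0, 1), (0.2, 59980, 100, 0, 1), (0.3, 60010, 120, 0, 1), (0.25, 60030, 115, 0, 1)])]
    + [Record(2000, (28.0, 8500, 1900, 4, 1), "attack"), Record(2020, (28.2, 8520, 1930, 4, 1), "attack")]
)

if __name__ == "__main__":
    verdicts, clusters = run(RECORDS, NormalProfile(TRAIN_NORMAL))
    for r, v in verdicts:
        print(f"t={r.t:>6} truth={r.truth:<6} verdict={v}")
    print(score(verdicts))
```

On the constructed input the brute-force and port-scan records are reported by the signature stage, the ordinary sessions (including one with a single failed login) fall inside the normal profile, and the residue forms four clusters: a slowly accreting new service that becomes a normal-profile update, a six-connection burst assessed as a novel attack, a two-record brute-force variant below the signature threshold assessed as a modified attack, and a single outlier left pending. Because pending clusters are still raised, that outlier is the one false alarm; this is the detection-rate versus false-alarm trade-off that the remainder of the abstract quantifies.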

The proposed framework defines a network intrusion detection system that achieves the following goals:

•             Maintaining a high intrusion detection rate while keeping false alarms low.

•             Adapting to the changes in the network normal behavior.

•             Detecting novel as well as known intrusions and attacks.

•             Being scalable, in the sense that it can be extended without affecting its current operation.

A proof-of-concept implementation of the proposed framework was performed using subsets of the DARPA 1999 intrusion detection evaluation dataset. The system achieved the following results:

•             An average detection rate of 95.85% and an average false-positive (false-alarm) rate of 7.06%.

•             An average accuracy (correct classifications) of 93.17%.

•             Every new cluster labeled normal consisted entirely (100%) of normal instances.

•             Novel attacks were detected at an average rate of 95.82%.

When the proposed framework was compared with other traditional clustering techniques, the Expectation Maximization algorithm produced a detection rate of 100%, the highest among the tested algorithms, but at a false-alarm rate of 34.88%, which lowered its accuracy to 67.9%. The results showed that the proposed system performs better in terms of the trade-off between a high detection rate and a low false-alarm rate. Overall, the proposed framework achieved its intended goals, with the scalability goal still to be validated by extending the framework's functionality in future work.

Keywords: Intrusion detection, data mining, incremental clustering, anomaly detection, Egyptian e-government.


Created on: Saturday 24 March 2012, 20:46