To provide an accurate and timely response to different types of attacks, intrusion detection systems collect and analyze a large amount of data, which may include information with limited access, such as personal data or trade secrets. Consequently, such systems can themselves be an additional source of risk associated with handling sensitive information and breaching its security. Applying the federated learning paradigm to build analytical models for attack and anomaly detection can significantly reduce such risks, because locally generated data is not transmitted to any third party and model training is performed locally, at the data sources. Using federated training for intrusion detection solves the problem of training on data that belongs to different organizations and which, due to the need to protect commercial or other secrets, cannot be placed in the public domain. This approach therefore also makes it possible to expand and diversify the data on which machine learning models are trained, thereby improving the detection of heterogeneous attacks. Because it overcomes the problems described above, federated learning is actively used to design new approaches to intrusion and anomaly detection. The authors systematically explore existing solutions for intrusion and anomaly detection based on federated learning, study their advantages, and formulate open challenges associated with applying them in practice. Particular attention is paid to the architecture of the proposed systems and to the intrusion detection methods and models used; approaches to modeling interactions between multiple system users and to distributing data among them are also discussed. The authors conclude by formulating the open problems that must be solved before federated learning-based intrusion detection systems can be applied in practice.
The paper considers a generalized hybrid approach to constructing a set of classification rules, using the detection of anomalous network connections as an example. The proposed technique has five stages. The first stage is the configuration of adaptive classifiers. At the second stage, signature analysis is carried out, network connections are assembled, and network parameters are formed. The third stage is the preprocessing of network parameters. At the fourth stage, the classifier tree is traversed breadth-first, together with training or testing. The fifth stage is the detection of anomalous network connections. The distinctive features of the proposed technique are the ability to nest classifiers in one another to an arbitrary depth, and the lazy involvement of classifiers that results from top-down cascade training of the overall classifier fusion. Results of experiments on an open data set, used to compute the performance rates of detection and classification of network anomalies, are provided.
This paper considers the choice of algorithms and data structures for the efficient processing of events generated by intrusion detection systems. The proposed approach is based on balanced binary trees and speeds up the operations of adding records to the structure and searching for them. The paper provides theoretical and experimental confirmation of the efficiency of the developed approach.
An approach to creating normal functioning profiles (NFP) of monitored objects is considered. NFP creation is one of the key steps in solving network anomaly detection problems. Common issues of NFP creation and ways of overcoming them are considered. Iterative methods, the Shiskin–Eisenpress method in particular, are proposed as the mathematical tool for the NFP creation procedure. The described NFP creation method is verified on empirical network monitoring data and found suitable for network anomaly detection.
The paper describes the general architecture of a system for verifying firewall filtering rules and discusses aspects of its software implementation. The implementation is based on the model checking method, with the SPIN software system used as the verifier. The user interface designed for the system is also described: it allows the user to load data about the system under verification and the filtering policy rules, and it includes elements for managing the verification process and presenting its results. In addition, the proposed system supports different strategies for resolving the detected anomalies.
The paper outlines an approach to the verification of firewall filtering rules. The approach is intended for detecting and resolving filtering anomalies in the specification of a computer network's security policy, and it is based on the model checking technique. The paper proposes models of computer networks, models of firewalls and filtering anomalies, and an algorithm for detecting such anomalies. The main distinguishing features of the approach are the use of model checking specifically to detect anomalies in filtering rules and the ability to specify temporal parameters in filtering rules.