Title: Intrusion Detection using Computational Intelligence Techniques
Author: Ibrahim, Tamer Fathy Ghanem.
Committee:
Researcher / تامر فتحى غانم إبراهيم
Supervisor / محيى محمد هدهود
Examiner / معوض إبراهيم معوض
Examiner / محمد السعيد نصر
Subject: Intrusion detection systems (Computer security); Computer networks - Security measures; Computers - Access control.
Publication date: 2015.
Pages: 201 p.
Language: English
Degree: Doctorate
Specialization: Information Systems
Approval date: 1/3/2015
Place of approval: Menoufia University - Faculty of Computers and Information - Information Technology
Contents: Only 14 pages of 201 are available for public view.

Abstract

In recent years, computer networks have been exposed to a vast number of intrusions that badly affect service availability. Different anomaly-based intrusion detection systems (IDSs) have been proposed to protect these networks against such threats. Despite this, proposing IDSs with higher accuracy and lower error rates remains a challenging task. Towards solving this challenge, a new intrusion detection approach is proposed in this thesis, in two versions. First, the Hybrid Anomaly Detection (HAD) approach is proposed as a basic intrusion detection approach, distinguished by its high accuracy and its low error rate. Second, an enhanced hybrid anomaly detection approach (E-HAD) is presented to reduce the processing overhead of the first version; E-HAD is also more accurate and more automated than HAD. In addition, this thesis presents a new fast clustering algorithm called Dimension-based Partitioning and Merging (DPM), characterized by its extreme speed in clustering large-scale datasets compared to competing clustering algorithms. DPM is included in the proposed E-HAD approach as one of the enhancements that improve its overall performance. Finally, an intrusion detection dataset is built to reflect recent network traffic behavior and is used for performance evaluation of the proposed intrusion detection approach.

The HAD approach detects anomalies in large-scale datasets using detectors generated by a multi-start metaheuristic method and genetic algorithms. This approach is inspired by negative-selection-based detector generation. In addition, clustering with the k-means algorithm is used to select good initial start points for the multi-start method. The evaluation of this approach was performed using the NSL-KDD dataset, a modified version of the widely used KDDCup99 intrusion detection dataset. Different parameter values affecting the performance of the detector generation process are investigated, and recommendations for selecting their best values are stated. The results show the approach's effectiveness in generating a suitable number of detectors with high accuracy compared to competing machine learning algorithms.

This work also proposes the fast clustering algorithm DPM. As stated above, clustering is used as an early stage of the detector generation process. Clustering large-scale datasets (e.g. intrusion detection datasets) is challenging because of the high processing overhead of most clustering algorithms; k-means is one of the algorithms that cannot handle such large datasets. DPM is therefore presented to cluster such datasets quickly. In DPM, the data is first divided into small dense partitions during the successive processing of the dataset dimensions. Then, noise is filtered out using the dimensional densities of the generated partitions. Finally, a merging process constructs clusters based on the boundary samples of the remaining partitions. DPM automatically detects the number of clusters based on three insensitive tuning parameters, which reduces the burden of its use. Performance evaluation of the proposed algorithm using different datasets shows its speed and accuracy compared to competing clustering algorithms.

Furthermore, the enhanced anomaly detection approach (E-HAD) is presented to reduce the processing overhead. E-HAD is developed from a modified version of HAD together with DPM as its clustering algorithm, and the selection of some E-HAD parameter values is automated. E-HAD performance evaluation shows reduced processing overhead while maintaining high accuracy.

Finally, recent network traffic is captured and analyzed to build a new intrusion detection dataset that reflects the current behavior of normal and malicious network activities. Although KDDCup99 is the most widely used dataset for evaluating intrusion detection systems, it is considered out of date, so the built dataset is used to evaluate the proposed intrusion detection approach and to confirm its high performance on recent networks.
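The three-step outline given for DPM (partition along each dimension, drop sparse partitions as noise, merge the surviving partitions into clusters whose number is discovered automatically) is the kind of thing that is easiest to understand in code. The Python sketch below is an added illustration written for this page; it is not the thesis's DPM implementation, which is not reproduced here. It uses a plain regular grid for the partitioning step, a minimum point count per cell as the density filter, and adjacency of dense cells as the merge criterion in place of the thesis's boundary-sample test; the parameter names, the grid rule and the constructed sample data are all assumptions.

```python
"""Simplified partition-and-merge clustering in the spirit of DPM.

Added illustration, not the thesis's algorithm. Assumptions made here:
a regular grid with `bins` cells per dimension, a `min_density` point
count for a cell to count as dense, and 8-connectivity between dense
cells as the merge rule (the thesis merges on boundary samples).
"""
from collections import defaultdict, deque
from itertools import product
import random


def partition(points, bins):
    """Step 1: bin every point along each dimension in turn, producing
    {cell_index_tuple: [point indices]}. Successive per-dimension binning
    is what makes the partitioning 'dimension-based'."""
    dims = len(points[0])
    lo = [min(p[d] for p in points) for d in range(dims)]
    hi = [max(p[d] for p in points) for d in range(dims)]
    # `or 1.0` guards a dimension where every point has the same value.
    width = [((hi[d] - lo[d]) / bins) or 1.0 for d in range(dims)]
    cells = defaultdict(list)
    for i, p in enumerate(points):
        idx = tuple(min(int((p[d] - lo[d]) / width[d]), bins - 1)
                    for d in range(dims))
        cells[idx].append(i)
    return cells


def filter_noise(cells, min_density):
    """Step 2: keep cells holding at least `min_density` points; points in
    the discarded (sparse) cells are treated as noise."""
    dense = {c: idx for c, idx in cells.items() if len(idx) >= min_density}
    noise = [i for c, idx in cells.items() if c not in dense for i in idx]
    return dense, noise


def merge(dense):
    """Step 3: breadth-first merge of dense cells that touch (differ by at
    most 1 in every dimension). Each connected component becomes one
    cluster, so the cluster count is discovered rather than supplied."""
    if not dense:
        return {}, 0
    dims = len(next(iter(dense)))
    offsets = [o for o in product((-1, 0, 1), repeat=dims) if any(o)]
    label = {}
    k = 0
    for start in dense:
        if start in label:
            continue
        label[start] = k
        queue = deque([start])
        while queue:
            cell = queue.popleft()
            for o in offsets:
                nb = tuple(a + b for a, b in zip(cell, o))
                if nb in dense and nb not in label:
                    label[nb] = k
                    queue.append(nb)
        k += 1
    return label, k


def cluster(points, bins=10, min_density=3):
    """Run the three steps. Returns (labels, k): one label per input point,
    -1 for noise, and k the number of clusters found."""
    cells = partition(points, bins)
    dense, _noise = filter_noise(cells, min_density)
    cell_label, k = merge(dense)
    labels = [-1] * len(points)
    for cell, idx in dense.items():
        for i in idx:
            labels[i] = cell_label[cell]
    return labels, k


def make_sample(seed=7):
    """Constructed 2-D data: two Gaussian blobs of 60 points each followed
    by 6 uniformly scattered noise points (indices 120..125)."""
    rng = random.Random(seed)
    pts = []
    for cx, cy in ((2.0, 2.0), (8.0, 8.0)):
        pts += [(rng.gauss(cx, 0.4), rng.gauss(cy, 0.4)) for _ in range(60)]
    pts += [(rng.uniform(0.0, 10.0), rng.uniform(0.0, 10.0)) for _ in range(6)]
    return pts


if __name__ == "__main__":
    labels, k = cluster(make_sample())
    print("clusters found:", k, "noise points:", labels.count(-1))
```

With the sample above the grid step touches each point once per dimension and the merge step works only on the handful of dense cells, which is where the speed advantage of partition-then-merge over repeated k-means passes comes from; the cost is that the result depends on the bin width and density threshold, the same kind of tuning parameters the abstract mentions for DPM.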