A hybrid intelligent intrusion detection system for advanced persistent threats

Abstract

RESEARCH MOTIVATION: The objective of this research is to investigate how to increase the detection rate and increase the tracking rate of APT and TA in their early attack phases within an environment of distributed networks.

ABSTRACT: Today's world has networks without clear frontiers, where employees can and do work outside the company protection systems. Furthermore, they use two or more devices providing many possible entry points for attackers. Large scale attacks are often unknowingly initiated by these users.

Large scale Targeted Attacks (TA) are slow, fragmented, distributed, seemingly unrelated, and very sophisticated attacks targeting high-value organisations, and these attacks are often executed over long periods. When nations or states back these attacks, they are known as Advanced Persistent Threat (APT).

This research focuses on developing a methodology capable of detecting an APT in its early stages combining an Artificial Immune System (AIS) methodology known as Dendritic Cell Algorithm (DCA) with Genetic Algorithm (GA) and Support Vector Machine (SVM) classifiers. This Hybrid Model uses GA for feature extraction and SVM for DCA Signal Selection during the pre-processing stage, and DCA is the classifier for the Traffic Processing and Decision Modules during the processing phase. The Signal Selection process applies a cumulative distribution function of the Pareto distribution model to the results obtained with SVM to produce the DCA Safe and Danger signals. The Traffic Processing stage presents two linear equations and their weights for implementation on different types of datasets. Finally, the Decision Module calculates the Anomaly Threshold required for the dataset classification by obtaining the intersection of the distribution of the training normal and abnormal scores.