
dc.rights.licenseCC BY-NC-ND. Users may download and share copies with attribution in accordance with a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License. No commercial use or derivatives are permitted without the explicit approval of the author.
dc.contributorHendler, James A.
dc.contributorZikas, Vassilis
dc.contributorFox, Peter A.
dc.contributorKar, Koushik
dc.contributorGittens, Alex
dc.contributor.authorRastogi, Nidhi
dc.date.accessioned2021-11-03T09:03:38Z
dc.date.available2021-11-03T09:03:38Z
dc.date.created2018-10-24T13:31:20Z
dc.date.issued2018-08
dc.identifier.urihttps://hdl.handle.net/20.500.13015/2251
dc.descriptionAugust 2018
dc.descriptionSchool of Science
dc.description.abstractThis thesis proposes a new approach to intrusion detection in networks. The approach is based on Information Centrality (IC), with which systemic attacks can be detected at the same level while monitoring only approximately 50% of the total nodes. IC labels as central those network nodes that have better vantage points for detecting network-based anomalies. The main idea is that since these central nodes already "observe" most of the data flowing through the network, they are well placed to detect anomalous behavior much earlier than other nodes.
dc.description.abstractThis research first examines the important role played by graphs in understanding the topology and flow of information. We then introduce the use of an existing concept from the field of social networks, information centrality, a centrality-based index, to minimize data collection in existing communication networks. IC identifies important nodes that can accelerate anomaly detection when paired with a suitable anomaly detection technique. We also propose a heuristic approach that can be used instead of information centrality to obtain a similar outcome for very large networks. Finally, we demonstrate that, in the case of systemic anomalies, central nodes identify them much faster than non-central nodes.
dc.description.abstractModern networked systems are in perpetual need of novel tools that can diagnose suspicious activities and thwart cyber attacks arising from diverse threats and vulnerabilities. The massive upsurge in the number of devices connected to a network and in the associated traffic volume, as well as the addition of new, complex technologies to existing ones, has intensified the need for a deep understanding of systems. From a security perspective, we observe that user behavior borders on anxiety, which further increases the amount of data collected before the legitimate need for it is properly understood. Mirroring this is the rapid inclusion of security experts in the core teams that design and build platforms and networks, which raises awareness of the potential attack vectors that may affect these systems. However, data analytics (not necessarily security-related) has further intensified the drive to gather as much data as possible, leaving it to security experts to come up with tools to analyze it. While this is a daunting task for all parties involved and cannot be avoided, it is critical to scale these monitoring and analysis infrastructures to match the demands and purpose of collecting data.
dc.description.abstractExisting technologies come in the form of intrusion detection systems, such as anti-virus tools, and intrusion prevention systems, such as firewalls, which employ various approaches to detecting and preventing intrusions. Intrusion detection techniques are generally classified into two categories: misuse detection and anomaly detection. Their implementation, however, has kept changing with the types of systems, the data analysis involved, the growing attack surface, and the intrusions themselves. With the rapid evolution of the digital milieu and the explosion in collected data, there is a need for novel approaches that address the big data problem in security.
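The vantage-point selection described in the abstract, as an added worked example; this is illustrative code written for this record, not the thesis's own implementation. It assumes the Stephenson-Zelen definition of information centrality (IC_i = n / sum_j (c_ii + c_jj - 2 c_ij), where C = (L + J)^-1, L is the graph Laplacian and J the all-ones matrix; the sum is the total effective resistance from node i), a constructed nine-node toy topology (a core router, two access switches, six hosts), an unweighted graph, and the rule that a node "observes" a flow if it lies on one BFS shortest path between the endpoints. The thesis's exact graph model, heuristic for large networks and anomaly detector are not described on this page and are not reproduced here.

```python
"""Information centrality as a vantage-point selector (added example, not thesis code).

Assumptions: Stephenson-Zelen IC, IC_i = n / sum_j (c_ii + c_jj - 2*c_ij) with
C = (L + J)^-1; unweighted undirected graph; one BFS shortest path per flow.
"""
from collections import deque
from itertools import combinations
from math import ceil


def laplacian_plus_ones(nodes, edges):
    """Build L + J for an undirected, unweighted graph (start from J, add L)."""
    idx = {v: i for i, v in enumerate(nodes)}
    n = len(nodes)
    m = [[1.0] * n for _ in range(n)]
    for u, v in edges:
        i, j = idx[u], idx[v]
        m[i][i] += 1.0
        m[j][j] += 1.0
        m[i][j] -= 1.0
        m[j][i] -= 1.0
    return m


def invert(m):
    """Gauss-Jordan inverse with partial pivoting (pure Python, no numpy)."""
    n = len(m)
    a = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))
        if abs(a[piv][col]) < 1e-12:
            raise ValueError("L + J is singular: the graph must be connected")
        a[col], a[piv] = a[piv], a[col]
        p = a[col][col]
        a[col] = [x / p for x in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0.0:
                f = a[r][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]


def information_centrality(nodes, edges):
    """IC per node; a higher value means the node is 'closer' to all flows."""
    c = invert(laplacian_plus_ones(nodes, edges))
    n = len(nodes)
    return {v: n / sum(c[i][i] + c[j][j] - 2.0 * c[i][j] for j in range(n))
            for i, v in enumerate(nodes)}


def select_vantage(nodes, edges, fraction=0.5):
    """Top `fraction` of nodes by IC (ties broken by name), plus the IC map."""
    ic = information_centrality(nodes, edges)
    ranked = sorted(nodes, key=lambda v: (-ic[v], str(v)))
    return ranked[:ceil(fraction * len(nodes))], ic


def shortest_path(adj, s, t):
    """One BFS shortest path from s to t as a node list, endpoints included."""
    prev, q = {s: None}, deque([s])
    while q:
        u = q.popleft()
        if u == t:
            break
        for w in adj[u]:
            if w not in prev:
                prev[w] = u
                q.append(w)
    path, cur = [], t
    while cur is not None:
        path.append(cur)
        cur = prev[cur]
    return path[::-1]


def flow_coverage(nodes, edges, vantage):
    """Fraction of node pairs whose shortest path touches at least one vantage node."""
    adj = {v: set() for v in nodes}
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    watched = set(vantage)
    pairs = list(combinations(nodes, 2))
    seen = sum(1 for s, t in pairs if watched.intersection(shortest_path(adj, s, t)))
    return seen / len(pairs)


# Constructed toy topology (not from the thesis): core, two access switches, six hosts.
NODES = ["core", "sw1", "sw2", "h1", "h2", "h3", "h4", "h5", "h6"]
EDGES = [("core", "sw1"), ("core", "sw2"),
         ("sw1", "h1"), ("sw1", "h2"), ("sw1", "h3"),
         ("sw2", "h4"), ("sw2", "h5"), ("sw2", "h6")]

if __name__ == "__main__":
    vantage, ic = select_vantage(NODES, EDGES, 0.5)
    for v in sorted(NODES, key=lambda v: -ic[v]):
        print(f"{v:5s} IC={ic[v]:.3f}")
    rest = [v for v in NODES if v not in vantage]
    print("central 50%:", vantage, "coverage =", flow_coverage(NODES, EDGES, vantage))
    print("other 50%:  ", rest, "coverage =", round(flow_coverage(NODES, EDGES, rest), 3))
```

On the toy topology the core and the two switches rank highest, and the top half of the nodes sits on the shortest path of every flow, whereas the remaining half sees only the flows it originates or terminates. Two caveats for real use: the coverage metric here follows a single shortest path per pair, so with ECMP or asymmetric routing some flows will bypass a node counted as a vantage point; and the unweighted graph ignores link capacity and actual traffic volume, which a production ranking would have to weight in.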
dc.language.isoENG
dc.publisherRensselaer Polytechnic Institute, Troy, NY
dc.relation.ispartofRensselaer Theses and Dissertations Online Collection
dc.rightsAttribution-NonCommercial-NoDerivs 3.0 United States
dc.rights.urihttp://creativecommons.org/licenses/by-nc-nd/3.0/us/
dc.subjectComputer science
dc.titleA network intrusion detection system (NIDS) based on information centrality to identify systemic cyber attacks in large systems
dc.typeElectronic thesis
dc.typeThesis
dc.digitool.pid179194
dc.digitool.pid179195
dc.digitool.pid179196
dc.rights.holderThis electronic version is a licensed copy owned by Rensselaer Polytechnic Institute, Troy, NY. Copyright of original work retained by author.
dc.description.degreePhD
dc.relation.departmentDept. of Computer Science