Improving Real-Time Intrusion Detection in Dynamic Networks with Highly Imbalanced Data Using a Multi-Agent Architecture Approach

Author

Anh-Hong Nguyen Rucker, Nova Southeastern UniversityFollow

Date of Award

2019

Document Type

Dissertation - NSU Access Only

Degree Name

Doctor of Philosophy (PhD)

Department

College of Computing and Engineering

Advisor

James L. Cannady

Committee Member

Glyn T. Gowing

Committee Member

Timothy J. Ellis

Keywords

Computer science, cybersecurity, IDS, information security, information technology, intrusion detection, intrusion response, network security

Abstract

One of the most important security measures in any organization’s Cybersecurity program is its ability to detect and prevent cyberattacks effectively. As cyberattacks continue to present major concerns for modern society, intrusion prevention techniques alone are not enough to successfully combat today’s cyber threats. Intrusion detection techniques need to be continuously enhanced to meet new demands and challenges. They need to process massive data in real-time with great accuracy. The focus of this research was in developing a novel architecture for real-time intrusion detection. Its goal was to address the limited labeled data problem in highly imbalanced data. The proposed Multi- Agent Decentralized Architecture for Intrusion Detection System (MADA4IDS) was designed with the following seven key factors in mind: accuracy, overhead, scalability, resiliency, self-configuration, interoperability, and privacy. The architecture consisted of six key modules: network sensor management and logging, host agent management and logging, offline data storage, policies, intrusion detection, and intrusion response. MADA4IDS has the root node at the top of the hierarchy, which continuously receives aggregated and corelated intrusion detection information from the entire network using a Security Information and Event Management (SIEM). MADA4IDS was deployed and evaluated in a Cybersecurity test lab using two experiments. To demonstrate the efficacy of the proposed architecture in real-world environment, these experiments were performed using real data sources from the operational environment. The first experiment demonstrated that MADA4IDS was able to achieve approximately 99.8% reduction in comparison with Palo Alto Network Firewall and Snort IDS. The second experiment demonstrated its ability to achieve early detection of lateral movement reconnaissance. Overall, the experimentation results demonstrated that MADA4IDS was able to improve the detection accuracy in high-speed network.

NSUWorks Citation

Anh-Hong Nguyen Rucker. 2019. Improving Real-Time Intrusion Detection in Dynamic Networks with Highly Imbalanced Data Using a Multi-Agent Architecture Approach. Doctoral dissertation. Nova Southeastern University. Retrieved from NSUWorks, College of Computing and Engineering. (1102)
https://nsuworks.nova.edu/gscis_etd/1102.