Cross Layer Anomaly Based Intrusion Detection System

P. Satam
DOI: 10.1109/SASOW.2015.31
Venue: 2015 IEEE International Conference on Self-Adaptive and Self-Organizing Systems Workshops
Publication date: 2015-09-21
Citations: 5

Abstract

Since the start of the 21st century, computer networks have been through exponential growth in terms of network capacity, the number of users and the types of tasks that are performed over the network. With the recent boom of mobile devices (e.g., tablet computers, smart phones, smart devices, and wearable computing), the number of network users is bound to increase exponentially. But most of the communication protocols that span the 7 layers of the OSI model were designed in the late 1980s or 90s. Although most of these protocols have had subsequent updates over time, most of them still remain largely insecure and open to attacks. Hence it is critically important to secure these protocols across the 7 layers of the OSI model. As a part of my PhD research, I am working on a cross-layer anomaly behavior detection system for various protocols. This system will be comprised of intrusion detection systems (IDS) for each of the protocols present in each layer. The behavior analysis of each protocol will be carried out in two phases. In the first phase (training), the features that accurately characterize the normal operations of the protocol are identified using data mining and statistical techniques and then used to build a runtime model of the protocol's normal operations. In addition, some known attacks against the studied protocol are also studied to develop a partial attack model for the protocol. The anomaly behavior analysis modules of each layer are then fused to generate a highly accurate detection system with low false alarms. In the second phase, the cross-layer anomaly-based IDS is used to detect attacks against any communication protocol. We have already developed anomaly behavior modules for the TCP, UDP, IP, DNS and Wi-Fi protocols. Our experimental results show that our approach can detect attacks accurately and with very low false alarms.