
On improving the efficiency of intrusion detection systems using game theoretic approaches


Academic year: 2023


Gautam Biswas (current director), all deans and administrative staff of the department for all their support. Playing badminton with all of you has been one of the most enriching experiences of my life.

Network Security

They require attack-free training data to build the normal baseline profile of the network. An ARP spoofing attack does not cause any change in the pattern of network communication.

Game Theory preliminaries

Alarms generated by the signature-based IDS are initially correlated with vulnerabilities in the Threat Profile to identify the potential true positive alarms. These alarms are then correlated with vulnerabilities in the SVS to determine the final TP alarms.

Game Theory based IDSs and their issues

An IDS framework based on Bayesian game theory for analyzing the interaction between malicious node (attacker) and IDS (defender) in Ad-hoc wireless networks is proposed in [27]. An IDS game theoretic framework that models the interaction between the service provider and the attacker as a zero-sum intrusion detection game is proposed in [29].

Game theory-based false alarm minimization scheme for signature based IDS

Consequently, the proposed framework significantly reduces the false alarm rate of the signature-based IDS, without degrading its overall detection rate. To address these issues, a new Bayesian game theory-based intrusion detection framework for MANET is proposed as a second contribution of the thesis.

A game theory-based multi layered IDS framework for VANET

Organization of Thesis

On the other hand, event-based IDSs can detect those known attacks for which attack signatures cannot be generated. Event-based IDSs use the difference in the sequence of events that occur under normal and compromised conditions to detect these known attacks.

IDS Taxonomy

Signature based IDS

Signature-based IDSs (also known as abuse-based IDSs) correlate the network's data traffic with a set of known attack signatures stored in their rule databases to detect network intrusions. Many signature-based detection systems use regular expressions for pattern matching and to identify different variations of the same attack.

Event based IDS

An event-based IDS detects an ARP spoofing attack by monitoring the sequence of data packet events. An event-based IDS essentially acts as a state evaluator and observes the sequence of events of data packets in the network to decide whether the observed progression of states corresponds to a normal scenario or an attack scenario.

Anomaly based IDS

Clustering is another major data mining technique that has been successfully applied to detect anomalies in network traffic [15] [48]. A machine learning-based anomaly detection system that uses a Bayesian network model to detect Distributed Denial of Service (DDoS) attacks is proposed in [20].

Issues with the existing IDS frameworks and motivation for thesis

Issues with the signature based IDSs

The severity of this issue can be gauged by the fact that sometimes up to 98% of alerts generated by signature-based IDSs are FP [58] [59]. Some of the alerts generated by signature-based IDS may not have valid reference numbers [64].

Issues with event based IDSs

However, the effectiveness of these schemes largely depends on the threshold values chosen to distinguish between TP and FP alarms. On the other hand, setting a high threshold value decreases the detection rate, since most of the alarms corresponding to real attacks are dropped as FPs.

Issues with anomaly based IDSs

On the other hand, wireless networks such as Mobile Ad-hoc Networks (MANETs) and Wireless Sensor Networks (WSNs) are usually energy and resource constrained. Therefore, IDS frameworks proposed for wireless networks must not generate large amounts of intrusion detection-related traffic.

Game Theory

  • Prisoner’s dilemma
  • Matching pennies
  • Non cooperative games
  • Cooperative games
  • Cooperation enforcement games

In addition, there is a class of incomplete-information games called Bayesian games, in which each player holds a belief about the types of the other players in the form of an a priori probability distribution. Such imposed cooperative behavior may not be in the best interests of the coalition members.

Game theory-based IDS frameworks and their issues

A game theory-based intrusion detection framework to prevent Denial of Service (DoS) attacks in WSNs is proposed in [32]. Game theory-based IDS frameworks proposed for VANETs generate a significant volume of intrusion detection-related traffic.

Scope and contribution of thesis

Reducing the volume of IDS traffic: Wireless networks such as VANETs operate in a narrow-band wireless radio spectrum. The aforementioned non-cooperative game is then used to derive a probabilistic IDS monitoring strategy that significantly reduces the amount of IDS traffic injected into the vehicle network without degrading the overall performance of the IDS framework.


Although signature-based IDSs are effective at detecting a wide variety of network attacks, they are prone to high false alarm rates, where normal data traffic is misclassified as intrusion by the IDS. In general, improving the accuracy of the IDS by minimizing its FP alarm rate will also reduce its detection rate by increasing its overall FN rate.

Related Works

They showed that their proposed mechanism improves the overall performance of the signature-based IDS. The detailed description of the proposed false alarm minimization scheme is discussed in Section 3.3.

Proposed false alarm minimization scheme

  • Network’s Threat profile
  • Global Vector Table
  • Intrusion detection game model to generate the Sensible Vulnerability
  • Sensible Vulnerability Set

The SVS is a subset of the network threat profile and includes vulnerability sets with a high critical weight. Table 3.4 shows the payoff matrix, in strategic form, of the attacker and the IDS (defender) interacting via the network vulnerability v_i ∈ V_i.

Performance Analysis

Analysis on the IDEVAL dataset

Therefore, the Nash equilibrium (NE) for the first case corresponds to the strategy combination, where both the defender and the attacker only defend and attack the vulnerabilities in the SVS with a certain probability distribution. For the second case, the SVS consists of the top 4 vulnerability sets from Table 3.5 with a critical weight between 0.70 and 1.0.

Analysis on the in-house testbed dataset

This implies that the proposed framework successfully filters out most of the FP alarms generated by Snort. We compare the performance of the proposed false alarm minimization scheme with various other frameworks to validate its effectiveness.


As shown in the figure, mobile devices in MANET are connected to the access network (which provides various quality of service (QoS), multimedia and access to security applications) through an access router. Therefore, nodes in MANET must cooperate among themselves and adopt a distributed intrusion detection mechanism to address various security threats to their overall well-being.

Related Works

Summarizing our studies on related works, we found that most MANET IDS frameworks that are not based on game theory are computationally intensive. Furthermore, most game theory-based MANET IDS frameworks are static in nature, where players' strategies and services are fixed and repeated over a period of time.

Proposed MANET IDS Framework

Bayesian game model for proposed MANET IDS framework

If P_i is of the malicious type and plays its pure strategy Attack, then the expected. However, when P_j plays its pure strategy Monitor, P_i's best response is to play its pure strategy Not Attack.

Energy efficient MANET cluster leader node election mechanism

The primary objective of the leader node election mechanism is to select the node n_i with the least cost function value (Cst_i) as the cluster leader node. Finally, the node with the least cost function value is selected as the leader node by the algorithm.

Proposed Hybrid MANET IDS

Similarly, (1 − α_L) and (1 − γ_L) represent the false negative (FN) rate and the true negative (TN) rate of the LIDS, respectively. Likewise, let α_L and γ_L be the detection rate and FP rate, respectively, of the lightweight IDS.

Experimental Results

MANET leader election mechanism analysis

Malicious nodes avoid being selected as the leader node by exaggerating their cost function value. This shows that the normal nodes are often chosen as the leader node and die out faster as the number of selfish nodes increases in the cluster.

Hybrid MANET IDS analysis

The association rules derived from these traces are then used to construct the normal network profile. The ERO of the proposed IDS scheme is mainly due to the exchange of election messages during the election of the leader nodes and the controlling nodes.


Security challenges in VANET

Any intrusion detection framework proposed for VANET must therefore consider the following key issues. In particular, it must adopt an appropriate clustering algorithm that generates stable vehicle clusters, so that network stability is maintained.

Related Works

REST-Net, a novel intrusion detection system for mitigating the authenticity and integrity problems in VANET, is proposed in [143]. We aim to address these issues in existing intrusion detection frameworks by proposing a game theory-based multi-layer intrusion detection framework for VANET.

Multi layered game theory-based hybrid intrusion detection framework

Attack types in VANET

Selective forwarding and black hole attacks: In the selective forwarding attack, the malicious vehicle selectively forwards data packets while dropping others. A malicious vehicle performing a DoS attack can be detected by calculating its Duplicate Packet Rate (DPR) and Packet Forwarding Rate (PFR) values.
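The section above says that selective forwarding, black hole and DoS behaviour can be told apart from a vehicle's Duplicate Packet Rate (DPR) and Packet Forwarding Rate (PFR). The following is an added example, not code from the thesis, of how a monitoring agent node could compute both metrics from a forwarding trace and label vehicles from them. The trace (vehicles v1..v3, packet ids p1..p10) is constructed for the example, and the thresholds pfr_min, dpr_max and min_packets are illustrative assumptions rather than values taken from the thesis.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed forwarding trace as a monitoring agent node might record it.
# Each tuple is (forwarder_vehicle, packet_id, action) with action "recv"
# (packet handed to the forwarder) or "fwd" (forwarder transmitted it).
# Vehicle identities v1..v3 and packet ids are made up for this example.
SAMPLE_EVENTS = [
    ("v1", "p1", "recv"), ("v1", "p1", "fwd"),   # v1 relays every packet once
    ("v1", "p2", "recv"), ("v1", "p2", "fwd"),
    ("v1", "p3", "recv"), ("v1", "p3", "fwd"),
    ("v1", "p4", "recv"), ("v1", "p4", "fwd"),
    ("v2", "p5", "recv"), ("v2", "p5", "fwd"),   # v2 drops half of its packets
    ("v2", "p6", "recv"),
    ("v2", "p7", "recv"), ("v2", "p7", "fwd"),
    ("v2", "p8", "recv"),
    ("v3", "p9", "recv"), ("v3", "p9", "fwd"), ("v3", "p9", "fwd"), ("v3", "p9", "fwd"),
    ("v3", "p10", "recv"), ("v3", "p10", "fwd"), ("v3", "p10", "fwd"), ("v3", "p10", "fwd"),
]


@dataclass
class ForwardingStats:
    received: int          # distinct packets handed to the vehicle
    forwarded_unique: int  # distinct packets it transmitted at least once
    forwarded_total: int   # all transmissions, repeats included

    @property
    def pfr(self) -> float:
        """Packet Forwarding Rate: share of received packets forwarded at least once."""
        return self.forwarded_unique / self.received if self.received else 0.0

    @property
    def dpr(self) -> float:
        """Duplicate Packet Rate: share of transmissions that repeat an earlier one."""
        if self.forwarded_total == 0:
            return 0.0
        return (self.forwarded_total - self.forwarded_unique) / self.forwarded_total


def compute_stats(events):
    """Aggregate per-vehicle forwarding counters from a trace."""
    received = defaultdict(set)
    fwd_counts = defaultdict(lambda: defaultdict(int))
    for vehicle, packet, action in events:
        if action == "recv":
            received[vehicle].add(packet)
        elif action == "fwd":
            fwd_counts[vehicle][packet] += 1
    stats = {}
    for vehicle in set(received) | set(fwd_counts):
        per_packet = fwd_counts[vehicle]
        stats[vehicle] = ForwardingStats(
            received=len(received[vehicle]),
            forwarded_unique=len(per_packet),
            forwarded_total=sum(per_packet.values()),
        )
    return stats


def classify(stats, pfr_min=0.9, dpr_max=0.2, min_packets=2):
    """Label each vehicle from its PFR and DPR. The thresholds are illustrative
    assumptions, not thesis values; a deployment would tune them to the link loss
    rate so that ordinary collisions are not reported as selective forwarding."""
    verdicts = {}
    for vehicle, s in stats.items():
        if s.received < min_packets:
            verdicts[vehicle] = "insufficient_data"    # too few packets to judge
        elif s.dpr > dpr_max:
            verdicts[vehicle] = "dos_flooding"         # re-transmits the same packets
        elif s.pfr == 0.0:
            verdicts[vehicle] = "black_hole"           # drops everything it receives
        elif s.pfr < pfr_min:
            verdicts[vehicle] = "selective_forwarding"  # drops a share of packets
        else:
            verdicts[vehicle] = "normal"
    return verdicts


if __name__ == "__main__":
    for vehicle, verdict in sorted(classify(compute_stats(SAMPLE_EVENTS)).items()):
        print(vehicle, verdict)
```

On the constructed trace, v1 is labelled normal (PFR 1.0, DPR 0), v2 selective_forwarding (PFR 0.5) and v3 dos_flooding (DPR 2/3). The min_packets guard matters in practice: a single lost packet from a vehicle that has only relayed one so far would otherwise look like a black hole.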

Distributed cluster formation and CH election algorithms

In the proposed clustering algorithm, a vehicle can be in one of four states, namely the Undecided (UD) state, Cluster Member (CM) state, Cluster Head (CH) state and Cluster Gateway (CG) state. In this subsection, we describe the PCH election process of the proposed clustering algorithm in detail.

VCG mechanism based payment structure for CH

The value of R_th is set to one-fourth of the average reputation value of the agent nodes in the cluster. The primary objective of the proposed CH election mechanism is to choose the vehicle v_i ∈ C with the lowest cost function value (Cst_{v_i}) as CH.

Agent node’s Local Intrusion Detection System (LIDS) module

The SCF table of the agent node also stores the identities of vehicles blacklisted by the RSU and CH. When the agent node detects that the CH is malicious, it reports to the RSU.

CH’s Cluster Intrusion Detection System (CIDS) module

The strategy spaces of the CH and the malicious vehicle are S_D = {Monitor, Not Monitor} and S_A = {Attack, Wait}, respectively. The malicious vehicle chooses to play its strategy Attack when U_A(Attack) > U_A(Wait), i.e. when the monitoring probability q of the CH satisfies q < (1−α−δ)/(α+β).

RSU’s Global Decision System (GDS) module

Therefore, the mixed-strategy NE of the non-cooperative game between the malicious vehicle and the CH corresponds to the strategy combination (p*, q*), where p* = (β+δ)/(2+α+β+δ−γ) and q* = (1−α−δ)/(α+β) are the probabilities with which the malicious vehicle and the CH play their strategies Attack and Monitor, respectively. It can be observed that both the attack probability of the malicious vehicle and the monitoring probability of the CH are inversely proportional to the detection rate (α) of the CH, i.e. p* ∝ 1/α and q* ∝ 1/α.
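To show what the equilibrium expressions mean for the defender, the following is an added example (not code from the thesis) that evaluates the CH/malicious-vehicle game's closed forms, applies the attacker's decision rule q < q* from the CIDS section, and sweeps the CH detection rate α to show both equilibrium probabilities falling as α rises. It assumes q* = (1−α−δ)/(α+β) as stated, and reads the extracted expression for p* as (β+δ)/(2+α+β+δ−γ); the parameter values used are constructed, and the meaning of β, γ and δ beyond their role in these formulas is not taken from the page.

```python
def equilibrium_monitoring_probability(alpha: float, beta: float, delta: float) -> float:
    """q*: the CH monitoring probability at which the malicious vehicle is
    indifferent between Attack and Wait, q* = (1 - alpha - delta) / (alpha + beta)."""
    return (1.0 - alpha - delta) / (alpha + beta)


def equilibrium_attack_probability(alpha: float, beta: float, gamma: float, delta: float) -> float:
    """p*: the malicious vehicle's equilibrium Attack probability.
    ASSUMPTION: the thesis fraction is read as (beta + delta) / (2 + alpha + beta + delta - gamma)."""
    return (beta + delta) / (2.0 + alpha + beta + delta - gamma)


def attacker_best_response(q: float, alpha: float, beta: float, delta: float) -> str:
    """Attack is strictly preferred iff U_A(Attack) > U_A(Wait), i.e. q < q*."""
    return "Attack" if q < equilibrium_monitoring_probability(alpha, beta, delta) else "Wait"


def minimum_monitoring_to_deter(alpha: float, beta: float, delta: float) -> float:
    """Lowest CH monitoring probability at which Attack is no longer strictly
    preferred. Edge case: when alpha + delta >= 1, q* <= 0 and the attacker prefers
    Wait even without monitoring, so the answer is clamped to 0."""
    return max(0.0, equilibrium_monitoring_probability(alpha, beta, delta))


def mixed_strategy_ne(alpha: float, beta: float, gamma: float, delta: float):
    """Return (p*, q*), rejecting parameter sets for which the closed forms do not
    give valid probabilities (the NE formula only applies in the interior case)."""
    p = equilibrium_attack_probability(alpha, beta, gamma, delta)
    q = equilibrium_monitoring_probability(alpha, beta, delta)
    if not (0.0 <= p <= 1.0 and 0.0 <= q <= 1.0):
        raise ValueError(f"closed form outside [0,1]: p*={p:.3f}, q*={q:.3f}")
    return p, q


def sweep_detection_rate(alphas, beta: float, gamma: float, delta: float):
    """(alpha, p*, q*) for each alpha: both fall as the CH detection rate rises."""
    return [(a, *mixed_strategy_ne(a, beta, gamma, delta)) for a in alphas]


if __name__ == "__main__":
    # Constructed parameter values for illustration only.
    for a, p, q in sweep_detection_rate([0.5, 0.7, 0.9], beta=0.1, gamma=0.2, delta=0.05):
        print(f"alpha={a:.2f}  p*={p:.4f}  q*={q:.4f}")
```

The practical reading for the CIDS designer is the last function: the CH does not need to monitor every transmission, only often enough to keep q at or above q*, and raising its detection rate α lowers that required monitoring effort.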

Experimental Results

Simulated vehicular network traffic

It can be observed from the figure that the DR of the proposed framework increases as the number of agent nodes per group increases. It can be observed from the figure that the FAR of the proposed framework increases with the increase in the number of agent nodes.

Real time vehicular network traffic


Scope of Future Work

