Reflective-Cognitive Adaptation for Network Intrusion Detection SystemsCAMNEP Project

The goal of the CAMNEP project was to design and implement network intrusion detection system for high-speed networks. System observes network traffic using hardware-accelerated FlowMon probes, detects network anomalies using agent technologies and visualizes malicious traffic.

Main Features

  • High performance and ability to analyze network traffic in Gb/s.
  • High effectiveness with low rate of false detections (false positives and false negatives).
  • Minimal configuration upon deployment thanks to the self-adaptation features.
  • Intuitive and unobtrusive user interface for network administrators.

CAMNEP analyzes network traffic behavior using flow statistics (system doesn't perform deep packet inspection). Such way CAMNEP preserves end-users privacy, is able to detect anomalies in encrypted traffic and doesn't rely on detection signatures. CAMNEP is able to detect new and unknown attacks.

Demonstration Videos

Presentations

Selected Publications

Project Team

U.S. Army proposed in 2005 to form a research team composed of Institute of Computer Science, Masaryk University and Agent Technology Center, Department of Cybernetics, Czech Technical University in Prague. The goal of a joint research effort in CAMNEP I project was to propose intrusion detection system for high-speed networks. Group from Institute of Computer Science was involved in network traffic measurement and data visualization. Group from Agent Technology Center was involved in anomaly detection and reduction of false detections.

Both research partners continued with CAMNEP II project in 2008. The main goals were distributed attack detection on computer network and adaptation of detection layer.

Technology

The CAMNEP system is based on combination of existing open-source technologies (e.g. A-Globe agent platform, NfSen NetFlow collector, visualization tools Prefuse and Walrus) together with new components used for network traffic processing and attack detection.

The network traffic is processed with FlowMon probes based on COMBO cards. Dedicated hardware-accelerated probes (FPGA technology) allow network traffic measurement with no packet loss on multi-gigabit backbone links.

Attack detection is performed by a set of detection agents, using a multi-stage collaboration process based on extended trust modeling. The trust modeling stage of the algorithm gathers the anomaly scores assigned by individual anomaly models (embedded into respective agents), combines the anomalies into a single anomaly value per flow and allows each agent to update its trust model with the anomalies of current set of flows. The trust models then return the trustfulness of each flow, which is based on the anomaly of similar flows in the past and is combined to obtain final system output.

Project Results

CAMNEP project results are used by university startup companies INVEA-TECH (MU), AdvaICT (MU) and Cognitive Security (ČVUT).