Electronic Thesis and Dissertation Repository


Master of Engineering Science


Electrical and Computer Engineering


Samarabandu, Jagath

2nd Supervisor

Wang, Xianbin



A network intrusion is any unauthorized activity on a computer network. There are host-based and network-based Intrusion Detection Systems (IDS's), of which there are each signature-based and anomaly-based detection methods. An anomalous network behavior can be defined as an intentional violation of the expected sequence of packets. In a real-time network-based IDS, incoming packets are treated as a stream of data. A stream processor takes any stream of data or events and extracts interesting patterns on the fly. This representation allows applying statistical anomaly detection using sequence prediction algorithms as well as using a stream processor to perform signature-based intrusion detection and sequence extraction from a stream of packets. In this thesis, a Multidimensional Sequence to Multidimensional Sequence (MSeq2MSeq) encoder-decoder model is proposed to predict sequences of packets and an adaptive and functionally auto-scaling stream processor: "Wisdom" is proposed to process streams of packets. The proposed MSeq2MSeq model trained on legitimate traffic is able to detect Neptune Denial of Service (DoS) attacks, and Port Scan probes with 100% detection rate using the DARPA 1999 dataset. A hybrid algorithm using Particle Swarm Optimization (PSO) and Bisection algorithms was developed to optimize Complex Event Processing (CEP) rules in "Wisdom". Adaptive CEP rules optimized by the above algorithm was able to detect FTP Brute Force attack, Slow Header DoS attack, and Port Scan probe with 100% detection rate while processing over 2.5 million events per second. An adaptive and functionally auto-scaling IDS was built using the MSeq2MSeq model and "Wisdom" stream processor to detect and prevent attacks based on anomalies and signature in real-time. The proposed IDS adapts itself to obtain best results without human intervention and utilizes available system resources in functionally auto-scaling deployment. Results show that the proposed IDS detects FTP Brute Force attack, Slow Header DoS attack, HTTP Unbearable Load King (HULK) DoS attack, SQL Injection attack, Web Brute Force attack, Cross-site scripting attack, Ares Botnet attack, and Port Scan probe with a 100% detection rate in a real-time environment simulated from the CICIDS 2017 dataset.