Our objective in this work has been to develop a proactive intrusion detection and recovery system. In order to achieve pro-activity, we focused on improving detection effectiveness in terms of performance and accuracy. We believe that early detection is the key for quick reaction.


The growth of Internet activities has led to a dramatic increase in the number of network and computer system attacks. Tools to “sniff” passwords off the network are publicly available, and commonly used by hackers and thieves.

Many of the protocols used in the Internet are inherently flawed and, thereby, do not provide any security whatsoever. In contrast to the early 80s where most of the attacks originated from few people and were motivated only by intellectual challenges, todays attacks are predominantly driven by financial, military, and political goals, and are conducted by an increasingly large number of perpetrators. It is therefore essential to strengthen the security defense of networked systems.

Building a completely secure system is unfeasible, and even if that were possible, the system would be unusable. It has been shown that the level of practicality decreases as that of access control increases. However, even if it is impossible to stop the attacks, it is possible to monitor and detect them, in order to take appropriate measures that would prevent or avoid the consequences.


In order to improve detection accuracy, we investigated two different categories of detectors, host-based and network-based, specialized on a wide range of threats. The following types of detectors were developed:

  • At the host level, we proposed an innovative approach to intrusion detection based on behavioral biometrics such as mouse dynamics biometrics and keystroke dynamics biometrics, which is particularly effective against masquerade attack. We also developed a metrics suite derived from queuing theory for detecting and protecting a computer host against DoS attacks.
  • At the network level, we developed a metrics suite called IP Weight metrics to capture the level of normalcy/anomalousness of network traffic, along with a new clustering algorithm, named I-means, which addresses the deficiencies of the K-means clustering algorithm. By extracting IP Weights from network traffic and applying the I-means allow us to detect various network intrusions with excellent detection effectiveness and efficiency.


  • Dr Issa Traore, Coordinator
  • Ms. Suraiya Khan, Investigator
  • Dr. Ahmed Awad E Ahmed, Investigator
  • Dr. Ahmad Almulhem, Investigator
  • Dr. Wei Lu, Investigator
  • Mr. Akif Nazar, Investigator