基于IPv6入侵检测的IP分片重组研究

IP分片重组是入侵检测系统应具备的重要功能之一。在提出IPv6环境下入侵检测模型的基础上,利用Linux和Snort构建了IPv6入侵检测系统平台,在该平台下对IPv6分片及其重组机制进行了深入地分析,并初步实现了IPv6分片的重组。     

海底管道检测机器人智能控制器的研制

设计了以嵌入式PC104工控机为核心的海底管道检测机器人智能控制器,以嵌入式Linux操作系统作为该智能控制器的软件运行平台,根据控制任务的实时性和计算量的不同,开发的控制程序分别运行于系统实时内核和原Linux内核,满足了控制系统具有实时性、多任务并行处理等要求。详细介绍了管道检测机器人CAN通信应用层协议的定制规则,通过把报文的内容类别信息和节点信息纳入数据帧标识符来规定报文优先级,保证在多个数据帧同时竞争总线时,优先传送紧急程度高的报文。采用RS232-CAN协议转换器构建了具有检验智能控制器功能的试验平台,方便了控制程序的设计与验证。在实验室模拟油气管道台架上和工程现场的应用结果表明,该智能控制器实现了各种工况下的控制决策等功能,达到了设计要求,所设计的通信协议满足系统通讯要求。     

数字图书馆网络入侵检测策略研究

计算机网络技术的迅速发展使得图书馆网络、用户认证系统、网络管理系统、Internet接入系统等成为一个整体,真正实现了图书馆资源的数字化,方便读者用户随时随地访问图书资源。综合型的网络是数字化图书馆网络发展的必然,但随着其应用的深入,图书馆网络的安全问题不断暴露出来,直接影响着网络的正常运行、技术人员的维护工作和读者用户的即时资源访问。因此,怎样保障网络安全并使之能够正常运行成为一个无法避免的问题。本文以构建图书馆网络安全体系为出发点,提出一种全新的入侵检测策略,用于图书馆网络的入侵检测。入侵检测(Intrusion Detection,ID)是一种主动的网络安全防护措施,是网络安全防护体系的重要组成部分,它从系统内部和各种网络资源中主动采集信息,从中分析可能的网络入侵或攻击。本文中提出的入侵检测策略基于无线局域网的数据链路层,采用协议分析技术和伪装设备辨识技术,通过对传输在数据链路层信息关键字段的检测与统计,实现接入设备的身份检测与行为统计。模拟实验结果显示,该策略能有效地检测网络恶意入侵,同时不会降低网络的性能。     

利用SNMP代理实现基于状态机的入侵检测

在分析现有入侵检测方法及其缺陷的基础上，提出了一种基于状态机的入侵检测的SNMP代理方案。该方案利用基于有限状态自动机的协议轨迹规范语言PISL描述入侵和攻击特征，利用Script MIB实现代理的配置，利用扩展的RMON2 MIB存储入侵检测的统计信息。最后通过试验表明，这个方案规范了攻击特征的精确描述，有效的减少了误报，实现了入侵检测系统和网络管理系统的有机结合。     

矿井应急移动通讯系统应用与研究

矿井应急通讯系统是专门根据煤矿井下环境和巷道电磁波的传输特性设计研制的矿用无线通讯系统，本系统利用公众通信PHs系统技术，采用数字移动通信技术，使用TDMA／TDD作为无线电通讯接口，以32K的ADPCM作为声音传送编码，按照“煤安标办”标准进行设计，实现了有线、无线一体化调度。该系统为地面和井下之间的及时信息传递提供了稳定可靠的解决方案，是地面与井下真正成为一个整体通讯系统，极大的改善了井下的通讯环境，为煤矿安全生产提供了有力的通讯保障，实现了生产指挥调度、抢险救灾、安全救护、安全检测、移动数据传输等功能，弥补了固定通讯的不足。     

一种基于概率统计的网络异常检测方法

目前的入侵检测系统（IDS）采用的分析技术主要为两种,误用检测（Misuse Detection）与异常检测（Anomaly Detection）[1-2]。误用检测的不足是无法检测未知的异常行为或恶意代码。异常入侵检测不需要事先知道入侵行为的特征,其假设当用户系统被攻击或者入侵时,会表现出不同往常的行为特点,作为检测依据。检测效率高,不依赖先验知识库,能够检测未知异常。本文提出了一种通过统计分析IP、端口、流量、周期、时间等因子来判定网络行为异常的检测方法。通过算法优化和实验验证,该方法针对常见的DDOS攻击、蠕虫扫描、木马窃密等网络行为都有较高的检测准确度。     

H.323和SIP协议的安全防范浅析

阐述VoIP通讯所面临的安全威胁及H.323和SIP协议各自具有的安全机制。提出不同的企业用户只要为VoIP系统采用恰当的安全认证和加密机制,该系统是可以满足企业的网络通讯安全需求。     

基于北斗的短报文离线语音技术

随着北斗卫星导航系统在军用以及民用方面的大力推行,Android市场上出现了许多分体式或者一体式的北斗通讯终端,本文分析现有用户终端输入输出方式的不足与缺陷,提出一种离线语音技术,能够在基于Android系统开发的北斗短报文通讯APP软件中,利用"讯飞语音+"实现北斗短报文信息的离线语音识别输入与离线语音合成功能。     

基于数据挖掘的入侵检测技术

入侵检测技术是通过对计算机网络和主机系统中的关键信息进行实时采集和分析,从而判断出非法用户入侵和合法用户滥用资源的行为,并做出适当反应的网络安全技术,是继数据加密、防火墙等措施之后的又一种安全措施,随着计算机网络技术的不断发展,需要分析的数据急剧膨胀,如何提高检测的效率成为当务之急,而数据挖掘正是解决此问题的一剂良药,首先介绍入侵检测和数据挖掘的相关概念,接着分析采用数据挖掘技术的入侵检测系统的优势和缺点,最后提出一些改进的方向。     

基于中间件规范的容侵应用服务器研究与实现

针对现有的容忍入侵应用系统的构建需要针对不同的业务类型进行不同的个性化设计和开发以及系统或部件的可重用性较差的问题,在研究基于规范的容忍入侵中间件方法的基础上,提出了一种基于拦截器的容侵中间件模型,从逻辑上将系统分为容忍入侵服务提供者和容忍入侵服务管理者,可在满足既有规范情况下实现用户应用的业务逻辑与容忍入侵特性所依赖的非功能性服务的分离。对涉及的容忍入侵框架、容忍入侵策略组件、安全群组通信管理器、安全群组通信系统等进行了详细设计,在一个开源的J2EE应用服务器JBoss中实现了对容忍入侵功能的支持,可利用Java类加载机制完成容忍入侵服务的动态加载。     

A New Database Intrusion Detection Approach Based on Hybrid Meta-Heuristics

A new secured database management system architecture using intrusion detection systems (IDS) is proposed in this paper for organizations with no previous role mapping for users. A simple representation of Structured Query Language queries is proposed to easily permit the use of the worked clustering algorithm. A new clustering algorithm that uses a tube search with adaptive memory is applied to database log files to create users’ profiles. Then, queries issued for each user are checked against the related user profile using a classifier to determine whether or not each query is malicious. The IDS will stop query execution or report the threat to the responsible person if the query is malicious. A simple classifier based on the Euclidean distance is used and the issued query is transformed to the proposed simple representation using a classifier, where the Euclidean distance between the centers and the profile’s issued query is calculated. A synthetic data set is used for our experimental evaluations. Normal user access behavior in relation to the database is modelled using the data set. The false negative (FN) and false positive (FP) rates are used to compare our proposed algorithm with other methods. The experimental results indicate that our proposed method results in very small FN and FP rates.     

Adaptive RS codes for message delivery over an encrypted mobile network

The authors present a hybrid automatic repeat request technique using adaptive Reed-Solomon (RS) codes with packet erasure. This technique suits the transport layer in tactical mobile wireless networks with type I encryption, where encryption erasures the entire Internet protocol packet. The novelty of the presented technique is the multifaceted optimisation of Reed-Solomon codes at the transport layer for delivery assurance, speed of service (SoS) and network throughput. With this technique, the transport layer in tactical networks can meet the stringent requirements of quality of service imposed by the tactical network user, even under adverse conditions. These requirements define a high level of reliability (delivery assurance), a specific SoS and optimum use of the limited bandwidth (BW) of the wireless network, where the probability of packet erasure can be very high. The provided probabilistic analysis shows that focusing on network throughput alone will result in violating SoS and delivery assurance requirements. On the other hand, focusing on SoS and delivery assurance requirements can result in poor network throughput. The multifaceted optimisation technique, which utilises hybrid ARQ for message delivery, is described using a homogeneous Markov chain.     

Deep Semisupervised Learning-Based Network Anomaly Detection in Heterogeneous Information Systems

The extensive proliferation of modern information services and ubiquitous digitization of society have raised cybersecurity challenges to new levels. With the massive number of connected devices, opportunities for potential network attacks are nearly unlimited. An additional problem is that many low-cost devices are not equipped with effective security protection so that they are easily hacked and applied within a network of bots (botnet) to perform distributed denial of service (DDoS) attacks. In this paper, we propose a novel intrusion detection system (IDS) based on deep learning that aims to identify suspicious behavior in modern heterogeneous information systems. The proposed approach is based on a deep recurrent autoencoder that learns time series of normal network behavior and detects notable network anomalies. An additional feature of the proposed IDS is that it is trained with an optimized dataset, where the number of features is reduced by 94% without classification accuracy loss. Thus, the proposed IDS remains stable in response to slight system perturbations, which do not represent network anomalies. The proposed approach is evaluated under different simulation scenarios and provides a 99% detection accuracy over known datasets while reducing the training time by an order of magnitude.     

SBOOSP for Massive Devices in 5G WSNs Using Conformable Chaotic Maps

The commercialization of the fifth-generation (5G) wireless network has begun. Massive devices are being integrated into 5G-enabled wireless sensor networks (5G WSNs) to deliver a variety of valuable services to network users. However, there are rising fears that 5G WSNs will expose sensitive user data to new security vulnerabilities. For secure end-to-end communication, key agreement and user authentication have been proposed. However, when billions of massive devices are networked to collect and analyze complex user data, more stringent security approaches are required. Data integrity, non-repudiation, and authentication necessitate special-purpose subtree-based signature mechanisms that are pretty difficult to create in practice. To address this issue, this work provides an efficient, provably secure, lightweight subtree-based online/offline signature procedure (SBOOSP) and its aggregation (Agg-SBOOSP) for massive devices in 5G WSNs using conformable chaotic maps. The SBOOSP enables multi-time offline storage access while reducing processing time. As a result, the signer can utilize the pre-stored offline information in polynomial time. This feature distinguishes our presented SBOOSP from previous online/offline-signing procedures that only allow for one signature. Furthermore, the new procedure supports a secret key during the pre-registration process, but no secret key is necessary during the offline stage. The suggested SBOOSP is secure in the logic of unforgeability on the chosen message attack in the random oracle. Additionally, SBOOSP and Agg-SBOOSP had the lowest computing costs compared to other contending schemes. Overall, the suggested SBOOSP outperforms several preliminary security schemes in terms of performance and computational overhead.     

A Hybrid Model Using Bio-Inspired Metaheuristic Algorithms for Network Intrusion Detection System

Network Intrusion Detection System (IDS) aims to maintain computer network security by detecting several forms of attacks and unauthorized uses of applications which often can not be detected by firewalls. The features selection approach plays an important role in constructing effective network IDS. Various bio-inspired metaheuristic algorithms used to reduce features to classify network traffic as abnormal or normal traffic within a shorter duration and showing more accuracy. Therefore, this paper aims to propose a hybrid model for network IDS based on hybridization bio-inspired metaheuristic algorithms to detect the generic attack. The proposed model has two objectives; The first one is to reduce the number of selected features for Network IDS. This objective was met through the hybridization of bio-inspired metaheuristic algorithms with each other in a hybrid model. The algorithms used in this paper are particle swarm optimization (PSO), multi-verse optimizer (MVO), grey wolf optimizer (GWO), moth-flame optimization (MFO), whale optimization algorithm (WOA), firefly algorithm (FFA), and bat algorithm (BAT). The second objective is to detect the generic attack using machine learning classifiers. This objective was met through employing the support vector machine (SVM), C4.5 (J48) decision tree, and random forest (RF) classifiers. UNSW-NB15 dataset used for assessing the effectiveness of the proposed hybrid model. UNSW-NB15 dataset has nine attacks type. The generic attack is the highest among them. Therefore, the proposed model aims to identify generic attacks. My data showed that J48 is the best classifier compared to SVM and RF for the time needed to build the model. In terms of features reduction for the classification, my data show that the MFO-WOA and FFA-GWO models reduce the features to 15 features with close accuracy, sensitivity and F-measure of all features, whereas MVO-BAT model reduces features to 24 features with the same accuracy, sensitivity and F-measure of all features for all classifiers.     

Fuzzy Based Latent Dirichlet Allocation for Intrusion Detection in Cloud Using ML

The growth of cloud in modern technology is drastic by provisioning services to various industries where data security is considered to be common issue that influences the intrusion detection system (IDS). IDS are considered as an essential factor to fulfill security requirements. Recently, there are diverse Machine Learning (ML) approaches that are used for modeling effectual IDS. Most IDS are based on ML techniques and categorized as supervised and unsupervised. However, IDS with supervised learning is based on labeled data. This is considered as a common drawback and it fails to identify the attack patterns. Similarly, unsupervised learning fails to provide satisfactory outcomes. Therefore, this work concentrates on semi-supervised learning model known as Fuzzy based semi-supervised approach through Latent Dirichlet Allocation (F-LDA) for intrusion detection in cloud system. This helps to resolve the aforementioned challenges. Initially, LDA gives better generalization ability for training the labeled data. Similarly, to handle the unlabelled data, Fuzzy model has been adopted for analyzing the dataset. Here, pre-processing has been carried out to eliminate data redundancy over network dataset. In order to validate the efficiency of F-LDA towards ID, this model is tested under NSL-KDD cup dataset is a common traffic dataset. Simulation is done in MATLAB environment and gives better accuracy while comparing with benchmark standard dataset. The proposed F-LDA gives better accuracy and promising outcomes than the prevailing approaches.     

Probe Attack Detection Using an Improved Intrusion Detection System

The novel Software Defined Networking (SDN) architecture potentially resolves specific challenges arising from rapid internet growth of and the static nature of conventional networks to manage organizational business requirements with distinctive features. Nevertheless, such benefits lead to a more adverse environment entailing network breakdown, systems paralysis, and online banking fraudulence and robbery. As one of the most common and dangerous threats in SDN, probe attack occurs when the attacker scans SDN devices to collect the necessary knowledge on system susceptibilities, which is then manipulated to undermine the entire system. Precision, high performance, and real-time systems prove pivotal in successful goal attainment through feature selection to minimize computation time, optimize prediction performance, and provide a holistic understanding of machine learning data. As the extension of astute machine learning algorithms into an Intrusion Detection System (IDS) through SDN has garnered much scholarly attention within the past decade, this study recommended an effective IDS under the Grey-wolf optimizer (GWO) and Light Gradient Boosting Machine (LightGBM) classifier for probe attack identification. The InSDN dataset was employed to train and test the proposed IDS, which is deemed to be a novel benchmarking dataset in SDN. The proposed IDS assessment demonstrated an optimized performance against that of peer IDSs in probe attack detection within SDN. The results revealed that the proposed IDS outperforms the state-of-the-art IDSs, as it achieved 99.8% accuracy, 99.7% recall, 99.99% precision, and 99.8% F-measure.     

Intrusion Detection System Using FKNN and Improved PSO

Intrusion detection system (IDS) techniques are used in cybersecurity to protect and safeguard sensitive assets. The increasing network security risks can be mitigated by implementing effective IDS methods as a defense mechanism. The proposed research presents an IDS model based on the methodology of the adaptive fuzzy k-nearest neighbor (FKNN) algorithm. Using this method, two parameters, i.e., the neighborhood size (k) and fuzzy strength parameter (m) were characterized by implementing the particle swarm optimization (PSO). In addition to being used for FKNN parametric optimization, PSO is also used for selecting the conditional feature subsets for detection. To proficiently regulate the indigenous and comprehensive search skill of the PSO approach, two control parameters containing the time-varying inertia weight (TVIW) and time-varying acceleration coefficients (TVAC) were applied to the system. In addition, continuous and binary PSO algorithms were both executed on a multi-core platform. The proposed IDS model was compared with other state-of-the-art classifiers. The results of the proposed methodology are superior to the rest of the techniques in terms of the classification accuracy, precision, recall, and f-score. The results showed that the proposed methods gave the highest performance scores compared to the other conventional algorithms in detecting all the attack types in two datasets. Moreover, the proposed method was able to obtain a large number of true positives and negatives, with minimal number of false positives and negatives.     

粒子群算法和时间序列分析在入侵检测系统中的应用

入侵检测系统是一种被动的安全防御方法。它是通过分析各种收集到的数据来发现可能的入侵行为。常用的入侵检测分类方法不仅算法复杂而且效率还偏低。本文提出一种基于粒子群算法和时间序列相结合的半监督入侵检测方法来提高入侵检测的分类效率。实验结果表明,该方法用于入侵检测系统具有较高的检测率。     

Evaluation of Intrusion Detection Systems

This paper presents a comprehensive method for evaluating intrusion detection systems (IDSs). It integrates and extends ROC (receiver operating characteristic) and cost analysis methods to provide an expected cost metric. Results are given for determining the optimal operation of an IDS based on this expected cost metric. Results are given for the operation of a single IDS and for a combination of two IDSs. The method is illustrated for: 1) determining the best operating point for a single and double IDS based on the costs of mistakes and the hostility of the operating environment as represented in the prior probability of intrusion and 2) evaluating single and double IDSs on the basis of expected cost. A method is also described for representing a compound IDS as an equivalent single IDS. Results are presented from the point of view of a system administrator, but they apply equally to designers of IDSs.