Similar literature
20 similar documents found
1.
A distributed intrusion detection system model based on data mining is constructed. It combines misuse detection with anomaly detection and applies data mining techniques such as association analysis, sequence analysis, classification and clustering to security audit data in order to detect intrusions and unauthorised behaviour coming from the network, providing real-time alerting and automatic response, so as to realise an adaptive, scalable distributed intrusion detection system. Experiments show that the model achieves a high detection rate for known attack patterns and also has some ability to detect unknown attack patterns.

2.
Traditional intrusion detection models that rely on anomalies or signatures have coarse detection granularity, poor precision and high system resource usage. To address these problems, a distributed anomaly-event fusion intrusion detection model is proposed. The model reduces detection granularity through techniques such as event tracking, and uses a distributed multi-node grey relational degree algorithm to fuse the information of anomalous events and to analyse and process them. Simulation experiments show that the model achieves high intrusion detection precision with low system resource consumption.

3.
In view of the new characteristics of network attacks, this paper proposes CTDIDS, a distributed network intrusion detection system model based on the Chi-square test. An anomaly-detection-based intrusion analysis engine is designed and implemented; it analyses network packets and detects system behaviour by comparing Chi-square values. Compared with existing intrusion detection methods, the proposed method adapts better to its environment and supports collaborative analysis of data. Experiments show that the distributed intrusion detection system CTDIDS has higher accuracy and better scalability.

4.
Research on intrusion detection methods based on distributed intelligent agents   Total citations: 1, self-citations: 1, other citations: 1
Building on an analysis of the Common Intrusion Detection Framework and of the implementation strategies of traditional intrusion detection systems, this paper proposes a detection model that fuses misuse detection and anomaly detection: a network intrusion detection model based on distributed intelligent agents. The detection engine and detection algorithms are improved so that the model has higher accuracy and intelligent capabilities such as recognising and predicting potential intrusions.

5.
杨帆, 沈来信. 《福建电脑》 (Fujian Computer), 2007(6):107-108, 104
Based on the characteristics of MANETs, an intrusion detection method for MANETs based on multiple mobile agents is proposed. It can detect host behaviour and network behaviour at the same time, and it uses a distributed algorithm to select a very small number of nodes to collect network data and detect network behaviour, which reduces the system resource and battery consumption of the other nodes.

6.
An improved Snort system model based on data mining   Total citations: 1, self-citations: 0, other citations: 1
To address Snort's inability to deal with new intrusion behaviour, an improved model of the Snort network intrusion detection system based on data mining theory is designed. On top of the Snort intrusion detection system, the model adds a normal-behaviour-pattern mining module, an anomaly detection engine module and a new-rule generation module, giving the system the dual ability to learn new rules from new intrusion behaviour and to learn normal behaviour patterns from normal data. Experimental results show that the new model not only detects new intrusions effectively and lowers Snort's false negative rate, but also improves the detection efficiency of the system.

7.
A mobile ad hoc network is a complex distributed communication system made up of wireless mobile nodes. This paper studies the intrusion detection problem in mobile ad hoc networks, analyses current intrusion behaviour and intrusion detection techniques in ad hoc networks, discusses the advantages of applying learning Petri nets in intrusion detection systems, presents an intrusion detection implementation model based on learning Petri nets, and evaluates it in the network simulator ns2.

8.
卢强, 游荣义, 叶晓红. 《计算机科学》 (Computer Science), 2018, 45(7):154-157, 189
In deep wireless sensor combined networks, intrusions at neighbouring routing nodes have rapidly changing payloads, which makes newly emerging attack types and anomalous network behaviour hard to identify effectively. A neighbour intrusion detection algorithm based on adaptive convolution filtering is therefore proposed. Network traffic is collected on the transmission channel of the deep wireless sensor combined network and a network intrusion signal model is built; feature information such as the energy density and attack intensity of the intrusion signal is analysed in time and frequency; an adaptive convolution filter is constructed for blind source filtering of the transmitted information and extraction of anomalous features; joint time-frequency analysis is used to estimate the spectral parameters of the neighbour intrusion feature information; and neighbour intrusion detection is performed according to the anomalous distribution of the spectral features. Simulation results show that the method achieves high detection accuracy, has good recognition and generalisation ability on unknown traffic sample sequences, and outperforms the traditional HHT detection algorithm and the energy-management detection method.

9.
To address the communication network security problem of train control systems, a data-mining-based information security detection scheme is proposed. Taking data streams as the object of study, and exploiting the fact that anomalous data make up only a small proportion of the data in rail transit information systems, a one-class support vector machine model is proposed; a hyperplane is used to separate normal data from intrusion data, achieving effective detection of network intrusions. Simulation results show that the detection model performs strongly under different traffic volumes.

10.
Intrusion detection is a research hotspot in network security, and protocol anomaly detection is a particularly difficult problem within it. A new protocol anomaly detection model based on hidden Markov models (HMM) is proposed. The method quantises the flag bits of packets, and the resulting numeric sequence is used as the HMM input to model the normal behaviour of the network. The model can distinguish attacks from normal network data. Training and testing use the DARPA 1999 dataset; the experimental results verify the accuracy of the model, and compared with the existing Markov chain based detection method, the proposed method achieves a higher detection rate.
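
The flag-quantisation idea in the abstract above, as an added example that is not the paper's code: each packet's TCP flag set is packed into one of 64 symbols, a small discrete HMM is trained by Baum-Welch on normal flows only, and a flow is flagged when its per-packet log-likelihood falls below the worst training score minus a margin. The bit order, the three-state model, the smoothing floor, the margin and the sample flows are all assumptions of this example (the flows are constructed here, not DARPA 1999 data).

```python
import math
import random

# Flag bits packed into one symbol per packet. The bit order is an assumption of this
# example; the abstract does not say how the paper encoded the flags.
FLAG_BITS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")
N_SYMBOLS = 1 << len(FLAG_BITS)


def quantize(flags):
    """Map a packet's set of TCP flag names to one symbol in 0..63."""
    return sum(1 << i for i, name in enumerate(FLAG_BITS) if name in flags)


def _norm(v):
    s = sum(v)
    return [x / s for x in v]


class FlagHMM:
    """Discrete HMM over flag symbols: Baum-Welch training, scaled forward scoring."""

    def __init__(self, n_states=3, seed=1):
        rng = random.Random(seed)
        self.N, self.M = n_states, N_SYMBOLS
        rand_row = lambda k: _norm([rng.uniform(0.5, 1.5) for _ in range(k)])
        self.pi = rand_row(self.N)
        self.A = [rand_row(self.N) for _ in range(self.N)]  # A[i][j] = P(next state j | i)
        self.B = [rand_row(self.M) for _ in range(self.N)]  # B[i][k] = P(symbol k | state i)

    def _forward(self, obs):
        """Scaled forward pass: alpha[t] is normalised, scale[t] = P(o_t | o_0..o_t-1)."""
        alpha, scale = [], []
        for t, o in enumerate(obs):
            if t == 0:
                a = [self.pi[i] * self.B[i][o] for i in range(self.N)]
            else:
                a = [sum(alpha[-1][j] * self.A[j][i] for j in range(self.N)) * self.B[i][o]
                     for i in range(self.N)]
            s = sum(a)
            alpha.append([x / s for x in a])
            scale.append(s)
        return alpha, scale

    def _backward(self, obs, scale):
        """Backward pass scaled by the forward factors; only ratios are used downstream."""
        beta = [[1.0] * self.N for _ in obs]
        for t in range(len(obs) - 2, -1, -1):
            beta[t] = [sum(self.A[i][j] * self.B[j][obs[t + 1]] * beta[t + 1][j]
                           for j in range(self.N)) / scale[t + 1] for i in range(self.N)]
        return beta

    def log_likelihood(self, obs):
        return sum(math.log(s) for s in self._forward(obs)[1])

    def fit(self, sequences, iters=25, floor=1e-6):
        """Baum-Welch; `floor` leaves unseen symbols and transitions a tiny non-zero mass."""
        for _ in range(iters):
            pi_acc = [0.0] * self.N
            A_acc = [[floor] * self.N for _ in range(self.N)]
            B_acc = [[floor] * self.M for _ in range(self.N)]
            for obs in sequences:
                alpha, scale = self._forward(obs)
                beta = self._backward(obs, scale)
                for t, o in enumerate(obs):
                    gamma = _norm([alpha[t][i] * beta[t][i] for i in range(self.N)])
                    for i in range(self.N):
                        B_acc[i][o] += gamma[i]
                        pi_acc[i] += gamma[i] if t == 0 else 0.0
                    if t + 1 < len(obs):
                        xi = [[alpha[t][i] * self.A[i][j] * self.B[j][obs[t + 1]] * beta[t + 1][j]
                               for j in range(self.N)] for i in range(self.N)]
                        z = sum(map(sum, xi))
                        for i in range(self.N):
                            for j in range(self.N):
                                A_acc[i][j] += xi[i][j] / z
            self.pi = _norm(pi_acc)
            self.A = [_norm(row) for row in A_acc]
            self.B = [_norm(row) for row in B_acc]
        return self


def flow_score(model, packets):
    """Per-packet log-likelihood of a flow, so long and short flows are comparable."""
    obs = [quantize(p) for p in packets]
    return model.log_likelihood(obs) / len(obs)


def train_detector(normal_flows, margin=2.0):
    """Fit on normal flows only; the threshold is the worst training score minus a margin."""
    model = FlagHMM().fit([[quantize(p) for p in f] for f in normal_flows])
    return model, min(flow_score(model, f) for f in normal_flows) - margin


def is_attack(model, threshold, packets):
    return flow_score(model, packets) < threshold


# Constructed sample flows (not DARPA 1999 data): one flag set per packet.
NORMAL_FLOW = [{"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"PSH", "ACK"}, {"ACK"},
               {"FIN", "ACK"}, {"ACK"}, {"FIN", "ACK"}, {"ACK"}]
RESET_FLOW = [{"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"RST", "ACK"}]
XMAS_SCAN = [{"FIN", "PSH", "URG"}] * 6   # combination never seen in normal traffic
NULL_SCAN = [set()] * 6


def demo():
    model, thr = train_detector([NORMAL_FLOW] * 5 + [RESET_FLOW] * 2)
    return {name: (round(flow_score(model, f), 2), is_attack(model, thr, f))
            for name, f in [("normal", NORMAL_FLOW), ("reset", RESET_FLOW),
                            ("xmas", XMAS_SCAN), ("null", NULL_SCAN)]}
```

Symbols that never occur in training (the Xmas and null scans here) receive only the smoothing mass and score far below any normal flow. A SYN flood built from a legitimate flag combination would have to be caught through the transition structure instead, which is where the margin, the number of states and the training data quality start to matter.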

11.
The ever-growing Internet makes information widely available. However, it also provides a suitable space for malicious activities, so security is crucial in this virtual environment. The network intrusion detection system (NIDS) is a popular tool to counter attacks against computer networks. This valuable tool can be realized using machine learning methods and intrusion datasets. Traditional datasets are usually packet-based, in which all network packets are analyzed for intrusion detection in a time-consuming process. On the other hand, the recent spread of 1–10 Gbps technologies has clearly pointed out that scalability is a growing problem. Flow-based solutions can help to solve the problem by reducing data and processing time, opening the way to high-speed detection on large infrastructures. Besides, a NIDS should be capable of detecting new malicious activities. Artificial neural network-based NIDSs can detect unseen attacks, so a multi-layer perceptron (MLP) neural classifier is used in this study to distinguish benign and malicious traffic in a flow-based NIDS. A modified gravitational search algorithm (MGSA), a modern heuristic technique, is employed to optimize the interconnection weights of the neural anomaly detector. The proposed scheme is trained using an enhanced version of the first labeled flow-based dataset for intrusion detection, introduced in 2009. In addition, the particle swarm optimization (PSO) algorithm and the traditional error back-propagation (EBP) algorithm are employed to train the MLP, so that a performance comparison becomes possible. The experimental results based on actual network data show that the MGSA-optimized neural anomaly detector is effective for monitoring abnormal traffic flows in a gigabyte traffic environment, and its accuracy is about 97.8 %.

12.
A machine-learning-based intrusion detection method for mobile ad hoc networks   Total citations: 1, self-citations: 0, other citations: 1
杨德明, 潘进, 赵爽. 《计算机应用》 (Journal of Computer Applications), 2005, 25(11):2557-2558
A mobile ad hoc network is a complex distributed communication system made up of wireless mobile nodes. This paper studies the intrusion detection problem in mobile ad hoc networks and adopts a new anomaly-based intrusion detection method built on a machine learning algorithm. The method captures the pattern of relationships among the internal features of normal events and uses that pattern as a profile for detecting anomalous events. The method was implemented on the Ad hoc On-demand Distance Vector protocol and evaluated in the network simulator QualNet.

13.
Wireless sensor networks are vulnerable to a variety of insider attacks, and an intrusion detection system has to spend a large amount of energy on attack detection to keep the network secure. For the WSN intrusion detection problem, an attack-defence game model between malicious nodes (MN) and cluster head nodes (CHN) is built, and a reinforcement-learning-based cluster-head intrusion detection algorithm is proposed: the weighted policy learner with approximate policy prediction (WPL-APP). Experiments show that when cluster head nodes use this algorithm to detect and defend against malicious nodes dynamically, both sides of the game quickly reach an evolutionary equilibrium, which avoids heavy detection energy consumption and fluctuations in the network's security performance.

14.
Data transmission in wireless mobile ad hoc networks depends on cooperative forwarding by intermediate nodes, but selfish internal nodes that want to save bandwidth and battery, or attacks on the network by malicious nodes, cause packet dropping and severely degrade network performance. Based on AODV, a routing protocol commonly used in wireless ad hoc networks, a new detection model for internal packet-dropping attacks is proposed. The model introduces the concept of a side channel: side-channel nodes and a watchdog jointly monitor and record each node's packet-forwarding behaviour, the detection results are stored in a neighbour information table, and a node is isolated from the network once its recorded value reaches a certain lower bound. Because the side channel can send alert packets, the model can detect internal packet-dropping attacks caused by selfish nodes as well as by colluding attacker nodes.

15.
Mobile Ad-hoc NETworks (MANET) are infrastructureless networks where self-configuring mobile nodes are connected by wireless links. Because of their decentralized operation, these nodes rely on each other to store and forward packets. Video transmission over MANETs is more challenging than over conventional wireless networks due to rapid topology changes and the lack of central administration. Most of the proposed MANET protocols assume that all nodes are working within a cooperative and friendly network context. However, misbehaving nodes that exhibit abnormal behaviors can disrupt network operation and affect network availability by refusing to cooperate in routing packets, owing to their selfish or malicious behavior. In this paper, we examine the effect of packet dropping attacks on video transmission over MANETs. We also study the effect of mitigation using intrusion detection systems in MANETs in the presence of video traffic. To the best of our knowledge, this is the first attempt to study multimedia over such environments. We propose a novel intrusion detection system, an adaptive acknowledgment scheme (AACK), with the ability to detect misbehaving nodes and avoid them in other transmissions. The aim of the AACK scheme is to overcome watchdog weaknesses due to collisions and limited transmission power and also to improve on the TWOACK scheme. To demonstrate the performance of our proposed scheme, simulation experiments are performed. The results of our experiments show that MPEG4 is more suitable for our simulation environment than H264 video traffic. The simulation results show that the AACK scheme provides better network performance with less overhead than other schemes; they also show that AACK outperforms both TWOACK and watchdog in video transmission applications in the presence of misbehaving nodes.
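
The AACK escalation described above, simulated as an added example (not the authors' scheme or simulator code), with the internal packet-dropping attack of entry 14 as the threat: the source stays in end-to-end ACK mode until a delivery fails, switches to TWOACK so that every node two hops downstream acknowledges back, blames the first link whose TWOACK never arrives, and routes around it afterwards. The node names, the route selection rule, the timeout being modelled as a simple boolean, and the assumption that a dropper may still send TWOACKs are all choices of this example.

```python
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    drops_data: bool = False   # misbehaving: swallows data packets instead of forwarding
    sends_twoack: bool = True  # a dropper may still acknowledge to look cooperative


def last_receiver(route):
    """Index of the last node the data packet reaches along route[0..n-1]."""
    for i, node in enumerate(route[1:-1], start=1):
        if node.drops_data:
            return i
    return len(route) - 1


def end_to_end_ack(route):
    """ACK mode: only the destination acknowledges, so the source learns that a
    loss happened but nothing about where."""
    return last_receiver(route) == len(route) - 1


def twoack_probe(route):
    """TWOACK mode: node i+2 acknowledges back to node i. The first missing TWOACK
    flags the link (i+1, i+2); either endpoint may be the culprit."""
    reached = last_receiver(route)
    for i in range(len(route) - 2):
        receiver = route[i + 2]
        if not (i + 2 <= reached and receiver.sends_twoack):
            return (route[i + 1].name, receiver.name)
    return None


class AACKSource:
    """Adaptive ACK: cheap end-to-end ACK mode until a delivery fails, TWOACK to
    locate the misbehaving link, then back to ACK mode once a clean route works."""

    def __init__(self):
        self.mode = "ACK"
        self.misbehaving_links = set()

    def choose_route(self, routes):
        """Skip any route that contains a link already flagged as misbehaving."""
        for route in routes:
            links = {(a.name, b.name) for a, b in zip(route, route[1:])}
            if not links & self.misbehaving_links:
                return route
        return None

    def send(self, route):
        if self.mode == "ACK":
            if end_to_end_ack(route):
                return "delivered"
            self.mode = "TWOACK"                      # escalate: find out where it failed
        link = twoack_probe(route)
        if link is None:
            self.mode = "ACK"                         # route is clean, drop the overhead
            return "delivered"
        self.misbehaving_links.add(link)
        return f"misbehaving link {link[0]}->{link[1]}"


def scenario():
    """Constructed topology: N2 drops data on the primary route; N4/N5 is an alternate path.
    Returns the per-transmission log (mode before sending, route, outcome) and the source."""
    s, d = Node("S"), Node("D")
    primary = [s, Node("N1"), Node("N2", drops_data=True), Node("N3"), d]
    backup = [s, Node("N4"), Node("N5"), d]
    src, log = AACKSource(), []
    for _ in range(3):
        route = src.choose_route([primary, backup])
        log.append((src.mode, [n.name for n in route], src.send(route)))
    return log, src
```

The probe blames a link, not a node: when N2 drops data but still acknowledges, the flagged pair is (N2, N3) and the innocent N3 is avoided together with it; when N2 also stays silent, the blame moves to (N1, N2). The simulation does not model the collisions and limited transmission power the abstract cites as watchdog weaknesses; it only tracks which acknowledgments arrive.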

16.
Distributed and coordinated attacks in computer networks have been causing considerable economic losses worldwide in recent years. This is mainly due to the transition of attackers' operational patterns towards more sophisticated and more global behavior. This fact makes current intrusion detection systems more likely to generate false alarms. In this context, this paper describes the design of a collaborative intrusion detection network (CIDN) that is capable of building and sharing collective knowledge about isolated alarms in order to detect distributed attacks efficiently and accurately. It has also been strengthened with a reputation mechanism aimed at improving detection coverage by dropping false or bogus alarms that arise from malicious or misbehaving nodes. This model enables a CIDN to detect malicious behaviors according to the trustworthiness of the alarm issuers, calculated from their previous interactions with the system. Experimental results finally demonstrate how entities are gradually isolated as their behavior worsens over time.
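
The reputation mechanism described above, as an added example that is not the paper's model: alarms from several sensors are correlated per (target, signature), an event is confirmed when the summed trust of its issuers passes a threshold, issuers whose alarms are corroborated by another node gain trust while uncorroborated ones lose it, and a node whose trust drops below a cutoff has all of its later alarms dropped. The integer trust scale, the reward and penalty values, the thresholds, the node names and the alarm rounds are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    issuer: str      # node that raised the alarm
    target: str      # attacked host
    signature: str   # what was observed, e.g. "port-scan"


class ReputationCIDN:
    """Collects isolated alarms, confirms events by trust-weighted vote, and updates
    each issuer's trust from whether its past alarms were corroborated."""

    def __init__(self, initial=50, reward=10, penalty=15, isolate_below=20, confirm_weight=100):
        self.trust = defaultdict(lambda: initial)   # integer scores avoid float drift
        self.reward, self.penalty = reward, penalty
        self.isolate_below, self.confirm_weight = isolate_below, confirm_weight
        self.isolated = set()

    def correlate(self, alarms):
        """One round: returns the set of (target, signature) events that are confirmed."""
        by_event = defaultdict(set)
        for a in alarms:
            if a.issuer not in self.isolated:        # alarms from isolated nodes are dropped
                by_event[(a.target, a.signature)].add(a.issuer)
        confirmed = set()
        for event, issuers in by_event.items():
            if sum(self.trust[i] for i in issuers) >= self.confirm_weight:
                confirmed.add(event)
            corroborated = len(issuers) >= 2        # someone else saw the same thing
            for i in issuers:
                if corroborated:
                    self.trust[i] = min(100, self.trust[i] + self.reward)
                else:
                    self.trust[i] = max(0, self.trust[i] - self.penalty)
                if self.trust[i] < self.isolate_below:
                    self.isolated.add(i)
        return confirmed


# Constructed rounds: A, B and C each see one slice of a distributed scan against
# 203.0.113.7; M keeps reporting a DoS on 198.51.100.9 that nobody else observes.
ROUND = [
    Alarm("A", "203.0.113.7", "port-scan"),
    Alarm("B", "203.0.113.7", "port-scan"),
    Alarm("C", "203.0.113.7", "port-scan"),
    Alarm("M", "198.51.100.9", "dos"),
]


def run_rounds(net, rounds):
    """Feed the same alarm set `rounds` times; returns the confirmed events of each round."""
    return [net.correlate(ROUND) for _ in range(rounds)]


if __name__ == "__main__":
    net = ReputationCIDN()
    for r, confirmed in enumerate(run_rounds(net, 4), start=1):
        print(f"round {r}: confirmed={sorted(confirmed)} "
              f"trust={dict(net.trust)} isolated={sorted(net.isolated)}")
```

Two limits of this simple rule are worth noting. An honest node that is the only one positioned to see an attack is penalised along with the bogus reporter, and a malicious node can keep its score up by echoing the honest alarms while mixing in its own. A deployment would tie the penalty to alarms later shown to be false rather than to any alarm that happens to lack a second witness.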

17.
In a mobile ad hoc network (MANET), issues such as limited bandwidth availability and dynamic connectivity make the process of intrusion detection more complex. The nodes that monitor the malicious nodes should have the necessary residual bandwidth and energy and should be trustable. In order to overcome these drawbacks, in this paper we propose a swarm-based efficient distributed intrusion detection system for MANETs. In this technique, swarm agents are utilised to select the nodes with the highest trust value, residual bandwidth and residual energy as active nodes. Each active node monitors its neighbour nodes within its transmission range and collects the trust value from all monitored nodes. The active nodes change adaptively according to the trust thresholds. Upon collaborative exchange of the trust values of the monitored nodes among the active nodes, if an active node finds any node below a minimum trust threshold, that node is marked as malicious. When the source receives an alert message about the malicious node, a defence technique is deployed to filter the corresponding malicious node out of the network. By simulation results, we show that the proposed approach is an efficient intrusion detection mechanism for MANETs.

18.
A mobile ad hoc network is a special wireless mobile communication network with autonomous, multi-hop characteristics, widely used in special settings such as battlefields and disaster relief, and these same characteristics make it vulnerable to various attacks. This paper presents the security problems facing mobile ad hoc networks and explains why intrusion detection techniques need to be introduced. After surveying intrusion detection techniques and the research already carried out on them for mobile ad hoc networks, the paper proposes RBDT, a detection technique for routing behaviour that combines signature-based detection with anomaly-based detection. Based on the AODV protocol, the paper analyses the implementation details of RBDT in detail. Applying the technique will effectively improve the efficiency and accuracy of routing behaviour detection.

19.
Vehicle cloud is a new idea that uses the benefits of wireless sensor networks (WSNs) and the concept of cloud computing to provide better services to the community. It is important to secure the sensor network to achieve better performance of the vehicle cloud. Wireless sensor networks in their present configuration are a soft target for intruders or adversaries to launch lethal attacks. In this paper, a novel intrusion detection framework is proposed for securing wireless sensor networks from routing attacks. The proposed system works in a distributed environment to detect intrusions by collaborating with the neighboring nodes. It works in two modes: online prevention safeguards against those abnormal nodes that have already been declared malicious, while offline detection finds those nodes that are being compromised by an adversary during the next epoch of time. Simulation results show that the proposed specification-based detection scheme performs extremely well and achieves a high intrusion detection rate and a low false positive rate.

20.
Mobile Ad Hoc networks are a new type of wireless mobile communication network with wide military and civilian applications. Because of their dynamic topology and wireless communication, they are vulnerable to a variety of security threats. Intrusion detection is one of the most important techniques for solving the security problems of mobile Ad Hoc networks. Based on an analysis of current intrusion detection system architectures, this paper presents a mobile-agent-based intrusion detection system model for mobile Ad Hoc networks. The system uses misuse detection and anomaly detection together and achieves high detection efficiency with a low false alarm rate.


Copyright © 北京勤云科技发展有限公司 (Beijing Qinyun Technology Development Co., Ltd.)  京ICP备09084417号