一种基于移动Agent的抗攻击性IDS模型

随着入侵检测系统(Inhusion Detection System——IDS)性能的逐步提高，攻击者往往在入侵目标网络之前攻击IDS，使其丧失保护功能。在当前常用的分布式入侵检测系统的基础上，提出了一种能够对抗拒绝服务(Denial of Service——DoS)攻击的IDS模型，并指出了将当前的分布式IDS转换成此模型的配置方法。     

IDS和IPS的比较

1引言 由于现在有了因特网,网络安保已经成了工业企业最关注的话题。入侵检测系统（IDS）用于检测那些不需要对工业自动化控制系统（IACS）访问和操作,特别是通过网络。它是一种专用工具,知道如何分析和解释网络流量和主机活动。IDS的主要目标是对IACS网络检测入侵和入侵企图,让网络管理员采取适当的缓解和补救措施。IDS不会阻止这些攻击,但会让用户知道什么时候发生了攻击。     

一种基于代理的分布式抗攻击的入侵检测体系结构

提出了一种基于代理(Agent)的入侵检测体系结构。该体系克服了当前入侵检测系统(IDS)的部分缺陷，具有分布式检测、响应入侵的能力，并能对单一主机、检测区域和整个网络进行多层次的检测。利用移动代理，整个检测体系可以灵活、动态地配置和方便地扩展。针对IDS日益成为攻击目标的现状，结合现有保护IDS的研究成果，给出了相应的方法，使该体系能有效地抵抗攻击，有更强的生存能力。     

IDS测试中复合攻击测试数据的生成

从近几年的趋势来看,蠕虫以及DDOS等复合攻击将成为今后网络入侵的主要表现形式.入侵检测系统对复合攻击的检测能力逐渐成为入侵检测系统(IDS)能力测试中的一个重要方面.当前的测试方法主要采用搜集实际的攻击工具来进行攻击测试数据的生成.该方法受实际攻击形式的限制,所生成的数据集无法完成对IDS复合攻击检测能力的完备测试,并且不支持攻击的形式化描述与自动生成,使得测试数据集的生成效率很低.为此提出采用人工构造的完备入侵场景库来生成攻击流量,并在攻击流量中混合入噪声流量增加测试的准确性和公平性.基于这些改进,设计了一种针对滥用入侵检测系统评估的复合攻击测试数据生成系统,并应用在实际的IDS评估系统中.     

实时入侵检测系统的优化问题研究

实时入侵检测系统试图检测并响应实时的攻击。当网络中的数据量不大时,普通的IDS系统便可胜任,当网络中出现海量数据(事件)或者遇到过载攻击时,需采用优化处理的方法。文章研究了实时入侵检测系统规则集的选取规则,在此基础上,提出了一种实时入侵检测系统的优化方法,能有效地增强IDS系统在海量数据情况下的入侵检测功能。     

探讨本体工程方法在分布式IDS中的应用

随着网络的大规模应用．变形攻击和协同攻击等复杂攻击方法层出不穷．而传统的单纯基于主机或基于网络的入侵检测系统(IDS)对这种复杂攻击的检测常常是无能为力的。主机的IDS只能监视其所安装了的系统、只能在外部入侵者侵入系统后才能检测到。基于网络的IDS虽然能够对某个网络段进行监视．以及在入侵到达主机前就能检测到．但不能     

无线传感器网络中基于博弈论的入侵检测系统

由于无线链路的开放性,节点生存周期有限,网络拓扑结构动态变化,传统的基于防火墙的安全策略作用有限,使得无线传感器网络（WSNs）存在严重的安全性问题。入侵检测系统IDS（Intrusion Detection System）作为一种主动防御方式,成为了当前研究的热点问题之一。论文针对目前IDS发展现状,采用基于博弈论的分析方法,建立可应对多目标、多攻击源和多攻击强度的IDS模型,使在对攻击的防御成功率和延长网络生存周期上都有所改进。     

9种 IDS 入侵检测系统方法

入侵检测系统,英文简写为IDS,顾名思义,它是用来实时检测攻击行为以及报告攻击的。如果把防火墙比作守卫网络大门的门卫的话,那么入侵检测系统（IDS）就是可以主动寻找罪犯的巡警。因而寻求突破IDS的技术对漏洞扫描、脚本注入、URL攻击等有着非凡的意义,同时也是为了使IDS进一步趋向完善。     

网络安全战略预警系统的攻击检测技术研究

攻击检测系统是网络安全战略预警系统的重要组成部分，它从现有的入侵检测系统（IDS）出发，应用当前的民用技术来发展更先进的入侵检测系统（IDS），又将数据输入从逻辑入侵拓展到物理、心理和情报攻击，这些都是信息战进攻的一部分，本文主要探讨适合大范围协同攻击的检测技术。     

拉紧IPS的两根弦

网络数据处理性能、攻击检测阻断准确性,这是IPS产品当前的突破所在。在网络安全领域,IDS(入侵检测系统)与IPS(入侵防御系统)都是热门的话题。如果说IDS主要是注重全面检测、有效呈现,那么IPS则更专长于深层防     

状态协议分析技术在TCP中的应用

入侵检测系统已经日益成为网络安全系统的重要组成部分,成为网络安全必不可少的的一部分。其核心技术就是针对攻击所采用的检测技术。就目前而言网络攻击以拒绝服务攻击居多,而拒绝服务攻击大多数都与TCP相关,因此,应根据TCP的有关特性设计出相应的检测方法。文中介绍了TCP报文的封装情况、TCP报文段格式规定和TCP连接中的“三次握手”协议。然后在此基础上,从状态协议分析的角度出发,对与TCP相关的“TCP SYN洪水”攻击进行描述,并提出了相应的解决办法。     

Detecting and preventing replay attacks in industrial automation networks operated with profinet IO

Modern industrial facilities consist of controllers, actuators and sensors that are connected via traditional IT equipment. The ongoing integration of these systems into the communication network yields to new threats and attack possibilities. In industrial networks, often distinct communication protocols like Profinet IO (PNIO) are used. These protocols are often not supported by typical network security tools. In this work, we present two attack techniques that allow to take over the control of a PNIO device, enabling an attacker to replay previously recorded traffic. We model attack detection rules and propose an intrusion detection system (IDS) for industrial networks which is capable of detecting those replay attacks by correlating alerts from traditional IT IDS with specific PNIO alarms. As an additional effort, we introduce defense in depth mechanisms in order to prevent those attacks from taking effect in the physical world. Thereafter, we evaluate our IDS in a physical demonstrator and compare it with another IDS dedicated to securing PNIO networks. In a conceptual design, we show how network segmentation with flow control allows for preventing some, but not all of the attacks.     

基于攻击描述语言的IDS基准测试技术研究

从最早利用协议分析仪发送攻击特征,采用黑客工具,到网络攻击数据的录播重放,IDS测试方法和工具随着入侵检测技术和网络攻击的发展而不断发展。论文提出了一种新的基准测试技术,它基于全新设计的网络攻击描述语言,对各种网络攻击进行统一规范的描述形成测试脚本库,然后通过模拟攻击机和牺牲主机的一体化结构,产生各种网络攻击会话,从而达到测试的目的。     

Optimizing the Scalability of Network Intrusion Detection Systems Using Mobile Agents

Modern Intrusion Detection Systems (IDSs) are distributed real-time systems that detect unauthorized use or attacks upon an organization's network and/or hosts. The components of most distributed IDSs are arranged in a hierarchical tree structure, where the sensor nodes pass information to the analyzer nodes. Optimal placement of the analyzer nodes results in an improved response time for the IDS, and isolation of attacks within the IDS network. Since the network topology and workload are constantly changing, we are able to maintain near-optimal placement of the analyzer nodes by instantiating them as mobile agents. The analyzer nodes may then relocate, reproduce or be deleted as necessary. Such flexibility improves the response times and the stability of an IDS. The movement of the analyzer nodes also offers some protection against denial-of-service attacks, since secure analyzer nodes will be relocated to take over some of the functionality of the host under attack.     

基于蜜罐的入侵检测系统的设计与实现*

传统的入侵检测系统无法识别未知的攻击,提出在入侵检测系统中引入蜜罐技术来弥补其不足,并设计和实现了一个基于人工神经网络的入侵检测系统HoneypotIDS。该系统应用感知器学习方法构建FDM检测模型和SDM检测模型两阶段检测模型来对入侵行为进行检测。其中,FDM检测模型用于划分正常类和攻击类,SDM检测模型则在此基础上对一些具体的攻击类型进行识别。最后,设计实验对HoneypotIDS的检测能力进行了测试。实验结果表明,HoneypotIDS对被监控网络中的入侵行为具有较好的检测率和较低的误报率。     

计算机网络脆弱性浅析

针对Internet日益增多的攻击现状,防火墙、入侵检侧系统等网络安全技术发展日益成熟。但是现实中总有一些攻击能够成功,我们就有必要研究在遭受攻击情况下分析网络的脆弱性技术及及时的恢复技术,最小化对于网络不利影响。本文提出了计算机网络脆弱性的概念。分析脆弱性存在的深层原因,对网络脆弱性提供了初步的了解。     

A hybrid intrusion detection system design for computer network security

Intrusions detection systems (IDSs) are systems that try to detect attacks as they occur or after the attacks took place. IDSs collect network traffic information from some point on the network or computer system and then use this information to secure the network. Intrusion detection systems can be misuse-detection or anomaly detection based. Misuse-detection based IDSs can only detect known attacks whereas anomaly detection based IDSs can also detect new attacks by using heuristic methods. In this paper we propose a hybrid IDS by combining the two approaches in one system. The hybrid IDS is obtained by combining packet header anomaly detection (PHAD) and network traffic anomaly detection (NETAD) which are anomaly-based IDSs with the misuse-based IDS Snort which is an open-source project.The hybrid IDS obtained is evaluated using the MIT Lincoln Laboratories network traffic data (IDEVAL) as a testbed. Evaluation compares the number of attacks detected by misuse-based IDS on its own, with the hybrid IDS obtained combining anomaly-based and misuse-based IDSs and shows that the hybrid IDS is a more powerful system.     

分层协作入侵检测系统研究

互联网在给广大互联网用户提供方便的同时也更加方便了黑客在不同地点、不同时刻发起对远程网络或主机的攻击。针对这些分布式攻击模式，该文提出并论述了一个基于Agent的分布式入侵检测系统的框架及其实现。引入这种分层协作IDS的主要目的是为了克服单一的主机入侵检测系统以及网络入侵检测系统的某些缺陷。在分布式网络环境中，不同的系统主体在各自安全域中执行彼此的独立安全策略；同时，这些系统主体通过相互协作构成上一级安全域。系统框架参考目前流行的通用入侵检测框架CIDF构建，通过经过扩展的CISL实现不同组件间的通讯及协作。     

警报信息实时融合处理技术研究与实现

针对分布式入侵检测和网络安全预警所需要解决的问题,对多传感器数据融合技术进行了研究.在分析IDS警报信息之间各种复杂关系的基础上,提出了一个警报信息实时融合处理模型,并根据该模型建立警报信息融合处理系统.实时融合来自多异构IDS传感器的警报信息,形成关于入侵事件的攻击序列图,并在此基础上进行威胁评估及攻击预测.该模型中...     

Human perspective to anomaly detection for cybersecurity

Traditionally signature-based network Intrusion Detection Systems (IDS) rely on inputs from domain experts and can only identify the attacks if they occur as individual event. IDS generate large number of alerts and it becomes very difficult for human users to go through each message. Previous researches have proposed analytics based approaches to analyze IDS alert patterns based on anomaly detection models, multi-steps models or probabilistic approaches. However, due to the complexities of network intrusions, it is impossible to develop all possible attack patterns or to avoid false positives. With the advance in technologies and popularity of networks in our daily life, it is becoming more and more difficult to detect network intrusions. However, no matter how rapid the technologies change, the human behaviors behind the cyber attacks stay relatively constant. This provides us an opportunity to develop an improved system to detect the unusual cyber attacks. In this paper, we developed four network intrusion models based on consideration of human factors. We then tested these models on ITOC Cyber Defense Competition (CDX) 2009 data. Our results are encouraging. These Models are not only able to recognize most network attacks identified by SNORT log alerts, they are also able to distinguish the non-attack network traffic that was potentially missed by SNORT as indicated by ground truth validation of the data.