基于增量式GHSOM神经网络模型的入侵检测研究

传统的网络入侵检测方法利用已知类型的攻击样本以离线的方式训练入侵检测模型,虽然对已知攻击类型具有较高的检测率,但是不能识别网络上新出现的攻击类型.这样的入侵检测系统存在着建立系统的速度慢、模型更新代价高等不足,面对规模日益扩大的网络和层出不穷的攻击,缺乏自适应性和扩展性,难以检测出网络上新出现的攻击类型.文中对GHSOM(Growing Hierarchical Self-Organizing Maps)神经网络模型进行了扩展,提出了一种基于增量式GHSOM神经网络模型的网络入侵检测方法,在不破坏已学习过的知识的同时,对在线检测过程中新出现的攻击类型进行增量式学习,实现对入侵检测模型的动态扩展.作者开发了一个基于增量式GHSOM神经网络模型的在线网络入侵检测原型系统,在局域网环境下开展了在线入侵检测实验.实验结果表明增量式GHSOM入侵检测方法具有动态自适应性,能够实现在线检测过程中对GHSOM模型的动态更新,而且对于网络上新出现的攻击类型,增量式GHSOM算法与传统GHSOM算法的检测率相当.     

基于异常的无线移动网络入侵检测系统

论文介绍了无线移动网络中的各种可能的入侵手段,分析了在无线移动环境下的入侵检测技术及实现思想,给出了一个无线移动网络入侵检测系统的基本概念框架,并对其中的各个模块进行了分析。     

基于异质信息的入侵检测警报过滤机制

通常误用检测所定义的攻击特征仅限于单一信息,如网络信息或主机信息,而由单一信息所产生的警报,由于针对某些攻击无法精确做出判断,所以误报比例相对较高。针对基于误用检测的网络入侵检测系统,建立了一个警报过滤机制。经过分析,可以找出攻击成功时所需具备的环境条件以及所会呈现的各种不同来源性质的攻击特征,入侵检测系统可据此在发现可疑入侵时,加以及时确认核查。通过运用这些异质信息,可明显减少误报的发生,提高了入侵检测报警的正确率。     

大数据环境下网络非法入侵检测系统设计

大数据环境下,非法入侵检测是保证计算机安全的重要手段。通过非法入侵检测,保证计算机免遭网络中木马病毒等的攻击,因此对大数据环境下网络非法入侵检测进行系统设计是必要的。目前大多数网络非法入侵检测系统是通过归纳当前网络非法入侵检测系统存在的优缺点,指出网络非法入侵检测系统存在的问题,确定其发展方向。但这种方法存在系统结构复杂,不利于维护和使用的问题。为此,提出一种基于PB神经网络的大数据环境下网络非法入侵检测系统设计方法,首先在分析大数据环境下网络非法入侵检测系统功能的基础上,对系统的模块进行设计,并分析各模块所实现的功能,在此基础上,对大数据环境下网络非法入侵检测系统的性能指标、采样芯片、USB接口控制芯片、FPGA、电源管理芯片等硬件进行设计选型,完成系统的硬件设计,并且通过PB神经网络算法提高大数据环境下网络非法入侵检测系统检测的准确性,并给出基于BP神经网络算法的入侵检测实现过程,从而实现大数据环境下网络非法入侵检测系统设计。实验证明,所提方法设计的大数据环境下网络非法入侵检测系统运行速度较快,能够及时准确对网络非法入侵行为进行检测,推动该领域的研究发展。     

基于TCP/IP的入侵检测评测技术研究

入侵检测系统的评测是入侵检测研究的一个重要方面。论文研究TCP/IP协议下如何利用协议的脆弱性按层次生成评测数据,在此基础上提出了分段混合评测的入侵检测评测方法。该方法的主要思想是数据混合和评测分段。相对以往的评测方法,由于数据混合,它的评测数据更丰富、更接近现实环境,而且可以自由添加;由于评测分段,简化了评测的实现,对正常网络的干扰很小,能够生成一些特定网络中无法生成的攻击。     

决策树算法在入侵检测中的应用研究

随着计算机和网络在人们生活和工作中的普遍应用,网络环境下数据的传输不断受到攻击和篡改,网络安全已变得越来越重要。网络安全风险防范的要求不断提高,针对目前的入侵检测系统准确度不高、自适应性差、检测效率低等问题,该文基于决策树分类算法,设计了一个基于决策树的入侵检测系统模型,将决策树算法作为分类器应用于入侵检测的过程中,提高了入侵检测系统的性能。     

基于环境信息降低入侵检测误报率

采用单包分析技术的网络入侵检测系统常具有较高的误报率,影响其实用性。本文针对误用网络型入侵检测系统建立一个警报过滤机制,该机制找出攻击成功时所需具备的环境条件。当入侵检测系统发现可疑入侵时,依据环境条件加以实时确认查核,从而减少误报。     

分布式网络入侵检测系统NetNumen的设计与实现

详细介绍了在Linux环境下基于规则的分布式网络入侵检测系统NetNumen.同现有的网络入侵检测系统相比,NetNumen将异常检测(检测包到达频度的异常)和特征检测(检测特定攻击和攻击工具的固有特征)有机地结合起来,对DoS(denial of service),DdoS(distributed denial of service)攻击的检测效果较现有方法有明显的改善.     

组合电磁攻击干扰下的入侵检测模型仿真分析

组合电磁攻击下的入侵检测对网络安全意义重大.组合网络由多个不同网络组成,多采用变结构拓扑方式,组合网络中电磁攻击干扰形式呈现多样化和随机性,造成其入侵检测的难度加大.传统的组合电磁攻击干扰下的入侵检测依靠组合网络自身的固有性质抵御网络过载和恶意攻击等分析,一旦组合网络中子网络过多,电磁攻击干扰种类迅速复杂化,存在较大漏检风险.首先提出一种基于神经网络最优决策控制的变结构组合电磁攻击干扰下的入侵检测建模方案,并进行结构电磁攻击干扰分析,对组合网络的网络拓扑电磁攻击干扰下的入侵检测模型采用多元统计法和时间序列模型法进行建模,然后提出采用变加权拓扑结构对复杂网络的电磁攻击干扰下的入侵进行度量,得到了可调参数的网络演化电磁攻击干扰下的入侵检测分析模型.最后对恶意攻击模式下网络度的分布和节点效率等参数仿真,分析电磁攻击干扰性能.实验结果表明,设计的入侵检测模型能够准确地检测到在组合电磁攻击干扰下的入侵,其组合网络拓扑结构具有优质的抗毁性和抗攻击性,能有效抵抗电磁攻击干扰,在遭受电磁攻击干扰下有快速响应能力.     

攻击分类研究与高速网络环境下的攻击分类

对网络攻击进行分类研究,有助于构造高效的检测方法,提高系统检测性能.对现有的攻击分类技术进行了分析和总结,针对高速网络环境下入侵检测系统的特点,提出了面向分层检测的攻击分类方法,并对每层进行了描述.根据系统能及时检测攻击的先后顺序进行了攻击分类,采用攻击分类、检测分层的方法,具有良好的普适性、全面性和可扩展性.同时由于分类是从检测的角度进行的,所以有良好的实用性,可有效地提高入侵检测效率,该方法为下一步研究提供了技术和理论依据.     

A neuro-genetic based short-term forecasting framework for network intrusion prediction system

Information systems are one of the most rapidly changing and vulnerable systems, where security is a major issue. The number of security-breaking attempts originating inside organizations is increasing steadily. Attacks made in this way, usually done by ＂authorized＂ users of the system, cannot be immediately traced. Because the idea of filtering the traffic at the entrance door, by using firewalls and the like, is not completely successful, the use of intrusion detection systems should be considered to increase the defense capacity of an information system. An intrusion detection system （IDS） is usually working in a dynamically changing environment, which forces continuous tuning of the intrusion detection model, in order to maintain sufficient performance. The manual tuning process required by current IDS depends on the system operators in working out the tuning solution and in integrating it into the detection model. Furthermore, an extensive effort is required to tackle the newly evolving attacks and a deep study is necessary to categorize it into the respective classes. To reduce this dependence, an automatically evolving anomaly IDS using neuro-genetic algorithm is presented. The proposed system automatically tunes the detection model on the fly according to the feedback provided by the system operator when false predictions are encountered. The system has been evaluated using the Knowledge Discovery in Databases Conference （KDD 2009） intrusion detection dataset. Genetic paradigm is employed to choose the predominant features, which reveal the occurrence of intrusions. The neuro-genetic IDS （NGIDS） involves calculation of weightage value for each of the categorical attributes so that data of uniform representation can be processed by the neuro-genetic algorithm. In this system unauthorized invasion of a user are identified and newer types of attacks are sensed and classified respectively by the neuro-genetic algorithm. The experimental results obtained in this work show that the system achieves improvement in terms of misclassification cost when compared with conventional IDS. The results of the experiments show that this system can be deployed based on a real network or database environment for effective prediction of both normal attacks and new attacks.     

结合优化支持向量机与K-means++的工控系统入侵检测方法

针对工业控制系统传统单一检测算法模型对不同攻击类型检测率和检测速度不佳的问题，提出一种优化支持向量机和K-means++算法结合的入侵检测模型。首先利用主成分分析法（PCA）对原始数据集进行预处理，消除其相关性；其次在粒子群优化（PSO）算法的基础上加入自适应变异过程避免在训练的过程中陷入局部最优解；然后利用自适应变异粒子群优化（AMPSO）算法优化支持向量机的核函数和惩罚参数；最后利用密度中心法改进K-means算法与优化后的支持向量机组合成入侵检测模型，从而实现工业控制系统的异常检测。实验结果表明，所提方法在检测速度和对各类攻击的检测率上得到明显提升。     

A differentiated one-class classification method with applications to intrusion detection

Intrusion detection has become an indispensable tool to keep information systems safe and reliable. Most existing anomaly intrusion detection techniques treat all types of attacks as equally important without any differentiation of the risk they pose to the information system. Although detection of all intrusions is important, certain types of attacks are more harmful than others and their detection is critical to protection of the system. This paper proposes a new one-class classification method with differentiated anomalies to enhance intrusion detection performance for harmful attacks. We also propose new extracted features for host-based intrusion detection based on three viewpoints of system activity such as dimension, structure, and contents. Experiments with simulated dataset and the DARPA 1998 BSM dataset show that our differentiated intrusion detection method performs better than existing techniques in detecting specific type of attacks. The proposed method would benefit even other applications in anomaly detection area beyond intrusion detection.     

An intelligent algorithm with feature selection and decision rules applied to anomaly intrusion detection

Intrusion detection system (IDS) is to monitor the attacks occurring in the computer or networks. Anomaly intrusion detection plays an important role in IDS to detect new attacks by detecting any deviation from the normal profile. In this paper, an intelligent algorithm with feature selection and decision rules applied to anomaly intrusion detection is proposed. The key idea is to take the advantage of support vector machine (SVM), decision tree (DT), and simulated annealing (SA). In the proposed algorithm, SVM and SA can find the best selected features to elevate the accuracy of anomaly intrusion detection. By analyzing the information from using KDD’99 dataset, DT and SA can obtain decision rules for new attacks and can improve accuracy of classification. In addition, the best parameter settings for the DT and SVM are automatically adjusted by SA. The proposed algorithm outperforms other existing approaches. Simulation results demonstrate that the proposed algorithm is successful in detecting anomaly intrusion detection.     

基于支持向量数据描述的异常检测方法

提出了一种基于支持向量数据描述算法的异常检测方法。该方法将入侵检测看作是一种单值分类问题,建立正常行为的支持向量描述模型,通过该模型可以检测各种已知和未知的攻击行为。该方法是一种无监督的异常检测方法,能够在包含噪声的数据集进行模型训练,降低了训练集的要求。在KDD CUP99标准入侵检测数据集上进行实验,并与无监督聚类异常检测实验结果相比较,证实该方法能够获得较高检测率和较低误警率。     

A hybrid artificial immune system and Self Organising Map for network intrusion detection

Network intrusion detection is the problem of detecting unauthorised use of, or access to, computer systems over a network. Two broad approaches exist to tackle this problem: anomaly detection and misuse detection. An anomaly detection system is trained only on examples of normal connections, and thus has the potential to detect novel attacks. However, many anomaly detection systems simply report the anomalous activity, rather than analysing it further in order to report higher-level information that is of more use to a security officer. On the other hand, misuse detection systems recognise known attack patterns, thereby allowing them to provide more detailed information about an intrusion. However, such systems cannot detect novel attacks.A hybrid system is presented in this paper with the aim of combining the advantages of both approaches. Specifically, anomalous network connections are initially detected using an artificial immune system. Connections that are flagged as anomalous are then categorised using a Kohonen Self Organising Map, allowing higher-level information, in the form of cluster membership, to be extracted. Experimental results on the KDD 1999 Cup dataset show a low false positive rate and a detection and classification rate for Denial-of-Service and User-to-Root attacks that is higher than those in a sample of other works.     

入侵检测系统技术特点分析

入侵检测系统是一类网络安全产品.通过归纳目前常见的网络攻击行为及对入侵检测系统的功能要求,而分析入侵检测系统应当具备的技术特点.     

An overview of anomaly detection techniques: Existing solutions and latest technological trends

As advances in networking technology help to connect the distant corners of the globe and as the Internet continues to expand its influence as a medium for communications and commerce, the threat from spammers, attackers and criminal enterprises has also grown accordingly. It is the prevalence of such threats that has made intrusion detection systems—the cyberspace’s equivalent to the burglar alarm—join ranks with firewalls as one of the fundamental technologies for network security. However, today’s commercially available intrusion detection systems are predominantly signature-based intrusion detection systems that are designed to detect known attacks by utilizing the signatures of those attacks. Such systems require frequent rule-base updates and signature updates, and are not capable of detecting unknown attacks. In contrast, anomaly detection systems, a subset of intrusion detection systems, model the normal system/network behavior which enables them to be extremely effective in finding and foiling both known as well as unknown or “zero day” attacks. While anomaly detection systems are attractive conceptually, a host of technological problems need to be overcome before they can be widely adopted. These problems include: high false alarm rate, failure to scale to gigabit speeds, etc. In this paper, we provide a comprehensive survey of anomaly detection systems and hybrid intrusion detection systems of the recent past and present. We also discuss recent technological trends in anomaly detection and identify open problems and challenges in this area.     

数据挖掘技术在入侵检测系统中的应用研究

随着以太网的快速发展,基于网络的攻击方式越来越多,传统的入侵检测系统越来越难以应付;将数据挖掘技术引入到入侵检测系统中来,分析网络中各种行为记录中潜在的攻击信息,自动辨别出网络入侵的模式,从而提高系统的检测效率;将K- MEANS算法及DBSCAN算法相综合,应用到入侵检测系统,并针对K- MEANS算法的一些不足进行了改进,提出了通过信息嫡理论的使用解决K- MEANS算法选择初始簇中心问题,然后利用其分类结果完善DBSCAN算法两个关键参数(Eps,Minpts)的设置,通过DB-SCAN算法,进一步地分析可疑的异常聚类,提高聚类的准确度.     

基于Snort的混合入侵检测系统的研究与实现

在分析研究snon系统的优缺点的基础上,利用其开源性和支持插件的优势,针对其对无法检测到新出现的入侵行为、漏报率较高以及检测速度较低等问题,在snon系统的基础上结合入侵检测中的数据挖掘技术,提出一种基于snort系统的混合入侵检测系统模型。该系统模型在snort系统原有系统模型基础上增加了正常行为模式构建模块、异常检测模块、分类器模块、规则动态生成模块等扩展功能模块。改进后的混合入侵检测系统能够实时更新系统的检测规则库,进而检测到新的入侵攻击行为;同时,改进后的混合入侵检测系统具有误用检测和异常检测的功能,从而提高检测系统检测效率。