Found 20 similar documents; search took 31 ms
We develop a mathematical model to quantitatively analyze a scalable region-based hierarchical group key management protocol integrated with intrusion detection to deal with both outsider and insider security attacks for group communication systems (GCSs) in mobile ad hoc networks (MANETs). Our proposed adaptive intrusion detection technique is based on majority voting by nodes in a geographical region to cope with collusion of compromised nodes, with each node preloaded with anomaly-based or misuse-based intrusion detection techniques to diagnose compromised nodes in the same region. When given a set of parameter values characterizing operational and environmental conditions, we identify the optimal intrusion detection rate and the optimal regional area size under which the mean time to security failure of the system is maximized and/or the total communication cost is minimized for GCSs in MANET environments. The tradeoff analysis in performance versus security is useful in identifying and dynamically applying optimal settings to maximize the system lifetime for scalable mobile group applications while satisfying application-specific performance requirements.

As complete prevention of computer attacks is not possible, intrusion detection systems (IDSs) play a very important role in minimizing the damage caused by different computer attacks. There are two intrusion detection methods, namely misuse-based and anomaly-based. A collaborative, intelligent intrusion detection system (CIIDS) is proposed to include both methods, since it is concluded from recent research that the performance of an individual detection engine is rarely satisfactory. In particular, two main challenges in current collaborative intrusion detection systems (CIDSs) research are highlighted and reviewed: CIDS system architectures and alert correlation algorithms. Different CIDS system architectures are explained and compared. The use of CIDSs together with other multiple security systems raises certain issues and challenges in alert correlation. Several different techniques for alert correlation are discussed. The focus will be on correlation of CIIDS alerts. Computational intelligence approaches, together with their applications to IDSs, are reviewed. Methods in soft computing collectively provide understandable and autonomous solutions to IDS problems. At the end of the review, the paper suggests fuzzy logic, soft computing and other AI techniques to be exploited to reduce the rate of false alarms while keeping the detection rate high. In conclusion, the paper highlights opportunities for an integrated solution to large-scale CIIDS.

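Network intrusion detection technology based on fuzzy data mining and genetic algorithms   Total citations: 2, self-citations: 0, citations by others: 2
This paper demonstrates the effectiveness of data mining techniques that apply fuzzy logic and genetic algorithms by developing a new network intrusion detection system. The system combines anomaly detection based on fuzzy data mining with misuse detection based on an expert system. In the anomaly detection component, fuzzy data mining is used to find deviations from stored patterns of normal behavior, and a genetic algorithm is used to tune the fuzzy membership functions and to select a suitable feature set. The misuse detection component looks for previously described behavior patterns that are likely to indicate an intrusion. Network traffic and system audit data serve as input to both components. The system architecture supports both anomaly detection and misuse detection, and is suitable for individual workstations as well as complex networks.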

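Traditional network security technologies can no longer effectively defend against attacks targeting Web applications, and Web application intrusion detection has received wide attention as an important security technology. Access logs are important data for Web application intrusion detection; however, the massive volume of log records daunts application administrators, and without effective analysis methods it is very difficult to discover and locate intrusions. To address this problem, a variety of misuse and anomaly detection models have been proposed and adopted. For dynamic pages, statistical anomaly models such as parameter value length and character distribution are applied to detect intrusions in the access logs of real Web applications. Experimental results show that the models can effectively detect attacks such as SQL injection.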

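Research and implementation of an extensible anomaly detection system   Total citations: 1, self-citations: 1, citations by others: 0
An architecture for an extensible anomaly-based intrusion detection system is proposed. The system adopts a distributed structure and a flexible plug-in mechanism, so detection functions can be added easily and the system is highly extensible. Three anomaly-based detection algorithms are implemented, namely equality matching, data mining, and neural networks, providing a fairly effective means of detecting attacks with unknown signature patterns.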

The evolution of the Internet of Things (IoT) has empowered modern industries with the capability to implement large-scale IoT ecosystems, such as the Industrial Internet of Things (IIoT). The IIoT is vulnerable to a diverse range of cyberattacks that can be exploited by intruders and cause substantial reputational and financial harm to organizations. To preserve the confidentiality, integrity, and availability of IIoT networks, an anomaly-based intrusion detection system (IDS) can be used to provide secure, reliable, and efficient IIoT ecosystems. In this paper, we propose an anomaly-based IDS for IIoT networks as an effective security solution to efficiently and effectively overcome several IIoT cyberattacks. The proposed anomaly-based IDS is divided into three phases: pre-processing, feature selection, and classification. In the pre-processing phase, data cleaning and normalization are performed. In the feature selection phase, the candidates’ feature vectors are computed using two feature reduction techniques, minimum redundancy maximum relevance and neighborhood components analysis. For the final step, the modeling phase, the following classifiers are used to perform the classification: support vector machine, decision tree, k-nearest neighbors, and linear discriminant analysis. The proposed work uses a new data-driven IIoT data set called X-IIoTID. The experimental evaluation demonstrates our proposed model achieved a high accuracy rate of 99.58%, a sensitivity rate of 99.59%, a specificity rate of 99.58%, and a low false positive rate of 0.4%.

A computer system intrusion is seen as any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.[1] The introduction of networks and the Internet caused great concern about the protection of sensitive information and has resulted in many computer security research efforts during the past few years. Although preventative techniques such as access control and authentication attempt to prevent intruders, these can fail, and as a second line of defence, intrusion detection has been introduced. Intrusion detection systems (IDS) are implemented to detect an intrusion as it occurs, and to execute countermeasures when detected. Usually, a security administrator has difficulty in selecting an IDS approach for his unique set-up. In this Report, different approaches to intrusion detection systems are compared, to supply a norm for the best-fit system. The results would assist in the selection of a single appropriate intrusion detection system or combine approaches that best fit any unique computer system.

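As society enters the information age, protecting cyberspace security is becoming increasingly important. In recent years, new network attack methods have appeared frequently, seriously threatening people's property and national information security. Consequently, anomaly-based intrusion detection systems have received wide attention for their ability to detect unknown attacks. However, most anomaly-based intrusion detection techniques are limited to header features of individual packets and statistical features within a window of a given size; few works extract features at the granularity of a flow, and few exploit the attack information contained in the payload. In view of this, the paper proposes a deep intrusion detection method based on cross-layer features of network flows. In the feature extraction stage, it first aggregates a series of packets into a flow, then extracts header features by statistical feature computation and payload features with a text convolutional neural network. The two sets of features are then concatenated, and a gradient boosting algorithm is used for regression training to build a prediction model. Finally, extensive experiments evaluate the effectiveness of the method.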

黄烟波  胡波  周忠华 《微机发展》2007,17(4):113-116
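Because of the unique network characteristics of mobile ad hoc networks, their security is particularly fragile, and providing them with a highly secure intrusion detection system is imperative. However, the accuracy, timeliness, and reliability of intrusion detection audit data are prerequisites for its efficiency. Here, clustering is applied to ad hoc network intrusion detection, which effectively improves the security of ad hoc networks and the capability for cooperative detection of distributed attacks, and reduces the network's communication load.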

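Wireless sensor networks are now increasingly widely used in smart environment monitoring, disaster control, battlefield reconnaissance, and security surveillance, and are attracting growing attention; the security of wireless sensor networks is becoming ever more important. The paper first introduces intrusions and intrusion detection, then analyzes wireless sensor network intrusion detection systems and their classification, focusing on current wireless sensor network intrusion detection techniques and their respective advantages and disadvantages. Finally, it proposes possible directions for the development of wireless sensor network intrusion detection technology.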

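Intrusion detection systems are very important for securing wireless local area networks (WLANs). After an in-depth analysis of the main problems in current WLAN security, and in light of the characteristics of WLANs, a distributed wireless intrusion detection system is proposed and implemented. The WLAN network structure and main security technologies are first analyzed, and the important role of intrusion detection in the WLAN security architecture and the main problems of current intrusion detection technology are described. A distributed wireless intrusion detection system is then implemented in a WLAN environment. Specific implementation techniques are studied, such as Winpcap network packet capture, the automaton matching algorithm among multi-pattern matching algorithms, and statistical analysis algorithms.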

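Information security is an important topic of global concern, but the complexity, accessibility, and openness of the Internet bring increasingly serious threats to information system security. The paper presents an intrusion detection system that uses support vector machines and neural networks. The main idea is to discover patterns and features that describe user behavior on the system, and to build classifiers from a set of relevant features for anomaly detection, in the hope of detecting intrusions in real time. By comparing intrusion detection systems based on neural networks and on support vector machines, and exploiting the respective strengths of both, a new intrusion detection system is constructed.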

The popularity of using the Internet carries some risks of network attacks. Intrusion detection is one major research problem in network security, whose aim is to identify unusual access or attacks to secure internal networks. In the literature, intrusion detection systems have been approached by various machine learning techniques. However, there is no review paper to examine and understand the current status of using machine learning techniques to solve the intrusion detection problems. This chapter reviews 55 related studies in the period between 2000 and 2007 focusing on developing single, hybrid, and ensemble classifiers. Related studies are compared by their classifier design, datasets used, and other experimental setups. Current achievements and limitations in developing intrusion detection systems by machine learning are presented and discussed. A number of future research directions are also provided.

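Wireless sensor networks are vulnerable to various insider attacks, and intrusion detection systems must consume a large amount of energy on attack detection to keep the network secure. To address intrusion detection in wireless sensor networks, an attack-defense game model between malicious nodes (MNs) and cluster head nodes (CHNs) is established, and a reinforcement-learning-based cluster head intrusion detection algorithm is proposed: the weighted policy learner with approximate policy prediction (WPL-APP). Experiments show that when cluster head nodes use this algorithm for dynamic detection and defense against malicious nodes, the two sides of the game quickly reach an evolutionary equilibrium, avoiding heavy detection energy consumption and fluctuations in network security performance.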

Information systems security issues are currently being addressed using different techniques, such as authentication, encryption and access control, through the definition of security policies, but also using monitoring techniques, in particular intrusion detection systems. We can observe that security monitoring is currently totally decorrelated from security policies, that is, security requirements are not linked with the means used to control their fulfillment. Most of the time, security operators have to analyze monitoring results and manually react to provide countermeasures to threats compromising the security policy. The response process is far from trivial, since it relies both on the relevance of the threat analysis and on the adequacy of the selected countermeasures. In this paper, we present an approach aiming at connecting monitoring techniques with security policy management in order to provide a response to threats. We propose an architecture that dynamically and automatically deploys a generic security policy into concrete policy instances, taking into account the threat level characterized by intrusion detection systems. Such an approach provides means to bridge the gap between existing detection approaches and new requirements, which clearly deal with the development of intrusion prevention systems, enabling a better protection of the resources and services.

The combination of traditional cloud computing and mobile computing leads to the novel paradigm of mobile cloud computing. Due to the mobility of network nodes in mobile cloud computing, security has been a challenging problem of paramount importance. When a mobile cloud involves heterogeneous client networks, such as Wireless Sensor Networks and Vehicular Networks, the security problem becomes more challenging because the client networks often have different security requirements in terms of computational complexity, power consumption, and security levels. To securely collect and fuse the data from heterogeneous client networks in complex systems of this kind, novel security schemes need to be devised. Intrusion detection is one of the key security functions in mobile clouds involving heterogeneous client networks. A variety of different rule-based intrusion detection methods could be employed in this type of system. However, the existing intrusion detection schemes lead to high computation complexity or require frequent rule updates, which seriously harms their effectiveness. In this paper, we propose a machine learning based intrusion detection scheme for mobile clouds involving heterogeneous client networks. The proposed scheme does not require rule updates and its complexity can be customized to suit the requirements of the client networks. Technically, the proposed scheme includes two steps: multi-layer traffic screening and decision-based Virtual Machine (VM) selection. Our experimental results indicate that the proposed scheme is highly effective in terms of intrusion detection.

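NetFlow can provide information about IP flows in a network. This flow information has many uses, including network management, network planning, and ISP billing. In network security, the IP flow information provided by NetFlow can be used to analyze anomalous traffic in the network, which is a good complement to existing signature-based NIDSs. This paper introduces the NetFlow-based Anomaly Traffic Analyzer, a NetFlow-based system for detecting anomalous network traffic, and demonstrates the effectiveness of the system through several experiments.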

程小辉  牛童  汪彦君 《计算机应用》2020,40(6):1680-1684
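With the rapid development of the Internet of Things (IoT), more and more IoT node devices are being deployed, but the accompanying security problems cannot be ignored. IoT network-layer node devices communicate mainly over wireless sensor networks, which are more open than the Internet and more vulnerable to network attacks such as denial of service. To address the network-layer security problems facing wireless sensor networks, a network intrusion detection system based on a sequence model is proposed to detect and alert on network-layer intrusions, with a high recognition rate and a low false alarm rate. In addition, to address the host security problems facing wireless sensor network node devices, a host intrusion detection system based on a simple sequence model is proposed, taking node overhead into account. Experimental results show that the two intrusion detection systems, for the network layer and the host layer of wireless sensor networks, both achieve accuracy above 99% with a false alarm rate of around 1%, meeting industrial requirements; the two systems can protect wireless sensor networks comprehensively and effectively.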

Security is a critical issue for software systems, especially for those systems which are connected to networks and the Internet, since most of them suffer from various malicious attacks. Intrusion detection is an approach to protect software against such attacks. However, security vulnerabilities that are exploited by intruders cut across multiple modules in software systems and are difficult to address and monitor. These kinds of concerns, called cross-cutting concerns, can be handled by aspect-oriented software development (AOSD) for better modularization. A number of works have utilized AOSD to address security issues of software systems, but none of them has employed AOSD for intrusion detection. In this paper, we propose a model-based aspect-oriented framework for building intrusion-aware software systems. We model attack scenarios and intrusion detection aspects using an aspect-oriented Unified Modeling Language (UML) profile. Based on the UML model, the intrusion detection aspects are implemented and woven into the target system. The resulting target system has the ability to detect the intrusions automatically. We present an experimental evaluation by applying this framework for some of the most common attacks included in the Web Application Security Consortium (WASC) web security threat classification. The experimental results demonstrate that the framework is effective in specifying and implementing intrusion detection and can be applied for a wide range of attacks.
