20 similar records found (search time 15 ms)
1.
2.
To date, network administrators still sort the alerts produced by intrusion detection systems (IDS) by hand, with the help of auxiliary tools, in order to arrive at a high-level description of an attack. To fuse the alert information from multiple intrusion detection systems effectively and improve alert accuracy, automated alert-clustering analysis tools have been proposed for producing such high-level attack descriptions. Beyond that, automated alert clustering can support threat analysis and fuse different information sources, for example alerts coming from different IDSs. This paper proposes a new alert clustering system that clusters the alerts produced by multiple IDSs and generates attack descriptions. Experimental results show that summarizing attacks through the alert clustering module produces high-level alerts and greatly reduces the number of alerts that must be presented to the administrator; these high-level alerts also provide a basis for further threat analysis.
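The aggregation step the abstract describes, as an added example (not the paper's system): raw alerts from several sensors are grouped by attacker, victim and attack class within a time window, and each group becomes one high-level summary that names the sensors and signatures involved. The sensor names, field layout and sample alerts are constructed.

```python
"""Alert clustering across several IDS feeds into high-level attack descriptions.

Added example, not code from the paper. Alerts that share (source, destination,
attack class) and arrive within `window` of each other collapse into one
AttackSummary; a gap longer than the window starts a new summary. Sensor names,
signature names and timestamps below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Alert:
    sensor: str          # which IDS raised it (constructed sensor names)
    ts: datetime
    src: str
    dst: str
    signature: str       # the sensor's own rule name
    category: str        # normalised attack class shared by all sensors


@dataclass
class AttackSummary:
    src: str
    dst: str
    category: str
    first: datetime
    last: datetime
    count: int = 0
    sensors: set = field(default_factory=set)
    signatures: set = field(default_factory=set)

    def describe(self):
        span = (self.last - self.first).total_seconds()
        return (f"{self.category} from {self.src} against {self.dst}: "
                f"{self.count} alerts from {len(self.sensors)} sensor(s) over {span:.0f}s "
                f"[{', '.join(sorted(self.signatures))}]")


def cluster_alerts(alerts, window=timedelta(minutes=10)):
    """Return one AttackSummary per (src, dst, category) burst, in order of first alert."""
    summaries = []
    open_clusters = {}                       # key -> summary currently being extended
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.src, a.dst, a.category)
        cur = open_clusters.get(key)
        if cur is None or a.ts - cur.last > window:
            cur = AttackSummary(a.src, a.dst, a.category, a.ts, a.ts)
            open_clusters[key] = cur
            summaries.append(cur)
        cur.last = max(cur.last, a.ts)
        cur.count += 1
        cur.sensors.add(a.sensor)
        cur.signatures.add(a.signature)
    return summaries


# Constructed sample: two sensors see the same port scan (24 raw alerts in one
# minute), then one sensor sees an exploit attempt half an hour later.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_ALERTS = [
    Alert("snort-dmz", T0 + timedelta(seconds=i), "203.0.113.5", "192.0.2.10", "ET SCAN Nmap", "scan")
    for i in range(0, 60, 5)
] + [
    Alert("suricata-core", T0 + timedelta(seconds=i + 1), "203.0.113.5", "192.0.2.10", "SCAN TCP SYN", "scan")
    for i in range(0, 60, 5)
] + [
    Alert("snort-dmz", T0 + timedelta(minutes=30), "203.0.113.5", "192.0.2.10", "WEB-ATTACK cmd inject", "exploit"),
    Alert("snort-dmz", T0 + timedelta(minutes=31), "203.0.113.5", "192.0.2.10", "WEB-ATTACK cmd inject", "exploit"),
]

if __name__ == "__main__":
    for s in cluster_alerts(SAMPLE_ALERTS):
        print(s.describe())
```

Twenty-six raw alerts become two summaries, and the second one (exploit following scan from the same source) is the kind of sequence an analyst would want to see first.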
3.
Network Intrusion Detection Systems (NIDS) play a fundamental role in security policy deployment and help organizations protect their assets from network attacks. Signature-based NIDS rely on a set of known patterns to match malicious traffic; accordingly, they cannot detect a given attack until a signature for the corresponding vulnerability has been created, tested, released and deployed. Although vital, the delay in the update process of these systems has not been studied in depth. This paper presents a comprehensive statistical analysis of this delay in relation to the vulnerability disclosure time, the updates of vulnerability detection systems (VDS), software patch releases and the publication of exploits, using the widely deployed NIDS Snort and the release dates of its detection signatures. Results show that signature updates typically become available later than software patches. Moreover, Snort rules are generally released within the first 100 days after vulnerability disclosure, and in most cases exploits and the corresponding NIDS rules are published with little difference in time. Implications of these results are drawn in the context of security policy definition. Because of the methodology used, the study can easily be kept up to date.
4.
5.
Virtualization plays a vital role in the construction of cloud computing. However, current virtualization implementations contain various vulnerabilities, which give rise to a range of security challenges at the virtualization layer. In this paper we investigate vulnerabilities and attacks at the virtualization layer of cloud computing, examine proposals for cloud intrusion detection system (IDS) and intrusion detection and prevention system frameworks, and set out the requirements for a cloud IDS and the research scope needed to reach the desired level of security at the virtualization layer.
6.
7.
8.
Research on network intrusion detection systems for high-speed network environments  Total citations: 9, self-citations: 2, other citations: 9
Intrusion detection in high-speed network environments is a new research direction. Building on load-balancing and protocol-analysis techniques, this paper proposes a network intrusion detection system that can be applied in high-speed environments. Load balancing splits the high-rate data stream captured at the front end so that the back end can process it; protocol analysis exploits the layered structure of network protocols and knowledge of the relevant protocols to decide quickly whether an attack signature is present. An agent-based distributed architecture improves the scalability of the system and raises its detection efficiency.
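The two mechanisms named in the abstract, front-end splitting and protocol-aware matching, as an added example that is not code from the paper (which does not specify its splitting rule). The rule chosen here is symmetric 5-tuple hashing, because the property a detection engineer cares about is that both directions of a connection reach the same back-end sensor; otherwise a sensor sees half a TCP session and cannot reassemble it. Packet tuples, the port-to-protocol table and the signature names are constructed.

```python
"""Front-end load balancing for a high-speed NIDS, plus protocol-aware signature dispatch.

Added example, not the paper's implementation. flow_key() sorts the two
endpoints so that a->b and b->a hash to the same bucket; signatures_to_check()
is the protocol-analysis idea in its simplest form: decode enough to know the
application protocol and match only the rules written for it. All tables and
packets below are constructed.
"""
import hashlib
import socket
import struct


def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Canonical 5-tuple: endpoints sorted so both directions of a flow give one key."""
    a = (socket.inet_aton(src_ip), src_port)
    b = (socket.inet_aton(dst_ip), dst_port)
    lo, hi = sorted((a, b))
    return (lo[0] + struct.pack("!H", lo[1]) +
            hi[0] + struct.pack("!H", hi[1]) + bytes([proto]))


def pick_backend(pkt, n_backends):
    """Index in [0, n_backends) of the sensor that must analyse this packet."""
    digest = hashlib.blake2b(flow_key(*pkt), digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_backends


def distribute(packets, n_backends):
    """Assign every packet to a back end; returns {backend index: [packets]}."""
    buckets = {i: [] for i in range(n_backends)}
    for p in packets:
        buckets[pick_backend(p, n_backends)].append(p)
    return buckets


# Constructed tables. A real decoder inspects payload bytes rather than
# trusting the port number; ports keep the example short.
PORT_TO_APP = {80: "http", 8080: "http", 53: "dns", 25: "smtp"}
SIGNATURES = {
    "http": ["cmd.exe in URI", "../ traversal"],
    "dns":  ["oversized TXT answer"],
    "smtp": ["VRFY probe"],
}
TCP, UDP = 6, 17


def app_protocol(pkt):
    src_ip, sport, dst_ip, dport, proto = pkt
    if proto in (TCP, UDP):
        return PORT_TO_APP.get(dport) or PORT_TO_APP.get(sport)
    return None


def signatures_to_check(pkt):
    """Only the rules for the decoded protocol are matched; all others are skipped."""
    return SIGNATURES.get(app_protocol(pkt), [])


# Constructed packets as (src_ip, src_port, dst_ip, dst_port, ip_proto).
SAMPLE_PACKETS = [
    ("203.0.113.5", 40000, "192.0.2.10", 80, TCP),
    ("192.0.2.10", 80, "203.0.113.5", 40000, TCP),     # reply direction of the flow above
    ("203.0.113.7", 53000, "192.0.2.53", 53, UDP),
    ("192.0.2.53", 53, "203.0.113.7", 53000, UDP),
    ("198.51.100.9", 1234, "192.0.2.10", 443, TCP),     # no decoder for 443 here: no rules
]

if __name__ == "__main__":
    for idx, pkts in distribute(SAMPLE_PACKETS, 4).items():
        for p in pkts:
            print(f"backend {idx}: {p[0]}:{p[1]} -> {p[2]}:{p[3]} rules={signatures_to_check(p)}")
```

The check worth keeping in a deployment is the first one in the test: request and reply of the same connection must land on the same sensor, whatever the number of back ends.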
9.
10.
Carlos A. Catania, Carlos García Garino 《Computers & Electrical Engineering》2012,38(5):1062-1072
Automatic network intrusion detection has been an important research topic for the last 20 years. In that time, approaches based on signatures describing intrusive behavior have become the de facto industry standard. Alternatively, other novel techniques have been used to improve automation of the intrusion detection process: statistical methods, machine learning and data mining techniques have been proposed, claiming higher automation capabilities than signature-based approaches. However, the majority of these novel techniques have never been deployed in real-life scenarios; signature-based detection is still the most widely used strategy for automatic intrusion detection. In the present article we survey the most relevant works in the field of automatic network intrusion detection. In contrast to previous surveys, our analysis considers several features required for actually deploying each of the reviewed approaches. This wider perspective can help identify the possible causes behind the lack of acceptance of novel techniques by network security experts.
11.
The detection performance of an expert-system-based intrusion detection system depends to a large degree on the expert system's rule set. To improve the detection capability of such a system, a genetic algorithm is used to update the expert system's rule set dynamically. Because the basic genetic algorithm cannot update the rule set dynamically in an effective way, the genetic algorithm is improved in several respects: encoding, the fitness function and crossover. An implementation scheme is proposed for using the improved genetic algorithm to update the expert system's rule set dynamically.
12.
Enhancing the intrusion detection system is essential to maintain user confidence in the security of network services, yet the threat that intruders pose to Internet services remains prevalent. This paper proposes a distributed edge-to-edge complementary approach for intrusion detection in a DiffServ/MPLS domain. QoS metrics are inspected at the edge routers to determine anomalous behavior in the network traffic. Consumed ratios of one-way delay variation (OWDV) and packet loss are computed to monitor service level agreement (SLA) violations, and the bandwidth ratio is measured to differentiate abnormal from normal traffic as well as to detect multiple intrusions launched simultaneously. The SLA serves as the comparison scale for inferring the deviation between the ratios a user actually consumes and the ratios predefined in the SLA: when the predefined ratios are exceeded, a service violation has occurred and an intrusion may have been launched. The complementary services of the DiffServ and MPLS techniques guarantee accurate measurements, while the complementary use of active and passive measurement techniques protects network performance against scalability limits. Simulation results indicate that the proposed approach is capable of monitoring SLA violations and can filter out the traffic of intruders who breach the SLA without disturbing the normal traffic of legitimate users.
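The decision logic the abstract sketches, as an added example that is not the paper's simulation code. The abstract does not give the formulas, so the assumption here is the plain one: each consumed ratio is measured value divided by the SLA limit for the customer's DiffServ class, and a ratio above 1.0 is a violation. The bandwidth ratio separates the customer who is exceeding its share (the likely intruder, to be filtered) from customers whose OWDV or loss ratio is high only because they are being crowded out. SLA values and edge measurements are constructed.

```python
"""Edge-measured SLA ratios as an intrusion indicator in a DiffServ domain.

Added example, not the paper's code. An SLA per DiffServ class bounds OWDV,
packet loss and bandwidth; the edge router reports per customer how much of
each bound was consumed. Ratios above `tolerance` are violations; the
bandwidth ratio decides whether the customer is the cause or a casualty.
SLAs and measurements are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SLA:
    max_owdv_ms: float      # agreed one-way delay variation bound
    max_loss: float         # agreed packet-loss fraction (0.01 = 1%)
    bandwidth_mbps: float   # committed bandwidth share


@dataclass(frozen=True)
class Measurement:
    customer: str
    dscp_class: str
    owdv_ms: float
    loss: float
    mbps: float


def consumed_ratios(m, sla):
    """Measured / agreed for each metric; 1.0 means the SLA bound was reached exactly."""
    return {
        "owdv": m.owdv_ms / sla.max_owdv_ms,
        "loss": m.loss / sla.max_loss,
        "bandwidth": m.mbps / sla.bandwidth_mbps,
    }


def classify(measurements, slas, tolerance=1.0):
    """Per-customer verdict.

    'suspect': bandwidth ratio exceeded, i.e. this customer consumes beyond its share
               (several suspects at once = simultaneous intrusions)
    'victim':  OWDV or loss ratio exceeded while staying within bandwidth share
    'ok':      every ratio within the SLA
    """
    verdicts = {}
    for m in measurements:
        r = consumed_ratios(m, slas[m.dscp_class])
        if r["bandwidth"] > tolerance:
            verdicts[m.customer] = "suspect"
        elif r["owdv"] > tolerance or r["loss"] > tolerance:
            verdicts[m.customer] = "victim"
        else:
            verdicts[m.customer] = "ok"
    return verdicts


def suspects(measurements, slas):
    """Customers whose traffic the edge should filter."""
    return sorted(c for c, v in classify(measurements, slas).items() if v == "suspect")


SLAS = {"EF": SLA(5.0, 0.001, 10.0), "AF11": SLA(20.0, 0.01, 50.0)}

# Constructed edge report: two AF11 customers flood simultaneously; the EF
# customer stays within its share but its jitter bound is breached.
SAMPLE = [
    Measurement("cust-a", "EF",   owdv_ms=7.5,  loss=0.0005, mbps=8.0),
    Measurement("cust-b", "AF11", owdv_ms=10.0, loss=0.002,  mbps=140.0),
    Measurement("cust-c", "AF11", owdv_ms=12.0, loss=0.004,  mbps=95.0),
    Measurement("cust-d", "AF11", owdv_ms=15.0, loss=0.005,  mbps=30.0),
]

if __name__ == "__main__":
    for customer, verdict in classify(SAMPLE, SLAS).items():
        print(f"{customer}: {verdict}")
    print("filter:", suspects(SAMPLE, SLAS))
```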
13.
Effective noise reduction for intrusion detection systems (IDS) is a continuing area of research. One technique for eliminating IDS alerts that do not apply to their target is to correlate them with environmental intelligence about the network and systems. This article provides an overview of correlation requirements together with a proposed architecture and solution for correlating and classifying IDS alerts in real time. The implementation of the QuIDScor correlation engine was validated on a real-world network and demonstrated a significant reduction in false alerts.
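The correlation idea in the abstract, as an added example that is not the QuIDScor engine: an alert is worth an analyst's time only if the targeted host actually exposes the attacked service and runs a platform the signature applies to, and a matching vulnerability-scanner finding on that host raises it further. The inventory, the signature metadata and the alerts are constructed; the finding identifiers are placeholders, not real vulnerability IDs.

```python
"""Classifying IDS alerts against environmental intelligence (asset inventory).

Added example, not code from the article. Unknown targets are kept rather than
dropped: the engine may only discard an alert when it has evidence the alert
cannot apply. Inventory, signature metadata, finding ids and alerts are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Asset:
    ip: str
    os_family: str                 # "windows", "linux", ...
    open_ports: set
    findings: set = field(default_factory=set)   # scanner finding ids (placeholders)


@dataclass
class SignatureMeta:
    name: str
    target_os: set                 # empty set: applies to any platform
    target_port: Optional[int]     # None: not tied to a service port
    finding: Optional[str] = None  # scanner finding this signature corresponds to


@dataclass
class Alert:
    sid: int
    src: str
    dst: str
    dst_port: int


def classify_alert(alert, inventory, signatures):
    meta = signatures.get(alert.sid)
    asset = inventory.get(alert.dst)
    if meta is None or asset is None:
        return "unknown"                            # keep: no evidence it is irrelevant
    if meta.target_port is not None and meta.target_port not in asset.open_ports:
        return "noise:port-closed"                  # service not exposed on the target
    if meta.target_os and asset.os_family not in meta.target_os:
        return "noise:os-mismatch"                  # signature cannot apply to this platform
    if meta.finding and meta.finding in asset.findings:
        return "critical:target-vulnerable"         # scanner says the hole is really there
    return "actionable"


def triage(alerts, inventory, signatures):
    """Return (alerts an analyst should see, with verdicts) and a count per verdict."""
    kept, counts = [], Counter()
    for a in alerts:
        verdict = classify_alert(a, inventory, signatures)
        counts[verdict] += 1
        if not verdict.startswith("noise:"):
            kept.append((a, verdict))
    return kept, counts


# Constructed environment.
INVENTORY = {
    "192.0.2.10": Asset("192.0.2.10", "linux", {22, 80}),
    "192.0.2.20": Asset("192.0.2.20", "windows", {445, 3389}, {"finding-smb-rce"}),
}
SIGNATURES = {
    1001: SignatureMeta("WEB Windows-only web server exploit", {"windows"}, 80),
    2001: SignatureMeta("SMB remote code execution attempt", {"windows"}, 445, finding="finding-smb-rce"),
    3001: SignatureMeta("SSH brute force", set(), 22),
}
ALERTS = [
    Alert(1001, "203.0.113.5", "192.0.2.10", 80),    # Windows exploit against a Linux host
    Alert(2001, "203.0.113.5", "192.0.2.20", 445),   # target scanned as vulnerable
    Alert(3001, "203.0.113.5", "192.0.2.20", 22),    # SSH not open on that host
    Alert(3001, "203.0.113.5", "192.0.2.10", 22),    # plausible, no scanner data
    Alert(1001, "203.0.113.5", "10.0.0.1", 80),      # host not in inventory
]

if __name__ == "__main__":
    kept, counts = triage(ALERTS, INVENTORY, SIGNATURES)
    for a, verdict in kept:
        print(f"sid {a.sid} {a.src} -> {a.dst}:{a.dst_port}  {verdict}")
    print(dict(counts))
```

The order of the checks matters less than the rule that "unknown" is never treated as noise; an inventory that is out of date is the usual way a real attack gets suppressed by this kind of engine.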
14.
Hierarchical visualization of network intrusion detection data  Total citations: 2, self-citations: 0, other citations: 2
Itoh T. Takakura H. Sawada A. Koyamada K. 《Computer Graphics and Applications, IEEE》2006,26(2):40-47
A technique for visualizing intrusion-detection system log files as hierarchical data based on IP addresses represents the number of incidents for thousands of computers in one display space. Our technique applies a hierarchical data visualization method that represents leaf nodes as black square icons and branch nodes as rectangular borders enclosing the icons; this representation style shows thousands of hierarchical leaf nodes equally in one display space. We had previously applied the technique to bioactive chemical visualization and to job distribution in parallel-computing environments.
15.
AdaBoost-based algorithm for network intrusion detection  Total citations: 1, self-citations: 0, other citations: 1
Weiming Hu Wei Hu Steve Maybank 《IEEE transactions on systems, man, and cybernetics. Part B, Cybernetics》2008,38(2):577-583
Network intrusion detection aims at distinguishing attacks on the Internet from normal use of the Internet and is an indispensable part of an information security system. Because of the variety of network behaviors and the rapid evolution of attack methods, fast machine-learning-based intrusion detection algorithms with high detection rates and low false-alarm rates are needed. In this correspondence we propose an intrusion detection algorithm based on AdaBoost, in which decision stumps are used as weak classifiers. Decision rules are provided for both categorical and continuous features. By combining the weak classifiers for continuous features and the weak classifiers for categorical features into a strong classifier, the relations between these two types of features are handled naturally, without any forced conversion between continuous and categorical features. Adaptable initial weights and a simple strategy for avoiding overfitting are adopted to improve the performance of the algorithm. Experimental results on benchmark sample data show that our algorithm has low computational complexity and low error rates when compared with algorithms of higher computational complexity.
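The mixed-feature stump scheme from the abstract, as an added example that is not the authors' code: the weak learner is a one-feature test, an equality test for a categorical feature or a threshold test for a continuous one, so neither type is converted into the other, and plain AdaBoost combines them. The paper's adaptable initial weights and overfitting strategy are not reproduced (uniform initial weights are used). The connection records are constructed with KDD-style field names; on them the attack class is "half-open connections OR high connection count", which no single stump can express but three boosted stumps can.

```python
"""AdaBoost over decision stumps with categorical and continuous features.

Added example, not the authors' implementation. A stump is
(column, kind, value, polarity): kind "eq" tests x[col] == value, kind "le"
tests x[col] <= value, and polarity is the label predicted when the test is
true. Training records below are constructed.
"""
import math

FEATURES = ["proto", "flag", "src_bytes", "count"]
CATEGORICAL = {0, 1}          # column indexes holding categorical values

# Constructed records: (proto, flag, src_bytes, count) -> +1 attack / -1 normal.
TRAIN = [
    (("tcp",  "SF", 300,  1),   -1), (("tcp",  "SF", 1500, 2),   -1),
    (("udp",  "SF", 100,  3),   -1), (("tcp",  "SF", 5000, 4),   -1),
    (("icmp", "SF", 64,   5),   -1), (("tcp",  "SF", 200,  6),   -1),
    (("tcp",  "S0", 0,    1),    1), (("tcp",  "S0", 0,    2),    1),   # half-open probes
    (("tcp",  "S0", 0,    3),    1),
    (("icmp", "SF", 1480, 200),  1), (("udp",  "SF", 516,  250),  1),   # floods
    (("tcp",  "SF", 1024, 300),  1),
]
X_TRAIN = [x for x, _ in TRAIN]
Y_TRAIN = [y for _, y in TRAIN]


def stump_predict(stump, x):
    col, kind, value, polarity = stump
    hit = x[col] == value if kind == "eq" else x[col] <= value
    return polarity if hit else -polarity


def candidate_stumps(X):
    """Every one-feature test: equality per category, midpoint thresholds per number."""
    for col in range(len(FEATURES)):
        if col in CATEGORICAL:
            for v in sorted({x[col] for x in X}):
                for pol in (1, -1):
                    yield (col, "eq", v, pol)
        else:
            vals = sorted({x[col] for x in X})
            for lo, hi in zip(vals, vals[1:]):
                for pol in (1, -1):
                    yield (col, "le", (lo + hi) / 2, pol)


def best_stump(X, y, w):
    """Stump with the smallest weighted error; first one wins on ties."""
    best, best_err = None, float("inf")
    for s in candidate_stumps(X):
        err = sum(wi for xi, yi, wi in zip(X, y, w) if stump_predict(s, xi) != yi)
        if err < best_err:
            best, best_err = s, err
    return best, best_err


def fit(X, y, rounds=3):
    """Standard AdaBoost with uniform initial weights; returns [(alpha, stump), ...]."""
    n = len(X)
    w = [1.0 / n] * n
    model = []
    for _ in range(rounds):
        s, err = best_stump(X, y, w)
        if err >= 0.5:                       # no weak learner better than chance: stop
            break
        err = max(err, 1e-12)
        alpha = 0.5 * math.log((1 - err) / err)
        model.append((alpha, s))
        w = [wi * math.exp(-alpha * yi * stump_predict(s, xi)) for xi, yi, wi in zip(X, y, w)]
        z = sum(w)
        w = [wi / z for wi in w]             # misclassified records now carry half the mass
        if err <= 1e-12:
            break
    return model


def predict(model, x):
    score = sum(a * stump_predict(s, x) for a, s in model)
    return 1 if score > 0 else -1


def training_accuracy(model, X, y):
    return sum(predict(model, xi) == yi for xi, yi in zip(X, y)) / len(X)


if __name__ == "__main__":
    model = fit(X_TRAIN, Y_TRAIN)
    for alpha, (col, kind, value, pol) in model:
        print(f"alpha={alpha:.3f}  {FEATURES[col]} {'==' if kind == 'eq' else '<='} {value} -> {pol:+d}")
    print("training accuracy:", training_accuracy(model, X_TRAIN, Y_TRAIN))
```

Round one picks the categorical stump flag == S0, round two the continuous stump count > 103, and round three a src_bytes threshold that acts as the bias the first two cannot supply between them; only after the third round does the weighted vote get every training record right.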
16.
Defending yourself: the role of intrusion detection systems  Total citations: 1, self-citations: 0, other citations: 1
Intrusion detection systems (IDSs) are an important component of the defensive measures protecting computer systems and networks from abuse. This article considers the role of IDSs in an organization's overall defensive posture and provides guidelines for IDS deployment, operation and maintenance.
17.
18.
J. Gómez C. Gil R. Baños A. L. Márquez F. G. Montoya M. G. Montoya 《Soft Computing - A Fusion of Foundations, Methodologies and Applications》2013,17(2):255-263
Attacks against computer systems are becoming more complex, making it necessary to continually improve security systems such as intrusion detection systems, which protect computer systems by distinguishing between hostile and non-hostile activity. Intrusion detection systems are usually classified into two main categories, according to whether they are based on misuse (signature-based) detection or on anomaly detection. With the aim of minimizing the number of wrong decisions, a new Pareto-based multi-objective evolutionary algorithm is used to optimize the automatic rule generation of a signature-based intrusion detection system (IDS). This optimizer, embedded in a network IDS, has been evaluated using a benchmark dataset and real traffic from a Spanish university. The results obtained in this real application show the advantages of the multi-objective approach.
19.
宋彦京 《网络安全技术与应用》(Network Security Technology & Application) 2014,(11):51-52
Computer networks are now used widely in production and daily life, and information leaks caused by network security problems occur from time to time. Deploying intrusion detection systems and techniques in computer networks is a fundamental means of strengthening network security. This paper first gives an overview of computer network intrusion detection systems and techniques, then analyses the classification of detection techniques and the problems that remain, and finally looks at their future development.
20.
A methodology for testing intrusion detection systems  Total citations: 1, self-citations: 0, other citations: 1
Puketza N.J. Zhang K. Chung M. Mukherjee B. Olsson R.A. 《IEEE Transactions on Software Engineering》1996,22(10):719-729