Similar literature
Found 20 similar documents; search took 203 ms
1.
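Zhao Hui, Zhang Peng, 《计算机技术与发展》 (Computer Technology and Development), 2009, 19(8): 159-161, 165
Current intrusion detection systems still rely mainly on signature detection, which can detect only known intrusions, while anomaly detection can detect unknown intrusions but cannot guarantee accuracy and reliability. Signature detection is built on the precise identification of signatures, whereas anomaly detection is based on unreliable behavior and can only describe the trend of a behavior. This paper studies intrusion detection system models based on anomalies and signatures, and combines network anomaly signatures with anomaly detection techniques to improve the detection performance of the intrusion detection system.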

2.
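At present, high false-negative and false-positive rates remain the main problem of intrusion detection systems (IDS), and IDS mainly use two detection techniques: misuse-based and anomaly-based. Based on the respective strengths of these two techniques and their complementarity, this paper presents an IDS model that combines anomaly detection based on artificial immunity with misuse detection based on particle swarm optimization (PSO); the system also uses feature selection to reduce data dimensionality and improve detection performance. Experiments show that the system has a high detection rate and a low false-positive rate, can update its rule base automatically, and remembers unknown types of attack, making it an effective detection method.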

3.
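To address the relatively high false-positive rate of current intrusion detection systems (IDS) when detecting unknown anomalies, an intrusion detection method based on information feedback is proposed. A model in which the IDS and the host cooperate in detection is designed first, followed by a detailed description of how the IDS uses behavior analysis on the feedback information to detect unknown anomalies. Finally, an efficient intrusion detection system is implemented.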

4.
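As the second layer of defense in network security, intrusion detection plays an increasingly important role. The advantages and disadvantages of the signature detection and anomaly detection techniques are analyzed. Based on these advantages and disadvantages, an intrusion detection system model is proposed in which signature detection and cluster analysis cooperate. The model first performs signature detection to detect known intrusions, then applies cluster analysis to the remaining data to detect unknown intrusions, thereby both meeting the model's real-time requirements and overcoming the inability of signature detection alone to recognize new, unknown intrusions. Experimental results demonstrate the feasibility and effectiveness of the model.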

5.
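For critical-infrastructure monitoring systems built on wireless sensor networks, an Adaptively Supervised and Clustered Hybrid Intrusion Detection System (AC-IDS) is proposed to detect known and unknown intrusions during the sensor data aggregation phase. Built on a hybrid IDS framework, the system classifies the aggregated sensor data and feeds it into a machine-learning-based misuse detection subsystem and an anomaly detection subsystem, which detect known attacks and unknown attacks respectively. Experimental results show that the system's intrusion detection rate reaches 98.9%, and that its overall accuracy in detecting known and unknown malicious behavior in the sensor network is about 99.80%.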

6.
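Intrusion feature modeling based on data mining   Total citations: 6, self-citations: 0, citations by others: 6
By analyzing the role of data mining in the search for intrusion features, a feature mining model is proposed for use in hybrid intrusion detection systems that are both network-based and host-based. The model is built entirely with data mining techniques; it discriminates well between various known and unknown intrusions and is well suited to the hybrid intrusion detection systems that are popular today.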

7.
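At present, high false-negative and false-positive rates remain the main problem troubling IDS users, and intrusion detection systems mainly use two detection techniques: misuse-based and anomaly-based. To address this problem, schemes that combine the two techniques, drawing on their respective strengths and their complementarity, are increasingly used in IDS. This paper proposes MAIDS, an IDS model that combines statistics-based anomaly detection, pattern-matching-based misuse detection and other detection techniques, with the aim of reducing the false-negative and false-positive rates of the intrusion detection system and thereby improving system security.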

8.
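An improved Agent-based distributed intrusion detection system, AD IDS, is proposed, which integrates anomaly-based and misuse-based intrusion detection. The analysis Agent is implemented using a combination of pattern matching, statistical analysis and integrity analysis. Experiments show that it can discover some unknown attacks and that it improves detection speed.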

9.
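Analysis and evaluation of a cooperative detection model for intrusion detection   Total citations: 1, self-citations: 0, citations by others: 1
At present, intrusion detection systems (IDS) have a relatively high false-positive rate, which remains the main problem troubling IDS users. Intrusion detection systems mainly use two detection techniques, misuse-based and anomaly-based, and schemes that combine the two, drawing on their respective strengths and their complementarity, are increasingly used in IDS. By introducing the notion of intrusion detection capability, the paper explains in theoretical terms why cooperation between systems is necessary, and proposes an IDS model that combines anomaly detection with misuse detection, together with a method for evaluating it. The model reduces the false-positive rate that results from using a single intrusion detection technique alone, thereby improving system security.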

10.
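Based on an analysis of the two models of intrusion detection systems (IDS), misuse detection (Misuse Detection, MD) and anomaly detection (Anomaly Detection, AD), a two-layer intrusion detection analysis model is proposed. It combines an anomaly detection model based on cluster analysis with a graph-based misuse detection model, merging the advantages of both models to achieve higher efficiency.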

11.
Intrusion detection systems (IDSs) must be capable of detecting new and unknown attacks, or anomalies. We study the problem of building detection models for both pure anomaly detection and combined misuse and anomaly detection (i.e., detection of both known and unknown intrusions). We show the necessity of artificial anomalies by discussing the failure to use conventional inductive learning methods to detect anomalies. We propose an algorithm to generate artificial anomalies to coerce the inductive learner into discovering an accurate boundary between known classes (normal connections and known intrusions) and anomalies. Empirical studies show that our pure anomaly-detection model trained using normal and artificial anomalies is capable of detecting more than 77% of all unknown intrusion classes with more than 50% accuracy per intrusion class. The combined misuse and anomaly-detection models are as accurate as a pure misuse detection model in detecting known intrusions and are capable of detecting at least 50% of unknown intrusion classes with accuracy measurements between 75 and 100% per class.

12.
This paper reports the design principles and evaluation results of a new experimental hybrid intrusion detection system (HIDS). This hybrid system combines the advantages of low false-positive rate of signature-based intrusion detection system (IDS) and the ability of anomaly detection system (ADS) to detect novel unknown attacks. By mining anomalous traffic episodes from Internet connections, we build an ADS that detects anomalies beyond the capabilities of signature-based SNORT or Bro systems. A weighted signature generation scheme is developed to integrate ADS with SNORT by extracting signatures from anomalies detected. HIDS extracts signatures from the output of ADS and adds them into the SNORT signature database for fast and accurate intrusion detection. By testing our HIDS scheme over real-life Internet trace data mixed with 10 days of Massachusetts Institute of Technology/Lincoln Laboratory (MIT/LL) attack data set, our experimental results show a 60 percent detection rate of the HIDS, compared with 30 percent and 22 percent in using the SNORT and Bro systems, respectively. This sharp increase in detection rate is obtained with less than 3 percent false alarms. The signatures generated by ADS upgrade the SNORT performance by 33 percent. The HIDS approach proves the vitality of detecting intrusions and anomalies, simultaneously, by automated data mining and signature generation over Internet connection episodes.

13.
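Some problems with anomaly-based and misuse-based intrusion detection techniques are analyzed and, drawing on the principles of neural networks, a new intrusion detection technique based on the Hamming network is proposed. The technique remedies shortcomings of signature-based detection algorithms and improves the ability to detect unknown intrusion types. The Hamming-network intrusion detection technique is also analyzed and tested.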

14.
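Application of artificial anomalies in intrusion detection   Total citations: 2, self-citations: 0, citations by others: 2
For reasons inherent to the approach, anomaly detection has been difficult to apply in commercial intrusion detection systems. This paper constructs an intrusion detection system model and gives an algorithm for generating artificial anomalies. The results show that, after training with artificial anomalies, the model can detect the great majority of intrusion types unknown to the system. The model also performs well in detecting known intrusions.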

15.
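A survey of anomaly detection methods   Total citations: 1, self-citations: 0, citations by others: 1
Zhang Jian, Gong Jian, 《计算机科学》 (Computer Science), 2003, 30(2): 97-99
1 Introduction. The development of computer networking has changed the computing model that centered on stand-alone machines, but the risk of, and opportunities for, network intrusion have increased sharply as a result. Designing security measures to prevent unauthorized access to system resources and data is an important and urgent problem in the field of network security today. At present it is not realistic to expect to avoid security incidents entirely; all that network security staff can do is try their best to discover and notice intrusions and intrusion attempts, so that effective measures can be taken to block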

16.
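An intrusion detection system based on anomaly and misuse   Total citations: 1, self-citations: 0, citations by others: 1
Intrusion detection systems have developed considerably in recent years, but none is functionally complete. For this reason, misuse-based intrusion detection and anomaly-based detection are combined into one system. For misuse detection, the detection rules are classified and sorted, which greatly improves detection efficiency. Anomaly detection uses artificial immune techniques, giving the system strong detection capability for both known attacks and new attacks.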

17.
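Intrusion detection based on data mining   Total citations: 9, self-citations: 0, citations by others: 9
Xue Jingfeng, Cao Yuanda, 《计算机工程》 (Computer Engineering), 2003, 29(9): 17-18, 41
To address the shortcomings of existing intrusion detection methods, a method for constructing an intrusion detection system with data mining techniques is proposed, combining anomaly detection and misuse detection, and a prototype data-mining-based intrusion detection system is built with it. Experiments show that the system has a very high detection rate for known attack patterns and some ability to detect unknown attack patterns. The system also exhibits a degree of intelligence and adaptivity.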

18.
《Information Fusion》2008,9(1):69-82
Since the early days of research on intrusion detection, anomaly-based approaches have been proposed to detect intrusion attempts. Attacks are detected as anomalies when compared to a model of normal (legitimate) events. Anomaly-based approaches typically produce a relatively large number of false alarms compared to signature-based IDS. However, anomaly-based IDS are able to detect never-before-seen attacks. As new types of attacks are generated at an increasing pace and the process of signature generation is slow, it turns out that signature-based IDS can be easily evaded by new attacks. The ability of anomaly-based IDS to detect attacks never observed in the wild has stirred up a renewed interest in anomaly detection. In particular, recent work focused on unsupervised or unlabeled anomaly detection, due to the fact that it is very hard and expensive to obtain a labeled dataset containing only pure normal events. The unlabeled approaches proposed so far for network IDS focused on modeling the normal network traffic considered as a whole. As network traffic related to different protocols or services exhibits different characteristics, this paper proposes an unlabeled Network Anomaly IDS based on a modular Multiple Classifier System (MCS). Each module is designed to model a particular group of similar protocols or network services. The use of a modular MCS allows the designer to choose a different model and decision threshold for different (groups of) network services. This also allows the designer to tune the false alarm rate and detection rate produced by each module to optimize the overall performance of the ensemble. Experimental results on the KDD-Cup 1999 dataset show that the proposed anomaly IDS achieves high attack detection rate and low false alarm rate at the same time.

19.
Network intrusion detection is the problem of detecting unauthorised use of, or access to, computer systems over a network. Two broad approaches exist to tackle this problem: anomaly detection and misuse detection. An anomaly detection system is trained only on examples of normal connections, and thus has the potential to detect novel attacks. However, many anomaly detection systems simply report the anomalous activity, rather than analysing it further in order to report higher-level information that is of more use to a security officer. On the other hand, misuse detection systems recognise known attack patterns, thereby allowing them to provide more detailed information about an intrusion. However, such systems cannot detect novel attacks. A hybrid system is presented in this paper with the aim of combining the advantages of both approaches. Specifically, anomalous network connections are initially detected using an artificial immune system. Connections that are flagged as anomalous are then categorised using a Kohonen Self Organising Map, allowing higher-level information, in the form of cluster membership, to be extracted. Experimental results on the KDD 1999 Cup dataset show a low false positive rate and a detection and classification rate for Denial-of-Service and User-to-Root attacks that is higher than those in a sample of other works.

20.
A hybrid intrusion detection system design for computer network security   Total citations: 1, self-citations: 0, citations by others: 1
Intrusion detection systems (IDSs) are systems that try to detect attacks as they occur or after the attacks took place. IDSs collect network traffic information from some point on the network or computer system and then use this information to secure the network. Intrusion detection systems can be misuse-detection or anomaly detection based. Misuse-detection based IDSs can only detect known attacks whereas anomaly detection based IDSs can also detect new attacks by using heuristic methods. In this paper we propose a hybrid IDS by combining the two approaches in one system. The hybrid IDS is obtained by combining packet header anomaly detection (PHAD) and network traffic anomaly detection (NETAD) which are anomaly-based IDSs with the misuse-based IDS Snort which is an open-source project. The hybrid IDS obtained is evaluated using the MIT Lincoln Laboratories network traffic data (IDEVAL) as a testbed. Evaluation compares the number of attacks detected by misuse-based IDS on its own, with the hybrid IDS obtained combining anomaly-based and misuse-based IDSs and shows that the hybrid IDS is a more powerful system.
