Similar literature
Found 17 similar documents; search took 87 ms
1.
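Network Intrusion Detection Method Based on Rough Set Theory   Total citations: 1, self-citations: 0, citations by others: 1
Chen Weitong, Qian Yuntao. Computer Engineering (《计算机工程》), 2006, 32(16): 133-135
A network intrusion detection method based on rough set theory is proposed; a hybrid genetic algorithm is applied to compute the rough set reducts, which reduces computation time. Experimental results show that the method achieves a very high detection rate and a low false detection rate for DoS and Probe attacks, and also a fairly good detection rate for U2R and R2L attacks.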

2.
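Anomaly Detection Model Based on Support Vector Machine and Bayesian Classification   Total citations: 1, self-citations: 0, citations by others: 1
Quan Liangliang, Wu Weidong. Journal of Computer Applications (《计算机应用》), 2012, 32(6): 1632-1635
A study of network attack types and intrusion detection methods found that commonly used intrusion detection methods do not detect U2R and R2L attacks well. To address the low detection rate for U2R and R2L attacks in anomaly detection, an anomaly detection model based on support vector machine and Bayesian classification is proposed. The model uses the BIRCH clustering algorithm to reduce duplicate records in the training data set, and uses the support vector machine classification algorithm and the Bayesian classification algorithm to detect DoS and Probe attacks and U2R and R2L attacks, respectively. Experimental results show that the model raises the detection rates for U2R and R2L to 68.6% and 45.7%, respectively.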

3.
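In view of the shortcomings of traditional intrusion detection methods, such as a high false alarm rate and low detection rates for U2R and R2L attacks, this paper proposes an intrusion detection method based on a combination of multiple neural network classifiers. Experimental results show that the method not only effectively improves the detection rate but, in particular, has good detection capability for attacks such as U2R and R2L. The proposed intrusion detection method based on a combination of multiple neural network classifiers is therefore effective and practical.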

4.
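Detection accuracy is the key performance measure of an intrusion detection system (IDS). To address the imbalance in the number of training samples in intrusion detection, a topology learning method is proposed for training the network data classifier, and a multi-view intrusion detection method is used to further improve the detection rate. Experimental results show that the proposed method outperforms existing methods in detecting certain attack types. In particular, it improves detection of unauthorized remote access (R2L) attacks and unauthorized privilege escalation (U2R) attacks.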

5.
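Differential-Nonlinear Cryptanalysis of Reduced-Round SAFER++   Total citations: 1, self-citations: 0, citations by others: 1
SAFER++ is one of the seven block ciphers that entered the second round of the NESSIE evaluation. 4-round, 5-round and 6-round SAFER++ are analysed using a combination of differential cryptanalysis and nonlinear cryptanalysis. The results show that 6-round SAFER++ is not immune to this attack method, and that for attacks on 4-round and 5-round SAFER++ the attack complexity is greatly reduced compared with existing results. The attack is effective for 2^250 keys of 256-bit length.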

6.
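Cao Weidong, Xu Zhixiang. Journal of Computer Applications (《计算机应用》), 2019, 39(7): 1979-1984
Supervised-learning intrusion detection algorithms require large amounts of labeled data that are hard to collect, while unsupervised learning algorithms have low accuracy and low detection rates for R2L and U2R attacks. To address these problems, an efficient semi-supervised multi-level intrusion detection algorithm is proposed. First, using the Kd-tree index structure, the initial cluster centers of the K-means algorithm are selected in high-density sample regions by weighted density. Then, the clustered data are divided into three kinds of clusters, and the unlabeled clusters and mixed clusters are used, via Tri-training with a weighted voting rule, to expand the labeled data set. Finally, a hierarchical classification model is designed using a binary tree structure, and experiments are carried out on the NSL-KDD data set. The results show that, using only a small amount of labeled data, the semi-supervised multi-level intrusion detection model reaches detection rates of 49.38% and 81.14% for R2L and U2R respectively, effectively improving the detection rate for these two attack classes and thereby reducing the system's false negative rate.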

7.
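In recent years, with the development of information technology, cache side-channel attacks on information systems have emerged one after another. Since the idea of inferring keys through cache timing analysis was first proposed, cache side-channel attacks have gone through more than 10 years of development and evolution. This study reviews the risks of cache side-channel attacks in information systems and summarizes their attack scenarios, implementation levels, attack targets and attack principles. It systematically analyses defense techniques against cache side-channel attacks: starting from the different stages of defense, it analyses the two bodies of research on attack detection and defense implementation, and classifies and analyses defense methods according to their underlying principles. Finally, it summarizes and discusses research hotspots in cache side-channel attack and defense in the Internet ecosystem and points out future research directions, providing a reference for researchers who want to begin work in this field.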

8.
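Anomaly Intrusion Detection Based on Genetic Optimization and Fuzzy Rule Mining   Total citations: 1, self-citations: 1, citations by others: 0
An anomaly intrusion detection method based on an agent evolutionary computation framework and genetic fuzzy rule mining is proposed. By applying a fuzzy set distribution strategy, an interpretability control strategy and a fuzzy rule generation strategy, fuzzy set information is exchanged between agents, so that correct and interpretable fuzzy IF-THEN classification rules are effectively extracted from network data, optimizing the interpretability of the fuzzy system and improving its compactness. The method was tested on the KDD-Cup99 data set and compared with existing methods; the results show that its detection performance is slightly weaker for R2L attacks, while it achieves high classification accuracy and a low false alarm rate for DoS, Probe and U2R attacks.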

9.
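Fei Hongxiao, Hu Lin. Computer Engineering and Applications (《计算机工程与应用》), 2012, 48(22): 124-128, 243
To address the problems that intrusion detection systems collect massive, high-dimensional data, have complex detection models and have low detection accuracy, the strengths of rough set attribute reduction are used to find the attributes relevant to deciding whether an intrusion has occurred, and a decision tree classification algorithm is used to build the model and to perform intrusion prediction and classification on network connections. A network intrusion detection method combining rough set attribute reduction with decision tree predictive classification is thus proposed. Experimental results show that the method greatly improves intrusion detection accuracy, improves detection of DoS, Probe and R2L attacks, and at the same time greatly reduces the false alarm rate.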

10.
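To improve the ability of wavelet-transform-based digital watermarking algorithms to resist image rotation attacks, this paper proposes a wavelet-domain digital watermarking algorithm that resists rotation attacks. For the geometric attack caused by rotation, the Radon transform is used to compute a set of projection reference vectors R0 of the original image watermark at an angle of 0° and the projection reference vectors R of the image under test between 0° and 359°; the correlation coefficient between each set of projection reference vectors in R and R0 is then computed, and the angle θ corresponding to the projection reference vector with the largest correlation coefficient is found. Before watermark detection, the image is geometrically corrected using the angle θ, and the watermark is then extracted. Simulation results show that the method yields good visual image quality, is highly robust to rotation geometric attacks, and is also robust to noise addition, filtering, JPEG compression and cropping attacks.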

11.
A new dependency and correlation analysis for features   Total citations: 3, self-citations: 0, citations by others: 3
The quality of the data being analyzed is a critical factor that affects the accuracy of data mining algorithms. There are two important aspects of the data quality, one is relevance and the other is data redundancy. The inclusion of irrelevant and redundant features in the data mining model results in poor predictions and high computational overhead. This paper presents an efficient method concerning both the relevance of the features and the pairwise features correlation in order to improve the prediction and accuracy of our data mining algorithm. We introduce a new feature correlation metric Q_Y(X_i, X_j) and feature subset merit measure e(S) to quantify the relevance and the correlation among features with respect to a desired data mining task (e.g., detection of an abnormal behavior in a network service due to network attacks). Our approach takes into consideration not only the dependency among the features, but also their dependency with respect to a given data mining task. Our analysis shows that the correlation relationship among features depends on the decision task and, thus, they display different behaviors as we change the decision task. We applied our data mining approach to network security and validated it using the DARPA KDD99 benchmark data set. Our results show that, using the new decision dependent correlation metric, we can efficiently detect rare network attacks such as User to Root (U2R) and Remote to Local (R2L) attacks. The best reported detection rates for U2R and R2L on the KDD99 data sets were 13.2 percent and 8.4 percent with 0.5 percent false alarm, respectively. For U2R attacks, our approach can achieve a 92.5 percent detection rate with a false alarm of 0.7587 percent. For R2L attacks, our approach can achieve a 92.47 percent detection rate with a false alarm of 8.35 percent.

12.
Increasing complexity of large scale distributed systems is creating problems in managing faults and security attacks because of the manual style adopted for management. This paper proposes a novel approach called SHAPE to self-heal and self-protect the system from various kinds of faults and security attacks. It deals with hardware, software, and network faults and provides security against DDoS, R2L, U2L, and probing attacks. SHAPE is implemented and evaluated against various standard metrics. The results are provided to support the approach.

13.
In the network security system, intrusion detection plays a significant role. The network security system detects the malicious actions in the network and also conforms the availability, integrity and confidentiality of data information resources. An intrusion identification system can easily detect false positive alerts. If a large number of false positive alerts are created, it becomes difficult for the intrusion detection system to differentiate the false positive alerts from genuine attacks. Many research works have been done. The issues with the existing algorithms are that they use more memory space and need more time to execute the transactions of records. This paper proposes a novel framework of network security Intrusion Detection System (IDS) using Modified Frequent Pattern (MFP-Tree) via K-means algorithm. The accuracy rates of the Modified Frequent Pattern Tree (MFPT)-K means method in finding the various attacks are 94.89% for Normal, 98.34% for DoS based attacks, 96.73% for User to Root (U2R) attacks, 95.89% for Remote to Local (R2L) and 92.67% for Probe attacks, and it is optimal when compared with the other existing algorithms, K-Means and APRIORI.

14.
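Kernel Clustering and Sequence Analysis Method for Unsupervised Anomaly Detection   Total citations: 2, self-citations: 0, citations by others: 2
A kernel function is used to construct the feature space of the data, and in this space the initial cluster centers are selected using the kernel function combined with the RA algorithm. On the basis of kernel k-means clustering, the data are divided into large and small clusters; outlier separation is then performed within the large clusters to find the R2L, U2R and PROBE attacks that occur as low-probability events in the experimental data. In addition, closed sequential patterns are mined in the large clusters to obtain sequence rules describing them, from which the presence of DoS attacks is determined. Algorithm analysis and experimental results show that the proposed method achieves a high detection rate and reduces the false alarm rate.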

15.
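Xu Lei, Liu Donghao. Computer Engineering (《计算机工程》), 2010, 36(17): 173-175, 181
To address the problem of updating detection rules in network intrusion detection systems, a solution is proposed: the system's intrusion detection rules are represented by a rough set hierarchical decision table, and its incremental learning algorithm is used to learn new rules. Simulation results show that, compared with a system using only decision table rules, a system that represents rules with a hierarchical decision table requires less training time, has a low false negative rate, and detects Probe and R2L&U2R intrusions better.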

16.
Intrusion detection faces a number of challenges; an intrusion detection system must reliably detect malicious activities in a network and must perform efficiently to cope with the large amount of network traffic. In this paper, we address these two issues of Accuracy and Efficiency using Conditional Random Fields and Layered Approach. We demonstrate that high attack detection accuracy can be achieved by using Conditional Random Fields and high efficiency by implementing the Layered Approach. Experimental results on the benchmark KDD '99 intrusion data set show that our proposed system based on Layered Conditional Random Fields outperforms other well-known methods such as the decision trees and the naive Bayes. The improvement in attack detection accuracy is very high, particularly, for the U2R attacks (34.8 percent improvement) and the R2L attacks (34.5 percent improvement). Statistical Tests also demonstrate higher confidence in detection accuracy for our method. Finally, we show that our system is robust and is able to handle noisy data without compromising performance.

17.
We analyse the security of iterated hash functions that compute an input dependent checksum which is processed as part of the hash computation. We show that a large class of such schemes, including those using non-linear or even one-way checksum functions, is not secure against the second preimage attack of Kelsey and Schneier, the herding attack of Kelsey and Kohno and the multicollision attack of Joux. Our attacks also apply to a large class of cascaded hash functions. Our second preimage attacks on the cascaded hash functions improve the results of Joux presented at Crypto’04. We also apply our attacks to the MD2 and GOST hash functions. Our second preimage attacks on the MD2 and GOST hash functions improve the previous best known short-cut second preimage attacks on these hash functions by factors of at least 2^26 and 2^54, respectively. Our herding and multicollision attacks on the hash functions based on generic checksum functions (e.g., one-way) are a special case of the attacks on the cascaded iterated hash functions previously analysed by Dunkelman and Preneel and are not better than their attacks. On hash functions with easily invertible checksums, our multicollision and herding attacks (if the hash value is short as in MD2) are more efficient than those of Dunkelman and Preneel.
