Similar literature
 Found 20 similar documents; search took 140 ms
1.
Greater complexity and interconnectivity across systems embracing electrical power technologies has meant that cyber-security issues have attracted significant attention. In this paper a simulation environment for an intrusion detection system in an IEC 61850 standard-based substation automation system is provided to test simulated attacks on IEDs (intelligent electronic devices). Intrusion detection is the process of detecting malicious attackers, so it is an effective and mature security mechanism to protect electrical facilities. However, it is not harnessed when securing IEC 61850 automated substations. To prove the detection capability of the system, a testing environment was developed to analyze and test attacks simulated with different test cases. It shows that the simulation environment works according to various network traffic scenarios and eventually proves the functionality of the intrusion detection system to be later deployed in a real IEC 61850 based substation automation system site.

2.
Information systems are one of the most rapidly changing and vulnerable systems, where security is a major issue. The number of security-breaking attempts originating inside organizations is increasing steadily. Attacks made in this way, usually done by "authorized" users of the system, cannot be immediately traced. Because the idea of filtering the traffic at the entrance door, by using firewalls and the like, is not completely successful, the use of intrusion detection systems should be considered to increase the defense capacity of an information system. An intrusion detection system (IDS) is usually working in a dynamically changing environment, which forces continuous tuning of the intrusion detection model, in order to maintain sufficient performance. The manual tuning process required by current IDS depends on the system operators in working out the tuning solution and in integrating it into the detection model. Furthermore, an extensive effort is required to tackle the newly evolving attacks and a deep study is necessary to categorize them into the respective classes. To reduce this dependence, an automatically evolving anomaly IDS using a neuro-genetic algorithm is presented. The proposed system automatically tunes the detection model on the fly according to the feedback provided by the system operator when false predictions are encountered. The system has been evaluated using the Knowledge Discovery in Databases Conference (KDD 2009) intrusion detection dataset. A genetic paradigm is employed to choose the predominant features, which reveal the occurrence of intrusions. The neuro-genetic IDS (NGIDS) involves calculation of a weightage value for each of the categorical attributes so that data of uniform representation can be processed by the neuro-genetic algorithm. In this system unauthorized invasions by a user are identified and newer types of attacks are sensed and classified respectively by the neuro-genetic algorithm.
The experimental results obtained in this work show that the system achieves improvement in terms of misclassification cost when compared with conventional IDS. The results of the experiments show that this system can be deployed based on a real network or database environment for effective prediction of both normal attacks and new attacks.

3.
A survey of research on the development of intrusion detection systems   Total citations: 14, self-citations: 0, citations by others: 14
With the fast development of the Internet, more and more computer security affairs appear. Researchers have developed many security mechanisms to improve computer security, including intrusion detection (ID). This paper reviews the history of intrusion detection systems (IDS) and mainstream techniques used in IDS, showing that IDS could improve security only provided that it is devised based on the architecture of the target system. From this, we could see the trend of integration of host-oriented, network-oriented and application-oriented IDSs.

4.
5.
An advanced intrusion detection model based on Bayes decision   Total citations: 1, self-citations: 0, citations by others: 1
One key problem for an intrusion detection system is the correctness and efficiency of the detection algorithm. This paper presents a revised detection algorithm through the use of Bayes decision. Bayes decision is a random pattern classified recognition method of the pattern recognition theory. The algorithm in this paper is designed with reference to the least-risk Bayes decision. Experiments show that this algorithm has better performance. In the paper, we firstly introduce the Bayes algorithm and threshold selection algorithm. Then, depending on the decision, the detection algorithm of the intrusion detection system is designed. In the end, the experiment results are provided.

6.
Node grouping in system-level fault diagnosis   Total citations: 7, self-citations: 0, citations by others: 7
With the popularization of network applications and multiprocessor systems, dependability of systems has drawn considerable attention. This paper presents a new technique of node grouping for system-level fault diagnosis to simplify the complexity of large system diagnosis. The technique transforms a complicated system to a group network, where each group may consist of many nodes that are either fault-free or faulty. It is proven that the transformation leads to a unique group network to ease system diagnosis. Then it studies systematically the one-step t-faults diagnosis problem based on node grouping by means of the concept of independent point sets and gives a simple sufficient and necessary condition. The paper presents a diagnosis procedure for t-diagnosable systems. Furthermore, an efficient probabilistic diagnosis algorithm for practical applications is proposed based on the belief that most of the nodes in a system are fault-free. The result of software simulation shows that the probabilistic diagnosis provides high probability of correct diagnosis and low diagnosis cost, and is suitable for systems of any kind of topology.

7.
Research on a network monitoring and administration architecture with early-warning capability   Total citations: 1, self-citations: 0, citations by others: 1
The architecture of network monitoring administration with precaution is presented. Related technologies and approaches to realize the architecture are analyzed and provided. The architecture consists of a precaution subsystem and a monitoring administration subsystem. With building an adaptive abnormal detection model and taking abnormal assessment approach, the precaution subsystem can forewarn the intrusion attempts and send the precaution information to the monitoring administration subsystem in real time. Then the monitoring administration subsystem can take some countermeasures in advance. Moreover, based on intrusion tolerance technology, the monitoring administration subsystem can reconfigure the resources and the security policies when facing active intrusions, so as to provide the expected users with timely services and ensure the security of the protected services as well.

8.
A survey of research on network intrusion traceback   Total citations: 8, self-citations: 0, citations by others: 8
张静  龚俭 《计算机科学》2003,30(10):155-159
A traceback system is a system for finding the hacker's real location on the network autonomously. It can be divided into two kinds: the IP Packet Traceback system and the Connection Traceback system. The goal of the IP Packet Traceback system is to trace back the Real Source that sends the IP Address Spoofed packet, focused on the method that uses the intermediate routers. The Connection Traceback system traces back the Real Source of a Detoured Intrusion; the detoured attack is an attack that is done via several systems. Because of more and more attackers emerging in recent years, a model that can apply to the current Internet should be developed, and a real-time traceback system is needed to actively defend against the hacking.

9.
A key issue of dynamic load balancing in a loosely coupled distributed system is selecting appropriate jobs to transfer. In this paper, a job selection policy based on on-line predicting behaviors of jobs is proposed. Tracing is used at the beginning of execution of a job to predict the approximate execution time and resource requirements of the job so as to make a correct decision about whether transferring the job is worthwhile. A dynamic load balancer using the job selection policy has been implemented. Experimental measurement results show that the policy proposed is able to improve mean response time of jobs and resource utilization of systems substantially.

10.
A collaborative distributed intrusion detection system based on lightweight agents   Total citations: 4, self-citations: 0, citations by others: 4
The LAFCDIDS (Lightweight Agent for Collaborative Distribution Intrusion Detection System) presented in this paper is a distributed intrusion detection system with the ability of collaborative detection in real time. The hierarchy architecture of agents and the ability of collaborative detection in real time are evident characteristics of the LAFCDIDS. Lightweight agent and agent sensitivity are LAFCDIDS's new concepts, which can reduce the overload of the protected system, shorten the period of intrusion detection, and are suitable for monitoring distributed collaborating attacks.

11.
张书奎 《计算机工程》2007,33(9):134-136
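The overall structure of an automated intrusion response system is presented, and the possible response methods are summarized as the premise and basis of the research. The Mobile Agent-based event decision mechanism, adaptive techniques, and collaboration techniques are introduced, and a corresponding prototype system is completed. The system offers advantages such as easy extensibility, simple configuration, avoidance of single points of failure, and operation in heterogeneous environments, and it improves the system's fault tolerance and collaboration capability while maintaining node controllability and detection efficiency.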

12.
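Research on automated intrusion response systems   Total citations: 3, self-citations: 0, citations by others: 3
Faced with a large number of network attack events, an automated intrusion response system can proactively take measures after an intrusion occurs to stop the intrusion from continuing and reduce the system's losses, protecting the victim system. This paper gives the structure and a simple classification of automated intrusion response, analyzes the techniques and methods of automated intrusion response systems based on adaptive technology, mobile agent technology, the IDIP protocol, and active networks, and points out the current problems of automated intrusion response systems and future research directions.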

13.
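The rapid development and application of networks has brought much convenience to people's lives and work, but it has also brought many losses. Adaptive intrusion detection can take response measures in time to stop an attack from continuing and reduce the system's losses. This paper analyzes the techniques and requirements of adaptive intrusion detection and proposes a structure for an adaptive system, building an adaptive intrusion detection system through pattern matching, data mining and machine learning, intent recognition, and adaptive techniques.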

14.
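Research on automated intrusion response technology   Total citations: 3, self-citations: 0, citations by others: 3
The basic characteristics and system model of automated intrusion response are first given, and the main techniques related to automated intrusion response are then discussed. On this basis, the implementation methods of two automated response systems are analyzed. Finally, the current problems of automated response and its future development directions are pointed out.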

15.
Research on an RFID intrusion detection model based on immune networks   Total citations: 2, self-citations: 1, citations by others: 1
郭建华  杨海东  邓飞其 《计算机应用》2008,28(10):2481-2484
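To address the limitations of security strategies such as encryption and authentication on low-cost tags in radio frequency identification (RFID), intrusion detection is adopted as a new security strategy for RFID systems. By analyzing typical security attacks on RFID systems, and based on artificial immune networks, an intrusion feature extraction method and an intrusion analysis method are proposed, and an adaptive RFID intrusion detection model is built. Without requiring changes to existing RFID technical standards, the model complements existing security strategies such as encryption and authentication to improve the security protection capability of RFID systems. Experiments show that the model has very low false-detection and missed-detection rates.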

16.
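By analyzing the problems of current intrusion response systems, an intrusion response model built on Petri-net-based workflow and the J2EE framework is proposed. The model first filters all alert events and then responds to them; while responding to the current alert event, it uses the relationships among alert information to issue online early warnings of attacks that may occur next and to generate corresponding response measures. Experimental analysis shows that the model can proactively take measures after an intrusion occurs to stop the intrusion from continuing and reduce the system's losses, protecting the victim system.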

17.
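A survey of research on automated intrusion response decision-making techniques   Total citations: 1, self-citations: 0, citations by others: 1
The role and importance of automated intrusion response systems are briefly introduced. The issues involved in automated intrusion response decision-making techniques are divided hierarchically. The role of intrusion response goals and policies in intrusion response decision-making, and the state of research on them, are described. The response decision factors in existing automated intrusion response systems are introduced, the role of response factors in decision-making is analyzed, and these response factors are classified. The concept of intrusion response timing is proposed; existing decision models for intrusion response timing and for intrusion response measures are discussed in detail, and the characteristics and problems of these models are analyzed. The architecture, response timing decision method, response measure decision method, and experimental results of IDAM & IRS, an intrusion detection alert management and intrusion response system, are presented, and the main features of IDAM & IRS are described. Finally, the development directions of automated intrusion response decision-making techniques are summarized.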

18.
Mobile ad hoc network offers convenient infrastructure-less communication over the shared wireless channel. However, the nature of ad hoc networks makes them vulnerable to security attacks. Existing security technologies such as intrusion prevention and intrusion detection are passive in response to intrusions in that their countermeasures are only to protect the networks and there is no automated, network-wide counteraction against detected intrusions. While they all play an important role in counteracting intrusion, they do not, however, effectively address the root cause of the problem - intruders. In this paper, we propose the architecture of automated intrusion response. When an intruder is found in our architecture, the block agents will get to the neighbor nodes of the intruder and form a firewall to isolate the intruder. In the end, we illustrate our architecture by an example.

19.
Preventive measures sometimes fail to deflect malicious attacks. With attacks on data-intensive applications becoming an ever more serious threat, intrusion tolerant database systems are a significant concern. The main objective of such systems is to detect attacks, and to assess and repair the damage in a timely manner. This paper focuses on efficient damage assessment and repair in distributed database systems. The complexity caused by data partition, distributed transaction processing, and failures makes intrusion recovery much more challenging than in centralized database systems. This paper identifies the key challenges and presents an efficient algorithm for distributed damage assessment and repair.

20.
Intrusion detection has become an indispensable tool to keep information systems safe and reliable. Most existing anomaly intrusion detection techniques treat all types of attacks as equally important without any differentiation of the risk they pose to the information system. Although detection of all intrusions is important, certain types of attacks are more harmful than others and their detection is critical to protection of the system. This paper proposes a new one-class classification method with differentiated anomalies to enhance intrusion detection performance for harmful attacks. We also propose new extracted features for host-based intrusion detection based on three viewpoints of system activity such as dimension, structure, and contents. Experiments with a simulated dataset and the DARPA 1998 BSM dataset show that our differentiated intrusion detection method performs better than existing techniques in detecting specific types of attacks. The proposed method would benefit even other applications in the anomaly detection area beyond intrusion detection.
