Similar literature
 Found 20 similar articles; search took 15 ms
1.
In most spectral clustering approaches, the Gaussian kernel‐based similarity measure is used to construct the affinity matrix. However, such a similarity measure does not work well on a dataset with a nonlinear and elongated structure. In this paper, we present a new similarity measure to deal with the nonlinearity issue. The maximum flow between data points is computed as the new similarity, which can satisfy the requirement for similarity in the clustering method. Additionally, the new similarity carries the global and local relations between data. We apply it to spectral clustering and compare the proposed similarity measure with other state‐of‐the‐art methods on both synthetic and real‐world data. The experiment results show the superiority of the new similarity: 1) The max‐flow‐based similarity measure can significantly improve the performance of spectral clustering; 2) It is robust and not sensitive to the parameters.

2.
Software‐defined networking (SDN) is an innovative network paradigm much in demand today in academics and industry. In this network, the SDN controller must be able to observe and examine traffic flow through the network systems. However, a major drawback is that intrusion‐based data packets affect the whole system. To overcome this issue, we propose a Novel Agent Program (NAP) framework for preventing switches from the external compromised attacks. A Meta‐Heuristic Bayesian Network Classification (MHBNC) algorithm for intrusion detection is proposed in this paper. The proposed algorithm follows certain procedures for preprocessing, feature selection, feature optimization, and classification. Normal and anomaly‐based data packets are classified successfully with its improved detection capabilities based on the optimization technique. The simulation results of the proposed ID_MBC (intrusion detection based on meta‐heuristic Bayesian classifier) technique are compared with existing techniques such as the association rule, PSO+GA, and the GA+RVM. The proposed MHBNC classifier performs better than existing methods.

3.
Anomaly detection in IP networks   Total citations: 8, self-citations: 0, citations by others: 8
Network anomaly detection is a vibrant research area. Researchers have approached this problem using various techniques such as artificial intelligence, machine learning, and state machine modeling. In this paper, we first review these anomaly detection methods and then describe in detail a statistical signal processing technique based on abrupt change detection. We show that this signal processing technique is effective at detecting several network anomalies. Case studies from real network data that demonstrate the power of the signal processing approach to network anomaly detection are presented. The application of signal processing techniques to this area is still in its infancy, and we believe that it has great potential to enhance the field, and thereby improve the reliability of IP networks.

4.
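Anomaly intrusion detection based on a constructive kernel covering algorithm   Total citations: 1, self-citations: 0, citations by others: 1
周鸣争, 楚宁, 强俊. 《电子学报》 (Acta Electronica Sinica), 2007, 35(5): 862-867
This paper introduces the constructive kernel covering algorithm into intrusion detection research and proposes an anomaly intrusion detection algorithm based on constructive kernel covering for monitoring abnormal process behavior. It first analyzes the feasibility of applying the kernel covering classification algorithm to intrusion detection, then describes in detail the extension of the kernel covering algorithm to heterogeneous datasets and proposes an anomaly intrusion detection model based on kernel covering. Using the sendmail system call sequence dataset as an example, the working process of the model is discussed in detail. Finally, the simulation results are compared with those of other methods; the results show that the detection performance of this method is better than that of other comparable methods.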

5.
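郑磊, 韩鹏军. 《信息技术》 (Information Technology), 2021, (1): 163-168
To address the problem that misuse detection and anomaly detection methods lack analysis of network risk factors, resulting in a low network vulnerability detection rate, a study on detecting network security vulnerabilities based on big-data Hadoop technology is proposed. A normalized direct-relation matrix is constructed and a total-relation matrix is generated to determine the attributes of network risk elements, from which network risk is analyzed. A Hadoop framework is built, vulnerability information on intrusion behavior is collected, and a core device is set up to handle network vulnerabilities. With external interference avoided, network vulnerabilities are evaluated...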

6.
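A big-data-based traffic anomaly detection mechanism for electric power information networks   Total citations: 2, self-citations: 0, citations by others: 2
With the strengthening of smart grid construction, electric power information networks and the business systems they carry have developed rapidly, and the detection and early warning of network service traffic is of great security significance. To address the current lack of effective technical means for handling traffic anomalies in electric power information networks, a big-data-based traffic anomaly detection mechanism for electric power information networks is proposed. Through a comparative analysis of two commonly used anomaly detection algorithms, the modified local outlier factor (M-LOF) and support vector domain data description (SVDD), a traffic anomaly detection method suited to electric power information networks is summarized.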

7.
Anomaly detection is emerging as a necessary component as wireless networks gain popularity. Anomaly detection has been addressed broadly in wired networks and powerful methods have been developed for correct detection of a variety of known attacks and other anomalies. In this paper, we propose a real-time anomaly detection and identification scheme for wireless mesh networks (WMN) using components from previous methods developed for wired networks. Experiments over a WMN testbed show the effectiveness of the proposed scheme in isolating different types of anomalies, such as Denial-of-service attacks, port scan attacks, etc. Our scheme uses Chi-square statistics and it is based on similar ideas as the scheme presented by Lakhina et al. although it has lower computational complexity. The original method by Lakhina et al. was developed for wired networks and used Principal Component Analysis (PCA) for reducing the dimensions of observed data and Hotelling’s t² statistics to distinguish between normal and abnormal traffic conditions. However, in our studies we found that dimension reduction is the most computationally intensive process of the scheme. In this paper we propose an alternative way of reducing dimensions using flow variances in a Chi-square test. Experimental results show that the Chi-square test performs similarly well to the PCA-based method at merely a fraction of the computations. Moreover, we propose an automatic identification scheme to pin-point the cause of the detected anomaly and its contribution in terms of additional or lack of traffic. Our results and comparison with other statistical tools show that the Chi-square test and the PCA-based method with identification scheme make powerful tools for real-time detection of various anomalies in an interference prone wireless networking environment.

8.
In the recent era, the security issues affecting the future Internet‐of‐Things (IoT) standards have attracted noteworthy consideration from numerous research communities. In this view, numerous assessments in the form of surveys were proposed highlighting several future IoT‐centric subjects together with threat modeling, intrusion detection systems (IDS), and various emergent technologies. In contrast, in this article, we have focused exclusively on the emerging IoT‐related vulnerabilities. This article is a multi‐fold survey that emphasizes understanding the crucial causes of novel vulnerabilities in IoT paradigms and issues in existing research. Initially, we have emphasized different layers of IoT architecture and highlighted various emerging security challenges associated with each layer along with the key issues of different IoT systems. Secondly, we discuss the exploitation, detection, and defense methodologies of IoT malware‐enabled distributed denial of service (DDoS), Sybil, and collusion attack capabilities. We have also discussed numerous state‐of‐the‐art strategies for intrusion detection and methods for IDS setup in future IoT systems. Third, we have presented a brief classification of existing IoT authentication protocols and a comparative analysis of such protocols based on different IoT‐enabled cyber attacks. For conducting real‐time future IoT research, we have presented some emerging blockchain solutions. We have also discussed a comparative examination of some of the recently developed simulation tools and IoT test beds that are characterized based on different layers of IoT infrastructure. We have also outlined some of the open issues and future research directions and also provide readers with a broad classification of existing surveys in this domain that addresses several scopes related to the IoT paradigm. This survey article focuses on enabling IoT‐related research activities by comparing and merging scattered surveys in this domain.

9.
Botnets have been recently recognized as one of the most formidable threats on the Internet. Different approaches have been designed to detect these types of attacks. However, as botnets evolve their behavior to mislead the signature‐based detection systems, learning‐based methods may be deployed to provide a generalization capacity in identifying unknown botnets. Developing an adaptable botnet detection system, which incrementally evolves with the incoming flow stream, remains a challenge. In this paper, a self‐learning botnet detection system is proposed, which uses an adaptable classification model. The system uses an ensemble classifier and, in order to enhance its generalization capacity, updates its model continuously on receiving new unlabeled traffic flows. The system is evaluated with a comprehensive data set, which contains a wide variety of botnets. The experiments demonstrate that the proposed system can successfully adapt in a dynamic environment where new botnet types are observed during the system operation. We also compare the system performance with other methods.

10.
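In view of the uncertainty and fuzziness of network traffic feature attributes, intuitionistic fuzzy reasoning theory is introduced into the field of anomaly detection, and this paper proposes an intuitionistic fuzzy reasoning anomaly detection method based on inclusion degree. First, membership and non-membership functions for feature attributes in anomaly detection are designed. Second, a strong similarity calculation method based on inclusion degree is given and an inference rule base is generated. Third, multi-dimensional multiple intuitionistic fuzzy reasoning rules are given. Finally, an intuitionistic fuzzy reasoning method for anomaly detection is established. Experiments on the standard anomaly detection dataset KDD99 verify the effectiveness of the method; compared with common classical anomaly detection methods, it achieves better detection performance.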

11.
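To address the problems that existing network traffic anomaly detection methods are unsuitable for real-time wireless sensor network (WSN) detection environments and lack a reasonable anomaly decision mechanism, this paper proposes a WSN traffic anomaly detection scheme based on balanced iterative reducing and clustering using hierarchies (BIRCH). On the basis of expanding the traffic feature dimensions, the scheme uses the BIRCH algorithm to cluster traffic features and optimizes the BIRCH clustering process by designing a dynamic cluster threshold and neighbor cluster indices, in order to improve the algorithm's clustering...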

12.
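An SVM anomaly intrusion detection method based on rough set attribute reduction   Total citations: 3, self-citations: 2, citations by others: 1
唐忠, 曹俊月. 《通信技术》 (Communications Technology), 2009, 42(2): 261-263
This article proposes a support vector anomaly intrusion detection method based on rough set attribute reduction. To verify the effectiveness of the method, simulation experiments were run on the KDD99 experimental dataset using both the support vector classification method with rough set attribute reduction and the traditional support vector classification method, and the experimental results of the two were compared. The experiments show that, with comparable detection accuracy, the support vector anomaly intrusion detection method based on rough set attribute reduction effectively reduces detection time and storage space.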

13.
The increasing number of network attacks causes growing problems for network operators and users. Thus, detecting anomalous traffic is of primary interest in IP networks management. In this paper, we address the problem considering a method based on PCA for detecting network anomalies. In more detail, this paper presents a new technique that extends the state of the art in PCA‐based anomaly detection. Indeed, by means of multi‐scale analysis and Kullback–Leibler divergence, we are able to obtain great improvements with respect to the performance of the ‘classical’ approach. Moreover, we also introduce a method for identifying the flows responsible for an anomaly detected at the aggregated level. The performance analysis, presented in this paper, demonstrates the effectiveness of the proposed method. Copyright © 2012 John Wiley & Sons, Ltd.

14.
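To address the backlog of computation caused by fixed feedback time points and the large volume of meaningless sampled traffic data in link-layer anomaly detection, an improved anomaly detection model based on traffic feature values is proposed, focusing on how a feedback computation mechanism can reasonably optimize computing tasks within a period and reduce sampled data. On the one hand, based on an in-depth analysis of the clustering behavior of flow durations and the optimal clusters of their possible clustering, the unified feedback time is distributed across the individual cluster time points. On the other hand, based on the divisibility of flow time series, traffic data are divided into periods, and a fitting function is designed to quantify traffic features within each period. On this basis, an improved feedback mechanism and anomaly detection algorithm flow are designed. Simulation experiments show that the proposed model and algorithm not only improve detection accuracy by optimizing feedback computation time, but also improve detection efficiency by reducing redundancy in sampled data.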

15.
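This paper proposes a neural-network-based detection method for traffic anomalies. Based on a careful analysis of network traffic anomalies, traffic feature data are extracted and, after preprocessing, analyzed by an optimized BP neural network, which can accurately detect traffic anomalies. Test results show that the model detects traffic anomalies with high accuracy.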

16.
Spectral clustering is a powerful tool for exploratory data analysis. Many existing spectral clustering algorithms typically measure the similarity by using a Gaussian kernel function or an undirected k‐nearest neighbor (kNN) graph, which cannot reveal the real clusters when the data are not well separated. In this paper, to improve the spectral clustering, we consider a robust similarity measure based on the shared nearest neighbors in a directed kNN graph. We propose two novel algorithms for spectral clustering: one based on the number of shared nearest neighbors, and one based on their closeness. The proposed algorithms are able to explore the underlying similarity relationships between data points, and are robust to datasets that are not well separated. Moreover, the proposed algorithms have only one parameter, k. We evaluated the proposed algorithms using synthetic and real‐world datasets. The experimental results demonstrate that the proposed algorithms not only achieve a good level of performance, they also outperform the traditional spectral clustering algorithms.

17.
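Anomalous pixels in hyperspectral images typically occur with low probability in the image and lie outside the background data cloud; how to determine these anomalous pixels "automatically" is an important research direction in hyperspectral remote sensing image processing. Classical hyperspectral anomaly detection methods generally start from the statistical properties of the image. The widely used RXD anomaly detection algorithm computes the second-order statistics of the image and can directly give the distribution of anomalous points with low algorithmic complexity, but its drawback is that it does not consider the image's higher-order statistical information. Anomaly detection algorithms based on independent component analysis do take into account the sensitivity of higher-order statistics to anomalous points, but they require repeated iterations to extract anomalous components before performing anomaly detection on the extracted components. This paper proposes an anomaly detection algorithm based on the cokurtosis tensor; it does not need to extract anomalous components in advance and can directly test the observed pixels one by one, thereby giving the distribution of anomalous points. Experimental results on simulated and real data show that the method can detect anomalous pixels while better suppressing background information and reducing the false alarm rate, thereby improving anomaly detection accuracy.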

18.
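In the industrial Internet environment, automatic and effective anomaly detection methods are of great significance for the safe and stable production of industrial systems. Traditional anomaly detection methods have shortcomings such as requiring large numbers of labeled samples and being ill-suited to high-dimensional time series data, so an industrial system anomaly detection method based on an LSTM autoencoder is proposed. To overcome existing methods' reliance on labeled samples, an autoencoder is used to learn the features and patterns of a large number of normal samples in an unsupervised manner, and anomaly detection is then performed by reconstructing samples and computing the reconstruction error. Second, to overcome existing methods' poor fit to high-dimensional time series data, a bidirectional LSTM is used as the encoder to mine the latent features of multi-dimensional time series data. Experiments on a real paper-industry dataset show that the proposed method improves on existing unsupervised anomaly detection methods across all metrics, with an overall detection accuracy of 93.4%.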

19.
In real‐world intelligent transportation systems, accuracy in vehicle license plate detection and recognition is considered quite critical. Many algorithms have been proposed for still images, but their accuracy on actual videos is not satisfactory. This stems from several problematic conditions in videos, such as vehicle motion blur, variety in viewpoints, outliers, and the lack of publicly available video datasets. In this study, we focus on these challenges and propose a license plate detection and recognition scheme for videos based on a temporal matching prior network. Specifically, to improve the robustness of detection and recognition accuracy in the presence of motion blur and outliers, forward and bidirectional matching priors between consecutive frames are properly combined with layer structures specifically designed for plate detection. We also built our own video dataset for the deep training of the proposed network. During network training, we perform data augmentation based on image rotation to increase robustness regarding the various viewpoints in videos.

20.
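To address the problems that, when constructing network traffic anomaly detection datasets by probabilistic sampling, the sampling needs of large and small flows cannot both be met and flash crowds are not distinguished from traffic attacks, this paper proposes a probabilistic flow sampling method for traffic anomaly detection. Flows are classified by destination and source IP address; the sampling rate of each flow class is defined as the maximum of the sampling rates of its destination and source IP addresses, and the number of sampled flows is rounded up during sampling, ensuring that each flow class is sampled at least once, so that the sampled dataset effectively reflects the distribution of the original traffic in terms of large and small flows and source and destination IP addresses. Source IP address entropy is used to characterize the dispersion of the source IP addresses of anomalous flows, and an attack flow sampling algorithm is designed based on a source IP address entropy threshold, reducing the sampling probability of non-attack anomalous flows caused by flash crowds. Simulation results show that the method meets the sampling needs of both large and small flows, has strong anomalous flow sampling capability, can sample all suspicious source and destination IP addresses related to anomalous flows, and can filter out non-attack anomalous flows during sampling.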
