Similar literature
19 similar documents found.
1.
Intrusion detection based on clonal selection clustering   Total citations: 1 (self-citations: 1, citations by others: 1)
Bai Lin, 《微电子学与计算机》 (Microelectronics & Computer), 2007, 24(3): 135-137, 141
A fuzzy clustering algorithm based on clonal selection is proposed and applied to network intrusion detection. The distance measure is improved for the mixed attributes of intrusion data, enabling anomaly detection on large-scale raw data with mixed attributes and effective detection of unknown attacks. Comparative simulation experiments on the KDD CUP 99 dataset show that the algorithm achieves satisfactory detection rates for both known and unknown attacks and a satisfactory false alarm rate.

2.
To improve the overall performance of wireless network intrusion detection models, this paper uses a recurrent neural network (RNN) algorithm to build a wireless network intrusion detection classification model. To address the over-fitting of the classification model caused by the unbalanced distribution of training samples in wireless network intrusion detection data, a window-based instance selection algorithm is proposed to reduce the training set, after preprocessing the raw data by cleaning, transformation and feature selection. The network structure, activation function and reusability of the attack classification model are jointly optimized experimentally; the resulting optimized model reaches a classification accuracy of 98.6699% with a running time of 9.13 s after overall optimization. Compared with the results of other machine learning algorithms, the optimized method performs well in both classification accuracy and execution efficiency, and its overall performance is superior to traditional intrusion detection classification models.

3.
An efficient intrusion detection model based on SVM feature selection and the C4.5 data mining algorithm is proposed. By training the model on attack data after feature extraction, various intrusions can be recognized effectively and detection speed improved. Tests on the classic KDD 1999 intrusion detection dataset show that the data mining model can be trained efficiently on attack patterns and can detect network attacks correctly and effectively using the selected features.

4.
Moving target defense based on adaptive transformation of the network attack surface is a new type of network defense technology. Its core consists of an intrusion detection and defense mechanism, adaptivity, and an adaptive hopping function. The design modules include a packet capture module, a management and control module, an intrusion detection module, an access control module and an adaptive module. The adaptive module can adaptively detect and identify external attacks; using an adaptive transformation algorithm, commands issued through the management and control module redirect the attack to other IP addresses, ports and operating systems.

5.
For the multi-sensor data fusion problem, this paper proposes an adaptive weighted data fusion algorithm based on batch estimation. The algorithm computes the variance of the collected data in batches over time series and spatial series, removes noisy points by a data consistency check, and thereby obtains the adaptive factors. The data are then fused by the adaptive weighting method to obtain the predicted value. Simulation experiments are carried out on simulated Internet of Things data. The results show that applying adaptive weighted multi-sensor data fusion based on batch estimation improves the accuracy of sensor measurements and the reliability of the system: compared with the traditional adaptive method, the root mean square error of the batch-estimation-based adaptive weighted average method is reduced by 10% and accuracy improves by 2.3%.

6.
The fuzzy C-means (FCM) algorithm is widely used in intrusion detection. Building on it, a shadowed-set-based rough fuzzy clustering algorithm (SRFCM) is applied to partition intrusion data more effectively. To improve detection performance, a new "two-step" method is also proposed: the algorithm is first used to divide network data into normal and intrusion classes, and then used again to divide the intrusion data into different attack types, which effectively improves detection performance. Simulation experiments on the KDD CUP 1999 dataset show that the two-step method achieves a high detection rate in intrusion detection.

7.
APT (advanced persistent threat) attacks targeting the critical information infrastructure of government agencies, research institutions and large enterprises are increasing year by year. This paper summarizes the three main characteristics of APTs against national critical information infrastructure (advanced, persistent and targeted), analyzes the eight usual steps of an APT, lists the shortcomings of common traditional defenses such as firewalls, IPS (intrusion prevention systems), IDS (intrusion detection systems), anti-virus software and log auditing, and proposes a new approach to APT defense that combines management and technical measures.

8.
Zhou Ping, Gao Zhonghe, 《通信技术》 (Communications Technology), 2014, (9): 1079-1083
To detect DDoS attacks accurately and promptly, a new DDoS attack detection algorithm is proposed. Building on traditional wavelet-analysis-based DDoS detection, the algorithm incorporates principal component analysis together with the DDoS detection method of wavelet analysis; a corresponding model and algorithm are designed to detect DDoS attacks, and information entropy from information theory is introduced to measure the dispersion of source IP addresses. A threshold is set adaptively according to changes in the Hurst exponent and the entropy value during the initial stage in order to detect the onset of an attack. Experimental results show that the method greatly improves the speed of DDoS detection.

9.
《现代电子技术》 (Modern Electronics Technique), 2017, (22): 63-65
After a network is attacked and penetrated, channel instability and link output distortion easily occur, reducing network reliability. Therefore, a post-attack network reliability estimation model based on adaptive equalization is proposed. The transmission link model of the attacked network is built; link fading modulation is used to reduce the damage of network attacks to the transmission channel; the transmission channel is equalized segment by segment; and an adaptive weighting algorithm compensates link distortion, achieving adaptive equalization of the network link. Simulation results show that using this method for post-attack network reliability estimation improves the ability to detect network intrusions, suppresses the channel damage caused by attacks, and improves network security.

10.
《现代电子技术》 (Modern Electronics Technique), 2015, (24): 79-82
Traditional network intrusion target detection methods suffer from a high false negative rate and weak performance in detecting uncertain intrusion data, and cannot meet the needs of security detection in hybrid networks. Based on the structural characteristics of hybrid networks, optimal intrusion target detection software is designed and implemented. The software comprises a load balancing module, a misuse detection module and an adaptive matching algorithm module, and uses the multiple homogeneous cores of a multi-core network processor as hybrid-network intrusion detection engines. An adaptive multi-pattern matching model dynamically regulates the pattern matching algorithm according to the state and characteristics of the hybrid network, ensuring maximum utilization of the intrusion target detection engines. The matching model includes a normalization pre-operation process, a traffic detection process and a dynamic regulation process. The multi-core packet processing procedure under the hybrid network structure and the optimized code of the matching algorithm are given. Experimental results show that the designed intrusion detection software can effectively detect intrusion targets in hybrid networks with high detection performance.

11.
Extensive research activities have been observed on network-based intrusion detection systems (IDSs). However, there are always some attacks that penetrate traffic-profiling-based network IDSs. These attacks often cause very serious damage such as modifying critical host files. A host-based anomaly IDS is an effective complement to the network IDS in addressing this issue. This article proposes a simple data preprocessing approach to speed up hidden Markov model (HMM) training for system-call-based anomaly intrusion detection. Experiments based on a public database demonstrate that this data preprocessing approach can reduce training time by up to 50 percent with unnoticeable intrusion detection performance degradation, compared to a conventional batch HMM training scheme. More than 58 percent data reduction has been observed compared to our prior incremental HMM training scheme. Although this maximum gain incurs more degradation of false alarm rate performance, the resulting performance is still reasonable.

12.
Intrusion detection (IDS) in vehicular networks can be used to confirm the authenticity of events described in traffic event notifications. Current vehicular-network IDSs mostly use consistency checking based on redundant data. To reduce the IDS's dependence on redundant data, an intrusion detection scheme based on neural networks is proposed. The scheme can describe a large number of traffic event types and combines two learning algorithms, back-propagation (BP) and support vector machines (SVM). The two algorithms are suited respectively to personal safe driving, where speed matters, and efficient traffic systems, where a high detection rate matters. Simulation experiments and performance analysis show that the scheme has fast intrusion detection speed, a high detection rate and a low false alarm rate.

13.
Wireless mesh networks are vulnerable to attacks due to the open medium, dynamically changing network topology, cooperative algorithms, and lack of a centralized monitoring and management point. The traditional way of protecting networks with firewalls and encryption software is no longer sufficient or effective given these features. In this paper, we propose a distributed intrusion detection approach based on timed automata. A cluster-based detection scheme is presented, where periodically a node is elected as the monitor node for a cluster. These monitor nodes can not only make local intrusion detection decisions, but also cooperatively take part in global intrusion detection. We then construct a Finite State Machine (FSM) by manually abstracting the correct behaviors of a node according to the Dynamic Source Routing (DSR) routing protocol. The monitor nodes can verify every node's behavior against the FSM and validly detect real-time attacks without intrusion signatures or training data. Compared with the architecture where each node is its own IDS agent, our approach is much more efficient while maintaining the same level of effectiveness. Finally, we evaluate the intrusion detection method through simulation experiments.

14.
The author puts forward an integrated intrusion detection (ID) model based on artificial immunity (IIDAI), a vaccination strategy based on the significance degree of genes, and a method to generate initial memory antibodies with rough sets (RS). IIDAI integrates two kinds of intrusion detection mode: misuse detection and anonymous detection. Misuse detection and anonymous detection are applied to detect known and unknown attacks, respectively. On the basis of the IIDAI model, an ID algorithm is presented. Simulation shows that IIDAI has better performance than traditional ID methods in feasibility and effectiveness. The vaccination strategy makes it much easier to achieve a higher convergence rate. Moreover, RS can remove redundant attributes and increase detection speed. The integrated method can also increase the detection rate.

15.
Yi Ping, Liu Ning, Wu Yue, 《电子与信息学报》 (Journal of Electronics & Information Technology), 2009, 31(10): 2310-2315
This paper proposes a distributed cooperative intrusion detection algorithm based on timed automata. First, the whole network is divided into sub-regions, and in each region a cluster head is randomly elected as the monitor node responsible for intrusion detection in that region. Second, timed automata for normal node behavior and intrusion behavior are constructed according to the routing protocol; the monitor node collects behavior information from its neighbor nodes, analyzes node behavior with the timed automata, and identifies intruders. The algorithm requires no prior data training and can detect intrusions in real time. Finally, simulation experiments confirm the effectiveness of the algorithm.

16.
Large-scale computer network attacks in their final stages can readily be identified by observing very abrupt changes in the network traffic. In the early stage of an attack, however, these changes are hard to detect and difficult to distinguish from usual traffic fluctuations. Rapid response, a minimal false-alarm rate, and the capability to detect a wide spectrum of attacks are the crucial features of intrusion detection systems. In this paper, we develop efficient adaptive sequential and batch-sequential methods for an early detection of attacks that lead to changes in network traffic, such as denial-of-service attacks, worm-based attacks, port-scanning, and man-in-the-middle attacks. These methods employ a statistical analysis of data from multiple layers of the network protocol to detect very subtle traffic changes. The algorithms are based on change-point detection theory and utilize a thresholding of test statistics to achieve a fixed rate of false alarms while allowing us to detect changes in statistical models as soon as possible. There are three attractive features of the proposed approach. First, the developed algorithms are self-learning, which enables them to adapt to various network loads and usage patterns. Secondly, they allow for the detection of attacks with a small average delay for a given false-alarm rate. Thirdly, they are computationally simple and thus can be implemented online. Theoretical frameworks for detection procedures are presented. We also give the results of the experimental study with the use of a network simulator testbed as well as real-life testing for TCP SYN flooding attacks.

17.
Industrial control systems are an important part of national critical infrastructure; once subjected to a cyber attack, they can cause property damage, casualties and other serious disasters. To provide theoretical support to industrial security researchers, the features of attacks on industrial control systems and the difficulties of detecting these attacks are introduced. Then, a survey of intrusion detection technologies used in industrial control systems is given, and the performance and characteristics of the different types of detection technologies are compared. Finally, an outlook on industrial intrusion detection research is given.

18.
Internet of Things (IoT) offers various types of application services in different domains, such as "smart infrastructure, health-care, critical infrastructure, and intelligent transportation system." The name edge computing signifies a corner or edge in a network at which traffic enters or exits the network. In edge computing, the data analysis task happens very close to the IoT smart sensors and devices. Edge computing can also speed up the analysis process, which allows decision makers to take action within a short duration of time. However, an edge-based IoT environment has several security and privacy issues similar to those of the cloud-based IoT environment. Various types of attacks, such as "replay, man-in-the-middle, impersonation, password guessing, routing attack, and other denial of service attacks," may be possible in an edge-based IoT environment. The routing attacker nodes have the capability to deviate and disrupt the normal flow of traffic. These malicious nodes do not send packets (messages) to the edge node and only send packets to their neighbor collaborator attacker nodes. Therefore, in the presence of such a routing attack, the edge node does not get the information, or sometimes gets only partial information. This further affects the overall communication performance of the edge-based IoT environment. In the presence of such an attack, the "throughput of the network" decreases, "end-to-end delay" increases, "packet delivery ratio" decreases, and other parameters are also affected. Consequently, it is important to provide a solution for such an attack. In this paper, we design an intrusion detection scheme for the detection of routing attacks in an edge-based IoT environment, called RAD-EI. We simulate RAD-EI using the widely used "NS2 simulator" to measure different network parameters. Furthermore, we provide a security analysis of RAD-EI to prove its resilience against routing attacks. RAD-EI accomplishes around 95.0% "detection rate" and 1.23% "false positive rate", which are notably better than other related existing schemes. In addition, RAD-EI is efficient in terms of computation and communication costs. As a result, RAD-EI is a good match for some critical and sensitive applications, such as smart security and surveillance systems.

19.
The current network-based intrusion detection systems have a very high rate of false alarms, and this phenomenon results in significant effort to gauge the threat level of the anomalous traffic. In this paper, we propose an intrusion detection mechanism based on honeypot log similarity analysis and data mining techniques to predict and block suspicious flows before attacks occur. With honeypot logs and association rule mining, our approach can reduce the false alarm problem of intrusion detection because only suspicious traffic would be present in the honeypots. The proposed mechanism can reduce human effort, and the entire system can operate automatically. The results of our experiments indicate that the honeypot prediction system is practical for protecting assets from attacks or misuse.
