自适应的Web攻击异常检测方法

针对传统建模容易引入不可信样本的问题,提出了一种自适应建立基于Web攻击异常检测模型的方法。依据样本中Request-URL的结构特征对样本集进行分类,并利用样本的各属性来构造样本分类子集的离散性函数,其中离散程度值将作为识别正常行为集的依据;在此基础上,使用改进的隐马尔可夫模型(HMM)算法对正常行为样本集进行建模,并利用HMM合并的方法实现检测模型的动态更新。实验结果表明,所提方法建立的模型能够有效地识别出Web攻击请求,并降低检测的误报率。     

基于用户行为分析的应用层DDoS攻击检测方法*

应用层拒绝服务攻击与传统的拒绝服务相比,其破坏性更大,也更难被检测和防御。对此,基于用户浏览行为的分析,提出了一种采用自回归模型来检测应用层DDoS攻击的方法。通过AR模型和卡尔曼滤波,学习和预测正常用户的访问并判断异常;当定位异常访问源后,反馈给前端路由器进行限流或过滤。在电信IDC实际网络环境中,测试结果表明该方法是有效的。     

Real-time anomaly detection systems for Denial-of-Service attacks by weighted k-nearest-neighbor classifiers

This study proposed a method which can detect large-scale attacks, such as DoS attacks, in real-time by weighted KNN classifiers. The key factor for designing an anomaly-based NIDS is to select significant features for making decisions. Not only is excellent detection performance required, but real-time processing is also demanded for most NIDSs. A good feature selection policy, which can choose significant and as few as possible features, plays a key role for any successful NIDS. The study proposed a genetic algorithm combined with KNN (k-nearest-neighbor) for feature selection and weighting. All initial 35 features in the training phase were weighted, and the top ones were selected to implement NIDSs for testing. Many DoS attacks were applied to evaluate the systems. For known attacks, an overall accuracy rate as high as 97.42% was obtained, while only the top 19 features were considered. For unknown attacks, an overall accuracy rate of 78% was obtained using the top 28 features.     

Detecting relay attacks on RFID communication systems using quantum bits

RFID systems became widespread in variety of applications because of their simplicity in manufacturing and usability. In the province of critical infrastructure protection, RFID systems are usually employed to identify and track people, objects and vehicles that enter restricted areas. The most important vulnerability which is prevalent among all protocols employed in RFID systems is against relay attacks. Until now, to protect RFID systems against this kind of attack, the only approach is the utilization of distance-bounding protocols which are not applicable over low-cost devices such as RFID passive tags. This work presents a novel technique using emerging quantum technologies to detect relay attacks on RFID systems. Recently, it is demonstrated that quantum key distribution (QKD) can be implemented in a client–server scheme where client only requires an on-chip polarization rotator that may be integrated into a handheld device. Now we present our technique for a tag–reader scenario which needs similar resources as the mentioned QKD scheme. We argue that our technique requires less resources and provides lower probability of false alarm for the system, compared with distance-bounding protocols, and may pave the way to enhance the security of current RFID systems.

     

基于时间序列分析的Web服务器DDoS攻击检测

摘要: 分布式拒绝服务攻击(Distributed Denial of Service, DDoS)的目标是破坏网络服务的有效性,是当前Web服务安全的主要威胁之一。本文提出了一种基于时间序列分析的DDoS攻击检测方法。该方法利用网络流量的自相似性,建立Web流量时间序列变化的自回归模型,通过动态分析Web流量的突变来检测针对Web服务器的DDoS攻击。在此基础上,通过对报警数据的关联分析,获得攻击的时间和位置信息。实验结果表明：该方法能有效检测针对Web服务器的DDoS攻击。     

Detecting Sybil attacks in Wireless Sensor Networks using neighboring information

As the prevalence of Wireless Sensor Networks (WSNs) grows in the military and civil domains, the need for network security has become a critical concern. In a Sybil attack, the WSN is subverted by a malicious node which forges a large number of fake identities in order to disrupt the network’s protocols. In attempting to protect WSNs against such an attack, this paper develops a scheme in which the node identities are verified simply by analyzing the neighboring node information of each node. The analytical results confirm the efficacy of the approach given a sufficient node density within the network. The simulation results demonstrate that for a network in which each node has an average of 9 neighbors, the scheme detects 99% of the Sybil nodes with no more than a 4% false detection rate. The experiment result shows that the Sybil nodes can still be identified when the links are not symmetric.     

Detecting adversarial attacks on audio-visual speech recognition using deep learning method

International Journal of Speech Technology - Deep learning techniques have made significant progress in various machine learning-based tasks in different fields. Deep learning patterns are...     

一种基于动态聚类的异常入侵检测方法

运用数据挖掘方法进行入侵检测已经成为网络安全领域的一个重要研究方向。提出一种动态聚类的数据挖掘方法进行异常入侵检测,该方法将不同用户行为的特征动态聚集,根据各个子的类支持度与预设的检测阈值比较来区分正常与异常。由于动态聚类算法在每次聚类过程中都检验归类的合理性,因此获得很好的聚类效果。实时检测试验得到了较高的检测率和较低的误报率。     

Detecting intrusion transactions in databases using data item dependencies and anomaly analysis

Abstract: The purpose of the intrusion detection system (IDS) database is to detect transactions that access data without permission. This paper proposes a novel approach to identifying malicious transactions. The approach concentrates on two aspects of database transactions: (1) dependencies among data items and (2) variations of each individual data item which can be considered as time‐series data. The advantages are threefold. First, dependency rules among data items are extended to detect transactions that read or write data without permission. Second, a novel behaviour similarity criterion is introduced to reduce the false positive rate of the detection. Third, time‐series anomaly analysis is conducted to pinpoint intrusion transactions that update data items with unexpected pattern. As a result, the proposed approach is able to track normal transactions and detect malicious ones more effectively than existing approaches.     

Outlier trajectory detection through a context-aware distance

Pattern Analysis and Applications - This paper presents an original method to detect anomalous human trajectories based on a new and promising context-aware distance. The input of the proposed...     

Distributed system anomaly detection using deep learning-based log analysis

Anomaly detection is a key step in ensuring the security and reliability of large-scale distributed systems. Analyzing system logs through artificial intelligence methods can quickly detect anomalies and thus help maintenance personnel to maintain system security. Most of the current works only focus on the temporal or spatial features of distributed system logs, and they cannot sufficiently extract the global features of distributed system logs to achieve a good correct rate of anomaly detection. To further address the shortcomings of existing methods, this paper proposes a deep learning model with global spatiotemporal features to detect the presence of anomalies in distributed system logs. First, we extract semi-structured log events from log templates and model them as natural language. In addition, we focus on the temporal characteristics of logs using the bidirectional long short-term memory network and the spatial invocation characteristics of logs using the Transformer. Extensive experimental evaluations show the advantages of our proposed model for distributed system log anomaly detection tasks. The optimal F1-Score on three open-source datasets and our own collected distributed system datasets reach 98.04%, 94.34%, 88.16%, and 97.40%, respectively.     

基于流量分析的App-DDoS攻击检测

针对当前应用层分布式拒绝服务攻击(App-DDoS)检测方法高度依赖于系统日志,且检测攻击类型单一的问题,提出了基于卡尔曼滤波和信息熵的联合检测模型DFM-FA(detection and filtering model against App-DDoSattacks based on flow analysis),将应用层的行为异常检测映射为网络层的流量异常检测,最大限度地保证了合法用户的优先正常访问.实验证明,DFM-FA既不依赖于系统日志,同时又能检测到FTP、DNS等多种App-DDoS攻击.     

A program-based anomaly intrusion detection scheme using multiple detection engines and fuzzy inference

In this paper, a hybrid anomaly intrusion detection scheme using program system calls is proposed. In this scheme, a hidden Markov model (HMM) detection engine and a normal database detection engine have been combined to utilise their respective advantages. A fuzzy-based inference mechanism is used to infer a soft boundary between anomalous and normal behaviour, which is otherwise very difficult to determine when they overlap or are very close. To address the challenging issue of high cost in HMM training, an incremental HMM training with optimal initialization of HMM parameters is suggested. Experimental results show that the proposed fuzzy-based detection scheme can reduce false positive alarms by 48%, compared to the single normal database detection scheme. Our HMM incremental training with the optimal initialization produced a significant improvement in terms of training time and storage as well. The HMM training time was reduced by four times and the memory requirement was also reduced significantly.     

Spatiotemporal context-aware network for video salient object detection

Neural Computing and Applications - It has been witnessed that there is an increasing interest in video salient object detection (VSOD) in computer vision field. Different from image salient object...     

Practical firewall policy inspection using anomaly detection and its visualization

Due to the increasing cyber threats, firewall has become the one of the core elements in network security. The effectiveness of firewall security is dependent on providing policy management techniques. For this reason, it is highly required to have an automatic tool that is real applicable to running firewalls and it should help administrators use in easy. This paper represents a first step toward a practically applicable tool called Firewall Policy Checker for firewall policy inspection based on four anomaly types. It also focuses on detecting dangerous services such as telnet, ftp and so on which many administrators set as time goes and detecting illegal servers. In addition, this tool supports a large number of rules with the high speed using efficient N-ary tree module. The experimental results using real organizations’ rules are introduced. Finally, this paper illustrates an easy 3D visualization even for non experts.     

Dynamic video anomaly detection and localization using sparse denoising autoencoders

The emergence of novel techniques for automatic anomaly detection in surveillance videos has significantly reduced the burden of manual processing of large, continuous video streams. However, existing anomaly detection systems suffer from a high false-positive rate and also, are not real-time, which makes them practically redundant. Furthermore, their predefined feature selection techniques limit their application to specific cases. To overcome these shortcomings, a dynamic anomaly detection and localization system is proposed, which uses deep learning to automatically learn relevant features. In this technique, each video is represented as a group of cubic patches for identifying local and global anomalies. A unique sparse denoising autoencoder architecture is used, that significantly reduced the computation time and the number of false positives in frame-level anomaly detection by more than 2.5%. Experimental analysis on two benchmark data sets - UMN dataset and UCSD Pedestrian dataset, show that our algorithm outperforms the state-of-the-art models in terms of false positive rate, while also showing a significant reduction in computation time.     

Real time detection of cache-based side-channel attacks using hardware performance counters

In this paper we analyze three methods to detect cache-based side-channel attacks in real time, preventing or limiting the amount of leaked information. Two of the three methods are based on machine learning techniques and all the three of them can successfully detect an attack in about one fifth of the time required to complete it. We could not experience the presence of false positives in our test environment and the overhead caused by the detection systems is negligible. We also analyze how the detection systems behave with a modified version of one of the spy processes. With some optimization we are confident these systems can be used in real world scenarios.     

Collaborative detection and filtering of shrew DDoS attacks using spectral analysis

This paper presents a new spectral template-matching approach to countering shrew distributed denial-of-service (DDoS) attacks. These attacks are stealthy, periodic, pulsing, and low-rate in attack volume, very different from the flooding type of attacks. They are launched with high narrow spikes in very low frequency, periodically. Thus, shrew attacks may endanger the victim systems for a long time without being detected. In other words, such attacks may reduce the quality of services unnoticeably. Our defense method calls for collaborative detection and filtering (CDF) of shrew DDoS attacks. We detect shrew attack flows hidden in legitimate TCP/UDP streams by spectral analysis against pre-stored template of average attack spectral characteristics. This novel scheme is suitable for either software or hardware implementation.The CDF scheme is implemented with the NS-2 network simulator using real-life Internet background traffic mixed with attack datasets used by established research groups. Our simulated results show high detection accuracy by merging alerts from cooperative routers. Both theoretical modeling and simulation experimental results are reported here. The experiments achieved up to 95% successful detection of network anomalies along with a low 10% false positive alarms. The scheme cuts off malicious flows containing shrew attacks using a newly developed packet-filtering scheme. Our filtering scheme retained 99% of legitimate TCP flows, compared with only 20% TCP flows retained by using the Drop Tail algorithm. The paper also considers DSP, FPGA, and network processor implementation issues and discusses limitations and further research challenges.     

A context-aware adaptive learning system using agents

Evolution of Web technologies has made e-learning a popular common way of education and training. As an outcome, learning content adaptation has been the subject of many research projects lately. This paper suggests a framework for building an adaptive Learning Management System (LMS). The proposed architecture is based upon multi-agent systems and uses both Sharable Content Object Reference Model (SCORM) 2004 and semantic Web ontology for learning content storage, sequencing and adaptation. This system has been implemented upon a well known open-source LMS and its functionalities are demonstrated through the simulation of a scenario mimicing the real life conditions. The result reveals the system effectiveness for which it appears that the proposed approach may be very promising.