Similar literature
20 similar documents found (search time 203 ms)
1.
Most current machine-learning-based intrusion detection systems are built on the assumption that intrusion data remain statistically stationary, so they cannot cope with the drop in detection rate that occurs when attackers deliberately alter the data characteristics or when new attack types appear. To address this problem, namely attack drift, a detection method based on a weighted Rényi distance is proposed. Experiments on the KDD Cup 99 dataset show that the Rényi distance effectively enhances detection; once drift has been detected, retraining the model significantly improves the recognition rate of attacks.

2.
Intrusion detection systems are an important means of proactively safeguarding network information security. Addressing the shortcomings of intrusion detection technology in large-scale, high-bandwidth network environments, this paper proposes applying machine learning theory to intrusion detection systems. It briefly introduces several machine learning algorithms suited to intrusion detection systems and establishes an intrusion detection system framework based on machine learning theory. Machine learning algorithms can not only detect some known attacks but can also detect unknown attacks through self-learning.

3.
To address the low accuracy of intrusion detection systems and their difficulty in detecting unknown attacks, the limited-resource artificial immune classifier algorithm AIRS is applied to intrusion detection. First, a portion of the normal and attack data is selected from the KDD CUP 99 dataset to train the AIRS algorithm. Then, using the trained model, datasets containing known and unknown attacks from different anomaly categories are tested. Experimental results show that the AIRS algorithm greatly improves the detection rate for known attacks and also substantially improves the recognition rate for unknown attacks.

4.
This paper proposes a network intrusion detection system based on a Siamese neural network. Several machine learning algorithms, including support vector machines, random forests, convolutional neural networks and Siamese neural networks, are compared, and the network model best suited to this system is selected through training. The resulting system filters benign (whitelisted) traffic and detects whether attack traffic is present in the traffic packets.

5.
Network intrusions are highly destructive and hard to control. After an intrusion attack, network traffic is subject to random factors such as conflicts and constrained data bandwidth, which cause the traffic to fluctuate and lose stability. Previous network fluctuation control methods cannot control fluctuations effectively once they exceed a set threshold. Therefore, a network fluctuation control system based on an active disturbance rejection controller (ADRC) is designed and implemented. The system comprises a traffic collection module, a traffic aggregation module, a traffic anomaly detection and control module and an alerting module, and provides four functional components: a network analysis component, a host analysis component, a policy management center and a console. The system uses the active disturbance rejection processor to control the traffic fluctuations produced by intrusion attacks and to keep network traffic balanced. Experimental results show that under the proposed method network intrusion behaviour is significantly reduced and the level of network intrusion is lower.

6.
An efficient intrusion detection model based on SVM feature selection and the C4.5 data mining algorithm is proposed. By training the model on attack data after feature extraction, various intrusions can be identified effectively and detection speed improved. Tests on the classic KDD 1999 intrusion detection dataset show that the data mining model can efficiently learn attack patterns and use the selected features to detect network attacks correctly and effectively.

7.
Through a study of support vector machines (SVM) and multi-classifier decision combination techniques, this paper presents an intrusion detection system based on the decision combination of multiple SVMs. Simulation experiments on KDD'99 data show that the method achieves better detection results than a single SVM classifier.

8.
Network security is currently a bottleneck problem. In network intrusion detection, machine learning can be viewed as computer programs built to improve the performance of an attack detection system by learning and accumulating experience. Applied to network attack detection, machine learning analyses large volumes of network data and automatically generates rules through learning algorithms, giving the network the ability to recognise attacks automatically. Building on a detailed introduction to the machine learning principles of network attack detection systems, this paper reviews existing methods and, in light of the application requirements of network attack detection, discusses the development directions of machine learning technology for network attack detection systems.

9.
The application of several typical traffic prediction models to intrusion detection systems in wireless sensor networks is analysed, and an anomaly intrusion detection method based on the correlation coefficient is proposed. Anomalies are detected from changes in the correlation coefficient between the predicted and actual traffic sequences of WSN nodes. Experimental results demonstrate the effectiveness of the method, which achieves a high detection rate even when the attack intensity is weak.

10.
Radio Engineering (《无线电工程》), 2019, (4): 282-287
Distributed denial of service (DDoS) attacks are currently a popular form of network attack; they are highly destructive and difficult to defend against or trace, posing a serious threat to Internet security. To address this problem, an intrusion detection method based on OpenFlow and sFlow is proposed. Network traffic is monitored in real time using sFlow sampling, a traffic threshold is set according to normal network traffic, abnormal traffic exceeding the threshold is subjected to attack detection to identify attack flows, and finally the attack source is blocked using the OpenFlow protocol. The method can automatically detect and handle multiple kinds of DDoS attacks within seconds. Experimental results show that, compared with existing schemes, the method detects and blocks DDoS attacks in real time and effectively reduces network resource consumption.

11.
The Wireless Fidelity (WiFi) is a widely used wireless technology due to its flexibility and mobility in the presence of vulnerable security features. Several attempts to secure the 802.11 standard end up with inadequate security mechanisms that are vulnerable to various attacks and intrusions. Thus, integration of an external defense mechanism like an intrusion detection system (IDS) is inevitable. An anomaly-based IDS employs machine learning algorithms to detect attacks. Selecting the best set of features is central to ensuring the performance of the classifier in terms of speed of learning, accuracy, and reliability. This paper proposes a normalized gain based IDS for MAC Intrusions (NMI) to improve the IDS performance significantly. The proposed NMI includes two primary components, OFSNP and DCMI. The first component is optimal feature selection using NG and PSO (OFSNP) and the second component is Detecting and Categorizing MAC 802.11 Intrusions (DCMI) using an SVM classifier. The OFSNP ranks the features using an independent measure, normalized gain (NG), and selects the optimal set of features using semi-supervised clustering (SSC). The SSC is based on particle swarm optimization (PSO) that uses labeled and unlabeled features simultaneously to find a group of optimal features. Using the optimal set of features, the proposed DCMI utilizes rapid and straightforward support vector machine (SVM) learning that classifies the attacks under the appropriate classes. Thus, the proposed NMI achieves a better trade-off between detection accuracy and learning time. The experimental results show that the NMI accurately detects and classifies the 802.11-specific intrusions and also reduces the false positives and computational complexity by decreasing the number of features.

12.
Cyber security has been thrust into the limelight in the modern technological era because of an array of attacks often bypassing untrained intrusion detection systems (IDSs). Therefore, greater attention has been directed on being able to decipher better methods for identifying attack types to train IDSs more effectively. Key cyber-attack insights exist in big data; however, an efficient approach is required to determine strong attack types to train IDSs to become more effective in key areas. Despite the rising growth in IDS research, there is a lack of studies involving big data visualization, which is key. The KDD99 data set has served as a strong benchmark since 1999; therefore, we utilized this data set in our experiment. In this study, we utilized a hash algorithm, a weight table, and a sampling method to deal with the inherent problems caused by analyzing big data: volume, variety, and velocity. By utilizing a visualization algorithm, we were able to gain insights into the KDD99 data set with a clear identification of "normal" clusters and described distinct clusters of effective attacks.

13.
One of the solutions that has been widely used by naive users to protect against phishing attacks is security toolbars or phishing filters in web browsers. The present study proposes a new attack to bypass security toolbars and phishing filters via local DNS poisoning without the need of an infection vector. A rogue wireless access point (AP) is set up, poisoned DNS cache entries are used to forge the results provided to security toolbars, and thus misleading information is displayed to the victim. Although there are several studies that demonstrate DNS poisoning attacks, none to our best knowledge investigate whether such attacks can circumvent security toolbars or phishing filters. Five well-known security toolbars and three reputable browser built-in phishing filters are scrutinized, and none of them detect the attack. So ineptly, security toolbars provide the victim with false confirmative indicators that the phishing site is legitimate. Copyright © 2009 John Wiley & Sons, Ltd.

14.
Since machine learning began to be applied in many critical domains, the vulnerability of machine learning systems has attracted considerable attention. In particular, poisoning attacks against machine learning systems have been widely studied by researchers and have produced a number of results. This paper therefore systematically reviews current research progress on poisoning attacks against machine learning systems, and classifies and summarises poisoning attack algorithms, including attacks against several common model types such as linear classifiers, support vector machines, Bayesian classifiers and deep neural networks, with the goal of making existing research on poisoning attacks clearer and providing inspiration for the work of related researchers.

15.
Intrusion detection plays a key role in detecting attacks over networks, and due to the increasing usage of Internet services, several security threats arise. Though an intrusion detection system (IDS) detects attacks efficiently, it also generates a large number of false alerts, which makes it difficult for a system administrator to identify attacks. This paper proposes automatic fuzzy rule generation combined with a Wiener filter to identify attacks. Further, to optimize the results, simplified swarm optimization is used. After training a large dataset, various fuzzy rules are generated automatically for testing, and a Wiener filter is used to filter out attacks that act as noisy data, which improves the accuracy of the detection. By combining automatic fuzzy rule generation with a Wiener filter, an IDS can handle intrusion detection more efficiently. Experimental results, which are based on collected live network data, are discussed and show that the proposed method provides a competitively high detection rate and a reduced false alarm rate in comparison with other existing machine learning techniques.

16.
The swift proliferation in traffic across computer networks has led to certain types of attacks and intrusions, raising a serious global concern of information security. Attack detection is possible by monitoring and observing occurrences in intrusion detection systems; however, these systems tend to suffer from the curse of dimensionality, a high false alarm rate, high time complexity and low detection rates. In order to overcome these limitations, we propose a feature-reduced intrusion detection system employing an optimized SVM as a classifier. Feature reduction has been performed by fusing ranked features from information gain and chi-square in a way that retains only important features and discards the rest. The study further proposes an optimized version of the SVM classifier using Big Bang Big Crunch (BBBC) optimization, which simulates the big bang and big crunch theory of the evolution of the universe. BBBC has helped in quickly finding an optimal set of SVM parameters that are further used for classification. We also experimented with a number of fitness functions for gauging the performance of the IDS and propose a new fitness function based on the weighted F1 score of various traffic classes. The KDD-99 dataset has been used for experimentation and analysis. The paper further examines the effects of under-sampling and over-sampling of various traffic classes on the proposed IDS performance and recommends that maintaining a desired ratio for a mix of under-sampling and over-sampling of desired classes produces the best results.

17.
Intrusion detection (IDS) in vehicular networks can be used to verify the authenticity of the events described in traffic event notifications. Current vehicular IDSs mostly use consistency-checking schemes based on redundant data. To reduce the dependence of the IDS on redundant data, an intrusion detection scheme based on neural networks is proposed. The scheme can describe a large number of traffic event types and combines two learning algorithms, back-propagation (BP) and support vector machines (SVM). These two algorithms are suited respectively to applications where personal safe driving requires speed and where efficient traffic systems require a high detection rate. Simulation experiments and performance analysis show that the scheme has a fast intrusion detection speed, a high detection rate and a low false alarm rate.

18.
LDoS (low-rate denial of service) attack is a kind of RoQ (reduction of quality) attack which has the characteristics of low average rate and strong concealment. These characteristics pose great threats to the security of cloud computing platforms and big data centers. Based on network traffic analysis, three intrinsic characteristics of LDoS attack flows were extracted to be a set of inputs to a BP neural network, which is a classifier for LDoS attack detection. Hence, an approach for detecting LDoS attacks was proposed based on a novel combined feature value. The proposed approach can speedily and accurately model the LDoS attack flows by the efficient self-organizing learning process of the BP neural network, in which a proper decision-making indicator is set to detect LDoS attacks accurately at the end of output. The proposed detection approach was tested in the NS2 platform and verified in a test-bed network environment by using the Linux TCP-kernel source code, which is a widely accepted LDoS attack generation tool. The detection probability derived from hypothesis testing is 96.68%. Compared with available research, analysis results show that the performance of combined-feature detection is better than that of a single feature, and has high computational efficiency.

19.
Meejoung Kim, ETRI Journal, 2019, 41(5): 560-573
Two supervised learning algorithms, a basic neural network and a long short-term memory recurrent neural network, are applied to traffic including DDoS attacks. The joint effects of preprocessing methods and hyperparameters for machine learning on performance are investigated. Values representing attack characteristics are extracted from datasets and preprocessed by two methods. Binary classification and two optimizers are used. Some hyperparameters are obtained exhaustively for fast and accurate detection, while others are fixed with constants to account for performance and data characteristics. An experiment is performed via TensorFlow on three traffic datasets. Three scenarios are considered to investigate the effects of learning former traffic on sequential traffic analysis and the effects of learning one dataset on application to another dataset, and to determine whether the algorithms can be used for recent attack traffic. Experimental results show that the preprocessing methods, neural network architectures, hyperparameters, and optimizers used are appropriate for DDoS attack detection. The obtained results provide a criterion for the detection accuracy of attacks.

20.
Software defined network (SDN) is a new kind of network technology, and its security problems are hot topics in the SDN field, such as SDN control channel security, forged service deployment and external distributed denial of service (DDoS) attacks. Aiming at the DDoS attack problem in SDN security, a DDoS attack detection method called DCNN-DSAE, based on a deep learning hybrid model in SDN, was proposed. In this method, when the deep learning model was constructed, the input features included 21 different types of fields extracted from the data plane and 5 extra self-designed features for distinguishing flow types. The experimental results show that the method has high accuracy; it is better than the traditional support vector machine (SVM), deep neural network (DNN) and other machine learning methods. At the same time, the proposed method can also shorten the processing time of classification detection. The detection model is deployed in the SDN controller, and the new security policy is sent to the OpenFlow switch to achieve the defense against the specific DDoS attack.
