Similar literature (20 similar documents found)
1.
Intrusion Detection Systems (IDS) have nowadays become a necessary component of almost every security infrastructure. So far, many different approaches have been followed in order to increase the efficiency of IDS. Swarm Intelligence (SI), a relatively new bio-inspired family of methods, seeks inspiration in the behavior of swarms of insects or other animals. After being applied successfully in other fields, SI started to attract the interest of researchers working in the field of intrusion detection. In this paper we explore the reasons that led to the application of SI in intrusion detection, and present the SI methods that have been used for constructing IDS. A major contribution of this work is also a detailed comparison of several SI-based IDS in terms of efficiency, which gives a clear idea of which solution is more appropriate for each particular case.

2.
Traditional intrusion detection techniques mainly extract characteristic rule patterns for each specific attack from known attack data and then use these rule patterns for matching. The main problem with rule-based intrusion detection, however, is that the existing rule patterns cannot effectively cope with continuously changing new types of intrusion attacks. To address this problem, intrusion detection methods based on data mining have become a new research focus in intrusion detection technology. This paper proposes an adaptive intrusion detection framework based on outlier mining. First, outliers are identified using a similarity coefficient; the set of outliers is then clustered, and an improved association rule algorithm is used to extract the potential characteristic patterns of each class of intrusion activity from the clustering results; usable matching rule patterns are then generated and added to the existing rule set, thereby achieving adaptivity. Outlier mining was performed on the KDD99 UCI dataset, and the IDS Snort was used as the experimental platform, with the IDS Informer attack simulation tool used for testing. The results of these two experiments demonstrate the effectiveness of the proposed algorithm.

3.
As complete prevention of computer attacks is not possible, intrusion detection systems (IDSs) play a very important role in minimizing the damage caused by different computer attacks. There are two intrusion detection methods, namely misuse- and anomaly-based. A collaborative, intelligent intrusion detection system (CIIDS) is proposed to include both methods, since it is concluded from recent research that the performance of an individual detection engine is rarely satisfactory. In particular, two main challenges in current collaborative intrusion detection systems (CIDSs) research are highlighted and reviewed: CIDSs system architectures and alert correlation algorithms. Different CIDSs system architectures are explained and compared. The use of CIDSs together with other multiple security systems raises certain issues and challenges in alert correlation. Several different techniques for alert correlation are discussed. The focus will be on correlation of CIIDS alerts. Computational Intelligence approaches, together with their applications on IDSs, are reviewed. Methods in soft computing collectively provide understandable and autonomous solutions to IDS problems. At the end of the review, the paper suggests fuzzy logic, soft computing and other AI techniques to be exploited to reduce the rate of false alarms while keeping the detection rate high. In conclusion, the paper highlights opportunities for an integrated solution to large-scale CIIDS.

4.
Research on Intrusion Detection Technology in High-Speed Network Environments   Total citations: 9, self-citations: 3, citations by others: 9
This paper first introduces the current state of research on intrusion detection systems in high-speed network environments, then analyzes two classes of intrusion detection system models, FPGA-based and load-balancing-based, and focuses on the key technologies of a network-processor-based intrusion detection system that uses load balancing: data capture, load balancing, and data analysis.

5.
Intrusion detection collects various kinds of network data and analyzes them to discover possible intrusion attacks. To strengthen the ability of intrusion detection to discover attack behavior in massive data and to improve its intelligence, data mining has been introduced into the intrusion detection field to enable intelligent knowledge discovery and the construction of intrusion detection models. Cluster analysis is an important technique in data mining; it can discover hidden patterns through an unsupervised learning process and has the ability to discover knowledge independently. There is a large body of research on its application to intrusion detection: various clustering methods and their improvements have been used to build intrusion detection models from different training datasets, becoming a powerful complement to the detection system as a whole. This paper gives a comprehensive introduction to and a comparative analysis of the typical clustering-based intrusion detection models in the existing literature, and suggests directions for further research.

6.
张文安, 洪榛, 朱俊威, 陈博. 控制与决策 (Control and Decision), 2019, 34(11): 2277-2288
With the networking of industrial control systems (ICS), their former isolation has been broken: viruses, trojans and other malware enter ICS along with normal information flows and now seriously threaten ICS security, so effective ICS security protection has become an urgent task. As an active information security protection technique, intrusion detection can effectively make up for the shortcomings of traditional protection techniques such as firewalls; it is regarded as the second line of defense for ICS and can detect both external and internal intrusions in real time. Research on intrusion detection for industrial control systems is currently very active: researchers from computer science, automation, communications and other fields have proposed a series of ICS intrusion detection methods from different perspectives, and it has become a hot research direction in ICS security. In view of this, this paper surveys the state of research on ICS intrusion detection, the existing problems, and the problems that remain to be solved.

7.
A Discussion of Intrusion Detection Technology in Information Security Infrastructure   Total citations: 2, self-citations: 5, citations by others: 2
Starting from the basic concepts of intrusion detection technology, this paper focuses on the key technologies involved in constructing an intrusion detection system and proposes a general model of an intrusion detection system based on a data warehouse; it summarizes and reviews representative host-based and network-based intrusion detection techniques and related tools, and discusses some problems in research on the construction of intrusion detection systems along with corresponding solutions.

8.
A Survey of Intrusion Detection Technology in High-Speed Network Environments*   Total citations: 4, self-citations: 0, citations by others: 4
The widespread deployment of high-speed networks places higher demands on intrusion detection technology, and traditional methods can no longer cope with high-volume network traffic. This paper analyzes the intrusion detection process, identifies the factors and difficulties that limit detection effectiveness in high-speed network environments, and argues that performance should be improved through packet capture, pattern matching, load balancing and system architecture, making full use of the flexibility of software and the parallelism and speed of dedicated hardware, so that intrusion detection systems can keep up with high-speed network environments.

9.
A Snort Network Intrusion Detection System Based on Data Mining   Total citations: 1, self-citations: 0, citations by others: 1
This paper reviews current intrusion detection and data mining techniques and analyzes the Snort network intrusion detection system in depth; it then builds a data-mining-based network intrusion detection system model on top of Snort, focusing on the design and implementation of its k-means-based anomaly detection engine and cluster analysis module, and improves the k-means algorithm to make it better suited to network intrusion detection systems.

10.
A Brief Analysis of Anomaly-Based Intrusion Detection Technology   Total citations: 9, self-citations: 8, citations by others: 1
Intrusion detection is a relatively new and rapidly developing field and has become an important link in network security architectures. This paper describes in detail the principles and basic workflow of anomaly-based intrusion detection, analyzes several commonly used anomaly detection techniques in the context of existing anomaly-based intrusion detection systems, and discusses the advantages and open problems of anomaly-based intrusion detection.

11.
This paper presents a series of studies on probabilistic properties of activity data in an information system for detecting intrusions into the information system. Various probabilistic techniques of intrusion detection, including decision tree, Hotelling's T2 test, chi-square multivariate test, and Markov chain, are applied to the same training set and the same testing set of computer audit data for investigating the frequency property and the ordering property of computer audit data. The results of these studies provide answers to several questions concerning which properties are critical to intrusion detection. First, our studies show that the frequency property of multiple audit event types in a sequence of events is necessary for intrusion detection. A single audit event at a given time is not sufficient for intrusion detection. Second, the ordering property of multiple audit events provides an additional advantage over the frequency property for intrusion detection. However, unless the scalability problem of complex data models taking into account the ordering property of activity data is solved, intrusion detection techniques based on the frequency property provide a viable solution that produces good intrusion detection performance with low computational overhead.

12.
Intrusion Detection Systems (IDSs) detect potential attacks by monitoring activities in computers and networks. This monitoring is carried out by collecting and analyzing data pertaining to users and organizations. The data is collected from various sources, such as system log files or network traffic, and may contain private information. Therefore, analysis of the data by an IDS can raise multiple privacy concerns. Recently, building IDSs that consider privacy issues in their design criteria in addition to classic design objectives (such as IDS performance and precision) has become a priority. This article proposes a taxonomy of privacy issues in IDSs which is then utilized to identify new challenges and problems in the field. In this taxonomy, we classify privacy-sensitive IDS data as input, built-in and generated data. Research prototypes are then surveyed and compared using the taxonomy. The privacy techniques used in the surveyed systems are discussed and compared based on their effects on the performance and precision of the IDS. Finally, the taxonomy and the survey are used to point out a number of areas for future research.

13.
Machine learning consists of algorithms that are first trained on reference input to "learn" its specifics and then applied to unseen input for classification purposes. Mobile ad-hoc wireless networks (MANETs) have drawn much attention from the research community due to their advantages and growing demand. However, they appear to be more susceptible to various performance-harming attacks than any other kind of network. Intrusion Detection Systems represent the second line of defense against malevolent behavior in MANETs, since they monitor network activities in order to detect any malicious attempt performed by intruders. Due to the inherent distributed architecture of MANETs, traditional cryptographic schemes cannot completely safeguard them against novel threats and vulnerabilities; applying machine learning methods to IDS can help overcome these challenges. In this paper, we present the most prominent models for building intrusion detection systems by incorporating machine learning in the MANET scenario. We have structured our survey into four directions of machine learning methods: classification approaches, association rule mining techniques, neural networks and instance-based learning approaches. We analyze the most well-known approaches and present notable achievements but also the drawbacks or flaws that these methods have. Finally, in concluding our survey we provide some findings of paramount importance identifying open issues in the MANET field of interest.

14.
Automatic network intrusion detection has been an important research topic for the last 20 years. In that time, approaches based on signatures describing intrusive behavior have become the de-facto industry standard. Alternatively, other novel techniques have been used for improving automation of the intrusion detection process. In this regard, statistical methods, machine learning and data mining techniques have been proposed, claiming higher automation capabilities than signature-based approaches. However, the majority of these novel techniques have never been deployed in real-life scenarios. The fact is that signature-based detection is still the most widely used strategy for automatic intrusion detection. In the present article we survey the most relevant works in the field of automatic network intrusion detection. In contrast to previous surveys, our analysis considers several features required for truly deploying each one of the reviewed approaches. This wider perspective can help us to identify the possible causes behind the lack of acceptance of novel techniques by network security experts.

15.
This paper describes data mining and data warehousing techniques that can improve the performance and usability of Intrusion Detection Systems (IDS). Current IDS do not provide support for historical data analysis and data summarization. This paper presents techniques to model network traffic and alerts using a multi-dimensional data model and star schemas. This data model was used to perform network security analysis and detect denial of service attacks. Our data model can also be used to handle heterogeneous data sources (e.g. firewall logs, system calls, net-flow data) and enable up to two orders of magnitude faster query response times for analysts as compared to the current state of the art. We have used our techniques to implement a prototype system that is being successfully used at Army Research Labs. Our system has helped the security analyst in detecting intrusions and in historical data analysis for generating reports on trend analysis. Recommended by: Ashfaq Khokhar

16.
Recent theoretical and practical studies have revealed that malware is one of the most harmful threats to the digital world. Malware mitigation techniques have evolved over the years to ensure security. Earlier, several classical methods were used for detecting malware based on various features such as signatures, heuristics, and others. Traditional malware detection techniques were unable to defeat new generations of malware and their sophisticated obfuscation tactics. Deep Learning is increasingly used in malware detection, as DL-based systems outperform conventional malware detection approaches at finding new malware variants. Furthermore, DL-based techniques provide rapid malware prediction with excellent detection rates and analysis of different malware types. Investigating recently proposed Deep Learning-based malware detection systems and their evolution is hence of interest to this work. It offers a thorough analysis of the recently developed DL-based malware detection techniques. Furthermore, currently trending malware is studied, and detection techniques for mobile malware (both Android and iOS), Windows malware, IoT malware, Advanced Persistent Threats (APTs), and ransomware are precisely reviewed.

17.
Nowadays, Cloud Computing is widely used to deliver services over the Internet for both technical and economical reasons. The number of Cloud-based services has increased rapidly and strongly in the last years, and so has the complexity of the infrastructures behind these services. To properly operate and manage such complex infrastructures, effective and efficient monitoring is constantly needed. Many works in the literature have surveyed Cloud properties, features, underlying technologies (e.g. virtualization), security and privacy. However, to the best of our knowledge, these surveys lack a detailed analysis of monitoring for the Cloud. To fill this gap, in this paper we provide a survey on Cloud monitoring. We start by analyzing motivations for Cloud monitoring, providing also definitions and background for the following contributions. Then, we carefully analyze and discuss the properties of a monitoring system for the Cloud, the issues arising from such properties and how such issues have been tackled in the literature. We also describe current platforms, both commercial and open source, and services for Cloud monitoring, underlining how they relate to the properties and issues identified before. Finally, we identify open issues, main challenges and future directions in the field of Cloud monitoring.

18.
Research in cyber-security has demonstrated that dealing with cyber-attacks is by no means an easy task. One particular limitation of existing research originates from the uncertainty of information that is gathered to discover attacks. This uncertainty is partly due to the lack of attack prediction models that utilize contextual information to analyze activities that target computer networks. The focus of this paper is a comprehensive review of data analytics paradigms for intrusion detection along with an overview of techniques that apply contextual information for intrusion detection. A new research taxonomy is introduced consisting of several dimensions of data mining techniques, which create attack prediction models. The survey reveals the need to use multiple categories of contextual information in a layered manner with consistent, coherent, and feasible evidence toward the correct prediction of cyber-attacks.

19.
Purely based on a hierarchy of self-organizing feature maps (SOMs), an approach to network intrusion detection is investigated. Our principal interest is to establish just how far such an approach can be taken in practice. To do so, the KDD benchmark data set from the International Knowledge Discovery and Data Mining Tools Competition is employed. Extensive analysis is conducted in order to assess the significance of the features employed, the partitioning of training data and the complexity of the architecture. Contributions that follow from such a holistic evaluation of the SOM include recognizing that (1) best performance is achieved using a two-layer SOM hierarchy, based on all 41 features from the KDD data set; (2) only 40% of the original training data is sufficient for training purposes; (3) the 'Protocol' feature provides the basis for a switching parameter, thus supporting modular solutions to the detection problem. The ensuing detector provides false positive and detection rates of 1.38% and 90.4% under test conditions, which represents the best performance to date of a detector based on an unsupervised learning algorithm.

20.
International Journal of Information Security - The growing number of Internet users and the prevalence of web applications make it necessary to deal with very complex software and applications in...
