20 similar documents found (search time: 0 ms)
1.
2.
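In recent years, with the development of Internet of Things technology, connecting MANETs to the Internet has become a trend. An intrusion detection system in a MANET can effectively safeguard its secure operation. In view of the dynamic and open nature of MANETs and the limited computing and storage resources of their nodes, this paper proposes a cooperative, hierarchical intrusion detection system based on intrusion detection system (IDS) agents.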
3.
King Sun Chan, Mohammad Rafiqul Alam. International Journal of Communication Systems, 2014, 27(7): 1051-1068
Wormhole attack is considered one of the most threatening security attacks for mobile ad hoc networks. In a wormhole attack, a tunnel is set up in advance between two colluders. The colluders record packets at one location and forward them through the tunnel to another location in the network. Depending on whether or not the colluders are participating in the network functions, the wormhole attack can be further divided into two categories: traditional wormhole attack and Byzantine wormhole attack. Existing research focusing on detecting traditional wormhole attacks can be classified into three categories: one‐hop delay‐based, topological analysis‐based, or special hardware/middleware‐based approaches. Unfortunately, they all have their own limitations. Most of the research on detecting Byzantine wormhole attacks does not address the Byzantine wormhole attack directly. Instead, it focuses on observing the consequences after a Byzantine wormhole attack, like packet dropping or modification. In this paper, we propose to detect both traditional and Byzantine wormhole attacks by detecting some topological anomalies introduced by wormhole tunnels. Simulation results show that our scheme can achieve both high wormhole attack detection rate and accuracy. Our scheme is also simple to implement. Copyright © 2012 John Wiley & Sons, Ltd.
4.
5.
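Research on Attack Languages for Intrusion Detection Systems (total citations: 1, self-citations: 0, citations by others: 1)
This paper gives a classified survey of the attack languages currently used in intrusion detection systems. On that basis it analyzes the shortcomings of these languages and proposes that the existing languages be merged in order to design comprehensive languages. Such comprehensive languages should be able to describe an attack from multiple aspects, which benefits data consistency and reusability and promotes the standardization of attack languages. The paper closes with directions for future research.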
6.
Wireless sensor networks have been widely used in general and military scenarios, and this leads to a need for more security. Wireless sensor networks are easily vulnerable to attack and compromise. Wormhole attack is a harmful attack against routing protocols which can drop data randomly or disturb the routing path. In this paper, we proposed a novel method to detect the wormhole attack based on statistical analysis. In the proposed method, a sensor can detect the fake neighbors which are caused by a wormhole through the neighbor discovery process, and then a k-means clustering based method is used to detect the wormhole attack according to the neighbor information. That is, by using this proposed method, we can detect the wormhole only by the neighbor information without any special requirement. We did some experiments to evaluate the performance of this method, and the experimental results show that our method can achieve satisfying results.
7.
Wireless Networks - Multicast communication of mobile ad hoc networks (MANET), rather than multiple unicast communication, delivers common content to more than one receiver at a time. Due to...
8.
9.
10.
11.
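This paper presents the design of an intrusion detection system model for detecting distributed attacks. The model uses a signature-based approach and can detect distributed attacks that data collection at a single site cannot. Compared with other approaches, this method greatly reduces the communication volume of intrusion detection, thereby reducing the complexity of communication security management.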
12.
The author puts forward an integrated intrusion detection (ID) model based on artificial immune (IIDAI), a vaccination strategy based on the significance degree of genes and a method to generate initial memory antibodies with rough set (RS). IIDAI integrates two kinds of intrusion detection mode: misuse detection and anonymous detection. Misuse detection and anonymous detection are applied to detect the known and the unknown attacks, respectively. On the basis of IIDAI model, an ID algorithm is presented. Simulation shows that the IIDAI has better performance than traditional ID methods in feasibility and effectiveness. It is very prone to achieve a higher convergence rate by using the vaccination strategy. Moreover, RS can remove the redundancy attributes and increase the detection speed. It can also increase detection rate by applying the integrated method.
13.
14.
15.
16.
Martin Andreoni Lopez, Diogo Menezes Ferrazani Mattos, Otto Carlos M. B. Duarte. Annals of Telecommunications, 2016, 71(11-12): 595-605
Internal users are the main causes of anomalous and suspicious behaviors in a communication network. Even when traditional security middleboxes are present, internal attacks may lead the network to outages or to leakage of sensitive information. In this article, we propose BroFlow, an Intrusion Detection and Prevention System based on the Bro traffic analyzer and on the global network view of software-defined networks (SDN), which is provided by OpenFlow. BroFlow's main contributions are (i) dynamic and elastic resource provision of traffic-analyzing machines under demand; (ii) real-time detection of DoS attacks through simple algorithms implemented in a policy language for network events; (iii) immediate reaction to DoS attacks, dropping malicious flows close to their sources; and (iv) near-optimal placement of sensors through a proposed heuristic for strategically positioning sensors in the network infrastructure, which is shared by multi-tenants, with a minimum number of sensors. We developed a prototype of the proposed system, and we evaluated it in a virtual environment of the Future Internet Testbed with Security (FITS). An evaluation of the system under attack shows that BroFlow guarantees the forwarding of legitimate packets at the maximal link rate, reducing up to 90 % of the maximal network delay caused by the attack. BroFlow reaches 50 % of bandwidth gain when compared with conventional firewall approaches, even when the attackers are legitimate tenants acting in collusion. In addition, the system reduces the number of sensors, while keeping full coverage of network flows.
17.
Mobile ad hoc network (MANET) is defined as the category of wireless network that is capable of operating without any fixed infrastructure. The main assumption considered in this network is that all nodes are trusted nodes, but in a real scenario, some nodes can be malicious nodes and therefore can perform selective dropping of data packets instead of forwarding the data packets to the destination node. These malicious nodes behave normally during the route discovery phase and afterwards drop fractions of the data packets routed through them. Such a type of attack is known as a smart gray hole attack, which is a variation of the sequence number based gray hole attack. In this paper, we have launched a smart gray hole attack and proposed a new mechanism for mitigating the impact of the smart gray hole attack. Mitigating Gray hole Attack Mechanism (MGAM) uses several special nodes called G-IDS (gray hole-intrusion detection system) nodes, which are deployed in MANETs for detecting and preventing smart gray hole attacks. G-IDS nodes overhear the transmission of their neighbouring nodes, and when a G-IDS node detects that a node is dropping data packets in excess of a threshold value, it broadcasts an ALERT message in the network notifying about the identity of the malicious node. The identified malicious node is then blocked from further participation by dropping its request and reply packets. In order to validate the effectiveness of our proposed mechanism, the NS-2.35 simulator is used. The simulation results show that the proposed mechanism performs slightly well as compared with the existing scheme under smart gray hole attack.
18.
19.
The main objective of this paper is to design a more complete intrusion detection system solution. The paper presents an efficient approach for reducing the rate of alerts using a divided two-part adaptive intrusion detection system (DTPAIDS). The proposed DTPAIDS has a high degree of autonomy in tracking suspicious activity and detecting positive intrusions. The proposed DTPAIDS is designed with the aim of reducing the rate of detected false positive intrusions through two achievements. The first achievement is done by implementing an adaptive self-learning neural network in the proposed DTPAIDS to give it the ability to be an automatically adaptive system based on a Radial Basis Functions (RBF) neural network. The second achievement is done through dividing the proposed intrusion detection system (IDS) into two parts. The first part is IDS1, which is installed in front of the firewall and is responsible for checking each entering user's packet and deciding if the packet considered is an attack or not. The second is IDS2, which is installed behind the firewall and is responsible for detecting only the attacks which passed the firewall. This proposed approach for IDS exhibits a lower false alarm rate when it detects novel attacks. The simulation tests are conducted using the DARPA 1998 dataset. The experimental results show that the proposed DTPAIDS [1] reduces the false positive rate, [2] detects intrusion occurrence sensitively and precisely, and [3] accurately self-adapts the diagnoser model, thus improving its detection accuracy.