Similar literature
 20 similar documents found
1.
Mobile Ad Hoc Networks (MANETs) are susceptible to a variety of attacks that threaten their operation and the provided services. Intrusion Detection Systems (IDSs) may act as defensive mechanisms, since they monitor network activities in order to detect malicious actions performed by intruders, and then initiate the appropriate countermeasures. IDSs for MANETs have attracted much attention recently, and thus there are many publications that propose new IDS solutions or improvements to existing ones. This paper evaluates and compares the most prominent IDS architectures for MANETs. IDS architectures are defined as the operational structures of IDSs. For each IDS, the architecture and the related functionality are briefly presented and analyzed, focusing on both the operational strengths and weaknesses. Moreover, methods and techniques that have been proposed to improve the performance and the provided security services of those IDSs are evaluated, and their shortcomings or weaknesses are presented. A comparison of the studied IDS architectures is carried out using a set of critical evaluation metrics, which derive from: (i) the deployment, architectural, and operational characteristics of MANETs; (ii) the special requirements of intrusion detection in MANETs; and (iii) the analysis carried out, which reveals the most important strengths and weaknesses of the existing IDS architectures. The evaluation metrics of IDSs are divided into two groups: the first is related to performance and the second to security. Finally, based on this evaluation and comparison, a set of design features and principles is presented, which have to be addressed and satisfied in future research on designing and implementing IDSs for MANETs.

2.
A hybrid intrusion detection system design for computer network security   Cited by: 1 (self-citations: 0, citations by others: 1)
Intrusion detection systems (IDSs) are systems that try to detect attacks as they occur or after the attacks have taken place. IDSs collect network traffic information from some point on the network or computer system and then use this information to secure the network. Intrusion detection systems can be misuse-detection based or anomaly-detection based. Misuse-detection based IDSs can only detect known attacks, whereas anomaly-detection based IDSs can also detect new attacks by using heuristic methods. In this paper we propose a hybrid IDS that combines the two approaches in one system. The hybrid IDS is obtained by combining packet header anomaly detection (PHAD) and network traffic anomaly detection (NETAD), which are anomaly-based IDSs, with the misuse-based IDS Snort, which is an open-source project. The hybrid IDS obtained is evaluated using the MIT Lincoln Laboratories network traffic data (IDEVAL) as a testbed. The evaluation compares the number of attacks detected by the misuse-based IDS on its own with the number detected by the hybrid IDS that combines anomaly-based and misuse-based IDSs, and shows that the hybrid IDS is a more powerful system.

3.
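High false-negative and false-positive rates have long been the main problem of intrusion detection systems (IDS), which rely on two main detection techniques: misuse detection and anomaly detection. Drawing on the respective strengths of these two techniques and on their complementarity, this paper presents an IDS model that combines anomaly detection based on artificial immunity with misuse detection based on particle swarm optimization (PSO). The system also uses feature selection to reduce data dimensionality and improve detection performance. Experiments show that the system achieves a high detection rate and a low false-positive rate, can update its rule base automatically and remember unknown types of attack, and is an effective detection method.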

4.
The growing reliance of industry 4.0/5.0 on emergent technologies has dramatically increased the scope of cyber threats and data privacy issues. Recently, federated learning (FL) based intrusion detection systems (IDS) promote the detection of large-scale cyber-attacks in resource-constrained and heterogeneous industrial systems without exposing data to privacy issues. However, the inherent characteristics of the latter have led to problems such as a trusted validation and consensus of the federation, unreliability, and privacy protection of model upload. To address these challenges, this paper proposes a novel privacy-preserving secure framework, named PPSS, based on the use of blockchain-enabled FL with improved privacy, verifiability, and transparency. The PPSS framework adopts the permissioned-blockchain system to secure multi-party computation as well as to incentivize cross-silo FL based on a lightweight and energy-efficient consensus protocol named Proof-of-Federated Deep-Learning (PoFDL). Specifically, we design two federated stages for global model aggregation. The first stage uses differentially private training of Stochastic Gradient Descent (DP-SGD) to enforce privacy protection of client updates, while the second stage uses PoFDL protocol to prove and add new model-containing blocks to the blockchain. We study the performance of the proposed PPSS framework using a new cyber security dataset (Edge-IIoT dataset) in terms of detection rate, precision, accuracy, computation, and energy cost. The results demonstrate that the PPSS framework system can detect industrial IIoT attacks with high classification performance under two distribution modes, namely, non-independent and identically distributed (Non-IID) and independent and identically distributed (IID).

5.
As the use of intrusion detection systems (IDSs) continues to climb and as researchers find more ways to detect attacks amid a vast ocean of data, the problem of testing IDS solutions has reared its ugly head. Showing that one technique is better than another, or training an IDS about normal usage, requires test data. As it turns out, collecting or creating such a data set is something of a catch-22. If the data already contains attacks, researchers will train the IDS to see the attacks as normal; the IDS could then fail to register them as malicious events in the future. The most efficient way, however, to determine whether a large data set contains malicious events is to scan it with an existing IDS. Thus, any attacks that the existing IDS fails to find are presented to the new IDS as normal data, leading to potential false negatives. Clearly, breaking this cycle requires an independent source of verifiable attack-free training data with which to train IDSs.

6.
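Based on an in-depth analysis of honeypot and intrusion detection technology, this paper proposes a honeypot intrusion detection system based on virtual machine technology. It integrates a honeypot, a HIDS and a NIDS in one intrusion detection system: the honeypot is isolated on a virtual machine, the IDS is used to control the honeypot's security, and the network security detection information from both is combined to build a stronger intrusion detection system. While addressing the honeypot's own security problems as far as possible, the scheme combines the advantages of the three components and suppresses their respective weaknesses, and it requires almost no changes to existing intrusion detection systems, so it is highly practical and has broad application prospects.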

7.
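With the rapid development of network technology and the continuing growth of network bandwidth, network security problems have become increasingly prominent. Intrusion detection systems, as network security systems that, unlike firewalls, actively protect network resources, are widely used in practice. However, as resource sharing on computer networks increases further, intrusion activity has become complex and elusive, and a single intrusion detection system that lacks cooperation can no longer meet application needs. The common intrusion detection model standardizes the component architecture of intrusion detection systems, the data exchange format, and the cooperation methods. Building on a discussion of the Common Intrusion Detection Framework model, this paper describes in detail how to use the Lightweight Directory Access Protocol (LDAP) for communication between components.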

8.
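An Ethereum smart contract is essentially a program, authenticated by both parties, that is jointly executed on the network by nodes that do not trust one another. Large numbers of smart contracts are now used to manage digital assets, which makes smart contracts an important target for attackers. A common attack method is an intrusion that exploits vulnerabilities in a smart contract to carry out specific operations. ContractGuard is the first intrusion detection system proposed for Ethereum blockchain smart contracts, and it can detect potential attacks on smart contracts. ContractGuard's intrusion detection relies mainly on detecting the abnormal control flow that potential attacks may cause. Because smart contracts run in a decentralized and highly constrained environment, existing IDS techniques and tools, which are deployed as external interceptors, are not suitable for Ethereum smart contracts. To solve these problems, an embedded architecture is designed in which ContractGuard is embedded directly in the smart contract's executable code as part of the contract. At run time, ContractGuard performs intrusion detection using the corresponding context-tagged acyclic paths, thereby protecting the smart contract. Because additional code is embedded, ContractGuard increases the contract's deployment and run-time overhead to some extent; to reduce both, ContractGuard is optimized based on the characteristics of Ethereum smart contracts. Experimental results show that it effectively detects 83% of abnormal behavior, while deployment overhead increases by only 36.14% and run-time overhead by only 28.17%.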

9.
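An improvement scheme for data-mining-based real-time detection systems   Cited by: 2 (self-citations: 0, citations by others: 2)
To better apply and promote intrusion detection systems based on real-time data mining, the accuracy, efficiency and usability of data-mining-based intrusion detection models must be improved. This paper proposes solutions and improvements for each of these three aspects, and finally proposes an improved detection model structure that integrates the solutions proposed in the paper and can greatly improve the efficiency and scalability of real-time IDSs.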

10.
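Xia Xin (夏欣), Hu Bin (胡滨). Computer Engineering and Design (计算机工程与设计), 2007, 28(22): 5378-5380, 5513
Intrusion detection systems, as network security systems that, unlike firewalls, actively protect network resources, are widely used. However, as resource sharing on computer networks increases further, intrusion activity has become complex and elusive, and a single intrusion detection system that lacks cooperation can no longer meet application needs. The common intrusion detection model standardizes the component architecture of intrusion detection systems, the data exchange format, and the cooperation methods. Building on a discussion of the Common Intrusion Detection Framework model, this paper describes in detail how to use the Lightweight Directory Access Protocol (LDAP) for communication between components.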

11.
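An attack-resistant IDS model based on mobile agents   Cited by: 2 (self-citations: 0, citations by others: 2)
As the performance of intrusion detection systems (IDS) gradually improves, attackers often attack the IDS before intruding into the target network, so that it loses its protective function. Building on the distributed intrusion detection systems in common use today, this paper proposes an IDS model that can withstand denial-of-service (DoS) attacks, and describes how to configure current distributed IDSs to convert them to this model.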

12.
A requirements taxonomy for reducing Web site privacy vulnerabilities   Cited by: 1 (self-citations: 1, citations by others: 0)
The increasing use of personal information on Web-based applications can result in unexpected disclosures. Consumers often have only the stated Web site policies as a guide to how their information is used, and thus on which to base their browsing and transaction decisions. However, each policy is different, and it is difficult—if not impossible—for the average user to compare and comprehend these policies. This paper presents a taxonomy of privacy requirements for Web sites. Using goal-mining, the extraction of pre-requirements goals from post-requirements text artefacts, we analysed an initial set of Internet privacy policies to develop the taxonomy. This taxonomy was then validated during a second goal extraction exercise, involving privacy policies from a range of health care related Web sites. This validation effort enabled further refinement to the taxonomy, culminating in two classes of privacy requirements: protection goals and vulnerabilities. Protection goals express the desired protection of consumer privacy rights, whereas vulnerabilities describe requirements that potentially threaten consumer privacy. The identified taxonomy categories are useful for analysing implicit internal conflicts within privacy policies, the corresponding Web sites, and their manner of operation. These categories can be used by Web site designers to reduce Web site privacy vulnerabilities and ensure that their stated and actual policies are consistent with each other. The same categories can be used by customers to evaluate and understand policies and their limitations. Additionally, the policies have potential use by third-party evaluators of site policies and conflicts.
Annie I. Antón

13.
Modern Intrusion Detection Systems (IDSs) are distributed real-time systems that detect unauthorized use or attacks upon an organization's network and/or hosts. The components of most distributed IDSs are arranged in a hierarchical tree structure, where the sensor nodes pass information to the analyzer nodes. Optimal placement of the analyzer nodes results in an improved response time for the IDS, and isolation of attacks within the IDS network. Since the network topology and workload are constantly changing, we are able to maintain near-optimal placement of the analyzer nodes by instantiating them as mobile agents. The analyzer nodes may then relocate, reproduce or be deleted as necessary. Such flexibility improves the response times and the stability of an IDS. The movement of the analyzer nodes also offers some protection against denial-of-service attacks, since secure analyzer nodes will be relocated to take over some of the functionality of the host under attack.

14.
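Research on IDS intrusion detection systems   Cited by: 24 (self-citations: 1, citations by others: 24)
In distributed computing environments, the first concern for information systems is protecting data and resources from unauthorized access and manipulation, and even from malicious intrusion and destruction, so security management is increasingly a focus of attention. Among the many emerging technologies, IDS (intrusion detection systems) are favored for their novel approach and broad application prospects. This paper introduces the history and current state of IDS, and describes the shortcomings of existing IDS and future trends in ID technology.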

15.
Intrusion detection systems (IDS) are one of the most promising ways of securing data and networks. In recent decades, IDS have used a variety of categorization algorithms. These classifiers, on the other hand, do not work effectively unless they are combined with additional algorithms that can alter the classifier's parameters or select the optimal subset of features for the problem. Optimizers are used in tandem with classifiers to increase the stability and efficiency of the classifiers in detecting intrusions. These algorithms, on the other hand, have a number of limitations, particularly when used to detect new types of threats. In this paper, the NSL KDD and KDD Cup 99 datasets are used to measure and compare the performance of the proposed classifier model. These two IDS datasets are preprocessed, then Auto Cryptographic Denoising (ACD) is adopted to remove noise in the features of the IDS datasets; the classifier algorithms, K-Means and a neural network, classify the datasets with the Adam optimizer. The IDS classifier is evaluated using performance measures such as f-measure, recall, precision, detection rate and accuracy. The neural network obtained the highest classification accuracy, 91.12%, with the drop-out function, which shows the efficiency of the classifier model with the drop-out function for the KDD Cup 99 dataset. The paper explains their power and limitations in the proposed methodology, which could be used in future work in the IDS area.

16.
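While Web services greatly ease the integration of applications on heterogeneous platforms, their core components also face the threat of malicious attack. At present, these attacks are detected mainly by intrusion detection systems (IDS), but the IDSs distributed across a network are often developed by different vendors or organizations and have no commonly understood vocabulary for exchanging knowledge, so they are hard to make interact and cooperate, work inefficiently, and struggle to withstand multi-level, distributed attacks. This paper proposes a method for classifying and describing Web service attacks based on ontologies and the Web Ontology Language (OWL), building a Web service attack ontology to give different IDSs a commonly understood vocabulary. On this basis, an intrusion detection system based on the Web service attack ontology library (O-IDS) is designed, which effectively makes up for the difficulty existing IDSs have in interacting and improves the ability to detect multi-level, distributed attacks.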

17.
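Jin Dahai (金大海). Modern Computer (现代计算机), 2001, (3): 50-52, 59
Intrusion detection systems are an important part of modern network security. Intrusion detection means monitoring a specific computer or network in order to detect possible attacks. There are two main types of intrusion detection system: host-based and network-based. The former monitors the whole network or part of a network segment, and the latter monitors a specific computer. If the two types of system are combined to monitor network traffic and system events in real time and to respond automatically to suspicious behavior, security risk is reduced as far as possible and the security of networked systems is protected.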

18.
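Research on intrusion detection technology   Cited by: 3 (self-citations: 0, citations by others: 3)
Zheng Fei (郑飞), Fang Min (方敏). Computer Simulation (计算机仿真), 2004, 21(8): 66-69
Network security is a current research focus, and intrusion detection is the most important active defense technology in network security. This paper introduces the concept, classification and current state of intrusion detection technology; on that basis, it analyzes and compares in depth its core technology, intrusion analysis, and gives an example that organically combines several intrusion analysis techniques. Given that intrusion detection developed relatively late and is not standardized, the paper identifies several of the most pressing problems facing intrusion detection and gives possible solutions. Finally, it looks ahead to the direction of development of intrusion detection systems and proposes a new intrusion detection framework that combines several technologies.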

19.
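Research on data-set-based evaluation of intrusion detection systems   Cited by: 10 (self-citations: 0, citations by others: 10)
Intrusion detection technology has become an important part of the information security assurance system. To date, however, there is no widely accepted standard for evaluating intrusion detection systems (IDS), and users and researchers have doubts about the effectiveness of IDSs and of new detection algorithms. The key to resolving these issues is thorough evaluation of IDSs. Researchers have proposed a variety of IDS evaluation schemes, such as the data-set evaluation proposed by MIT Lincoln Lab and OSEC (Open Security Evaluation Criteria) proposed by Neohapsis. Analysis of evaluation results can reveal the shortcomings of existing technology and so guide future IDS research. This paper analyzes in detail the data-set evaluation method proposed by MITLL, explains the key issues in data-set evaluation, and, building on the MITLL research, proposes related improvements as further research.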

20.
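Research on intrusion detection based on plan recognition   Cited by: 1 (self-citations: 0, citations by others: 1)
Plan recognition is one of the important research branches of artificial intelligence and has seen initial application in intrusion detection. After introducing the basic concepts of plan recognition and intrusion detection, this paper examines, by category of plan recognition method, the current state and progress of applying event-level plan recognition, Bayesian-network-based plan recognition, plan recognition based on extended goal plan graphs, colored Petri nets, adversarial planning, and behavior state diagrams to intrusion detection. It then analyzes in depth the relationship and similarities between plan recognition and intrusion detection. Finally, it discusses the problems of intrusion detection based on plan recognition and points out future trends. The paper surveys the key technologies and open problems in applying intelligent planning to intrusion detection, and is a valuable reference for those working on intrusion detection research.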
