Similar literature
20 similar documents found (search time: 15 ms)
1.
Ontologies play an essential role in knowledge sharing and exploration, especially in multiagent systems. Intrusion is an unauthorized activity in a network, which is achieved by either active manner (information gathering) or passive manner (harmful packet forwarding). Most of the existing intrusion detection system (IDS) suffers from the following issues: it is usually adjusted to detect known service level network attacks and leaves from vulnerable to original and novel malicious attacks. Thus, it provides low accuracy and detection rate, which are the important problems of existing IDS. To overwhelm these drawbacks, an ontology‐based multiagent IDS framework is developed in this work for intrusion detection. The main intention of this work is to detect the network attacks with the help of multiple detection agents. In this analysis, there are 3 different types of agents, ie, IDS broker, deputy commander, and response agent, which are used to prevent and detect the attacks in a network. The novel concept of this work is based on the concept of signature matching; it identifies and detects the attackers with the help of multiple agents.

2.
Mobile ad hoc networks (MANETs) are well known to be vulnerable to various attacks due to their lack of centralized control, and their dynamic topology and energy-constrained operation. Much research in securing MANETs has focused on proposals which detect and prevent a specific kind of attack such as sleep deprivation, black hole, grey hole, rushing or sybil attacks. In this paper we propose a generalized intrusion detection and prevention mechanism. We use a combination of anomaly-based and knowledge-based intrusion detection to secure MANETs from a wide variety of attacks. This approach also has the capability to detect new unforeseen attacks. Simulation results of a case study show that our proposed mechanism can successfully detect attacks, including multiple simultaneous different attacks, and identify and isolate the intruders causing a variety of attacks, with an affordable network overhead. We also investigate the impact on the MANET performance of (a) the various attacks and (b) the type of intrusion response, and we demonstrate the need for an adaptive intrusion response.

3.
RSA signature algorithms using the Chinese remainder theorem (CRT‐RSA) are approximately four‐times faster than straightforward implementations of an RSA cryptosystem. However, the CRT‐RSA is known to be vulnerable to fault attacks; even one execution of the algorithm is sufficient to reveal the secret keys. Over the past few years, several countermeasures against CRT‐RSA fault attacks have tended to involve additional exponentiations or inversions, and in most cases, they are also vulnerable to new variants of fault attacks. In this paper, we review how Shamir's countermeasure can be broken by fault attacks and improve the countermeasure to prevent future fault attacks, with the added benefit of low additional costs. In our experiment, we use the side‐channel analysis resistance framework system, a fault injection testing and verification system, which enables us to inject a fault into the right position, even to within 1 μs. We also explain how to find the exact timing of the target operation using an Atmega128 software board.

4.
The current network‐based intrusion detection systems have a very high rate of false alarms, and this phenomenon results in significant efforts to gauge the threat level of the anomalous traffic. In this paper, we propose an intrusion detection mechanism based on honeypot log similarity analysis and data mining techniques to predict and block suspicious flows before attacks occur. With honeypot logs and association rule mining, our approach can reduce the false alarm problem of intrusion detection because only suspicious traffic would be present in the honeypots. The proposed mechanism can reduce human effort, and the entire system can operate automatically. The results of our experiments indicate that the honeypot prediction system is practical for protecting assets from attacks or misuse.

5.
Dependence on the Internet is increasing dramatically. Therefore, many researchers have given great attention to the issue of how to tighten Internet security. This study proposes a new scheme for the distributed intrusion prevention system (DIPS), in which the concept of ‘union’ is presented for satisfying the increasing requirements of Internet security issues. In this proposed design, the network intrusion detection system (NIDS) applies a misuse detection technique to detect well‐known intrusion behavior on the Internet. Meanwhile, for anomaly detection technique, a tool named ‘Scent’ (a network traffic sniffer) is combined with conditional legitimate probability to reveal previously undiscovered intrusion packets that do not match the intrusion signatures in NIDS. Moreover, blocking distributed denial‐of‐service (DDoS) attacks inside the protected allied network is also covered. To increase the detection accuracy, reduction of false positives and false negatives is also accomplished. Experimental results reveal that the suggested network security system scheme is effective and efficient in resolving the intrusion activity problem of real network environments. Copyright © 2011 John Wiley & Sons, Ltd.

6.
Intrusion detection system (IDS) represents an unavoidable tool to secure our network. It is considered as a second defense line against the different form of attacks. The principal limits of the current IDSs are their inability to combine the detection of the new form of attacks with high detection rate and low false alarm rate. In this paper, we propose an intrusion detection system based on the combination of the probability predictions of a tree of classifiers. Specifically, our model is composed of 2 layers. The first one is a tree of classifiers. The second layer is a classifier that combines the probability predictions of the tree. The built tree contains 4 levels where each node of this tree represents a classifier. The first node classifies the connections in 2 clusters: Denial of Service attacks and Cluster 2. Then, the second node classifies the connections of the Cluster 2 in Probing attacks and Cluster 3. The third node classifies the connections of the Cluster 3 in Remote‐to‐Local attacks and Cluster 4. Finally, the last node classifies the connections of the Cluster 4 in User‐to‐Root attacks and Normal connections. The second layer contains the last classifier that combines the probability predictions of the first layer and takes the final decision. The experiments on KDD'99 and NSL‐KDD show that our model gives a low false alarm rate and the highest detection rate. Furthermore, our model is more precise than the recent intrusion detection system models with accuracy equal to 96.27% for KDD'99 and 89.75% for NSL‐KDD.

7.
In information security and network management, attacks based on vulnerabilities have grown in importance. Malicious attackers break into hosts using a variety of techniques. The most common method is to exploit known vulnerabilities. Although patches have long been available for vulnerabilities, system administrators have generally been reluctant to patch their hosts immediately because they perceive the patches to be annoying and complex. To solve these problems, we propose a security vulnerability evaluation and patch framework called PKG‐VUL, which evaluates the software installed on hosts to decide whether the hosts are vulnerable and then applies patches to vulnerable hosts. All these operations are accomplished by the widely used simple network management protocol (SNMP). Therefore, system administrators can easily manage their vulnerable hosts through PKG‐VUL included in the SNMP‐based network management systems as a module. The evaluation results demonstrate the applicability of PKG‐VUL and its performance in terms of devised criteria.

8.
Multicast communication of mobile ad hoc networks is vulnerable to internal attacks due to its routing structure and high scalability of its participants. Though existing intrusion detection systems (IDSs) act smartly to defend against attack strategies, adversaries also accordingly update their attacking plans intelligently so as to intervene in successful defending schemes. In our work, we present a novel indirect internal stealthy attack on a tree‐based multicast routing protocol. Such an indirect stealthy attack intelligently makes neighbor nodes drop their routing‐layer unicast control packets instead of processing or forwarding them. The adversary targets the collision avoidance mechanism of the Medium Access Control (MAC) protocol to indirectly affect the routing layer process. Simulation results show the success of this attacking strategy over the existing “stealthy attack in wireless ad hoc networks: detection and countermeasure (SADEC)” detection system. We design a cross‐layer automata‐based stealthy attack on multicast routing protocols (SAMRP) attacker detection system to identify and isolate the proposed attacker. NS‐2 simulation and analytical results show the efficient performance, against an indirect internal stealthy attack, of SAMRP over the existing SADEC and BLM attacker detection systems.

9.
RFID systems are vulnerable to different attacks related to the location; distance fraud attack, relay attack and terrorist attack. The main countermeasure against these attacks is the use of protocols capable of measuring the round trip time of single challenge‐response bit. In this paper, we consider a modification of these protocols applying a new feature; the ‘void challenges’. This way, the success probability for an adversary to access to the system decreases. We use as reference‐point the most popular of this kind of protocols, the Hancke and Kuhn's protocol, to show the improvements achieved when different cases are analysed. Copyright © 2008 John Wiley & Sons, Ltd.

10.
The continuous evolvement of the e‐domain has led to a significant increase in the amount of sensitive personal information stored on networked hosts. These hosts are invariably protected by security mechanisms such as intrusion detection systems, Intrusion Prevention System (IPS), antivirus software, firewalls, and so forth. However, they still remain vulnerable to the threat of malicious attacks, theft and intrusion. The high false positive alarm rate of such mechanisms is particularly troublesome because false alarms greatly degrade the efficiency of the security framework. Security operation centers (SOCs) provide an automated solution for analyzing the threat to a network such that appropriate protective measures can be put in place. This paper proposes a novel hierarchical mobile‐agent‐based SOC to overcome the vulnerability of traditional static SOCs to single point of failure attacks. In addition, the network is partitioned into multiple divisions, each with its own alert detection and aggregation methodology to improve the computational efficiency of the data collection and fusion process. The data acquired in the various divisions are fused and correlated in an efficient manner via intrusion detection message exchange format, XML, session and timer methods. The experimental results confirm the effectiveness and efficiency of the proposed hierarchical mobile‐agent‐based SOC framework. Copyright © 2012 John Wiley & Sons, Ltd.

11.
Trust models that rely on recommendation trusts are vulnerable to badmouthing and ballot‐stuffing attacks. To cope with these attacks, existing trust models use different trust aggregation techniques to process the recommendation trusts and combine them with the direct trust values to form a combined trust value. However, these trust models are biased as recommendation trusts that deviate too much from one's own opinion are discarded. In this paper, we propose a non‐biased trust model that considers all recommendation trusts available regardless of whether they are good or bad. Our trust model is based on a combination of 2 techniques: the dissimilarity test and the Dempster‐Shafer Theory. The dissimilarity test determines the amount of conflict between 2 trust records, whereas the Dempster‐Shafer Theory assigns belief functions based on the results of the dissimilarity test. Numerical results show that our trust model is robust against reputation‐based attacks when compared to trust aggregation techniques such as the linear opinion pooling, subjective logic model, entropy‐based probability model, and regression analysis. In addition, our model has been extensively tested using network simulator NS‐3 in an Infrastructure‐based wireless mesh network and a Hybrid‐based wireless mesh network to demonstrate that it can mitigate blackhole and grayhole attacks.

12.
Internet of Things (IoT) security is the act of securing IoT devices and networks. IoT devices, including industrial machines, smart energy grids, and building automation, are extremely vulnerable. With the goal of shielding network systems from illegal access in cloud servers and IoT systems, Intrusion Detection Systems (IDSs) and Network-based Intrusion Prevention Systems (NBIPSs) are proposed in this study. An intrusion prevention system is proposed to realize NBIPS to safeguard top to bottom engineering. The proposed NBIPS inspects network activity streams to identify and counteract misuse instances. The NBIPS is usually located specifically behind a firewall, and it provides a reciprocal layer of investigation that adversely chooses unsafe substances. Network-based IPS sensors can be installed either in an inline or a passive model. An inline sensor is installed to monitor the traffic passing through it. The sensors are installed to stop attacks by blocking the traffic using an IoT signature-based protocol.

13.
Software‐defined networking (SDN) is an innovative network paradigm much in demand today in academics and industry. In this network, the SDN controller must be able to observe and examine traffic flow through the network systems. However, a major drawback is that intrusion‐based data packets affect the whole system. To overcome this issue, we propose a Novel Agent Program (NAP) framework for preventing switches from the external compromised attacks. A Meta‐Heuristic Bayesian Network Classification (MHBNC) algorithm for intrusion detection is proposed in this paper. The proposed algorithm follows certain procedures for preprocessing, feature selection, feature optimization, and classification. Normal and anomaly‐based data packets are classified successfully with its improved detection capabilities based on the optimization technique. The simulation results of the proposed ID_MBC (intrusion detection based on meta‐heuristic Bayesian classifier) technique are compared with existing techniques such as the association rule, PSO+GA, and the GA+RVM. The proposed MHBNC classifier performs better than existing methods.

14.
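Conventional operating systems lack sufficient audit data, so host-based intrusion detection systems cannot detect low-level network attacks. Network-based intrusion detection systems rely only on the data stream on the network and therefore cannot detect all attacks. This paper analyzes several low-level IP attacks and, on the basis of that analysis, proposes adding some audit data to the operating system's audit records so that host-based intrusion detection systems can detect low-level network attacks.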

15.
We investigate performance characteristics of secure group communication systems (GCSs) in mobile ad hoc networks that employ intrusion detection techniques for dealing with insider attacks tightly coupled with rekeying techniques for dealing with outsider attacks. The objective is to identify optimal settings including the best intrusion detection interval and the best batch rekey interval under which the system lifetime (mean time to security failure) is maximized while satisfying performance requirements. We develop a mathematical model based on stochastic Petri net to analyze tradeoffs between security and performance properties, when given a set of parameter values characterizing operational and environmental conditions of a GCS instrumented with intrusion detection tightly coupled with batch rekeying. We compare our design with a baseline system using intrusion detection integrated with individual rekeying to demonstrate the effectiveness.

16.
A mobile pay‐TV service is one of the ongoing services of multimedia systems. Designing an efficient mechanism for authentication and key distribution is an important security requirement in mobile pay‐TV systems. Until now, many security protocols have been proposed for mobile pay‐TV systems. However, the existing protocols for mobile pay‐TV systems are vulnerable to various security attacks. Recently, Wang and Qin proposed an authentication scheme for mobile pay‐TV systems using bilinear pairing on elliptic curve cryptography. They claimed that their scheme could withstand various attacks. In this paper, we demonstrate that Wang and Qin's scheme is vulnerable to replay attacks and impersonation attacks. Furthermore, we propose a novel security protocol for mobile pay‐TV systems using the elliptic curve cryptosystem to overcome the weaknesses of Wang and Qin's scheme. In order to improve the efficiency, the proposed scheme is designed in such a way that needs fewer scalar multiplication operations and does not use bilinear pairing, which is an expensive cryptographic operation. Detailed analyses, including verification using the Automated Validation of Internet Security Protocols and Applications tool and implementation on FPGA, demonstrate that the proposed scheme not only withstands active and passive attacks and provides user anonymity but also has a better performance than Wang and Qin's scheme.

17.
In recent years, Wireless Sensor Networks (WSNs) have demonstrated successful applications for both civil and military tasks. However, sensor networks are susceptible to multiple types of attacks because they are randomly deployed in open and unprotected environments. It is necessary to utilize effective mechanisms to protect sensor networks against multiple types of attacks on routing protocols. In this paper, we propose a lightweight intrusion detection framework integrated for clustered sensor networks. Furthermore, we provide algorithms to minimize the triggered intrusion modules in clustered WSNs by using an over‐hearing mechanism to reduce the sending alert packets. Our scheme can prevent most routing attacks on sensor networks. In in‐depth simulation, the proposed scheme shows less energy consumption in intrusion detection than other schemes. Copyright © 2009 John Wiley & Sons, Ltd.

18.
Radio Frequency Identification (RFID)‐based parking management systems provide facilities to control parking lot systems within easy access and secure inspection. Chen and Chong have presented a scheme to prevent car thefts for parking lot management systems, which is based on EPC C1‐G2 RFID standard. They claimed that their protocol is resistant against well‐known RFID attacks. In this paper, we prove that Chen and Chong's scheme is not resistant against secret disclosure and impersonation attacks. Therefore, in Chen and Chong parking lot system, a car may be stolen without having a valid tag. In this paper, we also show that the proposed impersonation attack works for any length of cyclic redundancy check and the secret disclosure attack costs at most 2^16 evaluations of the used pseudo random number generator. The success probability of both attacks is 1 while their complexity is only 2 runs of the protocol. Finally, we present an improved protocol and formally and informally prove that the improved protocol provides the desired level of security and privacy.

19.
Cooperative ad hoc wireless networks are more vulnerable to malicious attacks than traditional wired networks. Many of these attacks are silent in nature and cannot be detected by conventional intrusion detection methods such as traffic monitoring, port scanning, or protocol violations. These sophisticated attacks operate under the threshold boundaries during an intrusion attempt and can only be identified by profiling the complete system activity in relation to normal behavior. In this article we discuss a control-theoretic hidden Markov model strategy for intrusion detection using distributed observation across multiple nodes. This model comprises a distributed HMM engine that executes in a randomly selected monitor node and functions as a part of the feedback control engine. This drives the defensive response based on hysteresis to reduce the frequency of false positives, thereby avoiding inappropriate ad hoc responses.

20.
Recently, several companies have introduced passive entry systems for automotive applications. These systems are intended to increase user comfort by eliminating the requirement that the user has to reach for the customer identification device (CID), a credit card like tool, to gain access to the vehicle compartment. While this extra level of comfort is a desirable feature, especially in luxury vehicles, it introduces several key attacks against the system. This paper describes several techniques of potential attacks against the passive entry system and proposes solutions to protect the vehicle from such attacks.
