Similar literature
1.
The ability to dynamically collect and analyze network traffic and to accurately report the current network status is critical in the face of large-scale intrusions, and enables networks to keep functioning despite traffic fluctuations. The paper presents a network traffic model that represents a specific network pattern and a methodology that compiles the network traffic into a set of rules using soft computing methods. This methodology, built on the network traffic model, can be used to detect large-scale flooding attacks, for example a distributed denial-of-service (DDoS) attack. We report experimental results that demonstrate the distinctive and predictive patterns of flooding attacks in simulated network settings, and show the potential of soft computing methods for the successful detection of large-scale flooding attacks.

2.
Typical packet traffic in a sensor network reveals pronounced patterns that allow an adversary analyzing packet traffic to deduce the location of a base station. Once discovered, the base station can be destroyed, rendering the entire sensor network inoperative, since a base station is a central point of data collection and hence of failure. This paper investigates a suite of decorrelation countermeasures aimed at disguising the location of a base station against traffic analysis attacks. A set of basic countermeasures is described, including hop-by-hop re-encryption of the packet to change its appearance, imposition of a uniform packet sending rate, and removal of the correlation between a packet's receipt time and its forwarding time. More sophisticated countermeasures are described that introduce randomness into the path taken by a packet. Packets may also fork into multiple fake paths to further confuse an adversary. A technique is introduced to create multiple random areas of high communication activity, called hot spots, to deceive an adversary as to the true location of the base station. The effectiveness of these countermeasures against traffic analysis attacks is demonstrated analytically and via simulation using three evaluation criteria: total entropy of the network, total overhead/energy consumed, and the ability to frustrate heuristic-based search techniques that try to locate a base station.
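The abstract above names the basic countermeasure (a uniform sending rate padded with dummy frames) and the criteria used to judge it (entropy, overhead, and defeating a heuristic search). The following simulation is an added example, not code from the paper: it builds a constructed 5x5 grid with greedy routing to a sink, lets a global eavesdropper count transmissions per node, and shows that the volume heuristic ("the busiest node is next to the sink") pins the base station down without the countermeasure, while a uniform rate makes every node look alike (entropy reaches log2 of the number of senders) at the cost of several times more frames on the air. The grid, the routing rule, the 20 frames/epoch rate and the assumption that dummy frames are dropped by the receiver are all assumptions made for the illustration.

```python
import math
from collections import deque

# Constructed topology: a WIDTH x WIDTH grid of sensor nodes with the base
# station (sink) in one cell. Routing is greedy toward the sink (shrink the
# larger coordinate gap first), so relayed traffic piles up next to the sink.
WIDTH = 5
SINK = (0, 0)
MAX_ENTROPY_BITS = math.log2(WIDTH * WIDTH - 1)   # every sender equally busy


def nodes():
    return [(x, y) for x in range(WIDTH) for y in range(WIDTH)]


def hops_to_sink(node):
    return abs(node[0] - SINK[0]) + abs(node[1] - SINK[1])


def next_hop(node):
    x, y = node
    sx, sy = SINK
    if node == SINK:
        return None
    if abs(sx - x) >= abs(sy - y):
        return (x + (1 if sx > x else -1), y)
    return (x, y + (1 if sy > y else -1))


def simulate(epochs=10, uniform_rate=None):
    """Return {node: frames transmitted}, i.e. what a global eavesdropper counts.

    uniform_rate=None: a node sends its own reading plus everything it relays,
    so volume grows toward the sink.
    uniform_rate=R: every node puts exactly R frames on the air per epoch, real
    frames first and dummy frames as padding (assumed countermeasure: dummies
    are dropped by the receiver and never relayed; excess real frames queue).
    """
    sent = {n: 0 for n in nodes()}
    queue = {n: deque() for n in nodes()}
    order = sorted(nodes(), key=hops_to_sink, reverse=True)  # far nodes first
    for _ in range(epochs):
        for n in order:
            if n != SINK:
                queue[n].append(n)            # one reading per node per epoch
        for n in order:
            if n == SINK:
                continue
            hop = next_hop(n)
            budget = len(queue[n]) if uniform_rate is None else uniform_rate
            for _ in range(min(budget, len(queue[n]))):
                queue[hop].append(queue[n].popleft())
            sent[n] += budget                 # real + dummy frames observed
        queue[SINK].clear()
    return sent


def eavesdropper_candidates(sent):
    """Volume heuristic: the node(s) tied for the most transmissions."""
    top = max(sent.values())
    return [n for n, c in sent.items() if c == top]


def volume_entropy_bits(sent):
    """Entropy of the transmission-volume profile; MAX_ENTROPY_BITS means the
    profile carries no information about where the sink is."""
    total = sum(sent.values())
    return -sum((c / total) * math.log2(c / total) for c in sent.values() if c)


def evaluate(uniform_rate=None):
    sent = simulate(uniform_rate=uniform_rate)
    cands = eavesdropper_candidates(sent)
    return {
        "candidates": len(cands),
        "nearest_candidate_hops": min(hops_to_sink(c) for c in cands),
        "entropy_bits": volume_entropy_bits(sent),
        "frames_on_air": sum(sent.values()),
    }


if __name__ == "__main__":
    for label, rate in (("no countermeasure", None), ("uniform rate 20/epoch", 20)):
        r = evaluate(rate)
        print(f"{label:22s} candidates={r['candidates']:2d} "
              f"nearest={r['nearest_candidate_hops']} hop(s) "
              f"entropy={r['entropy_bits']:.2f} bits frames={r['frames_on_air']}")
```

Without the countermeasure the single busiest node is one hop from the sink; with the uniform rate all 24 senders tie, so the heuristic has nothing to work with, and the frame count rises from 1000 to 4800 over the ten epochs, which is the overhead/energy term in the paper's trade-off.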

4.
Summarization is an important intermediate step for expediting knowledge discovery tasks such as anomaly detection. For anomaly detection on a data stream, the summary needs to represent both anomalous and normal data, but streaming data has distinct characteristics, such as the one-pass constraint, that make data mining operations difficult. Existing stream summarization techniques are unable to create a summary that represents both normal and anomalous instances. To address this problem, this paper designs and develops a number of hybrid summarization techniques based on the reservoir concept for anomaly detection in network traffic. Experimental results on thirteen benchmark data streams show that the summaries produced from the stream using the pairwise distance (PSSR) and template matching (TMSSR) techniques retain more anomalies than existing stream summarization techniques, and that an anomaly detection technique can then identify the anomalies with a high true positive and a low false positive rate.
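To make the reservoir idea concrete, here is an added example (not the paper's PSSR or TMSSR code) that runs a plain reservoir sample and a hybrid one over the same constructed stream of flow records under the same summary budget. The hybrid keeps a normal reservoir and a separate anomaly reservoir, routing a record to the anomaly side when its nearest-neighbour distance to the normal summary exceeds a multiple of the summary's own median spacing; that distance rule, the log-scale features, the budget split and the synthetic traffic (a clean prefix, then a few percent of flood flows) are assumptions for the illustration. A uniform reservoir keeps anomalies roughly in proportion to their share of the stream, so it loses nearly all of them; the hybrid keeps its anomaly slots for them.

```python
import math
import random


def features(packets, byte_count):
    """Log scale so packet and byte counts get comparable weight."""
    return (math.log1p(packets), math.log1p(byte_count))


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def reservoir_offer(res, k, seen, item, rng):
    """One step of Vitter's Algorithm R: after `seen` offers (1-based index of
    this item) `res` is a uniform sample of size k of everything offered."""
    if len(res) < k:
        res.append(item)
    else:
        j = rng.randrange(seen)
        if j < k:
            res[j] = item


class HybridReservoir:
    """One summary budget split into a reservoir of normal records and a
    reservoir of records that lie far from everything in the normal summary.
    The distance rule (nearest-neighbour distance > tau * median spacing of the
    normal reservoir) is an assumed simplification of the pairwise-distance
    idea; it is not the paper's PSSR."""

    def __init__(self, k_normal, k_anom, tau, rng, refresh_every=200):
        self.k_normal, self.k_anom, self.tau = k_normal, k_anom, tau
        self.rng, self.refresh_every = rng, refresh_every
        self.normal, self.anom = [], []
        self.seen_normal = self.seen_anom = 0
        self.scale = None            # median nearest-neighbour spacing in `normal`

    def _refresh_scale(self):
        spacings = sorted(
            min(dist(a[1], b[1]) for b in self.normal if b is not a)
            for a in self.normal)
        self.scale = max(spacings[len(spacings) // 2], 1e-9)

    def offer(self, item):
        """item = (label, feature_tuple); the label is kept only for evaluation."""
        if len(self.normal) >= self.k_normal:      # past warm-up: score the record
            if self.scale is None or self.seen_normal % self.refresh_every == 0:
                self._refresh_scale()
            nearest = min(dist(item[1], y[1]) for y in self.normal)
            if nearest > self.tau * self.scale:
                self.seen_anom += 1
                reservoir_offer(self.anom, self.k_anom, self.seen_anom, item, self.rng)
                return "anomalous"
        self.seen_normal += 1
        reservoir_offer(self.normal, self.k_normal, self.seen_normal, item, self.rng)
        return "normal"

    def summary(self):
        return self.normal + self.anom


def make_stream(n=3000, attack_start=400, p_attack=0.03, seed=2024):
    """Constructed flow records (label, features). Benign flows: 1-60 packets of
    400-1500 bytes; after `attack_start`, 3% of records are flood flows of
    3000-8000 tiny packets. The clean prefix is what the summary warms up on."""
    rng = random.Random(seed)
    stream = []
    for i in range(n):
        if i >= attack_start and rng.random() < p_attack:
            pk = rng.randint(3000, 8000)
            stream.append(("attack", features(pk, pk * rng.randint(40, 60))))
        else:
            pk = rng.randint(1, 60)
            stream.append(("normal", features(pk, pk * rng.randint(400, 1500))))
    return stream


def count_attacks(summary):
    return sum(1 for label, _ in summary if label == "attack")


def summarize(stream, k=80, k_anom=20, seed=1):
    """Same budget k for both: plain reservoir vs hybrid (k-k_anom normal +
    k_anom anomalous). Returns (#attack records kept by each)."""
    plain, rng_plain = [], random.Random(seed)
    hybrid = HybridReservoir(k - k_anom, k_anom, tau=8.0, rng=random.Random(seed))
    for i, item in enumerate(stream, start=1):
        reservoir_offer(plain, k, i, item, rng_plain)
        hybrid.offer(item)
    return count_attacks(plain), count_attacks(hybrid.summary())


if __name__ == "__main__":
    stream = make_stream()
    print("attack records in stream:", count_attacks(stream))
    kept_plain, kept_hybrid = summarize(stream)
    print(f"kept by plain reservoir: {kept_plain}, by hybrid reservoir: {kept_hybrid}")
```

The one-pass constraint is respected: each record is seen once and either enters a reservoir or is discarded. The caveat a practitioner should note is the warm-up: if the normal reservoir is seeded while an attack is already under way, attack records become part of "normal" and later ones are no longer far from the summary, so the baseline must come from a period believed clean.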

5.
Statistical analysis of network traffic for adaptive fault detection
This paper addresses the problem of baselining normal operation for automatic detection of network anomalies. A model of network traffic is presented in which the studied variables are viewed as samples from a finite mixture model. Based on the stochastic approximation of the maximum-likelihood function, we propose baselining normal network operation using the asymptotic distribution of the difference between successive estimates of the model parameters. The baseline random variable is shown to be stationary with mean zero under normal operation, and anomalous events are shown to induce an abrupt jump in its mean. Detection is formulated as an online change-point problem: the realizations of the baseline random variable are processed sequentially and an alarm is raised as soon as an anomaly occurs. An analytical expression for the false alarm rate allows the design threshold to be chosen automatically. Extensive experimental results on a real network show that the monitoring agent detects unusual changes in the characteristics of network traffic and adapts to diurnal traffic patterns while maintaining a low alarm rate. The work shows that, despite large fluctuations in network traffic, traffic modelling tailored to a specific goal can be achieved efficiently.

6.
Computers & Security, 2007, 26(6): 427-433
Symmetry is an obvious phenomenon in two-way communications. In this paper, we present an adaptive nonparametric method that can be used for anomaly detection in symmetric network traffic. Two important features are emphasized in this method: (i) automatic adjustment of the detection threshold according to the traffic conditions; and (ii) timely detection of the end of an anomalous event. Source-end defense against SYN flooding attacks is used to illustrate the efficacy of this method. Experiments on real traffic traces show that the method has high detection accuracy and low detection delays, and excels at detecting low-intensity attacks.

7.
Simulation studies are used to evaluate the impact of the distributional and correlational characteristics of traffic arrival processes on the performance of network routing elements. It is shown that synthetic traffic models that capture only the distributional or only the correlational characteristics of real workloads can yield substantially optimistic predictions of queue lengths and drop rates.

A new technique for generating synthetic arrival streams is proposed and evaluated. Arrival streams are generated by the widely used method of sampling from a target distribution; however, the uniform stream used in the sampling is itself derived from fractional Gaussian noise (FGN). The resulting synthetic streams are shown to have sample autocorrelation functions consistent with long-range dependence and to provide measurably better performance estimates than standard distribution-based and FGN-based techniques.
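The construction in the second paragraph (inverse-CDF sampling driven by uniforms that come from fractional Gaussian noise rather than from an i.i.d. generator) is easy to reproduce. The block below is an added example, not the paper's generator: it produces FGN with Hosking's Durbin-Levinson recursion (one standard exact method; the paper does not say which it used), maps it through the Gaussian CDF to uniforms, and feeds those to an exponential inverse CDF, so the inter-arrival stream keeps the exponential marginal but inherits the FGN correlation. It then compares the sample autocorrelation with an H = 0.5 stream (which reduces to i.i.d. sampling) and runs both through a fixed-service-time queue via the Lindley recursion to show why a distribution-only model is optimistic about backlog. The Hurst values, the sample size, the 90% load and the seed are assumptions for the illustration.

```python
import math
import random


def fgn_autocorrelation(k, hurst):
    """Autocorrelation of fractional Gaussian noise at lag k (exact formula)."""
    if k == 0:
        return 1.0
    h2 = 2 * hurst
    return 0.5 * ((k + 1) ** h2 - 2 * k ** h2 + (k - 1) ** h2)


def fgn_hosking(n, hurst, rng):
    """Exact fGn sample path via Hosking's (Durbin-Levinson) recursion, O(n^2)."""
    rho = [fgn_autocorrelation(k, hurst) for k in range(n)]
    x = [rng.gauss(0.0, 1.0)]
    phi, v = [], 1.0                 # prediction coefficients, innovation variance
    for t in range(1, n):
        a = (rho[t] - sum(phi[i] * rho[t - 1 - i] for i in range(t - 1))) / v
        phi = [phi[i] - a * phi[t - 2 - i] for i in range(t - 1)] + [a]
        v *= 1.0 - a * a
        mean = sum(phi[i] * x[t - 1 - i] for i in range(t))
        x.append(mean + math.sqrt(v) * rng.gauss(0.0, 1.0))
    return x


def gaussian_cdf(z):
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def exponential_inverse_cdf(mean):
    return lambda u: -mean * math.log(1.0 - u)


def synthetic_interarrivals(n, hurst, inverse_cdf, seed=11):
    """Inverse-CDF sampling whose uniforms are Phi(fGn) instead of i.i.d., so the
    stream keeps the target marginal but carries the fGn correlation structure."""
    rng = random.Random(seed)
    out = []
    for z in fgn_hosking(n, hurst, rng):
        u = min(max(gaussian_cdf(z), 1e-12), 1.0 - 1e-12)   # keep log(1-u) finite
        out.append(inverse_cdf(u))
    return out


def sample_acf(series, max_lag):
    n = len(series)
    mu = sum(series) / n
    var = sum((s - mu) ** 2 for s in series)
    return [sum((series[i] - mu) * (series[i + k] - mu) for i in range(n - k)) / var
            for k in range(max_lag + 1)]


def mean_wait(interarrivals, service_time):
    """Lindley recursion for one FIFO server with a fixed service time."""
    w, total = 0.0, 0.0
    for a in interarrivals[1:]:
        w = max(0.0, w + service_time - a)
        total += w
    return total / (len(interarrivals) - 1)


if __name__ == "__main__":
    inv = exponential_inverse_cdf(1.0)
    for label, h in (("i.i.d.  H=0.5", 0.5), ("LRD     H=0.8", 0.8)):
        stream = synthetic_interarrivals(1000, h, inv)
        acf = sample_acf(stream, 10)
        print(f"{label}: acf lag1={acf[1]:+.2f} lag5={acf[5]:+.2f} "
              f"lag10={acf[10]:+.2f}  mean wait at 90% load={mean_wait(stream, 0.9):.2f}")
```

With H = 0.5 the autocorrelation formula gives zero at every positive lag and the recursion collapses to white noise, so the stream is the standard distribution-based generator; with H = 0.8 the sample autocorrelation decays slowly over the first ten lags, which is the long-range-dependence signature the abstract refers to, and the same exponential marginal produces a visibly larger backlog in the queue.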


9.
WebShell is a common web-script intrusion tool. As traffic encryption and code obfuscation have matured, detection by matching traditional text-content features and network-flow features has become increasingly unable to guard against the complex WebShell attacks seen in production, and performs poorly in particular on adversarial samples, variants and 0-day samples. We built a network capture environment, captured packets in a high-speed network with the Data Plane Development Kit (DPDK), and labelled a dataset of more than 10,000 malicious WebShell flows spanning different platforms, languages, tools and encryption/obfuscation schemes together with more than 30,000 benign flows. An asynchronous traffic-analysis framework and a lightweight log-collection component parse the raw traffic quickly; combining this with expert knowledge, we analysed in depth the HTTP packets exchanged by several popular WebShell management tools and built an effective feature set for encrypted and obfuscated WebShell traffic. On this feature set a support vector machine (SVM) performs offline training and online detection of encrypted and obfuscated WebShell traffic. A genetic algorithm improves the parameter search, avoiding both hand-set parameter ranges and the tendency of grid search to get stuck in local optima, and the training efficiency is also...

10.
The Journal of Supercomputing - Along with the growing network connectivity across the world, there is a substantial increase in malicious network traffic to exploit the vulnerabilities, thus...

11.
Automated incident detection and alternative path planning form important activities within a modern expressway traffic management system which aims to ensure a smooth flow of traffic along expressways. This is done by adopting efficient technologies and processes that can be directly applied for the automated detection of non-recurrent congestion, the formulation of response strategies, and the use of management techniques to suggest alternative routes to the road-users, resulting in significant overall reductions in both congestion and inconvenience to motorists. A delicate balance has to be struck here between the incident detection rate and the false-alarm rate. This paper presents the development of a hybrid artificial intelligence technique for automatically detecting incidents on a traffic network. The overall framework, algorithm development, implementation and evaluation of this hybrid fuzzy-logic genetic-algorithm technique are discussed in the paper. A cascaded framework of 11 fuzzy controllers takes in traffic indices such as occupancy and volume, to detect incidents along an expressway in California. The flexible and robust nature of the developed fuzzy controller allows it to model functions of arbitrary complexity, while at the same time being inherently highly tolerant of imprecise data. The maximizing capabilities of genetic algorithms, on the other hand, enable the fuzzy design parameters to be optimized to achieve optimal performance. The results obtained for the traffic network give a high detection rate of 70.0%, while giving a low false-alarm rate of 0.83%. A comparison between this approach and four other incident-detection algorithms demonstrates the superiority of this approach.

12.
胡蓓, 李俊, 郁纬, 陈昌芳. Journal of Computer Applications (计算机应用), 2006, 26(10): 2336-2337
Current firewalls and intrusion detection systems cannot make reliable judgements about unknown attacks, which leads to false positives and missed detections. To address this, a honeypot system architecture is proposed: known attacks are filtered out, and an attack-signature mechanism at the system-call layer detects and analyses unknown attacks.

13.
Application of LVQ neural networks to traffic incident detection
A traffic incident detection method based on a learning vector quantization (LVQ) neural network is proposed. Upstream and downstream flow and occupancy are extracted as features, and an LVQ network serves as the classifier for automatic incident detection. The LVQ network has a simple structure yet proves more effective and robust than a BP neural network. To further improve generalization, an improved Boosting algorithm is used to build a network ensemble. Simulation in Matlab shows that the proposed incident detection algorithm performs well.

15.
Network attacks are now frequent and users face serious threats from hackers, so to protect users security engineers have had to develop a range of network security measures. The main network security devices today are firewalls and intrusion detection systems. Intrusion detection systems use two kinds of detection method, misuse detection and anomaly detection. Drawing on existing misuse detection algorithms, this paper proposes a new detection algorithm that incorporates several intelligent techniques. First, a weight is computed for the unknown program, and its weight attributes are used to decide whether the program is malicious or legitimate. If it is malicious, the MMTD algorithm is then used to match the size attribute of the malicious program, and finally the attributes of known malicious programs are compared with those of the unknown program to determine which kind of attack the program carries out. The proposed algorithm is aimed mainly at detecting variant attacks.

16.
DDoS attack detection based on network-wide traffic anomaly features
Because distributed denial-of-service (DDoS) attacks are stealthy and distributed, a DDoS detection method based on the global network is proposed. Unlike traditional methods that monitor only a single link or the victim's network, this method monitors the origin-destination (OD) flows in an operator's network. It first obtains the network traffic matrix; then, exploiting the correlation of attack flows across multiple links, it uses the Karhunen-Loève (K-L) transform to decompose the traffic matrix into a normal and an anomalous subspace, and detects attacks by analysing the correlation features of the traffic in the anomalous subspace. Simulation results show that the method detects DDoS attacks more accurately and faster, which helps early detection and defence.

17.
Anomaly detection of network traffic based on the autocorrelation principle
Network anomalies caused by attacks can significantly degrade or even terminate network services, so real-time and reliable detection of anomalies is essential for rapid anomaly diagnosis, mitigation and malfunction recovery. Unlike most detection methods, which rely on statistical analysis of packet-header fields (such as IP addresses and ports), the proposed approach uses only network traffic volumes. It relies on the autocorrelation function to judge whether an anomaly has occurred: the correlation coefficients of purely normal data and of purely anomalous data each fluctuate only slightly, while those of windows that contain both fluctuate strongly. Experimental results on traffic volumes derived from the 1999 DARPA intrusion detection evaluation data set show that the method detects network anomalies effectively while avoiding a high false alarm rate.

18.
Application of Electronic Technique (电子技术应用), 2018, (3): 89-93
Large-scale mobile-internet attack detection algorithms require prior information about attack behaviour or supervised learning on it, which reduces their real-time performance and practicality. A real-time blind detection and analysis algorithm for mobile-internet attacks is therefore proposed. First, the largest eigenvalue of the network traffic in each time period is extracted and combined with a model-order selection technique to decide whether an attack is present in that period; then eigenvalue analysis identifies the type of attack and the details of how the eigenvalues change; finally, a similarity analysis scheme extracts details such as the attacked ports and the timing. Simulations on real experiments and on public network-traffic datasets show that the algorithm achieves high detection accuracy.

19.
Network traffic anomaly detection based on an improved CUSUM algorithm
Performing anomaly detection on the traffic first, and analysing packets and taking action only once an anomaly is found, helps reduce system overhead. To address the cumulative-sum effect that arises when the CUSUM algorithm is used for traffic anomaly detection, an adaptive algorithm is proposed to remove its influence, and the effect of the parameter settings on alarm-release delay and false alarms is analysed. Experimental results show that the algorithm is effective and correct and can be applied directly to detecting SYN flood attacks and the like.

20.
To improve the real-time performance of intrusion detection systems, an intrusion detection method based on intelligent traffic prediction is proposed. It combines the intelligence, autonomy and adaptivity of intelligent agents with the ability of grey prediction to forecast uncertain resources scientifically: the traffic sequence forecast by a traffic-prediction agent stands in for the actual traffic of a coming period and is added to the set of detection targets. The activity of the traffic-handling agent and of the prediction agent is then simulated manually, and simulation on real collected data confirms the soundness of the prediction agent's forecasts.
