Similar literature
1.
Intrusion detection systems (IDS) play an important role in discovering network anomalies and attacks, but traditional IDSs have a high false-positive rate and cannot accurately analyze and identify anomalous traffic. Deep learning is now widely applied to network traffic anomaly detection, but a simple deep neural network (DNN) model on its own struggles to extract the important features from traffic data. To address these problems, a DNN model for network traffic anomaly detection based on stacked convolutional attention is proposed. Network depth is increased by stacking multiple attention modules connected through residual modules, while convolutional, pooling, batch normalization and activation layers are introduced into the attention module to prevent overfitting and improve performance; the output vector is finally obtained in the DNN model. Model performance is evaluated on the NSL-KDD dataset: the dataset is preprocessed to generate binary features, and the anomaly detection effect is verified with both multi-class and binary classification. Experimental results show that the model outperforms machine learning models such as KNN and SVM and deep learning models such as ANN and AlertNet: in the multi-class task its accuracy is 0.8076, 0.0340 to 0.0975 higher than the comparison models, and in the binary task its accuracy and F1 score are 0.8600 and 0.8638, 0.0130 to 0.0988 and 0.0306 to 0.1128 higher than the comparison models respectively.

2.
A hybrid intrusion detection system design for computer network security   Total citations: 1 (self-citations: 0, by others: 1)
Intrusion detection systems (IDSs) are systems that try to detect attacks as they occur or after they have taken place. IDSs collect network traffic information from some point on the network or computer system and then use this information to secure the network. Intrusion detection systems can be misuse-detection based or anomaly-detection based. Misuse-detection based IDSs can only detect known attacks, whereas anomaly-detection based IDSs can also detect new attacks by using heuristic methods. In this paper we propose a hybrid IDS by combining the two approaches in one system. The hybrid IDS is obtained by combining packet header anomaly detection (PHAD) and network traffic anomaly detection (NETAD), which are anomaly-based IDSs, with the misuse-based IDS Snort, which is an open-source project. The resulting hybrid IDS is evaluated using the MIT Lincoln Laboratories network traffic data (IDEVAL) as a testbed. The evaluation compares the number of attacks detected by the misuse-based IDS on its own with the number detected by the hybrid IDS combining anomaly-based and misuse-based IDSs, and shows that the hybrid IDS is a more powerful system.

3.
Improved implementation techniques for the analysis engine of an intrusion detection system   Total citations: 2 (self-citations: 0, by others: 2)
With the spread of computer networks and the growing popularity of networked transactions, network security has received wide attention. Intrusion detection systems (IDS), an important means of monitoring computer system security, have become one of the main technologies for maintaining network security. The improved model proposed in this paper uses STAT (State Transition Analysis Tool) technology to add an effective auxiliary module to the IDS analysis engine, and applies data mining techniques to perform preliminary data cleaning on the raw audit data. Compared with traditional IDSs, the improved system effectively raises intrusion detection performance and precision, and has good scalability and robustness.

4.
Anomaly detection based on traffic information structure   Total citations: 4 (self-citations: 0, by others: 4)
朱应武  杨家海  张金祥 《软件学报》2010,21(10):2573-2583
Because our understanding of the regularities of network traffic is still not deep enough, anomaly detection in large high-speed network traffic remains a difficult problem in measurement research. A study of the structure of network traffic and of its information structure finds that, within a certain range, attributes of normal network traffic such as IP addresses and ports have a fairly stable traffic structure with heavy-tailed and self-similar characteristics, and the information entropy corresponding to this structure is likewise fairly stable. The entropy values of anomalous traffic and of sampled traffic fluctuate around the entropy of normal traffic, forming a spatial information structure whose dimensions are IP address, port and number of active IPs. Traffic is modeled on this basis, and a binary classification algorithm based on a support vector machine (SVM) over the traffic information structure is proposed; its core idea is to turn traffic anomaly detection into an SVM-based classification decision problem. Experimental results show that the algorithm has high detection efficiency, and its ability to detect anomalies on sampled traffic is preliminarily verified. Applying the algorithm to large high-speed backbone networks is therefore of practical significance.

5.
《Information Fusion》2008,9(1):69-82
Since the early days of research on intrusion detection, anomaly-based approaches have been proposed to detect intrusion attempts. Attacks are detected as anomalies when compared to a model of normal (legitimate) events. Anomaly-based approaches typically produce a relatively large number of false alarms compared to signature-based IDS. However, anomaly-based IDS are able to detect never-before-seen attacks. As new types of attacks are generated at an increasing pace and the process of signature generation is slow, it turns out that signature-based IDS can be easily evaded by new attacks. The ability of anomaly-based IDS to detect attacks never observed in the wild has stirred up a renewed interest in anomaly detection. In particular, recent work has focused on unsupervised or unlabeled anomaly detection, due to the fact that it is very hard and expensive to obtain a labeled dataset containing only pure normal events. The unlabeled approaches proposed so far for network IDS have focused on modeling the normal network traffic considered as a whole. As network traffic related to different protocols or services exhibits different characteristics, this paper proposes an unlabeled Network Anomaly IDS based on a modular Multiple Classifier System (MCS). Each module is designed to model a particular group of similar protocols or network services. The use of a modular MCS allows the designer to choose a different model and decision threshold for different (groups of) network services. This also allows the designer to tune the false alarm rate and detection rate produced by each module to optimize the overall performance of the ensemble. Experimental results on the KDD-Cup 1999 dataset show that the proposed anomaly IDS achieves a high attack detection rate and a low false alarm rate at the same time.

6.
In this paper, we propose a novel Intrusion Detection System (IDS) architecture utilizing both anomaly and misuse detection approaches. This hybrid Intrusion Detection System architecture consists of an anomaly detection module, a misuse detection module and a decision support system combining the results of these two detection modules. The proposed anomaly detection module uses a Self-Organizing Map (SOM) structure to model normal behavior. Deviation from the normal behavior is classified as an attack. The proposed misuse detection module uses the J48 decision tree algorithm to classify various types of attacks. The principal interest of this work is to benchmark the performance of the proposed hybrid IDS architecture using the KDD Cup 99 Data Set, the benchmark dataset used by IDS researchers. A rule-based Decision Support System (DSS) is also developed for interpreting the results of both the anomaly and misuse detection modules. Simulation results of both modules on the KDD 99 Data Set are given. It is observed that the proposed hybrid approach gives better performance than either individual approach.

7.
Due to the ad hoc and mobile nature of a MANET, it is much more vulnerable to attacks than a wired network. As a result, there has been significant research focused on designing an Intrusion Detection System (IDS) for MANETs to detect anomalous behavior and misuse. However, each mobile node in a MANET typically has limited energy, and thus it is not efficient to perform IDS functions within a node on every incoming packet. There is a need for an IDS to implement an intelligent control mechanism in order to monitor and recognize security breach attempts efficiently over the expected network lifetime. By leveraging the Network Node Intrusion Detection (NNID) strategy, we developed a context adaptive IDS controller that advises an IDS to carry out intrusion detection while being prepared for a possible “cut through” if the residual energy is likely to be insufficient. By embedding the context adaptive IDS controller, the proposed Context Adaptive Intrusion Detection System (CAIDS) is able to adapt to the current node context (such as residual energy, security threats and traffic loading) when accommodating and inspecting newly arriving packets. The performance is evaluated using a reward function that discovers an effective way to perform intrusion detection and deliver security benefits while meeting the energy budget. The numerical results show that CAIDS offers a good trade-off between lifetime performance and security. This study demonstrates empirically that the CAIDS model intelligently monitors and recognizes security breach attempts while adhering to the resource budget plan over the expected network lifetime.

8.
Traditionally, signature-based network Intrusion Detection Systems (IDS) rely on input from domain experts and can only identify attacks if they occur as individual events. IDSs generate a large number of alerts, and it becomes very difficult for human users to go through each message. Previous research has proposed analytics-based approaches to analyze IDS alert patterns based on anomaly detection models, multi-step models or probabilistic approaches. However, due to the complexity of network intrusions, it is impossible to enumerate all possible attack patterns or to avoid false positives. With advances in technology and the popularity of networks in our daily lives, it is becoming more and more difficult to detect network intrusions. However, no matter how rapidly the technologies change, the human behaviors behind cyber attacks stay relatively constant. This gives us an opportunity to develop an improved system to detect unusual cyber attacks. In this paper, we developed four network intrusion models based on consideration of human factors. We then tested these models on ITOC Cyber Defense Competition (CDX) 2009 data. Our results are encouraging. These models are not only able to recognize most network attacks identified by SNORT log alerts, they are also able to distinguish the non-attack network traffic that was potentially missed by SNORT, as indicated by ground-truth validation of the data.

9.
Intrusion detection systems are an important component of a computer security architecture. As network data traffic keeps growing, intrusion detection systems combined with data mining have become a research hotspot. Targeting the characteristics of network security audit data in computer intrusion detection, this paper proposes an improved PrefixSpan algorithm and analyzes the results of an experiment that examines a set of network audit records.

10.
Internet of Things (IoT) devices work mainly over wireless media, requiring a different kind of Intrusion Detection System (IDS) solution that leverages 802.11 header information for intrusion detection. Wireless-specific traffic features with high information gain are primarily found in the data link layer rather than in the application layer, as in wired networks. This survey investigates some of the complexities and challenges in deploying wireless IDS in terms of data collection methods, IDS techniques, IDS placement strategies, and traffic data analysis techniques. The paper’s main finding highlights the lack of available network traces for training modern machine-learning models against IoT-specific intrusions. Specifically, the Knowledge Discovery in Databases (KDD) Cup dataset is reviewed to highlight the design challenges of wireless intrusion detection based on current data attributes, and several guidelines are proposed to future-proof traffic capture methods in the wireless network (WN). The paper starts with a review of various intrusion detection techniques, data collection methods and placement methods. Its main goal is to study the design challenges of deploying an intrusion detection system in a wireless environment. Intrusion detection system deployment in a wireless environment is not as straightforward as in a wired network environment because of the architectural complexities. The paper therefore reviews traditional wired intrusion detection deployment methods, discusses how these techniques could be adopted in the wireless environment, and highlights the design challenges there. The main wireless environments to look into are Wireless Sensor Networks (WSN), Mobile Ad Hoc Networks (MANET) and IoT, as these are the future trends and many attacks have targeted these networks. It is therefore crucial to design an IDS specifically for wireless networks.

11.
Recently, as hacking attempts have increased dramatically, most enterprises have been forced to employ safeguards against hacking. For example, a firewall or IPS (Intrusion Prevention System) selectively accepts incoming packets, and an IDS (Intrusion Detection System) detects attack attempts from the network. The latest firewalls work in cooperation with an IDS to respond immediately to hacking attempts. However, the IDS may raise false alarms that misjudge normal traffic as hacking traffic, and blocking a legitimate IP address on the basis of a false alarm causes network problems. Because of these false alarms raised by the IDS, system administrators or CSOs make wrong decisions, and important data may be exposed or the availability of the network or server system may be exhausted. Therefore, it is important to minimize false alarms. As a way of minimizing false alarms and supporting adequate decisions, we suggest the RFM (Recency, Frequency, Monetary) analysis methodology, which analyzes log files by incorporating the three criteria of recency, frequency and monetary value with a statistical process control chart, and thus leads to an intuitive detection of anomaly and misuse events. Moreover, to cope with hacking attempts proactively, we apply CBR (case-based reasoning) to find similarities between already known hacking patterns and new hacking patterns. With the RFM analysis methodology and CBR, we develop a DSS that can minimize false alarms and decrease the time to respond to hacking events. When the RFM analysis module finds that unknown viruses or worms have occurred, the CBR system matches the most similar incident case from the case base. System administrators can easily get information about how to fix the problem and how similar cases were fixed. CSOs can also build a blacklist of frequently detected IP addresses and users.
This blacklist can be used for incident handling. Finally, we propose a collaborative incident response system with the DSS, in which distributed agent systems interactively exchange data on suspicious users and source IP addresses, decide which users are truly anomalous and which IP addresses are the riskiest, and then automatically deny all connections from those users and IP addresses with fewer false positives.

12.
A Wireless Sensor Network (WSN) consists of many low-cost, small devices. Usually, as they are deployed in an open and unprotected region, they are vulnerable to various types of attacks. In this research, an Intrusion Detection System (IDS) mechanism built into a Cluster-based Wireless Sensor Network (CWSN) is proposed. The proposed IDS is an Integrated Intrusion Detection System (IIDS). It enables the system to resist intrusions and to process attacks in real time by analyzing them. The IIDS includes three individual IDSs: an Intelligent Hybrid Intrusion Detection System (IHIDS), a Hybrid Intrusion Detection System (HIDS) and a misuse Intrusion Detection System. These are designed for the sink, the cluster head and the sensor node respectively, according to their different capabilities and the probabilities of the attacks they suffer. The proposed IIDS consists of an anomaly detection module and a misuse detection module. The goal is to raise the detection rate and lower the false positive rate by combining misuse detection and anomaly detection. Finally, a decision-making module is used to integrate the detection results and report the types of attacks.

13.
Large-scale network traffic anomaly detection based on information entropy   Total citations: 8 (self-citations: 0, by others: 8)
王海龙  杨岳湘 《计算机工程》2007,33(18):130-133
A method for large-scale network traffic anomaly detection based on information entropy is proposed. The method absorbs the idea of the subspace method and combines it with the K-means classification method. Using a campus network as the experimental environment, the whole process of network traffic anomaly detection is implemented with the entropy-based method. Comparing the experimental results with the analysis of the measured data by the standard subspace method shows that entropy-based large-scale network traffic anomaly detection achieves higher detection precision.

14.
Detection of abnormal trajectories in a traffic scene is an important problem in Video Traffic Surveillance (VTS). Recently, a General Potential Data Field (GPDf)-based trajectory clustering scheme has been adopted for detecting abnormal events such as illegal U-turns, wrong-side driving and unusual driving behaviors, and it uses spatial and temporal attributes explicitly. The concept of a data field is used to discover the relation between spatial points in data space and to group them into clusters based on their mutual interaction. Existing methodologies for potential data field-based clustering have certain limitations, such as a pre-defined cluster size, ineffective cluster center identification, and limited range estimation using an isotropic impact factor (h), which leads to inaccurate results. To address these issues, this paper proposes an efficient anomaly detection scheme based on a General Potential Data field with Spectral Clustering (GPDfSC). The proposed GPDfSC scheme utilizes the potential data field technique together with spectral clustering for effective identification of abnormalities. The limitation of the impact factor (h) is overcome by using the anisotropic impact parameter Bmat. Further, Bayesian decision theory is used to classify events as normal or abnormal. The proposed scheme is implemented in real time on a GPU, and the results show that it gives 12% better accuracy in detecting abnormalities than the state-of-the-art technique.

15.
Exchange of data in networks necessitates the provision of security and confidentiality. Most networks compromised by intruders are those where the exchange of data is at high risk. The main objective of this paper is to present a solution for the secure exchange of attack signatures between the nodes of a distributed network. Malicious activities are monitored and detected by an Intrusion Detection System (IDS) that operates on nodes connected to a distributed network. The IDS operates in two phases. The first phase consists of the detection of anomalous attacks using an ensemble of classifiers such as Random Forest, a Convolutional Neural Network and XGBoost, together with a genetic algorithm to improve the performance of the IDS. The novel attacks detected in this phase are converted into signatures and exchanged across the network using the blockchain framework in the second phase. This phase uses the cryptosystem that is part of the blockchain to store data and secure it at a higher level. The blockchain is implemented using Hyperledger Fabric v1.0 and v2.0 to create a prototype for secure signature transfer. It exchanges signatures in a much more secure manner using the blockchain architecture when implemented with version 2.0 of Hyperledger Fabric. The performance of the proposed blockchain system is evaluated on the UNSW NB15 dataset. Blockchain performance has been evaluated in terms of execution time, average latency, throughput and transaction processing time. Experimental evidence for the proposed IDS demonstrates improved performance, with accuracy, detection rate and false alarm rate (FAR) as the key parameters used. Accuracy and detection rate increase by 2% and 3% respectively, whereas FAR is reduced by 1.7%.

16.
An Intrusion Detection System (IDS) provides a front-line defense mechanism for an Industrial Control System (ICS) dedicated to keeping process operations running continuously, 24 hours a day and 7 days a week. A well-known ICS is the Supervisory Control and Data Acquisition (SCADA) system. It supervises the physical process from sensor data and performs remote monitoring, control and diagnostic functions in critical infrastructures. ICS cyber threats against industrial automation applications are growing at an alarming rate. Detection techniques using machine learning algorithms on public datasets, suitable for intrusion detection of cyber-attacks in SCADA systems as the first line of defense, are detailed. The machine learning algorithms are run with labeled output for prediction classification. The activity traffic between ICS components is analyzed and packet inspection of the dataset is performed for the ICS network. Flow-based network traffic features are extracted for behavior analysis with port-wise profiling based on the data baseline, and anomaly detection classification and prediction are performed using machine learning algorithms.

17.
Research on data mining of system log audit information in intrusion detection   Total citations: 16 (self-citations: 0, by others: 16)
An intrusion detection system is a tool for detecting network intrusion behavior, and the key to an IDS is the accuracy of its security pattern rules. Network systems contain large amounts of log audit data, which carry much security-related information, and an IDS can extract security pattern rules from this data; but because the volume of log audit data is very large, data mining techniques are used to extract the rules. This paper studies how to apply data mining to system log audit information in intrusion detection, proposes a complete set of steps, and focuses on feature extraction from log audit information using axis attributes.

18.
杨瑞君  程燕  汪为农 《计算机工程》2009,35(21):120-122
Mobile ad hoc networks combine the complexity of traditional computer networks with that of wireless communication networks. This paper proposes a task-allocation-based network intrusion detection scheme for mobile ad hoc networks, describes the implementation of each main functional module, and validates the scheme through simulation experiments. The results show that, in addition to providing the basic functions of a traditional mobile ad hoc network IDS, the scheme effectively saves network system resources and improves the availability of mobile nodes.

19.
A hybrid network intrusion detection system   Total citations: 1 (self-citations: 0, by others: 1)
孙云  黄皓 《计算机工程》2008,34(9):164-166
Intrusion detection systems usually adopt a single detection mode, which makes it hard to handle false negatives and false positives effectively. This paper analyzes the distribution characteristics of different types of network traffic and proposes a hybrid network intrusion detection system that combines anomaly detection with misuse detection, overcoming the shortcomings of a single mode as a whole. Experimental results show that the method effectively improves the detection rate and accuracy of the intrusion detection system.

20.
Several improvements for network-based IDS   Total citations: 9 (self-citations: 0, by others: 9)
In current network security architectures, intrusion detection systems (IDS) play an increasingly important role. Network-based IDS is an important branch of intrusion detection; it has the advantages of good concealment and high speed, but it also has weaknesses such as insufficient capacity to handle high-volume network traffic and weak countermeasures against intrusions, which to a large extent limit its range of application. This paper proposes some improvements for these weaknesses.
