Similar literature
20 similar documents found (search time 78 ms)
1.
华铭轩, 张峰军. 《通信技术》 2015, 48(11): 1300-1304
Intrusion detection occupies an important place in modern network security defense, but in today's big-data environments traditional intrusion detection techniques hit a bottleneck: with very large data volumes it is hard to produce timely and accurate analysis. This paper briefly introduces the main existing big-data software such as Hadoop and Spark and, building on traditional intrusion detection techniques combined with current big-data technology, presents an intrusion detection framework for the big-data environment. It describes the whole network environment from the perspective of the network topology and then, in a modular, process-oriented way, describes in detail the components of a big-data intrusion detection system: the traffic collection module, the detection and analysis workflow, the intrusion detection software stack, and the alerting module. On this basis an intrusion detection system for the big-data environment is finally constructed.

2.
Intrusion detection systems (IDS) for vehicular networks (Internet of Vehicles) can be used to confirm the authenticity of the events described in traffic event notifications. Current vehicular IDSs mostly adopt consistency-checking schemes based on redundant data. To reduce the dependence of the IDS on redundant data, this paper proposes a neural-network-based intrusion detection scheme. The scheme can describe a large number of traffic event types and combines two learning algorithms, back-propagation (BP) and support vector machines (SVM). The two algorithms suit, respectively, applications where personal safe driving requires speed and where efficient traffic systems require a high detection rate. Simulation experiments and performance analysis show that the scheme has fast intrusion detection together with a high detection rate and a low false alarm rate.

3.
A poisoning attack method against SVM-based intrusion detection systems (cited 2 times: 0 self-citations, 2 by others)
Against the background of the wide application of machine learning, this paper proposes a novel attack against SVM (Support Vector Machine) based intrusion detection systems: the poisoning attack. The method tampers with the training data, thereby misleading the SVM learning process and lowering the recognition rate of the intrusion detection system's classification model on attack traffic. The paper models the attack as an optimization problem and obtains attack samples by numerical methods. Experiments on the NSL-KDD dataset, which contains multiple attack types, evaluate the attack effect using two metrics, the recall and precision of attack traffic; compared with existing methods, the experimental results show that the proposed method lowers the recognition rate of the intrusion detection system more effectively. Through this research the paper hopes to deepen understanding of novel attacks against machine learning and provide a basis for subsequent research on corresponding defense mechanisms.

4.
Wireless Fidelity (WiFi) is a widely used wireless technology because of its flexibility and mobility, despite its vulnerable security features. Several attempts to secure the 802.11 standard have ended up with inadequate security mechanisms that are vulnerable to various attacks and intrusions. Thus, integrating an external defense mechanism such as an intrusion detection system (IDS) is inevitable. An anomaly-based IDS employs machine learning algorithms to detect attacks. Selecting the best set of features is central to ensuring the performance of the classifier in terms of speed of learning, accuracy, and reliability. This paper proposes a normalized gain based IDS for MAC Intrusions (NMI) to improve IDS performance significantly. The proposed NMI includes two primary components, OFSNP and DCMI. The first component is optimal feature selection using NG and PSO (OFSNP) and the second component is Detecting and Categorizing MAC 802.11 Intrusions (DCMI) using an SVM classifier. OFSNP ranks the features using an independent measure, normalized gain (NG), and selects the optimal set of features using semi-supervised clustering (SSC). The SSC is based on particle swarm optimization (PSO), which uses labeled and unlabeled features simultaneously to find a group of optimal features. Using the optimal set of features, the proposed DCMI utilizes a rapid and straightforward support vector machine (SVM) learning that classifies the attacks under the appropriate classes. Thus, the proposed NMI achieves a better trade-off between detection accuracy and learning time. The experimental results show that the NMI accurately detects and classifies the 802.11-specific intrusions and also reduces the false positives and computational complexity by decreasing the number of features.

5.
孟大伟. 《激光杂志》 2014, (12): 138-140
To solve the parameter optimization problem of support vector machines (SVM) in network intrusion detection and thereby improve detection performance, this paper proposes a network intrusion detection model based on the invasive weed optimization (IWO) algorithm and SVM (IWO-SVM). The SVM parameters are first encoded as invasive weeds, with the detection rate as the objective function; the growth process of invasive weed seeds is then simulated to find the optimal SVM parameters and thus build the optimal network intrusion detection model; finally, the performance is tested on the KDD99 dataset. The results show that IWO-SVM is a network intrusion detection model with a high detection rate and fast speed.

6.
A Snort-based approach for the development and deployment of hybrid IDS (cited 2 times: 0 self-citations, 2 by others)
Apart from the modeling techniques, the development and deployment of anomaly-based intrusion detection systems still faces two main problems. The first is related to the acquisition and handling of real traffic to be used for training purposes. The second concerns the better performance of signature-based IDS for known attacks. In this paper the authors propose the use of a modified version of Snort which results in a hybrid detector/classifier. This version can be used both during the training phase of the anomaly-based system and as a deployed hybrid detector and traffic sniffer. Furthermore, it can be adjusted to work as a signature-based, anomaly-based or hybrid detector. In addition, this version can be used to directly sniff, classify and split the network traffic according to its malicious nature, which eases the problems related to the acquisition and handling of training traffic.

7.
A Boosting algorithm based on support vector machines is applied to intrusion detection and compared with a single support vector machine classifier through simulation experiments on the KDD'99 data. The results show that the Boosting algorithm achieves better detection performance than a single support vector machine classifier.

8.
Wireless communication networks have much data to sense, process, and transmit, which motivates the development of security mechanisms that address these needs for such modern-day systems. An intrusion detection system (IDS) is a solution that has recently gained researchers' attention with the application of deep learning techniques in IDS. In this paper, we propose an IDS model that uses a deep learning algorithm, the conditional generative adversarial network (CGAN), enabling unsupervised learning in the model, and adds an eXtreme gradient boosting (XGBoost) classifier for faster comparison and visualization of results. The proposed method can reduce the need to deploy extra sensors to generate fake data to fool the intruder by 1.2–2.6%, as the proposed system generates this fake data itself. The parameters were selected to give optimal results for our model without significant alterations and complications. The model learns from its dataset samples with the multiple-layer network for a refined training process. We aimed for the proposed model to improve the accuracy and thus decrease the false detection rate and obtain good precision on both datasets, NSL-KDD and CICIDS2017, so that it can be used as a detector for cyber intrusions. The false alarm rate of the proposed model decreases by about 1.827%.

9.
To address the low accuracy, poor adaptivity and low detection efficiency of current intrusion detection systems (IDS), this paper designs an intrusion detection system model based on the decision tree classification algorithm. Applying the decision tree algorithm as the classifier in the intrusion detection process improves the performance of the intrusion detection system.

10.
Network-based attacks are so devastating that they have become major threats to network security. Early yet accurate warning of these attacks is critical for both operators and end users. However, neither speed nor accuracy is easy to achieve, because both require effective extraction and interpretation of anomalous patterns from overwhelmingly massive, noisy network traffic. The intrusion detection system presented here is designed to assist in diagnosing and identifying network attacks. This IDS is based on the notion of packet dynamics, rather than packet content, as a way to cope with the increasing complexity of attacks. We employ a concept of entropy to measure time-variant packet dynamics and, further, extrapolate this entropy to detect network attacks. The entropy of network traffic should vary abruptly once the distinct patterns of packet dynamics embedded in attacks appear. The proposed classifier is evaluated by comparing independent statistics derived from five well-known attacks. Our classifier detects those five attacks with high accuracy and does so in a timely manner.

11.
Support vector machine multiuser detection in Rayleigh channels (cited 4 times: 1 self-citation, 3 by others)
In BPSK-modulated DS-CDMA, the multiuser detection method based on support vector machines (SVM) uses SVM classification to divide the received vectors into the two classes +1 and -1, thereby achieving detection. Unlike the MMSE method, the SVM classifier aims to find the optimal separating hyperplane that separates the two classes of training vectors, those carrying signal +1 and those carrying signal -1. Numerical simulation results show that in Rayleigh channels this SVM multiuser detection method achieves a lower bit error rate than the MMSE multiuser detector.

12.
In this work, a hardware intrusion detection system (IDS) model and its implementation are introduced to perform online real-time traffic monitoring and analysis. The introduced system gathers the advantages of many IDSs: it is hardware based from the implementation point of view, network based from the system type point of view, and anomaly-detecting from the detection approach point of view. In addition, it can detect most network attacks, such as denial of service (DoS), leakage, etc., from the detection behavior point of view, and it can detect both internal and external intruders from the intruder type point of view. Gathering these features in one IDS gives the work many strengths and advantages. The system is implemented using a field programmable gate array (FPGA), which gives the system further advantages. A C5.0 decision tree classifier is used as the inference engine of the system and gives a high detection ratio of 99.93%.

13.
An optimization method for big-data transaction process models based on concept drift detection (cited 1 time: 0 self-citations, 1 by others)
张鹏, 叶剑. 《电子学报》 2019, 47(7): 1465-1474
Optimizing the big-data transaction process model so as to model the transaction process precisely is crucial for building a stable, robust and accurate trading platform. However, big-data transaction processes change over time, and traditional static model optimization methods cannot reflect the temporal variation of real process models. This paper therefore proposes a big-data transaction model optimization method based on concept drift: on the basis of detecting and locating concept drift points, it designs a big-data transaction log segmentation algorithm that computes precise log split points, constructs a segmented big-data transaction model with time-varying characteristics, and realizes model optimization based on log segmentation. Application of the method on the Tianyuan (天元) big-data trading platform shows that the optimized model outperforms the static model in both fitness and precision and adapts better to the evolution of the big-data transaction process.

14.
An intrusion detection model based on genetic neural networks (cited 4 times: 0 self-citations, 4 by others)
This paper proposes an intrusion detection model based on genetic neural networks, the Evolutionary Neural Network Intrusion Detection System (ENNIDS). The core module of the model uses a genetic algorithm to optimize a neural network, combining misuse detection and anomaly detection techniques, and the function and implementation technique of each module are analyzed theoretically. Experiments on the intrusion detection dataset in the UCI machine learning repository show that the model achieves good performance in detection accuracy, false alarm rate and other respects.

15.
Existing intrusion detection algorithms generalize poorly when training samples are few. This paper proposes combining kernel principal component analysis with support vector machines for intrusion detection. Compared with traditional algorithms, the method has a high detection rate for abnormal network connections, stronger generalization ability and faster processing time. Finally, experiments on the KDD CUP99 dataset demonstrate the applicability and efficiency of the method.

16.
This paper introduces the concept of Petri-net-based intrusion detection systems, points out that the main difficulty faced by this approach is the combinatorial explosion of states, and accordingly proposes an optimization algorithm that reduces useless states by composing the intrusion pattern Petri net with an application constraint Petri net.

17.
With the continual growth of network communication data, intrusion detection systems (IDS) face potential attacks that they fail to process, and much of this network traffic consists of large volumes of multimedia communication. In response, this paper proposes adding a multimedia detection module to the IDS to preprocess multimedia traffic, thereby improving the detection efficiency of the IDS under high traffic volume.

18.
Research and implementation of a SNORT-based IPv6 intrusion detection system (cited 8 times: 0 self-citations, 8 by others)
This paper discusses the key techniques for implementing an IPv6 intrusion detection system: rule construction and parsing, IPv6 packet structure parsing, fast IPv6 rule matching, IPv6 fragment reassembly, support for transition technologies, and IPv4 compatibility. On the basis of the latest version of SNORT, V2.2, it implements an intrusion detection system supporting IPv4, IPv6 and transition technologies. Testing shows that the system can detect common IPv6 intrusions and reaches 100 Mbit/s line rate at the minimum packet size.

19.
刘雪飞. 《电子器件》 2020, 43(1): 180-185
To adapt to the big-data context, this paper proposes a method for automatically constructing a hybrid IDS based on mining power grid dispatch and control data. The system uses a common path mining algorithm to fuse synchrophasor measurement data with dispatch and control logs, learns the various scenarios automatically, and matches the traversed system states to the common paths to make classification decisions. To validate the method, a test bed containing 25 scenarios was built and a three-bus, two-feeder system was trained and evaluated, with 90.2% of the scenarios classified correctly. The results show that the IDS has high detection accuracy and is suitable for the task environments required by power dispatch and control.

20.
Most of the existing intrusion detection frameworks proposed for wireless sensor networks (WSNs) are computation and energy intensive, which adversely affects the overall lifetime of the WSNs. In addition, some of these frameworks generate a significant volume of IDS traffic, which can cause congestion in bandwidth-constrained WSNs. In this paper, we aim to address these issues by proposing a game theory based multi-layered intrusion detection framework for WSNs. The proposed framework uses a combination of specification rules and a lightweight neural network based anomaly detection module to identify malicious sensor nodes. Additionally, the framework models the interaction between the IDS and the sensor node being monitored as a two-player non-cooperative Bayesian game. This allows the IDS to adopt probabilistic monitoring strategies based on the Bayesian Nash Equilibrium of the game and thereby reduce the volume of IDS traffic introduced into the sensor network. The framework also proposes two different reputation update and expulsion mechanisms to enforce cooperation and discourage malicious behavior among monitoring nodes. These mechanisms are based on two different methodologies, namely the Shapley Value and the Vickrey–Clarke–Groves (VCG) mechanism. The complexity analysis of the proposed reputation update and expulsion mechanisms has been carried out, and they are shown to be linear in the input sizes of the mechanisms. Simulation results show that the proposed framework achieves higher accuracy and detection rate across a wide range of attacks, while at the same time minimizing the overall energy consumption and volume of IDS traffic in the WSN.
