Similar literature
1.
Enhancing the intrusion detection system is essential to maintain user confidence in the security of network services. However, the threat of intruders on Internet services is prevalent. This paper proposes a distributed edge-to-edge complementary approach for intrusion detection in a DiffServ/MPLS domain. The QoS metrics are inspected at the edge routers to determine anomalous behavior in the network traffic. Consumed ratios of one-way delay variation (OWDV) and packet loss are computed to monitor service level agreement (SLA) violations. The bandwidth ratio is measured to differentiate abnormal from normal traffic as well as to detect multiple intrusions launched simultaneously. We employed the SLA as a comparison scale to infer the deviation between the users' consumed ratios and the predefined ratios in the SLA. A service violation occurs, and an intrusion may have been launched, when the predefined ratios are exceeded. The complementary services of the DiffServ and MPLS techniques guarantee accurate measurements, whereas the complementary measurements of active and passive techniques immunize network performance against scalability limitations. Simulation results indicate that the proposed approach is capable of monitoring SLA violations and can filter out the traffic of intruders who breach the SLA without disturbing the normal traffic of legitimate users.

2.
Network intrusion feature extraction and detection method based on KPLS   Total citations: 5 (self: 1, other: 5)
This paper studies improving intrusion detection performance from the perspective of feature extraction and proposes a method that applies kernel partial least squares (KPLS) to intrusion feature extraction and detection. Its advantage is that KPLS can nonlinearly extract multiple orthogonal components of the input features while preserving their correlation with the output classes, so that intrusion feature extraction and discrimination are accomplished in one step. Applied to intrusion detection experiments on a Linux host, the method achieved better results than methods such as SVM and KPCR.

3.
The increasing demand for communication between networked devices connected either through an intranet or the Internet increases the need for a reliable and accurate network defense mechanism. Network intrusion detection systems (NIDSs), which are used to detect malicious or anomalous network traffic, are an integral part of network defense. This research aims to address some of the issues faced by anomaly-based network intrusion detection systems. We first identify some limitations of the legacy NIDS datasets, including the recent CICIDS2017 dataset, which led us to develop our novel dataset, CIPMAIDS2023-1. Then, we propose a stacking-based ensemble approach that outperforms the overall state of the art for NIDS. Various attack scenarios were implemented along with benign user traffic on a network topology created using Graphical Network Simulator-3 (GNS-3). Key flow features are extracted using CICFlowMeter for each attack and are evaluated to analyze their behavior. Several different machine learning approaches are applied to the features extracted from the traffic data, and their performance is compared. The results show that the stacking-based ensemble approach is the most promising and achieves the highest weighted F1-score of 98.24%.

4.
International Journal of Information Security - The growing evolution of cyber-attacks imposes a risk in network services. The search of new techniques is essential to detect and classify dangerous...

5.
Packet sampling is an effective way to increase packet processing capacity and is widely used in network traffic monitoring and analysis. However, applying traditional packet sampling algorithms in an IDS greatly reduces the intrusion detection rate. Targeting the characteristics of intrusion detection and exploiting the temporal continuity of both attack traffic and normal traffic, this paper proposes a new packet sampling method that greatly increases the processing capacity of the IDS while preserving the detection rate.

6.
A system call sequence reflects the behavioral characteristics of a system process, and the occurrence of each call in the sequence is related to the several calls that precede it. A probabilistic suffix tree (PST) can therefore be used to model system call sequences and capture the context-dependent probabilistic properties of system calls. This paper defines an anomaly degree for system call sequences. For anomaly detection, a PST model is first trained on normal system call sequences; the model is then used to compute the anomaly degree of an unknown sequence, which is judged anomalous or not against a given threshold. Experiments show that this measure discriminates well between normal and anomalous processes.

7.
Application of imbalanced-data techniques to high-speed network intrusion detection   Total citations: 2 (self: 0, other: 2)
To address the problems of existing high-speed network intrusion detection systems, namely high packet loss rates, slow detection, and the imbalance of detection algorithms across different attack types, a detection model with a two-stage load balancing strategy is proposed. The online detection stage splits network packets by protocol type for detection, while the offline modeling stage learns models from the data of each protocol type for use by the online part. Building on a discussion of the various sampling techniques for imbalanced data, an improved Synthetic Minority Over-sampling Technique (SMOTE) is used to preprocess the network data, and AdaBoost, random forest and other algorithms are used for classification. Experiments on feature selection and related aspects were also carried out; the results show that SMOTE over-sampling improves the detection of each minority class, and that the random forest algorithm classifies well with stable modeling time.

8.
Bayesian networks are important knowledge representation tools for handling uncertain pieces of information. The success of these models is strongly related to their capacity to represent and handle dependence relations. Some forms of Bayesian networks have been successfully applied in many classification tasks. In particular, naive Bayes classifiers have been used for intrusion detection and alert correlation. This paper analyses the advantage of adding expert knowledge to probabilistic classifiers in the context of intrusion detection and alert correlation. As examples of probabilistic classifiers, we consider the well-known Naive Bayes, Tree Augmented Naive Bayes (TAN), Hidden Naive Bayes (HNB) and decision tree classifiers. Our approach can be applied to any classifier whose outcome is a probability distribution over a set of classes (or decisions). In particular, we study how additional expert knowledge such as "it is expected that 80 % of traffic will be normal" can be integrated into classification tasks. Our aim is to revise probabilistic classifiers' outputs in order to fit expert knowledge. Experimental results show that our approach improves existing results on different benchmarks from the intrusion detection and alert correlation areas.

9.
Applied Intelligence - With the rapid advancement in network technologies, the need for cybersecurity has gained increasing momentum in recent years. As a primary defense mechanism, an intrusion...

10.
Security threats against computer networks and the Internet have emerged as a major and increasing area of concern for end-users trying to protect their valuable information and resources from intrusive attacks. Due to the amount of data to be analysed and the similarities between attack and normal traffic patterns, intrusion detection is considered a complex real-world problem. In this paper, we propose a solution that uses a genetic algorithm to evolve a set of simple, interval-based rules from statistical, continuous-valued input data. Several innovations in the genetic algorithm work to keep the ruleset small. We first tune the proposed system using synthetic data. We then evaluate our system against more complex synthetic data with characteristics associated with network intrusions, the NSL-KDD benchmark dataset, and another dataset constructed from MIT Lincoln Laboratory normal traffic and the low-rate DDoS attack scenario from CAIDA. This new approach provides a very compact set of simple, human-readable rules with strongly competitive detection performance in comparison to other machine learning techniques.

11.
Intrusion detection is a hot topic in network security research. This paper proposes a neural network ensemble model for intrusion detection. The model uses neural network ensemble classification, removes redundant data from the training set, optimizes the weights of the member networks with a genetic algorithm, trains the member networks on that basis, and finally fuses the outputs of the member networks with a neural network. Theory and experiments show that the model has good detection capability.

12.
AdaBoost-based algorithm for network intrusion detection.   Total citations: 1 (self: 0, other: 1)
Network intrusion detection aims at distinguishing attacks on the Internet from normal use of the Internet. It is an indispensable part of an information security system. Due to the variety of network behaviors and the rapid development of attack methods, it is necessary to develop fast machine-learning-based intrusion detection algorithms with high detection rates and low false-alarm rates. In this correspondence, we propose an intrusion detection algorithm based on the AdaBoost algorithm. In the algorithm, decision stumps are used as weak classifiers. Decision rules are provided for both categorical and continuous features. By combining the weak classifiers for continuous features and the weak classifiers for categorical features into a strong classifier, the relations between these two different types of features are handled naturally, without any forced conversions between continuous and categorical features. Adaptable initial weights and a simple strategy for avoiding overfitting are adopted to improve the performance of the algorithm. Experimental results on the benchmark sample data show that our algorithm has low computational complexity and low error rates compared with algorithms of higher computational complexity.

13.
Starting from practical application, this paper proposes an intrusion detection method for wireless networks and presents a design for the intrusion detection system. The system extends the security management capabilities of the system administrator (including security auditing, monitoring, attack identification and response) and has considerable economic benefit and reference value.

14.
An overview of network intrusion detection   Total citations: 4 (self: 0, other: 4)
Intrusion detection is currently one of the hot topics in network security research. This paper attempts to summarize the development, characteristics and classification of intrusion detection in order to give an overall picture of intrusion detection technology.

15.
Information systems are among the most rapidly changing and vulnerable systems, and security is a major issue for them. The number of security-breaking attempts originating inside organizations is increasing steadily. Attacks made in this way, usually by "authorized" users of the system, cannot be immediately traced. Because filtering the traffic at the entrance door, using firewalls and the like, is not completely successful, the use of intrusion detection systems should be considered to increase the defense capacity of an information system. An intrusion detection system (IDS) usually works in a dynamically changing environment, which forces continuous tuning of the intrusion detection model in order to maintain sufficient performance. The manual tuning process required by current IDSs depends on the system operators to work out the tuning solution and to integrate it into the detection model. Furthermore, extensive effort is required to tackle newly evolving attacks, and a deep study is necessary to categorize them into their respective classes. To reduce this dependence, an automatically evolving anomaly IDS using a neuro-genetic algorithm is presented. The proposed system automatically tunes the detection model on the fly according to the feedback provided by the system operator when false predictions are encountered. The system has been evaluated using the Knowledge Discovery in Databases Conference (KDD 2009) intrusion detection dataset. The genetic paradigm is employed to choose the predominant features that reveal the occurrence of intrusions. The neuro-genetic IDS (NGIDS) involves calculating a weightage value for each of the categorical attributes so that data of uniform representation can be processed by the neuro-genetic algorithm. In this system, unauthorized invasions by a user are identified, and newer types of attacks are sensed and classified, by the neuro-genetic algorithm. The experimental results obtained in this work show that the system achieves an improvement in misclassification cost when compared with a conventional IDS. The results of the experiments show that this system can be deployed on a real network or database environment for effective prediction of both known attacks and new attacks.

16.
Optimizing BP networks with a genetic tabu algorithm for intrusion detection   Total citations: 3 (self: 1, other: 3)
To address the high false negative and false positive rates of intrusion detection systems, an intrusion detection model based on a genetic tabu neural network is proposed. Exploiting the global search of the genetic tabu algorithm and the precise local search of the BP network, the model combines the two organically: the genetic tabu algorithm optimizes the initial weights of the BP network, and niche technology is introduced to improve the genetic tabu algorithm. Experiments show that a BP network optimized by the improved genetic tabu algorithm improves the efficiency of intrusion detection, lowers the false alarm rate, and raises the accuracy of the intrusion detection system to a certain extent.

17.
Until now, network administrators have still sorted the alerts produced by intrusion detection systems (IDS) manually with auxiliary tools in order to obtain a high-level description of an attack. To effectively fuse alert information from multiple intrusion detection systems and improve alert accuracy, automatic alert clustering and analysis tools have been proposed to produce high-level attack descriptions. Such tools can also analyze threats effectively and fuse different information sources, for example sources from different IDSs. This paper proposes a new alert clustering system that clusters alerts generated by multiple IDSs to produce attack descriptions. Experimental results show that effectively summarizing attacks through the alert clustering module produces high-level alerts and greatly reduces the number of alerts presented to the administrator; moreover, further threat analysis can be carried out on the basis of these high-level alerts.

18.
Research on intrusion detection in wireless sensor networks   Total citations: 5 (self: 0, other: 5)
This paper first analyzes the main characteristics of wireless sensor networks, then classifies and discusses intrusion detection schemes for wireless sensor networks, with emphasis on typical intrusion detection algorithms and a detailed comparative analysis of them; finally it summarizes intrusion detection technology in wireless sensor networks and points out some problems that urgently need to be solved.

19.
樊爱京, 杨照峰. 计算机应用 (Journal of Computer Applications), 2011, 31(11): 2961-2964
Since building a new generation of network intrusion detection systems (NIDS) requires an advanced pattern matching engine, a new pattern matching scheme is proposed that uses hardware-based programmable state machine technology (B-FSM) to achieve deterministic processing. The technique can match a large number of patterns simultaneously in one input stream and maps them efficiently into transition rules. Experiments on the rule set commonly used in network intrusion detection systems (Snort) show that the method is storage-efficient, fast in execution and dynamically updatable, and can meet the needs of a NIDS.

20.