20 similar documents found; search took 0 ms
1.
Managing and supervising security in large networks has become a challenging task, as new threats and flaws are being discovered on a daily basis. This requires an in-depth and up-to-date knowledge of the context in which security-related events occur. Several tools have been proposed to support security operators in this task, each of which focuses on some specific aspects of the monitoring. Many alarm fusion and correlation approaches have also been investigated. However, most of these approaches suffer from two major drawbacks. First, they only take advantage of the information found in alerts, which is not sufficient to achieve the goals of alert correlation, that is to say, to reduce the overall amount of alerts while enhancing their semantics. Second, these techniques have been designed on an ad hoc basis and lack a shared data model that would allow them to reason about events in a cooperative way. In this paper, we propose a federative data model for security systems to query and assert knowledge about security incidents and the context in which they occur. This model constitutes a consistent and formal ground to represent information that is required to reason about complementary evidence, in order to confirm or invalidate alerts raised by intrusion detection systems.
2.
This paper proposes a network security processing model for cloud environments. In the model, each cloud server has its own intrusion detection system, and all servers share one anomaly management platform, which is responsible for receiving and processing alert information and for log management. The model uses dynamic alert-level adjustment and attack-information sharing to minimize the false-negative rate and the likelihood that servers suffer the same kind of attack, effectively improving detection efficiency and the security level of the system.
3.
4.
To address the problems that distributed intrusion detection and network security early warning must solve, this paper studies multi-sensor data fusion technology. Based on an analysis of the various complex relationships among IDS alerts, it proposes a real-time alert fusion processing model and builds an alert fusion processing system on that model. The system fuses alerts from multiple heterogeneous IDS sensors in real time, forms attack sequence graphs of intrusion events, and on that basis performs threat assessment and attack prediction. The model extends inference of missed alerts to reduce the impact of false negatives, making the resulting attack scenarios more complete. Experimental results show that the fusion processing system built on this model performs well in practice, with high accuracy and a high alert reduction rate.
5.
6.
Although researchers have long studied using statistical modeling techniques to detect anomaly intrusion and profile user behavior, the feasibility of applying multinomial logistic regression modeling to predict multi-attack types has not been addressed, and the risk factors associated with individual major attacks remain unclear. To address the gaps, this study used the KDD-cup 1999 data and bootstrap simulation method to fit 3000 multinomial logistic regression models with the most frequent attack types (probe, DoS, U2R, and R2L) as an unordered independent variable, and identified 13 risk factors that are statistically significantly associated with these attacks. These risk factors were then used to construct a final multinomial model that had an ROC area of 0.99 for detecting abnormal events. Compared with the top KDD-cup 1999 winning results that were based on a rule-based decision tree algorithm, the multinomial logistic model-based classification results had similar sensitivity values in detecting normal (98.3% vs. 99.5%), probe (85.6% vs. 83.3%), and DoS (97.2% vs. 97.1%); remarkably high sensitivity in U2R (25.9% vs. 13.2%) and R2L (11.2% vs. 8.4%); and a significantly lower overall misclassification rate (18.9% vs. 35.7%). The study emphasizes that the multinomial logistic regression modeling technique with the 13 risk factors provides a robust approach to detect anomaly intrusion.
7.
Du Tao 《网络安全技术与应用》 (Network Security Technology & Application) 2014, (10): 98-98
With the rapid development of Internet technology, massive amounts of information have appeared online, and protecting this information from various attacks has become increasingly important. Traditional network security technologies are mainly firewall technology and encryption technology; in recent years a new protective technology has emerged, the Intrusion Detection System (IDS). The IDS mainly serves as a necessary complement to the firewall; the coordination of the two ensures the security of network information to the greatest extent and has become a core link in network security.
8.
Roland Fried 《Computational statistics & data analysis》2007,52(2):1063-1074
Abrupt shifts in the level of a time series represent important information and should be preserved in statistical signal extraction. Various rules for detecting level shifts that are resistant to outliers and which work with only a short time delay are investigated. The properties of robustified versions of the t-test for two independent samples and its non-parametric alternatives are elaborated under different types of noise. Trimmed t-tests, median comparisons, robustified rank and ANOVA tests based on robust scale estimators are compared.
9.
A continuous-time generalized market microstructure (GMMS) model and its discretized model are proposed for characterizing a class of financial time series. The GMMS model is a kind of jump-diffusion model that may describe the dynamic behaviors of measurable market price, immeasurable market excess demand and market liquidity, as well as the interaction among the three variates in a market. The model includes a jump component that is used to capture the large abnormal variations of financial assets, which may occur when a market is affected by special events that happen suddenly, such as the release of important financial information. On the basis of the discrete-time GMMS model, an online recursive jump detection algorithm is proposed, which is developed in accordance with the Markov property of financial time series and the Bayes theorem. Simulations and case studies demonstrate the feasibility and effectiveness of the model and its estimation approach presented in this paper.
10.
Umaa Rebbapragada Pavlos Protopapas Carla E. Brodley Charles Alcock 《Machine Learning》2009,74(3):281-313
Catalogs of periodic variable stars contain large numbers of periodic light-curves (photometric time series data from the astrophysics domain). Separating anomalous objects from well-known classes is an important step towards the discovery of new classes of astronomical objects. Most anomaly detection methods for time series data assume either a single continuous time series or a set of time series whose periods are aligned. Light-curve data precludes the use of these methods as the periods of any given pair of light-curves may be out of sync. One may use an existing anomaly detection method if, prior to similarity calculation, one performs the costly act of aligning two light-curves, an operation that scales poorly to massive data sets. This paper presents PCAD, an unsupervised anomaly detection method for large sets of unsynchronized periodic time-series data, that outputs a ranked list of both global and local anomalies. It calculates its anomaly score for each light-curve in relation to a set of centroids produced by a modified k-means clustering algorithm. Our method is able to scale to large data sets through the use of sampling. We validate our method on both light-curve data and other time series data sets. We demonstrate its effectiveness at finding known anomalies, and discuss the effect of sample size and number of centroids on our results. We compare our method to naive solutions and existing time series anomaly detection methods for unphased data, and show that PCAD’s reported anomalies are comparable to or better than all other methods. Finally, astrophysicists on our team have verified that PCAD finds true anomalies that might be indicative of novel astrophysical phenomena.
11.
Intrusion Detection System (IDS) is an important and necessary component in ensuring network security and protecting network resources and network infrastructures. How to build a lightweight IDS is a hot topic in network security. Moreover, feature selection is a classic research topic in data mining and it has attracted much interest from researchers in many fields such as network security, pattern recognition and data mining. In this paper, we effectively introduced feature selection methods to intrusion detection domain. We propose a wrapper-based feature selection algorithm aiming at building lightweight intrusion detection system by using modified random mutation hill climbing (RMHC) as search strategy to specify a candidate subset for evaluation, as well as using modified linear Support Vector Machines (SVMs) iterative procedure as wrapper approach to obtain the optimum feature subset. We verify the effectiveness and the feasibility of our feature selection algorithm by several experiments on KDD Cup 1999 intrusion detection dataset. The experimental results strongly show that our approach is not only able to speed up the process of selecting important features but also to yield high detection rates. Furthermore, our experimental results indicate that intrusion detection system with feature selection algorithm has better performance than that without feature selection algorithm both in detection performance and computational cost.
12.
The objective of this research is to show an analytical intrusion detection framework (AIDF) comprised of (i) a probability model discovery approach, and (ii) a probabilistic inference mechanism for generating the most probable forensic explanation based not only on the observed intrusion detection alerts, but also on the unreported signature rules that are revealed in the probability model. The significance of the proposed probabilistic inference is its ability to integrate alert information available from IDS sensors distributed across subnets. We choose the open source Snort to illustrate its feasibility, and demonstrate the inference process applied to the intrusion detection alerts produced by Snort. Through a preliminary experimental study, we illustrate the applicability of AIDF for information integration and the realization of (i) a distributive IDS environment comprised of multiple sensors, and (ii) a mechanism for selecting and integrating the probabilistic inference results from multiple models for composing the most probable forensic explanation.
13.
Erich Fuchs 《Pattern recognition》2009,42(11):3015-1665
This article presents SwiftMotif, a novel technique for on-line motif detection in time series. With this technique, frequently occurring temporal patterns or anomalies can be discovered, for instance. The motif detection is based on a fusion of methods from two worlds: probabilistic modeling and similarity measurement techniques are combined with extremely fast polynomial least-squares approximation techniques. A time series is segmented with a data stream segmentation method, the segments are modeled by means of normal distributions with time-dependent means and constant variances, and these models are compared using a divergence measure for probability densities. Then, using suitable clustering algorithms based on these similarity measures, motifs may be defined. The fast time series segmentation and modeling techniques then allow for an on-line detection of previously defined motifs in new time series with very low run-times. SwiftMotif is suitable for real-time applications, accounts for the uncertainty associated with the occurrence of certain motifs, e.g., due to noise, and considers local variability (i.e., uniform scaling) in the time domain. This article focuses on the mathematical foundations and the demonstration of properties of SwiftMotif—in particular accuracy and run-time—using some artificial and real benchmark time series.
14.
This paper proposes a new vehicle detection algorithm for magnetoresistive sensors. The algorithm first preprocesses the magnetic sensor data time series with variable-length sliding-window filtering, then uses PLA to extract features of the smoothed time series for vehicle detection, thereby obtaining the relevant traffic information. Simulation experiments show that the algorithm effectively reduces the influence of slow-moving large vehicles on the detection results while maintaining high accuracy.
15.
As network traffic bandwidth is increasing at an exponential rate, it is impossible to keep up with the speed of networks by just increasing the speed of processors. Besides, increasingly complex intrusion detection methods only add further to the pressure on network intrusion detection (NIDS) platforms, so the continuously increasing speed and throughput of networks pose new challenges to NIDS. To make NIDS usable in Gigabit Ethernet, the ideal policy is using a load balancer to split the traffic data and forward it to different detection sensors, which can analyze the split data in parallel. In order to make each slice contain all the evidence necessary to detect a specific attack, the load balancer design must be complicated, and it becomes a new bottleneck of NIDS. To simplify the load balancer, this paper puts forward a distributed neural network learning algorithm (DNNL). Using DNNL, a large data set can be split randomly and each slice of data is presented to an independent neural network; these networks can be trained in distribution, each one in parallel. Completeness analysis shows that DNNL’s learning algorithm is equivalent to training by one neural network which uses the technique of regularization. The experiments to check the completeness and efficiency of DNNL are performed on the KDD’99 Data Set, which is a standard intrusion detection benchmark. Compared with other approaches on the same benchmark, DNNL achieves a high detection rate and low false alarm rate.
16.
Huwaida Tagelsir Elshoush, Izzeldin Mohamed Osman 《Applied Soft Computing》2011,11(7):4349-4365
As complete prevention of computer attacks is not possible, intrusion detection systems (IDSs) play a very important role in minimizing the damage caused by different computer attacks. There are two intrusion detection methods: namely misuse- and anomaly-based. A collaborative, intelligent intrusion detection system (CIIDS) is proposed to include both methods, since it is concluded from recent research that the performance of an individual detection engine is rarely satisfactory. In particular, two main challenges in current collaborative intrusion detection systems (CIDSs) research are highlighted and reviewed: CIDSs system architectures and alert correlation algorithms. Different CIDSs system architectures are explained and compared. The use of CIDSs together with other multiple security systems raises certain issues and challenges in alert correlation. Several different techniques for alert correlation are discussed. The focus will be on correlation of CIIDS alerts. Computational Intelligence approaches, together with their applications on IDSs, are reviewed. Methods in soft computing collectively provide understandable and autonomous solutions to IDS problems. At the end of the review, the paper suggests fuzzy logic, soft computing and other AI techniques to be exploited to reduce the rate of false alarms while keeping the detection rate high. In conclusion, the paper highlights opportunities for an integrated solution to large-scale CIIDS.
17.
Intrusion detection systems (IDSs) are systems that try to detect attacks as they occur or after the attacks took place. IDSs collect network traffic information from some point on the network or computer system and then use this information to secure the network. Intrusion detection systems can be misuse-detection or anomaly-detection based. Misuse-detection based IDSs can only detect known attacks, whereas anomaly-detection based IDSs can also detect new attacks by using heuristic methods. In this paper we propose a hybrid IDS by combining the two approaches in one system. The hybrid IDS is obtained by combining packet header anomaly detection (PHAD) and network traffic anomaly detection (NETAD), which are anomaly-based IDSs, with the misuse-based IDS Snort, which is an open-source project. The hybrid IDS obtained is evaluated using the MIT Lincoln Laboratories network traffic data (IDEVAL) as a testbed. Evaluation compares the number of attacks detected by the misuse-based IDS on its own with the hybrid IDS obtained by combining anomaly-based and misuse-based IDSs, and shows that the hybrid IDS is a more powerful system.
18.
Mao Xiaoxian 《网络安全技术与应用》 (Network Security Technology & Application) 2014, (8): 63-63
As the times progress, Internet and computer technology keep upgrading, and the use of computers and networks has become widespread in the lives of ordinary people. Computer networks play an important role in people's lives and bring many conveniences to their work and daily life, but at the same time network security problems have become a focus of attention. Intrusion detection technology is a key defensive technology for computer network security and plays a crucial role in maintaining it. This paper briefly discusses intrusion detection technology for computer network security, in the hope of helping to improve the security of computer networks.
19.
《Expert systems with applications》2014,41(8):3799-3808
A lot of research has resulted in many time series models with high precision forecasting realized at the numerical level. However, in the real world, higher numerical precision may not be necessary for the perception, reasoning and decision-making of humans. A model of time series with the human ability to perceive and process abstract entities (rather than numeric entities) is more adaptable for some problems of decision-making. In this regard, information granules and granular computing play a primordial role. For example, if the change range (intervals) of stock prices for a certain period in the future is regarded as an information granule, constructing a model that can forecast change ranges (intervals) of stock prices for a period in the future is better able to help stock investors make reasonable decisions in comparison with those based upon a specific forecast numerical value of the stock price. In this paper, we propose a new modeling approach to realize interval prediction, in which the idea of information granules and granular computing is integrated with the classical Chen’s method. The proposed method is to segment an original numeric time series into a collection of time windows first, and then build fuzzy granules expressed as a certain fuzzy set over each time window by exploiting the principle of justifiable granularity. Finally, a fuzzy granular model can be constructed by mining fuzzy logical relationships of adjacent granules. The constructed model can carry out interval prediction by a degranulation operation. Two benchmark time series are used to validate the feasibility and effectiveness of the proposed approach. The obtained results demonstrate the effectiveness of the approach. Besides, for modeling and prediction of large-scale time series, the proposed approach exhibits a clear advantage of reducing the computation overhead of modeling and simplifying forecasting.