A simple and efficient hidden Markov model scheme for host-based anomaly intrusion detection

Extensive research activities have been observed on network-based intrusion detection systems (IDSs). However, there are always some attacks that penetrate trafficprofiling- based network IDSs. These attacks often cause very serious damages such as modifying host critical files. A host-based anomaly IDS is an effective complement to the network IDS in addressing this issue. This article proposes a simple data preprocessing approach to speed up a hidden Markov model (HMM) training for system-call-based anomaly intrusion detection. Experiments based on a public database demonstrate that this data preprocessing approach can reduce training time by up to 50 percent with unnoticeable intrusion detection performance degradation, compared to a conventional batch HMM training scheme. More than 58 percent data reduction has been observed compared to our prior incremental HMM training scheme. Although this maximum gain incurs more degradation of false alarm rate performance, the resulting performance is still reasonable.     

Random-Forests-Based Network Intrusion Detection Systems

Prevention of security breaches completely using the existing security technologies is unrealistic. As a result, intrusion detection is an important component in network security. However, many current intrusion detection systems (IDSs) are rule-based systems, which have limitations to detect novel intrusions. Moreover, encoding rules is time-consuming and highly depends on the knowledge of known intrusions. Therefore, we propose new systematic frameworks that apply a data mining algorithm called random forests in misuse, anomaly, and hybrid-network-based IDSs. In misuse detection, patterns of intrusions are built automatically by the random forests algorithm over training data. After that, intrusions are detected by matching network activities against the patterns. In anomaly detection, novel intrusions are detected by the outlier detection mechanism of the random forests algorithm. After building the patterns of network services by the random forests algorithm, outliers related to the patterns are determined by the outlier detection algorithm. The hybrid detection system improves the detection performance by combining the advantages of the misuse and anomaly detection. We evaluate our approaches over the Knowledge Discovery and Data Mining 1999 (KDD’99) dataset. The experimental results demonstrate that the performance provided by the proposed misuse approach is better than the best KDD’99 result; compared to other reported unsupervised anomaly detection approaches, our anomaly detection approach achieves higher detection rate when the false positive rate is low; and the presented hybrid system can improve the overall performance of the aforementioned IDSs.      

Counselors network for intrusion detection

Intrusion detection systems (IDSs) are a fundamental component of defense solutions. In particular, IDSs aim to detect malicious activities on computer systems and networks by relying on data classification models built from a training dataset. However, classifiers' performance can vary for each attack pattern. A common technique to overcome this issue is to use ensemble methods, where multiple classifiers are employed and a final decision is taken combining their outputs. Despite the potential advantages of such an approach, its usefulness is limited in scenarios where (i) multiple expert classifiers present divergent results, (ii) all classifiers present poor results due to lack of representative features, or (iii) detectors have insufficient labeled signatures to train their classifiers for a specific attack pattern. In this work, we introduce the concept of a counselors network to deal with conflicts from different classifiers by exploiting the collaboration among IDSs that analyze multiple and heterogeneous data sources. Empirical results demonstrate the feasibility of the proposed architecture in improving the accuracy of the intrusion detection process.     

Intrusion detection in wireless ad hoc networks

Intrusion detection has, over the last few years, assumed paramount importance within the broad realm of network security, more so in the case of wireless ad hoc networks. These are networks that do not have an underlying infrastructure; the network topology is constantly changing. The inherently vulnerable characteristics of wireless ad hoc networks make them susceptible to attacks, and it may be too late before any counter action can take effect. Second, with so much advancement in hacking, if attackers try hard enough they will eventually succeed in infiltrating the system. This makes it important to constantly (or at least periodically) monitor what is taking place on a system and look for suspicious behavior. Intrusion detection systems (IDSs) do just that: monitor audit data, look for intrusions to the system, and initiate a proper response (e.g., email the systems administrator, start an automatic retaliation). As such, there is a need to complement traditional security mechanisms with efficient intrusion detection and response. In this article we present a survey on the work that has been done in the area of intrusion detection in mobile ad hoc networks.     

基于隐马尔可夫模型的用户行为异常检测新方法

提出一种基于隐马尔可夫模型的用户行为异常检测方法,主要用于以shell命令为审计数据的主机型入侵检测系统。与Lane T提出的检测方法相比,所提出的方法改进了对用户行为模式和行为轮廓的表示方式,在HMM的训练中采用了运算量较小的序列匹配方法,并基于状态序列出现概率对被监测用户的行为进行判决。实验表明,此方法具有很高的检测准确度和较强的可操作性。     

A Method for Anomaly Detection of User Behaviors Based on Machine Learning

1Introduction Intrusiondetectiontechniquescanbecategorizedinto misusedetectionandanomalydetection.Misusedetec tionsystemsmodelattacksasspecificpatterns,anduse thepatternsofknownattackstoidentifyamatchedac tivityasanattackinstance.Anomalydetectionsystems u…     

入侵检测技术的研究

入侵检测系统用于检测对计算机系统和网络的攻击。作为一种新型的信息系统安全机制,通过监控这些信息系统的使用情况,来检测信息系统的用户越权使用以及系统外部的入侵者利用系统的安全缺陷对系统进行入侵的企图。本文首先分析了入侵检测系统的主要模型及其实现技术,然后,对网络环境下基于代理机制的入侵检测模型及其主要实现技术进行了讨论。     

Statistical fingerprint‐based intrusion detection system (SF‐IDS)

Intrusion detection systems (IDS) are systems aimed at analyzing and detecting security problems. The IDS may be structured into misuse and anomaly detection. The former are often signature/rule IDS that detect malicious software by inspecting the content of packets or files looking for a “signature” labeling malware. They are often very efficient, but their drawback stands in the weakness of the information to check (eg, the signature), which may be quickly dated, and in the computation time because each packet or file needs to be inspected. The IDS based on anomaly detection and, in particular, on statistical analysis have been originated to bypass the mentioned problems. Instead of inspecting packets, each traffic flow is observed so getting a statistical characterization, which represents the fingerprint of the flow. This paper introduces a statistical analysis based intrusion detection system, which, after extracting the statistical fingerprint, uses machine learning classifiers to decide whether a flow is affected by malware or not. A large set of tests is presented. The obtained results allow selecting the best classifiers and show the performance of a decision maker that exploits the decisions of a bank of classifiers acting in parallel.     

遗传算法在基于网络异常的入侵检测中的应用

考虑到基于误用的IDS不能有效检测未知入侵行为,而基于统计的异常检测法在建模时忽略了多变量在一段时间内的关系,提出了一种异常检测算法.用滑动窗口将系统各属性表示为特征向量,从而将系统正常状态分布在n维空间中,并使用遗传算法进化检测规则集来覆盖异常空间.经实验证明该方法提高了检测率.     

入侵检测技术趋势

描述了遗传算法．统计模型、神经网络、人工免疫系统等入侵检测技术趋势，并指出入侵检测系统的不足。将防火墙、密罐和漏洞扫描与入侵检测系统相结合，以进一步提高入侵检测系统的性能     

RADAR: A reputation-driven anomaly detection system for wireless mesh networks

As one of the backup measures of intrusion prevention techniques, intrusion detection plays a paramount role in the second defense line of computer networks. Intrusion detection in wireless mesh networks (WMNs) is especially challenging and requires particular design concerns due to their special infrastructure and communication mode. In this paper, we propose a novel anomaly detection system, termed RADAR, to detect and handle anomalous mesh nodes in wireless mesh networks. Specifically, reputation is introduced to characterize and quantify a node’s behavior in terms of fine-grained performance metrics of interest. The dual-core detection engine of RADAR then explores spatio-temporal property of such behavior to manifest the deviation between that of normal and anomalous nodes. Although the current RADAR prototype is only implemented with routing protocols, the design architecture allows it to be easily extended to cross-layer anomaly detection where anomalous events occur at different layers and can be resulted by either intentional intrusion or accidental network failure. The simulation results demonstrate that RADAR can achieve high detection accuracy, low computational complexity, and low false positive rate.     

Intrusion detection and prevention system for an IoT environment

Internet of Things (IoT) security is the act of securing IoT devices and networks. IoT devices, including industrial machines, smart energy grids, and building automation, are extremely vulnerable. With the goal of shielding network systems from illegal access in cloud servers and IoT systems, Intrusion Detection Systems (IDSs) and Network-based Intrusion Prevention Systems (NBIPSs) are proposed in this study. An intrusion prevention system is proposed to realize NBIPS to safeguard top to bottom engineering. The proposed NBIPS inspects network activity streams to identify and counteract misuse instances. The NBIPS is usually located specifically behind a firewall, and it provides a reciprocal layer of investigation that adversely chooses unsafe substances. Network-based IPS sensors can be installed either in an inline or a passive model. An inline sensor is installed to monitor the traffic passing through it. The sensors are installed to stop attacks by blocking the traffic using an IoT signature-based protocol.     

网络误用和异常入侵检测系统设计

文中讨论了误用和异常入侵检测技术存在的不足,提出结合误用检测和异常检测的入侵检测系统模型,该系统利用规则匹配检测已知入侵,利用免疫算法检测未知入侵并更新规则数据库,检测效率较高。     

基于组件的NIDS研究

论文提出的基于组件的网络型入侵检测系统,具有良好的分布性和可扩展性。它将基于网络和基于主机的入侵检测系统有机地结合起来,提供集成化的检测、报告和响应功能。     

Design and analysis of intrusion detection systems for wireless mesh networks

Intrusion is any unwanted activity that can disrupt the normal functions of wired or wireless networks. Wireless mesh networking technology has been pivotal in providing an affordable means to deploy a network and allow omnipresent access to users on the Internet. A multitude of emerging public services rely on the widespread, high-speed, and inexpensive connectivity provided by such networks. The absence of a centralized network infrastructure and open shared medium makes WMNs particularly susceptible to malevolent attacks, especially in multihop networks. Hence, it is becoming increasingly important to ensure privacy, security, and resilience when designing such networks. An effective method to detect possible internal and external attack vectors is to use an intrusion detection system. Although many Intrusion Detection Systems (IDSs) were proposed for Wireless Mesh Networks (WMNs), they can only detect intrusions in a particular layer. Because WMNs are vulnerable to multilayer security attacks, a cross-layer IDS are required to detect and respond to such attacks. In this study, we analyzed cross-layer IDS options in WMN environments. The main objective was to understand how such schemes detect security attacks at several OSI layers. The suggested IDS is verified in many scenarios, and the experimental results show its efficiency.     

基于系统调用特征的入侵检测研究

对网络服务程序进行攻击是非法用户入侵系统的主要途径 ,针对关键程序的入侵检测近年来受到重视 .该文提出的CTBIDS检测模型在利用系统调用特征树描述程序行为特征的基础上 ,通过异常有限积累判别程序入侵 ,既能体现异常状况的长期积累 ,也能很好地反映入侵的异常局部性原理 .此外 ,该文通过统计分析方法确定入侵判别参数 ,使得入侵判别更加准确 .测试及试用结果表明CTBIDS能有效检测出针对关键程序的攻击     

基于shell命令和Markov链模型的用户行为异常检测

异常检测是目前入侵检测系统(IDS)研究的主要方向。该文提出一种基于shell命令和Markov链模型的用户行为异常检测方法,该方法利用一阶齐次Markov链对网络系统中合法用户的正常行为进行建模,将Markov链的状态与用户执行的shell命令联系在一起,并引入一个附加状态;Markov链参数的计算中采用了运算量较小的命令匹配方法;在检测阶段,基于状态序列的出现概率对被监测用户当前行为的异常程度进行分析,并提供了两种可选的判决方案。文中提出的方法已在实际入侵检测系统中得到应用,并表现出良好的检测性能。     

入侵检测技术研究现状与未来发展

入侵检测技术是一种主动防御型安全技术,可以弥补传统安全技术的不足.文章对入侵检测技术进行了归类,介绍了两种通用的入侵检测方法:一种是根据采集点的不同,将IDS分为基于主机的IDS和基于网络的IDS;另外一种是根据检测所基于的原则不同,将入侵检测系统划分为异常检测IDS和误用检测IDS.文章还对入侵检测技术的未来发展方向进行了讨论.     

A revised taxonomy for intrusion-detection systems

Intrusion-detection systems aim at detecting attacks against computer systems and networks, or in general against information systems. Indeed, it is difficult to provide provably secure information systems and to maintain them in such a secure state during their lifetime and utilization. Sometimes, legacy or operational constraints do not even allow the definition of a fully secure information system. Therefore, intrusion- detection systems have the task of monitoring the usage of such systems to detect apparition of insecure states. They detect attempts and active misuse, either by legitimate users of the information systems or by external parties, to abuse their privileges or exploit security vulnerabilities. In a previous paper [Computer networks 31, 805–822 (1999)], we introduced a taxonomy of intrusion- detection systems that highlights the various aspects of this area. This paper extends the taxonomy beyond real- time intrusion detection to include additional aspects of security monitoring, such as vulnerability assessment.     

基于粗糙集和人工免疫的集成入侵检测模型

针对当前入侵检测存在的问题,通过引入粗糙集方法,综合误用检测和异常检测设计了一种基于粗糙集和人工免疫的集成入侵检测（RSAI-IID）模型,提出了一种在入侵检测中实现疫苗注入的方法。采用粗糙集方法获取疫苗,并保证了疫苗的优良性,优化检测性能;误用检测筛掉已知的入侵行为,提高检测的速度;异常检测针对未知攻击进行实时检测。最后在KDD99数据集上进行实验仿真,验证了模型的可行性和有效性。