利用主机软件信息消除NIDS虚警

由于缺乏对网络主机上下文的了解,多数基于特征的NIDS(网络入侵检测系统)产生的虚警数量太多,使得管理员无法尽快将注意力集中到真正有威胁的报警上.通过改进已有的MDS使其能够有效利用网络主机上的软件信息消除MDS虚警的有效方法,改进后的MDS根据已知的受监控网段内的主机软件信息,在与入侵规则做匹配之前进行预先判断,过滤掉不需要匹配的入侵规则,从而减少很多没有实际意义的报警记录.改进后的NIDS原型系统在企业内部网实施的实测结果显示,该方法确实可以达到减少虚警数量提高报警质量的目的.     

NIDS歧义流量矫正系统

基于网络的入侵检测系统通过分析网络流量识别攻击,但隐藏在歧义网络数据中的Insertion和Evasion攻击利用不同系统实现网络协议栈的差异以及各系统所处不同的网络位置,逃避NIDS检测,以致漏报。文章回顾了歧义问题的相关研究,分析了其产生原因,并以重叠IP分片重组和重叠TCP段重构为例进行讨论。针对以逃避NIDS检测为目的的歧义流量问题,提出了NIDS歧义流量矫正系统,通过分析相关网络协议在实现中产生的歧义,对网络流量进行相应的矫正,使NIDS有效检测出隐藏在歧义网络流量中的特定的Insertion和Evasion攻击。     

A fast pattern matching algorithm with multi-byte search unit for high-speed network security

A signature-based intrusion detection system identifies intrusions by comparing the data traffic with known signature patterns. In this process, matching of packet strings against signature patterns is the most time-consuming step and dominates the overall system performance. Many signature-based network intrusion detection systems (NIDS), e.g., the Snort, employ one or multiple pattern matching algorithms to detect multiple attack types. So far, many pattern matching algorithms have been proposed. Most of them use single-byte standard unit for search, while a few algorithms such as the Modified Wu-Manber (MWM) algorithm use typically two-byte unit, which guarantees better performance than others even as the number of different signatures increases. Among those algorithms, the MWM algorithm has been known as the fastest pattern matching algorithm when the patterns in a rule set rarely appear in packets. However, the matching time of the MWM algorithm increases as the length of the shortest pattern in a signature group decreases.In this paper, by extending the length of the shortest pattern, we minimize the pattern matching time of the algorithm which uses multi-byte unit. We propose a new pattern matching algorithm called the L⁺¹-MWM algorithm for multi-pattern matching. The proposed algorithm minimizes the performance degradation that is originated from the dependency on the length of the shortest pattern. We show that the L⁺¹-MWM algorithm improves the performance of the MWM algorithm by as much as 20% in average under various lengths of shortest patterns and normal traffic conditions. Moreover, when the length of the shortest pattern in a rule set is less than 5, the L⁺¹-MWM algorithm shows 38.87% enhancement in average. We also conduct experiments on a real campus network and show that 12.48% enhancement is obtained in average. In addition, it is shown that the L⁺¹-MWM algorithm provides a better performance than the MWM algorithm by as much as 25% in average under various numbers of signatures and normal traffic conditions, and 20.12% enhancement in average with real on-line traffic.     

高效自适应的抗污染攻击网络编码传输方案

本文主要研究网络编码在抗污染攻击中的应用,针对中间节点对收到的所有编码包进行验证浪费网络资源和目的节点解码速率慢等问题,提出一种高效自适应的抗污染攻击网络编码传输方案-EANC(Efficient and Adaptive Network Coding transmission scheme against pollution attack)。EANC方案在数据分组编码阶段,利用按照网络编码的时间和空间特性构造的线性子空间签名方案准确地验证数据分组是否被污染从而有效控制污染数据分组的传播,并且能使中间节点调节验证步骤使之自适应于当前网络的污染程度,从而提高验证效率;在目的节点解码阶段,EANC方案利用目的节点重传恢复机制降低解码恢复时延。仿真结果表明,EANC方案能够减少子空间的签名长度并且降低目的节点解码恢复的平均时延。     

Hierarchical multi-pattern matching algorithm for network content inspection

Inspection engines that can inspect network content for application-layer information are urgently required. In-depth packet inspection engines, which search the whole packet payload, can identify the interested packets that contain certain patterns. Network equipment then utilizes the searching results from the inspection engines for application-oriented management. The most important technology for fast packet inspection is an efficient multi-pattern matching algorithm to perform exact string matching between packets and a large set of patterns. This paper proposes a novel hierarchical multi-pattern matching algorithm (HMA) for packet inspection. HMA builds hierarchical index tables from the most frequent common-codes, and efficiently reduces the amount of external memory accesses and memory space by two-tier and cluster-wise matching. Analysis and simulation results reveal that HMA performs much better than state-of-the-art matching algorithms. In particular, HMA can update patterns incrementally, thus creating a reliable network system.     

利用Netfilter实现NIDS集群的研究和实践

目前基于网络的入侵检测系统(NIDS)面临普通单机检测设备的数据包处理能力不能适应网络带宽发展需求的问题，该文介绍了利用NIDS集群在高速网络环境下实现入侵检测的方法。根据NIDS集群的特点利用Linux内核中Netfilter模块实现了数据包基于分流转发和会话的动态负载均衡。并通过使用基于Linux操作系统的IDS负载均衡器实现了NIDS集群在高速网络环境下的入侵检测。     

Flow-based anomaly detection in high-speed links using modified GSA-optimized neural network

Ever growing Internet causes the availability of information. However, it also provides a suitable space for malicious activities, so security is crucial in this virtual environment. The network intrusion detection system (NIDS) is a popular tool to counter attacks against computer networks. This valuable tool can be realized using machine learning methods and intrusion datasets. Traditional datasets are usually packet-based in which all network packets are analyzed for intrusion detection in a time-consuming process. On the other hand, the recent spread of 1–10-Gbps-technologies have clearly pointed out that scalability is a growing problem. In this way, flow-based solutions can help to solve the problem by reduction of data and processing time, opening the way to high-speed detection on large infrastructures. Besides, NIDS should be capable of detecting new malicious activities. Artificial neural network-based NIDSs can detect unseen attacks, so a multi-layer perceptron (MLP) neural classifier is used in this study to distinguish benign and malicious traffic in a flow-based NIDS. In this way, a modified gravitational search algorithm (MGSA), as a modern heuristic technique, is employed to optimize the interconnection weights of the neural anomaly detector. The proposed scheme is trained using an enhanced version of the first labeled flow-based dataset for intrusion detection introduced in 2009. In addition, the particle swarm optimization (PSO) algorithm and traditional error back-propagation (EBP) algorithm are employed to train MLP, so performance comparison becomes possible. The experimental results based on the actual network data show that the MGSA-optimized neural anomaly detector is effective for monitoring abnormal traffic flows in the gigabytes traffic environment, and the accuracy is about 97.8 %.     

A hybrid machine learning approach to network anomaly detection

Zero-day cyber attacks such as worms and spy-ware are becoming increasingly widespread and dangerous. The existing signature-based intrusion detection mechanisms are often not sufficient in detecting these types of attacks. As a result, anomaly intrusion detection methods have been developed to cope with such attacks. Among the variety of anomaly detection approaches, the Support Vector Machine (SVM) is known to be one of the best machine learning algorithms to classify abnormal behaviors. The soft-margin SVM is one of the well-known basic SVM methods using supervised learning. However, it is not appropriate to use the soft-margin SVM method for detecting novel attacks in Internet traffic since it requires pre-acquired learning information for supervised learning procedure. Such pre-acquired learning information is divided into normal and attack traffic with labels separately. Furthermore, we apply the one-class SVM approach using unsupervised learning for detecting anomalies. This means one-class SVM does not require the labeled information. However, there is downside to using one-class SVM: it is difficult to use the one-class SVM in the real world, due to its high false positive rate. In this paper, we propose a new SVM approach, named Enhanced SVM, which combines these two methods in order to provide unsupervised learning and low false alarm capability, similar to that of a supervised SVM approach.We use the following additional techniques to improve the performance of the proposed approach (referred to as Anomaly Detector using Enhanced SVM): First, we create a profile of normal packets using Self-Organized Feature Map (SOFM), for SVM learning without pre-existing knowledge. Second, we use a packet filtering scheme based on Passive TCP/IP Fingerprinting (PTF), in order to reject incomplete network traffic that either violates the TCP/IP standard or generation policy inside of well-known platforms. Third, a feature selection technique using a Genetic Algorithm (GA) is used for extracting optimized information from raw internet packets. Fourth, we use the flow of packets based on temporal relationships during data preprocessing, for considering the temporal relationships among the inputs used in SVM learning. Lastly, we demonstrate the effectiveness of the Enhanced SVM approach using the above-mentioned techniques, such as SOFM, PTF, and GA on MIT Lincoln Lab datasets, and a live dataset captured from a real network. The experimental results are verified by m-fold cross validation, and the proposed approach is compared with real world Network Intrusion Detection Systems (NIDS).     

基于混合模式匹配算法的网络入侵检测

为了提升中央处理单元(CPU)和图形处理单元(GPU)协同检测网络入侵的性能,本文提出了一种具有数据包有效载荷长度约束的CPU/GPU混合模式匹配算法(LHPMA)。在分析CPU/GPU混合模式匹配算法(HPMA)的基础上,设计了长度约束分离算法(LBSA)对传入数据包进行提前分类。利用CPU中的预过滤缓冲区对较长数据包进行快速预过滤,结合全匹配缓冲区将较短数据包直接分配给GPU进行全模式匹配,通过减少有效载荷长度的多样性,提升了CPU/GPU协同检测网络入侵的性能。实验结果表明,LHPMA增强了HPMA的处理性能,充分发挥了GPU并行处理较短数据包的优势,并且LHPMA提高了网络入侵检测的吞吐量。     

Data preprocessing for anomaly based network intrusion detection: A review

Data preprocessing is widely recognized as an important stage in anomaly detection. This paper reviews the data preprocessing techniques used by anomaly-based network intrusion detection systems (NIDS), concentrating on which aspects of the network traffic are analyzed, and what feature construction and selection methods have been used. Motivation for the paper comes from the large impact data preprocessing has on the accuracy and capability of anomaly-based NIDS. The review finds that many NIDS limit their view of network traffic to the TCP/IP packet headers. Time-based statistics can be derived from these headers to detect network scans, network worm behavior, and denial of service attacks. A number of other NIDS perform deeper inspection of request packets to detect attacks against network services and network applications. More recent approaches analyze full service responses to detect attacks targeting clients. The review covers a wide range of NIDS, highlighting which classes of attack are detectable by each of these approaches.Data preprocessing is found to predominantly rely on expert domain knowledge for identifying the most relevant parts of network traffic and for constructing the initial candidate set of traffic features. On the other hand, automated methods have been widely used for feature extraction to reduce data dimensionality, and feature selection to find the most relevant subset of features from this candidate set. The review shows a trend toward deeper packet inspection to construct more relevant features through targeted content parsing. These context sensitive features are required to detect current attacks.     

基于漏洞扫描的入侵检测规则屏蔽方法研究

网络入侵检测系统的规则数在不断地增加,规则匹配的过程越来越复杂.在高速网络的环境下,NIDS(Network Intrusion Detection System)难以适应,产生漏检.将漏洞扫描与入侵检测进行融合,通过对保护对象扫描,找出存在的漏洞,根据漏洞信息将无用的规则屏蔽.实验结果表明,可以大量减少无用的检测规则;同时可以减少相应的警报信息.提高了检测效率、降低丢包率.     

一种可扩展的高效入侵监测平台技术

为了在更高带宽的网络中进行有效的入侵检测分析,研究了入侵检测中的数据获取技术,提出了一种可扩展的高效入侵监测框架SEIMA(scalable efficient intrusion monitoring architecture).在SEIMA结构模型中,通过将高效网络流量负载分割器与多个并行工作的入侵检测传感器相结合,从而可以将入侵检测扩展应用到更高的网络带宽中;通过使用高效地址翻译技术和缓冲区管理机制实现了旁路操作系统的高性能用户级网络报文传输模型,以便提高单传感器的报文处理性能;通过采用有限自动机的方法构建了基于用户层的多规则报文过滤器以消除多余数据包的处理开销.模拟环境和实际环境下的测试结果表明,SEIMA在提高网络入侵检测系统数据获取效率的同时,能够降低系统CPU的利用率,从而可以将更多的系统资源用于更复杂的数据分析过程.     

基于特征检测的分布式网络报警系统

分析当前网络入侵检测系统NIDS的主要思想和实现方法，针对传统NIDS的不足，提出了一种基于特征检测的分布式网络报警系统模型，并且详细地描述了该模型的结构和实现。该模型将规则匹配与案例分析以及集中控制与分布检测相结合，在保证网络安全的基础上，有效地提高了NIDS的动态性和自适应性。     

利用网络入侵检测系统与防火墙的功能结合构建安全网络模型

通过剖析防火墙以及网络入侵检测系统的特点，提出了实现网络入侵检测系统与防火墙的功能结合的观点，并就利用这种功能结合在构建安全网络模型的应用问题上进行了阐述。     

入侵检测系统中的多模式精确匹配算法WDawgMatch

经典的多模式匹配算法如AC、BM,并不满足NIDS对报文负载中攻击特征串检测时做在线乱序流匹配的需求。著名的多模式精确匹配算法DawgMatch弥补了上述算法无法在扫描的同时获得分片摘要信息的缺点,因此在网络入侵检测系统(NIDS)的在线检测中得到普遍应用。尽管基于DAWA自动机使得DawgMatch可通过二元索引来提高空间使用效率,但它的匹配性能尚不能达到高速报文入侵检测线速匹配的要求。本文提出了新算法WDawgMatch,它牺牲预处理时间,引入加权边消除了DawgMatch匹配回溯现象,提升了匹配速度。性能分析和实验结果表明,WDawgMatch降低了原算法的最坏时间复杂度,缩小了与AC算法的差距,完全满足NIDS线速匹配的要求。     

多源网络编码同态签名方案*

由于网络编码的系统很容易受到污染攻击,提出了一个适用于多源网络编码应对污染攻击的同态签名方案.该方案使用了同态哈希函数,能够阻止恶意修改的数据分组.被污染的数据分组会被验证者丢弃,从而保证了系统的安全性.该方案是同态的且是为多源网络编码特别设计的,与文件和分组的大小无关,而且方案中的公钥和每个分组的开销是常量.     

结合遗传算法的NIDS多媒体包多线程择危模型

当网络流量超出网络入侵检测系统（NIDS）负载能力时,漏检将不可避免,此时应选择较危险的数据包优先处理。因多媒体数据包在流量中所占比例较大,故曾提出对其识别和特殊处理的方法,收效良好。在此基础上,提出结合遗传算法的NIDS多媒体包多线程择危模型,该模型能在漏检发生时,根据不同线程的最大处理能力,按照多媒体数据包的危险程度择危优先处理。实验结果表明,使用该模型能够有效提高NIDS在每个线程内所选择的多媒体数据包序列的危险系数。     

基于Netfilter框架的分布式网络入侵检测系统

针对网络入侵检测系统（NIDS）的处理速度无法跟上网络通讯及其数量的增长速度,提出了基于Netfilter的分布式NIDS系统和负载均衡算法,在Netfilter上实现了数据包的分流,使得分配到每一个NIDS的数据包的集合是一个特定攻击的特征集合。实验表明,分布式NIDS中每个NIDS的负载基本相等,漏检率减少到了单个NIDS的1/4。     

网络入侵检测系统的负载均衡方案

在高速网络环境下,数据流的高速化使得网络入侵检测系统往往会出现严重的漏报率,针对此性能瓶颈,提出了一种基于预测的并行入侵检测系统的负载均衡方案。该方案主动测量各探测器的负载为预测依据,采用混沌时间序列的全域预测法为预测手段,利用预测的负载值为负载均衡的根据。通过仿真实验,证明了该方案的可行性及有效性,它能有效地均衡负载、减少系统的丢包率。