基于异常和特征的入侵检测系统模型

目前大多数入侵检测系统(Intrusion Detection System，IDS)没有兼备检测已知和未知入侵的能力，甚至不能检测已知入侵的微小变异，效率较低。本文提出了一种结合异常和特征检测技术的IDS。使用单一技术的IDS存在严重的缺点，为提高其效率，唯一的解决方案是两者的结合，即基于异常和特征的入侵检测。异常检测能发现未知入侵，而基于特征的检测能发现已知入侵，结合两者而成的基于异常和特征的入侵检测系统不但能检测已知和未知的入侵，而且能更新基于特征检测的数据库，因而具有很高的效率。     

免疫原理驱动的入侵检测系统框架

将人体免疫原理应用于计算机安全领域是安全技术研究的一次新的尝试。免疫系统捍卫着人体的生存,正如入侵检测系统(IDS,IntrusionDetectionSystem)保护计算机系统免受攻击的摧毁。当前大多数IDS系统仅采用基于特征的检测以减少误报,然而这会造成不可忍受的漏报问题。论文将免疫原理引入入侵检测领域,试图为当前入侵检测领域普遍存在的误报、漏报问题提出一种解决方案,并提出一种分布式、轻量级和自组织的入侵检测系统框架。     

入侵检测系统发展的研究综述

With the fast development of Internet,more and more computer security affairs appear. Researchers have developed many security mechanisms to improve computer security ,including intrusion detection (ID). This paper re-views the history of intrusion detection systems (IDS)and mainstream techniques used in IDS,showing that IDS couldimprove security only provided that it is devised based on the architecture of the target system. From this, we could see the trend of integration of host-oriented ,network-oriented and application-oriented IDSs.     

A comparison of Intrusion Detection systems

A computer system intrusion is seen as any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.[1] The introduction of networks and the Internet caused great concern about the protection of sensitive information and have resulted in many computer security research efforts during the past few years. Although preventative techniques such as access control and authentication attempt to prevent intruders, these can fail, and as a second line of defence, intrusion detection has been introduced. Intrusion detection systems (IDS) are implemented to detect an intrusion as it occurs, and to execute countermeasures when detected.Usually, a security administrator has difficulty in selecting an IDS approach for his unique set-up. In this Report, different approaches to intrusion detection systems are compared, to supply a norm for the best-fit system. The results would assist in the selection of a single appropriate intrusion detection system or combine approaches that best fit any unique computer system.     

入侵检测技术的研究与进展

入侵检测系统(IDS)作为一门新兴的安全技术，是网络安全系统中的重要组成部分。该文阐述了入侵检测系统的基本原理和功能模块，从数据源、检测方法和检测定时三个方面描述了入侵检测系统的分类，并对目前国内外入侵检测技术的研究现状作了介绍和分析。随着计算机技术和网络技术的高速发展，海量存储和高带宽的传输技术，都使得集中式的入侵检测越来越不能满足系统需求。由此指出，分布式入侵检测(DID)必将逐渐成为入侵检测乃至整个网络安全领域的研究重点，为进行入侵检测技术的研究提供一定的技术和理论依据。     

MOVIH-IDS: A mobile-visualization hybrid intrusion detection system

A novel hybrid artificial intelligent system for intrusion detection, called MObile-VIsualization Hybrid IDS (MOVIH-IDS), is presented in this study. A hybrid model built by means of a multiagent system that incorporates an unsupervised connectionist intrusion detection system (IDS) has been defined to guaranty an efficient computer network security architecture. This hybrid IDS facilitates the intrusion detection in dynamic networks, in a more flexible and adaptable manner. The proposed improvement of the system in this paper includes deliberative agents characterized by the use of an unsupervised connectionist model to identify intrusions in computer networks. This hybrid IDS has been probed through several real anomalous situations related to the simple network management protocol as it is potentially dangerous. Experimental results probed the successful detection of such attacks through MOVIH-IDS.     

Wired and wireless intrusion detection system: Classifications, good characteristics and state-of-the-art

In computer and network security, standard approaches to intrusion detection and response attempt to detect and prevent individual attacks. Intrusion Detection System (IDS) and intrusion prevention systems (IPS) are real-time software for risk assessment by monitoring for suspicious activity at the network and system layer. Software scanner allows network administrator to audit the network for vulnerabilities and thus securing potential holes before attackers take advantage of them.

In this paper we try to define the intruder, types of intruders, detection behaviors, detection approaches and detection techniques. This paper presents a structural approach to the IDS by introducing a classification of IDS. It presents important features, advantages and disadvantages of each detection approach and the corresponding detection techniques. Furthermore, this paper introduces the wireless intrusion protection systems.

The goal of this paper is to place some characteristics of good IDS and examine the positioning of intrusion prevention as part of an overall layered security strategy and a review of evaluation criteria for identifying and selecting IDS and IPS. With this, we hope to introduce a good characteristic in order to improve the capabilities for early detection of distributed attacks in the preliminary phases against infrastructure and take a full spectrum of manual and automatic response actions against the source of attacks.     

基于Web的入侵检测资源监视系统的设计与实现

Web上的主机资源包括Web服务器上的文件、端口及地址等,针对现有基于签名的入侵检测系统在Web上存在的安全缺陷,文章通过分析攻击的根源和发生攻击的位置来检测Web上的攻击,进而提出Web入侵检测模型。该模型的核心是Web服务器中对主机资源的监视,最后详细的论述了资源监视系统的设计和实现。     

An automatically tuning intrusion detection system.

An intrusion detection system (IDS) is a security layer used to detect ongoing intrusive activities in information systems. Traditionally, intrusion detection relies on extensive knowledge of security experts, in particular, on their familiarity with the computer system to be protected. To reduce this dependence, various data-mining and machine learning techniques have been deployed for intrusion detection. An IDS is usually working in a dynamically changing environment, which forces continuous tuning of the intrusion detection model, in order to maintain sufficient performance. The manual tuning process required by current systems depends on the system operators in working out the tuning solution and in integrating it into the detection model. In this paper, an automatically tuning IDS (ATIDS) is presented. The proposed system will automatically tune the detection model on-the-fly according to the feedback provided by the system operator when false predictions are encountered. The system is evaluated using the KDDCup'99 intrusion detection dataset. Experimental results show that the system achieves up to 35% improvement in terms of misclassification cost when compared with a system lacking the tuning feature. If only 10% false predictions are used to tune the model, the system still achieves about 30% improvement. Moreover, when tuning is not delayed too long, the system can achieve about 20% improvement, with only 1.3% of the false predictions used to tune the model. The results of the experiments show that a practical system can be built based on ATIDS: system operators can focus on verification of predictions with low confidence, as only those predictions determined to be false will be used to tune the detection model.     

入侵检测系统系统性能参数的仿真法分析

随着网络的发展和对网络安全的逐步重视,入侵检测系统的研究越来越受到关注。对于入侵检测系统的框架模型、采用的匹配策略和不同检测系统之间的协作模式等,都已经做了许多工作,并已经形成了相对统一的标准。但是,对入侵检测系统在实际操作中应该如何达到配置最优缺少相应的研究。该文运用非马尔科夫模型进行仿真模拟,指出影响入侵检测系统性能的几个关键参数,给出特定流量模式下达到最优性能的配置方法。采用与实际情况更为贴近的仿真模型,考虑更多的参数是今后研究发展方向。     

Review of "Enhancing Computer Security with Smart Technology" [Book Review]

This book presents various methods for enhancing the enforcement of computer security. It consists of two parts and nine chapters. Among the topics covered are: basic issues with cyber trust; the need for firewalls; web application security; risk assessment; the relevance of machine learning in computer security; applying machine learning to intrusion detection; scanning and probing techniques; signature-based and anomaly IDs; artificial immune systems; and exploratory multivariate analysis for network security.     

利用决策树改进基于特征的入侵检测系统

当前,大多数入侵检测系统(IDS)采用一种特征匹配的方式来确定攻击的发生,它以存在的攻击为模型建立攻击特征,通过对输入和预定义的特征相匹配来确定攻击。许多系统通过把每一个输入事件和所有的规则持续地比较来执行匹配。这不是最理想的。文中描述了一个应用机器学习聚类技术改善匹配过程的方法。给定一个特征集,通过算法产生一颗决策树,使用该决策树能够尽量少地比较发现恶意的事件。这个思想已经被应用于一个基于网络的入侵检测系统。试验显示,检测速度得到显著的提高。     

A neuro-genetic based short-term forecasting framework for network intrusion prediction system

Information systems are one of the most rapidly changing and vulnerable systems, where security is a major issue. The number of security-breaking attempts originating inside organizations is increasing steadily. Attacks made in this way, usually done by ＂authorized＂ users of the system, cannot be immediately traced. Because the idea of filtering the traffic at the entrance door, by using firewalls and the like, is not completely successful, the use of intrusion detection systems should be considered to increase the defense capacity of an information system. An intrusion detection system （IDS） is usually working in a dynamically changing environment, which forces continuous tuning of the intrusion detection model, in order to maintain sufficient performance. The manual tuning process required by current IDS depends on the system operators in working out the tuning solution and in integrating it into the detection model. Furthermore, an extensive effort is required to tackle the newly evolving attacks and a deep study is necessary to categorize it into the respective classes. To reduce this dependence, an automatically evolving anomaly IDS using neuro-genetic algorithm is presented. The proposed system automatically tunes the detection model on the fly according to the feedback provided by the system operator when false predictions are encountered. The system has been evaluated using the Knowledge Discovery in Databases Conference （KDD 2009） intrusion detection dataset. Genetic paradigm is employed to choose the predominant features, which reveal the occurrence of intrusions. The neuro-genetic IDS （NGIDS） involves calculation of weightage value for each of the categorical attributes so that data of uniform representation can be processed by the neuro-genetic algorithm. In this system unauthorized invasion of a user are identified and newer types of attacks are sensed and classified respectively by the neuro-genetic algorithm. The experimental results obtained in this work show that the system achieves improvement in terms of misclassification cost when compared with conventional IDS. The results of the experiments show that this system can be deployed based on a real network or database environment for effective prediction of both normal attacks and new attacks.     

An application of blackboard architecture for the coordination among the security systems

The paper describes the design and implementation of a security architecture for a coordination information system constructed by blackboard architecture (BBA). The need arises for systems to coordinate with one another, to manage diverse attacks across networks and time. The coordination issue is the essential problem since it is beyond the scope of any one intrusion detection system (IDS) to deal with the intrusions. This paper shows a modeling and simulation of network security in which the multiple IDSes and a firewall coordinate by sharing attacker’s information for the effective detection of the intrusion. Another characteristic in the proposed simulation is the composition of a real intrusion by generating non-abstracted intrusion packets and, accordingly, the construction of non-abstracted version of IDS and firewall model components that are closely related to the intrusion packets.     

Intrusion detection using a linguistic hedged fuzzy-XCS classifier system

Intrusion detection systems (IDS) are a fundamental defence component in the architecture of the current telecommunication systems. Misuse detection is one of the different approaches to create IDS. It is based on the automatic generation of detection rules from labelled examples. Such examples are either attacks or normal situations. From this perspective the problem can be viewed as a supervised classification one. In this sense, this paper proposes the use of XCS as a classification technique to aid in the tasks of misuse detection in IDS systems. The final proposed XCS variant includes the use of hedged linguistic fuzzy classifiers to allow for interpretability. The use of this linguistic fuzzy approach provides with both the possibility of testing human designed detectors and a posteriori human fine tuning of the models obtained. To evaluate the performance not only several classic classification problems as Wine or Breast Cancer datasets are considered, but also a problem based on real data, the KDD-99. This latter problem, the KDD-99, is a classic in the literature of intrusion systems. It shows that with simple configurations the proposed variant obtains competitive results compared with other techniques shown in the recent literature. It also generates human interpretable knowledge, something very appreciated by security experts. In fact, this effort is integrated into a global detection architecture, where the security administrator is guiding part of the intrusion detection (and prevention) process.     

入侵检测技术研究与系统设计

入侵检测技术是一种主动保护网络资源免受黑客攻击的安全技术。入侵检测系统监控受保护系统的使用情况,发现不安全状态。它不仅帮助系统对付外来网络攻击,还可以查知内部合法用户的非法操作,扩展了系统管理员的安全管理能力。入侵检测为系统提供了实时保护,被认为是防火墙之后的第二道安全闸门。文章讲述了入侵检测技术的发展状况和关键技术,对现有系统进行了分类,并指出了该技术面临的一些挑战。最后提出了一种基于数据挖掘技术的具有自学习、自完善功能的入侵检测模型,可发现已知和未知的滥用入侵和异常入侵活动。     

基于神经网入侵检测研究与设计

近年来,网络的攻击变得越来越普遍,也越来越难于防范,传统的技术如防火墙难于满足目前网络安全的需要,一项新的网络安全技术—网络入侵检测技术被提出,它能很好的解决其他技术的不足,但是目前的入侵检测技术在入侵检测的准确性和可靠性上还存在问题。本文首先介绍了入侵检测中的特点,然后对神经网络做了详细的介绍,最后设计了一个基于神经网络的入侵检测系统。     

IDS在研究所网络化中的设计与应用

随着计算机技术的发展,计算机网络给人们带来极大便利的同时,也带来了网络入侵等安全问题的威胁。文章讲述了入侵检测技术,分析了各种入侵检测过程及IDS的作用,并应用P2DR＂动态安全模型＂对某研究所的网络信息安全系统进行了初步的设计。     

Intrusion detection in computer networks by a modular ensemble of one-class classifiers

Since the early days of research on intrusion detection, anomaly-based approaches have been proposed to detect intrusion attempts. Attacks are detected as anomalies when compared to a model of normal (legitimate) events. Anomaly-based approaches typically produce a relatively large number of false alarms compared to signature-based IDS. However, anomaly-based IDS are able to detect never-before-seen attacks. As new types of attacks are generated at an increasing pace and the process of signature generation is slow, it turns out that signature-based IDS can be easily evaded by new attacks. The ability of anomaly-based IDS to detect attacks never observed in the wild has stirred up a renewed interest in anomaly detection. In particular, recent work focused on unsupervised or unlabeled anomaly detection, due to the fact that it is very hard and expensive to obtain a labeled dataset containing only pure normal events.The unlabeled approaches proposed so far for network IDS focused on modeling the normal network traffic considered as a whole. As network traffic related to different protocols or services exhibits different characteristics, this paper proposes an unlabeled Network Anomaly IDS based on a modular Multiple Classifier System (MCS). Each module is designed to model a particular group of similar protocols or network services. The use of a modular MCS allows the designer to choose a different model and decision threshold for different (groups of) network services. This also allows the designer to tune the false alarm rate and detection rate produced by each module to optimize the overall performance of the ensemble. Experimental results on the KDD-Cup 1999 dataset show that the proposed anomaly IDS achieves high attack detection rate and low false alarm rate at the same time.     

Hybrid flexible neural‐tree‐based intrusion detection systems

An intrusion is defined as a violation of the security policy of the system, and, hence, intrusion detection mainly refers to the mechanisms that are developed to detect violations of system security policy. Current intrusion detection systems (IDS) examine all data features to detect intrusion or misuse patterns. Some of the features may be redundant or contribute little (if anything) to the detection process. The purpose of this study is to identify important input features in building an IDS that is computationally efficient and effective. This article proposes an IDS model based on a general and enhanced flexible neural tree (FNT). Based on the predefined instruction/operator sets, a flexible neural tree model can be created and evolved. This framework allows input variables selection, overlayer connections, and different activation functions for the various nodes involved. The FNT structure is developed using an evolutionary algorithm, and the parameters are optimized by a particle swarm optimization algorithm. Empirical results indicate that the proposed method is efficient. © 2007 Wiley Periodicals, Inc. Int J Int Syst 22: 337–352, 2007.