Similar Literature
1.
An intrusion detection system is a tool and means for detecting intrusive behaviour actively, in real time and automatically. This paper describes how a Snort intrusion detection system was built on the Windows platform, and confirms the effectiveness of the system through testing.

2.
Security auditing is receiving more and more attention, but most distributed security audit systems are still immature. This paper first explains the concept of distributed security auditing. It then introduces the functions and architectural design of a distributed, hierarchical security audit system based on data mining techniques, and describes in detail several important technologies adopted in its design and implementation: an XML log format, multi-pattern string matching, fuzzy clustering, and association of security rules. The system improves detection efficiency and the ability to discover unknown attacks, strengthens system security, and can effectively assess the security level of the whole system.

3.
Research on a Host-Based Security Audit System   Cited by: 3 (self-citations: 0, by others: 3)
Combining intrusion detection, access control and related techniques, and taking the P2DR security model as its basis, this paper proposes a prototype host (server) security audit system suited to UNIX hosts in classified local area networks; its feasibility has been essentially verified. The model is founded on multi-level security policies in order to comprehensively strengthen host security.

4.
Research on an SVDD-Based Network Security Audit Model   Cited by: 1 (self-citations: 0, by others: 1)
Auditing is the foundation of intrusion detection and supplies the analysis data it requires. In traditional network security audit and intrusion detection systems, attack signatures must be defined manually in order to discover anomalous activity. However, attack signature data is hard to obtain; what can usually be known in advance is only the audit information of normal users' normal use. This paper proposes and analyses a security audit model based on Support Vector Data Description (SVDD): a classifier is trained on normal data, so that any activity deviating from the normal pattern is treated as a potential intrusion. Through optimised processing of the international standard dataset MITLPR and using only a small number of training samples, the experiments achieved a 100% detection rate on anomalous samples with an average false alarm rate close to 0.

5.
The false data injection (FDI) attack detection problem in cyber-physical systems (CPSs) is investigated in this paper. A novel attack detection algorithm is proposed based on the ellipsoidal set-membership approach. In comparison to the existing FDI attack detection methods, the attack detection approach developed in this paper requires neither predefined thresholds nor specific statistical characteristics of the attacks. In order to guarantee that the estimation ellipsoid contains normal states despite the unknown but bounded (UBB) process and measurement noises, the one-step ellipsoidal set-membership estimation method is put forward. In addition, a convex optimization algorithm is introduced to calculate the gain matrix of the observer recursively. Moreover, with the help of the state estimation ellipsoid, the residual ellipsoid can be obtained for attack detection. Whether a detector can detect the FDI attack depends on the relationship between the residual value and the residual ellipsoidal set. Finally, the effectiveness of the proposed method is demonstrated by a numerical simulation example.

6.
By analysing database security audit mechanisms, this paper proposes a framework for a database security audit system based on passive (bypass) network monitoring, and implements a security audit system for the Oracle database. The implementation covers Java packet capture, TNS protocol parsing, SQL syntax parsing and database security checking, and proposes an anomaly detection algorithm that discovers the rules of normal user behaviour. Experimental results show that the system can effectively perform real-time security auditing of Oracle databases and implements security detection of database operations.

7.
Application of Neural Networks in Intrusion Detection Systems   Cited by: 20 (self-citations: 0, by others: 20)
This paper introduces the role, types and principles of intrusion detection systems, discusses the advantages of applying neural networks to intrusion detection systems, and proposes a model for a neural-network-based intrusion detection system.

8.
We introduce a novel anomaly intrusion detection method based on Linear Discriminant Analysis (LDA). This approach searches for those vectors in the underlying space that best discriminate among users' profile classes. The discrimination rules are based on linear combinations of the observed users' profiles, called discriminant factors. This new approach provides the ability to learn, and later determine, whether a new profile does or does not correspond to those of known users. Unlike many researchers, we used realistic data to learn the behaviours of four classes of students. After that we apply LDA to obtain an appropriate discrimination between the student classes. Thus one can easily determine whether a new student is legitimate or not by projecting the student's profile onto the profile subspace. Simulations show that our approach outperforms both Principal Components Analysis (PCA) and Electre Tri methods.

9.
This paper proposes SOIDS (Service-oriented Intrusion Detection System), a distributed, service-oriented intrusion detection system model that uses mobile agents. By distributing services and mobile agents across the network, SOIDS effectively solves the performance bottleneck faced by intrusion detection systems built on a centralised framework. The paper examines the architecture and messaging mechanism of SOIDS in depth and, with an example, describes in detail the process by which agents and services cooperate to trace and detect an intrusion. It also usefully explores the openness, scalability and robustness of network security systems.

10.
In this article, we consider the event-triggered cascade high-gain observer (ETCHGO) for a class of nonlinear systems. By cascading lower dimensional observers, we design a cascade high-gain observer together with a Zeno-free event-triggered mechanism to estimate the state of the plant. We show that the ETCHGO has the same steady-state performance as the continuous-time cascade high-gain observer, that is, there is a finite time after which the estimation error will not exceed the given threshold, and moreover, the finite time and the threshold can be made sufficiently small by adjusting some design parameters. We also investigate an ETCHGO with saturation, which reduces the peaking value while maintaining the steady-state estimation performance. Furthermore, we use the ETCHGO with saturation to solve the output feedback stabilization problem for a class of nonlinear systems. An example is given to illustrate our results.

11.
Intrusion detection oriented toward intrusion tolerance is one of the leading research topics in network security; it is a key technology for ensuring that a system keeps delivering its intended services in a hostile environment. Intrusion-tolerant systems operate in complex network environments where intrusions often occur concurrently on multiple endpoints; traditional intrusion detection algorithms cannot effectively analyse distributed intrusion features and offer no clues for recovering the system after an intrusion, so they are no longer applicable. Building on a study of distributed intrusion features and drawing on machine learning ideas, this paper proposes an intrusion detection method based on improved distributed Bayesian structure learning, the DBSL method. The method is particularly well suited to detecting distributed intrusions. The paper discusses and analyses in detail the key issues in implementing DBSL.

13.
UNIX Buffer Overflow Attacks: Principles, Prevention and Detection   Cited by: 6 (self-citations: 0, by others: 6)
Buffer overflow attacks against UNIX suid programs have become a common technique by which intruders break into remote systems and obtain root privileges. This paper analyses the root causes and technical principles of the buffer overflow hazards present in UNIX systems, and discusses several prevention and detection techniques.

14.
Given the distributed and converging nature of DDoS attacks, cooperative detection among multiple IDS systems distributed across a large-scale network helps assemble a complete picture of an attack, and respond appropriately, before the attack traffic reaches full scale. The MDCI system is the first to propose a ring cooperation model: an IDS cooperation group is built around important network information resources, and DDoS attacks are identified rapidly through information sharing among the group's nodes and correlated alert analysis. In MDCI, locally captured packets are analysed by combining packet header analysis with backscatter analysis, and suspicious features are reported in a unified standard alert format; alert correlation among cooperating nodes is performed using probabilistic assessment of traffic flow classification, so that the full picture of the attack is assembled. Experiments show that the system effectively improves the speed of early warning against DDoS attacks.

15.
Early and effective network intrusion detection is deemed to be a critical basis for the cybersecurity domain. In the past decade, although a significant amount of work has focused on network intrusion detection, it is still a challenge to establish an intrusion detection system with a high detection rate and a relatively low false alarm rate. In this paper, we have performed a comprehensive empirical study on network intrusion detection as a multiclass classification task, not just to detect a suspicious connection but also to assign the correct type as well. To surpass the previous studies, we have utilized four deep learning models, namely, deep neural networks, long short-term memory recurrent neural networks, gated recurrent unit recurrent neural networks, and deep belief networks. Our approach relies on the pretraining of the models by exploiting a particle swarm optimization-based algorithm for their hyperparameter selection. In order to investigate the performance differences, we also included two well-known shallow learning methods, namely, decision forest and decision jungle. Furthermore, we used in our experiments four datasets dedicated to intrusion detection systems, to explore various environments. These datasets are KDD CUP 99, NSL-KDD, CIDDS, and CICIDS2017. Moreover, 22 evaluation metrics are used to assess the model's performance on each of the datasets. Finally, intensive quantitative, Friedman test, and ranking method analyses of our results are provided at the end of this paper. The results show a significant improvement in the detection of network attacks with our recommended approach.

16.
This paper designs the structure of a multilayer ANN and its back-propagation algorithm, proposes the concepts of a moving window and event sub-views, and samples the ANN's training and test data by extracting audit event types. The designed algorithm was implemented, and the resulting software was used to run experiments on data from two operating systems, UNIX and Windows XP. The results show that a multilayer ANN can be applied to intrusion detection as a model and technique.

17.
This paper proposes Eudemon, an attack forensics and system recovery mechanism for open systems. Eudemon combines security techniques including attack detection, file protection and system recovery, and adopts a distributed structure in which a single remote logging server protects multiple host systems. The mechanism can detect and record malicious attack behaviour and analyse it for forensic evidence; when a system comes under attack, it can promptly restore the system and its important data using the saved system information and application data. The paper describes the architectural design, implementation techniques and system security measures of the Eudemon mechanism.

18.
In this paper, the security issues of cyber-physical systems under undetectable attacks are studied. Geometric control theory is used to investigate the design, implementation, and impact evaluation of undetectable attacks. First, a feedforward-feedback structure for undetectable attacks is proposed, which provides a designable form for an attack to be undetectable. The corresponding attack strategy is designed via pole placement in the weakly unobservable subspace of the attacked system. Then, the security analysis of several common undetectable attacks injected from actuators, from sensors, and from a coordination of the two is discussed. Finally, simulations on the quadruple-tank process demonstrate the effectiveness of the proposed methods.

19.
With the development of computer networks, monitoring the security of high-speed networks is becoming increasingly important. Based on practical requirements, this paper presents several important design ideas, and implements and tests a prototype high-speed network security monitoring system that captures traffic at key points of the high-speed network and performs real-time detection of, early warning about, and response to network attacks, effectively solving several of the difficulties present in current high-speed network security monitoring systems. The prototype has already been successfully deployed in practice.

20.
To achieve high data availability or reliability in an efficient manner, distributed storage systems must detect whether an observed node failure is permanent or transient, and if necessary, generate replicas to restore the desired level of replication. Given the unpredictability of network dynamics, however, distinguishing permanent and transient failures is extremely difficult. Though timeout-based detectors can be used to avoid mistaking transient failures for permanent failures, it is unknown how the timeout values should be selected to achieve a better tradeoff between detection latency and accuracy. In this paper, we address this fundamental tradeoff from several perspectives. First, we explore the impact of different timeout values on maintenance cost by examining the probability of their false positives and false negatives. Second, we propose a self-configurable failure detector called the Neutralizer, based on the idea of counteracting false positives with false negatives. The Neutralizer could enable the system to maintain a desired replication level on average with the least amount of bandwidth. We conduct extensive simulations using real trace data from a widely deployed peer-to-peer system and synthetic traces based on PlanetLab and Microsoft PCs, showing a significant reduction in aggregate bandwidth usage after applying the Neutralizer (especially in an environment with low average node availability). Overall, we demonstrate that the Neutralizer closely approximates the performance of a perfect 'oracle' detector in many cases. Copyright © 2008 John Wiley & Sons, Ltd.
