Similar literature
Found 20 similar documents; search took 656 ms
1.
A computer system intrusion is seen as any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.[1] The introduction of networks and the Internet caused great concern about the protection of sensitive information and has resulted in many computer security research efforts during the past few years. Although preventative techniques such as access control and authentication attempt to prevent intruders, these can fail, and as a second line of defence, intrusion detection has been introduced. Intrusion detection systems (IDS) are implemented to detect an intrusion as it occurs, and to execute countermeasures when detected. Usually, a security administrator has difficulty in selecting an IDS approach for his unique set-up. In this Report, different approaches to intrusion detection systems are compared, to supply a norm for the best-fit system. The results would assist in the selection of a single appropriate intrusion detection system or combine approaches that best fit any unique computer system.

2.
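Wang Jianfeng (王建锋). Sensor World (《传感器世界》), 2011, 17(12): 15-17, 23
The system is built around a CYGNAL microcontroller and uses an ultrasonic sensor to detect objects that enter the monitored area, triggering an automatic alarm. The user installs the system on a window or door; when someone enters the room illegally, the alarm system sounds. The paper studies methods for amplifying, rectifying and filtering the signal emitted by the ultrasonic transmitter, and implements the alarm function in the system software. Applying this technique greatly reduces system cost and gives good maintainability. Finally, methods for improving performance are proposed, ...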

3.
In this paper the author presents a modeling approach which makes use of conventional systems engineering techniques; namely, system block diagrams and networks where the transfer functions are expressed in the complex domain using Laplace transforms. Transit times, and times for the intruders and the responding guard force to overcome barriers, are both static and dynamic; the times are either deterministic or probabilistic variables obeying different and mixed probability laws. The solution methods are analytical, yielding measures of effectiveness of the security system. Modeling and solutions are presented for two cases. One case is for the simplified scenario where the reliability, sensitivity and response times of the sensors are assumed to be independent of time. The other is for the generalized case where sensor response times are time dependent and where the guard force encounters multiple barriers when attempting to intercept the intruders.

4.
When you've visited someone in a large apartment or office complex, chances are that a security guard in the lobby granted you access. Perhaps over time, the guard has learned to associate you with the person you plan to visit and immediately notifies that person over the building intercom when you arrive. Argus, named after the vigilant watchman from Greek mythology, is an automated version of such a security guard: a system for automatic visitor identification. We successfully implemented and tested Argus at Just Research. To detect visitors, Argus's digital camera photographs the building entrance at regular intervals, and a motion detection algorithm identifies potential scenes containing visitors. Using a neural-network-based face detector, Argus extracts faces from these images. A memory-based face recognition system examines these faces and attempts to find visually similar matches in its stored database of visitors. An interface agent notifies system users whenever visitors arrive. Users can also provide feedback to Argus in the event of misclassified visitors. Because the face recognizer can learn online, Argus immediately incorporates these corrections into its face recognition data set.

5.
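A monitoring system for intelligently detecting rail vehicle door parameters is designed. The system is based on a dual-ARM architecture of ARM8 and STM32. The STM32 systems mainly collect the motor data of each door, package it, and transmit it to the ARM8 system through a short-range wireless communication module. The ARM8 system has two roles: it receives the motor data collected by each STM32 system, and it monitors the position of the door lead-screw rotating block. When a door open/close trigger signal is received, it drives the vision sensor to take a picture, packages the image information together with the data sent by the STM32 systems, and sends it to the server network; the server can then be accessed from a PC to view the door motor parameters anytime and anywhere. Practical use shows that the system is suitable for multi-parameter monitoring of door systems, provides a reference for later inspection and maintenance, and reduces maintenance work.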

6.
Runtime verification permits checking system properties that cannot be fully verified off-line. This is particularly true when the system includes complex third-party components, such as general-purpose operating systems and software libraries, and when the properties of interest include security and performance. The challenge is to find reliable ways to monitor these properties in realistic systems. In particular, it is important to have assurance that violations will be reported when they actually occur. For instance, a monitor may not detect a security violation if the violation results from a series of system events that are not in its model. We describe how combining runtime monitors for diverse features such as memory management, security-related events, performance data, and higher-level temporal properties can result in more effective runtime verification. After discussing some basic notions for combining and relating monitors, we illustrate their application in an intrusion-tolerant Web server architecture under development at SRI.

7.
Intrusion detection, area coverage and border surveillance are important applications of wireless sensor networks today. They can be (and are being) used to monitor large unprotected areas so as to detect intruders as they cross a border or as they penetrate a protected area. We consider the problem of how to optimally move mobile sensors to the fence (perimeter) of a region delimited by a simple polygon in order to detect intruders from either entering its interior or exiting from it. We discuss several related issues and problems, propose two models, provide algorithms and analyze their optimal mobility behavior.

8.
Critical infrastructures are attractive targets for attacks by intruders with different hostile aims. Modern information and sensor technology provides abilities to detect such attacks. The objective of this work is to outline a system design for surveillance systems aimed at protection of critical infrastructures, with the focus on early threat detection at the perimeter of critical infrastructures. The outline of the system design is based on an assessment of stakeholder needs. The needs were identified from interviews with domain experts and system operators. The system design of the surveillance system and the user requirements in terms of capabilities were then determined. The result consists of the system design for surveillance systems, comprising the systems capabilities, the systems structure, and the systems process. The outcome of the work will have an impact on the implementation of the surveillance systems with respect to the sensors utilized, the sensor data algorithms and the fusion techniques.

9.
Computer Networks, 2007, 51(5): 1239-1255
Intrusion detection is a key technology for self-healing systems designed to prevent or manage damage caused by security threats. Protecting web server-based applications using intrusion detection is challenging, especially when autonomy is required (i.e., without signature updates or extensive administrative overhead). Web applications are difficult to protect because they are large, complex, highly customized, and often created by programmers with little security background. Anomaly-based intrusion detection has been proposed as a strategy to meet these requirements. This paper describes how DFA (Deterministic Finite Automata) induction can be used to detect malicious web requests. The method is used in combination with rules for reducing variability among requests and heuristics for filtering and grouping anomalies. With this setup a wide variety of attacks is detectable with few false-positives, even when the system is trained on data containing benign attacks (e.g., attacks that fail against properly patched servers).

10.
Human beings use doors to access rooms and corridors, to know where they are, to know where they have to go, etc. Similarly, it would be quite useful for robots to be able to detect doors in order to accomplish more complex and flexible navigation tasks. Such a goal is even more desirable when domestic environments are taken into account. Moreover, if the human-robot interaction is considered, the use of this semantic information can be broadly used. In this paper we present a solid and complete door detection system which fuses data from an end-user camera and a laser rangefinder. By using both Haar-like features and the Integral Image, the computation time is significantly reduced when compared to other methods found in the literature. Extensive tests in real-world environments have been performed in order to prove the efficiency, robustness and real-time ability of our system.

11.
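Research on kernel rootkit detection under Linux based on executable path analysis (cited by: 5 in total; self-citations: 0; citations by others: 5)
How to detect whether an intruder has installed a rootkit on a system is an important problem in computer security. This paper describes a new technique for detecting kernel-level rootkits based on executable path analysis (EPA). The technique uses the processor's single-step execution mode to measure the number of instructions executed in the system kernel, and thereby detects rootkits.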

12.

Person detection is often critical for personal safety, property protection, and national security. Most person detection technologies implement unimodal classification, making predictions based on a single sensor data modality, which is most often vision. There are many ways to defeat unimodal person detectors, and many more reasons to ensure technologies responsible for detecting the presence of a person are accurate and precise. In this paper, we design and implement a multimodal person detection system which can acquire data from multiple sensors and detect persons based on a variety of unimodal classifications and multimodal fusions. We present two methods of generating system-level predictions: (1) device perspectives which makes a final decision based on multiple device-level predictions and (2) system perspectives which combines data samples from multiple devices into a single data sample and then makes a decision. Our experimental results show that system-level predictions from system perspectives are generally more accurate than system-level predictions from device perspectives. We achieve an accuracy of 100%, zero false positive rate and zero false negative rate with fusion of system perspectives motion and distance data.


13.
Parallel Computing, 2004, 30(5-6): 629-646
Recent years have seen a growing interest in computational methods based upon natural phenomena with biologically inspired techniques, such as cellular automata, immune human systems, neural networks, DNA and molecular computing. Some of these techniques are classified under the realm of a general paradigm, called bio-computing. In this paper, we propose a security system for fraud detection of intruders and improper use of both computer system and mobile telecommunication operations. Our technique is based upon data analysis inspired by the natural immune human system. We show how immune metaphors can be used efficiently to tackle this challenging problem. We also describe how our scheme extracts salient features of the immune human system and maps them within a software package designed to identify security violations of a computer system and unusual activities according to the usage log files. Our results indicate that our system shows a significant size reduction of the logs file (i.e., registration of each log activity), and thereby the size of the report maintained by the computer system manager. This might help the system manager to monitor and observe unusual activities on the machine hosts more efficiently, as they happen, and can act accordingly before it is too late. Last but not least, we propose an intrusion and fraud detection model based upon immune human analogy for mobile phone operations. We discuss our model and present its specification using the Z Language.

14.
Hefley, W. Software, IEEE, 1995, 12(2): 93-95
Application-learning problems are a perennial design challenge. This persistent help-seeking behavior is forcing designers to wonder if any technologies for designing interactive help will satisfy the user as much as asking a real person. In addition to hypermedia applications, the paper considers several technologies explored as help systems. These technologies can easily provide a knowledgeable apprentice to help users accomplish their tasks, but they do pose challenges for interface design.

15.
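Network deception is an active network security defense technique: by tracking and monitoring the behavior of network intruders, it analyzes their attack intent and behavioral characteristics, and thereby keeps up with the latest security techniques. How to capture the intruder's data is the key problem in implementing network deception. This paper analyzes the shortcomings of the data capture methods of existing network deception systems and, on the basis of an in-depth study of Linux shared library injection, proposes a data capture method for network deception with that technique at its core, which makes the deception system harder to discover and improves the quality of the deception. Combined with other techniques, an implementation of a deception system with this method at its core is given.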

16.
We propose a framework that uses (external) environment information to enhance computer security. The benefit of our framework is that the environment information is collected by sensors that are outside the control of a host and communicate to an external monitor via an out-of-band channel (w.r.t. the host), thus it cannot be compromised by malware on a host system. The information gathered still remains intact even if malware uses rootkit techniques to hide its activities. Our framework can be applied for a number of security applications: (1) intrusion detection; (2) rate monitoring/control of external resources; and (3) access control. We show that the framework is useful even with coarse-grained and simple information. We present some experimental prototypes that employ the framework to detect/control email spam, detect/control DDoS zombie attacks and detect misuse of compute resources. Experimental evaluation shows that the framework is effective in detecting or limiting the activities of such malware. The growing popularity of multimodal sensors and physical security information management systems suggests that such environmental sensors will become common, making our framework cost effective and feasible in the near future.

17.
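Development of agent-based network intrusion detection (cited by: 5 in total; self-citations: 2; citations by others: 5)
An intrusion detection system can monitor system or network resources in real time, promptly discover intruders who break into the system or network, and also guard against misuse of resources by legitimate users. It is an important component of the P^2DR (Policy Protection Detection Response) security model. This paper first introduces the research difficulties and current problems of intrusion detection systems, and then focuses on the architecture, overall design and implementation, key technologies and distinguishing features of the agent-based network intrusion detection system that we developed. The system currently offers innovations and breakthroughs in intrusion detection system architecture, intrusion detection techniques, response and recovery strategies, distributed agent technology, and agent-based intrusion detection knowledge.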

18.
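Security management scheme and analysis and processing strategy for system logs (cited by: 7 in total; self-citations: 0; citations by others: 7)
As the record keepers of system and network user behavior, the various log files in a system play an extremely important role in discovering intrusions early, recovering systems, gathering statistics on system resource usage, and providing electronic evidence for combating computer crime. It is therefore especially important to protect system logs from being modified or deleted by internal users or external intruders. However, when drawing up network information security policies we often overlook system log security, and a reasonably sound method of system log security management has largely not yet taken shape. This paper discusses centralized, unified management of the various system log files, proposes methods for processing and analyzing log files and for protecting their integrity with encryption, and finally proposes corresponding log management strategies.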

19.
Security is a critical issue for software systems, especially for those systems which are connected to networks and the Internet, since most of them suffer from various malicious attacks. Intrusion detection is an approach to protect software against such attacks. However, security vulnerabilities that are exploited by intruders cut across multiple modules in software systems and are difficult to address and monitor. These kinds of concerns, called cross-cutting concerns, can be handled by aspect-oriented software development (AOSD) for better modularization. A number of works have utilized AOSD to address security issues of software systems, but none of them has employed AOSD for intrusion detection. In this paper, we propose a model-based aspect-oriented framework for building intrusion-aware software systems. We model attack scenarios and intrusion detection aspects using an aspect-oriented Unified Modeling Language (UML) profile. Based on the UML model, the intrusion detection aspects are implemented and woven into the target system. The resulting target system has the ability to detect the intrusions automatically. We present an experimental evaluation by applying this framework for some of the most common attacks included in the Web Application Security Consortium (WASC) web security threat classification. The experimental results demonstrate that the framework is effective in specifying and implementing intrusion detection and can be applied for a wide range of attacks.

20.
Stepping-stone intrusion is one of the most popular techniques for attacking other computers, and detecting this form of intrusion and resisting intruders’ evasion are critical security issues. In this paper, we propose a new approach to this problem by introducing packet context to help detect stepping-stone intrusion. Pearson product-moment correlation coefficient is introduced to correlate packet context. The proposed approach does not need a threshold, and it is easily implemented. The experimental results show that the proposed approach can detect stepping-stone intrusion and resist intruders’ time-jittering and chaff-perturbation manipulation to an extent.
