Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Yueming Hu

DOI: https://doi.org/10.1007/1-4020-4933-1_10

2006-01-01

Abstract:One of the challenges on Internet intrusion detection (ID) is detecting the intrusion on high-speed networks. To cope with the intrusion on gigabit Ethernet or higher network links, the ID devices must utilize high-speed hardware, parallel structure and efficient algorithms. This paper presents a parallel approach of ID scheme based on network processor, the embedded processor for network devices. In this approach, packets from the network flow through multiple network processors. Within the network processor, multiple network processing engines are used to process the network data in parallel, each network processor/processing engine detect the packet flow for a subset of intrusion signature. The ID scheme is a MISD parallel mode. Data flow from the network is a single packet flow, and the detection device is a multiprocessor structure with different programs.

Weina Niu,Zhongliu Zhuo,Xiaosong Zhang,Xiaojiang Du,Guowu Yang,Mohsen Guizani

DOI: https://doi.org/10.1109/tvt.2019.2894290

IF: 6.8

2019-01-01

IEEE Transactions on Vehicular Technology

Abstract:In recent years, malware with strong concealment uses encrypted protocol to evade detection. Thus, encrypted traffic identification can help security analysts to be more effective in narrowing down those encrypted network traffic. Existing methods are protocol independent, such as statistical-based and machine-learning- based approaches. Statistical-based approaches, however, are confined to payload length and machine-learning-based approaches have a low recognition rate for encrypted traffic using undisclosed protocols. In this paper, we proposed a heuristic statistical testing (HST) approach that combines both statistics and machine learning and has been proved to alleviate their respective deficiencies. We manually selected four randomness tests to extract small payload features for machine learning to improve real-time performances. We also proposed a simple handshake skipping method called HST-R to increase the classification accuracy. We compared our approach with other identification approaches on a testing dataset consisting of traffic that uses two known, two undisclosed, and one custom cryptographic protocols. Experimental results showed that HST-R performs better than other traditional coding-based, entropy-based, and ML-based approaches. We also showed that our handshake skipping method could generalize better for unknown cryptographic protocols. Finally, we also conducted experimental comparisons among different classification algorithms. The results showed that C4.5, with our method, has the highest identification accuracy for secure sockets layer and secure shell traffic.

Likun Liu,Jiantao Shi,Hongli Zhang,Xiangzhan Yu

DOI: https://doi.org/10.1109/bdcloud.2018.00113

2018-01-01

Abstract:Deep Packet Inspection (DPI) is the core of security devices, such as NIDS, NIPS, which is also an important target of the adversary. The vulnerability of DPI engine is that it relies heavily on pattern matching algorithms, which consume a lot of system resources. In order to make denial of service of DPI, the adversary leverages string repetitions to perform algorithmic complexity attacks. In this paper, we propose an attack identification method for automata and design three defensive strategies. Our attack identification method adopts a two-step threshold detection method, while defensive mechanisms include dropping, transferring and rescheduling the traffic. And the rescheduling traffic based on multi-core platform is a parallelization problem. To solve this problem, this paper proposes a traffic exchange strategy between threads, so that the attack traffic is allocated to dedicated threads. We demonstrate the effectiveness of our method by checking the packet loss rate of NIC and monitoring the utilization of CPU and memory. Upon different attack intensity, our experiments show a throughput boost of up to 11%-60% by comparing with the original system, and 4%-14% with the Level-1 threshold detection. In addition, the false negative rate under the diversified attack scenarios is lower than the original system and Level-1 threshold detection.

Aaron Gibson,Hamilton Scott Clouse

DOI: https://doi.org/10.48550/arXiv.1711.08075

2017-11-21

Cryptography and Security

Abstract:Growing concern for individual privacy, driven by an increased public awareness of the degree to which many of our electronic activities are tracked by interested third parties (e.g. Google knows what I am thinking before I finish entering my search query), is driving the development anonymizing technologies (e.g. Tor). The coming mass migration to IPv6 as the primary transport of Internet traffic promises to make one such technology, end-to-end host based encryption, more readily available to the average user. In a world where end-to-end encryption is ubiquitous, what can replace the existing models for network intrusion detection? How can network administrators and operators, responsible for securing networks against hostile activity, protect a network they cannot see? In an encrypted world, signature based event detection is unlikely to prove useful. In order to secure a network in such an environment, without trampling the privacy afforded to users by end-to-end encryption, our threat detection model needs to evolve from signature based detection to a heuristic model that flags deviations from normal network-wide behavior for further investigation. In this paper we present such a heuristic model and test its effectiveness for detecting intrusions in an entirely encrypted network environment. Our results demonstrate the network intrusion detection system's ability to monitor a network carrying only host-to-host encrypted traffic. This work indicates that a broad perspective change is required. Network security models need to evolve from endeavoring to define attack signatures to describing what the network looks like under normal conditions and searching for deviations from the norm.

Haiguang Lai,Shengwen Cai,Hao Huang,Junyuan Xie,Hui Li

DOI: https://doi.org/10.1007/978-3-540-24852-1_32

2004-01-01

Abstract:The process speed of network-based intrusion detection systems (NIDSs) is still low compared with the speed of networks. As a result, few NIDS is applicable in a high-speed network. A parallel NIDS for high-speed networks is presented in this paper. By dividing the overall traffic into small slices, several sensors can analyze the traffic concurrently and significantly increase the process speed. For most attacks, our partition algorithm ensures that a single slice contains all the evidence necessary to detect a specific attack, making sensor-to-sensor interaction unnecessary, Meanwhile, by making use of the character of the network traffic, the algorithm can also dynamically balance all sensors' loads. To keep the system as simple as possible, a specific sensor is used to detect the scan and the DoS attack. Although only one sensor is used for this kind of attacks, we argue that our system can still provide high process ability....

Faeiz Alserhani Department of Computer Engineering and Networks,College of Computer and Information Sciences,Jouf University,Al Jouf,Saudi Arabia

DOI: https://doi.org/10.1080/08839514.2024.2381882

IF: 2.777

2024-07-27

Applied Artificial Intelligence

Abstract:At present, encrypted data is the cornerstone of Internet communication, providing the maximum degree of privacy and security protection for all transmitted data while shielding users against potential cyber threats and attacks. However, since the Deep Packet Inspection (DPI) system is the primary layer of defense against numerous cyberattacks, applying encrypted network data poses severe issues for detection and prevention systems. In dynamic contexts such as the Internet of Things (IoT), detecting intrusion inside encrypted network traffic is vital. Yet, it is equally important to predict and prevent any cyber-attacks that may compromise the integrity and security of the network infrastructure. As a result, there is a fundamental need for methodologies based on intelligent analysis of patterns and attributes of encrypted network traffic. To satisfy security requirements in such a context, we propose an application of deep learning models for enhanced intrusion detection systems (IDS). The Tree-based Spider-Net Multipath (TBSNM) methodology is utilized, while an Advanced Encryption Standard (AES) technique is used to authenticate users. User selection is accomplished through robust Deep Reinforcement Learning with the Tabu Search (DRL-TS) algorithm, while channel selection is optimized through rigorous training employing Proximal Policy Optimization (PPO). Path selection is then determined by analyzing traffic statistics extracted from the Routing Information Protocol (RIP). Finally, an optimized IDS is established based on a Lightweight Deep Neural Network with Hunger Games Search and Remora Optimization Algorithm (LDNN-HGS-ROA). Evaluation results have shown that the proposed system architecture is effective in detecting attacks, achieving an enhanced IDS architecture with higher performance rates.

computer science, artificial intelligence,engineering, electrical & electronic

Hao Zhu,Fagen Li,Lihui Liu,Yong Zeng,Xiaoli Li,Jianfeng Ma

DOI: https://doi.org/10.1007/978-3-031-45513-1_3

2023-01-01

Abstract:The popularity of Internet traffic encryption has made encrypted traffic detection becoming a hot topic in the present academic community. Due to its fine-grained detection strategy that avoids the influence of traffic shaping, the encrypted payload detection method based on deep packet inspection (DPI) can obtain better detection results when compared to machine learning detection methods based on traffic features. Yet, existing DPI-based methods will cause non-negligible delays due to encryption in real-time scenarios. Signcryption can improve the delay in DPI-based detection scenarios. However, existing signcryption schemes fail to resolve the conflict between the correctness of detection results and message confidentiality. This paper proposes an encrypted traffic detection scheme based on signcryption that can effectively reduce latency. Furthermore, in the high concurrency scenario, the gateway is introduced to replace the client to complete the preprocessing protocol with the middle agent, avoiding the execution of preprocessing protocols between each client and the middle agent, thus reducing the latency caused by excessive calculation. In this paper, the algorithms of rule signcryption, preprocessing protocol, client processing packet, and traffic detection are designed for this scheme. The confidentiality and unforgeability of the scheme are analyzed by the random oracle model. Finally, through simulation experiments, our scheme significantly improves the delay problem in the preprocessing phase compared with the state-of-the-art methods.

Marco Grossi,Fabrizio Alfonsi,Marco Prandini,Alessandro Gabrielli

2023-11-10

Abstract:Data breaches and cyberattacks represent a severe problem in higher education institutions and universities that can result in illegal access to sensitive information and data loss. To enhance the security of data transmission, Intrusion Prevention Systems (IPS, i.e., firewalls) and Intrusion Detection Systems (IDS, i.e., packet sniffers) are used to detect potential threats in the exchanged data. IPSs and IDSs are usually designed as software programs running on a server machine. However, when the speed of exchanged data is too high, this solution can become unreliable. In this case, IPSs and IDSs designed on a real hardware platform, such as ASICs and FPGAs, represent a more reliable solution. This paper presents a packet sniffer that was designed using a commercial FPGA development board. The system can support a data throughput of 10 Gbit/s with preliminary results showing that the speed of data transmission can be reliably extended to 100 Gbit/s. The designed system is highly configurable by the user and can enhance the data protection of information transmitted using the Ethernet protocol. It is particularly suited for the security of universities and research centers, where point-to-point network connections are dominant and large amount of sensitive data are shared among different hosts.

Cryptography and Security,Systems and Control

YU Rong,SUN Zhi,CHEN Jia,MEI Shunliang,DAI Yiqi

DOI: https://doi.org/10.3321/j.issn:1000-0054.2005.10.022

2005-01-01

Abstract:Intrusion detection technology is an indispensable way to protect the network security.This paper presents a high-speed intrusion detection system(IDS framework based on network processor and detection cluster.Two hardware algorithms were developed for the traffic distributor.One is the high-speed data-receiving program with the IXP1200 network processor,while the other is the load balance policy based on the destination media access control(MAC address.Tests show that the first algorithm achieves more than(1 Gb/s data-capturing ability,while the second algorithm is a satisfactery trade-off between protecting information integrity and reducing computational complexity.

Ren Yue,Chen Miao,Li Bo,Wang Xueyuan,Li Xingzhi,Liao Zijun

DOI: https://doi.org/10.1109/cac53003.2021.9727422

2021-10-22

Abstract:With the rapid development of the Internet, network traffic is becoming more complex and diverse. At the same time, malicious traffic is growing. This seriously threatens the security of networks and information. However, the current DPI (Deep Packet Inspect) engine based on x86 architecture is slow in monitoring speed, which cannot meet the needs. Generally, two factors affect the detection rate: CPU and memory; The efficiency of data packet acquisition, and multi regular expression matching. Under these circumstances, this paper presents an efficient implementation of the DPI engine based on a generic x86 platform. DPDK is used as the platform of network data packets acquisition and processing. Using the multi-queue of the NIC (network interface controller) and the customized symmetric RSS key, the network traffic is divided and reorganized in the form of conversation. The core of traffic identification is hyperscan, which uses a flow pattern to match the packets load of a single conversation efficiently. It greatly reduces memory requirements. The method makes full use of the system resources and takes into account the advantages of high efficiency of hardware implementation. And it has a remarkable improvement in the efficiency of recognition.

Nicholas Gray,Katharina Dietz,Michael Seufert,Tobias Hossfeld

DOI: https://doi.org/10.1109/hpsr52026.2021.9481849

2021-06-07

Abstract:Today’s communication networks process an increasing amount of traffic, while simultaneously providing services to a larger and more diverse quantity of devices. This enhances the complexity of the network and imposes a larger attack space, impacting network management and security efforts. Deployed hardware middle-boxes, like firewalls and Intrusion Detection Systems (IDSs) often lack the flexibility to adapt to this dynamic environment, which Network Function Virtualization (NFV) addresses by implementing these services in software. Yet, this may impose a bottleneck, due to the absence of hardware acceleration. To mitigate this drawback, the functionality can be offloaded to programmable hardware, using P4. In this work we implement an IDS, capable of operating in core and backbone networks up to 100Gbps. This is achieved by using the hardware acceleration of P4-enabled Intel© Tofino™ switches for high performance metadata extraction, in order to train an ML-based detection engine. The system is evaluated regarding its throughput and obtainable aggregation levels as well as its accuracy for detecting a variety of network attacks.

Zhongqiang Chen,Yuan Zhang,Zhongrong Chen,Alex Delis

DOI: https://doi.org/10.1093/comjnl/bxp026

2009-01-01

The Computer Journal

Abstract:Intrusion detection/prevention systems (IDSs/IPSs) heavily rely on signature databases and pattern matching (PM) techniques to identify network attacks. The engines of such systems often employ traditional PM algorithms to search for telltale patterns in network flows. The observations that real-world network traffic is largely legitimate and that telltales manifested by exploits rarely appear in network streams lead us to the proposal of Fingerprinter. This framework integrates fingerprinting and PM methods to rapidly distinguish well-behaved from malicious traffic. Fingerprinter produces concise digests or fingerprints for attack signatures during its programming phase. In its querying phase, the framework quickly identifies attack-free connections by transforming input traffic into its fingerprint space and matching its digest against those of attack signatures. If the legitimacy of a stream cannot be determined by fingerprints alone, our framework uses the Boyer–Moore algorithm to ascertain whether attack signatures appear in the stream. To reduce false matches, we resort to multiple fingerprinting techniques including Bloom–Filter and Rabin–Fingerprint. Experimentation with a prototype and a variety of traces has helped us establish that Fingerprinter significantly accelerates the attack detection process.

Anish Singh Shekhawat,Fabio Di Troia,Mark Stamp

DOI: https://doi.org/10.48550/arXiv.2312.04596

2023-12-06

Abstract:In recent years there has been a dramatic increase in the number of malware attacks that use encrypted HTTP traffic for self-propagation or communication. Antivirus software and firewalls typically will not have access to encryption keys, and therefore direct detection of malicious encrypted data is unlikely to succeed. However, previous work has shown that traffic analysis can provide indications of malicious intent, even in cases where the underlying data remains encrypted. In this paper, we apply three machine learning techniques to the problem of distinguishing malicious encrypted HTTP traffic from benign encrypted traffic and obtain results comparable to previous work. We then consider the problem of feature analysis in some detail. Previous work has often relied on human expertise to determine the most useful and informative features in this problem domain. We demonstrate that such feature-related information can be obtained directly from machine learning models themselves. We argue that such a machine learning based approach to feature analysis is preferable, as it is more reliable, and we can, for example, uncover relatively unintuitive interactions between features.

Cryptography and Security,Machine Learning

Wenbao Jiang,Hua Song,Yiqi Dai

DOI: https://doi.org/10.1016/j.cose.2004.07.005

2005-01-01

Abstract:Network-based intrusion detection systems (NIDSs) frequently have problems with handling heavy traffic loads in real-time, which result in packet loss and false negatives. This paper presents a high-performance network intrusion detection system, called HPMonitor, which combines a high-efficiency detection engine and a load-balancing device to address these problems. The paper describes HPMonitor's system architecture, discusses a flow-based dynamic load-balancing algorithm called dynamic least load first (DLLF) algorithm, and introduces a new multi-pattern string matching algorithm called shift max algorithm (SMA). The test results reveal that the DLLF algorithm is an effective balancing algorithm for NIDS. Meanwhile, the experimental results show that the SMA algorithm is faster in searching large sets of patterns when compared with other algorithms, and its performance is affected little when the patterns set number increases.

Liangchen Chen,Shu Gao,Baoxu Liu,Zhigang Lu,Zhengwei Jiang

DOI: https://doi.org/10.1007/s11227-020-03372-1

IF: 3.3

2020-06-29

The Journal of Supercomputing

Abstract:With the rapid increase in amount of network encrypted traffic and malware samples using encryption to evade identification, detecting encrypted malicious traffic presents challenges. The quality of the encrypted traffic sampling method directly affects the result of malware detection, but most existing machine learning methods for sampling flow-based encrypted traffic data are inherently inaccurate. To solve these problems, an innovative three-stage hierarchical sampling approach based on the improved density peaks clustering algorithm (THS-IDPC) is proposed to enhance the accuracy and efficiency of encrypted malicious traffic detection model. First, we propose an improved density peaks clustering algorithm based on grid screening, custom center decision value and mutual neighbor degree (DPC-GS-MND). In DPC-GS-MND, grid screening effectively reduces the computational complexity and mutual neighbor degree improves the clustering accuracy. Then, we extract and research the three categories features of encrypted traffic data related to malicious activities, and adopt a three-layer hierarchical clustering algorithm based on DPC-GS-MND. Finally, a three-stage sampling approach based on the three-layer hierarchical clustering algorithm (THS-IDPC) is proposed to sample the encrypted traffic data for further deep detection. The experimental results demonstrated that the proposed THS-IDPC is very effective to reduce normal traffic from massive network encrypted traffic simultaneously, and the encrypted malicious traffic detection model with THS-IDPC sampling method can detect multiple encrypted malicious traffic families with higher accuracy and efficiency. Meanwhile, DPC-GS-MND and THS-IDPC have good application prospects in network intrusion detection system under the big data environment.

Dehu Li,Haixin Duan,Jian Jiang

DOI: https://doi.org/10.1109/bcgin.2013.253

2013-01-01

Abstract:Research on evasion attack of intrusion detection plays an important role in anti-evasion research and the testing of Intrusion Detection Systems. However, the widely used "fragroute" evasion tool has some significant defects such as: the evasion techniques are quite simple and the semantics of attack can probably be disrupted in evasion test. This paper proposed a signature based overlapping segmentation evasion technique and implemented it. The new technique has the following advantages: the semantics of attack won't be disrupted during evasion test, and the TCP (Transmission Control Protocol) data gram can be segmented accurately at the location of signatures, the segment reassembly policy can also be customized according to the reassembly policy of the target OS (Operating System). At the end of this paper, the popular Snort IDS were used to test the new technique. Our test with Snort shows that the new technique can evade Snort effectively. We also found that Snort's Stream5 preprocessor which aims to reassemble overlapped segments cannot work properly in most situations.

Wei Wei

2007-01-01

Abstract:Network Intrusion Detection System (NIDS) is an important and practical tool for network security. To guarantee a precise detection the NIDS must detect packets at a wire speed. However, with the recent trend of high-speed networks, the capability of a single NIDS can not meet the speed’s demand, resulting in rising of false negatives. To promote the NIDS performance and efficiency, present studies on IDSs for high-speed network monitoring have begun to choose the distributed architecture as an alterative, first suggested by Christopher Kruegel et al . In such a design, the incoming network traffic is disseminated to a pool of sensors, which process a fraction of the whole traffic, reducing the possibility of packet loss caused by overload.

Bin Liu

2011-01-01

Abstract:Since the speed of application layer content detection has been increased to 10 Gb/s,TCP/IP stacks have become the new bottle-neck in network intrusion detection systems.Previous systems have used 64 bit instructions,parallel instructions and kernel space memory mapping to speed up the bottle-necks,such as the TCP checksum computation,TCP connection table Hash value calculation and data copies from the kernel space to the user space.A method was developed using universal Hash in the TCP connection lookup table to avoid algorithmic complexity attacks and to speed up the computations using the parallel instructions in the SSE(streaming SIMD extensions) instruction set.A Bloom filter is used to filter TCP half-open connections.The TCP/IP stack was then parallelized using multi-loaded dynamic-link library(DLL) to achieve higher throughput.Evaluations show that a TCP/IP stack using these three processing cores is able to deliver 4.4 Gb/s throughput against attacking traffic with an average packet size of 110 Bytes and 15.2 Gb/s with normal traffic with an average packet size of 501 Bytes,which is 4 times the speed of the original system and 50%-70% higher than the authors' previous work.

Joseph Rose,Matthew Swann,Gueltoum Bendiab,Stavros Shiaeles,Nicholas Kolokotronis

DOI: https://doi.org/10.1109/NetSoft51509.2021.9492685

2021-09-06

Abstract:The rapid increase in the use of IoT devices brings many benefits to the digital society, ranging from improved efficiency to higher productivity. However, the limited resources and the open nature of these devices make them vulnerable to various cyber threats. A single compromised device can have an impact on the whole network and lead to major security and physical damages. This paper explores the potential of using network profiling and machine learning to secure IoT against cyber-attacks. The proposed anomaly-based intrusion detection solution dynamically and actively profiles and monitors all networked devices for the detection of IoT device tampering attempts as well as suspicious network transactions. Any deviation from the defined profile is considered to be an attack and is subject to further analysis. Raw traffic is also passed on to the machine learning classifier for examination and identification of potential attacks. Performance assessment of the proposed methodology is conducted on the Cyber-Trust testbed using normal and malicious network traffic. The experimental results show that the proposed anomaly detection system delivers promising results with an overall accuracy of 98.35% and 0.98% of false-positive alarms.

Cryptography and Security,Artificial Intelligence