Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Chiem Trieu Phong,Wei Qi Yan

DOI: https://doi.org/10.4018/ijdcf.2014100104

2014-01-01

International Journal of Digital Crime and Forensics

Abstract:Penetration testing is an effort to attack a system using similar techniques and tools adopted by real hackers. The ultimate goal of penetration testing is to call to light as many existing vulnerabilities as possible, then come up with practical solutions to remediate the problems; thus, enhance the system security as a whole. The paper introduces concepts and definitions related to penetration testing, together with different models and methodologies to conduct a penetration test. A wide range of penetration testing state-of-the-art, as well as related tools (both commercial and free open source available on the market) are also presented in relatively rich details.

Zhongqiang Chen,Alex Delis,Peter Wei

DOI: https://doi.org/10.1093/comjnl/bxn043

2009-01-01

The Computer Journal

Abstract:Intrusion prevention systems (IPSs) not only attempt to detect attacks but also block malicious traffic and pro-actively tear down pertinent network connections. To effectively thwart attacks, IPSs have to operate both in real-time and inline fashion. This dual mode renders the design/implementation and more importantly the testing of IPSs a challenge. In this paper, we propose an IPS testing framework termed IPS Evaluator which consists of a trace-driven inline simulator-engine, mechanisms for generating and manipulating test cases, and a comprehensive series of test procedures. The engine features attacker and victim interfaces which bind to the external and internal ports of an IPS-under-testing (IUT). Our engine employs a bi-directional injection policy to ensure that replayed packets are subject to security inspection by the IUT before they are forwarded. Furthermore, the send-and-receive mechanism of our engine allows for the correlation of engine-replayed and IUT-forwarded packets as well as the verification of IUT actions on detected attacks. Using dynamic addressing and routing techniques, our framework rewrites both source and destination addresses for every replayed packet on-the-fly. In this way, replayed packets conform to the specific features of the IUT. We propose algorithms to partition attacker/victim-emanated packets so that they are subjected to security inspections by the IUT and in addition, we offer packet manipulation operations to shape replayed traces. We discuss procedures that help verify the IUT's detection and prevention accuracy, attack coverage and behavior under diverse traffic patterns. Finally, we evaluate the strengths of our framework by mainly examining the open-source IPS Snort-Inline. IPS deficiencies revealed during testing help establish the effectiveness of our approach.

WU Qing-tao,SHAO Zhi-qing

DOI: https://doi.org/10.3969/j.issn.1001-3695.2005.12.004

2005-01-01

Abstract:Intrusion detection,as one of the most active and important network security technology,can compensate the shortcomings of traditional security protection measure.Through building dynamic security cycle,it can promote the protection capacity of system and reduce the security threats as great as possible. An overview of basic issues on intrusion detection is shown in this paper,which is involved with three main aspects of intrusion detection,including Intrusion Detection System(IDS) architecture,intrusion detection methods and IDS evaluation.Firstly,three kinds of IDS architectures are analyzed.Then,current intrusion detection models are given,and their merits or shortcomings are discussed in detail.Finally,some future promi￣sing directions are presented.

Alex Zhu,Wei Qi Yan

DOI: https://doi.org/10.4018/ijdcf.2017100106

2017-01-01

International Journal of Digital Crime and Forensics

Abstract:SQLIA is adopted to attack websites with and without confidential information. Hackers utilized the compromised website as intermediate proxy to attack others for avoiding being committed of cyber-criminal and also enlarging the scale of Distributed Denial of Service Attack DDoS. The DDoS is that hackers maliciously turn down a website and make network resources unavailable to web users. It is extremely difficult to effectively detect and prevent SQLIA because hackers adopt various evading SQLIA Intrusion Detection System techniques. Victims may not be even aware of that their confidential data has been compromised for a long time. In this paper, our contribution is that we evaluate several most popular open source SQLIA tools and SQLIA prevention tools with both qualitative and quantitative assessments.

Ding Wen

2008-01-01

Abstract:The intrusion detection system(IDS) is introduced including the main content and evaluation matrix of it.Three key issues in a testing environment are analyzed including network traffic simulation,computer usage simulation and computer attack simulation.The environment configuration of testing evaluation is also discussed and the hardware environment and software platform of IDS test and evaluation environment are realized.The steps to build IDS testing platform based on LAN are given and the technique to carry out the IDS testing is developed.Some problems in the testing evaluation are discussed and the solutions are given.

Chenxi Wang,John C. Knight

2000-01-01

Abstract: This paper identifies vulnerabilities for generic IDSs, and argues that protection of theIDS itself must be dealt with before it can be relied upon to provide the security that isexpected. We also outline possible solution techniques and implementation strategies

Theuns Verwoerd,Ray Hunt

DOI: https://doi.org/10.1016/s0140-3664(02)00037-3

IF: 5.047

2002-09-01

Computer Communications

Abstract:Recent security incidents and analysis have demonstrated that manual response to such attacks is no longer feasible. Intrusion detection systems (IDS) offer techniques for modelling and recognising normal and abusive system behaviour. Such methodologies include statistical models, immune system approaches, protocol verification, file and taint checking, neural networks, whitelisting, expression matching, state transition analysis, dedicated languages, genetic algorithms and burglar alarms. This paper describes these techniques including an IDS architectural outline and an analysis of IDS probe techniques finishing with a summary of associated technologies.

computer science, information systems,telecommunications,engineering, electrical & electronic

张铭来,金成飚,赵文耘

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.01.066

2002-01-01

Abstract:Intrusion Detection is an important technology in network security domain . This paper discusses some problems of network-based intrusion detection system in three ways: the data link layer, the network layer and the transport layer , and analyzes the attack on the network-based IDS and its countermeasure.

Zeeshan Ahmad,Adnan Shahid Khan,Cheah Wai Shiang,Johari Abdullah,Farhan Ahmad

DOI: https://doi.org/10.1002/ett.4150

IF: 3.6

2020-10-16

Transactions on Emerging Telecommunications Technologies

Abstract:<p>The rapid advances in the internet and communication fields have resulted in a huge increase in the network size and the corresponding data. As a result, many novel attacks are being generated and have posed challenges for network security to accurately detect intrusions. Furthermore, the presence of the intruders with the aim to launch various attacks within the network cannot be ignored. An intrusion detection system (IDS) is one such tool that prevents the network from possible intrusions by inspecting the network traffic, to ensure its confidentiality, integrity, and availability. Despite enormous efforts by the researchers, IDS still faces challenges in improving detection accuracy while reducing false alarm rates and in detecting novel intrusions. Recently, machine learning (ML) and deep learning (DL)‐based IDS systems are being deployed as potential solutions to detect intrusions across the network in an efficient manner. This article first clarifies the concept of IDS and then provides the taxonomy based on the notable ML and DL techniques adopted in designing network‐based IDS (NIDS) systems. A comprehensive review of the recent NIDS‐based articles is provided by discussing the strengths and limitations of the proposed solutions. Then, recent trends and advancements of ML and DL‐based NIDS are provided in terms of the proposed methodology, evaluation metrics, and dataset selection. Using the shortcomings of the proposed methods, we highlighted various research challenges and provided the future scope for the research in improving ML and DL‐based NIDS.</p>

telecommunications

Wenbin Yu,Yiyin Wang,Lei Song

DOI: https://doi.org/10.3390/electronics8121545

IF: 2.9

2019-01-01

Electronics

Abstract:Standard Ethernet (IEEE 802.3 and the TCP/IP protocol suite) is gradually applied in industrial control system (ICS) with the development of information technology. It breaks the natural isolation of ICS, but contains no security mechanisms. An improved intrusion detection system (IDS), which is strongly correlated to specific industrial scenarios, is necessary for modern ICS. On one hand, this paper outlines three kinds of attack models, including infiltration attacks, creative forging attacks, and false data injection attacks. On the other hand, a two stage IDS is proposed, which contains a traffic prediction model and an anomaly detection model. The traffic prediction model, which is based on the autoregressive integrated moving average (ARIMA), can forecast the traffic of the ICS network in the short term and detect infiltration attacks precisely according to the abnormal changes in traffic patterns. Furthermore, the anomaly detection model, using a one class support vector machine (OCSVM), is able to detect malicious control instructions by analyzing the key field in Ethernet/IP packets. The confusion matrix is selected to testify to the effectiveness of the proposed method, and two other innovative IDSs are used for comparison. The experiment results show that the proposed two stage IDS in this paper has an outstanding performance in detecting infiltration attacks, forging attacks, and false data injection attacks compared with other IDSs.

陈丽丽,李卫,管晓宏,祝春华

DOI: https://doi.org/10.3969/j.issn.1000-7180.2004.06.035

2004-01-01

Abstract:NIDS (Network Intrusion Detection System) as an important security protection tool has become a hotspot for research. We introduce the basic concept of IDS and its primary components and common classification first, then we present the framework of a net-based IDS and its implementation in detail. We put forward our views about the current research of IDS and its prospect last.

Moses Garuba,Chunmei Liu,Duane Fraites

DOI: https://doi.org/10.1109/itng.2008.231

2008-04-01

Abstract:Organizations require security systems that are flexible and adaptable in order to combat increasing threats from software vulnerabilities, virus attacks and other malicious code, in addition to internal attacks. Network intrusion detection systems, which are part of the layered defense scheme, must be able to meet these organizational objectives in order to be effective. Although signature based network intrusion detection systems meet several organizational security objectives, heuristic based network intrusion detection systems are able to fully meet the objectives of the organization. Through a comparative theoretical study, this paper analyzes several organizational security objectives in order to determine the network intrusion detection system that effectively meets these objectives. Through conclusive analysis of the study, heuristic based systems are better served to meet the organizational objectives than signature based systems. The analysis was based on which system provided definitive security objectives and offered the flexibility, adaptability, and reduced vulnerability that an organization requires.

Navya Iyengar

DOI: https://doi.org/10.48550/arXiv.2007.11654

2020-07-22

Networking and Internet Architecture

Abstract:Cloud-based and network-based technology has witnessed an exponential rise in development. Adaptation of these latest technologies has opened flood gates for data breaches, an increase in sophistication of cyber threats, and, a multitude of new attack vectors. Numerous tools and solutions are currently available for detection of these threats. Network-based Intrusion Detection Systems is one of the most effective tools implemented to maintain confidentiality, integrity, and, availability of networks. While there are several open source tools in the offing, this paper evaluates two open-source NIDS Snort and Suricata, along with strategic placement of multi sensor IDS in a WAN environment, in combination with NIDS, for in time threat detection and protection of systems.

M. Ali Aydın,A. Halim Zaim,K. Gökhan Ceylan

DOI: https://doi.org/10.1016/j.compeleceng.2008.12.005

2009-05-01

Abstract:Intrusions detection systems (IDSs) are systems that try to detect attacks as they occur or after the attacks took place. IDSs collect network traffic information from some point on the network or computer system and then use this information to secure the network. Intrusion detection systems can be misuse-detection or anomaly detection based. Misuse-detection based IDSs can only detect known attacks whereas anomaly detection based IDSs can also detect new attacks by using heuristic methods. In this paper we propose a hybrid IDS by combining the two approaches in one system. The hybrid IDS is obtained by combining packet header anomaly detection (PHAD) and network traffic anomaly detection (NETAD) which are anomaly-based IDSs with the misuse-based IDS Snort which is an open-source project.The hybrid IDS obtained is evaluated using the MIT Lincoln Laboratories network traffic data (IDEVAL) as a testbed. Evaluation compares the number of attacks detected by misuse-based IDS on its own, with the hybrid IDS obtained combining anomaly-based and misuse-based IDSs and shows that the hybrid IDS is a more powerful system.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

蔡忠闽,孙国基,卫军胡,管晓宏

DOI: https://doi.org/10.3969/j.issn.1004-731x.2002.03.030

2002-01-01

Abstract:Intrusion Detection System (IDS) plays a key role in defense-in-depth computer security architecture and is an important complement to the peripheral defense elements such as firewalls and authentication mechanisms. But due to the complexity in both its design and interactions with the deploying environment, an objective testing of IDS is very difficult. In this paper, we first propose a set of performance indexes for IDS evaluation. Then we present the architecture of a simulation environment to test intrusion detection systems automatically. Next, under the framework of this architecture, we discuss three key issues in the realization of such a testing environment: network traffic simulation, computer usage simulation and computer attack simulation. At the end, we give some testing results of an IDS developed by ourselves in a basic testing environment we built.

Qianli Zhang,Xing Li

1999-01-01

Abstract:In order to present large-scale malicious attacks on an ISP network to maintain network services, we have designed a method to record key packets classified by sessions. Session is the service provided above the IP layer. We define a TCP connection a session, a UDP packet exchange a session, or echo and echo response of ICMP to be a session. The research of network attack/intrusion/information collection has shown that most of the illegal action performed would have something special ongoing in such sessions. For example, winnuke will send OOB packets to the 139 port of a host; most of the platform detection will use strange packets too. Not only the strange packets itself, but the sequence of such packets going through the network indicate the attack. For example, teardrop will transmit packets that have abnormal fragment offset in the second packet, then cause some platform to crash. Some patterns of sessions will be created by flood based attack/information collection. For example, the SYN flood will create a pile SYN-SYN ACK-RST packets in the network, and most of scan tools will create several kind of patterns in the network, all of these patterns indicate the failure of the connection, these include SYN-SYN ACK-RST and SYN-RST and SYNICMP Unreachable message. Based on this thought, we have designed the session-state transition analysis. We will define some packets as the indication of the session state. The happening of such packets causes the change of the session state. When comparing with the predefined rules, we will detect most of the DOS attacks. Another approach is to store these session states transition patterns into a database; thus we can calculate the happening rates of some specific patterns. Compared with the average level, abnormal high happening rates often indicate the possible attack or information collection. For example, we can collect a site’s all sessions' SYN-SYN ACK-RST pattern to decide whether a normal scan had happened. The implementation includes four parts. The first is the data collection part, which collects and unwraps packets passing through the network; the second part is the signature matching part, which will match the packet signature, to filter only the specified packets; the third part will cluster such pa ckets into sessions, and store the session specific signature chain and check whether a rule based match is satisfied; the fourth part will flush the session data into a database, and check whether a statistical based anomaly has happened. Using such kind of techniques has several basic advantages. The first is not to violate privacy, since we are interested in only packet header to know whether a state has changed, to inspect header only also make this implementation efficient and fit for a large scale network. The other advantage is to avoid the headache to set the threshold of a statistical approach. Most scan detection tools (For example, gabriel) will calculate the burst of connections. New scan technique has appeared to avoid burst of connections, for example, slow scan and stealthy scan. Set a proper threshold is much more difficult for a large-scale network. For rule based analysis, since we use the state transition to detect intrusion, we could predict the happening of some attacks in a premature stage. The future approach includes the content analysis based IDS, especially the remote buffer overflow detection. This part of research is underway.

Muye Li,Yibin Huang,Heng Pan

DOI: https://doi.org/10.1109/iaeac47372.2019.8997670

2019-12-01

Abstract:In recent years, safety incidents of industrial control systems (ICS) have occurred frequently. On the one hand, the gradual adaptation of standards, general communication protocols and software and hardware systems to ICS reduces the attack difficulty of ICS. On the other hand, more and more vulnerability researchers focus on ICS which is becoming the focus of network attackers. This paper analyses the vulnerability and security risks of the current ICS architecture, network environment, communication protocols and supporting software. With the help of the concept of Cyber Kill Chain, the two stages of network attack in ICS are elaborated in detail. Combining with Havex and Stuxnet virus, the mechanism of network intrusion attack in ICS is analyzed comprehensively and thoroughly, which provides effective technical support for the research of ICS network attack defense.

XB Guo,DP Qian,M Liu,R Zhang,B Xu

DOI: https://doi.org/10.1109/iccnmc.2001.962637

2001-01-01

Abstract:Network scanning is an increasing threat to network security. This paper classifies and analyzes current scanning methods, and draws a conclusion that the current detection and protection of scanning mainly aim at information concealment. A novel system of the detection and protection named IEDP is presented in this paper Its concept is discussed and its implementation is described in details. Compared with the current approaches, the concept of IEDP can be recapitulated in one word: "impartation". When detecting a scanning, IEDP gives the scanner bogus information to spoof and confuse him/her. So, for example, when scanning ports, the scanner will find that all ports are listening and can't tell which port is really open. IEDP also adopts a new mechanism called error steering to spoof the scanner IEDP randomly steers errors in communication with the scanner, let the scanner believe that the communication is unstable and give up scanning. Experiments show that IEDP system is efficient.