Lihua Yin,Binxing Fang,Xiangzhan Yu,MingZeng Hu

2005-01-01

Abstract:Intrusion tolerance is the capability of internet systems which withstand attacks and intrusions under unsafe environment. Its precondition is redundancy and replication of information. This paper presents the architecture of an intrusion tolerant system and group communication technology has been introduced because of information replication characteristic. Group membership service is one of the most important constitutes of group communication. The paper describes group membership algorithm and termination condition of the algorithm in detail. Blocking detection and avoidance are also depicted. Group membership service has been extended from LAN to WAN environment. Finally, we have developed a group membership prototype system on WAN condition. Experiment results show that the algorithm has a well performance even though running in complicated Internet.

Yong-mei GAO,Ji-yi WU,Ling-di PING

DOI: https://doi.org/10.3969/j.issn.1673-629X.2009.08.039

2009-01-01

Abstract:Owing to many new characteristics such as central-less control and multi-hop communication,the security situation is more rigorous than that in the traditional Ad hoc network.Especially,when the number of nodes increase,the difficulty of building network,network availability and network security will be influenced badly.After the particular analysis of Sergio Marti's Watchdog and Pathrater arithmetic,intrusion detection system called SuperWatchdog,as the improved solution,was introduced to overcome the weakness of Watchdog.The main feature of the proposed system is its ability to discover malicious nodes which can partition the network by falsely reporting other nodes as misbehaving and then proceeds to protect the network.Simulation results show that our system decrease the overhead greatly,though it does not increase the throughput obviously.

Yufeng Chen,Zhengtao Xiang,Yabo Dong,Dongming Lu

DOI: https://doi.org/10.1109/ical.2008.4636301

2008-01-01

Abstract:Worms not only infect vulnerable hosts, but also occupy a large amount of network bandwidth, which affects the normal operation of the network seriously. To achieve the worm detection and automatic quarantine in real time, a cooperation system of worm detection and quarantine is designed and implemented. The worm detection subsystem is implemented based on Bro and can detect worms in real time with our algorithm, which based on the failure probability of FCC and of heavy-tailed property. The worm quarantine subsystem can quarantine worm hosts automatically with ARP-spoofing. The cooperation between detection subsystem, quarantine subsystem and manager is achieved based on SNMP protocol. The system can be deployed easily with little effect on LAN. Experimental results show that the system can detect and quarantine worm hosts effectively.

Wei-Fa Liao,Hung-Min Sun,Wei Wu

DOI: https://doi.org/10.1109/dasc-picom-datacom-cyberscitec.2016.159

2016-01-01

Abstract:In recent years, Cloud computing has become increasingly popular. Many companies have replaced traditional hosting to cloud hosting. Cloud providers are responsible for tenant isolation, if a tenant (virtual machine) is infected, other tenants will be affected. Because the virtual network environment is very complex, the traditional intrusion detection systems can only detect attacks from external networks, but can not effectively detect the internal traffic (virtual network). In order to full defend from a threat, we need to redesign the architecture of the intrusion detection system. In this thesis, we propose a flexible distributed architecture for intrusion detection, and uses software-defined networking technology for defensive purposes. In addition, our system collects alerts from different nodes, and analyzes their correlation to generate security rules to achieve the effect of a joint defense. To make the administrator more effective in management purposes, we also provide a web-based management center to reduce the burden on administrators. Finally, we analyze the performance of the proposed system with an original system. The results show that our system adds slightly overhead, and it can effectively block the malicious flow.

Guanding Yu

2005-01-01

Abstract:A distributed IP spoof detection system in Intranet is proposed, which can efficiently detect IP spoof behaviors in Intranet. Current techniques of defending IP spoof are analyzed. Aimed at characteristics of Intranet, the design of the system is introduced in detail. The determination method of IP spoof and the design of the monitor, which is a key component of the system, are presented. The implementation of data capture model is also presented. From the experimentation result, it is concluded that the system has the characteristics of high accuracy and real-time performance, but little data traffic. It can be generalized in Intranet of different scales and in other network security systems.

Yanzhang He,Xiaohong Jiang,Changbo Dai,Zikun Fan

DOI: https://doi.org/10.1007/978-3-319-67952-5_6

2017-01-01

Abstract:Nowadays, the distributed computing is prevailing in artificial intelligence applications due to the limited computation capacity of single computing node. Generally, distributed computing system contains large scale of computing node, and therefore system breakdown is regarded as usual matter. To enhance the system availability and performance, failure detection dominates important status to recover the system. The traditional failure detector simply equates the link fault with the node fault problem, which greatly affects the resource utilization, fault locating and fast repair. We present a self-adaptive Link-based Failure Detection Agreement DLFDA with an improved node fault detection algorithm, which can accurately distinguish the node fault and link fault. DLFDA can dynamically adjust the detection structure to increase the coverage of the link fault detection, while using Gossip protocol to distribute fault diagnosis results to other system members, which extensively reduces the damage of the system performance. Finally, the experimental results show that our method can meet the requirements of theoretical design.

Dalia Nashat,Xiaohong Jiang,Michitaka Kameyama

DOI: https://doi.org/10.1587/transcom.e93.b.1113

2010-01-01

IEICE Transactions on Communications

Abstract:The Distributed Denial of Service attack (DDoS) is one of the major threats to network security that exhausts network bandwidth and resources. Recently, an efficient approach Live Baiting was proposed for detecting the identities of DDoS attackers in web service using low state overhead without requiring either the models of legitimate requests nor anomalous behavior. However, Live Baiting has two limitations. First, the detection algorithm adopted in Live Baiting starts with a suspects list containing all clients, which leads to a high false positive probability especially for large web service with a huge number of clients. Second, Live Baiting adopts a fixed threshold based on the expected number of requests in each bucket during the detection interval without the consideration of daily and weekly traffic variations. In order to address the above limitations, we first distinguish the clients activities (Active and Non-Active clients during the detection interval) in the detection process and then further propose a new adaptive threshold based on the Change Point Detection method, such that we can improve the false positive probability and avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted on real Web trace to demonstrate the detection efficiency of the proposed scheme in comparison with the Live Baiting detection scheme.

Sisi Duan,Karl Levitt,Hein Meling,Sean Peisert,Haibin Zhang

DOI: https://doi.org/10.1109/srds.2014.28

2014-01-01

Abstract:Building robust network services that can withstand a wide range of failure types is a fundamental problem in distributed systems. The most general approach, called Byzantine fault tolerance, can mask arbitrary failures. Yet it is often considered too costly to deploy in practice, and many solutions are not resilient to performance attacks. To address this concern we leverage two key technologies already widely deployed in cloud computing infrastructures: replicated state machines and intrusion detection systems. First, we have designed a general framework for constructing Byzantine failure detectors based on an intrusion detection system. Based on such a failure detector, we have designed and built a practical Byzantine fault-tolerant protocol, which has costs comparable to crash-resilient protocols like Paxos. More importantly, our protocol is particularly robust against several key attacks such as flooding attacks, timing attacks, and fairness attacks, that are typically not handled well by Byzantine fault masking procedures.

Jaydip Sen

DOI: https://doi.org/10.48550/arXiv.1111.0382

2011-11-02

Cryptography and Security

Abstract:The current intrusion detection systems have a number of problems that limit their configurability, scalability and efficiency. There have been some propositions about distributed architectures based on multiple independent agents working collectively for intrusion detection. However, these distributed intrusion detection systems are not fully distributed as most of them centrally analyze data collected from distributed nodes which may lead to a single point of failure. In this paper, a distributed intrusion detection architecture is presented that is based on autonomous and cooperating agents without any centralized analysis components. The agents cooperate by using a hierarchical communication of interests and data, and the analysis of intrusion data is made by the agents at the lowest level of the hierarchy. This architecture provides significant advantages in scalability, flexibility, extensibility, fault tolerance, and resistance to compromise. A proof-of-concept prototype is developed and experiments have been conducted on it. The results show the effectiveness of the system in detecting intrusive activities.

SHI Li-li,XUE Zhi,WANG Yi-jun

DOI: https://doi.org/10.3969/j.issn.1009-8054.2008.02.022

2008-01-01

Abstract:This paper presents the Distributed Firewall and Invading Detection Technique, analyzes their deficiencies, discusses and researches the combination technique, explains the design principle and implementation of the combination system based on the Distributed Firewall and Invading Detection Technique. Through the union system, the firewall may using the IDS discover promptly the attack behavior outside its strategy, the IDS also may block the attack behavior from exterior network through the firewall, thus can form one kind of safe protection system with effective interaction, en-hanced the network whole safety performance enormously.

Lu Yiwen,Zhang Guixu

DOI: https://doi.org/10.3969/j.issn.1000-386X.2009.01.016

2009-01-01

Abstract:Different from the traditional firewall and intrusion detection techniques,intrusion tolerance focuses on the survivability of system on condition that intrusion is somehow inevitable,thus preferably meeting the design requirements of the survivable system.A scheme based on intrusion tolerance for system design is proposed,which guarantees the continuity of key services by fault-tolerant techniques,and meanwhile,obtains the tradeoff between confidentiality and availability of key data by proactive secret sharing,so that the system can process high survivability under attacks and faults.

Chao-shu ZUO,Xin-Song LIU,Yuan-Jie QIU,Yao HAO,Xiang-wen ZHU

DOI: https://doi.org/10.3321/j.issn:1001-506X.2005.05.039

2005-01-01

Abstract:Efficiency and availability in the distributed parallel server are being emphasized increasingly. In view of this, a dynamic reconfiguration fault-tolerance model is presented in view of system architecture, and the data distribution and operations in the model are described. On the basis of the model, a dynamic reconfiguration fault-tolerance algorithm is put forward and depicted in detail. The algorithm copes with the node and network faults by data distribution and operations of dynamic reconfiguration, meanwhile the tasks being executed will not be interrupted. Finally, the algorithm's average response time is comparatively analyzed and tested, which shows that the algorithm's performance is better than that of other similar algorithms. The algorithm has been successfully applied to the system platform of e-government affair - distributed parallel database system (DPSQL). The application proves the algorithm can greatly enhance the efficiency and availability of the system.

Yixin Jiang,Chuang Lin,Minghui Shi,Xuemin (Sherman) Shen,Xiaowen Chu

DOI: https://doi.org/10.1016/j.comcom.2007.04.012

IF: 5.047

2007-01-01

Computer Communications

Abstract:In this paper, a novel authentication protocol is proposed, which satisfies both security and reliability requirements for group communications in ad hoc networks. The security features include identity anonymity and location intracability, periodic one-way session key and pseudonym identity refreshment with implicit authentication, dynamic joining and leaving an in-progress communication session, and data encryption. The reliability features include efficient Denial of Service tolerance for broadcasting refreshment messages, fault-tolerance for recovering lost refreshment messages, robustness for resisting the clock skews among member nodes and seamless key switch without disrupting ongoing data transmissions. The performance and security analysis show that the communication and computation overhead of the proposed protocol is similar to the existing one, while the security can be enhanced significantly. The simulation results demonstrate the robustness of the proposed protocol under severe Denial of Service attack and poor wireless channel quality.

Fang Zhou,Hua Sun,Xuefeng Zheng

DOI: https://doi.org/10.1109/NSWCTC.2010.250

2010-01-01

Abstract:To improve the ability of system providing service when encounter malicious invasion, a new model of tolerance invasion system is given based on dynamic threshold encryption. The real-time detection of the model is realized by the Collaboration between servers and hosts. The sensitive data in the system apply dynamic threshold encryption, and can change their share with the distribution. The model has such as distribution, self-adaptability, fault tolerance, dynamic and expansibility features to ensure that the system has a higher level of safety.

贺龙涛,方滨兴,云晓春

DOI: https://doi.org/10.3321/j.issn:1000-436x.2004.07.011

2004-01-01

Abstract:Based on the analysis of current distributed intrusion detection system topology, we design a self-organized hierarchical massive network intrusion detection system. We present the idea of self-organization between nodes, and separate detecting function from organizing function with organizer server in the distributed intrusion detection system. It reduces the implement complexity, and avoids the single point of failure. When some nodes of the system are out of work, the others still work well. We realize a complete protocol assembly platform. It does well in practice.

P Yi,YC Jiang,YP Zhong,SY Zhang

DOI: https://doi.org/10.1109/saintw.2005.1619986

2005-01-01

Abstract:Mobile ad hoc networking (MANET) has become an exciting and important technology in recent years, because of the rapid proliferation of wireless devices. Mobile ad hoc networks is highly vulnerable to attacks due to the open medium, dynamically changing network topology, cooperative algorithms, lack of centralized monitoring and management point. The traditional way of protecting networks with firewalls and encryption software is no longer sufficient and effective for those features. In this paper, we propose a distributed intrusion detection approach based on finish state machine (FSM). A cluster-based detection scheme is presented, where periodically a node is elected as the monitor node for a cluster. These monitor nodes can not only make local intrusion detection decisions, but also cooperatively take part in global intrusion detection. And then we construct the finite state machine (FSM) by the way of manually abstracting the correct behaviours of the node according to the routing protocol of Dynamic Source Routing (DSR). The monitor nodes can verify every node's behaviour by the FSM, and validly detect real-time attacks without signatures of intrusion or trained data. Compared with the architecture where each node is its own IDS agent, our approach is much more efficient while maintaining the same level of effectiveness.

WANG Fang,YI Ping,WU Yue,WANG Zhi-yang

DOI: https://doi.org/10.3969/j.issn.1002-137x.2010.10.027

2010-01-01

Computer Science

Abstract:Mobile ad hoc networks are highly vulnerable to attacks due to the open medium,dynamically changing network topology,cooperative algorithms,lack of centralized monitoring and management point.The traditional way of protecting networks with firewalls and encryption software is no longer sufficient and effective for those features.We proposed a distributed intrusion detection approach based on finish state machine(FSM).A cluster-based detection scheme was presented,where periodically a node is elected as the monitor node for a cluster.These monitor nodes can not only make local intrusion detection decisions,but also cooperatively take part in global intrusion detection.And then we constructed the finite state machine(FSM)by the way of manually abstracting the correct behaviours of the node according to the routing protocol of Dynamic Source Routing(DSR).The monitor nodes can verify every node's behaviour by the FSM,and validly detect real-time attacks without signatures of intrusion or trained data.Compared with the architecture where each node is its own IDS agent,our approach is much more efficient while maintaining the same level of effectiveness.Finally,we evaluated the intrusion detection method through simulation experiments.

Yu Xiangzhan

2004-01-01

Abstract:In this paper we discuss the problems that the failure detecting of the large-scale distributed system faces, analyze the advantages and disadvantages of the methods proposed before, and propose a new failure detecting implementation combining hierarchical protocol and gossip-style protocol. This implementation adopts hierarchical design and divides the nodes on the large-scale distributed network into several groups. Push model is adopted for the detecting of the nodes of the same group, while the transmission of heartbeat message between different groups uses a protocol similar to gossip-style protocol. It not only shortens detecting time, but also decreases network load. And the leader node can conveniently realize the participation and withdrawal of nodes of the system, which increases the extensibility greatly. Through the experiment and analysis it shows that our implementation possesses the timeliness, accuracy, adaptability and extensibility.

Ruey-Maw Chen,Kuo-Ta Hsieh

DOI: https://doi.org/10.1002/dac.1289

2011-06-01

International Journal of Communication Systems

Abstract:Dependence on the Internet is increasing dramatically. Therefore, many researchers have given great attention to the issue of how to tighten Internet security. This study proposes a new scheme for the distributed intrusion prevention system (DIPS), in which the concept of ‘union’ is presented for satisfying the increasing requirements of Internet security issues. In this proposed design, the network intrusion detection system (NIDS) applies a misuse detection technique to detect well‐known intrusion behavior on the Internet. Meanwhile, for anomaly detection technique, a tool named ‘Scent’ (a network traffic sniffer) is combined with conditional legitimate probability to reveal previously undiscovered intrusion packets that do not match the intrusion signatures in NIDS. Moreover, blocking distributed denial‐of‐service (DDoS) attacks inside the protected allied network is also covered. To increase the detection accuracy, reduction of false positives and false negatives is also accomplished. Experimental results reveal that the suggested network security system scheme is effective and efficient in resolving the intrusion activity problem of real network environments. Copyright © 2011 John Wiley & Sons, Ltd. In this work, a new system scheme of the allied distributed intrusion prevention system was implemented to meet the increasing Internet security issues. A network intrusion detection system (NIDS) applies misuse detection technique to detect well‐known intrusion behaviors on the Internet. Meanwhile, for anomaly detection technique, a designed tool named ‘Scent’ (a network traffic sniffer) is combined with conditional legitimate probability to find out new intrusion packets that do not match the intrusion signatures in NIDS. Moreover, blocking distributed denial‐of‐service attacks inside the protected allied network is also designed. To increase the detection accuracy, reducing false positive and false negative are also accomplished.

telecommunications,engineering, electrical & electronic

RuoZi Sun,Yue Wang,Jian Yuan,XiuMing Shan,Yong Ren

DOI: https://doi.org/10.1007/s11432-012-4652-1

2012-01-01

Science China Information Sciences

Abstract:In a wireless network, node failure due to either natural disasters or human intervention can cause network partitioning and other communication problems. For this reason, a wireless network should be fault tolerant. At present, most researchers use k-connectivity to measure fault tolerance, which requires the network to be connected after the failure of any up to k-1 nodes. However, wireless network node failures are usually spatially related, and particularly in military applications, nodes from the same limited area can fail together. As a metric of fault-tolerance, k-connectivity fails to capture the spatial relativity of faults and hardly satisfies the fault tolerance requirements of a wireless network design. In this paper, a new metric of fault-tolerance, termed D-region fault tolerance, is introduced to measure wireless network fault tolerance. A D-region fault tolerant network means that even after all the nodes have failed in a circular region with diameter D, it still remains connected. Based on D-region fault tolerance, we propose two fault-tolerant topology control algorithms--the global region fault tolerance algorithm （GRFT） and the localized region fault tolerance algorithm （LRFT）. It is theoretically proven that both algorithms are able to generate a network with D-region fault tolerance. Simulation results indicate that with the same fault tolerance capabilities, networks based on both GRFT and LRFT algorithms have a lower transmission radius and lower logical degree.