Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

胡敏,潘雪增,平玲娣

DOI: https://doi.org/10.3969/j.issn.1001-3695.2004.01.033

2004-01-01

Abstract:This paper focuses on issures related to deploying a data mining-based IDS (Intrusion Detection System) in a real time environment To overcome the limitations of traditional IDS, the corresponding solutions to accurracy, efficiency and usability is presented.These solutions impove efficiency of traditional DOS and maintain a desired accuracy level. This paper also proposed an architecture consisting of sensors, detectors, a data warehouse and model generation components. This architecture facilitates the sharing and storage of audit data and the distribution of new or updated models. Also, it improves the efficiency and scalability of the traditional IDS.

CHEN Rong,GAO Ji,GUO Hang

DOI: https://doi.org/10.3785/j.issn.1008-973X.2006.03.005

2006-01-01

Abstract:To solve the problem of lacking dynamic organizing agility in distributed intrusion detection systems,an on-demand intrusion detection model adaptive to the shared data environment was presented.Considering the dynamic sharing and multi-domain integration properties of grid computing,the intrusion detection system consisted of four parts including security estimate system,work flow programming service,data grid environment and detection resource service in the model based on global detection services.By combining the system and node level reconstructions,detection services were ensured from nodes when global detection services of intrusion detection system failed.Results show that compared with the intrusion detection system Snort,the analysis engine program Higen can consume less detection time and user time in local area network(LAN) and wide area network(WAN) experimental environment,and improve the agility of cooperative detection in grid computing.

Pei-You Zhu,Ji Gao,Bo-Ou Jiang,Hui Song

DOI: https://doi.org/10.1109/ICMLC.2006.258807

2006-01-01

Abstract:Grid is a new technology which implements flexible, secure, coordinated resource sharing among dynamic collections of individuals, institutions, and resources. Unlike in conventional network systems, the services and resources in Grid are heterogeneous and dynamic, they also belong to different domains. So the intrusion detection system (IDS) for Grid should be a system which could rapidly and dynamically integrate the related node detection resources of a Grid Computing application according to the dynamic detection demand and ensure the security of Grid Computing. Conventional network IDS lack the necessary flexibility needed by Grid environment and could not dynamically adjust their structure to the dynamic Grid Computing applications. This paper provides a new flexible multi-agent approach to intrusion detection for Grid (MAIDG). MAIDG not only takes advantage of the flexibility and autonomy of agent technology, but also makes good use of the Globus Toolkit4.0 (GT4)'s data management components which provide the virtual interfaces for all the (heterogeneous or homogeneous) detection resources and realize the publication, location, and high performance transfer of detection data. In a word, this paper provides a new ideal and way to realize the intrusion detection system for Grid.

Kecheng Li,Genyuan Yang,Shanling Dong,Meiqin Liu

DOI: https://doi.org/10.23919/ccc63176.2024.10661728

2024-01-01

Abstract:The increasing integration of smart grid technologies in multiregional power systems improves efficiency but also exposes them to cyber security threats, especially false data injection attacks. In this paper, we address this challenge by proposing a distributed detection framework tailored for multi-regional power systems. Traditional centralized approaches are insufficient to cope with the dynamic and decentralized nature of these systems. The framework aims to simultaneously monitor and analyze multiple regions in real-time, enhancing the system’s ability to withstand false data injection attacks. This study outlines the proposed framework and provides simulation results for validation, emphasizing the need for proactive defense mechanisms in safeguarding the data integrity of power systems.

Dalia Nashat,Xiaohong Jiang,Michitaka Kameyama

DOI: https://doi.org/10.1587/transcom.e93.b.1113

2010-01-01

IEICE Transactions on Communications

Abstract:The Distributed Denial of Service attack (DDoS) is one of the major threats to network security that exhausts network bandwidth and resources. Recently, an efficient approach Live Baiting was proposed for detecting the identities of DDoS attackers in web service using low state overhead without requiring either the models of legitimate requests nor anomalous behavior. However, Live Baiting has two limitations. First, the detection algorithm adopted in Live Baiting starts with a suspects list containing all clients, which leads to a high false positive probability especially for large web service with a huge number of clients. Second, Live Baiting adopts a fixed threshold based on the expected number of requests in each bucket during the detection interval without the consideration of daily and weekly traffic variations. In order to address the above limitations, we first distinguish the clients activities (Active and Non-Active clients during the detection interval) in the detection process and then further propose a new adaptive threshold based on the Change Point Detection method, such that we can improve the false positive probability and avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted on real Web trace to demonstrate the detection efficiency of the proposed scheme in comparison with the Live Baiting detection scheme.

Shibo He,Jiming Chen,Xu Li,Xuemin (Sherman) Shen,Youxian Sun

DOI: https://doi.org/10.1109/tmc.2013.129

IF: 6.075

2014-01-01

IEEE Transactions on Mobile Computing

Abstract:The barrier coverage problem in emerging mobile sensor networks has been an interesting research issue due to many related real-life applications. Existing solutions are mainly concerned with deciding one-time movement for individual sensors to construct as many barriers as possible, which may not be suitable when there are no sufficient sensors to form a single barrier. In this paper, we aim to achieve barrier coverage in the sensor scarcity scenario by dynamic sensor patrolling. Specifically, we design a periodic monitoring scheduling (PMS) algorithm in which each point along the barrier line is monitored periodically by mobile sensors. Based on the insight from PMS, we then propose a coordinated sensor patrolling (CSP) algorithm to further improve the barrier coverage, where each sensor's current movement strategy is derived from the information of intruder arrivals in the past. By jointly exploiting sensor mobility and intruder arrival information, CSP is able to significantly enhance barrier coverage. We prove that the total distance that sensors move during each time slot in CSP is the minimum. Considering the decentralized nature of mobile sensor networks, we further introduce two distributed versions of CSP: S-DCSP and G-DCSP. We study the scenario where sensors are moving on two barriers and propose two heuristic algorithms to guide the movement of sensors. Finally, we generalize our results to work for different intruder arrival models. Through extensive simulations, we demonstrate that the proposed algorithms have desired barrier coverage performances.

Yichi Zhang,Lingfeng Wang,Weiqing Sun,Robert C. Green,Mansoor Alam

DOI: https://doi.org/10.1109/PES.2011.6039697

2011-01-01

Abstract:The advent of the smart grid promises to usher in an era that will bring intelligence, efficiency, and optimality to the power grid. Most of these changes will occur as an Internet-like communications network is superimposed on top of the current power grid using wireless technologies including 802.15.4, 802.11, and the Zigbee protocol. Each of these will expose the power grid to cyber security threats. In order to address this issue, this work proposes a Distributed Intrusion Detection System for Smart Grids (SGDIDS) by developing and deploying an intelligent module, the Analyzing Module (AM) in the multiple layers of smart grids. Multiple AMs will be embedded at each level of the smart grid - the home area network (HAN), neighborhood area network (NAN), and the Wide Area Network (WAN) - where they will use Artificial Immune System (AIS) to detect and classify malicious data and possible cyber attacks. AMs at each level will be trained using data that is relevant to their level and will also be able to communicate in order to improve detection. Simulation results demonstrate that this is a promising methodology for identifying malicious network traffic and improving system security.

Schuartz, Fábio César

DOI: https://doi.org/10.1007/s12243-024-01046-0

2024-06-09

Annals of Telecommunications

Abstract:With the growth of computer networks worldwide, there has been a greater need to protect local networks from malicious data that travel over the network. The increase in volume, speed, and variety of data requires a more robust, accurate intrusion detection system capable of analyzing a huge amount of data. This work proposes the creation of an intrusion detection system using stream classifiers and three classification layers—with and without a reduction in the number of features of the records and three classifiers in parallel with a voting system. The results obtained by the proposed system are compared against other models proposed in the literature, using two datasets to validate the proposed system. In all cases, gains in accuracy of up to 18.52% and 3.55% were obtained, using the datasets NSL-KDD and CICIDS2017, respectively. Reductions in classification time up to 35.51% and 94.90% were also obtained using the NSL-KDD and CICIDS2017 datasets, respectively.

telecommunications

Boxiang Dong,Zhengzhang Chen,Hui Wang,Lu-An Tang,Kai Zhang,Ying Lin,Haifeng Chen,Guofei Jiang

DOI: https://doi.org/10.48550/arXiv.1608.02639

2016-08-08

Cryptography and Security

Abstract:Intrusion detection system (IDS) is an important part of enterprise security system architecture. In particular, anomaly-based IDS has been widely applied to detect abnormal process behaviors that deviate from the majority. However, such abnormal behavior usually consists of a series of low-level heterogeneous events. The gap between the low-level events and the high-level abnormal behaviors makes it hard to infer which single events are related to the real abnormal activities, especially considering that there are massive "noisy" low-level events happening in between. Hence, the existing work that focus on detecting single entities/events can hardly achieve high detection accuracy. Different from previous work, we design and implement GID, an efficient graph-based intrusion detection technique that can identify abnormal event sequences from a massive heterogeneous process traces with high accuracy. GID first builds a compact graph structure to capture the interactions between different system entities. The suspiciousness or anomaly score of process paths is then measured by leveraging random walk technique to the constructed acyclic directed graph. To eliminate the score bias from the path length, the Box-Cox power transformation based approach is introduced to normalize the anomaly scores so that the scores of paths of different lengths have the same distribution. The efficiency of suspicious path discovery is further improved by the proposed optimization scheme. We fully implement our GID algorithm and deploy it into a real enterprise security system, and it greatly helps detect the advanced threats, and optimize the incident response. Executing GID on system monitoring datasets showing that GID is efficient (about 2 million records per minute) and accurate (higher than 80% in terms of detection rate).

Yichi Zhang,Lingfeng Wang,Weiqing Sun,Robert C. Green,Mansoor Alam

DOI: https://doi.org/10.1109/tsg.2011.2159818

IF: 10.275

2011-01-01

IEEE Transactions on Smart Grid

Abstract:The advent of the smart grid promises to usher in an era that will bring intelligence, efficiency, and optimality to the power grid. Most of these changes will occur as an Internet-like communications network is superimposed on top of the current power grid using wireless mesh network technologies with the 802.15.4, 802.11, and WiMAX standards. Each of these will expose the power grid to cybersecurity threats. In order to address this issue, this work proposes a distributed intrusion detection system for smart grids (SGDIDS) by developing and deploying an intelligent module, the analyzing module (AM), in multiple layers of the smart grid. Multiple AMs will be embedded at each level of the smart grid-the home area networks (HANs), neighborhood area networks (NANs), and wide area networks (WANs)-where they will use the support vector machine (SVM) and artificial immune system (AIS) to detect and classify malicious data and possible cyberattacks. AMs at each level are trained using data that is relevant to their level and will also be able to communicate in order to improve detection. Simulation results demonstrate that this is a promising methodology for supporting the optimal communication routing and improving system security through the identification of malicious network traffic.

Lili Gao,Xiaopeng Deng,Weimin Yang

DOI: https://doi.org/10.1007/s00521-021-05733-0

2021-01-27

Neural Computing and Applications

Abstract:The most important problems that occur during the extraction of knowledge from data streams are related to the properties characterizing "BigData," namely high speed of information flow (velocity), variety of used forms, variability of data and diversity of information accuracy diagnosis methods (veracity). The use of online or sequential learning methods offers a specialized solution for solving real-time data processing problems. Data are provided without a clear knowledge of their particular inherent characteristics. Conventional approaches focus on applying heuristic or logical analysis rules. They fail to effectively handle new patterns (produced as a function of time) and to consider the dynamic change rate of their characteristics. In most cases, these methods approximate, by creating general rather than clear imprints of knowledge, which is hidden in the flows. Moreover, their function requires significant computational resources. This paper introduces (to the best of our knowledge, for the first time in the literature) the implementation of a specialized online reservoir computing architecture for smart city infrastructure protection which has low requirements in computing resources; it is efficient and suitable for real-time data flow analysis. More specifically, it describes the development of an echo state network, comprised of analog neurons with sparse random connections at the input levels and at the dynamical reservoir. Its training at the output level is performed with the recursive least square method. A complex data set was selected for the testing of the proposed model, which fully simulates the digital attacks that can be faced by the mechatronic equipment used in smart water supply networks located in the front end of the smart cities.

computer science, artificial intelligence

Siddharth Bhatia,Bryan Hooi,Minji Yoon,Kijung Shin,Christos Faloutsos

DOI: https://doi.org/10.1609/aaai.v34i04.5724

2020-04-03

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Given a stream of graph edges from a dynamic graph, how can we assign anomaly scores to edges in an online manner, for the purpose of detecting unusual behavior, using constant time and memory? Existing approaches aim to detect individually surprising edges. In this work, we propose Midas, which focuses on detecting microcluster anomalies, or suddenly arriving groups of suspiciously similar edges, such as lockstep behavior, including denial of service attacks in network traffic data. Midas has the following properties: (a) it detects microcluster anomalies while providing theoretical guarantees about its false positive probability; (b) it is online, thus processing each edge in constant time and constant memory, and also processes the data 108–505 times faster than state-of-the-art approaches; (c) it provides 46%-52% higher accuracy (in terms of AUC) than state-of-the-art approaches.

Khloud Al Jallad,Mohamad Aljnidi,Mohammad Said Desouki

DOI: https://doi.org/10.48550/arXiv.2209.13961

2022-09-28

Cryptography and Security

Abstract:With the growing use of information technology in all life domains, hacking has become more negatively effective than ever before. Also with developing technologies, attacks numbers are growing exponentially every few months and become more sophisticated so that traditional IDS becomes inefficient detecting them. This paper proposes a solution to detect not only new threats with higher detection rate and lower false positive than already used IDS, but also it could detect collective and contextual security attacks. We achieve those results by using Networking Chatbot, a deep recurrent neural network: Long Short Term Memory (LSTM) on top of Apache Spark Framework that has an input of flow traffic and traffic aggregation and the output is a language of two words, normal or abnormal. We propose merging the concepts of language processing, contextual analysis, distributed deep learning, big data, anomaly detection of flow analysis. We propose a model that describes the network abstract normal behavior from a sequence of millions of packets within their context and analyzes them in near real-time to detect point, collective and contextual anomalies. Experiments are done on MAWI dataset, and it shows better detection rate not only than signature IDS, but also better than traditional anomaly IDS. The experiment shows lower false positive, higher detection rate and better point anomalies detection. As for prove of contextual and collective anomalies detection, we discuss our claim and the reason behind our hypothesis. But the experiment is done on random small subsets of the dataset because of hardware limitations, so we share experiment and our future vision thoughts as we wish that full prove will be done in future by other interested researchers who have better hardware infrastructure than ours.

Yuanzhuo Wang,Chuang Lin,Yang Yang,Junjie Lv,Yang Qu

DOI: https://doi.org/10.1109/GCC.2006.4

2006-01-01

Abstract:Grid services allow the services to be seen as a seamless information processing system that the user can access from any location, the Grid resources are often distributed, autonomic, heterogeneous and dynamic, and they are accessible through the Internet, when users and cooperant servers communicate with a server. Distributed Denial-of-service can make the service requests become hard to implement. An intrusion tolerant mechanism against the attack is formalized for Grid services based on the mechanism design analysis of game theory in this paper. The problems that the attackers could use the authentic IP addresses of the zombies to hide the source of attacks and to increase the computational ability and the likelihood to filter out legitimate traffic are effectively settled under the mechanism. The condition for the legitimate clients being served successfully is further deduced to give an instruction for clients.

Jun Gao,Weiming Hu,Xiaoqin Zhang,Xi Li

DOI: https://doi.org/10.1109/wi-iat.2009.113

2009-01-01

Web Intelligence

Abstract:Due to the increasing demands for network security, distributed intrusion detection has become a hot research topic in computer science. However, the design and maintenance of the intrusion detection system (IDS) is still a challenging task due to its dynamic, scalability, and privacy properties. In this paper, we propose a distributed IDS framework which consists of the individual and global models. Specifically, the individual model for the local unit derives from Gaussian Mixture Model based on online Adaboost algorithm, while the global model is constructed through the PSO-SVM fusion algorithm. Experimental results demonstrate that our approach can achieve a good detection performance while being trained online and consuming little traffic to communicate between local units.

Wei-Fa Liao,Hung-Min Sun,Wei Wu

DOI: https://doi.org/10.1109/dasc-picom-datacom-cyberscitec.2016.159

2016-01-01

Abstract:In recent years, Cloud computing has become increasingly popular. Many companies have replaced traditional hosting to cloud hosting. Cloud providers are responsible for tenant isolation, if a tenant (virtual machine) is infected, other tenants will be affected. Because the virtual network environment is very complex, the traditional intrusion detection systems can only detect attacks from external networks, but can not effectively detect the internal traffic (virtual network). In order to full defend from a threat, we need to redesign the architecture of the intrusion detection system. In this thesis, we propose a flexible distributed architecture for intrusion detection, and uses software-defined networking technology for defensive purposes. In addition, our system collects alerts from different nodes, and analyzes their correlation to generate security rules to achieve the effect of a joint defense. To make the administrator more effective in management purposes, we also provide a web-based management center to reduce the burden on administrators. Finally, we analyze the performance of the proposed system with an original system. The results show that our system adds slightly overhead, and it can effectively block the malicious flow.

Jiayu Shi,Shichao Liu,Bo Chen,Li Yu

DOI: https://doi.org/10.1109/tcsii.2020.3020139

2021-01-01

Abstract:The stealthy false data injection (FDI) attacks in smart grids can bypass the bad data detection, and thus make an incorrect state estimate in the control center. In this brief, a distributed data-driven intrusion detection approach is proposed to reveal the existence of the sparse stealthy FDI attack in a multi-area interconnected power system. The proposed distributed intrusion detection approach avoids the over-fitting issue that is extensively seen when implementing machine learning algorithms for large-scale systems. Firstly, each area estimates the entire system state based on a distributed state estimation algorithm. Then, the state of each local area is used as trained neural network input to detect the stealthy FDI attacks. Simulation results on the IEEE 118-bus system verify that the proposed method not only reduces the risk of over-fitting, but also can locate the areas which have been attacked.

Prabhat Kumar,Govind P. Gupta,Rakesh Tripathi

DOI: https://doi.org/10.1007/s12652-020-02696-3

IF: 3.662

2020-11-27

Journal of Ambient Intelligence and Humanized Computing

Abstract:With the development of internet of things (IoT), capabilities of computing, networking infrastructure, storage of data and management have come very close to the edge of networks. This has accelerated the necessity of Fog computing paradigm. Due to availability of Internet, most of our business operations are integrated with IoT platform. Fog computing has enhanced the strategy of collecting and processing, huge amount of data. On the other hand, attacks and malicious activities has adverse consequences on the development of IoT, Fog, and cloud computing. This has led to development of many security models using fog computing to protect IoT network. Therefore, for dynamic and highly scalable IoT environment, a distributed architecture based intrusion detection system (IDS) is required that can distribute the existing centralized computing to local fog nodes and can efficiently detect modern IoT attacks. This paper proposes a novel distributed ensemble design based IDS using Fog computing, which combines k-nearest neighbors, XGBoost, and Gaussian naive Bayes as first-level individual learners. At second-level, the prediction results obtained from first level is used by Random Forest for final classification. Most of the existing proposals are tested using KDD99 or NSL-KDD dataset. However, these datasets are obsolete and lack modern IoT-based attacks. In this paper, UNSW-NB15 and actual IoT-based dataset namely, DS2OS are used for verifying the effectiveness of the proposed system. The experimental result revealed that the proposed distributed IDS with UNSW-NB15 can achieve higher detection rate upto 71.18% for Backdoor, 68.98% for Analysis, 92.25% for Reconnaissance and 85.42% for DoS attacks. Similarly, with DS2OS dataset, detection rate is upto 99.99% for most of the attack vectors.

computer science, information systems,telecommunications, artificial intelligence

Weiyong Yang,Peng Gao,Hao Huang,Xingshen Wei,Haotian Zhang,Zhihao Qu

DOI: https://doi.org/10.1109/globecom48099.2022.10001486

2022-01-01

Abstract:Advanced persistent threat (APT) attacks have caused severe damage to many core information infrastructures. To tackle this issue, the graph-based methods have been proposed due to their ability for learning complex interaction patterns of network entities with discrete graph snapshots. However, such methods are challenged by the computer networking model characterized by a natural continuous-time dynamic heterogeneous graph. In this paper, we propose a heterogeneous graph neural network based APT detection method in smart grid clouds. Our model is an encoder-decoder structure. The encoder uses heterogeneous temporal memory and attention embedding modules to capture contextual information of interactions of network entities from the time and spatial dimensions respectively. We implement a prototype and conduct extensive experiments on real-world cyber-security datasets with more than 10 million records. Experimental results show that our method can achieve superior detection performance than state-of-the-art methods.