ZHU Ying-ying,YE Mao,LIU Nai-qi,LI Zheng,ZHENG Kai-yuan

DOI: https://doi.org/10.3778/j.issn.1002-8331.2008.18.034

2008-01-01

Computer Engineering and Applications Journal

Abstract:Considering the shortcomings of Windows system intrusion detection and the advantages of the Linux system intrusion detection based on the sequence of the system call,a kernel-level host intrusion detection program based on the BP neural network algorithm to study and classify the sequence of Windows Native API is proposed in this paper.Experiment results prove that the sequence of Native API can be used for intrusion detection.Windows Native API means the kernel model API,which is similar to the Linux system call.The neural network is trained to learn the normal and abnormal sequence of Native API.In the intrusion detection,use the trained neural network to classify the emerging Native API sequence,and find whether the intrusion happens.

Fei Yu,Renfai Li,Miaoliang Zhu,Bin Jiang

DOI: https://doi.org/10.1109/wcica.2004.1342337

2004-01-01

Abstract:Effective intrusion detection is necessary for system security. This paper describes an inference machine based on the FRete algorithm using the classic Rete algorithm, which can carry out intellectual reasoning on suspicious data in network. In order to improve the match efficiency of the inference machine, node in mode net is added into the inclusive brother's chain, the connection joint of the same production type in the network is divided into equivalence form according to variable restrain. Finally, a distributed intrusion detection system based on FRete network algorithm is realized.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Jinfu Chen,Yemin Yin,Saihua Cai,Weijia Wang,Shengran Wang,Jiming Chen

DOI: https://doi.org/10.1016/j.scico.2024.103156

IF: 1.039

2024-01-01

Science of Computer Programming

Abstract:Software vulnerability detection is a challenging task in the security field, the boom of deep learning technology promotes the development of automatic vulnerability detection. Compared with sequence-based deep learning models, graph neural network (GNN) can learn the structural features of code, it performs well in the field of vulnerability detection for source code. However, different GNNs have different detection results for the same code, and using a single kind of GNN may lead to high false positive rate and false negative rate. In addition, the complex structure of source code causes single GNN model cannot effectively learn their depth feature, thereby leading to low detection accuracy. To solve these limitations, we propose a software vulnerability detection model called iGnnVD based on the integrated graph neural networks. In the proposed iGnnVD model, the base detectors including GCN, GAT and APPNP are first constructed to capture the bidirectional information in the code graph structure with bidirectional structure; And then, the residual connection is used to aggregate the features while retaining the features each time; Finally, the convolutional layer is used to perform the aggregated classification. In addition, an integration module that analyses the detection results of three detectors for final classification is designed using a voting strategy to solve the problem of high false positive rate and false negative rate caused by using a single kind of base detector. We perform extensive experiments on three datasets and experimental results show that the proposed iGnnVD model can improve the detection accuracy of vulnerabilities in source code as well as reduce the false positive rate and false negative rate compared with existing deep learning-based vulnerability detection models, it also has good stability.

Feng Li,Sun Jie,Zhou Xiaoming,Yang Liwei,Pen Qinke

DOI: https://doi.org/10.3321/j.issn:0253-987x.2006.04.009

2006-01-01

Abstract:In order to detect more and more serious attacks against the Windows operating system (OS), a multi-step consistency model and exponential iteration detection algorithm (EIDA) based on Native API sequences were proposed to realize the detection of the anomaly intrusions from kernel space in Windows operating system. The system service dispatch table is captured by designing a virtual device so as to get the Native API information in real time. One step and two steps consistency models are built by the captured normal Native API data to describe the normal behavior of processes. In the detection process, the normal index of emerging Native API is measured continuously by EIDA. The normal indexes are analyzed through an alarm extraction algorithm, which uniquely determines the corresponding attack and provide administrator with guarantee to grasp the security situation of OS in time. The experiments under different Windows OS environment indicate that the proposed method has better accuracy.

Yingying Zhu,Mao Ye,Xin Zhao,Lijuan Li,Xi Meng

2008-01-01

Abstract:The invention discloses a host computer invasion detection method based on the natural subsequence mode decomposition. The method includes the following steps: firstly, defining rules; obtaining Windows Native API data sequence, decomposing process sequences into natural subsequence mode sets and then layering the natural subsequence modes according to the support degree; thirdly, decomposing suspected sequences into a plurality of layers respectively containing natural sequence modes with similar support degrees; fourthly, matching the normal process sequences with the suspected sequences according to the corresponding layers, calculating the abnormal degree according to the matched number and judging if the suspected sequences are abnormal. The method overcomes the disadvantages existed in the prior art and can accurately and effectively identify the current attacks and the new increasing attacks.

赵欣,叶茂,朱莺嘤,郑凯元

DOI: https://doi.org/10.3778/j.issn.1002-8331.2010.05.027

2010-01-01

Abstract:Network intrusion detection is an important aspect of information security.Many good results in this aspect have been obtained in recent years.Most of them face the problem of low detection rate.The network connection's attributes which have the character of obvious distinction between normal and abnormal are often chosen by experts to judge whether the new network connections are normal.This method has some randomness which affects the detection rate.A method which aims to choose attributes based on the inherent law of normal network connections is proposed.The attributes can be chosen such that the high dimensional data can be transformed to one dimension automatically.The method of sequence data mining is used to find the rules of normal network connections.The new network connections can be detected by these rules.An experiment has been done on the datum of KDD99.The result indicates that the method of this paper has high detection rate.

Yingying Zhu,Mao Ye,Xin Zhao,Lijuan Li,Xi Meng

2008-01-01

Abstract:The invention discloses a network intrusion detection method which makes decomposition based on an inherent subsequence mode, including the following steps: 1, network data interception and pretreatment are done; 2, the sequence of a normal training set and a suspected sequence respectively go through the inherent sequence pattern mining, wherein, a sequence chart is established for the sequences; a closed path in the sequence chart is located and identified as a candidate sequence for the inherent subsequence mode; the inherent subsequence modes composing each candidate sequence are located according to the original sequence; 3, stratification is made in accordance with the support degree; 4, anomaly detection is done as follows: firstly, the inherent subsequence modes of the suspected sequence and the normal sequence respectively and independently form a plurality of layers in accordance with the respective support degree, then the inherent subsequence mode of the suspended sequence and the normal subsequence are matched in the corresponding layer, finally, the anomaly degree is calculated based on the number of matches so as to judge whether the suspected sequence is abnormal. The method overcomes the deficiencies in the prior art and can accurately and effectively identify the existing attacks and the increasing number of new attacks.

DOI: https://doi.org/10.36652/0869-4931-2024-78-5-230-234

2024-01-01

Abstract:Attack graphs are a popular area of research that display all the paths an trespasser can take to penetrate a network. Existing graph generation methods rely heavily on expert opinion regarding network vulnerabilities and topology. An intrusion detection system based on graph-directed analytics of the big data analytics, which is based on machine learning, is proposed, which made it possible to obtain good accuracy results and a high level of attack detection during its testing. Keywords attack, graph, detection, machine learning, network

Zongqu Zhao,Junfeng Wang,Chonggang Wang

DOI: https://doi.org/10.1002/sec.524

IF: 1.968

2012-02-28

Security and Communication Networks

Abstract:The traditional malware detection schemes based on specific signature give an unsatisfactory performance as disposing the previously unknown malware, so the general features of binary files should be explored to solve this problem. Recently, classification algorithms were employed successfully to choose the features in unknown malicious code, and most of the works use byte or operation code sequence n‐gram representation of the executables. However, these n‐gram representations are heavily dependent on the training data. In this paper, we present a graph‐based method to detect unknown malware. The function call graph of an executable, which includes the functions and the call relations between them, is selected as the representation of the executable in this method. The features are defined according to both the statistical information and the topology of the function call graph. They are extracted and processed through machine learning to classify unknown Portable Executable files. For the sake of fixed sum of the features, the graph‐based method can avoid so many features found in other methods. In our experiments, three types of malware datasets were tested, and as high as 96.8% accuracy can be achieved. Furthermore, it can achieve 92.1% accuracy when only 5% of the dataset is served as training set. Copyright © 2012 John Wiley & Sons, Ltd. To detect the unknown malware, the features of graph‐based method are predefined from function call graph of software, and then the rules are built with these features to classify an executable as the benign or the malware. The quantity and the contents of these features are independent of testing dataset, and this peculiarity enables our experiment results to nearly reflect the situation of unknown malware detection. The design can provide a high malware detection accuracy by using a small set of training set.

computer science, information systems,telecommunications

LI Nai-jie,PENG Qin-ke

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.01.082

2007-01-01

Abstract:Anomaly detection algorithm for Windows platform is studied.A host process pattern extraction algorithm using Windows Native API sequences and based on decision tree is presented,and a wildcard is introduced in patterns,so the size of pattern set is reduced considerably.More over,transition probabilities between patterns are computed to build a global Markov Chain Model of pattern sequences,and related anomaly detection algorithm is presented.Experiments demonstrate that the algorithms can extract a pattern set of small size and high generalization ability,and can detect anomalies effectively.

白莉莉,庞建民,张一弛,岳峰

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.09.048

2010-01-01

Abstract:Aiming at the problem that malware detection method based on signature can be easily subverted by obfuscation techniques,this paper proposes a detection method based on Critical Application Programming Interface Graph(CAG).By statically extracting nodes with critical API calling from Control Flow Graph(CFG) for each malware,each malicious behavior can be presented by one CAG.A matching algorithm based on CAG is used to determine whether a suspicious executable programming has the same malicious behavior as a malware does.Experimental results show that the method can detect malware variants efficiently with low false negative rate.

Yingying Zhu,Mao Ye,Naiqi Liu,Xin Zhao,Xue Li

DOI: https://doi.org/10.1109/icnc.2008.101

2008-01-01

Abstract:The problem of network intrusion detection is an active research issue. Based on the techniques of sequence data mining, we propose a completely new approach based on intrinsic subsequence to detect intrusions in the network connection data. An intrinsic subsequence means that all items in it are always present together as a whole in the sequence. The total number of an intrinsic subsequence appeared in a sequence is referred to as absolute support. The intrinsic subsequences with approximate absolute support form a layer A sequence is supposed to be composed of a set of intrinsic subsequences. And the anomalies are always shown as a composition of some unusual intrinsic subsequences. The abnormal sequence can be detected by decomposing the sequence into a number of layers and finding the differences of the corresponding layers between the normal and suspect sequence data. An original algorithm for intrusion detection by using the idea of decomposition is proposed. The experiments on the data sets of KDD 99 illuminate the utility and efficiency of our new approach.

Jiang Shan,Chen Changai

DOI: https://doi.org/10.2991/isrme-15.2015.109

2015-01-01

Abstract:The security of software applications, from web-based applications to mobile services, is always at risk because of the open society of internet. With the increase in the number of network throughput and security threats, intrusion detection system has attracted much attention in recent years. In this paper, we undertake the research on the principle techniques for network intrusion detection based on data mining and analysis approach. We adopt the prior knowledge on Bayesian network which is a directed acyclic graph, each node represents a random variable and an edge said direct probabilistic dependencies between two connected nodes. Then, we use the traditional risk assessment model to measure the possibility of being hearted. The numeric analysis and experimental illustration indicates the effectiveness of our method compared with other popular adopted state-of-the-art methodologies. In the future, we plan to introduce the graph and complex network theory into our prototype system to enhance the performance.

Zhitang Li,Aifang Zhang,Dong Li,Li Wang

DOI: https://doi.org/10.1007/978-3-540-73871-8_6

2007-01-01

Abstract:In monitoring anomalous network activities, intrusion detection systems tend to generate a large amount of alerts, which greatly increase the workload of post-detection analysis and decision-making. A system to detect the ongoing attacks and predict the upcoming next step of a multistage attack in alert streams by using known attack patterns can effectively solve this problem. The complete, correct and up to date pattern rule of various network attack activities plays an important role in such a system. An approach based on sequential pattern mining technique to discover multistage attack activity patterns is efficient to reduce the labor to construct pattern rules. But in a dynamic network environment where novel attack strategies appear continuously, the novel approach that we propose to use incremental mining algorithm shows better capability to detect recently appeared attack. In order to improve the correctness of results and shorten the running time of the mining algorithms, the directed graph is presented to restrict the scope of data queried in mining phase, which is especially useful in incremental mining. Finally, we remove the unexpected results from mining by computing probabilistic score between successive steps in a multistage attack pattern. A series of experiments show the validity of the methods in this paper.

Ruozhou LIANG,Yue GAO,Xibin ZHAO

DOI: https://doi.org/10.1360/ssi-2021-0252

2021-01-01

Scientia Sinica Informationis

Abstract:Advanced persistent threat (APT) in real scenes, especially in industrial scenes, is complex and long term, but the current methods cannot effectively extract the long term relationship in the attack. An attack detection method with provenance graphs, called SeqNet, is proposed. SeqNet uses sequence feature extraction to detect APT attacks. In SeqNet, the provenance graph sequence describing the running state of the system is transformed into the feature sequence first, and then the gate recurrent unit (GRU) model is used to extract the feature of the system. The encoder-decoder model with the local attention mechanism is used to train the GRU model. Finally, the K-means clustering method is used to model the normal behavior of the system. In this study, experiments are carried out on five public datasets, such as StreamSpot, wget, shellshock, ClearScope, and CADETS, compared with the state-of-the-art methods. The method used here achieves similar or improved results on all five datasets. Experimental results show that the proposed method can detect real-life APT scenarios.

Ping Yi,Yiping Zhong,Shiyong Zhang

DOI: https://doi.org/10.1007/11508380_121

2005-01-01

Abstract:The mobile ad hoc networks are particularly vulnerable to intrusion, as its features of open medium, dynamic changing topology, cooperative routing algorithms. The traditional way of protecting networks with firewalls and encryption software is no longer sufficient and effective for those features, because no matter how secure the mobile ad hoc networks, its is still possible the nodes are compromised and become malicious. In this paper, we propose a novel intrusion detection approach for mobile ad hoc networks by using finite state machine. We construct the finite state machine (FSM) by the way of manually abstracting the correct behaviours of the node according to the routing protocol of Dynamic Source Routing (DSR). The monitor nodes cooperatively monitor every node's behaviour by the FSM. Our approach can detect real-time attacks without signatures of intrusion or trained data. Finally, we evaluate the intrusion detection method through simulation experiments.

Xr Yang,Qb Song,Jy Shen

2001-01-01

Abstract:In this paper we present a frequent sequence patterns mining-based algorithm used for network intrusion detection, which is an application and extension of SPADE algorithm. It is based on the idea that much behavior on the network appear as sequences of activities, according to the sequence patterns we computed, we can construct the intrusion rule base and legal action rule base, then we can detect known and novel intrusion activities by rules' matching. In addition, when system is running, we use an incremental sequence patterns mining algorithm to complement the rule library in order to avoid re-executing the algorithm on the entire dataset, thereby reducing execution time. The experimental results indicate that this algorithm is efficient enough to meet the needs of active detect novel intrusion. Compared with most existing methods used in commercial systems which are built using purely knowledge engineering approaches, our algorithm is more intelligent and adaptive.

Wu Liu,Jian-Ping Wu,Hai-Xin Duan,Xing Li

DOI: https://doi.org/10.1007/11540007_96

2006-01-01

Abstract:In this paper, we apply data mining techniques to construct intrusion detection patterns. We mine both system audit data and network traffic data for consistent and useful patterns of program and user behavior, and use an iterative low-frequency-finder mining algorithm to find the low frequency but important patterns.

ZHANG Cheng,PENG Qinke

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.07.050

2007-01-01

Abstract:A novel method is proposed to construct variable-length patterns by using dynamically extracting information from call stack of the process.This method uses the chains of function return addresses to derive a table of variable-length patterns,and reduces the pattern set based on the structure of functions of the process.Then a Markov chain model is constructed based on variable-length patterns to detect abnormal behaviors.The experimental results indicate that compared with the traditional variable-length pattern based method and the first-order Markov chain model method,the proposed method can achieve higher hit rates and lower false alarm rates.