Yu Fei,Zhu Miao-liang,Chen Yu-feng,Li Ren-fa,Xu Cheng

DOI: https://doi.org/10.1007/bf02828642

2005-01-01

Abstract:Intrusion detection system can make effective alarm for illegality of network users, which is absolutely necessarily and important to build security environment of communication base service. According to the principle that the number of network traffic can affect the degree of self-similar traffic, the paper investigates the variety of self-similarity resulted from unconventional network traffic. A network traffic model based on normal behaviors of user is proposed and the Hurst parameter of this model can be calculated. By comparing the Hurst parameter of normal traffic and the self-similar parameter, we can judge whether the network is normal or not and alarm in time.

Lu Guang,Yu Fei,Guangxue Yue,Miaoliang Zhu

DOI: https://doi.org/10.1109/imsccs.2006.287

2006-01-01

Abstract:The research community is interested in finding effective methods to detect network traffic anomalies such as the propagation of a new worm, and to raise alarm in time. In this paper we research the principle that the number of network traffic can affect self-similarity of network traffics, and analyze the variety of self-similarity caused by abnormal network traffic. We propose a network traffic model on normal behaviors of users. An approach, which is applied to determine whether or not abnormal network traffic exists by comparing Hurst parameter with predefined threshold, is also presented. At last, implementation of network worm detecting agent in NP is described. Results of evaluation show that detecting agent performs very well in test-bed.

胡敏,潘雪增,平玲娣

DOI: https://doi.org/10.3969/j.issn.1001-3695.2004.01.033

2004-01-01

Abstract:This paper focuses on issures related to deploying a data mining-based IDS (Intrusion Detection System) in a real time environment To overcome the limitations of traditional IDS, the corresponding solutions to accurracy, efficiency and usability is presented.These solutions impove efficiency of traditional DOS and maintain a desired accuracy level. This paper also proposed an architecture consisting of sensors, detectors, a data warehouse and model generation components. This architecture facilitates the sharing and storage of audit data and the distribution of new or updated models. Also, it improves the efficiency and scalability of the traditional IDS.

LIU Xue-fei,WANG Shen-qiang,WU Bo-qiao,MA Heng-tai,WEN Wei-ping

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.01.049

2007-01-01

Abstract:Second analyzing Intrusion Detection System(IDS)'s alarm information has already become an important and practical method of improving IDS's detection performance.The paper roundly provides root cause and correlation analysis of alarm information based on analyzing IDS's alarm information,giving the practical method,the experiment proves the me￣thod's validity.

Dong Li,Zhitang Li,Li Wang

DOI: https://doi.org/10.1109/FSKD.2007.464

2007-01-01

Abstract:Various IDS devices produce large number of alert, the majority of which are false positives. It is laborious for the security officers to find real intrusions. To find intrusions in real time, we should first remove false positives in the alerts. According to the experience of IDS alerts analysis, we find that there are some regularities in alert flow occurrence: power law, trend, periodicity. Based on these statistical regularities, we can operate it based on time sequence effectively. The results of real world data analysis demonstrate that the method can reduce massive false positives in real time effectively.

Jie Ma,Zhitang Li,Bingbing Wang

DOI: https://doi.org/10.4304/jcp.6.8.1715-1722

2011-01-01

Abstract:Intrusion detection systems typically create a large volume of alarms and most of them are false alarms that can be seen as background noises caused by normal system behaviors. Manual analysis of a large number of alarms is both time consuming and labor intensive. This study focuses on the statistical analysis of the alarm flow. Using the Singular Spectrum Analysis (SSA) approach, we found that the alarm flow has a small intrinsic dimension, and the structure of alarm flow can be composed by leading components (normal components) and residual components (abnormal components). Only changes in abnormal components are worth of further study to confirm whether they are true or false alarm. To achieve this goal, an SSA-based anomalies detection algorithm was implemented and applied to catch anomalous changes in residua components, and thus interesting alarms were highlighted and noises were filtered out. Compared with detection approaches using stationary models, our SSA-based method can well deal with the non-stationary natures inherent in the alarm flow. Evaluation results from real network data show a significant increase in model accuracy, and more efficient filtering of alarm noise.

Lin Yang,Liu Guiquan,Yang Lishen

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.11.057

2006-01-01

Abstract:Frequent alarms and high false rate are nearly unavoidable in intrusion detection. For the situation, a method of alarm deviation analysis in intrusion detection is proposed in this article. It not only mitigates the impact of frequent alarms but also minimizes the effect of false alarms through integrative evaluation. The testing result shows the effectiveness of the method.

Yongwei Meng,Tao Qin,Yukun Liu,Chao He

DOI: https://doi.org/10.1109/iscc.2018.8538535

2018-01-01

Abstract:Intrusion Prevention System (IPS) is important for network security management as it can help the administrator by generating alarms corresponding to different attacks. But there are many false alarms due to their running mechanism, which greatly reduces its usability. In this paper, we develop a hierarchical framework to mine high threat alarms from raw massive logs. We first divide the raw alarms into two parts based on their attributes, the first part mainly include alarms from several kinds of serious attacks while others constitute the second part. To mine high threat alarms from the first part, we proposed a similar alarm mining method based on Choquet Integral to cluster and rank the results of clustering. The potential threats are mixed with many false alarms in the second part, to reduce effect from false alarms, we employ the frequent pattern mining algorithm to mine correlation rules and employ them to filter the false alarms. Following we qualify the threat degree of those alarms based on the features extracted from characteristics of alarms themselves. Experimental results based on the data collected from the campus network of Xi’an Jiaotong University verify the efficiency and accuracy of the developed methods. Based on the mining and ranking results, administrators can deal with the high threats with their limited time and energy to keep the network under control.

Jie Ma,Zhitang Li

2010-01-01

Abstract:How to analyze security alarms automatically and find useful information form them has attract a lot of interests. Although many alarm correlation approaches and risk assessment methods have been proposed, most of them were implemented with high computational complexity and time consuming, and they can not deal well with huge number of security alarms. This work focus on performing an real-time security threat evaluation. We aggregate individual alarms to alarm flows, and then process the flows instead of individual alarms. Using the Singular Spectrum Analysis (SSA) approach, we found that the alarm flow has a small intrinsic dimension, and the alarm flow can be decomposed into leading components and residual components. Leading components represent the basic part and residual components represent the noise part of the flow. To capture the main features of the leading components forming the alarm flow, we accomplish the security threat evaluation. Case based experiments real network data shows the effectiveness of the method. To the best of our knowledge, this is the first study that applies SSA on the analysis of IDS alarm flows.

T. Liu,Z. Wang,H. Wang,K. Lu

DOI: https://doi.org/10.15837/ijccc.2012.3.1391

IF: 2.635

2014-01-01

International Journal of Computers Communications & Control

Abstract:Intrusion Detection System (IDS) typically generates a huge number of alerts with high false rate, especially in the large scale network, which result in a huge challenge on the efficiency and accuracy of the network attack detection. In this paper, an entropy-based method is proposed to analyze the numerous IDS alerts and detect real network attacks. We use Shannon entropy to examine the distribution of the source IP address, destination IP address, source threat and destination threat and datagram length of IDS alerts; employ Renyi cross entropy to fuse the Shannon entropy vector to detect network attack. In the experiment, we deploy the Snort to monitor part of Xi’an Jiaotong University (XJTU) campus network including 32 C-class network (more than 4000 users), and gather more than 40,000 alerts per hour on average. The entropy-based method is employed to analyze those alerts and detect network attacks. The experiment result shows that our method can detect 96% attacks with very low false alert rate.

Liu Zhi-Jie,Wang Chong-Jun

2010-01-01

Abstract:For the last years intrusion detection system(IDS) has been proved valuable in protecting computer systems against malicious attacks. It works by actively detecting abnormal activities and counter act,be it reporting to the user or taking certain actions automatically. The traditional IDS,however,is defective in that it deals with the detected abnormal activites only individually,bringing serious problems,classical ones of which include massively false alarms and massively repeated low-level alarms. An even more serious problem of the traditional IDS is that it is not effective,if not uselell,when the many individually detected abnormal activites are correlated components of a multi-step indepth intrusion,which is propably the case in nowadays since intrusions have evolved to be intelligent and distributive. To overcome this defect,this paper proposes a method called MSACA(multi-step attack correlating algorithm). As a prerequisite of the method,a knowledge database is provided. The knowledge database composes of the structures of known multi-step correlating attack,meaning that given certain low-level abnormal activites,through the database,we can get information regarding to what kinds of multi-step correlating attacks the given low-level alarms may be part of as well as to which stage they belong. The proposed method firstly gets the needed information of the low-level alarms from the database,secondly tries to form a big picture to reveal the possible threat of the low-level alarms working as a whole,and finally takes counter measures. The proposed method can be implemented in realtime scenarios. This paper also proves the proposed method's effectiveness by experiments.

Huang Kai,Zhengwei Qi,Liu Bo

DOI: https://doi.org/10.1109/WAINA.2009.58

2009-01-01

Abstract:Network always suffers from the traffic anomaly such as router rate change, device restart or the worm attack. The early detection of unusual anomaly in the network is a key to fast recover and avoidance of future serious problem to provide a stable network transmission. In this paper we present a statistical approach to analysis the distribution of network traffic to identify the normal network traffic behavior. We adapt the EM algorism to estimate the distribution parameter of Gaussian mixture distribution model. If only there is a statistical signature of unusual fluctuation or change in the network traffic an alarm will be triggered. We adapt the time series analysis of the statistical analysis result. Up bound and low bound will be defined through the analysis. The exceeding of the bound will be the signal of traffic anomaly. Another time series analysis approach also can reflect the fluctuation of network with the crossover of two indicator lines called K line and D line. These two indicator lines are some think like the mean value of the historical data in a time slice with one more sensitive to the change of the new coming data and another not. The approach three-MACD indicator approach is like the K D approach but more blunt to the unusual fluctuation of network traffic which can submit an alarm more correctly.

Jie Ma,Zhitang Li,Weiming Li

DOI: https://doi.org/10.1109/FSKD.2008.522

2008-01-01

Abstract:Signature based network intrusion detection systems (NIDSs) often report a massive number of elementary alerts of low-level security-related events which are logically involved in a single multi-stage attack. Since be overwhelmed by these alerts, security administrators almost unable to discover complicated multistage attack in time. It is necessary to develop a real-time system to extracting useful attack strategies from the alert stream, which enables network administrators to launches appropriate response to stop attacks and prevent them form escalating. This paper focuses on developing a new alert clustering and correlation technique to automatically discover attack strategies from the evolving alert stream, without specific prior knowledge. The proposed algorithms can discovery various attack sequential patterns in different kinds of time horizons or user-defined time periods. Experiments show our approach can effectively construct attack scenarios and accordingly predict next most possible attack behavior.

Li Zhi-tang,Li Dong,Lei Jie,Zhang Aifang

DOI: https://doi.org/10.1109/isdpe.2007.118

2007-01-01

Abstract:In large-scale network, IDS can produce a large number of alerts. Nowadays there isn't an effective method to differentiate true alerts from false alerts. Confronted with this problem, we build a model for IDS alert analysis based on statistical decision. Through theoretical analysis, we find the optimal strategy: deleting alerts when FPP( False Positive Probability) exceeds some threshold, or sampling for checkup. What's more, we can work out FPP threshold and sample numbers. Theoretical analysis also finds that under some conditions the cost for alert checkup increases with FPP increasing. Together with them we construct FPP information network based on Bayes network to reduce checkup losses. Experiments demonstrate that some conclusions agree with our experience.

Xuefei Tian,Chenlu Li,Aijuan Qian,Xiaoju Dong

DOI: https://doi.org/10.1109/ispa-bdcloud-socialcom-sustaincom51426.2020.00077

2020-01-01

Abstract:The network environment is increasingly complex, resulting in the explosive growth of network traffic logs. Discovering the patterns of these logs and detecting various cyber-attacks and anomalies have become a widespread concern. However, traditional network analysis techniques and Intrusion Detection System (IDS) have limited ability to identify and respond to the malicious activities hidden in dynamic and long-duration time series. This paper proposes a novel visual analysis system, combining visual analysis and machine learning model, to better reveal the pattern of various traffic logs, detect and classify abnormal network behaviors from enormous traffic logs. The system supports interactive exploration in data space and comparative analysis of the normal and abnormal pattern. It could help users analyze traffic logs conveniently and identify network intrusions efficiently. Besides, a supervised classifier in our system supports the prediction of a single traffic log which facilitates users' analysis of the patterns of traffic logs. A case study conducted on the CICIDS-2017 dataset demonstrates the feasibility of our system.

Qin Qia,Zhiwen Wang

DOI: https://doi.org/10.4304/jnw.7.5.863-868

2012-01-01

Abstract:Intrusion Detection System (IDS) typically generates a huge number of alerts with high false rate , especially in the large scale network, which result in a huge challenge on the efficiency and accuracy of the network attack detection . In this paper, an entropy-based method is proposed to analyze the numerous IDS alerts and detect real network attacks. We use Shannon entropy to examine the distribution of the source IP address, destination IP address, source threat and destination threat and datagram length of IDS alerts; employ Renyi cross entropy to fuse the Shannon entropy vector to detect network attack. In the experiment, we deploy the Snort to monitor part of Xi’an Jiaotong University (XJTU) campus network including 32 C-class network (more than 4000 users), and gather more than 40,000 alerts per hour on average. The entropy-based method is employed to analyze those alerts and detect network attacks. The experiment result shows that our method can detect 96% attacks with very low false alert rate.

Yongwei Meng,Tao Qin,Yukun Liu,Chao He

DOI: https://doi.org/10.1109/access.2018.2823724

IF: 3.9

2018-01-01

IEEE Access

Abstract:Security equipment such as intrusion prevention system is an important supplementary for security management. They reduce the difficulty of network management by giving alarms corresponding to different attacks instead of raw traffic packet inspection. But there are many false alarms due to their running mechanism, which greatly reduces its usability. In this paper, we develop a hierarchical framework to mine high threating alarms from the massive alarm logs, and aim to provide fundamental and useful information for administrators to design efficient management policy. First, the alarms are divided into two parts based on their attributes, the first part mainly includes several kinds of famous attacks which are critical for security management, we proposed a similar alarm mining method based on Choquet integral to cluster and rank the frequently occurred attacks. The rest alarms constitute the second part, which are caused by the potential threats attacks, also include many false alarms. To reduce the effect of false alarms and rank the potential threats, we employ the frequent pattern mining algorithm to mine correlation rules and then filter false alarms. Following, we proposed a self-adapting threat degree calculation method to qualify the threat degree of these alarms after filtering. To verity the methods developed, an experimental platform is constructed in the campus network of Xi'an Jiaotong University. Experimental results based on the data collected verify the efficiency of the developed methods. For the first kind of alarms, the similar alarms mining accuracy is higher than 97% and the alarms are ranked with different processing urgencies. For the rest alarms, the proposed methods have filtering accuracy above 80% and can rank the potential threats. Based on the ranking results, administrators can deal with the high threats with their limited time and energy, in turn, keep the network under control.

ZHAO Tie-shan,LI Zeng-zhi,GAO Bo

DOI: https://doi.org/10.3969/j.issn.1000-7024.2005.05.003

2005-01-01

Abstract:Intrusion detection is an important part of computer security. It is a research hotspot. A time-based sequence model applying to intrusion detection is brought forward. In some period of time of a running computer system, mean value of an event's frequency in k audits is taken as expected value at k+1th audit. Relative error of the expected value and real value at k+1th audit is computed. If the relative error is bigger than some set threshold, an intrusion occurs at K+1th audit. Simulation results open out how to select threshold. If a large amount of intrusion events appear in a short time, the model works effectively.

吕志军,袁卫忠,仲海骏,黄皓,曾庆凯,谢立

DOI: https://doi.org/10.3969/j.issn.1002-137x.2004.10.015

2004-01-01

Computer Science

Abstract:Intrusion detection system(IDS)must be capable of detecting new and unknown attacks. In this paper, we propose an Anomaly Detection System based on Data Mining(ADESDM). Firstly, ADESDM mine suspicious behaviors in the protocol header, ports and application data with strong association rules and weak association rules; then, it sends the suspicious behaviors to the Deciding Module based on Bayesian Belief Net (DMBBN). In real network communications, the attributes, such as time, direction, ports and IP addresses, are influencing each other. The DMBBN illustrates the conditional probabilities and relationship among the above attributes, and uses them to determine whether the suspicious behaviors are normal ones or attacks. Thus, system can reduce the false alarm rate.

Zehua Ren,Yang Liu,Huixiang Liu,Baoxiang Jiang,Xiangzhen Yao,Lin Li,Haiwen Yang,Ting Liu

DOI: https://doi.org/10.1109/infocomwkshps54753.2022.9798168

2022-01-01

Abstract:Traditional intrusion detection systems often deal with massive alarms based on specific filtering rules, which is complex and inexplicable. In this demo, we developed a network security situation awareness (NSSA) system based on the spatio-temporal correlation of alarms. It can monitor the security situation from the temporal dimension and discover abnormal events based on the time series of alarms. Also, it can analyze alarms from the spatial dimension on the heterogeneous alarm graph and handle alarms in batches of events. With this system, system operators can filter most irrelevant alarms quickly and efficiently. The rich visualization of alarm data could also help find hidden high-risk attack behaviors.