Lin Chen,Zhitang Li,Cuixia Gao,Yingshu Liu

DOI: https://doi.org/10.1109/CIT.2009.108

2009-01-01

Abstract:As an important part of computer forensics, network forensics particularly places emphasis on dynamic network information collection and proactive defense. Most forensics systems based on intrusion detection or honeypot rarely emphasize the availability of actual servers. In addition, few of them discussed the occasion of dynamic forensics particularly. The work presented in this paper is based on an idea to assist dynamic forensics with intrusion tolerance and deception technology to enhance the availability of server system and gather more useful evidences on a proper occasion. A mechanism of dynamic forensics based on intrusion forensics is proposed and is modeled with finite state machine. The workflow is described. A semi Markov process based on the embedded Markov chain of the states transition model is built and described. Finally, the forensics capability and server availability are analysis. According to the numerical analysis result, the security performance and forensics capability of the forensics system are enhanced to a certain degree.

陈琳,李之棠,高翠霞

DOI: https://doi.org/10.3969/j.issn.1002-137x.2009.11.015

2009-01-01

Computer Science

Abstract:With the development of intrusion and computer crime technologies,dynamic forensics is becoming more and more important.Dynamic forensics based on intrusion detection and honeypot technologies has great advantage in real-time performance,whereas these methods are defective in overcoming the difficulty of evidence and system reliability,and hard to seize the opportunity of investigation.A self-adaptive mechanwasm was proposed which used intrusion detection system as forensics trigger and shadow honeypot was used to verify the suspicious attack,observe and analyze the attack activities further more to gather key evidences.And then the finite state machine model of this mechanism was illuminated and key technologies such as shadow honeypot,state transition opportunity and evidence security storage method were described.The dynamic forensics system with this mechanism can tolerate intrusion in a certain degree and get the investigation process under control.Moreover,the amount of unnecessary evidences can be reduced obviously.

LIN Guo-yuan,HUANG Hao

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.27.042

2006-01-01

Abstract:In this article,we analyze the condition of computer forensics and point out dynamic forensics is its trend. After reasoning the feasibility of adopting IDS into dynamic forensics,a dynamic forensics system model is presented and expounded in detail.Since it is the combo of IDS and justice parsing technique,it will be instructive for the dynamic forensics of computer crime.

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

Na Xing,Shuai Zhao,Yuehai Wang,Keqing Ning,Xiufeng Liu

DOI: https://doi.org/10.14569/ijacsa.2023.0140743

2023-01-01

Abstract:recent years, deep learning-based network intrusion detection systems (IDS) have shown impressive results in detecting attacks. However, most existing IDS can only recognize known attacks that were included in their training data. When faced with unknown attacks, these systems are often unable to take appropriate actions and incorrectly classify them into known categories, leading to reduced detection performance. Furthermore, as the number and types of network attacks continue to increase, it becomes challenging for these IDS to update their model parameters promptly and adapt to new attack scenarios. To address these issues, this paper introduces a dynamic intrusion detection system, Dynamic Unknown Attack Intrusion Detection System (DUA-IDS). This system aims to learn and detect unknown attacks effectively. DUA-IDS comprises three components: Feature Extractor: This component employs CNN and Transformer models to extract data features from various perspectives. Threshold-Based Classifier: The second part utilizes the nearest mean rule of samples to classify known and unknown attacks, enabling the distinction between them. Dynamic Learning Module: The third part incorporates data playback and knowledge distillation techniques to retain existing category knowledge while continuously learning new attack categories. To assess the effectiveness of DUA-IDS, this paper conducted experiments using the UNSW-NB15 public dataset. The experimental results show that DUA-IDS improves the classification accuracy of flow network data with unknown traffic attacks. Can accurately distinguish unknown traffic and correctly classify known traffic. When dynamically learning unknown traffic, the classification accuracy of previously learned known traffic is less affected. This indicates the advantages of DUA-IDS in detecting unknown attacks and learning new attack categories.

Wei Ren,Hai Jin

DOI: https://doi.org/10.1145/1066677.1066749

2005-01-01

Abstract:ABSTRACTNetwork forensics and honeynet systems have the same features of collecting information about the computer misuses. Honeynet system can lure attackers and gain information about new types of intrusions. Network forensics system can analysis and reconstruct the attack behaviors. These two systems integrating together can help to build an active self-learning and response system to profile the intrusion behavior features and investigate the attack original source. In this paper, we present a design of honeynet based active network intrusion response system. The features of our system are distributed adaptive network forensics and active real time network investigation.

于志宏,刘喆,赵阔,努尔布力,史光坤,胡亮

DOI: https://doi.org/10.3321/j.issn:1671-5489.2008.04.029

2008-01-01

Abstract:In order to solve the problems existed in static forensics technology,this paper presents the design and implementation of a dynamic computer forensics system based on network.Compared with the traditional tools of the system,it performs the work of gathering evidence in advance before criminal action has occurred or in the process of crime so as to avoid the evidence chain lost caused by evidence not scout timely.It can improve the efficiency of the work of gathering evidence;enhance data integrity and timeliness of evidence.This paper describes the architecture,function and work flow,and the implementation of main functions of the core module technology.

Weihua Li,Lan Jiang

DOI: https://doi.org/10.3969/j.issn.1000-2758.2005.03.005

2005-01-01

Xibei Gongye Daxue Xuebao/Journal of Northwestern Polytechnical University

Abstract:Our aim is to provide many functions in our new multi-function system for dealing with hacker intrusion. These functions include conventional detection and alert, non-conventional hacker deception and trapping, and restoration of damaged files. Our system is a multi-layer comprehensive active defense system, integrating real-time intrusion detection, alert, security accident restoration, and hacker deception. In the full paper, we explain in much detail how to implement the many functions in our new system. Here we give only a briefing. Compared with conventional IDS (Intrusion Detection System), our new system can not only monitor and trap hackers in real-time mode, but also can realize intrusion tolerance better. The detection function of our system can not only monitor hacker attack but also cleverly track the hacker until the hacker's true source is found. The restoration function of our system can restore important files which have been attacked by hacker or infected by virus. Our new system has been employed successfully on several networks; it can deal effectively with 31 categories of known hacker attacks, whose ways of attack number as many as 2045.

W Ren,H Jin

DOI: https://doi.org/10.1109/aina.2005.164

2005-01-01

Abstract:Network forensics is a new approach for the network security, because the firewall and IDS cannot always stop and discover the misuse in the network. Once the system is compromised, the forensics and investigation always after the attacks and lose some useful instant evidence. The integrated analysis of the log and audit system and network traffic can lead to an efficient navigation of the traffic. The current network forensics approaches only focus on the network traffic capture and traffic replay, which always result in the performance bottleneck or forensics analysis difficulties. However, the adaptive capture without lose the potential sensitive traffic and real time investigation are seldom discussed. In this paper, we discuss the frameworks of distributed agent-based real time network intrusion forensics system, which is deployed in local area network environment. Some novel approaches for network forensics are discussed for the first time, such as network forensics server, network forensics database, network forensics agents, forensics data integration and active real time network forensic.

Tao Li,Juling Ding,Xiaojie Liu,Pin Yang

DOI: https://doi.org/10.1007/11539117_113

2005-01-01

Abstract:Dynamically evolutive models and recursive equations for self, antigen, dynamic computer forensics, immune tolerance, mature-lymphocyte lifecycle and immune memory are presented. Following that, a new model, referred to as Insdcf, for computer network surveillance and dynamic computer forensics is proposed. Simulation results show that the proposed model has the features of real-time processing, self-learning, self-adaptivity, and diversity, thus providing a good solution for computer network surveillance and dynamic computer forensics.

Fang Zhou,Hua Sun,Xuefeng Zheng

DOI: https://doi.org/10.1109/NSWCTC.2010.250

2010-01-01

Abstract:To improve the ability of system providing service when encounter malicious invasion, a new model of tolerance invasion system is given based on dynamic threshold encryption. The real-time detection of the model is realized by the Collaboration between servers and hosts. The sensitive data in the system apply dynamic threshold encryption, and can change their share with the distribution. The model has such as distribution, self-adaptability, fault tolerance, dynamic and expansibility features to ensure that the system has a higher level of safety.

Tian Zhihong,Jiang Wei,Li Yang

DOI: https://doi.org/10.1109/cc.2015.7084411

2015-01-01

Abstract:Network forensics is a security infrastructure, and becomes the research focus of forensic investigation. However many challenges still exist in conducting network forensics: network has produced large amounts of data; the comprehensibility of evidence extracting from collected data; the efficiency of evidence analysis methods, etc. To solve these problems, in this paper we develop a network intrusion forensics system based on transductive scheme that can detect and analyze efficiently computer crime in networked environments, and extract digital evidence automatically. At the end of the paper, we evaluate our method on a series of experiments on KDD Cup 1999 dataset. The results demonstrate that our methods are actually effective for real-time network forensics, and can provide comprehensible aid for a forensic expert.

ZHANG Ran,HE Jing-sha

2005-01-01

Abstract:Based on the analysis of the limitation of traditional intrusion detection systems, the concept of dynamic adaptive IDS is proposed, and a model of dynamic adaptive intrusion detection and response is estab-lished. By dynamic association among its elements and adaptive policies, this model provides dynamic adaptability to the changing environment and attacks with its dynamically configurable architecture, functions, and management. In addition, the concept of coordination domain is proposed in order to facilitate the management of coordinative detection.

Liang Hu,Kuo Tang,Guangkun Shi, Nurbol,Kuo Zhao

DOI: https://doi.org/10.1109/ICICTA.2009.729

2009-01-01

Abstract:With the increasing development of information technology, the computer crime problem is getting even serious. However traditional computer forensic that employs the static investigation after security events has inherent limitations. The authenticity, effectiveness and timeliness of the evidence are difficult to meet real needs. In order to solve the existing problems which static forensics technology has, this paper presents the design and implementation of DDCFS: a distributed dynamic computer forensics system based on network. Comparing with the traditional tools of the forensic system, it employs the work of gathering evidences of criminal actions before they occur or just they are ongoing, which avoid the evidence chain lose caused by traditional static forensic. It can improve the efficiency of the work of gathering evidences; enhance data integrity and timeliness of evidences. This paper describes the architecture, function and forensic procedure of DDCFS, and the implementation of the core module.

Jianxun Tang,Mingsong Chen,Haoyu Chen,Shenqi Zhao,Yu Huang

DOI: https://doi.org/10.1186/s13677-022-00379-2

2023-01-01

Journal of Cloud Computing Advances Systems and Applications

Abstract:Honeypot is an active defense mechanism, which attracts attackers to interact with virtual resources in the honeypot mainly by simulating real working scenarios and deploying decoy targets, so as to prevent real resources from being damaged and collect attackers' attack processes and analyze potential system vulnerabilities to proactively respond to similar attacks. Because of the existing honeypot system has defects such as the inability to deploy specific honeypots to induce attacks based on complex attacks, the inability to select the best honeypot for dynamic response based on honeypot deployment and maintenance costs during attack interactions, and insufficient ability to identify variants of known attack methods. Although hybrid honeypots can solve some of these problems by deploying low-interaction honeypots and high-interaction honeypots, they cannot really be applied to real production scenarios because of their slow TCP connection switching speed and inability to efficiently identify encrypted malicious traffic. In this paper, we propose a new dynamic security defense system based on the combination of TCP_REPAIR-based dynamic honeypot selection architecture and a deep learning-based intelligent firewall. The system accurately distributes encrypted or non-encrypted attack traffic and its variants through the intelligent firewall. The normal traffic is sent to the actual system, and the marked malicious traffic dynamically selects honeypots to respond according to the attack process.The experimental result indicated that the system can select honeypots for targeted responses according to the actual network situation quickly and dynamically and covertly, effectively improving the utilization rate of honeypot clusters as well as the ability to decoy.

Tao Li,Xiaojie Liu,Hongbin Li

DOI: https://doi.org/10.1007/11599371_7

2005-01-01

Abstract:Building on the concepts and the formal definitions of self, nonself, antigen, and detector introduced in the research of network intrusion detection, the dynamic evolution models and the corresponding recursive equations of self, antigen, immune-tolerance, lifecycle of mature detectors, and immune memory are presented. Following that, an immune-based model, referred to as AIBM, for dynamic intrusion detection is developed. Simulation results show that the proposed model has several desirable features including self-learning, self-adaption and diversity, thus providing a effective solution for network intrusion detection.

WANG Yi-miao,PENG Hong,CHEN Long

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.05.086

2007-01-01

Abstract:So it is costly to be evidence as a whole.A proactive forensics method was proposed to reduce the huge amount of data and reserve valuable evidence according to IDS alerts.The method was viable and reach a good trade-off performance,between possible evidence and cost.

JI Yu-chen,FU Xiao,SHI Jin,LUO Bin,ZHAO Zhi-hong

DOI: https://doi.org/10.3969/j.issn.1000-3428.2014.01.068

2014-01-01

Abstract:According to characteristics of computer intrusion forensic evidence, such as easy revise, easy loss, numerous sources, multifarious content, this paper discusses the current developing states about intrusion event reconstruction, analyzes intrusion event reconstruction source from the system layer object/event and the operate system layer object/event, and introduces the main intrusion event reconstruction tools. It reviews the existing methods for intrusion event reconstruction, including log analysis based on timestamp, semantic integrity checking, tracking technologies based on operate system layer object, event reconstruction models based on finite state machine and so on, evaluates their performance in terms of several metrics, such as reconstruction efficiency, false positives rate, credibility of evidence, authenticity of evidence, reconstruction environment, and summarizes the pros and cons of each method. Some important future research directions in the field of intrusion event reconstruction of computer intrusion forensic are discussed.

Ran Tao,Li Yang,Lu Peng,Bin Li

DOI: https://doi.org/10.1109/cicybs.2009.4925084

2010-01-01

International Journal of Information Security and Privacy

Abstract:Application features such as port numbers are used by network-based intrusion detection systems (NIDSs) to detect attacks coming from networks. System calls and the operating system related information are used by host-based intrusion detection systems (HIDSs) to detect intrusions towards a host. However, the relationship between hardware architecture events and denial-of-service (DoS) attacks has not been well revealed. When increasingly sophisticated intrusions emerge, some attacks are able to bypass both the application and the operating system level feature monitors. Therefore, a more effective solution is required to enhance existing HIDSs. In this paper, we identify the following hardware architecture features: instruction count, cache miss, bus traffic and integrate them into a novel HIDS framework based on a modern statistical gradient boosting trees model. Through the integration of application, operating system and architecture level features, our proposed HIDS demonstrates a significant improvement of the detection rate in terms of sophisticated DoS intrusions.

Nitin Naik,Changjing Shang,Paul Jenkins,Qiang Shen

DOI: https://doi.org/10.1109/tetci.2020.3023447

2020-01-01

IEEE Transactions on Emerging Topics in Computational Intelligence

Abstract:As active network defence systems, honeypots are commonly used as a decoy to inspect attackers and their attack tactics in order to improve the cybersecurity infrastructure of an organisation. A honeypot may be successful provided that it disguises its identity. However, cyberattackers continuously endeavour to discover honeypots for evading any deception and bolstering their attacks. Active fingerprinting attack is one such technique that may be used to discover honeypots by sending specially designed traffic. Preventing a fingerprinting attack is possible but doing that may hinder the process of dealing with the attackers, counteracting the purpose of a honeypot. Instead, detecting an attempted fingerprinting attack in real-time can enhance a honeypots capability, uninterruptedly managing any immediate consequences and preventing the honeypot being identified. Nevertheless, it is difficult to detect and predict an attempted fingerprinting attack due to the challenge of isolating it from other similar attacks, particularly when imprecise observations are involved in the monitoring of the traffic. Dynamic fuzzy rule interpolation (D-FRI) enables an adaptive approach for effective reasoning with such situations by exploiting the best of both inference and interpolation. The dynamic rules produced by D-FRI facilitate approximate reasoning with perpetual changes that often occur in this type of application, where dynamic rules are required to cover new network conditions. This paper proposes a D-FRI-Honeypot, an enhanced honeypot running D-FRI framework in conjunction with Principal Component Analysis, to detect and predict an attempted fingerprinting attack on honeypots. This D-FRI-Honeypot works with a sparse rule base but is able to detect active fingerprinting attacks when it does not find any matching rules. Also, it learns from current network conditions and offers a dynamically enriched rule base to support more precise detection. This D-FRI-Honeypot is tested against five popular fingerprinting tools (namely, Nmap, Xprobe2, NetScanTools Pro, SinFP3 and Nessus), to demonstrate its successful applications.