Peng Ning,Sushil Jajodia,Xiaoyang Sean Wang

DOI: https://doi.org/10.1145/503339.503342

2001-01-01

ACM Transactions on Information and System Security

Abstract:Abstraction is an important issue in intrusion detection, since it not only hides the difference between heterogeneous systems, but also allows generic intrusion-detection models. However, abstraction is an error-prone process and is not well supported in current intrusion-detection systems (IDSs). This article presents a hierarchical model to support attack specification and event abstraction in distributed intrusion detection. The model involves three concepts: system view , signature , and view definition . A system view provides an abstract interface of a particular type of information; defined on the instances of system views, a signature specifies certain distributed attacks or events to be monitored; a view definition is then used to derive information from the matches of a signature and presents it through a system view. With the three elements, the model provides a hierarchical framework for maintaining signatures, system views, as well as event abstraction. As a benefit, the model allows generic signatures that can accommodate unknown variants of known attacks. Moreover, abstraction represented by a system view can be updated without changing either its specification or the signatures specified on its basis. This article then presents a decentralized method for autonomous but cooperative component systems to detect distributed attacks specified by signatures. Specifically, a signature is decomposed into finer units, called detection tasks , each of which represents the activity to be monitored on a component system. The component systems (involved in a signature) then perform the detection tasks cooperatively according to the "dependency" relationships among these tasks. An experimental system called CARDS has been implemented to test the feasibility of the proposed approach.

LIU Tong,WANG Ze-bing,FENG Yan

DOI: https://doi.org/10.3969/j.issn.1007-130x.2005.08.004

2005-01-01

Abstract:As the distributed intrusion becomes serious, the performance demand for distributed intrusion detection systems will be more and more important. In this paper, the concept of the Super-Peer intrusion detection model (SPIDM) is proposed. Furthermore, the technology of intelligent agent is implemented in this model. As a result, this efficient combination of distributed intrusion detection systems with the super-peer framework increases the system efficiency and collaboration, enhances the system openness, and thus improves the system performance as a whole.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Chenlin Huang,Hui Zhao,Huaping Hu

DOI: https://doi.org/10.3321/j.issn:1002-8331.2001.06.017

2001-01-01

Abstract:Intrusion Detection(ID)is an important aspect in network security technology. As to enterprises′ Intranet,the approaches of layered filtration,distributed processing,hierachical management,security communication and autonomous agent are adopted to our architecture to put forward a Hierachical Intrusion Detection System Based on Distributed Autonomous Agents,and the architecture and the detailed design of the IDS are presented. The IDS has the desirable characteristics of real-time detection,real-time response,in-time recovery,robustness and scalahility and so on.

Chen Min

2002-01-01

Abstract:In recent years, intrusion detection systems, being the important part of the information security system, have gained extensive attentions. Many different intrusion detection technologies come into being. This paper presents an architecture of Intrusion Detection Systems (IDS) based on autonomous agents. The distributed architecture paves the way in that IDSes can avoid the single point failure of the distributed systems, balance the system load and improve the efficiency, to meet the requirements of modern computer and network technologies.

Jaydip Sen

DOI: https://doi.org/10.48550/arXiv.1111.0382

2011-11-02

Cryptography and Security

Abstract:The current intrusion detection systems have a number of problems that limit their configurability, scalability and efficiency. There have been some propositions about distributed architectures based on multiple independent agents working collectively for intrusion detection. However, these distributed intrusion detection systems are not fully distributed as most of them centrally analyze data collected from distributed nodes which may lead to a single point of failure. In this paper, a distributed intrusion detection architecture is presented that is based on autonomous and cooperating agents without any centralized analysis components. The agents cooperate by using a hierarchical communication of interests and data, and the analysis of intrusion data is made by the agents at the lowest level of the hierarchy. This architecture provides significant advantages in scalability, flexibility, extensibility, fault tolerance, and resistance to compromise. A proof-of-concept prototype is developed and experiments have been conducted on it. The results show the effectiveness of the system in detecting intrusive activities.

段海新,吴建平

DOI: https://doi.org/10.13328/j.cnki.jos.2001.09.015

2001-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:An integrative taxonomy for intrusion detection technologies is proposed, which can specify accurately existing intrusion detection methods. Aiming at multiple-domain environments, a distributed cooperative intrusion detection system (DCIDS) is designed, which implements cooperative intrusion detection through efficient, secure information exchange among IDSes in different domain. The architecture of intrusion detection systems is described, as well as its four components: sensor, analyzer, manager and user-interface. Some key issues are also discussed, including secure communication and selection of detection places.

HUANG Liang,TANG Wen-zhong

2006-01-01

Journal of Computer Applications

Abstract:The shortages of current intrusion detection systems were analyzed, and the necessity of collaboration was discussed. A mutiagent collaborative intrusion detection framework was put forward. It adopted distributed detection and centralized analysis architecture, generic alert form and secure transfer protocol in this system, unified dispatch by coordinate engine to manage cooperative request, collect relative data and distribute alerts and new rules. This system can well implement information sharing among multiagents and achieve collaborative detection after test and application.

Kai Hwang,Ying Chen,Hua Liu

DOI: https://doi.org/10.1109/IPDPS.2005.160

2005-01-01

Abstract:Network security breaches hinder the application of distributed computing systems manifested as the Grids, clusters, intranets, extranets, or P2P systems. A new integrated approach is presented for building future, network-based intrusion detection systems (NIDS). We integrate the Snort (a NIDS) with a custom-designed anomaly detection system (ADS) to yield a powerful cyber defense system, called CAIDS. This system detects known attacks through signature matching and reveals network anomalies by Internet traffic datamining. The CAIDS design integrates two different detection engines for alert correlation between intrusions and anomalies. We aim to automate signature generation into Snort database. The system was tested over an Internet trace of 24 millions of packets containing 200 attacks. Our simulation experiments result in a 75% detection rate on all attacks with a low 5% false alarm rate. The system generates alerts on both intrusive attacks to distributed resources and anomalies detected in the Internet, intranet, and extranet connections.

Jianping Zeng,Donghui Guo

DOI: https://doi.org/10.5220/0002516401760181

2005-01-01

Abstract:More and more application services are provided and distributed over the Internet for public access. However, the security of distributed application severs is becoming a serious problem due to many possible attacks, such as deny of service, illegal intrusion, etc. Because of weakness of the firewall systems in ensuring security, intrusion detection system (IDS) becomes popular. Now, many kinds of IDS systems are available for serving in the Internet distributed system, but these systems mainly concentrate on networkbased and host-based detection. It is inconvenience to integrate these systems to distributed application servers for application-based intrusion detection. An agent-based IDS that can be smoothly integrated into applications of enterprise information systems is proposed in this paper. We will introduce its system architecture, agent structure, integration mechanism, and etc. In such an IDS system, there are three kinds of agents, i.e. client agent, server agent and communication agent. This paper is also to explain how to integrate agents with access control model for getting better security performance. By introducing standard protocol such as KQML, IDMEF into the design of agent, our agent-based IDS shows much more flexible for built in different kinds of software application system.

Dong Yongle,Qian Jun,Shi Meilin

DOI: https://doi.org/10.1109/CCECE.2003.1226031

2003-01-01

Abstract:Widespread attacks involving multiple hosts/networks happen more frequently as internetworking among computer systems via the Internet becomes more widely and keeps rapid increase. Due to lack of information, it can be quite difficult for conventional intrusion detection systems to identify such attacks in progress. Cooperative intrusion detection, on the basis of information sharing, is proved as a necessary measure to detect widespread attacks by other researcher D. Frincke (2000), Polla, D. et al., (1998). This paper presents a cooperative approach for intrusion detection that provides a method for individual ID components working cooperatively to perform concerted detections. Being constructed on the basis of ID components, CoIDS can adopt both existed (usually more mature) and new ID techniques. This makes CoIDS extensible and scalable. In addition, an ID component is essentially an autonomous agent, which makes CoIDS available with certain loss of functionality even when the intrusion detection manager does not work. Its reliability is also improved because failure of one ID component will not cause any other to stop working. Furthermore, it improved the accuracy of detection for conventional intrusions by validating analysis result with data from different ID components.

CAO Zhigang,WANG Shenkang

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.07.058

2005-01-01

Abstract:The framework model proposed in this paper is a distributed intrusion detecting system based on a tridimensional agent.The framework is an open system, which has good scalability. It adopts a central controlling module and a detecting module for side-by-side agent, which can dependently control and process. It also can track in and note the intrusing data, then test it. The state-checking mechanism and policy of authentication in this model ensure the security of the agents themselves and the communication among them.

Xiaoping Yang,Yu Dou

DOI: https://doi.org/10.1109/wcica.2004.1342340

2004-01-01

Abstract:To overcome some problems related to current Intrusion Detection System (IDS), such as high false negative and false positive rate, complex configuration, high cost and the inability to cooperate among components in the system, authors proposed a distributed IDS prototype. The system consists of control centers, proxies and sensors. In conjunction, authors also proposed a special communication protocol, CDIDSTP for the transparent communication between control centers and sensors via proxy. Combining carefully designed sensors and modulated IDS functions, an effective, highly auto-configurable IDS is implemented. In addition, the modulated IDS functions make the cooperation of same functional components within sensor possible.

Liu Hua Yeo,Xiangdong Che,Shalini Lakkaraju

DOI: https://doi.org/10.48550/arXiv.1708.07174

2017-08-23

Cryptography and Security

Abstract:Intrusion detection systems (IDS) help detect unauthorized activities or intrusions that may compromise the confidentiality, integrity or availability of a resource. This paper presents a general overview of IDSs, the way they are classified, and the different algorithms used to detect anomalous activities. It attempts to compare the various methods of intrusion techniques. It also describes the various approaches and the importance of IDSs in information security.

YANG Bo,CHEN Shu-yu

DOI: https://doi.org/10.3969/j.issn.1000-7024.2007.15.014

2007-01-01

Abstract:The characteristics of distributed intrusion is illustrated by the thesis,the concept about P2P is introduced,including the growing applications,development status and differences between P2P and C/S.Each subsystem of IDS are connected by P2P in order to share in intrusion message.On the basis of the common intrusion detection framework architecture,a new distributed IDS model is put forward and their functional modules are designed,especially,communication module of IDS are introduced in detail.

Qi Zhang,Ramaprabhu Janakiraman

DOI: https://doi.org/10.7936/K7M043N3

2001-01-01

Abstract: While advances in computer and communications technologyhave made the network ubiquitous, they have also rendered networked systemsvulnerable to malicious attacks orchestrated from a distance. Theseattacks, usually called cracker attacks or intrusions, start with crackers infiltratinga network through a vulnerable host and then going on to launchfurther attacks. Crackers depend on increasingly sophisticated techniqueslike using distributed attack sources. On the other hand, software ...

ZHOU Quan,WANG Chong-jun,WANG Jun,ZHOU Xin-min,CHEN Shi-fu

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.05.045

2007-01-01

Abstract:The ability to detect intruders in computer systems increases in importance as computers were increasingly integra-ted into the systems that rely on for the correct functioning of society.A history of research in intrusion detection and several approaches based on AI technology in IDS especially some machine learning technology,and then agent-based intrusion detection systems were introduced.In the end,some possible research directions and challenges was presented in this field.

ZHOU Lian-ying,LIU Feng-yu

2006-01-01

Abstract:This article uses the " swarm intelligence" characteristics of infesting insects for reference and presents a model for distributed intrusion detection system, which is simple in structure and low in resource consumption but can detect complex intrusion behaviors. The entity intrusion detection system of the model is separated into numbers of detection units that are independent and unitary in function but can cooperate with each other. The core idea of the model, or the realization of the swarm intelligence of the model, is that each detection unit offers information to the detection system and utilizes information from the detection system. The key technology of the model is to make every distributed detection unit accessible to the shared database efficiently. An optimization plan based on internet routing protocol OSPF ( Open Shortest Path First) is provided. The experimental result shows the validity of presented model.

DING Guo-liang,WANG Xi-wu,CHEN Kai-yan,WANG Jia-zhen

DOI: https://doi.org/10.3969/j.issn.1001-9383.2006.01.004

2006-01-01

Abstract:The problems of existing Intrusion detection system(IDS)is analyzed,a kind of distributed architecture of uniting the level and equal structures,is put forward,and the realizations of detection agent and communication protocol are given.The experiments proves this the system may carry out intrusion detection under distributed net- work environment.

YU-FANG ZHANG,ZHONG-YANG XIONG,XIU-QIONG WANG

DOI: https://doi.org/10.1109/ICMLC.2005.1527342

2005-01-01

Abstract:The research on distributed intrusion detection system (DIDS) is a rapidly growing area of interest because the existence of centralized intrusion detection system (IDS) techniques is increasingly unable to protect the global distributed information infrastructure. Distributed analysis employed by Agent-based DIDS is an accepted fabulous method. Clustering-based intrusion detection technique overcomes the drawbacks of relying on labeled training data which most current anomaly-based intrusion detection depend on. Clustering-based DIDS technique according to the advantages of two techniques is presented. For effectively choosing the attacks, twice clustering is employed: the first clustering is to choose the candidate anomalies at Agent IDS and the second clustering is to choose the true attack at central IDS. At last, through experiment on the KDD CUP 1999 data records of network connections verified that the methods put forward is better.