Peng Ning,Sushil Jajodia,X. Sean Wang

2013-01-01

Abstract:Intrusion Detection In Distributed Systems: An Abstraction-Based Approach presents research contributions in three areas with respect to intrusion detection in distributed systems. The first contribution is an abstraction-based approach to addressing heterogeneity and autonomy of distributed environments. The second contribution is a formal framework for modeling requests among cooperative IDSs and its application to Common Intrusion Detection Framework (CIDF). The third contribution is a novel approach to coordinating different IDSs for distributed event correlation.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Na Xing,Shuai Zhao,Yuehai Wang,Keqing Ning,Xiufeng Liu

DOI: https://doi.org/10.14569/ijacsa.2023.0140743

2023-01-01

Abstract:recent years, deep learning-based network intrusion detection systems (IDS) have shown impressive results in detecting attacks. However, most existing IDS can only recognize known attacks that were included in their training data. When faced with unknown attacks, these systems are often unable to take appropriate actions and incorrectly classify them into known categories, leading to reduced detection performance. Furthermore, as the number and types of network attacks continue to increase, it becomes challenging for these IDS to update their model parameters promptly and adapt to new attack scenarios. To address these issues, this paper introduces a dynamic intrusion detection system, Dynamic Unknown Attack Intrusion Detection System (DUA-IDS). This system aims to learn and detect unknown attacks effectively. DUA-IDS comprises three components: Feature Extractor: This component employs CNN and Transformer models to extract data features from various perspectives. Threshold-Based Classifier: The second part utilizes the nearest mean rule of samples to classify known and unknown attacks, enabling the distinction between them. Dynamic Learning Module: The third part incorporates data playback and knowledge distillation techniques to retain existing category knowledge while continuously learning new attack categories. To assess the effectiveness of DUA-IDS, this paper conducted experiments using the UNSW-NB15 public dataset. The experimental results show that DUA-IDS improves the classification accuracy of flow network data with unknown traffic attacks. Can accurately distinguish unknown traffic and correctly classify known traffic. When dynamically learning unknown traffic, the classification accuracy of previously learned known traffic is less affected. This indicates the advantages of DUA-IDS in detecting unknown attacks and learning new attack categories.

Jaydip Sen

DOI: https://doi.org/10.48550/arXiv.1111.0382

2011-11-02

Cryptography and Security

Abstract:The current intrusion detection systems have a number of problems that limit their configurability, scalability and efficiency. There have been some propositions about distributed architectures based on multiple independent agents working collectively for intrusion detection. However, these distributed intrusion detection systems are not fully distributed as most of them centrally analyze data collected from distributed nodes which may lead to a single point of failure. In this paper, a distributed intrusion detection architecture is presented that is based on autonomous and cooperating agents without any centralized analysis components. The agents cooperate by using a hierarchical communication of interests and data, and the analysis of intrusion data is made by the agents at the lowest level of the hierarchy. This architecture provides significant advantages in scalability, flexibility, extensibility, fault tolerance, and resistance to compromise. A proof-of-concept prototype is developed and experiments have been conducted on it. The results show the effectiveness of the system in detecting intrusive activities.

Peng Ning,Sushil Jajodia,X. Sean Wang

DOI: https://doi.org/10.1007/978-1-4615-0467-2_6

2004-01-01

Abstract: In this chapter, we present a model to represent distributed attacks based on the concept of system view presented in Chapter 3. However, instead of developing a completely new model, we extend a model named ARMD [Lin et al., 1998, Lin, 1998], which was developed for host-based intrusion detection. There are several other models that could be used instead of ARMD, including rule based languages (e.g., P-BEST [Lindqvist and Porras, 1999] and RUSSEL [Mounji et al., 1995]), the State Transition Analysis Tool (STAT) [Il-gun et al., 1995, Vigna and Kermmerer, 1998, Vigna and Kemmerer, 1999], and the Colored Petri Automata (CPA) [Kumar, 1995, Kumar and Spafford, 1994].

WU Jun,WANG Chong-Jun,WANG Jun,CHEN Shi-Fu

DOI: https://doi.org/10.1109/WI-IATW.2006.61

2006-01-01

Abstract:At present, distributed intrusion detection systems are taking on more and more characteristic of distributing and intelligence. Multi-agent system (MAS), which shows its intelligence by the interaction of a group of intelligent agents, is a popular tool for building novel intrusion detection systems (IDSs). The BDI (belief-desire-intention) model is a well studied architecture of agency for intelligent agents situated in complex and dynamic environments. Traditional MAS-based distributed IDSs commonly do their detection work within a framework that employs the method of distributed data collection and hierarchical data analysis. This is a simple and strict method, but it restricts the characteristic of distributing, intelligence and real-time response badly. In this paper, we present a dynamically-created hierarchical framework, and then bring forward the basic algorithm system to support it. We introduce the opponent BDI model to our agents, and realize the detection based on multi-agent cooperation, which effectively improves the traditional distributed intrusion detection

CAO Zhigang,WANG Shenkang

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.07.058

2005-01-01

Abstract:The framework model proposed in this paper is a distributed intrusion detecting system based on a tridimensional agent.The framework is an open system, which has good scalability. It adopts a central controlling module and a detecting module for side-by-side agent, which can dependently control and process. It also can track in and note the intrusing data, then test it. The state-checking mechanism and policy of authentication in this model ensure the security of the agents themselves and the communication among them.

Jingyu Hua,Takashi Nishide,Kouichi Sakurai

DOI: https://doi.org/10.1109/SAINT.2010.107

2010-01-01

Abstract:Model-based intrusion detection works by comparing a process's runtime behavior with a pre-computed normal program model. This paper studies this technology from the viewpoint of abstract interpretation theory. We regard different program behavior models used to perform intrusion detection as different abstractions of the concrete trace semantics of programs. Based on this point, we formally define model-based intrusion detection and present a generic generation algorithm for program models on a provided abstraction domain. Eventually, we discuss how to use this mechanism to implement a real intrusion detection model proposed by us before.

Dong Yongle,Qian Jun,Shi Meilin

DOI: https://doi.org/10.1109/CCECE.2003.1226031

2003-01-01

Abstract:Widespread attacks involving multiple hosts/networks happen more frequently as internetworking among computer systems via the Internet becomes more widely and keeps rapid increase. Due to lack of information, it can be quite difficult for conventional intrusion detection systems to identify such attacks in progress. Cooperative intrusion detection, on the basis of information sharing, is proved as a necessary measure to detect widespread attacks by other researcher D. Frincke (2000), Polla, D. et al., (1998). This paper presents a cooperative approach for intrusion detection that provides a method for individual ID components working cooperatively to perform concerted detections. Being constructed on the basis of ID components, CoIDS can adopt both existed (usually more mature) and new ID techniques. This makes CoIDS extensible and scalable. In addition, an ID component is essentially an autonomous agent, which makes CoIDS available with certain loss of functionality even when the intrusion detection manager does not work. Its reliability is also improved because failure of one ID component will not cause any other to stop working. Furthermore, it improved the accuracy of detection for conventional intrusions by validating analysis result with data from different ID components.

Jianping Zeng,Donghui Guo

DOI: https://doi.org/10.5220/0002516401760181

2005-01-01

Abstract:More and more application services are provided and distributed over the Internet for public access. However, the security of distributed application severs is becoming a serious problem due to many possible attacks, such as deny of service, illegal intrusion, etc. Because of weakness of the firewall systems in ensuring security, intrusion detection system (IDS) becomes popular. Now, many kinds of IDS systems are available for serving in the Internet distributed system, but these systems mainly concentrate on networkbased and host-based detection. It is inconvenience to integrate these systems to distributed application servers for application-based intrusion detection. An agent-based IDS that can be smoothly integrated into applications of enterprise information systems is proposed in this paper. We will introduce its system architecture, agent structure, integration mechanism, and etc. In such an IDS system, there are three kinds of agents, i.e. client agent, server agent and communication agent. This paper is also to explain how to integrate agents with access control model for getting better security performance. By introducing standard protocol such as KQML, IDMEF into the design of agent, our agent-based IDS shows much more flexible for built in different kinds of software application system.

Jun Gao,Weiming Hu,Xiaoqin Zhang,Xi Li

DOI: https://doi.org/10.1109/wi-iat.2009.113

2009-01-01

Web Intelligence

Abstract:Due to the increasing demands for network security, distributed intrusion detection has become a hot research topic in computer science. However, the design and maintenance of the intrusion detection system (IDS) is still a challenging task due to its dynamic, scalability, and privacy properties. In this paper, we propose a distributed IDS framework which consists of the individual and global models. Specifically, the individual model for the local unit derives from Gaussian Mixture Model based on online Adaboost algorithm, while the global model is constructed through the PSO-SVM fusion algorithm. Experimental results demonstrate that our approach can achieve a good detection performance while being trained online and consuming little traffic to communicate between local units.

Ming-lei SHANG,Feng XU,Jing LU,Hao HUANG

DOI: https://doi.org/10.3969/j.issn.1000-1220.2005.09.015

2005-01-01

Abstract:To improve IDS'(Intrution Detection System) robustness in WAN,after analyzing several typical IDS models, MABDIDSM (Mobile Agent Based Distributed Intrusion Detection System Model) protecting from attack is presented in this paper. Mobile agent circles among the consoles in every LAN and collects intrusion events to manager center in MABDIDSM. These intrusion events are analyzed and processed in manager center.If manager center is paralyzed, mobile agent can elect new manager center from remainder consoles. Thus MABDIDSM is equipped with better capacity of protecting from attack in WAN.

Angelo Barboni,Hamed Rezaee,Francesca Boem,Thomas Parisini

DOI: https://doi.org/10.1109/tac.2020.2998765

IF: 6.549

2020-09-01

IEEE Transactions on Automatic Control

Abstract:Distributed detection of covert attacks for linear large-scale interconnected systems is addressed in this article. Existing results consider the problem in centralized settings. This article focuses on large-scale systems subject to bounded process and measurement disturbances, where a single subsystem is under a covert attack. A detection methodology is proposed, where each subsystem can detect the presence of covert attacks in neighboring subsystems in a distributed manner. The detection strategy is based on the design of two model-based observers for each subsystem using only local information. An extensive detectability analysis is provided and simulation results on a power network benchmark are given, showing the effectiveness of the proposed methodology for the detection of covert cyber-attacks.

automation & control systems,engineering, electrical & electronic

Jianping Zeng,Donghui Guo

2009-01-01

Abstract:Now days, difierent kinds of IDS systems are availablefor serving in the network distributed system, but thesesystems mainly concentrate on network-based and host-based detection. It is inconvenient to integrate these sys-tems into distributed application servers for application-based intrusion detection. An agent-based IDS that canbe smoothly integrated into the applications of enterpriseinformation systems is proposed in this paper and we dis-cuss the system architecture, agent structure, and integra-tion mechanism. Our IDS system consists of three kindsof agents, namely, client agent, server agent and commu-nication agent. This paper also explains how to integrateagents with an access control model for getting better se-curity performance. By introducing standard protocolssuch as KQML, IDMEF into the design of agent, ouragent-based IDS shows how to build more °exible soft-ware applications. Keywords: Agent-based, IDMEF, intrusion detection,KQML 1 Introduction Many application services, such as e-business, remote ed-ucation and Internet-based design, etc, are necessary tobe distributed over the Internet. However, because theInternet is an open society so that anyone can access theresource on it, then the application system may confrontwith all kinds of attacks or intrusions, such as Denial ofService (DoS), port scan, illegal intrusion by hacking userinformation, etc.Of all these security events, illegal intrusion is a moreserious issue. But standard security deployments such asflrewalls are limited in their efiectiveness because of sim-ple access control mode and also the intrusion methodsare evolving fast. Once an attacker has breached the flre-wall, he can roam at will through the network [13]. Thismakes intrusion detection system (IDS) very importantand necessary. Traditionally, there are two main classesof IDSs: host-based and network-based systems. A host-based IDS monitors the detailed activity of a particularhost, while network-based IDS monitors networks of com-puters and other devices such as, routers, gateways, andprimarily detects intrusion by sni–ng and analyzing datafrom network tra–c. Network and host-based IDSs, canbe further classifled based on two methods of detection[17]: anomaly detection and misuse detection.However, Masquerading attack is a typical intrusionand it can be a more serious threat to the security ofcomputer systems and the computational infrastructure[15]. By this kind of attacks, an assailant attempts toimpersonate a legitimate user after gaining access to thislegitimate user’s account. So, the assailant can fully un-derstand the information he gets. While by other kinds ofattacks, he just gets some segment of data or encrypteddata, which is much more di–cult to be understood. Awell-known instance of masquerader activity is about aFBI mode [15]. Since masquerading attack happens ex-actly at application layer, we call the methods to detectthis kind intrusion as application-based intrusion detec-tion. Application-based intrusion is more di–cult to bedetected and the detection program is usually unable toget satisfactory performance for the following reasons:1) Data about user action on system is much more di–-cult to be collected than network-based or host-baseddetection, because of the independency of applicationsystem.2) Application-based detection can degrade the perfor-mance of corresponding application system due tothe extra work that should be done in the process ofdata collection and analysis.3) A masquerader may happen to have similar behav-ioral patterns as the legitimate user, therefore it canescape detection and successfully cause damage un-der the cover of seemingly normal behavior [4].

Yan-guo Wang,Xi Li,Weiming Hu

DOI: https://doi.org/10.1109/icsmc.2008.4811596

2008-01-01

Abstract:With the increasing requirements of fast response and privacy protection, how to detect network intrusions in a distributed architecture becomes a hot research area in the development of modern information security systems. However, it is a challenge to build such a system, given the difficulties brought by the mixed-attribute property of network connection data and the constraints on network communication. In this paper, we present a framework for distributed detection of network intrusions based on a parametric model. The parametric model can explicitly reflect the distributions of different intrusion types and handle the mixed-attribute data naturally. Based on the model, we can generate an accurate global intrusion detector with a very low cost of communication among the distributed detection sites, and no sharing of original network data is needed. Experimental results demonstrate the advantages of the proposed framework in the distributed intrusion detection application.

段海新,吴建平

DOI: https://doi.org/10.13328/j.cnki.jos.2001.09.015

2001-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:An integrative taxonomy for intrusion detection technologies is proposed, which can specify accurately existing intrusion detection methods. Aiming at multiple-domain environments, a distributed cooperative intrusion detection system (DCIDS) is designed, which implements cooperative intrusion detection through efficient, secure information exchange among IDSes in different domain. The architecture of intrusion detection systems is described, as well as its four components: sensor, analyzer, manager and user-interface. Some key issues are also discussed, including secure communication and selection of detection places.

Amod Pandit,R Joe Stanley,Bruce McMillin

Abstract:Intrusion detection systems (IDS) attempt to address the vulnerability of computer-based systems for abuse by insiders and to penetration by outsiders. An IDS is required to examine an enormous amount of data generated by computer networks to assist in the abuse detection process. Thus, there is a need to develop automated tools that address these requirements to assist system operators in the detection of violations of existing security policies. In this research, an automated IDS is proposed for insider threats in a distributed system. The proposed IDS functions as an anomaly detector for insider system operations based on the analysis of the system's log files. The approach integrates dynamic programming and adaptive resonance theory (ART1) clustering. The integrated approach aligns sequences of log events with prototypical sequences of events for performing tasks and classifies the aligned sequences for intrusion detection. The system examined for this research is a Boots System for controlling the movement of boots from one place to another under specific security restrictions related to the boot orders. We present the proposed model, the results achieved and the analysis of an implemented prototype.

CHEN Shuo,AN Chang-qing,LI Xue-nong

DOI: https://doi.org/10.13328/j.cnki.jos.2001.02.010

2001-01-01

Journal of Software

Abstract:The DIDAPPER (distributed intrusion detector with apperception) system presented in this paper is a distributed intrusion detector with apperception. The distributed architecture, the apperception ability and the sharing of knowledge are evident characteristics of the DIDAPPER. This paper focuses on the apperception ability of DIDAPPER. Traffic specimens and IP traps are DIDAPPER's new concepts, which can capture and recognize abnormal traffics and are suitable for monitoring the large scale network attacks. The other aspect of DIDAPPER's apperception ability comes from the neural network algorithm. The BP neural network with learning ability has been applied to traffic analysis, and shows good effect on the recognition of traffic patterns.

Qi Zhang,Ramaprabhu Janakiraman

DOI: https://doi.org/10.7936/K7M043N3

2001-01-01

Abstract: While advances in computer and communications technologyhave made the network ubiquitous, they have also rendered networked systemsvulnerable to malicious attacks orchestrated from a distance. Theseattacks, usually called cracker attacks or intrusions, start with crackers infiltratinga network through a vulnerable host and then going on to launchfurther attacks. Crackers depend on increasingly sophisticated techniqueslike using distributed attack sources. On the other hand, software ...

ZHANG Ran,HE Jing-sha

2005-01-01

Abstract:Based on the analysis of the limitation of traditional intrusion detection systems, the concept of dynamic adaptive IDS is proposed, and a model of dynamic adaptive intrusion detection and response is estab-lished. By dynamic association among its elements and adaptive policies, this model provides dynamic adaptability to the changing environment and attacks with its dynamically configurable architecture, functions, and management. In addition, the concept of coordination domain is proposed in order to facilitate the management of coordinative detection.