YANG Tong,QIAO Xiang-dong,ZHENG Lian-qing

DOI: https://doi.org/10.3969/j.issn.1009-3516.2008.02.021

2008-01-01

Abstract:Snort,one of the best Open Source Network Intrusion Detection Systems,is analysed in detail,in this paper,for the sake of searching network intrusion detection system.Then a solution is proposed to eliminate the redundancy of snort's rule chain.Experiments are done,which show that the solution proposed is correct and effective.Finally,on the basis of ARP technology approach,NIDS is developed with the improved snort as kernel module.Its excellent performance proves the solution to be valid once again.

LONG Xiao-fei,FENG Yan,WANG Rui-jie

DOI: https://doi.org/10.3969/j.issn.1000-7024.2007.03.016

2007-01-01

Abstract:For lackness of knowledge about the context of network hosts,most signature-based NIDSs produce too many false positives,which prevent the administrators from focusing their efforts on real dangerous alerts quickly.A mechanism in NIDS is proposed,which makes a decision before pattern matching to filter unnecessary intrusion rules for matching,by utilizing the software information of the target hosts,to mitigate false positives drastically.This method is implemented in the prototype system.The result of testing on typical intranet shows that this method surely mitigate false positives and improve quality of alerts in NIDS.

Kevin McAreavey,Weiru Liu,Paul Miller,Kedian Mu

DOI: https://doi.org/10.1142/s1793351x11001274

2011-01-01

Abstract:In this preliminary study, we investigate how inconsistency in a network intrusion detection rule set can be measured. To achieve this, we first examine the structure of these rules which are based on Snort and incorporate regular expression (Regex) pattern matching. We then identify primitive elements in these rules in order to translate the rules into their (equivalent) logical forms and to establish connections between them. Additional rules from background knowledge are also introduced to make the correlations among rules more explicit. We measure the degree of inconsistency in formulae of such a rule set (using the Scoring function, Shapley inconsistency values and Blame measure for prioritized knowledge) and compare the informativeness of these measures. Finally, we propose a new measure of inconsistency for prioritized knowledge which incorporates the normalized number of atoms in a language involved in inconsistency to provide a deeper inspection of inconsistent formulae. We conclude that such measures are useful for the network intrusion domain assuming that introducing expert knowledge for correlation of rules is feasible.

Fei Yu,Renfai Li,Miaoliang Zhu,Bin Jiang

DOI: https://doi.org/10.1109/wcica.2004.1342337

2004-01-01

Abstract:Effective intrusion detection is necessary for system security. This paper describes an inference machine based on the FRete algorithm using the classic Rete algorithm, which can carry out intellectual reasoning on suspicious data in network. In order to improve the match efficiency of the inference machine, node in mode net is added into the inclusive brother's chain, the connection joint of the same production type in the network is divided into equivalence form according to variable restrain. Finally, a distributed intrusion detection system based on FRete network algorithm is realized.

Long Huang,Longlong Zhu,Jiashuo Yu,Xinyang Chen,Linying Zheng,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/lcn60385.2024.10639711

2024-01-01

Abstract:Packet classification is a crucial component of modern networks. Existing decision tree-based algorithms alleviate the rule replication problem caused by overlapping rules in the ruleset via rule partitioning. They partition the ruleset into multiple subsets based on rule characteristics to reduce rule overlaps. However, existing algorithms fail to address the overlap between rules in the same set, seriously decreasing speed and memory performance. In this paper, we propose DOT, a framework for optimizing rule partitions before constructing decision trees. Its key idea is to migrate rules in subsets based on rule overlaps and the features of heuristics used to construct trees, as well as reorganize rules aided by tuples. DOT finds out the migrated rule candidates using rule dependency graphs and heuristic features, then transforms the rule migration problem into an integer linear programming problem and solves for the optimal migration strategy. Further, we employ a tuple-assisted approach to accelerate rule matching. Experiments show that DOT enhances existing decision tree-based algorithms, improving lookup speed by 1.69 ×, reducing average 24.85% memory consumption and 31.03% decision tree depth.

方杰,许峰,黄皓

2005-01-01

Journal of Computer Applications

Abstract:Rule based intrusion detection system is the mainstream of intrusion detection systems. For every incoming network packet, a scheme of creating a single rule set for pattern match was discussed. This scheme could reduce the work of pattern match, and improve the efficiency of system.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

尚凤军,潘英俊,潘雪增,毕斌

2008-01-01

Abstract:The typical IP classification algorithms was surveyed and a novel IP classification scheme was proposed based on the stochastic distribution, which is based on non-collision hash Trie-tree algorithm and XOR hash algorithm. The core of algorithm consists of three parts: structure the non-collision hash function, which is constructed mainly based on destination/source port and protocol type field so that the hash function usually can avoid space explosion problem; intro- duce multibit Trie-tree based the key value of XOR hash in order to reduce time complexity; lookup every rule index to en- sure the validity that the final rule index was got. The test results show that the classification rate of multibit Trie tree algo- rithm is up to 2 million packets per second and the maximum memory consumed is 1MB for 10 000 rules.

Uwe Aickelin,Jamie Twycross,Thomas Hesketh-Roberts

DOI: https://doi.org/10.1504/ijesdf.2007.013596,

2007-01-01

International Journal of Electronic Security and Digital Forensics

Abstract:Intrusion Detection Systems (IDSs) provide an important layer of security for computer systems and networks. An IDS's responsibility is to detect suspicious or unacceptable system and network activity and to alert a systems administrator to this activity. The majority of IDSs use a set of signatures that define what suspicious traffic is, and SNORT is one popular and actively developing open-source IDS that uses such a set of signatures known as SNORT rules. Our aim is to identify a way in which SNORT could be developed further by generalising rules to identify novel attacks. In particular, we attempted to relax and vary the conditions and parameters of current SNORT rules, using a similar approach to classic rule learning operators such as generalisation and specialisation. We demonstrate the effectiveness of our approach through experiments with standard data sets and show that we are able to detect previously undetected variants of various attacks.

Weitong CHEN,Yuntao QIAN

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.16.050

2006-01-01

Abstract:This paper presents a network intrusion detection method based on Rough Set theory,and use a hybrid method with genetic algorithm to find a possibly short reduct which can reduce computing time.The result of the experiment shows that this model has high detection rate and low false reject rate in detecting DoS and probe attacks,and performs well in detecting R2L and U2R attacks either.

Lu Guang,Yu Fei,Guangxue Yue,Miaoliang Zhu

DOI: https://doi.org/10.1109/imsccs.2006.287

2006-01-01

Abstract:The research community is interested in finding effective methods to detect network traffic anomalies such as the propagation of a new worm, and to raise alarm in time. In this paper we research the principle that the number of network traffic can affect self-similarity of network traffics, and analyze the variety of self-similarity caused by abnormal network traffic. We propose a network traffic model on normal behaviors of users. An approach, which is applied to determine whether or not abnormal network traffic exists by comparing Hurst parameter with predefined threshold, is also presented. At last, implementation of network worm detecting agent in NP is described. Results of evaluation show that detecting agent performs very well in test-bed.

Xinming Chen,Yiyao Wu,Lianghong Xu,Y. Xue

2009-01-01

Abstract:As security threats and network bandwidth increase in a very fast pace, there is a growing interest in designing highperformance network intrusion detection system (NIDS). This paper presents a parallelization strategy for the popular open-source Snort to build a high performance NIDS on multi-core IA platform. A modular design of parallel NIDS based on Snort is proposed in this paper. Named Para-Snort, it enables flexible and easy module design. This paper also analyzed the performance impact of load balancing and multi-pattern matching. Modified-JSQ and AC-WM algorithms are implemented in order to resolve the bottlenecks and improve the performance of the system. Experimental results show that Para-Snort achieves significant speedup of 4 to 6 times for various traces with a 7-thread parallelizing test setup.

GUO Shan-Qing,XIE Li,ZENG Ying-Pei

DOI: https://doi.org/10.3321/j.issn:0254-4164.2006.09.003

2006-01-01

Abstract:Progress has been made in using machine learning techniques such as SVM and neural networks for intrusion detection,but the non-understandable detection results have prevented those algorithms from being thoroughly utilized.In this paper,the authors put forward a novel huge-data oriented method,which was based on the popular association rules extraction algorithm and targeted at the result of intrusion detection,to build real-time rules for enhancing the understanding of detection results and therefore decrease possible loss.The algorithm,by introducing local support,global confidence,CI-Tree and IX-Tree structure,employed these tree structures to build online rules for currently active intrusion.This algorithm solved a number of problems that exist in applying association rules algorithm to intrusion detection:(1)multi-scan(twice at least);(2)mass useless rules due to unbalanced distribution of attacking data;(3)unwanted frequent set produced in the old two-phase rule-building method.Experimental results have demonstrated the method's good performance in both rule building efficacy and time efficiency.

Chenxi Li,Jiahai Yang,Guo Li,Kang Wang

DOI: https://doi.org/10.1109/LCNSymposium47956.2019.9000666

2019-01-01

Abstract:With the emergence of Network Function Virtualization (NFV) technology, researchers start to implement typical software Intrusion detection Systems (IDS) as Virtual Network Function (VNF) to improve the scalability of IDS deployment. Determining the setups and configurations of every instance to optimize VNF performance is one of the core challenges in NFV scenario. Previous researches mainly focus on how IDS performs under different Virtual Machine (VM) setups and just load its default configuration. However, when loading different rulesets and running IDS under different VM setups, the default configuration may not always lead to optimal performance. In this paper, we focus on the configuration problem of Snort. We propose a lightweight estimation algorithm to auto configure the most performance-related part of Snort - Fast Pattern Matcher (FPM). We firstly explore how those options make influence on Snort's packet detection by several measurement experiments. Then we summarize some basic principles to design our auto configuration algorithm. At last, we implement the algorithm to evaluate its accuracy and efficiency. The result shows our algorithm can seek a better configuration than the default one in various situations; in the meanwhile, it just takes a few seconds to run the algorithm, which is important if we want to import an auto configuration modular into NFV dynamic and elastic scheduling strategy.

YU-XIN DING,MIN XIAO,AI-WU LIU,Yu-Xin Ding,Min Xiao,Ai-Wu Liu

DOI: https://doi.org/10.1109/icmlc.2009.5212282

2009-07-01

Abstract:Since most of current intrusion detection systems (IDS) only use one of the two detection methods, misused detection or anomaly detection, both of them have their own limitations. In this paper, the technique that combines misuse detection system with anomaly detection system (ADS) is used. The hybrid intrusion detection system (HIDS) contains three sub-modules, misused detection module, anomaly detection module and signature generation module. The basis of misused detection module is snort. Anomaly detection module is constructed by using frequent episode rule. And signature generation module is based on a variant of Apriori algorithm. Misused detection module uses the signature of attacks to detection the known attacks. Anomaly detection module can detect the unknown attacks and signature generation module extracts the signature of attacks that are detected by ADS module, and maps the signatures into snort rules.

Yang Tong,Wang Si-si,Qiao Xiang-dong,Chen Qi

DOI: https://doi.org/10.1109/WICOM.2009.5302544

2009-01-01

Abstract:when network is overload, snort spends a lot of time to matching rules. The algorithm determines the performance of intrusion detection system to a large extent. Snort adopts BM algorithm in default, in order to enhance the efficiency of network intrusion detection system which is based on snort, this paper analyzes BM algorithm firstly, and proposes an improved algorithm. Secondly, this thesis compares the two algorithms (BM algorithm and the improved BM algorithm) theoretically, and does a quantitative description of the extent of the improved BM algorithm according to the experimental results. Finally, the improve BM algorithm is applied to the network intrusion detection system, and have achieved good results.

Yu Jianming,Xue Yibo,Li Jun

DOI: https://doi.org/10.1016/s1007-0214(07)70137-2

2007-01-01

Tsinghua Science & Technology

Abstract:As the core algorithm and the most time consuming part of almost every modern network intrusion management system (NIMS), string matching is essential for the inspection of network flows at the line speed. This paper presents a memory and time efficient string matching algorithm specifically designed for NIMS on commodity processors. Modifications of the Aho-Corasick (AC) algorithm based on the distribution characteristics of NIMS patterns drastically reduce the memory usage without sacrificing speed in software implementations. In tests on the Snort pattern set and traces that represent typical NIMS workloads, the Snort performance was enhanced 1.48%-20% compared to other well-known alternatives with an automaton size reduction of 4.86-6.11 compared to the standard AC implementation. The results show that special characteristics of the NIMS can be used into a very effective method to optimize the algorithm design.

Ziming Zhao,Zhaoxuan Li,Xiaofei Xie,Jiongchi Yu,Fan Zhang,Rui Zhang,Binbin Chen,Xiangyang Luo,Ming Hu,Wenrui Ma

DOI: https://doi.org/10.1109/tnet.2024.3413789

2024-01-01

Abstract:Anomaly-based network intrusion detection systems (NIDSs) are essential for ensuring cybersecurity. However, the security communities realize some limitations when they put most existing proposals into practice. The challenges are mainly concerned with fine-grained unknown attack detection and ever-changing legitimate traffic adaptation. To tackle these problem, we present three key design norms. The core idea is to construct a model to split the data distribution hyperplane and leverage the concept of isolation, as well as advance the incremental model update. We utilize the isolation tree as the backbone to design our model, named, to echo back three norms. By analyzing the popular dataset of network intrusion traces, we show that significantly outperforms the state-of-the-art methods. Further, we perform an initial deployment of by working with the Internet Service Provider (ISP) to detect distributed denial of service (DDoS) attacks. With real-world tests and manual analysis, we demonstrate the effectiveness of to identify previously-unseen attacks in a fine-grained manner.

Chenghua Tang,Yi Xie

DOI: https://doi.org/10.1109/ieec.2010.5533264

2010-07-01

Abstract:In order to solve the implementation efficiency problem of the network information system security policy, an improved object-oriented Rete algorithm and network structure model are proposed. The control methods of the nodes and tokens in the matching algorithm with the pattern join order are studied, that core idea is to use the separate matches to construct matching tree dynamically based on content for achieving significantly reduce the computational results. The improved object-oriented Rete optimize network structure based on the extended Rete class structure is proposed. Result shows that the algorithm and network structure can effectively improve the efficiency of system implementation.