Fang Jinhe,Feng Yan,Wang Ruijie

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.18.048

2006-01-01

Abstract:After discussing the constraints of current intrusion detection systems(IDS),we issue two problems should be considered in developing an adaptive IDS,one is to select the time to update the normal profile and the other is to select a mechanism to update the profile.To resolve the first problem,we calculate the similarity between the incremental audit data and the normal profile and then decide whether to and when to update the profile.To resolve the second problem,we employ a sliding window approach and use only the audit data inside that sliding window to update the profile.The window therefore acts to filter out outdated audit data and to build a profile based on only recent data that reflects the recent system activities.

Yue Shen,Fei Yu,Ling-Fen Zhang,Ji-Yao An,Miao-Liang Zhu

DOI: https://doi.org/10.1109/CANET.2005.1598184

2005-01-01

Abstract:Intrusion detection is an efficient way to protect information system. This paper puts forward a new method of anomalous intrusion detection based on system call. It uses system calls regarded as input, and creates a FSA for the functions in the program. Then the FSA is used to detect the attack. Moreover, It can find the place of the vulnerability which exists in the program. This can help to alter the source program. Results are shown that this method is effective for some intrusion events.

胡敏,潘雪增,平玲娣

DOI: https://doi.org/10.3969/j.issn.1001-3695.2004.01.033

2004-01-01

Abstract:This paper focuses on issures related to deploying a data mining-based IDS (Intrusion Detection System) in a real time environment To overcome the limitations of traditional IDS, the corresponding solutions to accurracy, efficiency and usability is presented.These solutions impove efficiency of traditional DOS and maintain a desired accuracy level. This paper also proposed an architecture consisting of sensors, detectors, a data warehouse and model generation components. This architecture facilitates the sharing and storage of audit data and the distribution of new or updated models. Also, it improves the efficiency and scalability of the traditional IDS.

Yu Fei,Zhu Miao-liang,Chen Yu-feng,Li Ren-fa,Xu Cheng

DOI: https://doi.org/10.1007/bf02828642

2005-01-01

Abstract:Intrusion detection system can make effective alarm for illegality of network users, which is absolutely necessarily and important to build security environment of communication base service. According to the principle that the number of network traffic can affect the degree of self-similar traffic, the paper investigates the variety of self-similarity resulted from unconventional network traffic. A network traffic model based on normal behaviors of user is proposed and the Hurst parameter of this model can be calculated. By comparing the Hurst parameter of normal traffic and the self-similar parameter, we can judge whether the network is normal or not and alarm in time.

Lin Yang,Liu Guiquan,Yang Lishen

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.11.057

2006-01-01

Abstract:Frequent alarms and high false rate are nearly unavoidable in intrusion detection. For the situation, a method of alarm deviation analysis in intrusion detection is proposed in this article. It not only mitigates the impact of frequent alarms but also minimizes the effect of false alarms through integrative evaluation. The testing result shows the effectiveness of the method.

ZHANG LILI,CAO TIANJIE

DOI: https://doi.org/10.3969/j.issn.1008-0570.2008.06.025

2008-01-01

Abstract:To be dead against the high false alarm rate,leakage rate,numerous detection algorithm,the passive response pattern and other such problem,a collaboration-based intelligent intrusion detection system was proposed. This technique is fully integrated with the advantages of some intrusion detection algorithm to make those scheme achieve optimal detection performance. Further more,this system could joint security and safety equipment and technology in response,change from passive to active. It forms a cooperative intrusion detection system of both detection and response.

Wen Ying,Hu Wei,Li Jianhua

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.08.047

2006-01-01

Abstract:Intrusion detection is an important measure to safeguard the network security.Due to the fact that current ID systems have too many alerts and lack of inter-cooperation,the paper presents an alerts process system model based on alert fusion and correlation.The model has the advantage of low redundant alert number and high intrusion detection performance.In addition,it can help anticipate the real intention of attackers￡?thus greatly improve the system's efficiency as well as further enhance the robustness of the network.

YU-XIN DING,MIN XIAO,AI-WU LIU,Yu-Xin Ding,Min Xiao,Ai-Wu Liu

DOI: https://doi.org/10.1109/icmlc.2009.5212282

2009-07-01

Abstract:Since most of current intrusion detection systems (IDS) only use one of the two detection methods, misused detection or anomaly detection, both of them have their own limitations. In this paper, the technique that combines misuse detection system with anomaly detection system (ADS) is used. The hybrid intrusion detection system (HIDS) contains three sub-modules, misused detection module, anomaly detection module and signature generation module. The basis of misused detection module is snort. Anomaly detection module is constructed by using frequent episode rule. And signature generation module is based on a variant of Apriori algorithm. Misused detection module uses the signature of attacks to detection the known attacks. Anomaly detection module can detect the unknown attacks and signature generation module extracts the signature of attacks that are detected by ADS module, and maps the signatures into snort rules.

WU Qing-tao,SHAO Zhi-qing

DOI: https://doi.org/10.3969/j.issn.1001-3695.2005.12.004

2005-01-01

Abstract:Intrusion detection,as one of the most active and important network security technology,can compensate the shortcomings of traditional security protection measure.Through building dynamic security cycle,it can promote the protection capacity of system and reduce the security threats as great as possible. An overview of basic issues on intrusion detection is shown in this paper,which is involved with three main aspects of intrusion detection,including Intrusion Detection System(IDS) architecture,intrusion detection methods and IDS evaluation.Firstly,three kinds of IDS architectures are analyzed.Then,current intrusion detection models are given,and their merits or shortcomings are discussed in detail.Finally,some future promi￣sing directions are presented.

Ping Yi,Hongkai Xing,Yue Wu,Linchun Li

2009-01-01

Abstract:IDS may result in many intrusion alerts. A general approach for solving this problem is to do some correlation analysis with these alerts and build attack scenario. Author presents a method for alert correlation through results tracing back to reasons. According to hacker attacks linked to a certain sequence characteristics, we correlate the alerts through results tracing back to reasons and gain the correlated alerts. This method can found internal relations of invasion, to accurately identify intrusion targets. Through succeed attacks to match the previous attacks, we can greatly reduce the volume of data, and improve speed and efficiency for correlation analysis.

Zhang Yunpeng,Hu Fei,Ma Chunyan,Lu Wei,Li Mei

DOI: https://doi.org/10.3321/j.issn:1002-8331.2005.35.045

2005-01-01

Abstract:This paper establishes and accomplishes the intrusion detection system,SC-IDS.It combines the knowledge-based IDS and anomaly-based IDS into a system,it accords with P2DR model and the distributed framework.It surmounts the shortcoming of traditional ways of detection,for example,high false positive and false negative rate;can't adapt large-scale network;can't cooperate with other security product etc.It gains a good effect after operation.

Yi Ping,Xing Hongkai,Wu Yue,Cai Jiwen

DOI: https://doi.org/10.1109/cmc.2009.327

2009-01-01

Abstract:IDS may result in many intrusion alerts. A general approach for solving this problem is to do some correlation analysis with these alerts and build attack scenario. Author presents a method for alert correlation through results tracing back to reasons. According to hacker attacks linked to a certain sequence characteristics, we correlate the alerts through results tracing back to reasons and gain the correlated alerts. This method can found internal relations of invasion, to accurately identify intrusion targets. Through succeed attacks to match the previous attacks, we can greatly reduce the volume of data, and improve speed and efficiency for correlation analysis.

Anbang Wang,Xinyu Gong,Jialiang Lu

DOI: https://doi.org/10.1109/smartcloud.2019.00028

2019-01-01

Abstract:With the development of network technology and the updating of intelligent networking devices, the variety of cyber attacks and the number of users being attacked are increasing. Intrusion Detection Systems (IDS) are commonly used in the field of network security to detect anomalous activity and behavior. Many previous works have achieved high detection accuracy on standard testing data sets by implementing mature Machine Learning (ML) algorithms. Inspired by the network ontology researches,, we propose two Long Short-Term Memory (LSTM) based IDSs with deep feature extraction: multi-class feature extraction IDS and dual-class feature extraction IDS. Through our experiments on the CICIDS2017 data set, we have found that multi-class feature extraction IDS can better identify the types of cyber attacks while the dual-class feature extraction IDS can better recall new attacks. We conclude that when the structure and characteristics of the classifier are limited, a reasonable selection of the feature extraction space can help improve the characteristics of the classifier and better achieve the downstream tasks in the security field.

刘密霞,张秋余,赵宏,余冬梅

DOI: https://doi.org/10.3969/j.issn.1001-3695.2008.10.068

2008-01-01

Abstract:At first,this paper studied technology and method of alert correlation for analyzing their advantages and disadvantages.Then,presented alert correlation model based on multi-sources data fusion.After that,discussed evaluation dataset for analyzing their used scope and existent problems.At last,described future research and development.

李家春,李之棠

DOI: https://doi.org/10.3969/j.issn.1001-3695.2001.12.002

2001-01-01

Abstract:Intrusion Detection system(IDS) is an importance part of computer network security system.In this paper,classifies ,development,study trend and directions are thorough discussed,that research and developing homemade IDS is promising and importance is pointed out.

SHI Mei-Lin,QIAN Jun,XU Chao

2006-01-01

Computer Science

Abstract:Intrusion detection technology has been an indispensable part of information security metrics, but till now no standard is widely accepted to evaluate the effectiveness and accuracy of intrusion detection systems (IDS). Thus, both the end users and researchers have doubt on the effectiveness of IDS and algorithms. The key point of the solution is to construct a precise and comprehensive methodology for IDS evaluation. Researchers have proposed several IDS evaluation methods, such as dataset evaluation proposed by MIT Lincoln Lab and Open Security Evaluation Criteria proposed by Neohapsis, etc. According to the evaluation results researchers may look through the weak point of current intrusion detection technologies and thus improve on them. In this paper we present a detail analysis of dataset evaluation methodology proposed by MIT Lincoln Lab and point out the key problems of dataset evaluation methodology. We also propose an improving research plan as our furthering work in order to update the evaluation dataset.

ZHANG Jun,SU Pu-rui,FENG Deng-guo

2006-01-01

Journal of Computer Applications

Abstract:The technology of Intrusion Detection is one of the important measures to protect the networks.Host-based intrusion detection is used to protect the key hosts.A flexible loading intrusion detection based on system-call was introduced in this paper.This system improved the common data collection method,and adopted virtual equipment driversto acquire system call.This method brings small influence on system,is easy to load and unload,and provides the standard interface. The data analysis integrates the two detection methods: anomaly and misuse,which provides corresponding detection models and introduces the noise filtering function.

陈丽丽,李卫,管晓宏,祝春华

DOI: https://doi.org/10.3969/j.issn.1000-7180.2004.06.035

2004-01-01

Abstract:NIDS (Network Intrusion Detection System) as an important security protection tool has become a hotspot for research. We introduce the basic concept of IDS and its primary components and common classification first, then we present the framework of a net-based IDS and its implementation in detail. We put forward our views about the current research of IDS and its prospect last.

YANG Kun,LUO Guang-chun,LU Xian-liang

DOI: https://doi.org/10.3969/j.issn.1001-0548.2006.05.024

2006-01-01

Abstract:This paper introduces a method of intrude detection based on data fusion, and presents a new mechanism-DFIDM. In DFIDM, a few of sensors are configured to collect data, such as log file, information of network traffics and data package of network. After some pretreatments such as local decision-making, Data refinement, and object refinement, these data will be transferred to fusion center. In this paper, we mainly research the multiple parameters of final decision-making, such as reliability of sensors, the factor of time, the factor of space. As it showed by the research result this mechanism can improve the veracity of IDS.

李小勇,刘东喜,谷大武,白英彩

DOI: https://doi.org/10.3321/j.issn:1006-2467.2004.04.011

2004-01-01

Abstract:Indirect attack is one of the important means used by network attackers to conceal themselves. This paper presents an intruder locating system based on network intrusion detection, which can trace back the indirect attack in controlled network environment. The sensors distributed in network detect attacks, gather attack fingerprint and then send alarm information to the central analyzer, which correlates alarm information and constructs attack path to obtain the intruder's origin network address. Compared with the other systems available, this system is more accurate and scalable, and can trace back intruder's address in real time.