Peng Ning,X. Sean Wang,Sushil Jajodia

2000-01-01

Abstract:It is essential for intrusion detection systems to share information in order to discover attacks involving multiple sites. Common Intrusion Detection Framework (CIDF) is an important step towards enabling di erent intrusion detection and response (IDR) components to interoperate with each other. Although CIDF provides an infrastructure and language support that allows an IDR component to understand the information sent by another component, it does not contain a facility for a component to request speci c information from other components. The lack of such a facility may result in a waste of processing time, storage capacity and network bandwidth. This paper proposes an extension to the Common Intrusion Speci cation Language (CISL), the language adopted by CIDF, to model requests among CIDF components. The extension is simple and consistent with the original CISL. Each request for information is described as a pattern for relevant information and an optional format speci cation for the responding message. The use of pattern in modeling requests not only provides a way to represent queries, but also leads to a potential reuse of signature-based intrusion detection software.

Peng Ning,Sushil Jajodia,X. Sean Wang

DOI: https://doi.org/10.1007/978-1-4615-0467-2_5

2004-01-01

Abstract: In this chapter, we apply the formal model that we developed in Chapter 4 to provide a query facility for Common Intrusion Detection Framework (CIDF).

Yanan Zhang,Jingru Xing,Yaozong Xu,Maode Ma,Cong Wang

DOI: https://doi.org/10.1007/978-981-97-5606-3_22

2024-01-01

Abstract:Named Data Networking (NDN) is one of the potential Future Internet Architectures, shifting from the traditional host-centric architecture to a data-centric one. Collusion Interest Flooding Attacks (CIFAs) is a new type of attack that intermittently sending malicious Interests to overwhelm the Pending Interest Table (PIT). Collusive producers working with the attackers respond to these malicious Interest packets just before they expire in the PIT, thereby disguising their attacks as legitimate, which makes detection methods against Interest Flooding Attacks (IFAs) unable to identify CIFAs. This paper proposes the DM-CIFA scheme, which aggregates decision tree and K-means algorithm for effective detection and mitigation of CIFAs. Firstly, a decision tree is trained to monitor the number of entries in the PIT, and the throughput of Interest and Data packets of the router for attack detection. Then the malicious prefix identification algorithm, based on the K-means algorithm, is activated after an attack is detected. Additionally, the bottleneck router mitigating CIFAs by informing the next hop router with a signed Interest packet (SIP) that carry the malicious prefixes to pinpoint attackers and reject forwarding malicious Interests. The simulation results demonstrate the proposed DM-CIFA has high sensitivity towards CIFAs and the capability to effectively mitigate the attack's effects on the NDN.

陈林,王申康

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.04.045

2005-01-01

Abstract:This article firstly introduces the generator in an IDS system firmly based on CIDF, then its implementation is provided. Due to its reusable character, it can be used in other IDS systems for reference.

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

Peng Ning,Sushil Jajodia,X. Sean Wang

2013-01-01

Abstract:Intrusion Detection In Distributed Systems: An Abstraction-Based Approach presents research contributions in three areas with respect to intrusion detection in distributed systems. The first contribution is an abstraction-based approach to addressing heterogeneity and autonomy of distributed environments. The second contribution is a formal framework for modeling requests among cooperative IDSs and its application to Common Intrusion Detection Framework (CIDF). The third contribution is a novel approach to coordinating different IDSs for distributed event correlation.

Zhi Wang,Leshi Shao,Kai Cheng,Yuanzhao Liu,Jianan Jiang,Yuanping Nie,Xiang Li,Xiaohui Kuang

DOI: https://doi.org/10.1002/int.22877

IF: 8.993

2022-03-27

International Journal of Intelligent Systems

Abstract:Many machine‐learning‐based intrusion detection methods have been proposed, however there is a lack of collaboration among these methods. Faced with a cascade of malicious behaviors and various running environments, coupled with the endless emergence of new malicious activities, it is difficult for us to choose an algorithm manually that is suitable for all scenarios. In addition, usually the binary detection models are applied that only “normal” or “abnormal” decision is made, and it is difficult for us to know how much confidence we have in the prediction model. In this study, we propose an intrusion collaborative detection framework (ICDF), an ICDF that allows heterogeneous detection models to effectively work together which have complementary expertise. A multialgorithm model ensemble learning method with confidence interval is adopted. In this process, each algorithm model only makes prediction judgments on its own credible probability interval and refuses to predict outside the interval. The final result is generated by voting based on the confidence of multiple models. Ten detection algorithms were tested on three different data sets. Compared with different single algorithms, ICDF could achieve high precision and recall rate, and the best F1 scores.

computer science, artificial intelligence

Dong Yongle,Qian Jun,Shi Meilin

DOI: https://doi.org/10.1109/CCECE.2003.1226031

2003-01-01

Abstract:Widespread attacks involving multiple hosts/networks happen more frequently as internetworking among computer systems via the Internet becomes more widely and keeps rapid increase. Due to lack of information, it can be quite difficult for conventional intrusion detection systems to identify such attacks in progress. Cooperative intrusion detection, on the basis of information sharing, is proved as a necessary measure to detect widespread attacks by other researcher D. Frincke (2000), Polla, D. et al., (1998). This paper presents a cooperative approach for intrusion detection that provides a method for individual ID components working cooperatively to perform concerted detections. Being constructed on the basis of ID components, CoIDS can adopt both existed (usually more mature) and new ID techniques. This makes CoIDS extensible and scalable. In addition, an ID component is essentially an autonomous agent, which makes CoIDS available with certain loss of functionality even when the intrusion detection manager does not work. Its reliability is also improved because failure of one ID component will not cause any other to stop working. Furthermore, it improved the accuracy of detection for conventional intrusions by validating analysis result with data from different ID components.

Zayed alhaddad, Mostafa Hanoune, Abdelaziz Mamouni

DOI: https://doi.org/10.17762/ijcnis.v8i3.1950

2022-04-17

International Journal of Communication Networks and Information Security (IJCNIS)

Abstract:In recent years, Cloud computing has emerged as a new paradigm for delivering highly scalable and on-demand shared pool IT resources such as networks, servers, storage, applications and services through internet. It enables IT managers to provision services to users faster and in a cost-effective way. As a result, this technology is used by an increasing number of end users. On the other hand, existing security deficiencies and vulnerabilities of underlying technologies can leave an open door for intruders. Indeed, one of the major security issues in Cloud is to protect against distributed attacks and other malicious activities on the network that can affect confidentiality, availability and integrity of Cloud resources. In order to solve these problems, we propose a Collaborative Network Intrusion Detection System (C-NIDS) to detect network attacks in Cloud by monitoring network traffic, while offering high accuracy by addressing newer challenges, namely, intrusion detection in virtual network, monitoring high traffic, scalability and resistance capability. In our NIDS framework, we use Snort as a signature based detection to detect known attacks, while for detecting network anomaly, we use Support Vector Machine (SVM). Moreover, in this framework, the NIDS sensors deployed in Cloud operate in collaborative way to oppose the coordinated attacks against cloud infrastructure and knowledge base remains up-to-date.

李辉,蔡忠闽,韩崇昭,管晓宏

DOI: https://doi.org/10.3969/j.issn.1000-1220.2003.09.008

2003-01-01

Abstract:State of the art of the Intrusion Detection technology is investigated and a new IDS inference framework and prototype based on information fusion is proposed. The new framework is to solve the problems of existing IDS——high false positive rate and incapable of detection of coordinated attacks. The prototype employ Bayesian Network to do information fusion and goal-tree to analyze intensions of coordinated attacks and quantify the security risk of system. The prototype is more integral than existing IDS and easier to find coordinated attacks with lower false positive rate.

SJ Zhou,ZG Qin,XC Luo,XF Zhang,F Zhang,JD Liu

DOI: https://doi.org/10.1109/pdcat.2003.1236280

2003-01-01

Abstract:Flexible intrusion detection and response system (ID&R) needs to maximize security while minimizing cost and making response automatically. (CID)-D-2&R, the Cost-based Intelligent Intrusion Detection and Response System, is proposed in the paper, which is originally developed as a facility to deal with network-based attacks and to make effective response automatically and intelligently. The networking environment deployed with the (CID)-D-2&R consists of two major parts: Guard, which runs on the specific Guarded Host (GH), and Spy, which runs in Guarded Network (GN). The components of the (CID)-D-2&R are introduced, which include intrusion detection, attack classification, damage analysis, attack path rebuilding, resources automatically safeguarding, calamity recovery, and security Officer. The several kinds of data flow in (CID)-D-2&R are discussed, too. While (CID)-D-2&R is only a prototype, some experimental results are also presented.

张民,罗光春

DOI: https://doi.org/10.3969/j.issn.1001-0548.2009.02.24

2009-01-01

Abstract:Intrusion detection message exchange format (IDMEF) standard has been widely used in intrusion detection system (IDS). This paper proposes an architecture of large scale cooperative IDS based on IDMEF. The design and implementation of the cooperative IDS are discussed by the means of Prelude framework and development suite. The deployment and application of this architecture on CERNET are finally analyzed.

SJ Zhou,ZG Qin,Q Lu,XC Luo,JD Liu

DOI: https://doi.org/10.1109/icapp.2002.1173599

2002-01-01

Abstract:Intrusion detection and response system (ID&R) need to maximize security while minimizing cost and taking response automatically. CI/sup 2/D&R, the Cost-based Intelligent Intrusion Detection and Response System, is originally developed as facilities for deal with network-based attacks automatically and intelligently. This paper provides an overview of CI/sup 2/D&R architecture. The primary components of CI/sup 2/D&R and their functions are also probed into. What is more, the data flow of CI/sup 2/D&R is discussed and compared. Finally, the related work is touched on and conclusions are drawn.

段海新,吴建平

DOI: https://doi.org/10.13328/j.cnki.jos.2001.09.015

2001-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:An integrative taxonomy for intrusion detection technologies is proposed, which can specify accurately existing intrusion detection methods. Aiming at multiple-domain environments, a distributed cooperative intrusion detection system (DCIDS) is designed, which implements cooperative intrusion detection through efficient, secure information exchange among IDSes in different domain. The architecture of intrusion detection systems is described, as well as its four components: sensor, analyzer, manager and user-interface. Some key issues are also discussed, including secure communication and selection of detection places.

Peng Ning,Sushil Jajodia,Xiaoyang Sean Wang

DOI: https://doi.org/10.1145/503339.503342

2001-01-01

ACM Transactions on Information and System Security

Abstract:Abstraction is an important issue in intrusion detection, since it not only hides the difference between heterogeneous systems, but also allows generic intrusion-detection models. However, abstraction is an error-prone process and is not well supported in current intrusion-detection systems (IDSs). This article presents a hierarchical model to support attack specification and event abstraction in distributed intrusion detection. The model involves three concepts: system view , signature , and view definition . A system view provides an abstract interface of a particular type of information; defined on the instances of system views, a signature specifies certain distributed attacks or events to be monitored; a view definition is then used to derive information from the matches of a signature and presents it through a system view. With the three elements, the model provides a hierarchical framework for maintaining signatures, system views, as well as event abstraction. As a benefit, the model allows generic signatures that can accommodate unknown variants of known attacks. Moreover, abstraction represented by a system view can be updated without changing either its specification or the signatures specified on its basis. This article then presents a decentralized method for autonomous but cooperative component systems to detect distributed attacks specified by signatures. Specifically, a signature is decomposed into finer units, called detection tasks , each of which represents the activity to be monitored on a component system. The component systems (involved in a signature) then perform the detection tasks cooperatively according to the "dependency" relationships among these tasks. An experimental system called CARDS has been implemented to test the feasibility of the proposed approach.

Yawei Zhang,Xiaojun Ye,Feng Xie,Yong Peng

DOI: https://doi.org/10.1109/CIT.2009.69

2009-01-01

Abstract:Security mechanisms within DBMSs are far from effective to detect and prevent anomalous behavior of applications and intrusions from attackers. In fact, intrusions executed by unauthorized users to explore system vulnerabilities, and malicious database transactions executed by authorized users, both cannot be detected and prevented by typical security mechanisms. In this paper we proposed a database intrusion detection system architecture based on the database communication content detection mechanism. Implementation strategies for main components are detailed. Besides, we investigate several critical intrusion detection approaches used in the practice.

Zhichun Li,Yan Chen,Aaron Beach

DOI: https://doi.org/10.1145/1162666.1162669

2006-01-01

Abstract:Traffic anomalies and distributed attacks are commonplace in today's networks. Single point detection is often insufficient to determine the causes, patterns and prevalence of such events. Most existing distributed intrusion detection systems (DIDS) rely on centralized fusion, or distributed fusion with unscalable communication mechanisms. In this paper, we propose to build a DIDS based on the emerging decentralized location and routing infrastructure: distributed hash table (DHT). We embed the intrusion symptoms into the DHT dimensions so that alarms related to the same intrusion (thus with similar symptoms) will be routed to the same sensor fusion center (SFC) while evenly distributing unrelated alarms to different SFCs. This is achieved through careful routing key design based on: 1) analysis of essential characteristics of four common types of intrusions: DoS attacks, port scanning, virus/worm infection and botnets; and 2) distribution and stability analysis of the popular port numbers and those of the popular source IP subnets in scans. We further propose several schemes to distribute the alarms more evenly across the SFCs, and improve the resiliency against the failures or attacks. Evaluation based on one month of DShield firewall logs (600 million scan records) collected from over 2200 worldwide providers show that the resulting system, termed Cyber Disease DHT (CDDHT), can effectively fuse related alarms while distributing unrelated ones evenly among the SFCs. It significantly outperforms the traditional hierarchical approach when facing large amounts of diverse intrusion alerts.

Zouhair Chiba,Noreddine Abghour,Khalid Moussaid,Amina El Omri,Mohamed Rida

DOI: https://doi.org/10.1145/3368756.3369061

2019-10-02

Abstract:With the advent of digital technology, computer networks have developed rapidly at an unprecedented pace contributing tremendously to social and economic development. They have become the backbone for all critical sectors and all the top Multi-National companies. Unfortunately, security threats for computer networks have increased dramatically over the last decade being much brazen and bolder. Indeed, intrusions or attacks can lead to irreparable damages, information leakage and significant financial losses. Hence, there is a great need for an effective Network Intrusion Detection System (NIDS). In the current study, we propose a hybrid NIDS to detect network attacks in the network environment by monitoring network traffic, thereby achieving a solid line of protection against inside and outside intruders and maintaining performance and service quality. In our NIDS framework, we use Suricata as a signature based detection to uncover known attacks, while for detecting network anomaly, we use Isolation Forest Algorithm (IFA). By applying Suricata prior to the IFA classifier, IFA has to detect only unknown attacks. Therefore, detection time is reduced and computational power is saved. Suricata is an open source IDS, which has been advanced as a multi-threaded alternative to popular Snort IDS. The major benefits of a multi-threaded design is that it offers increased speed and efficiency in network traffic analysis and can also help divide up the IDS workload based on where the processing needs are. Consequently, Suricata shows an increase in accuracy and system performance over the de facto standard, single threaded NIDS Snort. While, IFA is one of the newest approaches to detect anomalies/outliers, which introduces the use of isolation as a more effective and efficient means to recognize anomalies than the popularly used basic distance and density measures. In fact, IFA uses no distance or density measures to identify outliers, this eliminates major computational cost of distance calculation in all distance-based and density-based algorithms. Additionally, IFA has a low constant in its computational complexity. Moreover, in this framework, the NIDSs operate in collaborative way to oppose attacks by sharing alerts stored in central log. In this way, unknown attacks that were detected by any NIDS can easily be detected by others IDSs. This also helps to reduce computational cost for detecting intrusions at others NIDSs, and improve detection rate in overall the network environment.

Wei Lin,Liu Xiang,Derek Pao,Bin Liu

DOI: https://doi.org/10.1109/FGCN.2008.67

2008-01-01

Abstract:In order to protect Internet users from various attacks such as worms, viruses and other intrusions, signature-based intrusion detection system (IDS) should be deployed at the critical part of the network with rapid response for updating newly emerged attack signatures and containing the spread of worms or viruses at their early stage. The processing speed of one IDS cannot achieve the throughput requirement in the core networks because of the pattern matching, the key operation for signature-based IDS, is complex and time consuming. In this paper, it argues that if the signature set is shared by multiple IDSs, a packet needs to be checked once and once only by one of the IDSs, so traffic load can be redistributed among the IDSs to avoid local congestion. Packet marking is used to indicate the status of this packet utilized by collaborative IDSs, and a redistribution strategy named inner logical ring (ILR) is built among IDSs to redistribute the traffic load. Meanwhile, caching scheme is used to keep sequence for packets belonging to the same flow. This collaborative distributed IDS is robust with rapid response to various attacks, and the detection throughput is significantly increased from the throughput of the weakest IDS to the summation of all the collaborative IDSs.

LI Yufeng,LAN Julong,XUE Xiangyang

DOI: https://doi.org/10.3969/j.issn.1009-6868.2011.04.007

2011-01-01

Abstract:This paper proposes a Common Security and Control Framework(CSCF) for application security,network security,information security,and behavioral security in tri-network convergence.CSCF has an independent architecture and can be operated transparently across the whole network.It treats the network link as the control object and can perform functions such as link traffic identification and link traffic analysis.It can also check and control a security problem at one point and initiate a whole-system response.CSCF is based on a distributed security and control platform with high scalability.This paper discusses the development of techniques used to establish a security system that proactively defends against threats,flexibly reacts to and blocks threats as they occur,and traces threats.