Zhanfei Ma

DOI: https://doi.org/10.1109/iceit.2010.5607649

2010-01-01

Abstract:Traditional network security system and technology lack self-adaptation, intelligentization and the ability of parallel distributed processing. Inspired by the intelligence recognition capability of Immune-SoftMan (ISM), a novel distributed architecture which based on multi-ISM alliance for network security system is thus proposed. The component functions are put up and component collaborations in the network are presented here. This system adopts new analysis schemes to aim to reduce the relativity of each ISM component as far as possible and avoid the single point failure caused by the single central analyzer. Compared with traditional intrusion detection systems (IDSs), this system is a more adaptive and efficient system. It enables member sites of ISM components in the same trust community or different ones to forewarn attacks cooperatively, and possesses higher detection rate, load balancing and better self-adaptability. By analyzing these mechanisms, it aims to guide the future research on cooperation, negotiation and coordination of multi-ISM system under open, heterogeneous and dynamic network environment.

Zhanfei Ma,Shuying Yang

DOI: https://doi.org/10.13245/j.hust.150510

2015-01-01

Abstract:Existing network intrusion detection system (NIDS) has many disadvantages ,such as low‐er intelligent ,poor adaptive capacity ,weak coordination and load balancing .Inspired by the intelli‐gence recognition capability of immune‐SoftMan (ISM ) ,a novel distributed community cooperation model and corresponding algorithm were thus proposed .The system model was based on multi‐ISM alliance for the network intrusion detection and defense system (MISMNIDDS) .The partial‐global planning (PGP) strategy was adopted by MISMNIDDS .Moreover ,the cooperation ,negotiation and coordination mechanism of autonomy ISM′s were possessed .The system model combined the merits of the level model and collaboration model ,and could be self‐updated locally to adapt to dynamic net‐work environment .The results show that the MISMNIDDS is a self‐organizing network security sys‐tem .Compared with traditional DIDS ,the MISMNIDDS possesses higher detection performance , lower false alarm rate and fewer server system resources .Furthermore ,the MISMNIDDS enables member sites in the same trust community or different ones to resist attacks cooperatively .

Zhanfei Ma,Xuefeng Zheng,Dongkui Li,Xuebao Li,Liping Yang

DOI: https://doi.org/10.1109/wicom.2009.5301978

2009-01-01

Abstract:"SoftMan" (SM) is a new concept based on the production of distributed technique, Agent, intelligent robot and artificial life, its corresponding theory and technology fruits provide a good foundation and reference for studying the present intrusion detection systems (IDSs). Inspired by the intelligence recognition capability of SM, a novel cooperation control model for intrusion detection system based on multi-SoftMan (MSMIDS) is proposed. This model is adopted distributed architecture. In order to reduce the relativity of each detection components as far as possible and avoid the simple failure point caused by the single central analyzer, the model is adopted the non-control center multi-SoftMan architecture, which is making enough use of SM attributes, such as independence, activity, self-learning, self-adaptation, self-evolution and society. The experimental results show that MSMIDS enables member sites in the same trust community or different ones to forewarn attacks cooperatively, and possesses the higher detection rate, load balance and better self-adaptability. MSMIDS also provides a new idea for implementation of network security system.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Zhanfei Ma,Xuefeng Zheng

DOI: https://doi.org/10.1109/cccm.2008.8

2008-01-01

Abstract:Recent security incidents and analysis have demonstrated that current intrusion detection systems (1DS) to some attacks are no longer feasible. Implementing an effective intrusion detection capability is an elusive goal, not solved easily or with a single mechanism. However, we argue that "SoftMan" (SM) technology goes a long way toward realizing the ideal behavior desired in an intrusion detection system. This paper discusses various characteristics in which SoftMan could be applied to the problem of detecting and responding to intrusions. The paper looks not only at the benefits derived from intelligence, but also at those associated with Multi-SoftMan alliance in general. After exploring these benefits, a novel network security defence mechanism based on Multi-SoftMan is proposed. At the same time, the paper visualizes the architecture and system behaviors of Multi-SoftMan intrusion prevention system (MSMIPS). Relevant abstract mathematical models and detailed inferential equations are founded. The experimental results show that MSMIPS enables member sites in the same trust community or different ones to forewarn attacks cooperatively. Furthermore, SoftMan technology also provides a novel idea for improving detection efficiency to the current network intrusion detection system (N1DS).

Xifeng AN,Weihua LI,Zun LIU

DOI: https://doi.org/10.3321/j.issn:0253-987X.2008.12.013

2008-01-01

Abstract:A novel network security cooperative defense technology is studied and a cooperative control framework based on agent mechanism is proposed to solve the lack of cooperative control and whole effect in traditional defense systems. The technology supports both IPv4 and IPv6 protocols and security modules in the framework are associated with each other to accomplish communication and work together. Furthermore, a network security cooperative defense system is composed and the key functions that support the early-alert, audit, accident recovery, network camouflage and so on are also achieved. The pivotal research is emphasized on the key technologies of system call sequences audit model based on machine learning and cooperative accident recovery. Under the condition of 100 M Data flow speed, the NSCDS software's false negative is less than 6% and its false positive is less than 8%. Besides, all module functions work normally and the system can be used to carry out cooperative defense capability.

马占飞,郑雪峰,曾广平,涂序彦

2009-01-01

Abstract:Traditional distributed intrusion detection systems(DIDS)have many shortcomings,such as heavy interdependence of components,and weak flexibility,intelligentization and reliability of these systems.Through studying and analyzing the intelligence recognition characteristics of SoftMan,MSMIIDS,which is an acronym for Multi-SoftMan-based intelligent intrusion detection system,is proposed to solve these problems.Compared with the traditional distributed intrusion detection systems,MSMIIDS is a more adaptive and efficient system.MSMIIDS enables member sites in the same trust community or different ones to forewarn attacks cooperatively,and possesses higher detection rate and better self-adaptability.MSMIIDS provides also a way for implementation of computer network system security.

YU Feng,WANG Min,ZHAO Jian,GAO Xiang

DOI: https://doi.org/10.3969/j.issn.1000-7180.2006.10.036

2006-01-01

Abstract:The traditional intrusion detection system mostly employs misused detection method or anomaly detection method. Its miss rate and the false positive rate are quite high and its adaptability is less, so it is difficult to meet extensive security demand of the network. The paper describes an immune based adaptive distributed network intrusion detection system model; the model employs three types of Agent: predictor Agents are used for sniffing traffic and detect anomalies; assessor Agents weight the prediction of predictor Agents and draw a binary conclusion; manager Agents judge if the prediction from the assessor Agent was right or not, sending him back the results. The model not only can detect intrusions by predictor Agents but also can update the weights automatically and constantly according to the previous performance of each predictor Agent. Then the model improves the ability of detecting intrusions and the adaptability of the system.

LIU Nian,LIU Yong,LI Tao,LIU Sun-jun

DOI: https://doi.org/10.3969/j.issn.1002-137x.2010.01.030

2009-01-01

Abstract:In order to change the current passive network security defense situation depending on traditional network security tools,such as firewall,network vulnerability scanning and intrusion detection etc,the artificial immune technology is applied to network security situation awareness.This technology adopts intrusion detection model based on immune to realize the detection of known and unknown intrusion behaviors,and establishes real-time and quantitative network risk evaluation model based on the corresponding relationship between the antibody concentration variation of biological immune system and the intrusion rate of pathogen.During the trend forecast of network security situation,ARMA model based on time series is adopted to make real-time and quantitative analysis and forecast on network security situation and its future trend,in this way,it can reduce the risk of network attack effectively and improve the emergency logistic support ability of network information system.The experiment result shows that this system can adjust network security strategy timely and efficiently,provide overall security guarantee for the system and is a good solution to active network security defense.

马占飞,郑雪峰

DOI: https://doi.org/10.3969/j.issn.1001-3695.2009.04.088

2009-01-01

Abstract:Through analyzing and studying the characteristics of large-scale network intrusion detection system(IDS),discussed some crucial disadvantages of the existing IDS briefly.Inspired by the intelligence recognition capability of SM,proposed a novel and visual multi-softman intrusion prevention system(MSMIPS) cooperation model.In order to reduce the relativity of each detection components as far as possible and avoid the single point failure caused by the single central analyzer,the model is adopted the non-control center multi-softman(MSM) distributed architecture.At the same time,MSMIPS enables member sites in the same trust community or different ones to forewarn attacks cooperatively.Thus,MSMIPS had some merits,such as higher detection rate,load balance and better self-adaptability,and so on.MSMIPS also provided a novel way for implementation of network security.

Lu YU,Zhen-qiang WU

DOI: https://doi.org/10.19304/j.cnki.issn1000-7180.2009.01.029

2009-01-01

Abstract:Through the research on the achievements of human immune system,a model of adaptive network security based on immune theory has been given.The model introduces the evaluation of system vulnerability level,and it can dynamically adapt its security policy according to the current security situation and performance of the system in order to achieve the network adaptive security.After the explanation of the functions of security risk assessment component,security level adjustment component and security operation execution component,the redesign of security risk assessment component is emphasized.This model is characterized by distributing,self-studying and adaptability.

马占飞,郑雪峰,曾广平,涂序彦

DOI: https://doi.org/10.3969/j.issn.1002-137x.2008.06.012

2008-01-01

Computer Science

Abstract:SoftMan is a new concept based on production of distributed technique, agent, intelligent robot and artificial life, and its corresponding theory and technology fruits provide a good foundation and reference for studying the present intrusion detection systems (IDS). Inspired by the intelligence recognition capability of SoftMan , a novel Multi-SoftMan intrusion prevention system (MSMIPS) negotiation control model and relevant algorithm are presented and researched deeply for network security systems, which model is adopted distributed intelligence architecture. In order to reduce the relativity of each detection components as far as possible and avoid the simple point failure caused by the single central analyzer, the model is adopted the non-control center Multi-SoftMan architecture, which is used to SoftMan attributes, such as independence, activity, self-learning, self-adaptation, inheritance and variation, and so on. All of the components in model, such as data collection units, intrusion detection and analysis units, are independent, which has realized successfully the distributing data collection and the real-time detection and response. Therefore, the robustness of the system is enhancing, the distributing detection idea is realized really, and helps to improve intrusion detection efficiency, intelligentization and maintainability.

Zhan-fei MA,Xue-feng ZHENG

DOI: https://doi.org/10.13195/j.cd.2010.05.102.mazhf.025

2010-01-01

Abstract:Through analyzing and studying the characteristics of the biological immune system (BIS) and the intelligence recognition technology of SoftMan, a concept of immune-SoftMan(ISM) is proposed. The basic attribute of ISM is presented, and a formalized negotiation control model based on multi-ISM alliance is designed. This model can monitor the distributed dynamic network environment in real time, and alarm and diagnose faults in advance, based on which, a novel negotiation control algorithm based on multi-ISM is also constructed. The presented model and algorithm can achieve a self-organizing system that is more robust and flexible in dynamic network environment and can be self-updated locally.

MA Zhan-Fei

2008-01-01

Abstract:"SoftMan" is a new concept based on production of distributed technique, agent, intelligent robot and artificial life, and its corresponding theory and technology fruits provide a good foundation and reference for studying the present intrusion detection systems (IDS). Through the study on intrusion detection technology, artificial intelligence and SoftMan theory, a novel cooperation model of intelligent intrusion prevention based on Multi-SoftMan (MSMIIPS) is presented. In order to reduce the relativity of each detection components as far as possible and avoid the simple point failure caused by the single central analyzer, the model is adopted the non-control center Multi-SoftMan distributed architecture. All of the components in model, such as data collection units, intrusion detection and analysis units, are independent, which has realized really the distributing data collection and the real-time detection and response. Therefore, the robustness of the system is enhanced, the distributing detection is realized, and helps to improve intrusion detection efficiency, intelligentization and maintainability.

MA Zhan-Fei,YANG Shu-ying

2009-01-01

Abstract:Immune-SoftMan (ISM) is a new concept based on production of artificial intelligence,artificial life,biological immune mechanism and distributed technique. Immune-SoftMan is the development of mobile Agent and virtual Robot in network environment. It inherited many research fruits of Robot and Agent. In the paper,the concept and main characteristics of immune-SoftMan are depicted. On this base,we produce and present the migrating mechanism of immune-SoftMan,and construct its migrating model. Immune-SoftMan's corresponding theory and technology fruits provide a good foundation and reference for studying the present distributed intrusion detection and defence system.

SunJun Liu,Tao Li,DianGang Wang,Kui Zhao,Xun Gong,XiaoQing Hu,Chun Xu,Gang Liang

DOI: https://doi.org/10.1007/11903697_14

2006-01-01

Abstract:Inspired by the immune theory and multi-agent systems, an immune multi-agent active defense model for network intrusion is established. The concept of immune agent is introduced. While its logical structure and running mechanism are established. The method which uses antibody concentration to quantitatively describe the degree of intrusion danger is presented. The proposed model implements a multi-layer and distributed active defense mechanism for network intrusion, and it is a new way to the network security.

马占飞,郑雪峰,曾广平,涂序彦

DOI: https://doi.org/10.3321/j.issn:1001-0920.2008.08.020

2008-01-01

Abstract:Through the study on large system cybernetics,artificial intelligence and SoftMan intelligent detection technology,a negotiation model of intelligent intrusion detection based on multi-SoftMan,which adoptes distributed architecture,is presented and researched deeply for network security systems.In order to reduce the relativity of each detection components as far as possible and avoid the simple point failure caused by the single central analyzer,the model adoptes the non-control center multi-SoftMan architecture.All the components in model,such as data collection units,intrusion detection and analysis units,are independent,which realizes the distributing data collection and the real-time detection and response.Finally the robustness of the system is enhanced,the distributing detection is realized.

段丹青,陈松乔,杨卫平

DOI: https://doi.org/10.3969/j.issn.1673-629X.2004.08.036

2004-01-01

Abstract:The concepts of Intrusion Detection System (IDS) has been introduced,and the main weaknesses in current IDS has been pointed out.In order to solve the problems in existing IDS,the artificial immunology is introduced in our network-based IDS.According to the feature of human immune system,a multi-agent network-based intrusion detection system based on artificial immunology has been proposed.The system adopts the distributed architecture based on multi-agent,employs the artificial immune mechanism including negative selection,clonal selection,gene library evolution,associative memory and so on,therefore,the system has the features of adaptability,being distributed,self-recognition and extendibility.

MA Zhan-fei,ZHENG Xue-feng

DOI: https://doi.org/10.3969/j.issn.1001-3695.2008.03.072

2008-01-01

Abstract:Drawing the inspiration from biology immune mechanism,a novel distributed agent intrusion detection system(DAIDS) model was given based on its principle and architecture to improve the capability of detection of current network intrusion detection systems.The real-time detection of the host network was realized by the multi-agents collaboration of this model,which had such characteristics as diversity,distributed,self-adaptability,tolerance,dynamic and expansibility,and so on.In the design process,the better algorithm and model based on biological immunity characteristic was discussed.The agent mechanism was considered as a method of communication and monitor,as far as possible few takes the system resource,enhanced the system efficiency,and guaranteed the higher security level.At the same time,a novel intrusion detection opinion was proposed in the network security fields.

史亮,李斌,庄镇泉

DOI: https://doi.org/10.3969/j.issn.1007-130x.2005.02.003

2005-01-01

Abstract:In this paper we present a multi-agent-based distributed intrusion detection system. This system distributes the intrusion detection work of the whole network into each host, overcomes the problem of single point invalidation and the bottleneck of treatment ability in centralized or hierarchical systems; gives the task of management and distributed intrusion detection for the whole network to the network security management agent NSMA and use the cooperation between NSMAs instead of the cooperation between the low-level detection points, improving the detection and management ability. We also introduce the function redundancy idea into the system design, and overcome the single point invalidation problem while improving the system's real-time intrusion detection ability. This paper presents the system design idea and realization plan in detail, and at the same time, it gives the resolution plan for the relevant problems.