L Feng,XH Guan,SG Guo,Y Gao,PN Liu

DOI: https://doi.org/10.1016/j.cose.2004.01.016

IF: 5.105

2004-01-01

Computers & Security

Abstract:Identifying the intentions or attempts of the monitored agents through observations is very vital in computer network security. In this paper, a plan recognition method for predicting the anomaly events and the intentions of possible intruders to a computer system is developed based on the observation of system call sequences. The probability of the goal state for a system call sequence is defined as the prediction index to determine if the intention is normal. An efficient algorithm based on the dynamic Bayesian network theory with parameter compensation is derived and then applied to update the index recursively. Extensive empirical testing is performed on the data sets published in the literature and those collected in an actual computer system at our lab. The testing results showed that this method can identify the intrusion behaviors from the observed system call sequences with good accuracy.

Yue Shen,Fei Yu,Ling-Fen Zhang,Ji-Yao An,Miao-Liang Zhu

DOI: https://doi.org/10.1109/CANET.2005.1598184

2005-01-01

Abstract:Intrusion detection is an efficient way to protect information system. This paper puts forward a new method of anomalous intrusion detection based on system call. It uses system calls regarded as input, and creates a FSA for the functions in the program. Then the FSA is used to detect the attack. Moreover, It can find the place of the vulnerability which exists in the program. This can help to alter the source program. Results are shown that this method is effective for some intrusion events.

Qinming He,Jianfei Qian,Hua Chen,Fangzhong Qi

DOI: https://doi.org/10.1109/imsccs.2006.269

2006-01-01

Abstract:In traditional way, software plans are represented explicitly by some semantic schemas. However, semantic contents, constrains and relations of plans are hard for explicit presentation. Besides, it is a heavy and error-prone work to build such a library of plans. Algorithms of recognition of such plans demand exact matching by which semantic denotation is obvious itself. We thus present a novel approach of applying neural network in the presentation and recognition of plans via asymmetric Hebbian plasticity and non-linear auto-regressive with exogenous inputs (NARX) to learn and recognize plans. Semantics of plans are represented implicitly and error-tolerant. The recognition procedure is also error-tolerant because it tends to match fuzzily like human. Models and relevant limitations are illustrated and analyzed in this article

王月海,洪炳镕

DOI: https://doi.org/10.3321/j.issn:0367-6234.2004.07.005

2004-01-01

Abstract:The existing plan recognition models are efficient only in collaborative field, so a plan recognition approach based on Bayesian belief network model is proposed to suit the adversarial multi-agent environment. Several typical rules of robotic soccer were studied and experiments were done by using the robot soccer simulation game. The simulation results show that the collaborations of the whole team and the ratio of winning game were both improved remarkably.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Jian-Wei ZHUGE,Xin-Hui HAN,Zhi-Yuan YE,Wei ZOU

DOI: https://doi.org/10.3321/j.issn:0254-4164.2006.08.013

2006-01-01

Jisuanji Xuebao/Chinese Journal of Computers

Abstract:Based on the classical plan recognition methods in the domain of artificial intelligence, and considering the characteristics of attack plan recognition problem in the domain of network security operation, this paper extends the goal graph model, introducing the observation node to distinguish the planner’s actions and the recognizer’s observations against the actions, replacing the unitary action nodes using the hierarchy composed with detail actions and abstract actions, maintaining the precondition and effect conditions between the actions and security states in the abstract action level according to the abstract attack patterns, therefore, proposes the Extended Goal Graph(EGG) model. Furthermore, this paper proposes an attack plan recognition algorithm based on the Extended Goal Graph, the algorithm can recognize the hidden attack intention and plan from the large volume of low level intrusion detection system alerts correctly and effectively. Through the experiments using DARPA 2000 intrusion scenario correlation benchmark dataset and in-the-wild botnet scenarios data captured in the honeynet, the results show the completeness and soundness of the algorithm, as well as its advantage beyond the alert correlation systems such as TIAA [5] .

Wu Tao,Wang Chong-Jun,Xie Jun-Yuan

2010-01-01

Abstract:Intrusion detection,as an active measure to assure information security,has been receiving intensive attention and has recently become the focus of the computer security especially the network security research communities.In order to avoid being detected,however,intrusion events have evolved to become intelligent and distributive,making them good at concealing their purposes and so penetrating the intrusion detection system.To deal with this problem,as this paper does,techniques involving artificial intelligence and machine learning are brought in.This paper models intrusion and its detection as two multi-agent systems that have conflict interests,and holds the opinion that to intrude is just to device and execut attacking plans aiming to achieve certain objectives,the key of intrusion detection then is to analyze the observed opopnent's actions perceived as abnormal and reveal their intentions,which is then a classical intention recognition problem.Be is justifiable,we noticed that the traditional KEY-HOLE observing method for intention recognition is not suitable to be used here,because the environment for intrusion detection usually has an attack-defense nature thus is dynamic and can be extremely complex,making it expectable that failures to report intrusions and false reports of intrusions do happen,as a result acquiring a complete and true action sequence of the intruder is impossible.Under this circumstance,to design a strategy so robust that can recognize the intruder's intention using just an action sequence which not only contains only part of the intruder's complete action squence and also unknownly includs some misclassified actions is desperated needed,and this is exactly what this paper may contribute.Further than proposing the two multi-agent systems model,this paper sees the intrusion process as a Partially Observable Markov Decision Process(POMDP),and then estimates the intruder's intention as the output of the process.In this cae intention of the intruder can be recognized through an incomplete and defective action sequence it has just taken.The effectiveness of the proposed method is proved by experiments on data set contributed by DARPA.

Yu-jun Xiao,Wen-yuan Xu,Zhen-hua Jia,Zhuo-ran Ma,Dong-lian Qi

DOI: https://doi.org/10.1631/fitee.1601540

2017-01-01

Abstract:Industrial control systems (ICSs) are widely used in critical infrastructures, making them popular targets for attacks to cause catastrophic physical damage. As one of the most critical components in ICSs, the programmable logic controller (PLC) controls the actuators directly. A PLC executing a malicious program can cause significant property loss or even casualties. The number of attacks targeted at PLCs has increased noticeably over the last few years, exposing the vulnerability of the PLC and the importance of PLC protection. Unfortunately, PLCs cannot be protected by traditional intrusion detection systems or antivirus software. Thus, an effective method for PLC protection is yet to be designed. Motivated by these concerns, we propose a non-invasive powerbased anomaly detection scheme for PLCs. The basic idea is to detect malicious software execution in a PLC through analyzing its power consumption, which is measured by inserting a shunt resistor in series with the CPU in a PLC while it is executing instructions. To analyze the power measurements, we extract a discriminative feature set from the power trace, and then train a long short-term memory (LSTM) neural network with the features of normal samples to predict the next time step of a normal sample. Finally, an abnormal sample is identified through comparing the predicted sample and the actual sample. The advantages of our method are that it requires no software modification on the original system and is able to detect unknown attacks effectively. The method is evaluated on a lab testbed, and for a trojan attack whose difference from the normal program is around 0.63%, the detection accuracy reaches 99.83%.

Zhang Lin,Liu Huayun,Cheng Weiming

DOI: https://doi.org/10.2991/icmra-15.2015.215

2015-01-01

Abstract:Plan recognition as an important research direction of artificial intelligence, are widely used in many aspects of the intelligent system. This article from the concept, classification, methods, research situation and application field, introduces the research of plan recognition. In this article, provide a certain theoretical basis for the further research plan recognition.

谭小彬,王卫平,奚宏生,殷保群

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.12.073

2002-01-01

Abstract:The paper builds a Markov model of system calls sequence on computer system for intrusion detection, and introduces an anomaly detection method for computer systems. It analyses the current system calls sequences by using the knowledge on statistics, then defines a mismatch factor based on transition probabilities to compute the mismatch rate, and judges whether the process is in normal state or not by analyzing the mismatch rate. It also gives an updated algorithm of transition probabilities based on forgetting factor.

Congyuan Xu,Jizhong Shen,Xin Du,Fan Zhang

DOI: https://doi.org/10.1109/access.2018.2867564

IF: 3.9

2018-01-01

IEEE Access

Abstract:To improve the performance of network intrusion detection systems (IDS), we applied deep learning theory to intrusion detection and developed a deep network model with automatic feature extraction. In this paper, we consider the characteristics of the time-related intrusion and propose a novel IDS that consists of a recurrent neural network with gated recurrent units (GRU), multilayer perceptron (MLP), and softmax module. Experiments on the well-known KDD 99 and NSL-KDD data sets show that the system has leading performance. The overall detection rate was 99.42% using KDD 99 and 99.31% using NSL-KDD with false positive rates as low as 0.05% and 0.84%, respectively. In particular, for detecting the denial of service attacks, the system achieved detection rates of 99.98% and 99.55%, respectively. Comparative experiments showed that the GRU is more suitable as a memory unit for IDS than LSTM, and proved that it is an effective simplification and improvement of LSTM. Moreover, the bidirectional GRU can reach the best performance compared with the recently published methods.

Guang Kou,Shuo Wang,Guangming Tang

DOI: https://doi.org/10.1049/cje.2018.10.007

IF: 1.019

2019-01-01

Chinese Journal of Electronics

Abstract:This paper analyzed the existing network security situation evaluation methods and discovered that they cannot accurately reflect the features of large-scale, synergetic, multi-stage gradually shown by network attack behaviors. For this purpose, the association between attack intention and network configuration information was deep analyzed. Then a network security situation evaluation method based on attack intention recognition was proposed. Unlike traditional method, the evaluation method was based on intruder. This method firstly made causal analysis of attack event and discovered and simplified intrusion path to recognize every attack phases, then realized situation evaluation based on the attack phases. Lastly attack intention was recognized and next attack phase was forecasted based on achieved attack phases, combined with vulnerability and network connectivity. A simulation experiments for the proposed network security situation evaluation model is performed by network examples. The experimental results show that this method is more accurate on reflecting the truth of attack. And the method does not need training on the historical sequence, so the method is more effective on situation forecasting.

engineering, electrical & electronic

ZM Cai,XH Guan,P Shao,QK Peng,GJ Sun

DOI: https://doi.org/10.1111/1468-0394.00249

IF: 3.3

2003-01-01

Expert Systems

Abstract:Abstract: Intrusion detection is important in the defense‐in‐depth network security framework. This paper presents an effective method for anomaly intrusion detection with low overhead and high efficiency. The method is based on rough set theory to extract a set of detection rules with a minimal size as the normal behavior model from the system call sequences generated during the normal execution of a process. It is capable of detecting the abnormal operating status of a process and thus reporting a possible intrusion. Compared with other methods, the method requires a smaller size of training data set and less effort to collect training data and is more suitable for real‐time detection. Empirical results show that the method is promising in terms of detection accuracy, required training data set and efficiency.

Nitin Kanaskar,Remzi Seker,Jiang Bian,Vir V. Phoha

DOI: https://doi.org/10.1109/TSMCC.2012.2208187

2012-01-01

Abstract:Code injection is a common approach which is utilized to exploit applications. We introduce some of the well-established techniques and formalisms of dynamical system theory into analysis of program behavior via system calls to detect code injections into an applications execution space. We accept a program as a blackbox dynamical system whose internals are not known, but whose output we can observe. The blackbox system observable in our model is the system calls the program makes. The collected system calls are treated as signals which are used to reconstruct the system’s phase space. Then, by using the well-established techniques from dynamical system theory, we quantify the amount of complexity of the system’s (program’s) behavior. The change in the behavior of a compromised system is detected as anomalous behavior compared with the baseline established from a clean program. We test the proposed approach against DARPA-98 dataset and a real-world exploit and present code injection experiments to show the applicability of our approach.

Fan Huang

DOI: https://doi.org/10.48550/arXiv.2105.13698

2021-05-28

Abstract:Network activities recognition has always been a significant component of intrusion detection. However, with the increasing network traffic flow and complexity of network behavior, it is becoming more and more difficult to identify the specific behavior quickly and accurately by user network monitoring software. It also requires the system security staff to pay close attention to the latest intrusion monitoring technology and methods. All of these greatly increase the difficulty and complexity of intrusion detection tasks. The application of machine learning methods based on supervised classification technology would help to liberate the network security staff from the heavy and boring tasks. A finetuned model would accurately recognize user behavior, which could provide persistent monitoring with a relative high accuracy and good adaptability. Finally, the results of network activities recognition by J48 and Naïve Bayes algorithms are introduced and evaluated.

Cryptography and Security,Artificial Intelligence

Xiuzhen Chen,QevgHua Zheng,Xiaohong Guan,Chenguang Lin

DOI: https://doi.org/10.1109/ICMLC.2004.1378527

2004-01-01

Abstract:Forecasting intending intrusion according to intrusion preludes is vital in computer security.. One novel intrusion behavior forecast system based on interactive knowledge discovery, which consists of off-line interactive knowledge discovery and on-line forecast, is put forward. As to the former, the algorithm of sequential pattern discovery, WINEPI, is introduced to implement interactive knowledge discovery so as to mine frequent sequential patterns, of intrusion behavior from historical intrusion, event dataset. And a novel idea of correlating discovered short sequential patterns based on intrusion prerequisite and intrusion intention is proposed to build long sequential patterns. As to the on-line part of intrusion behavior forecast system, it employs inference engine developed in this paper to forecast intrusion behavior based on intrusion preludes and to discover forecast rules. This system changes passive data storage into active data usage and helps to achieve active defense. Application in the integrated network security monitor and defense system named Net-Keeper have shown that all forecast accuracies are greater than 75%, which proves this system is feasible.

Jiang Shan,Chen Changai

DOI: https://doi.org/10.2991/isrme-15.2015.109

2015-01-01

Abstract:The security of software applications, from web-based applications to mobile services, is always at risk because of the open society of internet. With the increase in the number of network throughput and security threats, intrusion detection system has attracted much attention in recent years. In this paper, we undertake the research on the principle techniques for network intrusion detection based on data mining and analysis approach. We adopt the prior knowledge on Bayesian network which is a directed acyclic graph, each node represents a random variable and an edge said direct probabilistic dependencies between two connected nodes. Then, we use the traditional risk assessment model to measure the possibility of being hearted. The numeric analysis and experimental illustration indicates the effectiveness of our method compared with other popular adopted state-of-the-art methodologies. In the future, we plan to introduce the graph and complex network theory into our prototype system to enhance the performance.

Amod Pandit,R Joe Stanley,Bruce McMillin

Abstract:Intrusion detection systems (IDS) attempt to address the vulnerability of computer-based systems for abuse by insiders and to penetration by outsiders. An IDS is required to examine an enormous amount of data generated by computer networks to assist in the abuse detection process. Thus, there is a need to develop automated tools that address these requirements to assist system operators in the detection of violations of existing security policies. In this research, an automated IDS is proposed for insider threats in a distributed system. The proposed IDS functions as an anomaly detector for insider system operations based on the analysis of the system's log files. The approach integrates dynamic programming and adaptive resonance theory (ART1) clustering. The integrated approach aligns sequences of log events with prototypical sequences of events for performing tasks and classifies the aligned sequences for intrusion detection. The system examined for this research is a Boots System for controlling the movement of boots from one place to another under specific security restrictions related to the boot orders. We present the proposed model, the results achieved and the analysis of an implemented prototype.

Robert P. Goldman,Christopher W. Geib,Christopher A. Miller

DOI: https://doi.org/10.48550/arXiv.1301.6700

2013-01-23

Abstract:We present a new abductive, probabilistic theory of plan recognition. This model differs from previous plan recognition theories in being centered around a model of plan execution: most previous methods have been based on plans as formal objects or on rules describing the recognition process. We show that our new model accounts for phenomena omitted from most previous plan recognition theories: notably the cumulative effect of a sequence of observations of partially-ordered, interleaved plans and the effect of context on plan adoption. The model also supports inferences about the evolution of plan execution in situations where another agent intervenes in plan execution. This facility provides support for using plan recognition to build systems that will intelligently assist a user.

Artificial Intelligence

WEI WANG,XIAO-HONG GUAN,XIANG-LIANG ZHANG

DOI: https://doi.org/10.1109/ICMLC.2004.1378514

2004-01-01

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework and a hot topic in computer network security in recent years. In this paper, a new efficient intrusion detection method based on hidden Markov models (HMMs) is presented. HMMs are applied to model the normal program behaviors using traces of system calls issued by processes. The output probability of a sequence of system calls is calculated by the normal model built. If the probability of a sequence in a trace is below a certain threshold, the sequence is flagged as a mismatch. If the ratio between the mismatches and all the sequences in a trace exceeds another threshold, the trace is then considered as a possible intrusion. The method is implemented and tested on the sendmail system call data from the University of New Mexico. Experimental results show that the performance of the proposed method in intrusion detection is better than other methods.