郭陟,赵曦滨,顾明

DOI: https://doi.org/10.3321/j.issn:0372-2112.2004.08.036

2004-01-01

Abstract:Intrusion detection systems take an important role in securing Internet applications.The exactness of user behavior profiles directly affects the detection performance of intrusion detection systems because profiles are the criterion of anomaly detection.The exactness of profiles would be reduced with the use of traditional profile creation methods due to uncertainty of user behavior patterns in Internet.We proposes a new intrusion detection scheme based on information visualization,and presents a new CCA(Curvilinear Component Analysis)-based visualization algorithm.This algorithm is better than traditional algorithm in the performance of distance mapping,and can provide more exact visual information for security experts.Visual information of user behavior patterns facilitates security experts to select more suitable cluster analysis algorithms to create more exact behavior profiles.

Xin Xu,Wei Wang,Xin Chen

DOI: https://doi.org/10.1109/ICIS.2011.24

2011-01-01

Computer and Information Science

Abstract:In this paper, we propose a novel method for detecting and visualizing profile correlation in subspace. The proposed method is able to (1) detect shifting-and-scaling correlated profiles in subspace, where the correlation can be either positive or negative, (2) summarize and visualize the shifting-and-scaling correlation in subspace, and (3) allow users to explore interested correlation subspace interactively. Initially, shifting and scaling were regarded as two different correlation patterns, in which profiles in subspace can overlap by a single shifting and scaling respectively. In later work, a much more generous correlation, shifting-and-scaling correlation, was studied, compared to which, shifting correlation and scaling correlation are just two special cases. Shifting-and-scaling correlation ensures subspace profile coherence not only in tendency as those tendency-based methods do, but also in value change proportion in subspace. However, no work has been focused on visualization of subspace shifting-and-scaling correlation yet. Our work is the first one to enable interactive exploration and visualization of subspace shifting-and-scaling correlation.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Guo Zhi,Ming Gao

2005-01-01

Abstract:Web applications, which are widely used to provide E-commerce and E-government services with the spread use of Internet, are faced with serious threats of security now. Intrusion detection was an effective way to secure web applications. Using visualization technique will facilitate security experts to create normal behavior profiles more exactly, and improve the detection performance of intrusion detection. However, traditional visualization model based on scatter points was not suitable to some web applications due to its poor display effect for volumes of samples. This paper proposes a new visualization model based on density field and corresponding algorithm in order to provide richer visual information for security experts and facilitate security experts to creating profiles more exactly. A comparison of experimental results between traditional model and new model was presented in this paper.

Wei Wang,Xiaohong Guan,Xiangliang Zhang

DOI: https://doi.org/10.1007/978-3-540-28648-6_105

2004-01-01

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework and a hot topic in computer security in recent years. In this paper, a new intrusion detection method based on Principle Component Analysis (PCA) with low overhead and high efficiency is presented. System call data and command sequences data are used as information sources to validate the proposed method. The frequencies of individual system calls in a trace and individual commands in a data block are computed and then data column vectors which represent the traces and blocks of the data are formed as data input. PCA is applied to reduce the high dimensional data vectors and distance between a vector and its projection onto the subspace reduced is used for anomaly detection. Experimental results show that the proposed method is promising in terms of detection accuracy, computational expense and implementation for real-time intrusion detection.

Jia Liu,Wang Yinchai,Teh Chee Siong,Xinjin Li,Liping Zhao,Fengrui Wei

DOI: https://doi.org/10.21203/rs.3.rs-1770107/v1

2022-01-01

Abstract:Abstract Intrusion detection is a fuzzy classification problem. Intrusion detection can detect the attack behaviors of hackers in advance. For generating a visualizing architecture for identifying intrusions, this study proposes an approach that combines ANFIS (Adaptive Network-based Fuzzy Inference System), DT (Decision Tree), and K-means clustering algorithm for visualizing the deep pattern of intrusion detection. The ANFIS generates complex and fuzzy combinations of selected attributes. To reduce the rules generation of ANFIS, Pearson Correlation analysis is used to select attributes that highly relate to the target. Meanwhile, standard deviation analysis and a proposed adaptive K-means algorithm are used for determining the interval division of selected attributes. Then, the CART (classification and regression tree) is used to identify the deep mode in generated rules and selected attributes. The architecture of the proposed algorithm is a hybrid visualizing approach. The architecture can identify deep and hybrid features in intrusion detection. The proposed algorithm was trained, validated, and tested on the NSL-KDD dataset. Using 22 attributes that highly relate to the target, the performance of the proposed method achieved a 99.86% detection rate and 0.14% false alarm rate, which is better than many classifiers. Besides, the visualizing model can help us visually identify the complex pattern of intrusions and analyze the pattern of various intrusions.

Jia-jun ZHU,Gong CHEN,Yong SHI,Zhi XUE

DOI: https://doi.org/10.3969/j.issn.1002-0802.2017.10.032

2017-01-01

Abstract:In recent years,network security becomes the focus of attention from all walks of life,while the detection abnormal users are an important aspect in network security.By writing Python program,the user behavior data could be collected,thus to form user profile and establish detection model.The model,by extracting behavior characteristics of the user,user's machine-learning method and exercises the behavior learning of normal users,and then judges whether the user is abnormal by using Mahalanobis distance and isolation forest algorithm.The experiment and comparison with thetwo traditional algorithms indicate that the proposed model could detect the abnormal users quickly and accurately,and thus could provide some reference value for the research field of network security.

Dit-Yan Yeung,Yuxin Ding

DOI: https://doi.org/10.1007/3-540-47887-6_49

2002-01-01

Abstract:Intrusion detection has emerged as an important approach to network security. In this paper, we adopt an anomaly detection approach by detecting possible intrusions based on user profiles built from normal usage data. In particular, user profiles based on Unix shell commands are modeled using two different types of behavioral models. The dynamic modeling approach is based on hidden Markov models (HMM) and the principle of maximum likelihood, while the static modeling approach is based on event occurrence frequency distributions and the principle of minimum cross entropy. The novelty detection approach is adopted to estimate the model parameters using normal training data only. To determine whether a certain behavior is similar enough to the normal model and hence should be classified as normal, we use a scheme that can be justified from the perspective of hypothesis testing. Our experimental results show that static modeling outperforms dynamic modeling for this application. Moreover, the static modeling approach based on cross entropy is similar in performance to instance-based learning reported previously by others for the same dataset but with much higher computational and storage requirements than our method.

Hong-Wei Sun,Kwok-Yan Lam,Siu-Leung Chung,Ming Gu,Jia-Guang Sun

DOI: https://doi.org/10.1007/11534310_86

2005-01-01

Abstract:This paper proposes a new algorithm that improves the efficiency of the anomaly detection stage of a vector-based intrusion detection scheme. In general, intrusion detection schemes are based on the hypothesis that normal system/user behaviors are consistent and can be characterized by some behavior profiles such that deviations from the profiles are considered abnormal. In complicated computing environments, users may exhibit complicated usage patterns that the user profiles have to be established using sophisticated classification methods such as vector quantization (VQ) technique. However, anomaly detection based on the data set in a high dimension space is inefficient. In this paper we focus on the design of an algorithm that uses principal component analysis (PCA) to improve the anomaly detection efficiency. The main contribution of this research is to demonstrate how the efficiency of the anomaly detection can be raised while the effectiveness of the detection in terms of low false alarm rate and high detection rate can be maintained.

Xinzi Zhang,Jinjun Wang,Yihong Gong,Shizhou Zhang,Shun Zhang

DOI: https://doi.org/10.1109/ICPR.2014.777

2014-01-01

Abstract:Despite the existence of many state-of-the-art face verification systems, the use of complex features and/or high order recognition models in these systems limits their application in devices with low computation power or low latency requirement. In this paper, we approach the problem by performing verification using simple linear distance model. We introduce a novel probability-based distance metric learning algorithm called Class Center Analysis (CCA) to improve the matching performance in a transformed space. CCA generalizes the classic Neighborhood Components Analysis (NCA) from two aspects. First NCA often leads to distributed clusters, while CCA produces more concentrative clusters, And second, NCA sometimes gives over-fitted distance transformation model, while CCA has better generalization ability. With CCA, our system is able to directly project the difference between face image pair into a real-valued score as their similarity, using only simple matrix-vector operation, and thus consuming very low computation. Our comprehensive experimental evaluation show that, CCA outperforms several other benchmark algorithms in verification accuracy. We have also built the CCA algorithm into a mobile application that uses face image for user authentication.

Zhi Guo,Kwok-yan Lam,Siu-Leung Chung,Ming Gu,Jia-guang Sun

DOI: https://doi.org/10.1007/978-3-540-45203-4_5

2003-01-01

Abstract:This paper presents an efficient implementation technique for presenting multivariate audit data needed by statistical-based intrusion detection systems. Multivariate data analysis is an important tool in statistical intrusion detection systems. Typically, multivariate statistical intrusion detection systems require visualization of the multivariate audit data in order to facilitate close inspection by security administrators during profile creation and intrusion alerts. However, when applying these intrusion detection schemes to web-based Internet applications, the space complexity of the visualization process is usually prohibiting due to the large number of resources managed by the web server. In order for the approach to be adopted effectively in practice, this paper presents an efficient technique that allows manipulation and visualization of a large amount of multivariate data. Experimental results show that our technique greatly reduces the space requirement of the visualization process, thus allowing the approach to be adopted for monitoring web-based Internet applications.

Zhang, Yanling,Liu, Haolin,Dong, Xiaoju,Li, Chenlu,Zhang, Zexi

DOI: https://doi.org/10.1007/s12650-021-00789-5

IF: 1.7

2021-01-01

Journal of Visualization

Abstract:Cyber security issues are always worthy of attention. Intrusion detection system (IDS) is one of approaches used to protect computer system and identify potential attack. However, existing methods are limited by high-dimensional computational complexity in rare or unknown attack detection task. To improve the ability of detecting anomaly intrusions, a hybrid intrusion detection framework is proposed in this paper. The proposed RuleRCD algorithm first uses fuzzy association rules based on Apriori and K -Means algorithm for normal pattern and major attack detection. The other data are then fed to an active learning-based rare category detection algorithm to identify its attack pattern. This paper also introduces an interactive visualization system, which integrates experts’ decision into intrusion detection workflow. The method improves the effectiveness and interpretability of detection process. KDD-99 dataset is used to evaluate the proposed framework. The result shows that the approach outperforms some methods, especially in terms of the rare attack.

Wei Liang,Kuan-Ching Li,Jing Long,Xiaoyan Kui,Albert Y. Zomaya

DOI: https://doi.org/10.1109/tii.2019.2946791

IF: 12.3

2020-03-01

IEEE Transactions on Industrial Informatics

Abstract:Industrial networks are complex and diverse. Among existing intrusion prevention systems available, several of them have problems such as low detection accuracy rate, high false positive (FP) rate, and low real-time performance for impersonation attacks. To address such issues, it is proposed in this article an industrial network intrusion detection algorithm based on multifeature data clustering optimization model, where the weighted distances and security coefficients of data are classified based on the priority threshold of data attribute feature for each node in the network, given that the data modules in the industrial network environment are diverse and easy to diagnose, restore, and rebuild. The proposed algorithm can effectively improve the detection rate and real-time performance of detecting abnormal behavior for the multifeature data in industrial networks. The novel features are twofold, to rapidly select a node with high-security coefficient as the cluster center, and match the multifeature data around the center into a cluster. Experimental results show that the proposed algorithm has good superiority in terms of detection rate and time compared to other algorithms. In the industrial network, the detection accuracy of abnormal data reaches 97.8, and the FP of detection is decreased by 8.8.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Wei Wang,Xiaohong Guan,Xiangliang Zhang,Liwei Yang

DOI: https://doi.org/10.1016/j.cose.2006.05.005

IF: 5.105

2006-01-01

Computers & Security

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework. In recent years, it has been a widely studied topic in computer network security. In this paper, we present two methods, namely, the Hidden Markov Models (HMM) method and the Self Organizing Maps (SOM) method, to profile normal program behavior for anomaly intrusion detection based on computer audit data. The HMM method utilizes the transition property of events while SOM method relies on the frequency property of events. Two data sets, CERT synthetic Sendmail system call data collected in the University of New Mexico (UNM) and Live FTP system call data collected in the CNSIS lab of Xi'an Jiaotong University, were used to assess the two methods. Testing results show that the HMM method using the transition property of events produces good detection performance while high computational expense is required both for training and detection. The HMM method is better than other two methods reported previously in terms of detection accuracy for the same data set. The SOM method considering the frequency property of events, on the other hand, is suitable for real-time intrusion detection because of its capability of processing a large amount of data with low computational overhead.

Xudong Zhu,Zhijing Liu

DOI: https://doi.org/10.1108/17563781111160039

2011-01-01

International Journal of Intelligent Computing and Cybernetics

Abstract:Purpose The purpose of this paper is to address the problem of profiling human behaviour patterns captured in surveillance videos for the application of online normal behaviour recognition and anomaly detection. Design/methodology/approach A novel framework is developed for automatic behaviour profiling and online anomaly detection without any manual labeling of the training dataset. Findings Experimental results demonstrate the effectiveness and robustness of the authors' approach using noisy and sparse datasets collected from one real surveillance scenario. Originality/value To discover the topics, co‐clustering topic model not only captures the correlation between words, but also models the correlations between topics. The major difference between the conventional co‐clustering algorithms and the proposed CCMT is that CCMT shows a major improvement in terms of recall, i.e. interpretability.

Ying-Ti Tsai,Chung-Ho Wang,Yung-Chia Chang,Lee-Ing Tong

DOI: https://doi.org/10.1049/2024/3948341

2024-07-27

IET Information Security

Abstract:Artificial intelligence algorithms and big data analysis methods are commonly employed in network intrusion detection systems. However, challenges such as unbalanced data and unknown network intrusion modes can influence the effectiveness of these methods. Moreover, the information personnel of most enterprises lack specialized knowledge of information security. Thus, a simple and effective model for detecting abnormal behaviors may be more practical for information personnel than attempting to identify network intrusion modes. This study develops a network intrusion detection model by integrating weighted principal component analysis into an exponentially weighted moving average control chart. The proposed method assists information personnel in easily determining whether a network intrusion event has occurred. The effectiveness of the proposed method was validated using simulated examples.

computer science, information systems, theory & methods

W Wang,XH Guan,XL Zhang

DOI: https://doi.org/10.1109/cdc.2004.1428613

2004-01-01

Abstract:Profiling program and user behaviors is an effective approach for detecting hostile attacks to a computer system. A new model based method by non-negative matrix factorization (NMF) is presented in this paper to profile program and user behaviors for anomaly intrusion detection. In this new method, the audit data streams obtained from sequences of system calls and UNIX commands are used as the information source. The audit data is partitioned into segments with a fixed length. Program and user behaviors are, in turn, measured by the frequencies of individual system calls or commands embedded in each segment of the data, and NMF is applied to extract the features from the blocks of audit data associated with the normal behaviors. The model describing the normal program and user behaviors are built based on these features and deviation from the normal program and user behaviors above a predetermined threshold is considered as anomalous. The method is implemented and tested with the system call data from the University of New Mexico and the Unix command data from AT&T Research lab. Experiment results show that the proposed method is promising in terms of detection accuracy, computational expense and implementation for real-time intrusion detection.

Jiang Shan,Chen Changai

DOI: https://doi.org/10.2991/isrme-15.2015.109

2015-01-01

Abstract:The security of software applications, from web-based applications to mobile services, is always at risk because of the open society of internet. With the increase in the number of network throughput and security threats, intrusion detection system has attracted much attention in recent years. In this paper, we undertake the research on the principle techniques for network intrusion detection based on data mining and analysis approach. We adopt the prior knowledge on Bayesian network which is a directed acyclic graph, each node represents a random variable and an edge said direct probabilistic dependencies between two connected nodes. Then, we use the traditional risk assessment model to measure the possibility of being hearted. The numeric analysis and experimental illustration indicates the effectiveness of our method compared with other popular adopted state-of-the-art methodologies. In the future, we plan to introduce the graph and complex network theory into our prototype system to enhance the performance.

Jin Shi,Guangwei Hu,Mingxin Lu,Li Xie

DOI: https://doi.org/10.1109/ISME.2010.156

2010-01-01

Abstract:Traditional network security assessment technologies are usually qualitative analyses from large variation of security factors. It is difficult to guide security managers to configure network security mechanisms. A new network security quantitative analysis method called ACRL is presented in this paper. It assesses attack sequences from credibility, risk and the loss of system and provides the assessment values to security managers. It can assess the network security mechanisms and measures in position and can help security managers adjust the corresponding security mechanisms and choose the response methods against attacks in detail. An experiment of our method shows favorable and promising results.

Xing Xu,Jie Li,Yang Yang,Fumin Shen

DOI: https://doi.org/10.1109/jiot.2020.3034621

IF: 10.6

2021-04-15

IEEE Internet of Things Journal

Abstract:Intrusion detection is an important technique that can provide solid protection for the network equipment against the security attacks. However, the attacks are usually unbalanced in different types and the attacks of unknown classes may also occur with the growth of Internet construction. In this case, the traditional machine learning-based intrusion detection methods usually have inferior detection accuracy and high false-positive rates. To tackle this problem, in this article, we propose a novel deep learning-based intrusion detection method named log-cosh conditional variational autoencoder (LCVAE). It inherits the capability of the conditional variational autoencoder (CVAE) that can capture the complex distribution of observed data and generate new data with prespecified classes. Different from the traditional CVAE, to better model the discrete property in the intrusion data, we design an effective loss term using the log hyperbolic cosine (log-cosh) function in the proposed LCVAE method. It can well balance the generation and reconstruction procedures and is more effective to generate diverse intrusion data for the imbalanced classes. To improve the detection accuracy, we utilize the classification based on convolutional neural network to perform feature extraction and classification based on the observed and generated intrusion data. We conduct extensive experiments on the challenging data set NSL-KDD with large-scale intrusion data. The results show that the superior detection performance of the proposed LCVAE method comparing with several state-of-the-art intrusion detection methods, and also demonstrate the potentiality of generating new intrusion data with promising diversity.

computer science, information systems,telecommunications,engineering, electrical & electronic