Hassan Hadi Al-Maksousy,Michele C. Weigle,Cong Wang

DOI: https://doi.org/10.1109/ths.2018.8574174

2018-01-01

Abstract:Malware detection is an important problem. We propose an efficient real-time system to detect and classify malware based on network behavior using deep neural networks. We show that the splitting of the system into two neural networks, detection and analysis, is the key to increasing accuracy. Therefore, this approach allows for the construction of a real-time monitoring system with very low CPU usage. Finally, we provide a comparison analysis of four machine learning classifiers for this task.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

WANG Xiaodong,ZHU Miaoliang

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.07.055

2005-01-01

Abstract:This paper puts forward an intellective network safe guard system based on a multi-agent system structure. The purpose of the system is to defend the intrusion of campus-wide network. It is based on IDXP and the focus is blackboard. This system can deal with multi-levels and many ways of anti-intrusions, which has self-determination. It is proved to have a good performance by spot tests.

Cong Shan,Hu Mingzeng,Wang Yongheng,Bao Xiuguo

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.06.041

2006-01-01

Abstract:The security problem resulting from internal computer network misuse is becoming even more difficult in the researching field of network security management.The paper proposes an effective detecting method and constructs a prototype system.This method learns from the advantages of P2P,using IP spoof and the echo function of ICMP data packet to complete the detection.Proved by the experiment,put into the large-scale network composed by several subnets,this method can detect the misuse of any subnet with a high efficiency.

YU-XIN DING,MIN XIAO,AI-WU LIU,Yu-Xin Ding,Min Xiao,Ai-Wu Liu

DOI: https://doi.org/10.1109/icmlc.2009.5212282

2009-07-01

Abstract:Since most of current intrusion detection systems (IDS) only use one of the two detection methods, misused detection or anomaly detection, both of them have their own limitations. In this paper, the technique that combines misuse detection system with anomaly detection system (ADS) is used. The hybrid intrusion detection system (HIDS) contains three sub-modules, misused detection module, anomaly detection module and signature generation module. The basis of misused detection module is snort. Anomaly detection module is constructed by using frequent episode rule. And signature generation module is based on a variant of Apriori algorithm. Misused detection module uses the signature of attacks to detection the known attacks. Anomaly detection module can detect the unknown attacks and signature generation module extracts the signature of attacks that are detected by ADS module, and maps the signatures into snort rules.

Ozgur Depren,Murat Topallar,Emin Anarim,M. Kemal Ciliz

DOI: https://doi.org/10.1016/j.eswa.2005.05.002

IF: 8.5

2005-11-01

Expert Systems with Applications

Abstract:In this paper, we propose a novel Intrusion Detection System (IDS) architecture utilizing both anomaly and misuse detection approaches. This hybrid Intrusion Detection System architecture consists of an anomaly detection module, a misuse detection module and a decision support system combining the results of these two detection modules. The proposed anomaly detection module uses a Self-Organizing Map (SOM) structure to model normal behavior. Deviation from the normal behavior is classified as an attack. The proposed misuse detection module uses J.48 decision tree algorithm to classify various types of attacks. The principle interest of this work is to benchmark the performance of the proposed hybrid IDS architecture by using KDD Cup 99 Data Set, the benchmark dataset used by IDS researchers. A rule-based Decision Support System (DSS) is also developed for interpreting the results of both anomaly and misuse detection modules. Simulation results of both anomaly and misuse detection modules based on the KDD 99 Data Set are given. It is observed that the proposed hybrid approach gives better performance over individual approaches.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Jie Yang,Xin Chen,Xudong Xiang,Jianxiong Wan

DOI: https://doi.org/10.1109/cmc.2010.73

2010-01-01

Abstract:A hybrid intrusion detection approach combing both misuse detection and anomaly detection can detect newly discovered attacks while maintaining a relatively high detection rate. This paper presents a novel hybrid intrusion detection system based on protocol analysis and decision tree algorithms. Performance evaluation of the proposed system is conducted using Generalized Stochastic Petri Nets (GSPN). Simulation results show that this hybrid system can reach a high detection rate.

Simon T. Powers,Jun He

DOI: https://doi.org/10.1016/j.ins.2007.11.028

2012-08-03

Abstract:Network intrusion detection is the problem of detecting unauthorised use of, or access to, computer systems over a network. Two broad approaches exist to tackle this problem: anomaly detection and misuse detection. An anomaly detection system is trained only on examples of normal connections, and thus has the potential to detect novel attacks. However, many anomaly detection systems simply report the anomalous activity, rather than analysing it further in order to report higher-level information that is of more use to a security officer. On the other hand, misuse detection systems recognise known attack patterns, thereby allowing them to provide more detailed information about an intrusion. However, such systems cannot detect novel attacks. A hybrid system is presented in this paper with the aim of combining the advantages of both approaches. Specifically, anomalous network connections are initially detected using an artificial immune system. Connections that are flagged as anomalous are then categorised using a Kohonen Self Organising Map, allowing higher-level information, in the form of cluster membership, to be extracted. Experimental results on the KDD 1999 Cup dataset show a low false positive rate and a detection and classification rate for Denial-of-Service and User-to-Root attacks that is higher than those in a sample of other works.

Neural and Evolutionary Computing,Cryptography and Security

Bo-Xiang Wang,Jiann-Liang Chen,Chiao-Lin Yu

DOI: https://doi.org/10.1109/access.2022.3175886

IF: 3.9

2022-05-27

IEEE Access

Abstract:The work develops a network threat detection system, AI@NTDS, that uses the behavioral features of attackers and intelligent techniques. The proposed AI@NTDS system combines data analysis, feature extraction, and feature evaluation to construct a detection model, which supports a more straightforward strategy by which the operating system or its operators can defend against network attacks. The Linux system interaction information of SSH (Secure Shell) and Telnet are obtained from the Cowrie Honeypot and labeled according to Enterprise Tactics of MITRE ATT&CK to ensure dataset credibility. The proposed AI@NTDS system has three levels, depending on the attacker's attacks and the user's risk of damage. Fifty-two features are used to detect the network threat level. The features contain message-based features for all kinds of Linux operating instructions, host-based features for all types of information in the network connection process, and geography-based features are related to the attacker's location. AI-based algorithms LightGBM, Random Forest and the K-NN algorithm are used to verify the identification of the custom features. Finally, the detection model that is trained using the best combination of features is used to predict the test dataset. The accuracy of the proposed AI@NTDS system reaches 99%, 95.66%, and 94.08% with the LightGBM, Random Forest, and K-NN algorithms, respectively. The mutual dependencies of features and network threats are evaluated. Results of a performance analysis reveal that the proposed AI@NTDS system has an accuracy of 99.20% and an F1-score of 99.80%. It is superior to existing detection mechanisms, which it outperforms by 4% and 1% i- accuracy and F1-score, respectively.

computer science, information systems,telecommunications,engineering, electrical & electronic

Davide Ariu,Roberto Tronci,Giorgio Giacinto

DOI: https://doi.org/10.1016/j.cose.2010.12.004

2011-06-01

Abstract:Nowadays the security of Web applications is one of the key topics in Computer Security. Among all the solutions that have been proposed so far, the analysis of the HTTP payload at the byte level has proven to be effective as it does not require the detailed knowledge of the applications running on the Web server. The solutions proposed in the literature actually achieved good results for the detection rate, while there is still room for reducing the false positive rate.To this end, in this paper we propose HMMPayl, an IDS where the payload is represented as a sequence of bytes, and the analysis is performed using Hidden Markov Models (HMM). The algorithm we propose for feature extraction and the joint use of HMM guarantee the same expressive power of n – gram analysis, while allowing to overcome its computational complexity. In addition, we designed HMMPayl following the Multiple Classifiers System paradigm to provide for a better classification accuracy, to increase the difficulty of evading the IDS, and to mitigate the weaknesses due to a non optimal choice of HMM parameters. Experimental results, obtained both on public and private datasets, show that the analysis performed by HMMPayl is particularly effective against the most frequent attacks toward Web applications (such as XSS and SQL-Injection). In particular, for a fixed false positive rate, HMMPayl achieves a higher detection rate respect to previously proposed approaches it has been compared with.

computer science, information systems

Abbasgholi Pashaei,Mohammad Esmaeil Akbari,Mina Zolfy Lighvan,Asghar Charmin

DOI: https://doi.org/10.1016/j.rineng.2022.100576

2022-08-08

Results in Engineering

Abstract:Man-in-the-Middle (MITM) and Distributed Denial of Service (DDoS) attacks are significant threats, especially to Industrial Control Systems (ICS). The honeypot is one of the most common approaches to protecting the network against such attacks. This study proposes a Markov Decision Process (MDP) called the state-action-reward-state-action (SARSA) for honeypot design. The proposed system using environmental experiments can achieve greater accuracy and convergence speed than traditional IDSs. Here, we use two types of agents, one for classification and the other for the environment. The environmental agent tries to minimize the rewards given to the classifying agent. Therefore, the classification agent is forced to learn the most complicated policies, increasing its learning capability in the long term. Thus, the proposed method improves the level of interaction for the early detection of honeypots by recording aggressive behavior. It can be especially suitable for very imbalanced datasets. To evaluate the performance of the proposed method, we compare it with two categories of malicious ICS attacks, including MITM and DDoS. The results show that the proposed model is superior to traditional non-linear IDS models in terms of accuracy (<0.99) and F-measure (0.98).

Xiaoqing Sun,Mingkai Tong,Jiahai Yang

DOI: https://doi.org/10.48550/arXiv.1909.01590

2019-09-04

Cryptography and Security

Abstract:Domain name system (DNS) is a crucial part of the Internet, yet has been widely exploited by cyber attackers. Apart from making static methods like blacklists or sinkholes infeasible, some weasel attackers can even bypass detection systems with machine learning based classifiers. As a solution to this problem, we propose a robust domain detection system named HinDom. Instead of relying on manually selected features, HinDom models the DNS scene as a Heterogeneous Information Network (HIN) consist of clients, domains, IP addresses and their diverse relationships. Besides, the metapath-based transductive classification method enables HinDom to detect malicious domains with only a small fraction of labeled samples. So far as we know, this is the first work to apply HIN in DNS analysis. We build a prototype of HinDom and evaluate it in CERNET2 and TUNET. The results reveal that HinDom is accurate, robust and can identify previously unknown malicious domains.

Wei Shi,Wanlei Zhou,Weimin Zheng

2004-01-01

Abstract:Network information identification is a “hot” topic currently. This paper designs a self-learning system using neural network algorithm for identifying the harmful network messages of both Chinese and English languages. The system segments the message into words and creates key word vector which characterizes the harmful network information. The BP algorithm is taken advantage of to train the neural network. The result of training and studying of the neural network can be applied onto many network applications based on message identification. The result of experiments demonstrates that our system has a high degree of accuracy.

Jiao Ma,Kun Chai,Yao Xiao,Tian Lan,Wei Huang

DOI: https://doi.org/10.1109/icm.2011.287

2011-09-01

Abstract:In order to solve the problems that IDSs and firewalls cannot efficiently detect new SQL injection and too much time is wasted when the security personnel reads log files to analyze attacks, we proposed and implemented a high-interaction web honeypot system for SQL injection analysis. By (i)modifying PHP extension for MySQL to intercept database requests and (ii)adopting exception based and signature based detection techniques, the system can generate the corresponding attack graphs to solve problems above. For illustration, SQL injection attack examples are utilized to show the performance of the honeypot system. The results show that the honeypot system can intercept all database requests and increase the efficiency of SQL injection analysis with the attack graphs. This system provides an efficient and timely detection on the new SQL injection and helps security personnel quickly analyzing the new SQL injection with the attack graph.

S. Suganya,S. Selvamuthukumaran

DOI: https://doi.org/10.3233/jifs-233579

2023-08-05

Abstract:Hadoop is a big data processing system that enables the distributed processing of massive data sets across multiple computers using straightforward programming techniques. Hadoop has been extensively investigated in many attacks as a result of its growing significance in industry. A company may learn about the actions of invaders as well as the weaknesses of the Hadoop cluster by examining a significant quantity of data from the log file. In a Big Data setting, the goal of the paper is to generate an analytical classification for intrusion detection. In this study, Hadoop log files were examined based on assaults that were recorded in the log files. Prior to analysis, the log data is cleaned and improved using a Hadoop preprocessing tool. For feature extraction, the hybrid Improved Sparrow Search Algorithm with Mutual Information Maximization (H-ISSA-MIM). Then the CNN (Convolutional Neural Network) classifier will detect the intrusions. The implementation is performed using the MATLAB 2020a software. The performance metrics like accuracy, precision, F-score, recall, specificity, FPR, FNR are calculated for the proposed methodology and it is compared with the existing techniques like Decision Tree (DT), Principal Components Analysis (PCA)- K means, Long Short Time Memory (LSTM). The maximum value of accuracy finds out in the proposed method 98% .

Feng Cui,Mingdi Xu,Bo Xie,Chaoyang Jin,Zhengxiao Li,Haipeng Fan

DOI: https://doi.org/10.1109/ICCCS61882.2024.10603260

2024-04-19

Abstract:Intrusion Detection Systems (IDS) play a crucial role in safeguarding network security perimeters by monitoring network traffic and system behavior in real time. The advent of deep learning, particularly through the application of Convolutional Neural Networks (CNNs) and Long Short-Term Memory (LSTM) networks, has significantly enhanced IDS's ability to detect network threats by leveraging autonomous learning and generalization capabilities. However, deep learning-based IDSs encounter challenges, including the necessity for extensive data labeling and the computational resources required, which pose obstacles to their widespread adoption and effectiveness. Nonetheless, deep learning-based IDS encounter challenges, including the requirement for extensive labeled datasets and significant computational resources. This paper proposes a novel hybrid IDS framework — HDCBAN that integrates deep convolutional neural networks, bidirectional LSTM networks, and the AlexNet model to efficiently predict and classify malicious network activities. The HDCBAN model employs deep CNNs to capture local features through convolution, bidirectional LSTMs to seize temporal features for enhanced performance and prediction capabilities, and AlexNet to augment classification efficacy through feature extraction. The effectiveness of this hybrid approach was assessed using real-world datasets, including the publicly available CSE-CIC-IDS 2017, CSE-CIC-IDS 2018, and NSL-KDD datasets, with preprocessing to optimize model performance. Experimental results, validated through 10-fold cross-validation, reveal that our model achieves a malicious attack detection rate and accuracy of up to 99.88% for CSE-CIC-IDS and 99.93% for NSL-KDD, thereby outperforming existing models in detection rate, accuracy, and reducing false positives.

Computer Science,Engineering

S. Nagarajan,S. Kayalvizhi,R. Subhashini,V. Anitha

DOI: https://doi.org/10.1016/j.cie.2023.109166

2023-04-23

Abstract:The security analysis has become the hotspot concern in Industrial Control Systems (ICSs) that grabs the research attention in today's era. Owing to the rapid admittance of the Industrial Internet of Things (IIoT), the superimposition of fog and cloud computing plays a pivotal role for rectifying such issues as fewer computation resources and more latency in the network. In addition to this, security issue comes first while developing the ICS in the sector of IIoT. In general, ICS is applied for various processes, such as electric utilization and water supply management, that are related to every individual's life. Though it is interlinked with the Internet, it can easily expose to different threats. To defend the model, Intrusion Detection Systems (IDS) are employed. In signature-based detection, anomaly detection is used to find out the unknown attacks in the network. Yet, the ICS is structured with many software and hardware tools. It also seems in the openness nature of the industrial environment that, it becomes vulnerable to various attacks. Hence, detecting unknown attacks is a complex task in the openness nature of the industrial environment. It causes failure to protect such systems from malicious entities that could result in more complications for humans. Hence, the detection of malicious activities is essential. In order to provide an efficient model, a new hybrid deep learning is proposed in ICS. Initially, the original data is to be collected based on the ICS industry. Secondly, the gathered data is preprocessed to clean the artifacts and clean the data. Thirdly, the optimal features are chosen directly from the gathered data with the help of a hybrid algorithm called the Hybrid Honey Badger-World Cup Algorithm (HHB-WCA). The chosen optimal features are fed to the hybrid deep learning termed as Autoencoder-Bi-directional Long Short-Term Memory (A-Bi-LSTM), where the encoded features from Autoencoder are extracted and encoded features are subjected to the Bi-LSTM classifier. Finally, the simulation outcome has shown that the developed method is compared with the other traditional algorithms to detect the unknown classes in the network.

computer science, interdisciplinary applications,engineering, industrial

Haibo Zhao,Jianhua Li,Yuhang Yang

DOI: https://doi.org/10.3321/j.issn:1006-2467.1999.01.022

1999-01-01

Shanghai Jiaotong Daxue Xuebao/Journal of Shanghai Jiaotong University

Abstract:Intrusion detection (ID) is an important aspect in network security technology. Real time intrusion detection is one of the key technologies in developing firewall. An ID based on statistics was described and a keystroke-recognizing algorithm was given. Then an ID based on a state indexed decision tree was discussed and a fast multi-key search algorithm suitable to real-time detection was given. Finally, a description of an actual intelligent intrusion detection system used in firewalls was presented.

Junjiang He,Cong Tang,Wenshan Li,Tao Li,Li Chen,Xiaolong Lan

DOI: https://doi.org/10.1109/tifs.2023.3324388

IF: 7.231

2023-11-25

IEEE Transactions on Information Forensics and Security

Abstract:Host-based intrusion detection systems (HIDS) have been widely acknowledged as an effective approach for detecting and mitigating malicious activities. Among various data sources utilized in HIDS, system call traces have gained significant popularity due to their inherent advantage of providing fine-grained information. Nevertheless, conventional feature extraction techniques relying on system calls tend to overlook the issue of high-dimensional sparse feature space. In this paper, we conduct a theoretical analysis to investigate the underlying causes of the sparsity problem. Subsequently, we propose an anti-sparse theory (anti-ST) as a solution to address this issue. Then, we design a multi-granularity feature extraction method (MGFE), which also meets the prerequisite mathematical conditions of the anti-ST. By applying this method, we effectively reduce the size of the feature space and minimize the number of generated features, thus mitigating sparsity. Furthermore, leveraging this approach, we propose a robust and anti-sparsity host intrusion detection framework, known as the MGFE-based Host Intrusion Detection Framework (BR-HIDF). A series of experiments were conducted to evaluate the proposed framework and compare it with the state-of-the-art method. The results demonstrate that our framework achieves impressive accuracy (97.26%), precision (97.62%), recall (96.85%), and F1 score (97.23%) in the intrusion detection task, surpassing existing frameworks. Moreover, the proposed framework significantly reduces the time overhead by 38.80%, exhibiting the highest AUC value of 0.992. Furthermore, we enhance the robustness of the detection system by integrating host-based and network-based detection, which provides greater flexibility in identifying various types of attacks.

computer science, theory & methods,engineering, electrical & electronic