张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

Xifeng AN,Weihua LI,Zun LIU

DOI: https://doi.org/10.3321/j.issn:0253-987X.2008.12.013

2008-01-01

Abstract:A novel network security cooperative defense technology is studied and a cooperative control framework based on agent mechanism is proposed to solve the lack of cooperative control and whole effect in traditional defense systems. The technology supports both IPv4 and IPv6 protocols and security modules in the framework are associated with each other to accomplish communication and work together. Furthermore, a network security cooperative defense system is composed and the key functions that support the early-alert, audit, accident recovery, network camouflage and so on are also achieved. The pivotal research is emphasized on the key technologies of system call sequences audit model based on machine learning and cooperative accident recovery. Under the condition of 100 M Data flow speed, the NSCDS software's false negative is less than 6% and its false positive is less than 8%. Besides, all module functions work normally and the system can be used to carry out cooperative defense capability.

Chunmei YIN,Mingchu LI,Jianbo MA

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.01.061

2006-01-01

Abstract:Computer security has been focused on passive defense strategies and intrusion detection system has its own security vulnerability.This paper designs and implements honeypot scan detection system,combines the active defense honeypot with passive defense intrusion detection,introduces a new 2-dimension link structure for slow scan and new event mechanism in the system,and solves some weaknesses in known techniques.The tests on this system in a typical network environment show that the system can provide early warning about scan,detecting slow scan and some new,attacks and has very low false positives and false negatives.

GAO Zheng,CHEN Shu-yu,LI Guo-yong

2010-01-01

Abstract:Aiming at the shortages of misuse detection and anomaly detection in intrusion detection system,on basis of researching hybrid intrusion detection system,a new design of hybrid intrusion detection system was proposed by studying it.Misuse detection module is based on Snort's pattern rules database.Anomaly detection is to use self-organizing neural network for data clustering,and then to classify these data by supervised learning vector quantization.Simulation of the key modules in this system was done successfully,and results show that the system improved capabilities and accuracy of the hybrid intrusion detection system.

Bo-Xiang Wang,Jiann-Liang Chen,Chiao-Lin Yu

DOI: https://doi.org/10.1109/access.2022.3175886

IF: 3.9

2022-05-27

IEEE Access

Abstract:The work develops a network threat detection system, AI@NTDS, that uses the behavioral features of attackers and intelligent techniques. The proposed AI@NTDS system combines data analysis, feature extraction, and feature evaluation to construct a detection model, which supports a more straightforward strategy by which the operating system or its operators can defend against network attacks. The Linux system interaction information of SSH (Secure Shell) and Telnet are obtained from the Cowrie Honeypot and labeled according to Enterprise Tactics of MITRE ATT&CK to ensure dataset credibility. The proposed AI@NTDS system has three levels, depending on the attacker's attacks and the user's risk of damage. Fifty-two features are used to detect the network threat level. The features contain message-based features for all kinds of Linux operating instructions, host-based features for all types of information in the network connection process, and geography-based features are related to the attacker's location. AI-based algorithms LightGBM, Random Forest and the K-NN algorithm are used to verify the identification of the custom features. Finally, the detection model that is trained using the best combination of features is used to predict the test dataset. The accuracy of the proposed AI@NTDS system reaches 99%, 95.66%, and 94.08% with the LightGBM, Random Forest, and K-NN algorithms, respectively. The mutual dependencies of features and network threats are evaluated. Results of a performance analysis reveal that the proposed AI@NTDS system has an accuracy of 99.20% and an F1-score of 99.80%. It is superior to existing detection mechanisms, which it outperforms by 4% and 1% i- accuracy and F1-score, respectively.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ran Tao,Li Yang,Lu Peng,Bin Li

DOI: https://doi.org/10.1109/cicybs.2009.4925084

2010-01-01

International Journal of Information Security and Privacy

Abstract:Application features such as port numbers are used by network-based intrusion detection systems (NIDSs) to detect attacks coming from networks. System calls and the operating system related information are used by host-based intrusion detection systems (HIDSs) to detect intrusions towards a host. However, the relationship between hardware architecture events and denial-of-service (DoS) attacks has not been well revealed. When increasingly sophisticated intrusions emerge, some attacks are able to bypass both the application and the operating system level feature monitors. Therefore, a more effective solution is required to enhance existing HIDSs. In this paper, we identify the following hardware architecture features: instruction count, cache miss, bus traffic and integrate them into a novel HIDS framework based on a modern statistical gradient boosting trees model. Through the integration of application, operating system and architecture level features, our proposed HIDS demonstrates a significant improvement of the detection rate in terms of sophisticated DoS intrusions.

Ruey-Maw Chen,Kuo-Ta Hsieh

DOI: https://doi.org/10.1002/dac.1289

2011-06-01

International Journal of Communication Systems

Abstract:Dependence on the Internet is increasing dramatically. Therefore, many researchers have given great attention to the issue of how to tighten Internet security. This study proposes a new scheme for the distributed intrusion prevention system (DIPS), in which the concept of ‘union’ is presented for satisfying the increasing requirements of Internet security issues. In this proposed design, the network intrusion detection system (NIDS) applies a misuse detection technique to detect well‐known intrusion behavior on the Internet. Meanwhile, for anomaly detection technique, a tool named ‘Scent’ (a network traffic sniffer) is combined with conditional legitimate probability to reveal previously undiscovered intrusion packets that do not match the intrusion signatures in NIDS. Moreover, blocking distributed denial‐of‐service (DDoS) attacks inside the protected allied network is also covered. To increase the detection accuracy, reduction of false positives and false negatives is also accomplished. Experimental results reveal that the suggested network security system scheme is effective and efficient in resolving the intrusion activity problem of real network environments. Copyright © 2011 John Wiley & Sons, Ltd. In this work, a new system scheme of the allied distributed intrusion prevention system was implemented to meet the increasing Internet security issues. A network intrusion detection system (NIDS) applies misuse detection technique to detect well‐known intrusion behaviors on the Internet. Meanwhile, for anomaly detection technique, a designed tool named ‘Scent’ (a network traffic sniffer) is combined with conditional legitimate probability to find out new intrusion packets that do not match the intrusion signatures in NIDS. Moreover, blocking distributed denial‐of‐service attacks inside the protected allied network is also designed. To increase the detection accuracy, reducing false positive and false negative are also accomplished.

telecommunications,engineering, electrical & electronic

Hongbin Han

2006-01-01

Abstract:Facing the fast developing Internet,the ability of traditional intrusion detection system becomes weaker.This paper focuses on introducing computer immunity and multi-agent technology into the traditional intrusion detection system to design a computer's immunity-based multi-agent intrusion detection system.Compared with the traditional system,this system is flexible,distributed,intelligent and so on.It can finish the intrusion detection and defence completely.

Xi Chen

DOI: https://doi.org/10.54254/2755-2721/38/20230530

2024-02-07

Abstract:With the widespread application of computer network technology, computer network security defense capability has become a focus of attention in various industries. The extensive use of computer information systems in various sectors has significantly improved work efficiency but has also introduced security risks and management issues. The deployment of network security detection and control systems allows for effective security monitoring and management of computer operations and real-time network information. This paper presents a computer network security detection and control system based on human-computer interaction, which enables users to handle daily key business processes. The work principles and overall architecture of the network security detection and control system are analyzed and demonstrated. It offers functions such as filtering options, address rules, network security detection, network unreachability, overall traffic analysis, subnet definition, fault diagnosis, and security analysis. Testing and analysis indicate that the systems design achieves the intended goals. In the application of network security features, it can effectively combine various forces to enhance the quality and efficiency of network security, making it widely applicable in various industry units.

Li-juan ZHENG,Bei-bei CHU,Wen-feng ZHOU,Hai-bo LAN

DOI: https://doi.org/10.3969/j.issn.1001-9383.2006.04.003

2006-01-01

Abstract:Different from security schemes mainly for prevention,the intrusion-tolerant system can provide normal and continuous service even after it has been attacked.The theories related to intrusion-tolerant is introduced, then a network intrusion-tolerant model is presented.In the model,it adopts an intrusion detection system based on neural network as its trigger,through the analysis of the workflow and performance,a conclusion is drawn that the model has good self-adaptability、security and flexibility,and can resist various of service attacks.

Simon T. Powers,Jun He

DOI: https://doi.org/10.1016/j.ins.2007.11.028

2012-08-03

Abstract:Network intrusion detection is the problem of detecting unauthorised use of, or access to, computer systems over a network. Two broad approaches exist to tackle this problem: anomaly detection and misuse detection. An anomaly detection system is trained only on examples of normal connections, and thus has the potential to detect novel attacks. However, many anomaly detection systems simply report the anomalous activity, rather than analysing it further in order to report higher-level information that is of more use to a security officer. On the other hand, misuse detection systems recognise known attack patterns, thereby allowing them to provide more detailed information about an intrusion. However, such systems cannot detect novel attacks. A hybrid system is presented in this paper with the aim of combining the advantages of both approaches. Specifically, anomalous network connections are initially detected using an artificial immune system. Connections that are flagged as anomalous are then categorised using a Kohonen Self Organising Map, allowing higher-level information, in the form of cluster membership, to be extracted. Experimental results on the KDD 1999 Cup dataset show a low false positive rate and a detection and classification rate for Denial-of-Service and User-to-Root attacks that is higher than those in a sample of other works.

Neural and Evolutionary Computing,Cryptography and Security

Xingyuan Yang,Jie Yuan,Hao Yang,Ya Kong,Hao Zhang,Jinyu Zhao

DOI: https://doi.org/10.3390/fi15040127

2023-03-29

Future Internet

Abstract:In this paper, considering the problem that the common defensive means in the current cyber confrontation often fall into disadvantage, honeypot technology is adopted to turn reactive into proactive to deal with the increasingly serious cyberspace security problem. We address the issue of common defensive measures in current cyber confrontations that frequently lead to disadvantages. To tackle the progressively severe cyberspace security problem, we propose the adoption of honeypot technology to shift from a reactive to a proactive approach. This system uses honeypot technology for active defense, tempting attackers into a predetermined sandbox to observe the attacker's behavior and attack methods to better protect equipment and information security. During the research, it was found that due to the singularity of traditional honeypots and the limitations of low-interactivity honeypots, the application of honeypot technology has difficulty in achieving the desired protective effect. Therefore, the system adopts a highly interactive honeypot and a modular design idea to distinguish the honeypot environment from the central node of data processing, so that the honeypot can obtain more sufficient information and the honeypot technology can be used more easily. By managing honeypots at the central node, i.e., adding, deleting, and modifying honeypots and other operations, it is easy to maintain and upgrade the system, while reducing the difficulty of using honeypots. The high-interactivity honeypot technology not only attracts attackers into pre-set sandboxes to observe their behavior and attack methods, but also performs a variety of advanced functions, such as network threat analysis, virtualization, vulnerability perception, tracing reinforcement, and camouflage detection. We have conducted a large number of experimental comparisons and proven that our method has significant advantages compared to traditional honeypot technology and provides detailed data support. Our research provides new ideas and effective methods for network security protection.

SHI Li-li,XUE Zhi,WANG Yi-jun

DOI: https://doi.org/10.3969/j.issn.1009-8054.2008.02.022

2008-01-01

Abstract:This paper presents the Distributed Firewall and Invading Detection Technique, analyzes their deficiencies, discusses and researches the combination technique, explains the design principle and implementation of the combination system based on the Distributed Firewall and Invading Detection Technique. Through the union system, the firewall may using the IDS discover promptly the attack behavior outside its strategy, the IDS also may block the attack behavior from exterior network through the firewall, thus can form one kind of safe protection system with effective interaction, en-hanced the network whole safety performance enormously.

Kai Hwang,Ying Chen,Hua Liu

DOI: https://doi.org/10.1109/IPDPS.2005.160

2005-01-01

Abstract:Network security breaches hinder the application of distributed computing systems manifested as the Grids, clusters, intranets, extranets, or P2P systems. A new integrated approach is presented for building future, network-based intrusion detection systems (NIDS). We integrate the Snort (a NIDS) with a custom-designed anomaly detection system (ADS) to yield a powerful cyber defense system, called CAIDS. This system detects known attacks through signature matching and reveals network anomalies by Internet traffic datamining. The CAIDS design integrates two different detection engines for alert correlation between intrusions and anomalies. We aim to automate signature generation into Snort database. The system was tested over an Internet trace of 24 millions of packets containing 200 attacks. Our simulation experiments result in a 75% detection rate on all attacks with a low 5% false alarm rate. The system generates alerts on both intrusive attacks to distributed resources and anomalies detected in the Internet, intranet, and extranet connections.

Haipeng Yao,Qiyi Wang,Luyao Wang,Peiying Zhang,Maozhen Li,Yunjie Liu

DOI: https://doi.org/10.1007/s10766-017-0537-7

2017-01-01

International Journal of Parallel Programming

Abstract:With the dramatic opening-up of network, network security becomes a severe social problem with the rapid development of network technology. Intrusion Detection System (IDS) is an innovative and proactive network security technology, which becomes a hot topic in both industry and academia in recent years. There are four main characteristics of intrusion data that affect the performance of IDS including multicomponent, data imbalance, time-varying and unknown attacks. We propose a novel IDS framework called HMLD to address these issues, which is an exquisite designed framework based on Hybrid Multi-Level Data Mining. In this paper, we use KDDCUP99 dataset to evaluate the performance of HMLD. The experimental results show that HMLD can reach 96.70% accuracy which is nearly 1% higher than the recent proposed optimal algorithm SVM+ELM+Modified K-Means. In details, HMLD greatly increased the detection accuracy of DoS attacks and R2L attacks.

WANG Jie,HU Hua-ping,TANG Yong

DOI: https://doi.org/10.3969/j.issn.1007-130x.2006.02.010

2006-01-01

Abstract:Most security technologies are designed to prevent unauthorized activities for resources.And security tools are put into place as a defensive measure.Therefore there are some shortcomings in network protection.After analyzing the research situation and the shortcomings of security tools in intrusion detection and system protection,a distributed virtual honeynet system is studied and implemented.The system is composed of a Hybrid Virtual Honeynet and a low-interaction Honeypot.Which reduces the inherent risk of Honeypot,and adds the simulation's trueness,and it makes up for the shortcomings of existing different types of honeypots.As a dynamic security defensive mechanism,it improves effectively the integral safety of large-scale networks,and is a completely supplement of traditional security mechanisms.

Zheng Minjiao,Ma Yufeng,Wu Bo,Qian Zhang

DOI: https://doi.org/10.1109/iccbd56965.2022.10080304

2022-01-01

Abstract:Honeynet, as a representative network deception technology, can protect the network while attracting attackers to understand their patterns, strategies and behaviors. The new honeynet based on the latest bility, but the ability to construct honeynet scene dynamically is still a little bit insufficient at the moment. We propose a dynamic deception honeynet architecture combining virtual and real honeypot, which is used to dynamically generate a real network according to the cyber situation and the attack behavior to attract attackers. It redirects the advanced attacker to the environment that he is more interested, in order to capture the attacker and conduct further analysis. This improves the lack of dynamic and inductivity in the existing honeynet. Finally, we de-veloped the prototype system and set up the experimental environment. The result shows that the system has a high degree of intelligence and strong in-ductivity.

黄艳,方勇,蒋磊,刘亮

DOI: https://doi.org/10.3969/j.issn.1009-8054.2012.07.075

2012-01-01

Abstract:In order to achieve a security system of in-advance defense, in-progress detection, and afterward extraction of the trace, an overall design framework of security protection in combination of dynamic hybrid honeypot and real-time computer trace extraction is proposed, and the security policies are continuously optimized by audit module. Meanwhile, by the agent of trace extraction and network data collector, the evidences are collected in real time, and the collected data is sent to the server and analyzer for the extraction of crime evidence.

Chunmei Yin,Mingchu Li,Jianbo Ma,Jizhou Sun

DOI: https://doi.org/10.1109/ccece.2004.1345313

2004-01-01

Abstract:We present an application of a honeypot in detection collaboration with an intrusion detection system. We have designed and implemented a honeypot port-scan detection system for scan detection, which can work as a module of the intrusion detection system and can also run independently. Nowadays, intrusion detection systems face more challenges, such as data overload, high false positives and negatives, and being incapable of understanding the encrypted or IPv6 packets. We introduce new data structures (such as a new link structure for slow scan) and new event mechanisms in our system, and present a new method to solve some weaknesses in known techniques, so our system can provide an early scan warning and detect some new attacks. Our tests on this system in a typical network environment show that the system has very low false positives and false negatives.