Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Zhaohui Hu,Qi Chen,Ruizhao Yu

DOI: https://doi.org/10.3321/j.issn:1002-8331.2001.10.020

2001-01-01

Abstract:This article introduces the implementation of TCP Protocol and the technique of Port Scanning based on the characteristic of TCP Protocol,at the same time,the several implementations of Port Scanning are also described. We also analyze the potential external attacks that can be made because of the weakness of operation system and the ways to avoid suck kinds of attack are also put up.

Shan Rong-sheng,Li Xiao-yong D.,Li Jian-hua

DOI: https://doi.org/10.1007/s11741-004-0073-8

2004-01-01

Abstract:Detection of port scan is an important component in a network intrusion detection and prevention system. Traditional statistical methods can be easily evaded by stealthy scans and are prone to DoS attacks. This paper presents a new mechanism termed PSD(port scan detection), which is based on TCP packet anomaly evaluation. By learning the port distribution and flags of TCP packets arriving at the protected hosts, PSD can compute the anomaly score of each packet and effectively detect port scans including slow scans and stealthy scans. Experiments show that PSD has high detection accuracy and low detection latency.

LIU Ting-hua,SONG Hua,DAI Yi-qi

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.09.003

2006-01-01

Abstract:Techniques of the port scan and its detection were introduced briefly.A new self-adaptive distributed detection method of port scan wasdesigned and implemented.By detecting anomalous packets and calculating the class's anomalysum value,it sets adynamic threshold combined with the network traffic,and then judges whether that is a scan.This method could detect slow scans,random scans and distributed scans effectively.And it could detect DDoS(distributed denial of service) attacks as well.

Hao Ding,Haifeng Ji,Zhiyao Huang,Haiqing Li

DOI: https://doi.org/10.1109/wcica.2004.1343091

2004-01-01

Abstract:Based on fuzzy logic theory, a new data fusion method for target identification using D-S evidence theory (Dempster-Shafer theory) is presented. By acquiring signals from multiple sources, the belief function assignment value of each transducer is obtained from extracted eigenvalue by using fuzzy logic. The fusion belief function assignment is received by using D-S evidence theory. To solve the problem of combing evidences with high degree of conflict, a modified D-S evidence theory combination rule is introduced. The problem of inconsistent evidence is handled using the method. More accurate result of target identification can be obtained. A comparison of the results of target identification based on separate original data with those based on fusion data shows that the accuracy of target identification is increased.

Weicheng Qiu,Yinghua Ma,Xiuzhen Chen,Haiyang Yu,Lixing Chen

DOI: https://doi.org/10.1016/j.cose.2022.102709

IF: 5.105

2022-01-01

Computers & Security

Abstract:Cyber-attacks are becoming increasingly sophisticated, posing greater challenges in accurately detecting intrusions. Failure to prevent intrusions could degrade the credibility of security services. Intrusion Detection System (IDS) is one of the most effective paradigms to identify attack behaviors. This paper proposes a novel hybrid intrusion detection system called DST-IDS. The proposed method employs both packet-based and flow-based intrusion detection techniques and combines them with Dempster-Shafer Theory (DST). DST-IDS has an ensemble-like framework. It takes both traffic flows and their first N packets as inputs; flow-based IDS aims to predict traffic flows and packet-based IDS detects attacks in the corresponding packets; DST is then applied to fuse predictions of flow-based IDS and packet-based IDS to a final detection result. We also design a novel data collection/processing tool in DST-IDS to reduce the data volume required to perform intrusion detection and enable early detection. In addition, DST-IDS is designed to work with heterogeneous data distribution where the distribution of the training dataset can differ from the data distribution during implementation. This property drastically improves the practicality of DST-IDS. We run experiments on public datasets and real networks to evaluate the proposed method. The experimental results show that DST-IDS outperforms state-of-the-art benchmarks in terms of intrusion detection accuracy and detection speed. Particularly, DST-IDS provides real-time detection in real networks and handles well heterogeneous data distribution.

WANG Ping-hui,ZHENG Qing-hua,NIU Guo-lin,GUAN Xiao-hong,CAI Zhong-min

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.12.003

2007-01-01

Journal of Communications

Abstract:A slowly port scan detect method was presented based on the statistical traffic features.Two statistical features: the ratio between the number of hosts and ports a host communicates and similarities of the ports set,were selected to denote the traffic features.The CUSUM and wavelet transform methods were employed to analyze the features and detect the slowly port scan behaviors.The experimental results show that the methods proposed detect port scan behaviors effi-ciently and correctly,it has low false negative and false positive alarm rate compared with the Snort.

CHEN Bo,WAN Shou-hong,YUE Li-hua

DOI: https://doi.org/10.3778/j.issn.1002-8331.2010.28.063

2010-01-01

Computer Engineering and Applications Journal

Abstract:As for the low accuracy of single source ship detection,based on Dempster-Shafer theory,this paper introduces an improved basic probability assign method which updated by weights.Using the solutions of conflicting evidences,the data from the ship detection of SAR and optical imagery are fused on feature level with the improved Dempster-Shafer theory,and the experiment results show that this method can improve the accuracy of ship detection greatly.

MA Li-bo,ZHANG Jia,LI Xing

DOI: https://doi.org/10.3321/j.issn:0438-0479.2007.z2.021

2007-01-01

Abstract:A scan detection platform constructed by unused IP addresses will effectively improve detection accuracy and reduce false alarm.Before constructing a real scan detection platform,we need to evaluate the detection effectiveness of controlled monitoring addresses to predict the detecting tagets and determine the necessity of the platform deployment.To match these requirements,a new scan detection model based on network classification is presented.According to this model,we can evaluate the detection effectiveness of a scan detection platform which is used to detect random or local preference scanning sources and provide theory guidance for the platform construction and deployment.We use the Leurre'com Honeynet Project's distributed scan detection platform as a practical evaluation instance.Evaluation results show that the platform can effectively detect high speed random scanning sources like Slammer worm and local preference scanning sources whose average scanning rate is more than 2 scan connections per second.To low speed scanning sources,the detection effectiveness is poor.Statistics of real monitoring data and simulation results validate the veracity of evaluation results.

Dibo Hou,Huimei He,Pingjie Huang,Guangxin Zhang,Hugo Loaiciga

DOI: https://doi.org/10.1088/0957-0233/24/5/055801

IF: 2.398

2013-01-01

Measurement Science and Technology

Abstract:This study presents a method for detecting contamination events of sources of drinking water based on the Dempster-Shafer (D-S) evidence theory. The detection method has the purpose of protecting water supply systems against accidental and intentional contamination events. This purpose is achieved by first predicting future water-quality parameters using an autoregressive (AR) model. The AR model predicts future water-quality parameters using recent measurements of these parameters made with automated (on-line) water-quality sensors. Next, a probabilistic method assigns probabilities to the time series of residuals formed by comparing predicted water-quality parameters with threshold values. Finally, the D-S fusion method searches for anomalous probabilities of the residuals and uses the result of that search to determine whether the current water quality is normal (that is, free of pollution) or contaminated. The D-S fusion method is extended and improved in this paper by weighted averaging of water-contamination evidence and by the analysis of the persistence of anomalous probabilities of water-quality parameters. The extended D-S fusion method makes determinations that have a high probability of being correct concerning whether or not a source of drinking water has been contaminated. This paper's method for detecting water-contamination events was tested with water-quality time series from automated (on-line) water quality sensors. In addition, a small-scale, experimental, water-pipe network was tested to detect water-contamination events. The two tests demonstrated that the extended D-S fusion method achieves a low false alarm rate and high probabilities of detecting water contamination events.

DongCai Qu,Xiangwei Meng,Juan Huang,You He

DOI: https://doi.org/10.1109/icosp.2004.1452577

2004-01-01

Abstract:The D-S evidence combination theory is another important uncertainty inference method different from information processing by neural network, which is applied widely in intelligent information processing, and highly practical in engineering. On concisely introducing the Dempster-Shafer evidence combination theory frame, this article researches into the neural network intelligent recognition technology assisted by Dempster-Shafter evidence combination theory, sets forth the intelligent recognition tactics, presents the method and procedure of multi-sensor data fusion intelligent recognition on account of the calculating case, and puts forward some questions to be inquired.

Qing Ye,Xiaoping Wu,Yongqing Liu,Gaofeng Huang

DOI: https://doi.org/10.1109/IITSI.2010.87

2010-01-01

Abstract:Intrusion Detection system has become the main research focus in the area of information security. Dempster-Shafer theory of Evidence (DST) and rough set theory (RST) are two typically effective tools in dealing with uncertainty questions including network intrusion detection. In this paper, to solve some problems in applying DST, a hybrid approach of RST and DST is proposed. Firstly, to obtain basic probability assignment (BPA) of evidence theory for all evidences, a novel method of getting evidences and objective BPA based on attribute importance is presented. The attribute simplification algorithm is established to eliminate redundant evidences and establish the final combined evidences. A hybrid model for intrusion detection based on RST and DST is presented to give a higher detection precision and better performance, and in an illustrative example it is effective and feasible.

Yuanzhang Li,Shangjun Yao,Ruyun Zhang,Chen Yang

DOI: https://doi.org/10.1002/int.22330

IF: 8.993

2020-11-10

International Journal of Intelligent Systems

Abstract:<p>Security monitoring and analysis can help users to timely perceive threats faced by the host, thereby protecting and backup data and improving the host's security status. In the research domain of host security analysis, many feasible solutions have been proposed. However, real‐time performance and accuracy still need improvement. This paper proposes a host security analysis method based on Dempster–Shafer (D‐S) evidence theory. It adopts three models of support vector regression, logistic regression, and K‐nearest neighbor regression, as sensors for multisource information fusion. Multiple sensors perform security analysis on the host, respectively, and use the analysis results as evidence of D‐S evidence theory. Experiments show that the proposed method provides effective security protection for the host in terms of absolute error, root mean square error, and the average absolute percentage error.</p>

computer science, artificial intelligence

B Yan,Zm Lu,Sh Sun

2003-01-01

Abstract:Watermark detection algorithm plays an important role in enhancing the robustness of watermark. This paper proposes one watermark detection technique based on Dempster-Shafer (D-S) theory. D-S theory can be simply viewed as an extension to classical Bayesian Theory in statistical inference. The proposed audio watermark detection method uses D-S theory to model uncertainty when the watermarked audio has been attacked, by using D-S rule of combination, correlation results from several frames are combined to form a more reliable decision. Results from simulation experiment using spread spectrum techniques and audio masking validate the proposed detection algorithm.

YU Xin,HAN Chong-zhao,PAN Quan,XIE Ming-zhi

DOI: https://doi.org/10.3321/j.issn:1001-506x.2007.05.031

2007-01-01

Abstract:The problems of target identification based on multiple and asynchronous information sources are discussed.Dempster-Shafer evidence reasoning is applied to combine different evidences coming from various sensors.Then the new confidence function can be gotten.At the same time,a method of consequent target identification based on the decision from basic belief assignment is put forward.Finally the effectiveness of this method is demonstrated.The results of simulation can prove that the new method is more reliable and accurate.

Yi-Zhou Li,Hao Hu,Dao-Zheng Huang

DOI: https://doi.org/10.3141/2426-04

IF: 1.7

2014-01-01

Transportation Research Record

Abstract:Although a huge amount of information is available in all kinds of marine safety databases, only a small part can be used directly. The disorganized information from different sources leads to a mixture of format and definition. In the work reported in this paper, the Dempster Shafer theory (DST) of evidence was applied to combine evidence (i.e., a piece of information that supports a claim) from different sources. The method is regarded as a generalization of the Bayesian theory and can avoid two difficulties in classical probability theory: handling the conflicting information and assigning prior probabilities. The work of data fusion was demonstrated first by a decision fusion problem that involved the reconciliation of contradictory expert reports. The DST can provide a decision maker with a comprehensive result through the combination of different experts' opinions. Second, fusion was conducted of two representative maritime incident databases: that of the Global Integrated Shipping Information System and that of the International Chamber of Commerce. Although the records in the databases had some defects (e.g., disorder, error, contradiction), the DST was able to work effectively and calculate an uncertainty interval of incident.

Lanjia Wang,Haixin Duan,Xing Li

DOI: https://doi.org/10.1007/11602897_21

2005-01-01

Abstract:Detecting and identifying port scans is important for tracking malicious activities at early stage. The previous work mainly focuses on detecting individual scanners, while cares little about their common scan patterns that may imply important security threats against network. In this paper we propose a scan vector model, in which a scanner is represented by a vector that combines different scan features online, such as target ports and scan rate. A center-based clustering algorithm is then used to partition the scan vectors into groups, and provide a condense view of the major scan patterns by a succinct summary of the groups. The experiment on traffic data gathered from two subnets in our campus network shows that our method can accurately identify the major scan patterns without being biased by heavy hitters, meanwhile, possessing simplicity and low computation cost.

Li-Bo Ma,Hai-Xin Duan,Quang-Anh Tran,Xing Li

DOI: https://doi.org/10.1109/icmlc.2006.258991

2006-01-01

Abstract:One of difficulties network scan detection system must face is how to identify a scan source from normal and abnormal hybrid traffics. In this paper, firstly we use modified low interaction honeypots to get pure abnormal scan traffics for avoiding scan sources identification procedure. Secondly, we try to consider scans detection problem through the eye of a network on the basis of above dataset. A 3 layers scan detection network is constructed where the node of every layer is source-IP, destination-IP and resource (the couple {destination port, protocol}), the link is the scan access connection between nodes. The scan detection network owns good features of layer and single-direction. A degree statistics method is put forward to grade the importance of nodes of the scan detection network and give proper warnings. By using a degree statistics method on honeypot dataset we can focus on the research of scan sources' behaviors and stand out what's really worthy of noticing and warning instead of staying at the procedure of identifying whether a source is a scanner or not. Our method enriches the statistic information of scan detection and can effectively reduce warning false positives comparing to previous works

Jason M. Pittman

DOI: https://doi.org/10.48550/arXiv.2302.09317

2023-02-18

Abstract:Port scanning is the process of attempting to connect to various network ports on a computing endpoint to determine which ports are open and which services are running on them. It is a common method used by hackers to identify vulnerabilities in a network or system. By determining which ports are open, an attacker can identify which services and applications are running on a device and potentially exploit any known vulnerabilities in those services. Consequently, it is important to detect port scanning because it is often the first step in a cyber attack. By identifying port scanning attempts, cybersecurity professionals can take proactive measures to protect the systems and networks before an attacker has a chance to exploit any vulnerabilities. Against this background, researchers have worked for over a decade to develop robust methods to detect port scanning. One such method revealed by a recent systematic review is the random forest supervised machine learning algorithm. The review revealed six existing studies using random forest since 2021. Unfortunately, those studies each exhibit different results, do not all use the same training and testing dataset, and only two include source code. Accordingly, the goal of this work was to reproduce the six random forest studies while addressing the apparent shortcomings. The outcomes are significant for researchers looking to explore random forest to detect port scanning and for practitioners interested in reliable technology to detect the early stages of cyber attack.

Cryptography and Security,Machine Learning

Haiying Wang,Yuke Shi,Long Chen,Xiaofeng Zhang

DOI: https://doi.org/10.3390/s24196455

IF: 3.9

2024-10-07

Sensors

Abstract:Tunnel fires are generally detected using various sensors, including measuring temperature, CO concentration, and smoke concentration. To address the ambiguity and inconsistency in multi-sensor data, this paper proposes a tunnel fire detection method based on an improved Dempster-Shafer (DS) evidence theory for multi-sensor data fusion. To solve the problem of evidence conflict in the DS theory, a two-level multi-sensor data fusion framework is adopted. The first level of fusion involves feature fusion of the same type of sensor data, removing ambiguous data to obtain characteristic data, and calculating the basic probability assignment (BPA) function through the feature interval. The second-level fusion derives basic probability numbers from the BPA, calculates the degree of evidence conflict, normalizes the BPA to obtain the relative conflict degree, and optimizes the BPA using the trust coefficient. The classical DS evidence theory is then used to integrate and obtain the probability of tunnel fire occurrence. Different heat release rates, tunnel wind speeds, and fire locations are set, forming six fire scenarios. Sensor monitoring data under each simulation condition are extracted and fused using the improved DS evidence theory. The results show that there is a 67.5%, 83.5%, 76.8%, 83%, 79.6%, and 84.1% probability of detecting fire when it occurs, respectively, and identifies fire occurrence in approximately 2.4 s, an improvement from 64.7% to 70% over traditional methods. This demonstrates the feasibility and superiority of the proposed method, highlighting its significant importance in ensuring personnel safety.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation