Wenbao Jiang,Hua Song,Yiqi Dai

DOI: https://doi.org/10.1016/j.cose.2004.07.005

2005-01-01

Abstract:Network-based intrusion detection systems (NIDSs) frequently have problems with handling heavy traffic loads in real-time, which result in packet loss and false negatives. This paper presents a high-performance network intrusion detection system, called HPMonitor, which combines a high-efficiency detection engine and a load-balancing device to address these problems. The paper describes HPMonitor's system architecture, discusses a flow-based dynamic load-balancing algorithm called dynamic least load first (DLLF) algorithm, and introduces a new multi-pattern string matching algorithm called shift max algorithm (SMA). The test results reveal that the DLLF algorithm is an effective balancing algorithm for NIDS. Meanwhile, the experimental results show that the SMA algorithm is faster in searching large sets of patterns when compared with other algorithms, and its performance is affected little when the patterns set number increases.

Hassan Hadi Al-Maksousy,Michele C. Weigle,Cong Wang

DOI: https://doi.org/10.1109/ths.2018.8574174

2018-01-01

Abstract:Malware detection is an important problem. We propose an efficient real-time system to detect and classify malware based on network behavior using deep neural networks. We show that the splitting of the system into two neural networks, detection and analysis, is the key to increasing accuracy. Therefore, this approach allows for the construction of a real-time monitoring system with very low CPU usage. Finally, we provide a comparison analysis of four machine learning classifiers for this task.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Haiguang Lai,Shengwen Cai,Hao Huang,Junyuan Xie,Hui Li

DOI: https://doi.org/10.1007/978-3-540-24852-1_32

2004-01-01

Abstract:The process speed of network-based intrusion detection systems (NIDSs) is still low compared with the speed of networks. As a result, few NIDS is applicable in a high-speed network. A parallel NIDS for high-speed networks is presented in this paper. By dividing the overall traffic into small slices, several sensors can analyze the traffic concurrently and significantly increase the process speed. For most attacks, our partition algorithm ensures that a single slice contains all the evidence necessary to detect a specific attack, making sensor-to-sensor interaction unnecessary, Meanwhile, by making use of the character of the network traffic, the algorithm can also dynamically balance all sensors' loads. To keep the system as simple as possible, a specific sensor is used to detect the scan and the DoS attack. Although only one sensor is used for this kind of attacks, we argue that our system can still provide high process ability....

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

Yueming Hu

DOI: https://doi.org/10.1007/1-4020-4933-1_10

2006-01-01

Abstract:One of the challenges on Internet intrusion detection (ID) is detecting the intrusion on high-speed networks. To cope with the intrusion on gigabit Ethernet or higher network links, the ID devices must utilize high-speed hardware, parallel structure and efficient algorithms. This paper presents a parallel approach of ID scheme based on network processor, the embedded processor for network devices. In this approach, packets from the network flow through multiple network processors. Within the network processor, multiple network processing engines are used to process the network data in parallel, each network processor/processing engine detect the packet flow for a subset of intrusion signature. The ID scheme is a MISD parallel mode. Data flow from the network is a single packet flow, and the detection device is a multiprocessor structure with different programs.

WU Chun-ming,WANG Bao-jin,CHEN Jun-hua,JIANG Ming,ZHANG Dong

2010-01-01

Abstract:Multi-path transmission,using several paths between the source and the destination,will cause packet reordering and present some problems about load balancing while achieving high bandwidth utilization.This paper proposes a traffic splitting algorithm based on nonius.We define the nonius as the deference between the transmission delay of the current path and the time between two successive packets.As a baseline of the delay,the nonius prevents the flow from packet reordering.The nonius can slide dynamically because of different path or the different time between two successive packets.The packet can be transmitted among as many paths as possible because the nonius slides dynamically;as a result,the load balancing can be achieved.The simulation results show that the proposed algorithm gains a prominent improvement in load balancing over previous algorithms,while without reordering is ensured.

Da-Wen Huang,Fengji Luo,Jichao Bi,Mingyang Sun

DOI: https://doi.org/10.1109/tifs.2022.3191491

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Deploying Intrusion Detection Systems (IDSs) is an essential way to enhance the security of Multi-hop Clustered Wireless Sensor Networks (MCWSNs). The conventional IDS deployment architectural designs show limitations in ensuring the security of MCWSNs due to the limited monitoring range of the nodes. This paper proposes an efficient IDS deployment architecture for MCWSNs. The architecture is a hybrid design, in which the cluster heads and the sink collaboratively act as IDS agents to monitor the entire network and perform intrusion detection. Based on the new architecture, this paper proposes a resource allocation model to optimally allocate resources among the IDS agents so that the network’s security metric can be maximized. A comprehensive analytical framework is proposed to analyze the optimality of the model’s solution, and an efficient computational approach is developed to obtain the optimal resource allocation strategy. Extensive numerical simulation and comparison studies are conducted to validate the proposed method.

Wei Wei

2007-01-01

Abstract:Network Intrusion Detection System (NIDS) is an important and practical tool for network security. To guarantee a precise detection the NIDS must detect packets at a wire speed. However, with the recent trend of high-speed networks, the capability of a single NIDS can not meet the speed’s demand, resulting in rising of false negatives. To promote the NIDS performance and efficiency, present studies on IDSs for high-speed network monitoring have begun to choose the distributed architecture as an alterative, first suggested by Christopher Kruegel et al . In such a design, the incoming network traffic is disseminated to a pool of sensors, which process a fraction of the whole traffic, reducing the possibility of packet loss caused by overload.

YU Rong,SUN Zhi,CHEN Jia,MEI Shunliang,DAI Yiqi

DOI: https://doi.org/10.3321/j.issn:1000-0054.2005.10.022

2005-01-01

Abstract:Intrusion detection technology is an indispensable way to protect the network security.This paper presents a high-speed intrusion detection system(IDS framework based on network processor and detection cluster.Two hardware algorithms were developed for the traffic distributor.One is the high-speed data-receiving program with the IXP1200 network processor,while the other is the load balance policy based on the destination media access control(MAC address.Tests show that the first algorithm achieves more than(1 Gb/s data-capturing ability,while the second algorithm is a satisfactery trade-off between protecting information integrity and reducing computational complexity.

YX Jiang,C Lin,ZG Shan,Z Chen

2004-01-01

Abstract:The main problem existed in the Network-based Intrusion Detection System (NIDS) is that the data-processing ability of classical centralized intrusion detection architecture does dissatisfy the increasing requirement of high-speed network. To resolve this problem, especially in real-time online intrusion detection, a NIDS cluster scheme is firstly introduced in this paper. Secondly, given the high resource demands and the special load-balancing characteristics in NIDS cluster, three optimized polices to improve the performance of NIDS cluster are proposed, i.e. Early Simple Packet Filter (ESPF), Adaptive Hash Load-Balancing (AHLB) algorithm, Priority Scheduling with Buffer Limited (PSBL). All the optimized measures are in collaboration with one another and provide the NIDS cluster scalability, adaptability, and high performance. Moreover, with the goal of analyzing the performance of NIDS cluster a Stochastic Petri Net (SPN) model is proposed. To cope with the well-known state space explosion problem, we propose an approximate analysis technique, which can significantly reduce the computing complexity of the model. In the end, the numerical results of the performance analysis for those schemes are presented, and some valuable conclusions are recommended which are suitable for NIDS cluster to achieve high performance.

Wei Lin,XiaoFei Wang,YaXuan Qi,Derek Pao,Bin Liu

DOI: https://doi.org/10.1109/INFCOMW.2009.5072152

2009-01-01

Abstract:In this paper, two-stage NIDS architecture is proposed, which aims to both increase the throughput and reduce memory cost. The contributions of this work are listed below.

Hai-Guang LAI,Hao HUANG,Jun-Yuan XIE

DOI: https://doi.org/10.3321/j.issn:0254-4164.2007.04.007

2007-01-01

Jisuanji Xuebao/Chinese Journal of Computers

Abstract:As the band of networks increases, the process speed of network-based intrusion detection systems (NIDSes) hardly keep up with the speed of networks. By arranging several sensors to deal with the traffic in parallel, the intrusion detection system's speed can be significantly increased. How to split the traffic to the sensors is the key problem of a parallel intrusion detection system. To resolve the problems, load balance, attack evidence keeping, and efficiency have to be concerned. Existing traffic partition algorithms cannot satisfy these requirements well, especially load balance, which directly affect the performance of a parallel intrusion detection system. A traffic partition algorithm called PABCS is proposed in the paper, which splits the traffic according to connections' states. PABCS provides better load balance than the usually used hash-based algorithm and guarantees that no attacks evidence for intrusion detection is lost after partition. Moreover, in the experiment, the algorithm's process speed reaches 1 Gbps.

WANG Wen-hua,GUO Zhi,GU Ming

DOI: https://doi.org/10.3969/j.issn.1001-3695.2005.10.037

2005-01-01

Abstract:Aiming to reduce the workload of target hosts in intrusion detection systems, this paper proposes a new efficient mobile Agent-based mechanism for data collection using load balancing technology. It can dynamically distribute computing tasks between target hosts according to current workload of hosts , which can make the most of computing ability of hosts to assure that intrusion is detected timely.

CHEN Jia,SI Tiange,DAI Yiqi

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.13.058

2006-01-01

Abstract:Intrusion detection technology is an indispensable way to keep the network safety. This paper proposes an intrusion detection system (IDS) framework based on network processor and detecting cluster. The possibility of functioning the distributor by IXP1200 and the key algorithms of the distributor are discussed. The result shows that the distributor can achieve a more than 1000Mbps data-capturing ability, and the load balance policy based on CAM is a satisfying trade-off on protecting the information integrity and reducing the computing complexity.

Abdulsalam O. Alzahrani,Mohammed J. F. Alenazi

DOI: https://doi.org/10.3390/fi13050111

2021-04-28

Future Internet

Abstract:Software-defined Networking (SDN) has recently developed and been put forward as a promising and encouraging solution for future internet architecture. Managed, the centralized and controlled network has become more flexible and visible using SDN. On the other hand, these advantages bring us a more vulnerable environment and dangerous threats, causing network breakdowns, systems paralysis, online banking frauds and robberies. These issues have a significantly destructive impact on organizations, companies or even economies. Accuracy, high performance and real-time systems are essential to achieve this goal successfully. Extending intelligent machine learning algorithms in a network intrusion detection system (NIDS) through a software-defined network (SDN) has attracted considerable attention in the last decade. Big data availability, the diversity of data analysis techniques, and the massive improvement in the machine learning algorithms enable the building of an effective, reliable and dependable system for detecting different types of attacks that frequently target networks. This study demonstrates the use of machine learning algorithms for traffic monitoring to detect malicious behavior in the network as part of NIDS in the SDN controller. Different classical and advanced tree-based machine learning techniques, Decision Tree, Random Forest and XGBoost are chosen to demonstrate attack detection. The NSL-KDD dataset is used for training and testing the proposed methods; it is considered a benchmarking dataset for several state-of-the-art approaches in NIDS. Several advanced preprocessing techniques are performed on the dataset in order to extract the best form of the data, which produces outstanding results compared to other systems. Using just five out of 41 features of NSL-KDD, a multi-class classification task is conducted by detecting whether there is an attack and classifying the type of attack (DDoS, PROBE, R2L, and U2R), accomplishing an accuracy of 95.95%.

Chenxi Li,Jia Li,Jiahai Yang,Jinlei Lin

DOI: https://doi.org/10.1016/j.cose.2021.102271

2021-07-01

Abstract:<p>Compared with traditional Intrusion Detection System (IDS) solutions, deploying IDS in Network Function Virtualization (NFV) environment can have better scalability and flexibility. Existing research works in this area do not consider many IDS features to design IDS-specific workload scheduling approaches. Thus, there is space further to promote the performance of IDS deployment in the NFV scenario. In this paper, we find some critical IDS features by analyzing packet processing procedures, software implementation, and rulesets of typical IDS. Combining these features with the flexibility of NFV, we propose a novel workload scheduling framework for IDS deployment in the NFV scenario. Our framework contains two parts: 1) a novel protocol &amp; destination port based traffic migration strategy which can promote the detection performance and reduce the memory usage compared with the traditional 5-tuple hash based strategy; 2) an auto-configuration algorithm to find a better-than-default configuration for each Virtual Network Function (VNF) instance. We evaluate our framework with real network traffic and benchmark traffic datasets for IDS. Experimental results show that our framework can always have better detection performance and lower memory usage than the 5-tuple hash based migration strategy and the default configuration.</p>

computer science, information systems

Fengkai Luan,Jiaxing Yang,Hu Zhang,Zhongyu Zhao,Liping Yuan

DOI: https://doi.org/10.1109/jsen.2022.3216376

IF: 4.3

2022-01-01

IEEE Sensors Journal

Abstract:This work is aimed at smart sensors in the context of the boom in intelligent manufacturing under artificial intelligence (AI). First, an intelligent industrial system is innovatively constructed based on AI and Digital Twins technology. Its sensors use self-powered sensors based on solar energy. Secondly, layered architecture and four modules of the balancing system are built based on the Software Defined Network with programmability and flexibility, and a controller load balancing strategy is proposed based on the layered architecture. Besides, the link load balancing algorithm is optimized based on Dijkstra’s algorithm (This algorithm is the leading AI algorithm used here). Finally, simulation experiments are carried out on different controllers and algorithms. The results show that the AI system has a high control accuracy. Controller 5 experiences a surge in load at 45s, exceeding the load threshold. Controllers 1 and 5 are selected for load balancing. Migration can be done quickly when load balancing is completed within 5 seconds. Control Transfer Load Balance has the longest response time when the load value reaches 20% to 70%. The load policy has the shortest response time, indicating the best effect. In addition, the load balancing algorithm proposed here fully considers the link conditions in the link load comparison and achieves an excellent effect. The load rate increase affects the network delay’s continuous increase. Moreover, the highest network delay of the algorithm reported here is 0.25ms; that of the Yen algorithm is 0.31ms; that of Dijkstra’s algorithm is 0.43ms, which is 83.3% lower than that of the unoptimized algorithm. In the 10%~100% load rate range, the packet loss rate of the proposed algorithm is lower than that of the other two algorithms. Load balancing strategies outperform other standard algorithms in terms of network performance. This study provides some reference for the development of self-powered sensors in the field of industrial manufacturing.

engineering, electrical & electronic,instruments & instrumentation,physics, applied

Zhichun Li,Yan Chen,Aaron Beach

DOI: https://doi.org/10.1145/1162666.1162669

2006-01-01

Abstract:Traffic anomalies and distributed attacks are commonplace in today's networks. Single point detection is often insufficient to determine the causes, patterns and prevalence of such events. Most existing distributed intrusion detection systems (DIDS) rely on centralized fusion, or distributed fusion with unscalable communication mechanisms. In this paper, we propose to build a DIDS based on the emerging decentralized location and routing infrastructure: distributed hash table (DHT). We embed the intrusion symptoms into the DHT dimensions so that alarms related to the same intrusion (thus with similar symptoms) will be routed to the same sensor fusion center (SFC) while evenly distributing unrelated alarms to different SFCs. This is achieved through careful routing key design based on: 1) analysis of essential characteristics of four common types of intrusions: DoS attacks, port scanning, virus/worm infection and botnets; and 2) distribution and stability analysis of the popular port numbers and those of the popular source IP subnets in scans. We further propose several schemes to distribute the alarms more evenly across the SFCs, and improve the resiliency against the failures or attacks. Evaluation based on one month of DShield firewall logs (600 million scan records) collected from over 2200 worldwide providers show that the resulting system, termed Cyber Disease DHT (CDDHT), can effectively fuse related alarms while distributing unrelated ones evenly among the SFCs. It significantly outperforms the traditional hierarchical approach when facing large amounts of diverse intrusion alerts.

S. Pavithra,K. Venkata Vikas

DOI: https://doi.org/10.1109/access.2024.3405187

IF: 3.9

2024-05-31

IEEE Access

Abstract:The growth of cyber threats demands a robust and adaptive intrusion detection system (IDS) capable of effectively recognizing malicious activities from network traffic. However, the existing imbalance of class in network data possesses a significant challenge to traditional IDS. To overcome these challenges, this project proposes a novel hybrid Intrusion Detection System using machine learning algorithms, which includes XGBoost, Long Short-Term Memory (LSTM), Mini-VGGNet, and AlexNet, which is used to handle the unbalanced network traffic data. Furthermore, the Random Forest Regressor is used to ascertain the importance of features for enhancing detection accuracy and interpretability. Addressing the inherent class imbalance in network data is crucial for ensuring the IDS's effectiveness. The proposed system employs a combination of oversampling techniques for minority classes and under sampling techniques for majority classes during data preprocessing. This balanced representation of network traffic data helps prevent the IDS from being biased towards the majority class and improves its ability to detect rare or novel intrusions. The utilization of Random Forest Regressor for feature extraction serves a dual purpose. It helps identify the most relevant features within the network traffic data that contribute significantly to detecting intrusions. It enables the system to prioritize and focus on these important features during model training, thereby enhancing detection accuracy while reducing computational complexity. This research contributes to the ongoing efforts to mitigate cyber threats and safeguard critical network infrastructures.

computer science, information systems,telecommunications,engineering, electrical & electronic