Peng Jiang,Hongyi Wu,Cong Wang,Chunsheng Xin

DOI: https://doi.org/10.1109/ICC.2018.8422830

2018-01-01

Abstract:Identity-based attacks such as MAC spoofing are common in wireless networks. The recently developed virtualization technologies bring a new type of MAC spoofing attack, virtual MAC spoofing. This makes it even more challenging to detect such attacks, especially in a tight environment with spatial similarities. In this paper, we design, implement and evaluate a system to effectively detect virtual MAC spoofing attacks via deep learning. A deep convolutional neural network is constructed to extract physical features from CSI obtained from packet transmissions, to detect virtual MAC spoofing attacks. An important merit of the proposed detection system is that this system can distinguish two devices even at the same location, which was not well addressed by previous approaches. Our extensive experimental results demonstrate the effectiveness of the system with an average detection accuracy of 95%, even when devices are co-located.

Zhang Xiantao,Li Qi,Qing Sihan,Zhang Huanguo

DOI: https://doi.org/10.1109/WKDD.2008.135

2008-01-01

Abstract:Intrusion detection system (IDS) has been introduced and broadly applied to prevent unauthorized access to system resource and data for several years. However, many problems are still not well resolved in most of IDS, such as detection evasion, intrusion containment. In order to resolve these problems, we propose a novel flexible architecture VNIDA which is based on virtual machine monitor (VMM) and has no-intrusive behavior to target system after studying popular IDS architectures. In this architecture, a separate intrusion detection domain (IDD) is added to provide intrusion detection services for all virtual machines. Specially, an IDD helper is introduced to take response to the intrusions according to the security policies. Moreover, event sensors and IDS stub, as the core components of IDS, are separately isolated from target systems, so strong reliability is also achieved in this architecture. To show the feasibility of the VNIDA, we implement a prototype based on the proposed architecture. Based on the prototype, we employed some rootkits to evaluate our VNIDA, and the results shows that VNIDA has the ability to detect them efficiently, even some potential intrusions. In addition, system performance evaluation also shows that VNIDA only introduce less than 1.25% extra overhead.

Hassan Hadi Al-Maksousy,Michele C. Weigle,Cong Wang

DOI: https://doi.org/10.1109/ths.2018.8574174

2018-01-01

Abstract:Malware detection is an important problem. We propose an efficient real-time system to detect and classify malware based on network behavior using deep neural networks. We show that the splitting of the system into two neural networks, detection and analysis, is the key to increasing accuracy. Therefore, this approach allows for the construction of a real-time monitoring system with very low CPU usage. Finally, we provide a comparison analysis of four machine learning classifiers for this task.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Na Xing,Shuai Zhao,Yuehai Wang,Keqing Ning,Xiufeng Liu

DOI: https://doi.org/10.14569/ijacsa.2023.0140743

2023-01-01

Abstract:recent years, deep learning-based network intrusion detection systems (IDS) have shown impressive results in detecting attacks. However, most existing IDS can only recognize known attacks that were included in their training data. When faced with unknown attacks, these systems are often unable to take appropriate actions and incorrectly classify them into known categories, leading to reduced detection performance. Furthermore, as the number and types of network attacks continue to increase, it becomes challenging for these IDS to update their model parameters promptly and adapt to new attack scenarios. To address these issues, this paper introduces a dynamic intrusion detection system, Dynamic Unknown Attack Intrusion Detection System (DUA-IDS). This system aims to learn and detect unknown attacks effectively. DUA-IDS comprises three components: Feature Extractor: This component employs CNN and Transformer models to extract data features from various perspectives. Threshold-Based Classifier: The second part utilizes the nearest mean rule of samples to classify known and unknown attacks, enabling the distinction between them. Dynamic Learning Module: The third part incorporates data playback and knowledge distillation techniques to retain existing category knowledge while continuously learning new attack categories. To assess the effectiveness of DUA-IDS, this paper conducted experiments using the UNSW-NB15 public dataset. The experimental results show that DUA-IDS improves the classification accuracy of flow network data with unknown traffic attacks. Can accurately distinguish unknown traffic and correctly classify known traffic. When dynamically learning unknown traffic, the classification accuracy of previously learned known traffic is less affected. This indicates the advantages of DUA-IDS in detecting unknown attacks and learning new attack categories.

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

lei xue,yangyang liu,tianqi li,kaifa zhao,jianfeng li,le yu,xiapu luo,yajin zhou,guofei gu

2022-01-01

Abstract:Modern vehicles are equipped with many ECUs (Electronic Control Unit) that are connected to the IVN (In-Vehicle Network) for controlling the vehicles. Meanwhile, various interfaces of vehicles, such as OBD-II port, T-Box, sensors, and telematics, implement the interaction between the IVN and external environment. Although rich value-added functionalities can be provided through these interfaces, such as diagnostics and OTA (Over The Air) updates, the adversary may also inject malicious data into IVN, thus causing severe safety issues. Even worse, existing defense approaches mainly focus on detecting the injection attacks launched from IVN, such as malicious/compromised ECUs, by analyzing CAN frames, and cannot defend against the higher layer MIAs (Message Injection Attacks) that can cause abnormal vehicle dynamics. In this paper, we propose a new state-aware abnormal message injection attack defense approach, named SAID. It detects the abnormal data to be injected into IVN by considering the data semantics and the vehicle dynamics and prevents the MIAs launched from devices connected to the vehicles, such as the compromised diagnostic tools and T-boxes. We develop a prototype of SAID for defending against MIAs and evaluate it using both real road data and simulation data. The experimental results show that SAID can defend against more than 99% of the network and service layer attack traffic and all state layer MIAs, effectively enforcing the safety of vehicles.

YANG Feng,JIANG Hui,ZHUGE Jian-wei,DUAN Hai-xin

DOI: https://doi.org/10.3969/j.issn.1000-1220.2012.08.040

2012-01-01

Abstract:Due to the advantages of resources utilization,management and isolation,Virtualization Technology has been widely used in the areas of virtual server,malware analysis and cloud computing platform.The malicious code writers and security researchers start a new game in Virtualization Technology,and how to detect the presence of virtual environments becomes a hot research topic.This paper,introduces the significance of Virtual Machine Environment(VME) Detection Methods,uses examples to describe the principles and methods of local and remote VME detection,makes a summary of VME Detection Methods,indicates the direction of Virtualization transparency,analyses and discusses the future trend.

Youhui Zhang,Yu Gu,Hongyi Wang,Dongsheng Wang

DOI: https://doi.org/10.1109/sbac-pad.2006.32

2006-01-01

Abstract:In this paper we present a storage-based intrusion detection system (IDS) that makes use of advantages of virtual machine (VM) and smart disk technologies. The virtual machine monitor (VMM) can prevent the IDS itself from potential attacks while the smart disk technology provides IDS with a whole view of the file system of the monitored VM. We show how to use a tool and some file system knowledge to enable the virtual disk to maintain a sector-to-file mapping table (called file-aware block level storage) as well as how to detect the changes to file content on-line. Based on these features, normal file-level intrusion detection (ID) rules can be converted to sector-level ones in order to integrate ID functions to the virtual storage. We implement such a prototype based on QEMU VMM and the OS of VM is Windows XP. Moreover the time overhead introduced by this solution is tested

Shaoqiang Wang,Baosen Zheng,Zhaoyuan Liu,Ziyao Fan,Yubao Liu,Yinfei Dai

DOI: https://doi.org/10.1109/access.2024.3445498

IF: 3.9

2024-01-01

IEEE Access

Abstract:As the connectivity between Electronic Control Units (ECUs) and the external environment intensifies, the security and safeguarding of In-Vehicle Networks (IVNs) have become pressing issues. The Controller Area Network (CAN) bus, the most commonly employed vehicular network protocol, is particularly vulnerable due to its inherent lack of security measures, making it susceptible to various attacks. In this paper, we introduce a novel intrusion detection model for CAN networks, named IVN-ViT. The proposed IVN-ViT model utilizes an enhanced Vision Transformer architecture (Edge-ViT), incorporating self-supervised learning with Cutout data augmentation, Particle Swarm Optimization (PSO) for feature selection, and a fine-tuning strategy that merges Parameter Instance Discrimination (PID) with supervised loss. This not only enhances the model’s convergence speed and predictive accuracy but also meets the lightweight requirements of CAN networks. Experimental results on the "HCRL-car hacking" dataset and the "X-CANIDS" dataset demonstrate that our model achieves over 99% accuracy across all types of attacks. In a simulated vehicular environment, the detection latency for each message averages approximately 1.04ms, fully meeting the first-time requirements of CAN networks. The experiments validate that our proposed method significantly improves model accuracy while ensuring efficient operation within the limited computational resources available in vehicle systems.

Siqin Zhao,Kang Chen,Weimin Zheng

DOI: https://doi.org/10.1109/ChinaGrid.2009.45

2009-01-01

Abstract:It is very important to protect critical resources such as private data and code in computer systems. It is promising to protect private data and to improve the system security by leveraging the isolation attribute of virtual machine(VM). The isolation attribute of VM is provided by Virtual Machine Monitor (VMM) that runs in higher priority than guest OSes. If the critical components are isolated in VMs,access control can be enforced or attestation can be made when the subject is accessing via VMs. In this way, VMs can improve the security level of critical components such as OS, kernel, data, and applications. For computer system security, VMs can be used to detect malware intrusions and to protect critical components, which can be implemented by integrating detection or protection mechanism in either VMM or VMs. Authentication is required to create trustful VMs. This paper surveys technologies related of using virtual machines to enhance system security.

Mohammad Hashem Haghighat,Jun Li

DOI: https://doi.org/10.26599/tst.2020.9010022

2021-01-01

Abstract:Several security solutions have been proposed to detect network abnormal behavior.However,successful attacks is still a big concern in computer society.Lots of security breaches,like Distributed Denial of Service(DDoS),botnets,spam,phishing,and so on,are reported every day,while the number of attacks are still increasing.In this paper,a novel voting-based deep learning framework,called VNN,is proposed to take the advantage of any kinds of deep learning structures.Considering several models created by different aspects of data and various deep learning structures,VNN provides the ability to aggregate the best models in order to create more accurate and robust results.Therefore,VNN helps the security specialists to detect more complicated attacks.Experimental results over KDDCUP'99 and CTU-13,as two well known and more widely employed datasets in computer network area,revealed the voting procedure was highly effective to increase the system performance,where the false alarms were reduced up to 75％in comparison with the original deep learning models,including Deep Neural Network(DNN),Convolutional Neural Network(CNN),Long Short-Term Memory(LSTM),and Gated Recurrent Unit(GRU).

Vladimir Ciric,Marija Milosevic,Danijel Sokolovic,Ivan Milentijevic

DOI: https://doi.org/10.1016/j.simpat.2024.102916

IF: 4.199

2024-02-01

Simulation Modelling Practice and Theory

Abstract:In an increasingly digitalized world, cybersecurity has emerged as a critical component of safeguarding sensitive information and infrastructure from malicious threats. The threat actors are often in line or even one step ahead of the defense, causing the increasing reliance of security teams on artificial intelligence while trying to detect zero-day attacks. However, most of the cybersecurity solutions based on artificial intelligence that can be found in the literature are trained and tested on reference datasets that are at least five or more years old, which gives a vague insight into their security performances. Moreover, they often tend to be designed as isolated, self-focused components. The aim of this paper is to design and implement a modular network intrusion detection architecture capable of simulating cyberattacks based on real-world scenarios while evaluating its defense capabilities. The architecture is designed as a full pipeline from real-time network data collection and transformation to threat-information presentation and visualization, with a pre-trained artificial intelligence module at its core. Well-known components like CICFlowMeter, Prometheus, and Grafana are used and modified to fit our data preparation and core modules to form the proposed architecture for real-world network traffic security monitoring. For the sake of cyberattack simulation, the proposed architecture is situated within a virtual environment, surrounded by the Kali Linux-based penetration simulation agent on one side and a vulnerable agent on the other. The intrusion detection artificial intelligence module is trained on the CICIDS-2017 dataset, and it is demonstrated using the proposed architecture that, despite being trained on an outdated dataset, the trained module is still effective in detecting sophisticated modern attacks. Two case studies are given to illustrate how modular architectures and virtual environments can be valuable tools to assess the security properties of artificial intelligence-based solutions through simulation in real-world scenarios.

computer science, interdisciplinary applications, software engineering

J Manikandan,U. Srilakshmi

DOI: https://doi.org/10.5750/ijme.v1i1.1393

2024-07-27

Abstract:Virtualization is a critical technology that enables users to leverage the vast resources available within datacenters. Despite its numerous benefits, such as on-demand scalability, continuous availability, and cost efficiency, virtualization is susceptible to various security challenges, including intrusion, data compromise, and session hijacking. To address these threats, this study presents an innovative approach based on deep learning for detecting attacks and proactively isolating virtual machines (VMs) to mitigate their impact. The event sequences of VMs are transformed into event images using advanced techniques Integrated Gramian Markov Plot (IGMP). The proposed IGMP model comprises of the Gramian model with Markov estimate. The model uses the recurrence plot for the estimation of the IGMP in the virtualization process with the computation of data centers. Additionally, to improve the security IGMP model uses the aggregation signature generation model for the security features in the Virtual Machines. The proposed IGMP model uses the Deep learning models are then employed to extract meaningful features from these event images, which are subsequently classified into specific attack classes. Once an attack is predicted within the physical machine, the suspected VMs are immediately isolated to prevent further damage. Experimental results demonstrated that the high efficacy of the IGMP method, achieving an impressive attack prediction accuracy of 96%, surpassing existing approaches by at least 2%.

engineering, marine

Hwan-Seok Yang

DOI: https://doi.org/10.1007/s11042-013-1487-8

IF: 2.577

2013-05-01

Multimedia Tools and Applications

Abstract:Internet is used in all sectors of society by rapid changes in computing technology and expanded internet prevalence. But due to opposite effect of this, malicious code and damage of hacking is growing rapidly and the technique is becoming various. Attacker’s attack patterns and information should be collected in order to reduce the damage and cope more aggressively to attack. In this paper, we propose a system which build honeypot farm using created virtual machine dynamically by utilizing honeypot to collect attack information and virtualization technology. The created virtual machines are managed by VMSC and protocol-based intrusion detection system which shows stable performance in mass traffic to attacker’s intrusion detection is applied. Measurement of attack attempt and attack detection rate was measured to confirm the performance of the proposed system in this paper and the result of good performance through experiment was confirmed.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

. C. Ioannou,V. Vassiliou,S. M. Kasongo,Y. Sun,Y. Xiao,C. Xing,T. Zhang,Aman deep Kaur,Prakash Rao Ragiri,H. Alipour,Y. B. Al-Nashif,P. Satam

2020-01-01

Abstract:The threat of cyber intrusion is progressively high and harmful. Intrusion Detection Systems (IDS) provides the ability to identify security breaches in a system. A security breach will be taking any action based on the owner of the system believes unauthorized. Attacks in Wireless Networks (WNs) aim in limiting or even eliminating the ability of the network to perform its expected function. WNs are networks with limited resources and often deployed in uncontrollable environments that an intruder can easily access. WN attacks target specific network layer’s vulnerabilities but normally affect other layers as well. Network layer should be monitored and evaluated in order to detect possible malicious intervention. In this research, a general methodology of an anomaly-based Intrusion Detection System is proposed and evaluated the proposed system using routing layer attacks in Ad-hoc Distance Vector Routing (AODV) protocol and IDS is able to detect malicious activity and our solution delivered the packets to the receiver in a new route without discarding.

Chenxi Li,Jia Li,Jiahai Yang,Jinlei Lin

DOI: https://doi.org/10.1016/j.cose.2021.102271

2021-07-01

Abstract:<p>Compared with traditional Intrusion Detection System (IDS) solutions, deploying IDS in Network Function Virtualization (NFV) environment can have better scalability and flexibility. Existing research works in this area do not consider many IDS features to design IDS-specific workload scheduling approaches. Thus, there is space further to promote the performance of IDS deployment in the NFV scenario. In this paper, we find some critical IDS features by analyzing packet processing procedures, software implementation, and rulesets of typical IDS. Combining these features with the flexibility of NFV, we propose a novel workload scheduling framework for IDS deployment in the NFV scenario. Our framework contains two parts: 1) a novel protocol &amp; destination port based traffic migration strategy which can promote the detection performance and reduce the memory usage compared with the traditional 5-tuple hash based strategy; 2) an auto-configuration algorithm to find a better-than-default configuration for each Virtual Network Function (VNF) instance. We evaluate our framework with real network traffic and benchmark traffic datasets for IDS. Experimental results show that our framework can always have better detection performance and lower memory usage than the 5-tuple hash based migration strategy and the default configuration.</p>

computer science, information systems

Yuwei Yao

DOI: https://doi.org/10.1109/iciscae52414.2021.9590714

2021-09-24

Abstract:The computer database that handles big data efficiently has created convenience for modern society, but it has gradually exposed more potential safety hazards in the application process. Computer databases storing massive data are prone to information loss, content tampering and other problems in the face of various attacks. With the development of the Internet and the continuous breakthrough of network technology, there are more and more hidden dangers that undermine network security, and the level and scope of damage are also increasing. This paper mainly describes the related concepts of intrusion detection technology, and puts forward the effective implementation of computer database intrusion detection technology based on virtualization technology, as well as the related strategies of fully optimizing computer database intrusion detection technology, so that the computer database can be effectively protected. Diversified intrusion detection system technology is widely used, which can not only ensure the safe and normal operation of database system, but also prevent the loss of important information and the destruction of structural integrity.

陈丽丽,李卫,管晓宏,祝春华

DOI: https://doi.org/10.3969/j.issn.1000-7180.2004.06.035

2004-01-01

Abstract:NIDS (Network Intrusion Detection System) as an important security protection tool has become a hotspot for research. We introduce the basic concept of IDS and its primary components and common classification first, then we present the framework of a net-based IDS and its implementation in detail. We put forward our views about the current research of IDS and its prospect last.

Li Lin,Huanzeng Yang,Jing Zhan,Xuhui Lv

DOI: https://doi.org/10.1155/2022/1242576

IF: 1.968

2022-04-16

Security and Communication Networks

Abstract:Edge-assisted Internet of things applications often need to use cloud virtual network services to transmit data. However, the internal threats such as illegal management and configuration to cloud platform intentionally or unintentionally will lead to virtual network security problems such as malicious changes of user network and hijacked data flow. It will eventually affect edge-assisted Internet of things applications. We propose a virtual network internal threat detection method called VNGuarder in a cloud computing environment, which can effectively monitor whether the virtual network configuration of legitimate users under the IaaS cloud platform has been maliciously changed or destroyed by insiders. First, based on the life cycle of cloud virtual network services, we summarized two types of internal attacks involving illegal use of virtualization management tools and illegal invocation of virtual network-related processes. Second, based on normal behavior of tenants, a hierarchical trusted call correlation scheme is proposed to provide a basis for discovering that insiders illegally call virtualized management tools and virtual network-related processes on the controller node of the cloud platform or the network node and compute node. Third, a trace-enable mechanism combining real-time monitoring and log analysis is introduced. By collecting and recording the complete call process of virtual network management and configuration in the cloud platform, and comparing it with the result of the hierarchical trusted call correlation, abnormal operations can be reported to the tenants in time. Comprehensive simulation experiments on the Openstack platform show that VNGuarder can effectively detect illegal management and configuration of virtual networks by insiders without significantly affecting the creation time of tenant networks and the utilization of CPU and memory.

computer science, information systems,telecommunications