Xifeng AN,Weihua LI,Zun LIU

DOI: https://doi.org/10.3321/j.issn:0253-987X.2008.12.013

2008-01-01

Abstract:A novel network security cooperative defense technology is studied and a cooperative control framework based on agent mechanism is proposed to solve the lack of cooperative control and whole effect in traditional defense systems. The technology supports both IPv4 and IPv6 protocols and security modules in the framework are associated with each other to accomplish communication and work together. Furthermore, a network security cooperative defense system is composed and the key functions that support the early-alert, audit, accident recovery, network camouflage and so on are also achieved. The pivotal research is emphasized on the key technologies of system call sequences audit model based on machine learning and cooperative accident recovery. Under the condition of 100 M Data flow speed, the NSCDS software's false negative is less than 6% and its false positive is less than 8%. Besides, all module functions work normally and the system can be used to carry out cooperative defense capability.

Ye Guo,Miaoliang Zhu

DOI: https://doi.org/10.1109/IMSCCS.2006.178

2006-01-01

Abstract:Considering the shortcomings of the current worm Defense system, an agent-oriented worm Defense system, AOSWD, is proposed in this paper. In the hierarchical framework of AOSWD, the agents are independent but can roam in the network freely and collaborate with each other to defend against Internet worms. In this paper, we discuss the system architecture and the realization details, propose the key technique for the system and analyze the system performance.

WANG Xiaodong,ZHU Miaoliang

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.07.055

2005-01-01

Abstract:This paper puts forward an intellective network safe guard system based on a multi-agent system structure. The purpose of the system is to defend the intrusion of campus-wide network. It is based on IDXP and the focus is blackboard. This system can deal with multi-levels and many ways of anti-intrusions, which has self-determination. It is proved to have a good performance by spot tests.

GUO Ye,ZHU Miao-liang

2006-01-01

Journal of Computer Applications

Abstract:Current situation of the traditional security defense system was briefly introduced. Considering the shortcomings of the current worm defense system and advantages of Agents, an Agent-oriented worm defense system named AOSWD was proposed, which can defend against Internet worms quickly and effectively.The architecture and the key technology of the system were discussed. Experimental results prove the effectiveness of AOSWD.

Chen Junhua

DOI: https://doi.org/10.1109/IMCCC.2013.79

2013-09-21

Abstract:To solve the lack of collaborative control and whole effect of security modules in the traditional early-warning systems, a novel network security collaborative early-warning technology is studied and a collaborative control framework and early-alert info quick-publish mechanism is proposed. This framework was based on multi-agent, which can make secure modules in the framework be associated with each other to accomplish to communication and work together. Furthermore, two corresponding multicast trees of early-alert information publish are established based on two multi-agent network typology structures: the bottom random overlay network and top hypercube structured overlay network. Simulation results show that this network security collaborative early-warning can make all module functions work normally and reduce this info load and publish time, furthermore, improve the network security system's collaborative defense capability well.

Computer Science

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

YU Zhong,YU Hui,LI Wei-hua

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.06.035

2007-01-01

Abstract:Through analyzing and studying the characteristics of large-scale network intrusion detection,a system structure which based on multi-agents alliance was proposed.In which,we use the plan knowledge chart to describe the intruder's attack attention,and through analyzing its strategy,proposed a method of work division and coordination amongst the multi-agents alliance.

Jianxiao Liu,Lijuan Li

DOI: https://doi.org/10.1109/paciia.2008.143

2008-01-01

Abstract:Due to the rapid growth of the network application, new kinds of network attacks are emerging endlessly. So it is critical to protect the networks from attackers and the intrusion detection technology becomes popular. On the basis of analyzing the defect of a kind of modern distributed intrusion detection system, this article proposes a distributed intrusion detection system model based on agents. This system adopts the way which combines static agent and mobile agent, Host-based Intrusion Detection System (IDS) and Network-based Intrusion Detection System. The function of each module in the system is described in detail. The system uses mobile agent for decentralized data collection, data analysis and response, and has certain dynamic learning capability. The self-adapt ability of the system is strong and can solve the main problems of the modern system. Finally, the preliminary implementation of the module in this system like agent is given in detail and the system's performance evaluation is presented.

JB Zhang,CB Xiao

DOI: https://doi.org/10.1109/iccnmc.2003.1243068

2003-01-01

Abstract:This paper presents a network early-warning architecture based on intrusion detection using mobile agent. This model can predict potential attacks based on rules among suspicious events, which are produced by basic intrusion detection module. Depending on the current needs of the deduction process, it can dispatch relevant mobile agents to collect further suspicious events. The advantage of this model is that: on the one hand it can lower network traffic and system load because of the use of mobile agent; on the other hand it can reduce the number of false positives, predict potential attacks, and furthermore prepare the response in advance.

张险峰,秦志光,刘锦德

2004-01-01

Abstract:The architecture for distributed early warning of network security is presented in this paper. Related technologies and approaches to realize the architecture are analyzed. In this architecture,the protected network is divided into several security domains. Every domain consists of several sensors agents,an early warning center and else nodes. In every security domain,sensor agents installed on different network segments collect the network data which analyze the network data in real time by building an adaptive abnormal detection model and taking abnormal assessment approach. Early warning centers receive abnormal analysis results from sensor agents,and make data fusion with else security information to generate early warning information. Early warning information is sent to the early warning center of intended security domain. Meanwhile,early warning centers also receive the early warning message (including intrusion message) from else early warning centers. So the architecture is characterized by distributed early warning of network security. By the technology of distributed early warning,security monitor system can adopt some precautionary measures to enhanced network security before the network intrusions happen.

安喜锋,李伟华,刘尊

DOI: https://doi.org/10.16208/j.issn1000-7024.2008.08.070

2008-01-01

Abstract:Based on the research on security events in large-scale network environment,technology and realizable method of early-alert,orientation and rapid isolation control for large-scale networks are studied.By analysing the characteristics of security events,a early-alert model of distributed network security events is built.By monitoring the activities of security events,guard disaster areas is formed.Research on forecast model of trend of overspreading,in order to be rapidly orientated and safely isolated.A prototype has been imple-mented and used to protect distributed network system.The early-alert false negative is less than 5% and its false positive is less than 7% in the speed of 100 M.

Mei-Ling Shyu,Thiago Quirino,Zongxing Xie,Shu-Ching Chen,Liwu Chang

DOI: https://doi.org/10.1145/1278460.1278463

2007-09-01

ACM Transactions on Autonomous and Adaptive Systems

Abstract:Recently, network security has become an extremely vital issue that beckons the development of accurate and efficient solutions capable of effectively defending our network systems and the valuable information journeying through them. In this article, a distributed multiagent intrusion detection system (IDS) architecture is proposed, which attempts to provide an accurate and lightweight solution to network intrusion detection by tackling issues associated with the design of a distributed multiagent system, such as poor system scalability and the requirements of excessive processing power and memory storage. The proposed IDS architecture consists of (i) the Host layer with lightweight host agents that perform anomaly detection in network connections to their respective hosts, and (ii) the Classification layer whose main functions are to perform misuse detection for the host agents, detect distributed attacks, and disseminate network security status information to the whole network. The intrusion detection task is achieved through the employment of the lightweight Adaptive Sub-Eigenspace Modeling (ASEM)-based anomaly and misuse detection schemes. Promising experimental results indicate that ASEM-based schemes outperform the KNN and LOF algorithms, with high detection rates and low false alarm rates in the anomaly detection task, and outperform several well-known supervised classification methods such as C4.5 Decision Tree, SVM, NN, KNN, Logistic, and Decision Table (DT) in the misuse detection task. To assess the performance in a real-world scenario, the Relative Assumption Model, feature extraction techniques, and common network attack generation tools are employed to generate normal and anomalous traffic in a private LAN testbed. Furthermore, the scalability performance of the proposed IDS architecture is investigated through the simulation of the proposed agent communication scheme, and satisfactory linear relationships for both degradation of system response time and agent communication generated network traffic overhead are achieved.

computer science, information systems, artificial intelligence, theory & methods

Bing Yang,Huaping Hu,Xiangwen Duan,Shiyao Jin

DOI: https://doi.org/10.1007/978-3-540-76969-9_9

2007-01-01

Abstract:Over the past decades more and more network security devices, such as IDS, Firewall and scanner, are distributed in the network. So superfluous alerts are generated, and do not have unified format. How to organize and utilize those alerts to enhance network security becomes a hot topic of research. Network-warning system, which can correlate alerts and predict future attacks, appears as one promising solution for the problem. In this paper, an intelligent strong-survivability network-warning model is introduced, which consists of a lot of intelligent agents. And a prototype is implemented based on the model. We propose a self-adaptive data-processing algorithm for classifying and reducing alerts automatically, and design a strong-survivability structure. The intelligence of self-adaptive algorithm depends on machine learning. In the prototype we adopt three methods (C5.0, Neural Net and CART) to construct the self-adaptive algorithm, and choose the best method fitting the algorithm, which is CART. The prototype can not only reduce and classify the original alert data from different network security devices, but also correlate alerts and generate intrusion scenario graphs. The equality of all agents makes the model strong-survivable. Furthermore, the model can predict potential attacks based on scenario graphs and track the attack sources(1).

Y Du,Hq Wang,Yg Pang

DOI: https://doi.org/10.1007/978-3-540-30214-8_35

2004-01-01

Abstract:With the ever increasing sophistication of attacking techniques, intrusion detection has been a very active field of research. We are designing and implementing a prototype intrusion detection system (IADIDF) that is composed of distributed agents. This paper describes the function of entities, defines the communication and alert mechanism. There are three main agents include Detectors, Managers and Communicators. Each agent operates cooperatively yet independently of the others, providing for efficiency alerts and distribution of resources. Communication mechanism is composed of three layers, which are Transport, Hosts and MessageContent layers. All entities of the prototype are developed in C program under Linux platform. Then, we analyze system performance, advantages of the prototype, and come to a conclusion that the operating of agents will not impact system heavily.

NIU Yi,ZHENG Qi-lun,PENG Hong

DOI: https://doi.org/10.3969/j.issn.1674-1404.2007.04.019

2007-01-01

Abstract:Traditional network protection is static methods such as firewall,IDS etc.,which could not response in time or showed more probability in misdetection and false detection.A security operation center(SOC) model based on multi-agents was presented.Some concept including sensor-agent,message-agent,analyze-agent,alarm-agent and manage-agent was defined.A SOC system based on multi-agents was proposed,which can response in time and decrease greatly the wrong detection and the rate of false.

闫怀志,胡昌振,谭惠民

DOI: https://doi.org/10.3969/j.issn.1000-3428.2003.10.015

2003-01-01

Abstract:The concept of network distributed dynamic defence architecture(DDDA)is presented from the system science point of view. The design principle and method based on system engineering and agent-oriented programming for DDDA are studied and a prototype of DDDA is developed . The function of such models as data acquirment, information processing, decision-making and response agents and their dynamic cooperative relationship are discussed in detail. Owing to its essential intelligence, dynamic characteristics, DDDA can detect and prevent many types of intrusions and realize distributed, dynamic defence effectively. Key words Dynamic defence;Distributed agent;Network security architecture;Agent-oriented

Wei-Fa Liao,Hung-Min Sun,Wei Wu

DOI: https://doi.org/10.1109/dasc-picom-datacom-cyberscitec.2016.159

2016-01-01

Abstract:In recent years, Cloud computing has become increasingly popular. Many companies have replaced traditional hosting to cloud hosting. Cloud providers are responsible for tenant isolation, if a tenant (virtual machine) is infected, other tenants will be affected. Because the virtual network environment is very complex, the traditional intrusion detection systems can only detect attacks from external networks, but can not effectively detect the internal traffic (virtual network). In order to full defend from a threat, we need to redesign the architecture of the intrusion detection system. In this thesis, we propose a flexible distributed architecture for intrusion detection, and uses software-defined networking technology for defensive purposes. In addition, our system collects alerts from different nodes, and analyzes their correlation to generate security rules to achieve the effect of a joint defense. To make the administrator more effective in management purposes, we also provide a web-based management center to reduce the burden on administrators. Finally, we analyze the performance of the proposed system with an original system. The results show that our system adds slightly overhead, and it can effectively block the malicious flow.

Shuying Zhang,Shufen Liu

2006-01-01

Abstract:Network warning is summarized on research situation in the world firstly.Then,the designed project of the multilayer distributing intrusion detection warning system based on Mobile Agent is proposed.Moreover,the correlative technologys and methods have been researched in the paper.It could not only resolve the problems of overload of transmission and bottleneck of the transact speed of the traditional intrusion detection system in the large scale network,but also could prevent the attacks to network warning system.

Jun Liu,Zhe Li,Qiang Mi

DOI: https://doi.org/10.3321/j.issn:1002-0470.2007.11.002

2007-01-01

Abstract:On the basis of analyzing of the technical requirements of an intrusion detection system for Ad Hoc networks, a mobile agent based cross-layer intrusion detection system is proposed. In the system, detecting nodes monitor their neighbors' communicating behavior on network layer as well as MAC layer. Multi-layer information monitored locally, as an important resource of audit data, enables local intrusion detection to collect enough intrusion evidences in the early period of attack. If local information is insufficient to evaluate the state, mobile agent technology is adopted. This collaborating detection can save network resources and avoid the restriction of desired nodes density in united detection, and thus reduces the miscarriage of justice rate, increases the detecting efficiency and provides the system with distributed property, flexibility and adaptability. The performances of the system were simulated with NS-2 (Network Simulations) software. The simulation results indicate it can safeguard the network under attack and maintain the network performance.

Ji Zheng,Xin Wang,Xiangyang Xue,C. K. Toh

DOI: https://doi.org/10.1109/cit.2005.18

2005-01-01

Abstract:A general or agent-based security system is usually constructed hierarchically and has a central manager acting as head of the whole system. However, the manager becomes a bottleneck for being connected by each client. It can even overload when too many clients request service simultaneously. The whole system may collapse when the central manager is attacked. And these systems are passive to detect and deal with the secure problem. Hereby we present a mobile agent-based P2P Autonomous Security Hole Discovery system (PASHD). It can detect infection and network intrusion based on knowledge of the local host. Viruses will be removed and connection will be refused after identification. In case of a suspicious activity, PASHD initiates a voting approach to make a collective decision and take further action. This system acts self-learning when encountering intrusion or infection with new patterns. And it has the capability of autonomous discovery the security hole of hosts in network. The integration of peer-to-peer behavior with mobile agents reduces latency and load; however, flexibility, effectivity, security and cooperation of the system are enhanced.