WU Qing-tao,WANG Qi-jing,ZHENG Rui-juan

DOI: https://doi.org/10.3969/j.issn.1000-3428.2011.08.043

2011-01-01

Abstract:It is difficult to detect the intention of an intruder,identify semantics of attacks and predict further attacks effectively using intrusion detection methods in the construction of high-level attack scenario and disposal of sophisticated attack.Aiming at the uncertain question in the attack process,this paper presents an intrusion intention recognition method based on Dynamic Bayesian Networks(DBN).Directed Acyclic Graph(GAG) is used to express the connection between attack behavior,attack plan and objectives,and the probabilistic reasoning method is used to predict next attack.Experiments reflect the change law of intrusion intention in the attack process,and proves the feasibility and validity.

Na Xing,Shuai Zhao,Yuehai Wang,Keqing Ning,Xiufeng Liu

DOI: https://doi.org/10.14569/ijacsa.2023.0140743

2023-01-01

Abstract:recent years, deep learning-based network intrusion detection systems (IDS) have shown impressive results in detecting attacks. However, most existing IDS can only recognize known attacks that were included in their training data. When faced with unknown attacks, these systems are often unable to take appropriate actions and incorrectly classify them into known categories, leading to reduced detection performance. Furthermore, as the number and types of network attacks continue to increase, it becomes challenging for these IDS to update their model parameters promptly and adapt to new attack scenarios. To address these issues, this paper introduces a dynamic intrusion detection system, Dynamic Unknown Attack Intrusion Detection System (DUA-IDS). This system aims to learn and detect unknown attacks effectively. DUA-IDS comprises three components: Feature Extractor: This component employs CNN and Transformer models to extract data features from various perspectives. Threshold-Based Classifier: The second part utilizes the nearest mean rule of samples to classify known and unknown attacks, enabling the distinction between them. Dynamic Learning Module: The third part incorporates data playback and knowledge distillation techniques to retain existing category knowledge while continuously learning new attack categories. To assess the effectiveness of DUA-IDS, this paper conducted experiments using the UNSW-NB15 public dataset. The experimental results show that DUA-IDS improves the classification accuracy of flow network data with unknown traffic attacks. Can accurately distinguish unknown traffic and correctly classify known traffic. When dynamically learning unknown traffic, the classification accuracy of previously learned known traffic is less affected. This indicates the advantages of DUA-IDS in detecting unknown attacks and learning new attack categories.

Jingsong Zheng,Xiaoguang Gao,Chong Chen

2007-01-01

Abstract:As a capable intelligent inference tool, Discrete Dynamic Bayesian Networks(DDBN) has a strong robustness. It can be used to analyze situation information from remote scouting systems synthetically and consequently improve the intelligent and automatic combating ability of fighting aircrafts. Based on the introduction of DDBN direct inference algorithm, the criterion for element determination is proposed, the DDBN model for Assessment of Situation and Threat(STA) is established in this paper. Simulation results show that the DDBN model can synthesize deterministic and non-deterministic information of different times to assess the battle-field situation effectively.

Li Feng,Wei Wang,Lina Zhu,Yi Zhang

DOI: https://doi.org/10.1016/j.jnca.2008.06.002

IF: 7.574

2009-01-01

Journal of Network and Computer Applications

Abstract:Predicting the intentions of an observed agent and taking corresponding countermeasures is the essential part for the future proactive intrusion detection systems (IDS) as well as intrusion prevention systems (IPS). In this paper, an approach of dynamic Bayesian network with transfer probability estimation was developed to predict whether the goal of system call sequences is normal or not, with early-warnings being launched, so as to ensure that some appropriate countermeasures could be taken in advance. Since complete set of system call state transfer can hardly be built in real environments, the empirical results show that the newly emerging system call transfer would have great impact on the prediction performance if we straightly use dynamic Bayesian network without transfer probability estimation. Therefore, we estimate the probability of new state transfer to predict the goals of system call sequences together with those in conditional probability table (CPT). It surmounts the difficulties of manually selecting compensating parameters with dynamic Bayesian network approach [Feng L, Guan X, Guo S, Gao Y, Liu P. Predicting the intrusion intentions by observing system call sequences. Computers & Security 2004; 23/3: 241-252] and obviously makes our prediction model more applicable. The University of New Mexico (UNM) and KLINNS data sets were analyzed and the experimental results show that it performs very well for predicting the goals of system call sequences with high accuracy and furthermore dispenses with much more manual work for selecting compensating parameters.

Wu Peng,Changzhen Hu,ShuPing Yao

DOI: https://doi.org/10.15918/j.tbit1001-0645.2010.09.026

2010-01-01

Abstract:In order to predict an attacker's high level goals and assess network security situation, an intrusive intention recognition method is presented in this paper. Concept and taxonomy of intrusive intention are introduced at first. Then, to reduce complexity of understanding and analysis, a method of hierarchical attack path graph generation is proposed to recognize intrusive intention. Based on the attack path graph, the algorithms for evaluating quantitatively intention accessibility, reliable probability, attack path prediction and possible minimum attack path are developed. Next, economical and effective protective measures are addressed to block attackers' intention to be achieved, by applying minimum vertex cut set theory to directed graph. Finally several experiments are done to prove the feasibility and validity of this method.

L Feng,XH Guan,SG Guo,Y Gao,PN Liu

DOI: https://doi.org/10.1016/j.cose.2004.01.016

IF: 5.105

2004-01-01

Computers & Security

Abstract:Identifying the intentions or attempts of the monitored agents through observations is very vital in computer network security. In this paper, a plan recognition method for predicting the anomaly events and the intentions of possible intruders to a computer system is developed based on the observation of system call sequences. The probability of the goal state for a system call sequence is defined as the prediction index to determine if the intention is normal. An efficient algorithm based on the dynamic Bayesian network theory with parameter compensation is derived and then applied to update the index recursively. Extensive empirical testing is performed on the data sets published in the literature and those collected in an actual computer system at our lab. The testing results showed that this method can identify the intrusion behaviors from the observed system call sequences with good accuracy.

Yuan Yang,Zhongmin Cai,Weixuan Mao,Zhihai Yang

DOI: https://doi.org/10.1007/978-3-319-20550-2_16

2015-01-01

Abstract:Identifying whether system objects are infected or not on a compromised system is a complex and error-prone task. Most existing solutions follow a traditional causal analysis method which tries to precisely correlate potential infected objects with the entry point of an intrusion, also known as intrusion root, based on dependencies between objects. However, the entanglement of both legitimate, and malicious, actions makes it difficult to pinpoint the intrusion root and establish precise dependencies. In this paper, we propose a novel method to identify intrusion infections with a small number of observed intrusion symptoms and legitimate objects. This method does not require the identification of an accurate intrusion root and precise dependencies. In particular, we propose a new form of dependency network to encode dependencies of information flows and take temporal information into account. It captures potential propagation paths of an intrusion from a system-wide perspective. Then, based on the temporal dependency network, we develop a probabilistic Bayesian network model to characterize uncertainties of propagating infections along the dependency edges. Finally, we employ a probabilistic inference method to identify the intrusion infections with the help of only a few observed intrusion symptoms and legitimate objects. Extensive experimental results in synthetic and real-world scenarios demonstrate that our method is capable of identifying the infected objects even when the intrusion root is undetermined and dependencies are coarse-grained.

Jiang Shan,Chen Changai

DOI: https://doi.org/10.2991/isrme-15.2015.109

2015-01-01

Abstract:The security of software applications, from web-based applications to mobile services, is always at risk because of the open society of internet. With the increase in the number of network throughput and security threats, intrusion detection system has attracted much attention in recent years. In this paper, we undertake the research on the principle techniques for network intrusion detection based on data mining and analysis approach. We adopt the prior knowledge on Bayesian network which is a directed acyclic graph, each node represents a random variable and an edge said direct probabilistic dependencies between two connected nodes. Then, we use the traditional risk assessment model to measure the possibility of being hearted. The numeric analysis and experimental illustration indicates the effectiveness of our method compared with other popular adopted state-of-the-art methodologies. In the future, we plan to introduce the graph and complex network theory into our prototype system to enhance the performance.

Jianguo Ding,Shihao Xu,Bernd Krämer,Yingcai Bai,Hansheng Chen,Jun Zhang

DOI: https://doi.org/10.1007/978-3-540-30566-8_97

2004-01-01

Abstract:The level of seriousness and sophistication of recent cyber-attacks has risen dramatically over the past decade. This brings great challenges for network protection and the automatic security management. Quick and exact localization of intruder by an efficient intrusion detection system (IDS) will be great helpful to network manager. In this paper, Bayesian networks (BNs) are proposed to model the distributed intrusion detection based on the characteristic of intruders' behaviors. An inference strategy based on BNs are developed, which can be used to track the strongest causes (attack source) and trace the strongest dependency routes among the behavior sequences of intruders. This proposed algorithm can be the foundation for further intelligent decision in distributed intrusion detection.

冯力,管晓宏,郭三刚,高艳,刘培妮

DOI: https://doi.org/10.3321/j.issn:0254-4164.2004.08.010

2004-01-01

Chinese Journal of Computers

Abstract:Plan recognition is a prediction theory for identifying and determining the intentions or the attempts of the agents monitored through observation data. In this paper, a plan recognition based method is presented to predict the anomaly events and intensions of potential intruders to a computer system using the system call sequences as observation data. The method is established on a dynamic Bayesian network with parameter compensation and an algorithm is developed to update this network. The experimental results show that this method has a good accuracy in predicting the intrusion intensions from the system call sequences.

Wang Liangmin,Ma Jianfeng

DOI: https://doi.org/10.3969/j.issn.1009-1742.2008.08.015

2008-01-01

Engineering Sciences

Abstract:To solve the open problem of predicting intrusion in Reactive Intrusion Tolerance System,a hybrid Bayesian network method is presented in this paper.Firstly,an intrusion model is presented,which pays its emphasis on the influence of the intrusion upon the system and describes the intrusion as the state transition process of the attackers' capability.The intrusion model is appropriate to trig the reactive intrusion tolerance system.We proposed the constructing algorithm and the proof of its feasibility.Secondly,a hybrid Bayesian network model based on this intrusion model is presented to show the casual relation of the attack behavior and secure state.The model is divided into two layers: attack behavior layer and secure state layer,in which the attack edges and state nodes of intrusion model are used as nodes in behavior layer and state layer respectively.In this hybrid Bayesian network model,the connections of the same layer are continuous,but that of the different layer are converge.The algorithm for computing the joint probability distribution of the hybrid Bayesian network is presented.In the end,the efficiency of the intrusion model and hybrid Bayesian network in predicting intrusion is shown by the experiment with our belief propagation algorithm,and the advantages of this predicting method over the related work are shown by analysis and comparisons.

Jialiang Xie,Honghui Wang,Jonathan M. Garibaldi,Dongrui Wu

DOI: https://doi.org/10.1109/tfuzz.2021.3117441

IF: 12.253

2021-01-01

IEEE Transactions on Fuzzy Systems

Abstract:Network security requires effective detection and proper analysis of abnormal network behavior. To address the uncertainty associated with the process of network intrusion detection, this article proposes a network intrusion-detection algorithm based on dynamic intuitionistic fuzzy sets (IFSs). We use the classic network intrusion datasets KDD 99, NSL-KDD, and the massive, high-dimensional dataset UNSW-NB15 to evaluate the performance of our proposed algorithm. First, we perform data preprocessing on these three datasets and select features based on the results of a chi-square test. Second, using time-series processing, we construct dynamic intuitionistic fuzzy patterns from the feature-selected datasets. At last, we use a proposed distance measure for the dynamic IFSs to generate a classifier that facilitates the detection of network intrusion. Experimental results show that the classification performance of the proposed algorithm is superior to that of other state-of-the-art algorithms on the three aforementioned datasets. The achieved improvement in classification performance is particularly significant for large datasets.

Wu Tao,Wang Chong-Jun,Xie Jun-Yuan

2010-01-01

Abstract:Intrusion detection,as an active measure to assure information security,has been receiving intensive attention and has recently become the focus of the computer security especially the network security research communities.In order to avoid being detected,however,intrusion events have evolved to become intelligent and distributive,making them good at concealing their purposes and so penetrating the intrusion detection system.To deal with this problem,as this paper does,techniques involving artificial intelligence and machine learning are brought in.This paper models intrusion and its detection as two multi-agent systems that have conflict interests,and holds the opinion that to intrude is just to device and execut attacking plans aiming to achieve certain objectives,the key of intrusion detection then is to analyze the observed opopnent's actions perceived as abnormal and reveal their intentions,which is then a classical intention recognition problem.Be is justifiable,we noticed that the traditional KEY-HOLE observing method for intention recognition is not suitable to be used here,because the environment for intrusion detection usually has an attack-defense nature thus is dynamic and can be extremely complex,making it expectable that failures to report intrusions and false reports of intrusions do happen,as a result acquiring a complete and true action sequence of the intruder is impossible.Under this circumstance,to design a strategy so robust that can recognize the intruder's intention using just an action sequence which not only contains only part of the intruder's complete action squence and also unknownly includs some misclassified actions is desperated needed,and this is exactly what this paper may contribute.Further than proposing the two multi-agent systems model,this paper sees the intrusion process as a Partially Observable Markov Decision Process(POMDP),and then estimates the intruder's intention as the output of the process.In this cae intention of the intruder can be recognized through an incomplete and defective action sequence it has just taken.The effectiveness of the proposed method is proved by experiments on data set contributed by DARPA.

Jing Xu,Christian R. Shelton

DOI: https://doi.org/10.1613/jair.3050

2014-01-16

Abstract:Intrusion detection systems (IDSs) fall into two high-level categories: network-based systems (NIDS) that monitor network behaviors, and host-based systems (HIDS) that monitor system calls. In this work, we present a general technique for both systems. We use anomaly detection, which identifies patterns not conforming to a historic norm. In both types of systems, the rates of change vary dramatically over time (due to burstiness) and over components (due to service difference). To efficiently model such systems, we use continuous time Bayesian networks (CTBNs) and avoid specifying a fixed update interval common to discrete-time models. We build generative models from the normal training data, and abnormal behaviors are flagged based on their likelihood under this norm. For NIDS, we construct a hierarchical CTBN model for the network packet traces and use Rao-Blackwellized particle filtering to learn the parameters. We illustrate the power of our method through experiments on detecting real worms and identifying hosts on two publicly available network traces, the MAWI dataset and the LBNL dataset. For HIDS, we develop a novel learning method to deal with the finite resolution of system log file time stamps, without losing the benefits of our continuous time model. We demonstrate the method by detecting intrusions in the DARPA 1998 BSM dataset.

Artificial Intelligence,Cryptography and Security

Hongjie Sun,Binxing Fang,Hongli Zhang

2006-01-01

WSEAS TRANSACTIONS ON INFORMATION SCIENCE AND APPLICATIONS

Abstract:The more and more complicated and advanced network attacks greatly thread the security of network. It is difficult to collect the network internal link character directly, because present networks have evolved into large and complex systems that are decentralized and loosely controlled. Network tomography is a new concept proposed for estimating internal network structure and link-level performance from end-to-end measurements and it gives a new direction to solve intrusion detection problem. In order to detect and locate the source of anomaly and attack in the beginning of their spreading, we abstract the required link-level properties of network performance using end-to-end measurements and propose a new approach using maximum likelihood estimation and neural network for anomaly link detection and location. Maximum likelihood estimation is used to estimate the distribution of link character, a mixing and optimizing neural network solution combining the Back Propagation (BP) Algorithm with the Simulated Annealing (SA) Algorithm is used for link activity profile learning and anomaly link detection. Comparing with single BP algorithm, the value calculation result shows that BP-SA mixing and optimizing solution has a higher speed and higher accuracy. Experiment results indicate the new approach is effective and of a definite practicability. It is a bran-new idea and has a further develop potential for large scale network anomaly detection.

秦华旺,戴跃伟,王执铨

DOI: https://doi.org/10.3969/j.issn.1002-137x.2008.07.022

2008-01-01

Computer Science

Abstract:A kind of intrusion tolerant system based on Bayesian networks is proposed in this paper.The work flow of the system is also given.The process is denoted by process character vector which is classified concretely.The work flow of process is described by Bayesian networks model.The calculative expressions of probability about process type are given,and which are based on the Bayesian networks illation.The danger function used to confirm the degree of danger about process is built.An example is given to explain the course of distinguishing intruded process.

Guang Kou,Shuo Wang,Guangming Tang

DOI: https://doi.org/10.1049/cje.2018.10.007

IF: 1.019

2019-01-01

Chinese Journal of Electronics

Abstract:This paper analyzed the existing network security situation evaluation methods and discovered that they cannot accurately reflect the features of large-scale, synergetic, multi-stage gradually shown by network attack behaviors. For this purpose, the association between attack intention and network configuration information was deep analyzed. Then a network security situation evaluation method based on attack intention recognition was proposed. Unlike traditional method, the evaluation method was based on intruder. This method firstly made causal analysis of attack event and discovered and simplified intrusion path to recognize every attack phases, then realized situation evaluation based on the attack phases. Lastly attack intention was recognized and next attack phase was forecasted based on achieved attack phases, combined with vulnerability and network connectivity. A simulation experiments for the proposed network security situation evaluation model is performed by network examples. The experimental results show that this method is more accurate on reflecting the truth of attack. And the method does not need training on the historical sequence, so the method is more effective on situation forecasting.

engineering, electrical & electronic

Yue Hu,Qing Zhou,Jun Liu

2007-01-01

Abstract:An intrusion detection system based on an improved neural network is proposed in this paper, in which we combine an optimization technique, dynamic tunneling technique (DTT), with an improved NN learning algorithm, RPROP, called RDTA, instead of traditional BP algorithm to train neural network. Additionally, a resilient factor is introduced into RDTA to construct a rapid learning algorithm RRDTA. The trained neural network is applied to detect attacks. KDD99 datasets is used to test the performance of the proposed IDS and the experiments show that RRDTA enhances the training efficiency of NN greatly and this method produces good results on large data sets.

Qunli Xiao,Yuanna Liu,Xinyang Deng,Wen Jiang

DOI: https://doi.org/10.1109/CCDC52312.2021.9602205

2021-01-01

Abstract:The enemy's tactical intention is one of the important basis for the commander's decision. The accuracy and timeliness of the judgment of the enemy's tactical intention will directly affect the correctness and effectiveness of our combat command decisions. In this paper, a robust target intention recognition method based on dynamic bayesian network is proposed. Self-organizing feature maps is introduced to preprocess the track information to estimate the stable heading of the target and various characteristic factors related to the air target combat intention are integrated to construct a dynamic bayesian network model for the recognition of the enemy's target intention. In the simulated air combat scene, the proposed method can effectively realize combat intention recognition.

Yuan Yang,Zhongmin Cai,Chunyan Wang,Junjie Zhang

DOI: https://doi.org/10.1109/tifs.2018.2833048

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:There is an increasing need of assessing and mitigating the effects of successful attacks. Uncovering malicious and contaminated objects in an attacked computing system is referred to as identification of attack ramifications. Previous methods identify the attack ramifications by directly tracking information flows (or dependences) from the intrusion root (i.e., the entry point of an attack). They face challenges such as undetermined intrusion root and dependence explosion. In this paper, we present a novel, light-weight method capable of identifying attack ramifications without the knowledge of intrusion root and less subject to dependency explosion. The method utilizes a probabilistic reasoning approach to fuse evidence derived from a subset of objects whose security states are known. It first splits the lifetime of an object into consecutive time slices (object-slices) to profile how the security state of this object changes over time. Then, a temporal dependence network (TDN) is constructed from system call traces to correlate object-slices according to information flows between them. Based on that, a Bayesian network (BN) model is built to characterize the uncertainties of infection propagations in the TDN. Finally, the method adopts loopy belief propagation on the BN model to infer the security state of an object. We evaluate the proposed method using a large data set of 389 attacks launched by the real-world malware samples including sophisticated ones such as Stuxnet. Extensive experiments demonstrate that our method is able to identify attack ramifications with a 97.47% precision at 97.21% recall without the knowledge of intrusion root.