Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

Dong Ma,Yongjun Wang

DOI: https://doi.org/10.1109/mines.2012.148

2012-01-01

Abstract:In this paper, we present a network detection method based on collaborative model of network threat attacks, as well as trend analysis of network structure. First of all, the collaborative model is given a specific framework, build process and collaborative mechanisms. Then ripe for pattern matching algorithm and behavioral sequence template for a simple introduction to this approach, and explains how to use the collaborative model structure. Finally, the security situation of the entire network is analyzed by a quantitative situation evaluating model, The experiment results shows that, during its running in an intranet security guard system of a large enterprise, the next-step attack can be predicted by our algorithm, and the security situation of the entire network can be accurately evaluated as well.

Dawei Song,Xun Zhu,Fengjuan Ma

DOI: https://doi.org/10.1088/1742-6596/2066/1/012029

2021-11-01

Journal of Physics: Conference Series

Abstract:Abstract with the rise and rapid development of mobile communication, intelligent terminal and data system, we are entering the era of mobile Internet. In recent years, more and more data need to be processed and transmitted in daily life, and structured data is becoming more and more important. Among them, multi-mode matching technology can search data in a wider range. Matching for multiple patterns at a time avoids unnecessary matching, accelerates the matching process, and helps to find longer matching information and obtain higher accuracy. This paper mainly introduces the high camouflage intrusion detection method of structured database based on multi-mode matching. This paper uses the high disguised intrusion detection method of structured database based on multi-mode matching, collects sensitive information of wireless access points and stations through the communication of WLAN in multimodal matching, then intercepts and forges data packets to initiate replay attack. Replay attack is characterized by abnormal traffic in the network, which can be detected by statistical analysis. The experimental results show that the high camouflage intrusion detection method based on multi-mode matching makes the camouflage intrusion detection rate increase by 23%. The limitations of the design and research of camouflage intrusion detection are analyzed, discussed and summarized, so as to enrich the academic research results.

Liang Hu,Kuo Tang,Yu Ku,Kuo Zhao

DOI: https://doi.org/10.4156/jcit.vol5.issue3.13

2010-01-01

Abstract:With the development of high-speed network technique and increasing volume of network traffic, traditional pattern matching method can’t adapt to the new challenges to intrusion detection. To solve this, protocol analysis is introduced into the procedure of intrusion detection, and it has advantages such as the capability of detailed command parsing, attack detection and protocol acknowledgement against fragment attacks, the lower false positives and high performance. By the integration with pattern matching, intrusion detection technology based on protocol analysis may significantly reduce the amount of computation and improve the efficiency of packet analysis as well as the detection rates.

Rongmao Chen,Linbo Qiao,Bofeng Zhang,Zhenghu Gong

DOI: https://doi.org/10.2991/iccnce.2013.138

2013-01-01

Abstract:As the network threats nowadays turn to be more intricate and diversiform, traditional intrusion detection methods are facing with the challenges of lacking flexibility because that they are just code-actual. This paper summarizes the common correlating features exhibited by the network events from the perspective of the detector, and proposes a detection framework which can be used to detect various network threats.After having a static scanning of the threats pattern library, it loads and initials the data structure of threat behaviors, and then utilizes the scheme of event driven to deal with the network event streams. Finally, it logs and calls the related function to query the threat behavior states. The formalization analysis shows that this framework has high flexibility and expansibility to adapt to the evolvement of network threat behaviors.

YU Zhi-hong,ZHAO Kuo,HU Liang

DOI: https://doi.org/10.3969/j.issn.1671-5896.2008.02.009

2008-01-01

Abstract:Because there are some problems for traditional pattern matching detection technique such as high strength!computations,low detection rates and high false alarm rates an intelligent matching for intrusion detection rules based on protocol analysis is proposed.And this technique aims at detecting attacks by the means of high regularity of TCP/IP(Transmission Control Protocol/Internet Protocol),which results in obvious decrease of computational quantities of rules matching.The design and implementation of auto sorting rules base based on dynamic analysis are also presented.Experimental results show that our proposals can shorten about 20% the time of pattern matching and improve the efficiency of intrusion detection.

Mei-Ling Shyu,Thiago Quirino,Zongxing Xie,Shu-Ching Chen,Liwu Chang

DOI: https://doi.org/10.1145/1278460.1278463

2007-09-01

ACM Transactions on Autonomous and Adaptive Systems

Abstract:Recently, network security has become an extremely vital issue that beckons the development of accurate and efficient solutions capable of effectively defending our network systems and the valuable information journeying through them. In this article, a distributed multiagent intrusion detection system (IDS) architecture is proposed, which attempts to provide an accurate and lightweight solution to network intrusion detection by tackling issues associated with the design of a distributed multiagent system, such as poor system scalability and the requirements of excessive processing power and memory storage. The proposed IDS architecture consists of (i) the Host layer with lightweight host agents that perform anomaly detection in network connections to their respective hosts, and (ii) the Classification layer whose main functions are to perform misuse detection for the host agents, detect distributed attacks, and disseminate network security status information to the whole network. The intrusion detection task is achieved through the employment of the lightweight Adaptive Sub-Eigenspace Modeling (ASEM)-based anomaly and misuse detection schemes. Promising experimental results indicate that ASEM-based schemes outperform the KNN and LOF algorithms, with high detection rates and low false alarm rates in the anomaly detection task, and outperform several well-known supervised classification methods such as C4.5 Decision Tree, SVM, NN, KNN, Logistic, and Decision Table (DT) in the misuse detection task. To assess the performance in a real-world scenario, the Relative Assumption Model, feature extraction techniques, and common network attack generation tools are employed to generate normal and anomalous traffic in a private LAN testbed. Furthermore, the scalability performance of the proposed IDS architecture is investigated through the simulation of the proposed agent communication scheme, and satisfactory linear relationships for both degradation of system response time and agent communication generated network traffic overhead are achieved.

computer science, information systems, artificial intelligence, theory & methods

Zhitang Li,Aifang Zhang,Dong Li,Li Wang

DOI: https://doi.org/10.1007/978-3-540-73871-8_6

2007-01-01

Abstract:In monitoring anomalous network activities, intrusion detection systems tend to generate a large amount of alerts, which greatly increase the workload of post-detection analysis and decision-making. A system to detect the ongoing attacks and predict the upcoming next step of a multistage attack in alert streams by using known attack patterns can effectively solve this problem. The complete, correct and up to date pattern rule of various network attack activities plays an important role in such a system. An approach based on sequential pattern mining technique to discover multistage attack activity patterns is efficient to reduce the labor to construct pattern rules. But in a dynamic network environment where novel attack strategies appear continuously, the novel approach that we propose to use incremental mining algorithm shows better capability to detect recently appeared attack. In order to improve the correctness of results and shorten the running time of the mining algorithms, the directed graph is presented to restrict the scope of data queried in mining phase, which is especially useful in incremental mining. Finally, we remove the unexpected results from mining by computing probabilistic score between successive steps in a multistage attack pattern. A series of experiments show the validity of the methods in this paper.

Chun Jason Xue,Meilin Liu,QingFeng Zhuge,Edwin Hsing-Mean Sha

DOI: https://doi.org/10.1007/s11265-008-0279-2

2008-01-01

Journal of Signal Processing Systems

Abstract:With the wide adoption of internet into our everyday lives, internet security becomes an important issue. Intrusion detection at the network level is an effective way of stopping malicious attacks at the source and preventing viruses and worms from wide spreading. The key component in a successful network intrusion detection system is a high performance pattern matching engine that can uncover the malicious activities in real time. In this paper, we propose a highly parallel, scalable hardware based network intrusion detection system, that can handle variable pattern length efficiently and effectively. Pattern matching for a packet is completed in O(N log M) time where N is the size of the packet and M is the longest pattern length. Implementation is done on a standard off-the-shelf field-programmable gate array. Comparison with the other techniques shows promising results.

Xr Yang,Qb Song,Jy Shen

2001-01-01

Abstract:In this paper we present a frequent sequence patterns mining-based algorithm used for network intrusion detection, which is an application and extension of SPADE algorithm. It is based on the idea that much behavior on the network appear as sequences of activities, according to the sequence patterns we computed, we can construct the intrusion rule base and legal action rule base, then we can detect known and novel intrusion activities by rules' matching. In addition, when system is running, we use an incremental sequence patterns mining algorithm to complement the rule library in order to avoid re-executing the algorithm on the entire dataset, thereby reducing execution time. The experimental results indicate that this algorithm is efficient enough to meet the needs of active detect novel intrusion. Compared with most existing methods used in commercial systems which are built using purely knowledge engineering approaches, our algorithm is more intelligent and adaptive.

Xu Dongliang,Zhang Hongli,Zhang Lei,Yao Chongchong

DOI: https://doi.org/10.11959/j.issn.1000-0801.2015068

2015-01-01

Abstract:Pattern matching is the core module in network security system,it's the highest occupancy rate of system resources is more than 70%.According to problem and challenges of pattern matching in the network security system,taking 2000 as the boundary,the pattern matching was divided into the traditional pattern matching method and the new pattern matching method.Through the analysis of the principle and the computational complexity of different pattern matching method and the development and evolution of the new pattern matching method,applicable environment of different methods was concluded.A comprehensive review and evaluation of pattern matching in network security system was presented.Finally,a conclusion and some suggestions for future research were summarized and prospected.

Haipeng Yao,Qiyi Wang,Luyao Wang,Peiying Zhang,Maozhen Li,Yunjie Liu

DOI: https://doi.org/10.1007/s10766-017-0537-7

2017-01-01

International Journal of Parallel Programming

Abstract:With the dramatic opening-up of network, network security becomes a severe social problem with the rapid development of network technology. Intrusion Detection System (IDS) is an innovative and proactive network security technology, which becomes a hot topic in both industry and academia in recent years. There are four main characteristics of intrusion data that affect the performance of IDS including multicomponent, data imbalance, time-varying and unknown attacks. We propose a novel IDS framework called HMLD to address these issues, which is an exquisite designed framework based on Hybrid Multi-Level Data Mining. In this paper, we use KDDCUP99 dataset to evaluate the performance of HMLD. The experimental results show that HMLD can reach 96.70% accuracy which is nearly 1% higher than the recent proposed optimal algorithm SVM+ELM+Modified K-Means. In details, HMLD greatly increased the detection accuracy of DoS attacks and R2L attacks.

Hongbin Lu,Kai Zheng,Bin Liu,Xin Zhang,Yunhao Liu

DOI: https://doi.org/10.1109/jsac.2006.877221

IF: 16.4

2006-01-01

IEEE Journal on Selected Areas in Communications

Abstract:The ability to inspect both packet headers and payloads to identify attack signatures makes network intrusion detection system (NIDS) a promising approach to protect Internet systems. Since most of the known attacks can be represented with strings or combinations of multiple substrings, string matching is a key component, as well as the bottleneck in NIDS to address the requirement of constantly increasing capacity. We propose a memory-efficient multiple-character-approaching architecture consisting of multiple parallel deterministic finite automata (DFAs), called TDP-DFA. By employing efficient representations for the transition rules in each DFA, TDP-DFA significantly reduces the complexity. We also present a novel scheme to share the storage of transition rules among multiple DFAs, substantially decreasing the total storage cost, and avoiding the cost increase being proportional to the number of DFAs. We evaluate this design through theoretical analysis and comprehensive experiments. Results show that TDP-DFA is able to meet the critical requirement of OC-768 wirespeed processing, as well as constituting a promising way for scaling up to cope with throughput over 100 Gb/s in the future

Hongjie Sun,Binxing Fang,Hongli Zhang

2006-01-01

WSEAS TRANSACTIONS ON INFORMATION SCIENCE AND APPLICATIONS

Abstract:The more and more complicated and advanced network attacks greatly thread the security of network. It is difficult to collect the network internal link character directly, because present networks have evolved into large and complex systems that are decentralized and loosely controlled. Network tomography is a new concept proposed for estimating internal network structure and link-level performance from end-to-end measurements and it gives a new direction to solve intrusion detection problem. In order to detect and locate the source of anomaly and attack in the beginning of their spreading, we abstract the required link-level properties of network performance using end-to-end measurements and propose a new approach using maximum likelihood estimation and neural network for anomaly link detection and location. Maximum likelihood estimation is used to estimate the distribution of link character, a mixing and optimizing neural network solution combining the Back Propagation (BP) Algorithm with the Simulated Annealing (SA) Algorithm is used for link activity profile learning and anomaly link detection. Comparing with single BP algorithm, the value calculation result shows that BP-SA mixing and optimizing solution has a higher speed and higher accuracy. Experiment results indicate the new approach is effective and of a definite practicability. It is a bran-new idea and has a further develop potential for large scale network anomaly detection.

Zhongqiang Chen,Yuan Zhang,Zhongrong Chen,Alex Delis

DOI: https://doi.org/10.1093/comjnl/bxp026

2009-01-01

The Computer Journal

Abstract:Intrusion detection/prevention systems (IDSs/IPSs) heavily rely on signature databases and pattern matching (PM) techniques to identify network attacks. The engines of such systems often employ traditional PM algorithms to search for telltale patterns in network flows. The observations that real-world network traffic is largely legitimate and that telltales manifested by exploits rarely appear in network streams lead us to the proposal of Fingerprinter. This framework integrates fingerprinting and PM methods to rapidly distinguish well-behaved from malicious traffic. Fingerprinter produces concise digests or fingerprints for attack signatures during its programming phase. In its querying phase, the framework quickly identifies attack-free connections by transforming input traffic into its fingerprint space and matching its digest against those of attack signatures. If the legitimacy of a stream cannot be determined by fingerprints alone, our framework uses the Boyer–Moore algorithm to ascertain whether attack signatures appear in the stream. To reduce false matches, we resort to multiple fingerprinting techniques including Bloom–Filter and Rabin–Fingerprint. Experimentation with a prototype and a variety of traces has helped us establish that Fingerprinter significantly accelerates the attack detection process.

Zhichun Li,Yan Chen,Aaron Beach

DOI: https://doi.org/10.1145/1162666.1162669

2006-01-01

Abstract:Traffic anomalies and distributed attacks are commonplace in today's networks. Single point detection is often insufficient to determine the causes, patterns and prevalence of such events. Most existing distributed intrusion detection systems (DIDS) rely on centralized fusion, or distributed fusion with unscalable communication mechanisms. In this paper, we propose to build a DIDS based on the emerging decentralized location and routing infrastructure: distributed hash table (DHT). We embed the intrusion symptoms into the DHT dimensions so that alarms related to the same intrusion (thus with similar symptoms) will be routed to the same sensor fusion center (SFC) while evenly distributing unrelated alarms to different SFCs. This is achieved through careful routing key design based on: 1) analysis of essential characteristics of four common types of intrusions: DoS attacks, port scanning, virus/worm infection and botnets; and 2) distribution and stability analysis of the popular port numbers and those of the popular source IP subnets in scans. We further propose several schemes to distribute the alarms more evenly across the SFCs, and improve the resiliency against the failures or attacks. Evaluation based on one month of DShield firewall logs (600 million scan records) collected from over 2200 worldwide providers show that the resulting system, termed Cyber Disease DHT (CDDHT), can effectively fuse related alarms while distributing unrelated ones evenly among the SFCs. It significantly outperforms the traditional hierarchical approach when facing large amounts of diverse intrusion alerts.

Haitian Liu,Rong Jiang,Bin Zhou,Xing Rong,Juan Li,Aiping Li

DOI: https://doi.org/10.1109/dsc55868.2022.00025

2022-01-01

Abstract:With the increasing severity of network threats, network security has become a global concern. Especially the Sequential network attacks (SNAs), are becoming increasingly prominent. Hidden Markov Model (HMM) is often used to model such problems. By revealing the early life cycle of SNAs, it helps to understand attacker strategies. Based on this, this paper proposes a new intrusion detection mechanism for SNA detection to meet the challenges of modeling and detecting multiple sequential network attack scenarios. We developed an architecture capable of identifying these organized attack processes. The system goes through three main stages. The first stage processes the alerts output by IDS and feeds them into different sub-alert sequences belonging to different attackers. The second stage uses the DTW&1NN algorithm to classify sub-alert sequences belonging to the same SNA scenario. The third stage of the proposed system is attack decoding, which utilizes a Hidden Markov Model (HMM) to determine the most likely sequence of SNA phases for a given sequence of relevant alerts. Finally, simulation experiments are carried out based on the public dataset of CSE-CIC-IDS2018 to verify the effectiveness of the proposed architecture.

Amjad Amjad,Nizar Alhafez,Iyad Al Al-khayat,,,

DOI: https://doi.org/10.54216/jisiot.120110

2024-01-01

Journal of Intelligent Systems and Internet of Things

Abstract:In the realm of cybersecurity, the incessant evolution of network attacks necessitates advanced and robust intrusion detection systems (IDS). The major issues with these systems are numerous: false positivenegative alarms, delayed response and detection time, size of processed data, adaptability to future threats, scalability of the system, difficulty in detecting distributed attacks, and downtime (fault tolerance). We propose a system that introduces a distributed framework aimed at enhancing network security by effectively identifying subtle deviations from normal network behavior. This is achieved through transfer learning based on artificial neural networks, and support vector machine (SVM), capitalizing on their complementary strengths in recognizing complex patterns and addressing high-dimensional datasets. To validate the efficacy of the proposed approach, the NSL-KDD dataset is utilized within a distributed IDS architecture. It consists of several intrusion detection nodes representing subnetworks. A node consists of two agents that work collaboratively. A way is proposed to avoid interference between analysis agents: the network agents manager monitors the functioning of the nodes and displays the results of each vulnerability-detecting node in each subnet separately. Such communication between agents should reduce FPAS (false positive alarms) significantly. The Detection engine extracts relevant features of network attacks to solve the problem of SVM in processing huge sizes of data and detect adaptive future threats to detect famous distributed denial of services (DDOS) attacks in real-time. The system is highly scalable by increasing the number of intrusion detection system nodes if necessary. Central processing is avoided to circumvent a system failure situation, where processing and decision-making take place at the detection node level within each subnet.