Fang Jinhe,Feng Yan,Wang Ruijie

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.18.048

2006-01-01

Abstract:After discussing the constraints of current intrusion detection systems(IDS),we issue two problems should be considered in developing an adaptive IDS,one is to select the time to update the normal profile and the other is to select a mechanism to update the profile.To resolve the first problem,we calculate the similarity between the incremental audit data and the normal profile and then decide whether to and when to update the profile.To resolve the second problem,we employ a sliding window approach and use only the audit data inside that sliding window to update the profile.The window therefore acts to filter out outdated audit data and to build a profile based on only recent data that reflects the recent system activities.

Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

宋世杰,胡华平,胡笑蕾,金士尧

2003-01-01

Abstract:The key issue of anomaly NIDS is building normal patterns, comparing current system or user behaviors with history behaviors, and then detecting intrusion. We introduced some data mining algorithms, presentd a classification method of IDS based on data mining, and described the process of data mining application in anomaly NIDS from network layer and application layer. We proposed three methods of pattern comparison in detail, and verified that the obtained normal audit data is enough for network layer anomaly NIDS.'

胡敏,潘雪增,平玲娣

DOI: https://doi.org/10.3969/j.issn.1001-3695.2004.01.033

2004-01-01

Abstract:This paper focuses on issures related to deploying a data mining-based IDS (Intrusion Detection System) in a real time environment To overcome the limitations of traditional IDS, the corresponding solutions to accurracy, efficiency and usability is presented.These solutions impove efficiency of traditional DOS and maintain a desired accuracy level. This paper also proposed an architecture consisting of sensors, detectors, a data warehouse and model generation components. This architecture facilitates the sharing and storage of audit data and the distribution of new or updated models. Also, it improves the efficiency and scalability of the traditional IDS.

Na Xing,Shuai Zhao,Yuehai Wang,Keqing Ning,Xiufeng Liu

DOI: https://doi.org/10.14569/ijacsa.2023.0140743

2023-01-01

Abstract:recent years, deep learning-based network intrusion detection systems (IDS) have shown impressive results in detecting attacks. However, most existing IDS can only recognize known attacks that were included in their training data. When faced with unknown attacks, these systems are often unable to take appropriate actions and incorrectly classify them into known categories, leading to reduced detection performance. Furthermore, as the number and types of network attacks continue to increase, it becomes challenging for these IDS to update their model parameters promptly and adapt to new attack scenarios. To address these issues, this paper introduces a dynamic intrusion detection system, Dynamic Unknown Attack Intrusion Detection System (DUA-IDS). This system aims to learn and detect unknown attacks effectively. DUA-IDS comprises three components: Feature Extractor: This component employs CNN and Transformer models to extract data features from various perspectives. Threshold-Based Classifier: The second part utilizes the nearest mean rule of samples to classify known and unknown attacks, enabling the distinction between them. Dynamic Learning Module: The third part incorporates data playback and knowledge distillation techniques to retain existing category knowledge while continuously learning new attack categories. To assess the effectiveness of DUA-IDS, this paper conducted experiments using the UNSW-NB15 public dataset. The experimental results show that DUA-IDS improves the classification accuracy of flow network data with unknown traffic attacks. Can accurately distinguish unknown traffic and correctly classify known traffic. When dynamically learning unknown traffic, the classification accuracy of previously learned known traffic is less affected. This indicates the advantages of DUA-IDS in detecting unknown attacks and learning new attack categories.

杨向荣,宋擒豹,沈钧毅

DOI: https://doi.org/10.3321/j.issn:0253-987X.2002.02.016

2002-01-01

Abstract:An efficient method based on data mining is presented for detecting network intrusion. According to this method, user's behavior patterns are mined from IP packets, and used to build user's behavior rules base automatically. By comparing similarity, the new method can be used to detect known and unknown network attacks in real-time. The user's behavior patterns mining algorithm IDSPADE is described in detail, which is the most important part of DMIDS. The experimental results indicate that this algorithm is efficient enough to meet the needs of active detect novel intrusion. Compared with most existing systems by using the pure knowledge engineering approaches, the algorithm is more intelligent and adaptive.

Sun Jian-hua,Jin Hai,Chen Hao,Han Zong-fen

DOI: https://doi.org/10.1007/bf02828629

2005-01-01

Abstract:Aiming at the shortcomings in intrusion detection systems (IDSs) used in commercial and research fields, we propose the MA-IDS system, a distributed intrusion detection system based on data mining. In this model, misuse intrusion detection system (MIDS) and anomaly intrusion detection system (AIDS) are combined. Data mining is applied to raise detection performance, and distributed mechanism is employed to increase the scalability and efficiency. Host- and network-based mining algorithms employ an improved Bayesian decision theorem that suits for real security environment to minimize the risks incurred by false decisions. We describe the overall architecture of the MA-IDS system, and discuss specific design and implementation issue.

杨建华,蒋玉明,彭轮

DOI: https://doi.org/10.3969/j.issn.1008-0570.2009.24.011

2009-01-01

Abstract:In this paper an intrusion detection system based on data mining is proposed,and its main idea is to apply data mining methods to learn rules that can capture normal and intrusion activities from pre-processed audit data that contain network connection information. Put forward a method to improve the Apriori algorithm,whose I/O is quite surprising when scanning the database. To improve the method is feasible;the normal rules in the knowledge database in IDS are mined. And the experiment indicates that the model can produce new rules,which approve the validity and the feasibility of the IDS.

Cai Wan

2003-01-01

Computer Science

Abstract:Intrusion Detection System (IDS) is an important network security technique. It can dynamic detect the network attack behaviors. At present, great issues for IDS are incapable of detecting the unknown malicious attack behaviors. So that, some new detection techniques are presented,data mining-based detection technique is an effective method in them. In this paper, data mining-based detection method and its key techniques are discussed in detail.

Jianhua Sun,Hai Jin,Hao Chen,Zong F. Man

2005-01-01

Wuhan University Journal of Natural Sciences

Abstract:Aiming at the shortcomings in intrusion detection systems (IDSs) used in commercial and research fields, we propose the MA-IDS system, a distributed intrusion detection system based on data mining. In this model, misuse intrusion detection system (MIDS) and anomaly intrusion detection system (AIDS) are combined. Data mining is applied to raise detection performance, and distributed mechanism is employed to increase the scalability and efficiency. Host- and network-based mining algorithms employ an improved Bayesian decision theorem that suits for real security environment to minimize the risks incurred by false decisions. We describe the overall architecture of the MA-IDS system, and discuss specific design and implementation issue.

ZHAO Yu-ming,ZHANG Wei,teng SH

2007-01-01

Abstract:The technique of intrusion detection has become a focus in the field ofnetwork security. This paper introduced the categories of intrusion detection and the methods of data mining applied in abnormal detection. It also described the design and implementation of the abnormal IDS based on system call and data mining algorithms.

Xiejun Ni,Daojing He,Farooq Ahmad

DOI: https://doi.org/10.21015/vtse.v9i2.403

2016-01-01

VFAST Transactions on Software Engineering

Abstract:Revised July 2015 ABSTRACT. Network anomaly detection is an effective way to detect intrusions which defends our computer systems or network from attackers on the Internet. In this paper, we introduce the current research works in network anomaly detection and consider several pratical solutions for this issue. Different from signature-based method, data mining techniques can automatically extract normal pattern from a large set of network data and distinguish them from each other. However, those data mining techniques, such as classification, clustering, association rules and feature selection, can not be applied into this problem directly due to the characteristic of network data and technique themselves. We analyze those unfitness and propose some adaptation to detect anomaly timely and accurately.

张博,李伟华,布日古德

DOI: https://doi.org/10.3969/j.issn.1671-654X.2004.04.038

2004-01-01

Abstract:For the developed of knowledge discover and other relative technology, the date mining has been a focus in these days. This technology is very effective on building in signature and models in the Intrusion Detection System (IDS). To deal with the lots of Intrusion, we build the signature database and signature association combing with the concept of the association rules of date mining and enhance the network security through audit.

胡亮,金刚,于漫,任斐,任维武

DOI: https://doi.org/10.3321/j.issn:1671-5489.2009.06.032

2009-01-01

Abstract:The authors provided a comprehensive survey of anomaly detection systems used in the recent years.Intrusion detection was divided into 3 kinds based on technologies used.They are statistical anomaly detection,machine learning based anomaly detection and data mining based anomaly detection.The authors described the various features of anomaly detection technologies in details,represented the algorithms used in the current Anomaly Intrusion Detection Systems,the implements of the algorithms,and also compared the effects of various detection algorithms through the experiment.

Lei Zhang,Changjiang Liu,Yong Chen,Shaowen Lao

DOI: https://doi.org/10.1109/ICICTA.2018.00009

2018-01-01

Abstract:This paper introduces the latest development of intrusion detection based on data mining, and studies the key technologies of network intrusion detection based on data mining, especially outlier mining. A anomaly detection model based on outlier mining is proposed. The model firstly preprocesses the data and sets the normal sample set, calculates the outlier score of each sample in the normal sample set, and combines it with the specified outlier value threshold. The normal behavior profile is formed, which can be used as the basis for detection.

Lei Zhang,Jianqing Zhang,Yong Chen,Shaowen Liao

DOI: https://doi.org/10.1109/icicta.2018.00074

2018-01-01

Abstract:In this paper, a hybrid intrusion detection model based on data mining, which is commonly used in network security anomaly detection, is proposed that combines anomaly detection with misuse detection technology. Two test stages were formed and applied to the instrusion detection system in the process of large-scale network traffic detection. On the basis of improving the detection ability of the massive information detection system, the security of the data source of the intrusion detection system was ensured.

吕锡香,杨波,裴昌幸,苏晓龙

DOI: https://doi.org/10.3969/j.issn.1001-2400.2004.04.020

2004-01-01

Journal of Xidian University

Abstract:We discuss our research in developing the detection engine of the intrusion detection system. The key ideas are to combine the slide window into the data mining technique to design the base detection engine which is the essential share of the meta detection engine. In addition, Apriori, a kind of data mining algorithm, is improved to mine network data. The improved algorithm does not scan all items in database and only links the items in the same list, so the detection efficiency is improved greatly. Also, other key details in IDS are put forward.

Lü Hong-zhu,ZHANG Jian-ping,DENG Wen-xin

DOI: https://doi.org/10.3969/j.issn.1007-9831.2007.06.011

2007-01-01

Abstract:The body under study is the technology of data mining.However,the intrusion model of the current IDS can't reflect the intrusion characteristics well,a new model of the abnormity detection model with the application of DM technology was given and the abnormity detection model of design process.

赵欣,叶茂,朱莺嘤,郑凯元

DOI: https://doi.org/10.3778/j.issn.1002-8331.2010.05.027

2010-01-01

Abstract:Network intrusion detection is an important aspect of information security.Many good results in this aspect have been obtained in recent years.Most of them face the problem of low detection rate.The network connection's attributes which have the character of obvious distinction between normal and abnormal are often chosen by experts to judge whether the new network connections are normal.This method has some randomness which affects the detection rate.A method which aims to choose attributes based on the inherent law of normal network connections is proposed.The attributes can be chosen such that the high dimensional data can be transformed to one dimension automatically.The method of sequence data mining is used to find the rules of normal network connections.The new network connections can be detected by these rules.An experiment has been done on the datum of KDD99.The result indicates that the method of this paper has high detection rate.

Yu-Xin Ding,Hai-Sen Wang,Qing-Wei Liu

DOI: https://doi.org/10.1109/icmlc.2008.4620604

2008-01-01

Abstract:Traditional intrusion detection systems focus on low-level attacks, and only generate isolated alerts. They can't rind logical relations among alerts. In addition, IDS's accuracy is low, a lot of alerts are false alerts. So it is difficult for human users or intrusion response systems to understand the alerts and take appropriate actions. To solve this problem different intrusion scenario detection methods are proposed. In this paper a data mining method is used to find the attack scenarios. Firstly redundancy alerts are checked and deleted, then attack scenario patterns are mined by using the associate-rule algorithms which is an improved Apriori algorithm. These mined scenario patterns are used to rind attack scenarios. In (his paper 1999 DARPA intrusion detection scenario specific datasets are used as the experimental data and the corresponding results are shown. Compared with current scenario detection methods which depend on human knowledge to define attack scenarios, our methods use data mining method to find the scenarios automatically. Our experimental results demonstrate the potential of the proposed method.