Fang Jinhe,Feng Yan,Wang Ruijie

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.18.048

2006-01-01

Abstract:After discussing the constraints of current intrusion detection systems(IDS),we issue two problems should be considered in developing an adaptive IDS,one is to select the time to update the normal profile and the other is to select a mechanism to update the profile.To resolve the first problem,we calculate the similarity between the incremental audit data and the normal profile and then decide whether to and when to update the profile.To resolve the second problem,we employ a sliding window approach and use only the audit data inside that sliding window to update the profile.The window therefore acts to filter out outdated audit data and to build a profile based on only recent data that reflects the recent system activities.

胡敏,潘雪增,平玲娣

DOI: https://doi.org/10.3969/j.issn.1001-3695.2004.01.033

2004-01-01

Abstract:This paper focuses on issures related to deploying a data mining-based IDS (Intrusion Detection System) in a real time environment To overcome the limitations of traditional IDS, the corresponding solutions to accurracy, efficiency and usability is presented.These solutions impove efficiency of traditional DOS and maintain a desired accuracy level. This paper also proposed an architecture consisting of sensors, detectors, a data warehouse and model generation components. This architecture facilitates the sharing and storage of audit data and the distribution of new or updated models. Also, it improves the efficiency and scalability of the traditional IDS.

Jian Zhang,Xiao Fu,Xiaojiang Du,Bin Luo,Zhihong Zhao

DOI: https://doi.org/10.1109/ICDCSW.2013.7

2013-01-01

Abstract:An important data source for intrusion forensics is various types of logs from the systems and networks being investigated. However, there are still many problems when using these logs for forensic analysis. Firstly, with the development of computers and Internet, intrusion behaviors involve more types and more quantities of logs, and these massive and complex log evidences make forensics analyst overwhelmed. Secondly, among the large number of logs that investigators need to analyze, the data related to criminal behaviors only accounts for a very small proportion and most of the rest data are useless records resulted from normal behaviors. Large amount of forensic data and high proportion of useless records make it very difficult to investigate and collect evidences. In addition, this makes criminal behaviors that submerged in a large amount of useless records easily overlooked. This paper introduces a new method for the reduction of candidate log evidences for intrusion forensics. Its main idea is to extract the key attribute fields as features of log records and assign a score to each log record. This score is used to indicate the degree of redundancy of the record. The greater the score is, the more likely the records are redundant. Our experiments based on Darpa2000 and Snort real-world data show that this method can significantly reduce the interference caused by useless data for forensic analysis: it removes 57% and 82% useless data in Darpa2000 and the Snort real-world data, respectively.

Zhang Xu,Zhenyu Wu,Zhichun Li,Kangkook Jee,Junghwan Rhee,Xusheng Xiao,Fengyuan Xu,Haining Wang,Guofei Jiang

DOI: https://doi.org/10.1145/2976749.2978378

2016-01-01

Abstract:Intrusive multi-step attacks, such as Advanced Persistent Threat (APT) attacks, have plagued enterprises with significant financial losses and are the top reason for enterprises to increase their security budgets. Since these attacks are sophisticated and stealthy, they can remain undetected for years if individual steps are buried in background "noise." Thus, enterprises are seeking solutions to "connect the suspicious dots" across multiple activities. This requires ubiquitous system auditing for long periods of time, which in turn causes overwhelmingly large amount of system audit events. Given a limited system budget, how to efficiently handle ever-increasing system audit logs is a great challenge. This paper proposes a new approach that exploits the dependency among system events to reduce the number of log entries while still supporting high-quality forensic analysis. In particular, we first propose an aggregation algorithm that preserves the dependency of events during data reduction to ensure the high quality of forensic analysis. Then we propose an aggressive reduction algorithm and exploit domain knowledge for further data reduction. To validate the efficacy of our proposed approach, we conduct a comprehensive evaluation on real-world auditing systems using log traces of more than one month. Our evaluation results demonstrate that our approach can significantly reduce the size of system logs and improve the efficiency of forensic analysis without losing accuracy.

JI Yu-chen,FU Xiao,SHI Jin,LUO Bin,ZHAO Zhi-hong

DOI: https://doi.org/10.3969/j.issn.1000-3428.2014.01.068

2014-01-01

Abstract:According to characteristics of computer intrusion forensic evidence, such as easy revise, easy loss, numerous sources, multifarious content, this paper discusses the current developing states about intrusion event reconstruction, analyzes intrusion event reconstruction source from the system layer object/event and the operate system layer object/event, and introduces the main intrusion event reconstruction tools. It reviews the existing methods for intrusion event reconstruction, including log analysis based on timestamp, semantic integrity checking, tracking technologies based on operate system layer object, event reconstruction models based on finite state machine and so on, evaluates their performance in terms of several metrics, such as reconstruction efficiency, false positives rate, credibility of evidence, authenticity of evidence, reconstruction environment, and summarizes the pros and cons of each method. Some important future research directions in the field of intrusion event reconstruction of computer intrusion forensic are discussed.

Shuai Jiang,Xiaolong Xu

DOI: https://doi.org/10.1007/978-3-030-34637-9_12

2019-01-01

Abstract:In the era of network and big data, network information security has become a major issue. Intrusion Detection System (IDS) is an essential component of network security facilities, which utilizes network traffic data to detect attacks. IDS can adopt data analysis and data mining technologies to detect attacks to network systems. However, the computational overhead of IDS is too large to serve for real-time detection due to the redundancy and irrelevant features in the network traffic dataset. We hence analyze seven classification algorithms for intrusion detection, where we separately perform data preprocessing with two kinds of dimensionality reduction techniques, Principal Component Analysis (PCA) and Singular Value Decomposition (SVD), to improve the performance of IDS. The experimental results on the NSL-KDD dataset indicate that the classification algorithms with dimensionality reduction outstands in detection rate and detection speed. Meanwhile, SVD demonstrate its superiority to PCA in boosting these algorithms.

XIAO Zheng-hong,YIN Hao

DOI: https://doi.org/10.3969/j.issn.1000-7180.2006.05.023

2006-01-01

Abstract:At first this paper introduces the development process of intrusion detection, then it describes the detection. Secondly, intrusion detection techniques for statistics analysis based on network traffic are thoroughly discussed in this paper, and it also points the future research aspects. Finally we document some remaining problems and challenges, and give the possible solution.

Darren Quick,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1007/s10586-016-0553-1

2016-03-21

Cluster Computing

Abstract:An issue that continues to impact digital forensics is the increasing volume of data and the growing number of devices. One proposed method to deal with the problem of “big digital forensic data”: the volume, variety, and velocity of digital forensic data, is to reduce the volume of data at either the collection stage or the processing stage. We have developed a novel approach which significantly improves on current practice, and in this paper we outline our data volume reduction process which focuses on imaging a selection of key files and data such as: registry, documents, spreadsheets, email, internet history, communications, logs, pictures, videos, and other relevant file types. When applied to test cases, a hundredfold reduction of original media volume was observed. When applied to real world cases of an Australian Law Enforcement Agency, the data volume further reduced to a small percentage of the original media volume, whilst retaining key evidential files and data. The reduction process was applied to a range of real world cases reviewed by experienced investigators and detectives and highlighted that evidential data was present in the data reduced forensic subset files. A data reduction approach is applicable in a range of areas, including: digital forensic triage, analysis, review, intelligence analysis, presentation, and archiving. In addition, the data reduction process outlined can be applied using common digital forensic hardware and software solutions available in appropriately equipped digital forensic labs without requiring additional purchase of software or hardware. The process can be applied to a wide variety of cases, such as terrorism and organised crime investigations, and the proposed data reduction process is intended to provide a capability to rapidly process data and gain an understanding of the information and/or locate key evidence or intelligence in a timely manner.

Jiang Shan,Chen Changai

DOI: https://doi.org/10.2991/isrme-15.2015.109

2015-01-01

Abstract:The security of software applications, from web-based applications to mobile services, is always at risk because of the open society of internet. With the increase in the number of network throughput and security threats, intrusion detection system has attracted much attention in recent years. In this paper, we undertake the research on the principle techniques for network intrusion detection based on data mining and analysis approach. We adopt the prior knowledge on Bayesian network which is a directed acyclic graph, each node represents a random variable and an edge said direct probabilistic dependencies between two connected nodes. Then, we use the traditional risk assessment model to measure the possibility of being hearted. The numeric analysis and experimental illustration indicates the effectiveness of our method compared with other popular adopted state-of-the-art methodologies. In the future, we plan to introduce the graph and complex network theory into our prototype system to enhance the performance.

Taining Zhang,Yihan Xiao,C. Xing,Zhongkai Zhao

DOI: https://doi.org/10.1109/ACCESS.2019.2904620

IF: 3.9

2019-03-12

IEEE Access

Abstract:With the popularity and development of network technology and the Internet, intrusion detection systems (IDSs), which can identify attacks, have been developed. Traditional intrusion detection algorithms typically employ mining association rules to identify intrusion behaviors. However, they fail to fully extract the characteristic information of user behaviors and encounter various problems, such as high false alarm rate (FAR), poor generalization capability, and poor timeliness. In this paper, we propose a network intrusion detection model based on a convolutional neural network–IDS (CNN–IDS). Redundant and irrelevant features in the network traffic data are first removed using different dimensionality reduction methods. Features of the dimensionality reduction data are automatically extracted using the CNN, and more effective information for identifying intrusion is extracted by supervised learning. To reduce the computational cost, we convert the original traffic vector format into an image format and use a standard KDD-CUP99 dataset to evaluate the performance of the proposed CNN model. The experimental results indicate that the AC, FAR, and timeliness of the CNN–IDS model are higher than those of traditional algorithms. Therefore, the model we propose has not only research significance but also practical value.

Engineering,Computer Science

Jingmin Zhou

2008-01-01

Abstract:Despite years of research and development efforts, intrusion detection is still facing significant challenges. A particular intriguing problem is that existing network intrusion detection systems report an excessive number of alerts, of which few are "interesting" from the point of view of security officers. Moreover, these alerts do not provide adequate details about the intrusions that can assist security officers to efficiently assess the security risks. In this dissertation, we propose methods to reduce the number of alerts and improve their quality. In our approach, we first identify and extract additional information from the intrusion alerts such as the result of an attack. Using this information, we are able to quickly filter out a majority of alerts that are generally not helpful in intrusion analysis. We also create a systematic approach to consistently and unambiguously model the extracted information, in particular the relations between different alerts. We demonstrate the scalability of this model by applying it to almost one thousand different network intrusion detection signatures. Using the model, we successfully construct high-level description of multi-stage intrusion strategies from low-level alerts, as well as compute the possible variations of multi-stage intrusions from a single intrusion instance. This not only reduces the number of total alerts, but also improves the alert quality. We conducted experiments with several real-world intrusion detection datasets, and the results showed the effectiveness of our approach.

T N Varunram,M B Shivaprasad,K H Aishwarya,Anush Balraj,S V Savish,S Ullas

DOI: https://doi.org/10.1109/iccca52192.2021.9666265

2021-12-17

Abstract:Intrusion Detection Systems are of paramount importance in the present-day network security environment. By analyzing and predicting the behavior of incoming data, IDS helps in classifying it as either a benign or dangerous activity. In this paper, implementation of multiple Intrusion Detection Systems is done using different machine learning algorithms like KNN, AdaBoost, SVM, Logistic Regression, Random Forest, Artificial Neural Networks and Naive Bayes. The class imbalance in the dataset, caused by innate mannerisms of network analysis, is corrected using Synthetic Minority Oversampling Technique (SMOTE). The dataset is then reduced using three different Dimensionality Reduction Techniques namely PCA, t-SNE, and UMAP. The three datasets produced by these techniques are then used to build the Intrusion Detection System, using the machine learning algorithms. The models will implement binary classification to classify the incoming attacks between benign activity and DDoS Attacks.

Bhushan Deore,Surendra Bhosale

DOI: https://doi.org/10.1007/s42979-021-00991-0

2021-12-30

SN Computer Science

Abstract:Due to the increase in the use of the internet all over the world for business and education activates, cybercrime is increasing day by day in spite of the development of security protocols and algorithms. Recent research is based on the intrusion detection system. We attempt to develop is a secure protocol to detect malicious data, along with actual data, in the incoming data traffic. An intrusion detection system based on a recurrent neural network (RNN) classifier for feature reduction. Failure in intrusion detection apparatus results in a series of negatives ranging from loss of confidential data and thereof reducing reliability for the end-user. Hence, detection systems play an important role in the service end user. In the proposed work, an intelligent system is developed based on machine learning techniques specifically RNN wherein, a novel algorithm is developed for combining a correlation and information gain, feature reduction is achieved. A feed-forward neural network is then fed these reduced features for testing and training on the NSL-KDD dataset. Normally, pre-processing of the dataset is carried out before the training phase. It helps us to regularize instances of each class in the dataset. Attack and non-attack classes are formed which helps us to implement this developed algorithm for giving the best results in terms of Feature ranking. Our algorithms reduced the number of features, which in turn reduced in preprocessing time of extracting features related to information gain and correlation in the dataset.

Shuai Jiang,Xiaolong Xu

DOI: https://doi.org/10.1109/CSCWD49262.2021.9437645

2021-01-01

Abstract:Intrusion detection system (IDS), as a network security device, monitors network data in real time and responds actively when it detects suspicious transmissions. However, suffered from the large amount of redundancy and high correlation of network data, the traditional IDS have defects in low detection rate and high computational overhead. In this paper, we propose a network data classification m...

Hongbin Sun,Su Wang,Zhiliang Wang,Zheyu Jiang,Dongqi Han,Jiahai Yang

DOI: https://doi.org/10.1145/3678890.3679048

2024-01-01

Abstract:Recently enterprises and governments face escalating APT attacks, leading to significant economic losses. APT attacks often persist for extended periods, necessitating the storage of extensive audit logs for effective detection. To reduce data storage overhead, enterprises commonly adopt compression strategies. However, efficient compression strategies may introduce additional query overhead. Existing approaches propose data reduction algorithms, but these methods can compromise data integrity, rendering current attack investigation and anomaly-based intrusion detection ineffective. To address these difficulties, we present AudiTrim, a system that ensures real-time, general, efficient, and low-overhead data compaction without compromising attack investigation and anomaly-based intrusion detection. It efficiently reduces log sizes without impacting user experiences, achieving real-time compaction and adaptable deployment on different operating systems. AudiTrim employs two strategies: 1) Data Reduction: By analyzing the types of duplicate edges, our data reduction approach not only considers a broader range of scenarios for redundant edges compared to previous methods but also enhances the efficiency of data reduction. 2) Data Compression: By aggregating log information at the server-side and training a compression model, we facilitate a data compression algorithm that ensures ease of querying. Both strategies meet real-time, low-overhead, and general requirements, fulfilling enterprise data storage needs. The final compaction ratio reaches 26×-65×.

Jun Li

2008-01-01

Abstract:Nowadays,Intrusion Detection(ID)is popular applying with the technology of data mining and machine learning.However,lots of algorithms used in ID were limited in practicing for consuming time.It can be more efficient and rapidly by using rough set in attribute reduction.A new algorithm is presented for redundant attribute reduction based on the rough set,and then classified by Nave Bayes classifier.Experiment results show that this method is more efficient and has better performance and less time.

Jun Qian,Chao Xu,Meilin Shi

DOI: https://doi.org/10.1007/11766155_32

2006-01-01

Abstract:Although the intrusion detection system industry is rapidly maturing, the state of intrusion detection system evaluation is not. The off-line dataset evaluation proposed by MIT Lincoln Lab is a practical solution in terms of evaluating the performance of IDS. While the evaluation dataset represents a significant and monumental undertaking, there remain several issues unsolved in the design and modeling of the resulting dataset which may make the evaluation results biased. Some researchers have noticed such problems and criticized the design and execution of the dataset, but there is no technical contribution for new efforts proposed per se. In this paper we present our efforts to redesign and generate new dataset. We first study how network applications and user behaviors characterize the network traffic. Second, we apply ourselves to improve on the background traffic simulation (including HTTP, SMTP, POP, P2P, FTP and other types of traffic). Unlike the existing model, our model simulates traffic from user level rather than from packet level, which is more reasonable for background traffic modeling and simulation. Our model takes advantage of user-level web mining, automatic user profiling and Enron email dataset etc. The high fidelity of simulated background traffic is shown in experiment. Moreover, different kinds of attacker personalities are profiled and more than 300 instances of 62 different automated attacks are launched against victim hosts and servers. All our efforts try to make the dataset more “real” and therefore be fairer for IDS evaluation.

Sai Xie,Zhe Chen

DOI: https://doi.org/10.48550/arXiv.1703.03225

2017-03-09

Abstract:In the era of big data and Internet of things, massive sensor data are gathered with Internet of things. Quantity of data captured by sensor networks are considered to contain highly useful and valuable information. However, for a variety of reasons, received sensor data often appear abnormal. Therefore, effective anomaly detection methods are required to guarantee the quality of data collected by those sensor nodes. Since sensor data are usually correlated in time and space, not all the gathered data are valuable for further data processing and analysis. Preprocessing is necessary for eliminating the redundancy in gathered massive sensor data. In this paper, the proposed work defines a sensor data preprocessing framework. It is mainly composed of two parts, i.e., sensor data anomaly detection and sensor data redundancy elimination. In the first part, methods based on principal statistic analysis and Bayesian network is proposed for sensor data anomaly detection. Then, approaches based on static Bayesian network (SBN) and dynamic Bayesian networks (DBNs) are proposed for sensor data redundancy elimination. Static sensor data redundancy detection algorithm (SSDRDA) for eliminating redundant data in static datasets and real-time sensor data redundancy detection algorithm (RSDRDA) for eliminating redundant sensor data in real-time are proposed. The efficiency and effectiveness of the proposed methods are validated using real-world gathered sensor datasets.

Distributed, Parallel, and Cluster Computing,Networking and Internet Architecture

Yijun Cai,Dian Li,Yuyue Wang

DOI: https://doi.org/10.1007/s13198-021-01279-5

2021-08-25

International Journal of System Assurance Engineering and Management

Abstract:Medical information system is a comprehensive system which integrates the application of medicine, information, management, computer and other disciplines. It has been widely used in the social medical security system. But with the rapid development of Internet plus medical technology, the risk of malicious invasion has increased dramatically, which gradually exposes the problem of inadequate medical information security. Therefore, effective detection of medical information system network intrusion and timely prevention of network threats have become the focus of attention and research in this field. Intrusion detection is a common detection method in network security, it plays a very important role in network security. Traditional intrusion detection is mostly based on rule matching, statistics and other methods. With the advent of the era of big data, traditional intrusion detection can not play a good performance, especially in the face of massive, complex and unbalanced intrusion data. The privacy data access monitoring system based on virtual computing environment can monitor the access of privacy data in two levels, namely, tracking the flow of privacy data within the host and tracking the propagation of privacy data between hosts. In the host, we can customize the taint propagation rules to achieve fine-grained capture of privacy data violations in the virtual computing environment. Hence, this paper studies the medical data intrusion detection technology based on virtual data pipeline from the assurance perspectives. The model is designed and implemented with the discussions of the performance. The experimental results have proven that the proposed model is efficient.

SHI Mei-Lin,QIAN Jun,XU Chao

2006-01-01

Computer Science

Abstract:Intrusion detection technology has been an indispensable part of information security metrics, but till now no standard is widely accepted to evaluate the effectiveness and accuracy of intrusion detection systems (IDS). Thus, both the end users and researchers have doubt on the effectiveness of IDS and algorithms. The key point of the solution is to construct a precise and comprehensive methodology for IDS evaluation. Researchers have proposed several IDS evaluation methods, such as dataset evaluation proposed by MIT Lincoln Lab and Open Security Evaluation Criteria proposed by Neohapsis, etc. According to the evaluation results researchers may look through the weak point of current intrusion detection technologies and thus improve on them. In this paper we present a detail analysis of dataset evaluation methodology proposed by MIT Lincoln Lab and point out the key problems of dataset evaluation methodology. We also propose an improving research plan as our furthering work in order to update the evaluation dataset.