张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

胡敏,潘雪增,平玲娣

DOI: https://doi.org/10.3969/j.issn.1001-3695.2004.01.033

2004-01-01

Abstract:This paper focuses on issures related to deploying a data mining-based IDS (Intrusion Detection System) in a real time environment To overcome the limitations of traditional IDS, the corresponding solutions to accurracy, efficiency and usability is presented.These solutions impove efficiency of traditional DOS and maintain a desired accuracy level. This paper also proposed an architecture consisting of sensors, detectors, a data warehouse and model generation components. This architecture facilitates the sharing and storage of audit data and the distribution of new or updated models. Also, it improves the efficiency and scalability of the traditional IDS.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Peng Ning,Sushil Jajodia,Xiaoyang Sean Wang

DOI: https://doi.org/10.1145/503339.503342

2001-01-01

ACM Transactions on Information and System Security

Abstract:Abstraction is an important issue in intrusion detection, since it not only hides the difference between heterogeneous systems, but also allows generic intrusion-detection models. However, abstraction is an error-prone process and is not well supported in current intrusion-detection systems (IDSs). This article presents a hierarchical model to support attack specification and event abstraction in distributed intrusion detection. The model involves three concepts: system view , signature , and view definition . A system view provides an abstract interface of a particular type of information; defined on the instances of system views, a signature specifies certain distributed attacks or events to be monitored; a view definition is then used to derive information from the matches of a signature and presents it through a system view. With the three elements, the model provides a hierarchical framework for maintaining signatures, system views, as well as event abstraction. As a benefit, the model allows generic signatures that can accommodate unknown variants of known attacks. Moreover, abstraction represented by a system view can be updated without changing either its specification or the signatures specified on its basis. This article then presents a decentralized method for autonomous but cooperative component systems to detect distributed attacks specified by signatures. Specifically, a signature is decomposed into finer units, called detection tasks , each of which represents the activity to be monitored on a component system. The component systems (involved in a signature) then perform the detection tasks cooperatively according to the "dependency" relationships among these tasks. An experimental system called CARDS has been implemented to test the feasibility of the proposed approach.

Xiaohong Qu,Zhijie Liu,Xiaoyao Xie

DOI: https://doi.org/10.1109/ICASID.2009.5276963

2009-01-01

Abstract:Intrusion detection system is a new safeguard technology for system security after traditional technologies, such as firewall, message encryption and so on. To intrusion detection system, it makes improving efficiency of intrusion detection by choosing better method of intrusion detection, traditional intrusion detection system because of large amount of calculation, the high rate of omissions and misstatem tmts has not already adapted to the needs of the current network system protocol analysis is a kind of key technology for network intrusion detection. The paper which based on that idea will presents a distributed intrusion detection system model based on protocol analysis, it makes processing work very simple using protocol analysis technology in detection module. Compared with other model, the model has obvious advantage by analysing, and it can decrease the rate of FN and enhance the capability of system.

Yan-guo Wang,Xi Li,Weiming Hu

DOI: https://doi.org/10.1109/icsmc.2008.4811596

2008-01-01

Abstract:With the increasing requirements of fast response and privacy protection, how to detect network intrusions in a distributed architecture becomes a hot research area in the development of modern information security systems. However, it is a challenge to build such a system, given the difficulties brought by the mixed-attribute property of network connection data and the constraints on network communication. In this paper, we present a framework for distributed detection of network intrusions based on a parametric model. The parametric model can explicitly reflect the distributions of different intrusion types and handle the mixed-attribute data naturally. Based on the model, we can generate an accurate global intrusion detector with a very low cost of communication among the distributed detection sites, and no sharing of original network data is needed. Experimental results demonstrate the advantages of the proposed framework in the distributed intrusion detection application.

段海新,吴建平

DOI: https://doi.org/10.13328/j.cnki.jos.2001.09.015

2001-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:An integrative taxonomy for intrusion detection technologies is proposed, which can specify accurately existing intrusion detection methods. Aiming at multiple-domain environments, a distributed cooperative intrusion detection system (DCIDS) is designed, which implements cooperative intrusion detection through efficient, secure information exchange among IDSes in different domain. The architecture of intrusion detection systems is described, as well as its four components: sensor, analyzer, manager and user-interface. Some key issues are also discussed, including secure communication and selection of detection places.

史亮,李斌,庄镇泉

DOI: https://doi.org/10.3969/j.issn.1007-130x.2005.02.003

2005-01-01

Abstract:In this paper we present a multi-agent-based distributed intrusion detection system. This system distributes the intrusion detection work of the whole network into each host, overcomes the problem of single point invalidation and the bottleneck of treatment ability in centralized or hierarchical systems; gives the task of management and distributed intrusion detection for the whole network to the network security management agent NSMA and use the cooperation between NSMAs instead of the cooperation between the low-level detection points, improving the detection and management ability. We also introduce the function redundancy idea into the system design, and overcome the single point invalidation problem while improving the system's real-time intrusion detection ability. This paper presents the system design idea and realization plan in detail, and at the same time, it gives the resolution plan for the relevant problems.

蔡忠闽,彭勤科,管晓宏,孙国基

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.07.028

2002-01-01

Abstract:In this paper we present a multi-layer and defense-in-depth intrusion detection model for networked computer systems with a prototype. In this model, the operations on the protected computer system are monitored by four sensors from different viewpoints. The final judgement is made by combining the results of the individual sensors using information fusion techniques. It is demonstrated that an anomaly behavior can be more easily discovered and false alarms can be effectively reduced using our detection model. The methods to detect intrusions at different layers are also discussed using the experience gained in prototype realization.

Xiao He

2010-01-01

Abstract:This paper analyzes the current methods commonly used in intrusion detection and network intrusion attacks,based on an SNMP-based Intrusion Detection System protocol design.Through reading and analyzing Management Information Base(MIB) of the network connection information,aiming at the characteristics of network intrusion and attacks,The program monitoring the network.The system consists of six modules,to realize network intrusion detection.

朱文涛,李津生,洪佩琳

DOI: https://doi.org/10.3969/j.issn.1000-1220.2003.12.007

2003-01-01

Abstract:With the expansion of network scale and the proliferation of security concems, it has become an urgent need to develop large-scale distributed intrusion detection systems. We investigated the framework and mechanism of such systems, and presented a case study of the distributed systems based on the network offensive and defensive strategy.A novel representation of the strategy utilizing state transitions is proposed.By comparing with a previously presented scheme, our solutions expansibility and feasibility in distributed intrusion detection are illustrated.

王泽芳,陈小平,史烈

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.11.055

2002-01-01

Abstract:Intrustion detection system is very important in computer security.The article introduces the idea of intrusion detection based on system-call monitoring under Linux and the design of the corresponding model.

Zhang Yunpeng,Hu Fei,Ma Chunyan,Lu Wei,Li Mei

DOI: https://doi.org/10.3321/j.issn:1002-8331.2005.35.045

2005-01-01

Abstract:This paper establishes and accomplishes the intrusion detection system,SC-IDS.It combines the knowledge-based IDS and anomaly-based IDS into a system,it accords with P2DR model and the distributed framework.It surmounts the shortcoming of traditional ways of detection,for example,high false positive and false negative rate;can't adapt large-scale network;can't cooperate with other security product etc.It gains a good effect after operation.

QINGtao WU,Zhiqing SHAO,Xiyuan QIAN

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.10.049

2006-01-01

Abstract:Distributed denial of service (DDoS) attacks are major threats to availability of computer network. A detection model for early DDoS attacks is presented, which involves with probability distributions of normal behavior on computer network and DDoS attacks detection threshold. The model employs statistical analysis of data from network connections to find the probability distributions of normal behavior. Based on the probability distributions, the threshold is set for detecting attacks. Also, the feasibility of the scheme is validated through the simulated test. The experimental results show the effectiveness of the model in detecting DDoS attacks. Furthermore, this model provides some directed sense for other network security detection research.

SHI Li-li,XUE Zhi,WANG Yi-jun

DOI: https://doi.org/10.3969/j.issn.1009-8054.2008.02.022

2008-01-01

Abstract:This paper presents the Distributed Firewall and Invading Detection Technique, analyzes their deficiencies, discusses and researches the combination technique, explains the design principle and implementation of the combination system based on the Distributed Firewall and Invading Detection Technique. Through the union system, the firewall may using the IDS discover promptly the attack behavior outside its strategy, the IDS also may block the attack behavior from exterior network through the firewall, thus can form one kind of safe protection system with effective interaction, en-hanced the network whole safety performance enormously.

Zhang Xiaosong,Chen Ting,Ma Yue,Li Hua

DOI: https://doi.org/10.1109/ICFIN.2009.5339561

2009-01-01

Abstract:This paper proposes a model of intrusion detection based on peer-to-peer (p2p) mechanism. The crux of our research is that quantitatively analyze the response rate of the global intrusion detection system (IDS). The principal approaches are modeling, deduction and numerical simulation. Theoretical proof and experiments demonstrate that our model is reliable and robust. Based on this model, we draw the following conclusions. First, this model is insensitive to network scale so it is adaptable to large-scale network. Second, response rate depends mostly on peer's degree. Third, our model does not care about how many peers are aware of intrusion in the beginning. In a word, with proper parameters our model can achieve an extremely rapid response rate.

Jun Gao,Weiming Hu,Xiaoqin Zhang,Xi Li

DOI: https://doi.org/10.1109/wi-iat.2009.113

2009-01-01

Web Intelligence

Abstract:Due to the increasing demands for network security, distributed intrusion detection has become a hot research topic in computer science. However, the design and maintenance of the intrusion detection system (IDS) is still a challenging task due to its dynamic, scalability, and privacy properties. In this paper, we propose a distributed IDS framework which consists of the individual and global models. Specifically, the individual model for the local unit derives from Gaussian Mixture Model based on online Adaboost algorithm, while the global model is constructed through the PSO-SVM fusion algorithm. Experimental results demonstrate that our approach can achieve a good detection performance while being trained online and consuming little traffic to communicate between local units.

Peng Ning,Sushil Jajodia,X. Sean Wang

DOI: https://doi.org/10.1007/978-1-4615-0467-2_6

2004-01-01

Abstract: In this chapter, we present a model to represent distributed attacks based on the concept of system view presented in Chapter 3. However, instead of developing a completely new model, we extend a model named ARMD [Lin et al., 1998, Lin, 1998], which was developed for host-based intrusion detection. There are several other models that could be used instead of ARMD, including rule based languages (e.g., P-BEST [Lindqvist and Porras, 1999] and RUSSEL [Mounji et al., 1995]), the State Transition Analysis Tool (STAT) [Il-gun et al., 1995, Vigna and Kermmerer, 1998, Vigna and Kemmerer, 1999], and the Colored Petri Automata (CPA) [Kumar, 1995, Kumar and Spafford, 1994].

贺龙涛,方滨兴,云晓春

DOI: https://doi.org/10.3321/j.issn:1000-436x.2004.07.011

2004-01-01

Abstract:Based on the analysis of current distributed intrusion detection system topology, we design a self-organized hierarchical massive network intrusion detection system. We present the idea of self-organization between nodes, and separate detecting function from organizing function with organizer server in the distributed intrusion detection system. It reduces the implement complexity, and avoids the single point of failure. When some nodes of the system are out of work, the others still work well. We realize a complete protocol assembly platform. It does well in practice.

WANG Fang,YI Ping,WU Yue,WANG Zhi-yang

DOI: https://doi.org/10.3969/j.issn.1002-137x.2010.10.027

2010-01-01

Computer Science

Abstract:Mobile ad hoc networks are highly vulnerable to attacks due to the open medium,dynamically changing network topology,cooperative algorithms,lack of centralized monitoring and management point.The traditional way of protecting networks with firewalls and encryption software is no longer sufficient and effective for those features.We proposed a distributed intrusion detection approach based on finish state machine(FSM).A cluster-based detection scheme was presented,where periodically a node is elected as the monitor node for a cluster.These monitor nodes can not only make local intrusion detection decisions,but also cooperatively take part in global intrusion detection.And then we constructed the finite state machine(FSM)by the way of manually abstracting the correct behaviours of the node according to the routing protocol of Dynamic Source Routing(DSR).The monitor nodes can verify every node's behaviour by the FSM,and validly detect real-time attacks without signatures of intrusion or trained data.Compared with the architecture where each node is its own IDS agent,our approach is much more efficient while maintaining the same level of effectiveness.Finally,we evaluated the intrusion detection method through simulation experiments.