LONG Xiao-fei,FENG Yan,WANG Rui-jie

DOI: https://doi.org/10.3969/j.issn.1000-7024.2007.03.016

2007-01-01

Abstract:For lackness of knowledge about the context of network hosts,most signature-based NIDSs produce too many false positives,which prevent the administrators from focusing their efforts on real dangerous alerts quickly.A mechanism in NIDS is proposed,which makes a decision before pattern matching to filter unnecessary intrusion rules for matching,by utilizing the software information of the target hosts,to mitigate false positives drastically.This method is implemented in the prototype system.The result of testing on typical intranet shows that this method surely mitigate false positives and improve quality of alerts in NIDS.

李辉,蔡忠闽,韩崇昭,管晓宏

DOI: https://doi.org/10.3969/j.issn.1000-1220.2003.09.008

2003-01-01

Abstract:State of the art of the Intrusion Detection technology is investigated and a new IDS inference framework and prototype based on information fusion is proposed. The new framework is to solve the problems of existing IDS——high false positive rate and incapable of detection of coordinated attacks. The prototype employ Bayesian Network to do information fusion and goal-tree to analyze intensions of coordinated attacks and quantify the security risk of system. The prototype is more integral than existing IDS and easier to find coordinated attacks with lower false positive rate.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

胡敏,潘雪增,平玲娣

DOI: https://doi.org/10.3969/j.issn.1001-3695.2004.01.033

2004-01-01

Abstract:This paper focuses on issures related to deploying a data mining-based IDS (Intrusion Detection System) in a real time environment To overcome the limitations of traditional IDS, the corresponding solutions to accurracy, efficiency and usability is presented.These solutions impove efficiency of traditional DOS and maintain a desired accuracy level. This paper also proposed an architecture consisting of sensors, detectors, a data warehouse and model generation components. This architecture facilitates the sharing and storage of audit data and the distribution of new or updated models. Also, it improves the efficiency and scalability of the traditional IDS.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Guangyang Zeng,Junfeng Wu,Xiufang Shi,Zhiguo Shi

DOI: https://doi.org/10.1109/ALLERTON.2018.8635875

2018-01-01

Abstract:Information fusion brings great advantages in multi-sensor detection systems and has attracted much attention. Regarding decision level fusion, in many existing literatures, the fusion center (FC) gives a global decision via a likelihood ratio (LR) test where the LR function is compared with a constant threshold. Most of these can be viewed as one-stage decision fusion schemes because the FC does not utilize the historical information in a continuous period of time. In this paper, we propose a novel multi-stage decision fusion scheme with feedback from the view of the Neyman-Pearson (N-P) criterion. In the proposed scheme, at each stage, the FC selects one threshold from two alternative values based on the feedback of the previous stage’s global decision to perform the LR test. Then we prove the convergence of the global detection probability and the false alarm probability when the true state of the target remains unchanged. For the decision fusion of two homogeneous sensors, we derive the optimal alternative thresholds under the N-P criterion. Simulation results show that the proposed scheme can effectively improve the performance of target detection.

Jingmin Zhou

2008-01-01

Abstract:Despite years of research and development efforts, intrusion detection is still facing significant challenges. A particular intriguing problem is that existing network intrusion detection systems report an excessive number of alerts, of which few are "interesting" from the point of view of security officers. Moreover, these alerts do not provide adequate details about the intrusions that can assist security officers to efficiently assess the security risks. In this dissertation, we propose methods to reduce the number of alerts and improve their quality. In our approach, we first identify and extract additional information from the intrusion alerts such as the result of an attack. Using this information, we are able to quickly filter out a majority of alerts that are generally not helpful in intrusion analysis. We also create a systematic approach to consistently and unambiguously model the extracted information, in particular the relations between different alerts. We demonstrate the scalability of this model by applying it to almost one thousand different network intrusion detection signatures. Using the model, we successfully construct high-level description of multi-stage intrusion strategies from low-level alerts, as well as compute the possible variations of multi-stage intrusions from a single intrusion instance. This not only reduces the number of total alerts, but also improves the alert quality. We conducted experiments with several real-world intrusion detection datasets, and the results showed the effectiveness of our approach.

Yawen Xue,Jie Pan,Yangyang Geng,Zeyu Yang,Mengxiang Liu,Ruilong Deng

DOI: https://doi.org/10.1109/ticps.2024.3406505

2024-01-01

Abstract:Industrial control systems (ICSs) are becoming increasingly interconnected as the rapid convergence of information technology (IT) and operation technology (OT) networks, and meanwhile massive attack surfaces have been exposed. However, traditional intrusion detection systems (IDSs) are difficult to be directly deployed in ICSs due to the hard real-time requirement and rare patching chance. Besides, the design of effective and practical IDSs is hampered by the lack of benchmarking ICS cybersecurity datasets. To bridge the gaps, this paper makes the first attempt by open-sourcing the developed ICS cybersecurity datasets and proposing a decision fusion based real-time IDS. Firstly, we design a customized cybersecurity dataset in a full-hardware and high-fidelity platform, including 7 types of cyber threats tailored for ICSs. The collected dataset includes network traffic, sensor readings, actuator status, and system parameters, providing the state-of-the-art benchmark dataset for ICSs consisting of cross-layer characteristics. Furthermore, we design an online decision fusion-based IDS by strategically integrating 4 widely-used machine learning models. The proposed IDS is deployed on a real-time running ethanol distillation, surpassing the performance of single detection models in terms of precision and F1-score, which substantially enhances intrusion detection accuracy and cybersecurity of ICS.

Chaoqun Yang,Li Feng,Heng Zhang,Shibo He,Zhiguo Shi

DOI: https://doi.org/10.1109/tsipn.2018.2790361

2018-01-01

IEEE Transactions on Signal and Information Processing over Networks

Abstract:Networked radar systems are vulnerable to different types of attacks, including electronic countermeasure (ECM) jamming and false data injection (FDI) attack. Substantial research has concentrated on ECM jamming, which interferes with radar echoes between a radar and targets. However, FDI attack in which an attacker somehow replaces or modifies radars' measurements, has rarely been considered. FDI attack is much stealthier than ECM jamming, making detection more difficult. In this paper, we take the first attempt to investigate the FDI attack's effects on a networked radar system. Further, we propose a novel data fusion algorithm to combat this attack. The proposed algorithm can dramatically reduce the attack's adverse effects, since it creatively introduces data's confidence factors into data fusion and adaptively decreases the fusion weights of the injected data. Numerical results verify the effectiveness of the proposed algorithm.

Rasheed Ahmad,Izzat Alsmadi,Ahmad, Rasheed

DOI: https://doi.org/10.1007/s10586-024-04365-y

2024-03-27

Cluster Computing

Abstract:The increasing frequency and sophistication of cyber-attacks pose significant threats to organizational entities and critical national infrastructure, leading to substantial financial and operational consequences. Detecting such attacks early and accurately remains a complex endeavour, compounded by challenges in intrusion detection system (IDS) design, the exploitation of zero-day attacks, and issues of reliability and resiliency in physical systems. This research addresses these challenges through a two-fold approach: firstly, implementing input data fusion from diverse and heterogeneous sources, and secondly, fusing classifiers from multiple deep learning (DL)-based algorithms. The success of machine learning (ML) and DL models for IDS relies on meticulous data collection and classifier selection. The paper underscores the limitations of relying on single datasets and ML/DL algorithms, emphasizing potential biases and training restrictions. Rigorous experiments were conducted to identify optimal DL architectures, ensuring the creation of models that exhibit robust generalization on new traffic instances, leading to trusted and unbiased results. The study demonstrates the efficacy of the proposed models through comprehensive evaluations and metrics. Results indicate that the fusion of data and classifiers significantly improves model generalization. The paper also outlines key challenges and future trends in data fusion, emphasizing its role in enhancing IDS performance for securing critical infrastructure.

computer science, information systems, theory & methods

Gou Jin,Yang Jiangang,Chen Qian

2005-01-01

Abstract:This paper presents a compound intrusion detection model based on a knowledge fusion algorithm. The proposed method suggests a set of related pattern knowledge objects with a well-defined structure, which instructs that pattern knowledge can be used for misuse detection or anomaly detection or both of them. Fusion algorithm is used to fuse original or real time knowledge objects to generate new useful ones and destroy those who may lead to miscar-riage of justice. In contrast with the conventional intrusion detection models, process in the paper combines anomaly and misuse detection so that it eliminates the flaws of a narrow definition for intrusion patterns and extends the known intrusions patterns to novel intrusions patterns. The experimental results show the feasibility of design rationale.

孙云,黄皓

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.09.059

2008-01-01

Abstract:Intrusion Detection System(IDS) has been harassed by false positive and false negative problem.Common IDS using single detection mode is hard to solve this problem effectively.This paper analyzes the characteristics of network flow and presents a new method,called hybrid IDS,combining misuse detection mode and anomaly detection mode,the method can overcome the shortcomings of IDS using single mode.Experiments show that the new method can improve IDS detection rate and decrease false alerts effectively.

Xiu-Zhen Chen,Qing-Hua Zheng,Xiao-Hong Guan,Chen-Guang Lin,Jie Sun

DOI: https://doi.org/10.1016/j.cose.2004.08.009

IF: 5.105

2005-01-01

Computers & Security

Abstract:How to evaluate network security threat quantitatively is one of key issues in the field of network security, which is vital for administrators to make decision on the security of computer networks. A novel model of security threat evaluation with a series of quantitative indices is proposed on the analysis of prevalent network intrusions. This model is based on multiple behavior information fusion and two indices of privilege validity and service availability that are proposed to evaluate the impact of prevalent network intrusions on system security, so as to provide security evolution over time, i.e., monitor security changes with respect to modification of security factors. The Markov model and the algorithm of D-S evidence reasoning are proposed to measure these two indices, respectively. Compared with other methods, this method mitigates the impact of unsuccessful intrusions on threat evaluation. It evaluates the impact of important intrusions on system security comprehensively and helps administrators to insight into intrusion steps, determine security state and identify dangerous intrusion traces. Testing in a real network environment shows that this method is reasonable and feasible in alleviating the tremendous task of data analysis and facilitating the understanding of the security evolution of the system for its administrators.

Fu Xiao,Xie Li

DOI: https://doi.org/10.1109/npc.2008.26

2008-01-01

Abstract:Intrusion detection systems (IDSs) can easily create thousands of alerts per day, up to 99% of which are false positives (i.e. alerts that are triggered incorrectly by benign events). This makes it extremely difficult for managers to analyze and react to attacks. This paper presents a novel method for handling IDS alerts more efficiently. It introduces outlier detection technique into this field, and designs a special outlier detection algorithm for identifying true alerts and reducing false positives. This algorithm uses frequent attribute values mined from historical alerts as the features of false positives, and then filters false alerts by the score calculated based on these features. We also proposed a two-phrase framework, which not only can filter newcome alerts in real time, but also can learn from these alerts and automatically adjust the filtering mechanism to new situations. Moreover our method needs no domain knowledge and little human assistance, so it is more practical than current ways. We have built a prototype implementation of our method. And the experiments on DARPA 2000 and real-world data have proved that this model has high performance.

Mengjie Li,Chao Liu

DOI: https://doi.org/10.1155/2022/6491577

2022-07-08

Mobile Information Systems

Abstract:With the rapid development of today's alarm system, the market demand for an intelligent alarm system is increasing. The traditional alarm system needs technological progress/advancement to meet the needs of the society, and the alarm system needs to develop in the direction of integration, both digitally and professionally. The intelligent fire warning systems using integrated multisensor digital data integration techniques can obtain the data information of the measured object more accurately and comprehensively from multiple dimensions, to improve the system alarm accuracy. This article aims to study the application of multisensor data fusion technology in intelligent fire alarm systems. For the issue of multivalued bias of the ID3 algorithm, this paper proposes the CAC_ID3 algorithm. Through the C4.5, the CART and the ID3 algorithm are compared and analyzed on the F1 value and the correct rate of the multisensor intelligent fire alarm data is set, and experiments show that the correct rate and F1 value of the CAC_ID3 algorithm are 1, which are higher than the other three algorithms. This shows that the CAC_ID3 algorithm has good classification effect and superior performance.

computer science, information systems,telecommunications

耿立中,贾惠波

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2011.04.010

2011-01-01

Abstract:The bottleneck formation of intrusion detection leaning in the network-attached storage（NAS） application was analyzed to increase the NAS security framework efficiency and show that the learning cost of intrusion detection methods shows exponential growth with increasing knowledge and the bottleneck seriously restricts the detection performance,which can be solved using information fusion technologies.A NAS security framework was then designed and implemented by fusing two different intrusion detection methods,the storage based intrusion detection method and the system call based intrusion detection method.The experimental results demonstrate that the framework can more effectively retard intrusion with the overall detection capability increasing by 15%.

Fu Xiao,Shi Jin,Xie Li

DOI: https://doi.org/10.4304/jnw.5.1.88-97

2010-01-01

Abstract:Current system managers often have to process huge amounts of alerts per day, which may be produced by all kinds of security products, network management tools or system logs. This has made it extremely difficult for managers to analyze and react to threats and attacks. So an effective technique which can automatically filter and analyze alerts has become urgent need. This paper presents a novel method for handling IDS alerts more efficiently. It introduces a new data mining technique, outlier detection, into this field, and designs a special outlier detection algorithm for identifying true alerts and reducing false positives (i.e. alerts that are triggered incorrectly by benign events). This algorithm uses frequent attribute values mined from historical alerts as the features of false positives, and then filters false alerts by the score calculated based on these features. We also proposed a three-phrase framework, which not only can filter newcome alerts in real time, but also can learn from these alerts and automatically adjust the filtering mechanism to new situations. Moreover our method can help managers analyze the root causes of false positives. And our method needs no domain knowledge and little human assistance, so it is more practical than current ways. We have built a prototype implementation of our method. Through the experiments on DARPA 2000, we have proved that our model can effectively reduce false positives. And on real-world dataset, our model has even higher reduction rate. By comparing with other alert reduction methods, we believe that our model has better performance.

LIU Ya-Ming,XU Feng,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137X.2005.09.014

2005-01-01

Computer Science

Abstract:Current intrusion detection systems only offer security administrators a great lot of independent, low-level a- lert, though there may be logical connections between them. It is a heavy burden for security administrators to analyze so many alerts, and a series of important alerts which are related to each other are often inundated with a large number of unimportant ones. Hence it is necessary to find a appropriate method to construct high-level attack scenarios from low-level attack alerts. This paper presents a model of alert correlation based on attack intention. The proposed ap- proach constructs attack scenarios using attack intentions, i.e. purposes of attack actions corresponding to alerts. When alerts appear, the model turns them into corresponding attack intentions and correlate those attack intentions ac- cording to attack scenarios which have been established before.

陈丽丽,李卫,管晓宏,祝春华

DOI: https://doi.org/10.3969/j.issn.1000-7180.2004.06.035

2004-01-01

Abstract:NIDS (Network Intrusion Detection System) as an important security protection tool has become a hotspot for research. We introduce the basic concept of IDS and its primary components and common classification first, then we present the framework of a net-based IDS and its implementation in detail. We put forward our views about the current research of IDS and its prospect last.