Yue Shen,Fei Yu,Ling-Fen Zhang,Ji-Yao An,Miao-Liang Zhu

DOI: https://doi.org/10.1109/CANET.2005.1598184

2005-01-01

Abstract:Intrusion detection is an efficient way to protect information system. This paper puts forward a new method of anomalous intrusion detection based on system call. It uses system calls regarded as input, and creates a FSA for the functions in the program. Then the FSA is used to detect the attack. Moreover, It can find the place of the vulnerability which exists in the program. This can help to alter the source program. Results are shown that this method is effective for some intrusion events.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

王泽芳,陈小平,史烈

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.11.055

2002-01-01

Abstract:Intrustion detection system is very important in computer security.The article introduces the idea of intrusion detection based on system-call monitoring under Linux and the design of the corresponding model.

胡敏,潘雪增,平玲娣

DOI: https://doi.org/10.3969/j.issn.1001-3695.2004.01.033

2004-01-01

Abstract:This paper focuses on issures related to deploying a data mining-based IDS (Intrusion Detection System) in a real time environment To overcome the limitations of traditional IDS, the corresponding solutions to accurracy, efficiency and usability is presented.These solutions impove efficiency of traditional DOS and maintain a desired accuracy level. This paper also proposed an architecture consisting of sensors, detectors, a data warehouse and model generation components. This architecture facilitates the sharing and storage of audit data and the distribution of new or updated models. Also, it improves the efficiency and scalability of the traditional IDS.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Amr Abed

DOI: https://doi.org/10.31224/osf.io/5uyac

2016-12-31

Abstract:Linux containers are gaining increasing traction in both individual and industrial use, and as these containers get integrated into mission-critical systems, real-time detection of malicious cyber attacks becomes a critical operational requirement. This paper introduces a real-time host-based intrusion detection system that can be used to passively detect malfeasance against applications within Linux containers running in a standalone or in a cloud multi-tenancy environment. The demonstrated intrusion detection system uses bags of system calls monitored from the host kernel for learning the behavior of an application running within a Linux container and determining anomalous container behavior. Performance of the approach using a database application was measured and results are discussed.

Li-zhong Geng,Hui-bo Jia

DOI: https://doi.org/10.1109/IAS.2009.100

2009-01-01

Abstract:Rapid increase of information resources speeds the development of network storage. And security of network storage satisfies the demands of privacy and safety of the information. Data encryption and personal identity authentication which are based on cryptography can protect the storage against non-authorized access, while they are ineffective for malicious authorized users and inherent attacks. Also heavy performances affect the control of storage. This paper demonstrates an efficient intrusion detection system model for network-attached storage based on system calls and improves the Process Homeostasis to realize the implementation. The experimental results demonstrate high detection rate and low false detection rate. The total performance is about 3% additions when the detection system is running normally.

Tarrah R. Glass-Vanderlan,Michael D. Iannacone,Maria S. Vincent,Qian,Chen,Robert A. Bridges

DOI: https://doi.org/10.48550/arXiv.1805.06070

2018-05-17

Abstract:This survey focuses on intrusion detection systems (IDS) that leverage host-based data sources for detecting attacks on enterprise network. The host-based IDS (HIDS) literature is organized by the input data source, presenting targeted sub-surveys of HIDS research leveraging system logs, audit data, Windows Registry, file systems, and program analysis. While system calls are generally included in audit data, several publicly available system call datasets have spawned a flurry of IDS research on this topic, which merits a separate section. Similarly, a section surveying algorithmic developments that are applicable to HIDS but tested on network data sets is included, as this is a large and growing area of applicable literature. To accommodate current researchers, a supplementary section giving descriptions of publicly available datasets is included, outlining their characteristics and shortcomings when used for IDS evaluation. Related surveys are organized and described. All sections are accompanied by tables concisely organizing the literature and datasets discussed. Finally, challenges, trends, and broader observations are throughout the survey and in the conclusion along with future directions of IDS research.

Cryptography and Security

Junjiang He,Cong Tang,Wenshan Li,Tao Li,Li Chen,Xiaolong Lan

DOI: https://doi.org/10.1109/tifs.2023.3324388

IF: 7.231

2023-11-25

IEEE Transactions on Information Forensics and Security

Abstract:Host-based intrusion detection systems (HIDS) have been widely acknowledged as an effective approach for detecting and mitigating malicious activities. Among various data sources utilized in HIDS, system call traces have gained significant popularity due to their inherent advantage of providing fine-grained information. Nevertheless, conventional feature extraction techniques relying on system calls tend to overlook the issue of high-dimensional sparse feature space. In this paper, we conduct a theoretical analysis to investigate the underlying causes of the sparsity problem. Subsequently, we propose an anti-sparse theory (anti-ST) as a solution to address this issue. Then, we design a multi-granularity feature extraction method (MGFE), which also meets the prerequisite mathematical conditions of the anti-ST. By applying this method, we effectively reduce the size of the feature space and minimize the number of generated features, thus mitigating sparsity. Furthermore, leveraging this approach, we propose a robust and anti-sparsity host intrusion detection framework, known as the MGFE-based Host Intrusion Detection Framework (BR-HIDF). A series of experiments were conducted to evaluate the proposed framework and compare it with the state-of-the-art method. The results demonstrate that our framework achieves impressive accuracy (97.26%), precision (97.62%), recall (96.85%), and F1 score (97.23%) in the intrusion detection task, surpassing existing frameworks. Moreover, the proposed framework significantly reduces the time overhead by 38.80%, exhibiting the highest AUC value of 0.992. Furthermore, we enhance the robustness of the detection system by integrating host-based and network-based detection, which provides greater flexibility in identifying various types of attacks.

computer science, theory & methods,engineering, electrical & electronic

ZHAO Yu-ming,ZHANG Wei,teng SH

2007-01-01

Abstract:The technique of intrusion detection has become a focus in the field ofnetwork security. This paper introduced the categories of intrusion detection and the methods of data mining applied in abnormal detection. It also described the design and implementation of the abnormal IDS based on system call and data mining algorithms.

Jianping Zeng,Donghui Guo

2009-01-01

Abstract:Now days, difierent kinds of IDS systems are availablefor serving in the network distributed system, but thesesystems mainly concentrate on network-based and host-based detection. It is inconvenient to integrate these sys-tems into distributed application servers for application-based intrusion detection. An agent-based IDS that canbe smoothly integrated into the applications of enterpriseinformation systems is proposed in this paper and we dis-cuss the system architecture, agent structure, and integra-tion mechanism. Our IDS system consists of three kindsof agents, namely, client agent, server agent and commu-nication agent. This paper also explains how to integrateagents with an access control model for getting better se-curity performance. By introducing standard protocolssuch as KQML, IDMEF into the design of agent, ouragent-based IDS shows how to build more °exible soft-ware applications. Keywords: Agent-based, IDMEF, intrusion detection,KQML 1 Introduction Many application services, such as e-business, remote ed-ucation and Internet-based design, etc, are necessary tobe distributed over the Internet. However, because theInternet is an open society so that anyone can access theresource on it, then the application system may confrontwith all kinds of attacks or intrusions, such as Denial ofService (DoS), port scan, illegal intrusion by hacking userinformation, etc.Of all these security events, illegal intrusion is a moreserious issue. But standard security deployments such asflrewalls are limited in their efiectiveness because of sim-ple access control mode and also the intrusion methodsare evolving fast. Once an attacker has breached the flre-wall, he can roam at will through the network [13]. Thismakes intrusion detection system (IDS) very importantand necessary. Traditionally, there are two main classesof IDSs: host-based and network-based systems. A host-based IDS monitors the detailed activity of a particularhost, while network-based IDS monitors networks of com-puters and other devices such as, routers, gateways, andprimarily detects intrusion by sni–ng and analyzing datafrom network tra–c. Network and host-based IDSs, canbe further classifled based on two methods of detection[17]: anomaly detection and misuse detection.However, Masquerading attack is a typical intrusionand it can be a more serious threat to the security ofcomputer systems and the computational infrastructure[15]. By this kind of attacks, an assailant attempts toimpersonate a legitimate user after gaining access to thislegitimate user’s account. So, the assailant can fully un-derstand the information he gets. While by other kinds ofattacks, he just gets some segment of data or encrypteddata, which is much more di–cult to be understood. Awell-known instance of masquerader activity is about aFBI mode [15]. Since masquerading attack happens ex-actly at application layer, we call the methods to detectthis kind intrusion as application-based intrusion detec-tion. Application-based intrusion is more di–cult to bedetected and the detection program is usually unable toget satisfactory performance for the following reasons:1) Data about user action on system is much more di–-cult to be collected than network-based or host-baseddetection, because of the independency of applicationsystem.2) Application-based detection can degrade the perfor-mance of corresponding application system due tothe extra work that should be done in the process ofdata collection and analysis.3) A masquerader may happen to have similar behav-ioral patterns as the legitimate user, therefore it canescape detection and successfully cause damage un-der the cover of seemingly normal behavior [4].

Nidhi Joraviya,Bhavesh N. Gohil,Udai Pratap Rao

DOI: https://doi.org/10.1007/s11227-024-05895-3

IF: 3.3

2024-02-12

The Journal of Supercomputing

Abstract:In the rapidly evolving IT industry, containerization has introduced new security challenges including cloud data breaches. DL-HIDS explores the application of Deep Learning (DL) techniques for detecting such attacks. Various system call-based features, including the sequence, frequency, and metadata of system calls, as well as images, derived from these calls were explored. While using images as features is effective for DL models, determining the optimal image feature size can be challenging and requires extensive experimentation. The existing approach uses pre-trained Convolutional Neural Networks (CNNs) that incorporate system call parameters with metadata that are redundant resulting in a low detection rate. To address these limitations, we employ a deep CNN that takes images generated from system call logs as input. Our experimentation involves varying image size, system call parameters, and CNN architecture using the Leipzig Intrusion Detection DataSet-2019 dataset containing recent containerized cloud environment attack data. Our results demonstrate improvement over state-of-the-art methods toward accuracy, precision, recall, F1 score, and false-positive rate.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Li-zhong Geng,Hui-bo Jia

DOI: https://doi.org/10.1109/ICIC.2009.43

2009-01-01

Abstract:Sequences of system call have become an important data resource of anomaly detection. Considering the large overhead of existing methods to construct normal profile using system call traces, an efficient algorithm is proposed based on STIDE in order to reduce the computing cost. The axis system calls which could represent the characteristics of normal behaviors are extracted by a sequences extracting factor. The improved algorithm measures the interestingness of sequences of system calls by involving the axis system calls, then train and tests the relevant sequences which we are concerned about. Experimental results demonstrate that the computing cost of training and testing in the new way has a reduction of 70% than the standard algorithm.

蔡忠闽,彭勤科,管晓宏,孙国基

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.07.028

2002-01-01

Abstract:In this paper we present a multi-layer and defense-in-depth intrusion detection model for networked computer systems with a prototype. In this model, the operations on the protected computer system are monitored by four sensors from different viewpoints. The final judgement is made by combining the results of the individual sensors using information fusion techniques. It is demonstrated that an anomaly behavior can be more easily discovered and false alarms can be effectively reduced using our detection model. The methods to detect intrusions at different layers are also discussed using the experience gained in prototype realization.

Yawei Zhang,Xiaojun Ye,Feng Xie,Yong Peng

DOI: https://doi.org/10.1109/CIT.2009.69

2009-01-01

Abstract:Security mechanisms within DBMSs are far from effective to detect and prevent anomalous behavior of applications and intrusions from attackers. In fact, intrusions executed by unauthorized users to explore system vulnerabilities, and malicious database transactions executed by authorized users, both cannot be detected and prevented by typical security mechanisms. In this paper we proposed a database intrusion detection system architecture based on the database communication content detection mechanism. Implementation strategies for main components are detailed. Besides, we investigate several critical intrusion detection approaches used in the practice.

YU-XIN DING,MIN XIAO,AI-WU LIU,Yu-Xin Ding,Min Xiao,Ai-Wu Liu

DOI: https://doi.org/10.1109/icmlc.2009.5212282

2009-07-01

Abstract:Since most of current intrusion detection systems (IDS) only use one of the two detection methods, misused detection or anomaly detection, both of them have their own limitations. In this paper, the technique that combines misuse detection system with anomaly detection system (ADS) is used. The hybrid intrusion detection system (HIDS) contains three sub-modules, misused detection module, anomaly detection module and signature generation module. The basis of misused detection module is snort. Anomaly detection module is constructed by using frequent episode rule. And signature generation module is based on a variant of Apriori algorithm. Misused detection module uses the signature of attacks to detection the known attacks. Anomaly detection module can detect the unknown attacks and signature generation module extracts the signature of attacks that are detected by ADS module, and maps the signatures into snort rules.

Youhui Zhang,Dongsheng Wang

DOI: https://doi.org/10.1109/icpads.2006.92

2006-01-01

Abstract:Storage-based intrusion detection systems (IDS) can be valuable tools in monitoring for the intrusion on a host computer. However, because the traditional storage device works on the block-level while intrusion always happens on the file-level, this gap has to be erased by detection software, which is a hard and time-consuming task. To solve this problem and to accord with the trend of moving more processing power into storage, this paper presents a novel idea to design an IDS on object-based storage devices (OSD), and analyzes how the features of OSD can be used for intrusion detection (ID) and for violation responding. Moreover, the existing OSD standard is enhanced to own the new functions. Compared with the existing research on block-level storage devices, OSD-based ID is more straightforward for implementation. We build such a prototype based on the OSD reference implementation provided by Intel. Testing results show that the extra overhead introduced by ID is acceptable

XIE Tian-yu,CAO Qi-ying

2012-01-01

Abstract:A Distributed Intrusion Detection System based on hadoop cluster is presented.The System is implemented with distributed data collecting,distributed data storage and distributed data analysis.It can overcome the problem of single point invalidation and the limitation of data processing capability.

徐明,陈纯,应晶

2004-01-01

Journal of Software

Abstract:The aim of this paper is to create a new anomaly detection model based on rules. A detailed classification of the LINUX system calls according to their function and level of threat is presented. The detection model only aims at critical calls (I.e. The threat level 1 calls). In the learning process, the etection model dynamically processes every critical call, but does not use data mining or statistics from static data. Therefore, the increment learning could be implemented. Based on some simple predefined rules and refining, the number of rules in the rule database could be reduced dramatically, so that the rule match time can be reduced effectively during detection processing. The experimental results clearly demonstrate that the detection model can effectively detect R2L, R2R and L2R attacks. Moreover the detected anomaly is limited in the corresponding requests, but not in the entire trace. The detection model is fit for the privileged processes, especially for those based on request-responses.