Peng Ning,X. Sean Wang,Sushil Jajodia

2000-01-01

Information Systems Security

Abstract: It is essential for intrusion detection systems to shareinformation in order to discover attacks involvingmultiple sites. Common Intrusion Detection Framework(CIDF) is an important step towards enabling differentintrusion detection and response (IDR) components tointeroperate with each other. Although CIDF providesan infrastructure and language support that allows anIDR component to understand the information sent byanother component, it does not contain a facility for acomponent to...

Yanan Zhang,Jingru Xing,Yaozong Xu,Maode Ma,Cong Wang

DOI: https://doi.org/10.1007/978-981-97-5606-3_22

2024-01-01

Abstract:Named Data Networking (NDN) is one of the potential Future Internet Architectures, shifting from the traditional host-centric architecture to a data-centric one. Collusion Interest Flooding Attacks (CIFAs) is a new type of attack that intermittently sending malicious Interests to overwhelm the Pending Interest Table (PIT). Collusive producers working with the attackers respond to these malicious Interest packets just before they expire in the PIT, thereby disguising their attacks as legitimate, which makes detection methods against Interest Flooding Attacks (IFAs) unable to identify CIFAs. This paper proposes the DM-CIFA scheme, which aggregates decision tree and K-means algorithm for effective detection and mitigation of CIFAs. Firstly, a decision tree is trained to monitor the number of entries in the PIT, and the throughput of Interest and Data packets of the router for attack detection. Then the malicious prefix identification algorithm, based on the K-means algorithm, is activated after an attack is detected. Additionally, the bottleneck router mitigating CIFAs by informing the next hop router with a signed Interest packet (SIP) that carry the malicious prefixes to pinpoint attackers and reject forwarding malicious Interests. The simulation results demonstrate the proposed DM-CIFA has high sensitivity towards CIFAs and the capability to effectively mitigate the attack's effects on the NDN.

Peng Ning,Sushil Jajodia,X. Sean Wang

DOI: https://doi.org/10.1007/978-1-4615-0467-2_5

2004-01-01

Abstract: In this chapter, we apply the formal model that we developed in Chapter 4 to provide a query facility for Common Intrusion Detection Framework (CIDF).

陈林,王申康

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.04.045

2005-01-01

Abstract:This article firstly introduces the generator in an IDS system firmly based on CIDF, then its implementation is provided. Due to its reusable character, it can be used in other IDS systems for reference.

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

Haonan Peng,Chunming Wu,Yanfeng Xiao

DOI: https://doi.org/10.3390/app132111629

2023-01-01

Applied Sciences

Abstract:The importance of network security has become increasingly prominent due to the rapid development of network technology. Network intrusion detection systems (NIDSs) play a crucial role in safeguarding networks from malicious attacks and intrusions. However, the issue of class imbalance in the dataset presents a significant challenge to NIDSs. In order to address this concern, this paper proposes a new NIDS called CBF-IDS, which combines convolutional neural networks (CNNs) and bidirectional long short-term memory networks (BiLSTMs) while employing the focal loss function. By utilizing CBF-IDS, spatial and temporal features can be extracted from network traffic. Moreover, during model training, CBF-IDS applies the focal loss function to give more weight to minority class samples, thereby mitigating the impact of class imbalance on model performance. In order to evaluate the effectiveness of CBF-IDS, experiments were conducted on three benchmark datasets: NSL-KDD, UNSW-NB15, and CIC-IDS2017. The experimental results demonstrate that CBF-IDS outperforms other classification models, achieving superior detection performance.

SJ Zhou,ZG Qin,Q Lu,XC Luo,JD Liu

DOI: https://doi.org/10.1109/icapp.2002.1173599

2002-01-01

Abstract:Intrusion detection and response system (ID&R) need to maximize security while minimizing cost and taking response automatically. CI/sup 2/D&R, the Cost-based Intelligent Intrusion Detection and Response System, is originally developed as facilities for deal with network-based attacks automatically and intelligently. This paper provides an overview of CI/sup 2/D&R architecture. The primary components of CI/sup 2/D&R and their functions are also probed into. What is more, the data flow of CI/sup 2/D&R is discussed and compared. Finally, the related work is touched on and conclusions are drawn.

SJ Zhou,ZG Qin,XC Luo,XF Zhang,F Zhang,JD Liu

DOI: https://doi.org/10.1109/pdcat.2003.1236280

2003-01-01

Abstract:Flexible intrusion detection and response system (ID&R) needs to maximize security while minimizing cost and making response automatically. (CID)-D-2&R, the Cost-based Intelligent Intrusion Detection and Response System, is proposed in the paper, which is originally developed as a facility to deal with network-based attacks and to make effective response automatically and intelligently. The networking environment deployed with the (CID)-D-2&R consists of two major parts: Guard, which runs on the specific Guarded Host (GH), and Spy, which runs in Guarded Network (GN). The components of the (CID)-D-2&R are introduced, which include intrusion detection, attack classification, damage analysis, attack path rebuilding, resources automatically safeguarding, calamity recovery, and security Officer. The several kinds of data flow in (CID)-D-2&R are discussed, too. While (CID)-D-2&R is only a prototype, some experimental results are also presented.

Zhi Wang,Leshi Shao,Kai Cheng,Yuanzhao Liu,Jianan Jiang,Yuanping Nie,Xiang Li,Xiaohui Kuang

DOI: https://doi.org/10.1002/int.22877

IF: 8.993

2022-03-27

International Journal of Intelligent Systems

Abstract:Many machine‐learning‐based intrusion detection methods have been proposed, however there is a lack of collaboration among these methods. Faced with a cascade of malicious behaviors and various running environments, coupled with the endless emergence of new malicious activities, it is difficult for us to choose an algorithm manually that is suitable for all scenarios. In addition, usually the binary detection models are applied that only “normal” or “abnormal” decision is made, and it is difficult for us to know how much confidence we have in the prediction model. In this study, we propose an intrusion collaborative detection framework (ICDF), an ICDF that allows heterogeneous detection models to effectively work together which have complementary expertise. A multialgorithm model ensemble learning method with confidence interval is adopted. In this process, each algorithm model only makes prediction judgments on its own credible probability interval and refuses to predict outside the interval. The final result is generated by voting based on the confidence of multiple models. Ten detection algorithms were tested on three different data sets. Compared with different single algorithms, ICDF could achieve high precision and recall rate, and the best F1 scores.

computer science, artificial intelligence

Peng Ning,Sushil Jajodia,X. Sean Wang

2013-01-01

Abstract:Intrusion Detection In Distributed Systems: An Abstraction-Based Approach presents research contributions in three areas with respect to intrusion detection in distributed systems. The first contribution is an abstraction-based approach to addressing heterogeneity and autonomy of distributed environments. The second contribution is a formal framework for modeling requests among cooperative IDSs and its application to Common Intrusion Detection Framework (CIDF). The third contribution is a novel approach to coordinating different IDSs for distributed event correlation.

Chao Kong,Bo Yang,Zhiping Jia,Zhenxiang Chen

DOI: https://doi.org/10.1109/MINES.2009.66

2009-01-01

Abstract:An Intrusion Detection System (IDS) implements pattern matching approach on the network traffic to find the malicious packets carrying attack signatures. In this paper, a common Field Programmable Gate Array (FPGA) based on-board hardware architecture which is compatible with both ordinary string and Perl Compatible Regular Expression (PCRE) pattern matching is proposed to accelerate IDS. Furthermore, a flexible storage structure which is suitable for many general hardware matching algorithms and an optimized combinational logic circuit structure for PCRE matching are designed. With the synchronization of a connection decoder, ordinary string matching module coordinates with PCRE matching module to implement string-PCRE mixed rule.

Dong Yongle,Qian Jun,Shi Meilin

DOI: https://doi.org/10.1109/CCECE.2003.1226031

2003-01-01

Abstract:Widespread attacks involving multiple hosts/networks happen more frequently as internetworking among computer systems via the Internet becomes more widely and keeps rapid increase. Due to lack of information, it can be quite difficult for conventional intrusion detection systems to identify such attacks in progress. Cooperative intrusion detection, on the basis of information sharing, is proved as a necessary measure to detect widespread attacks by other researcher D. Frincke (2000), Polla, D. et al., (1998). This paper presents a cooperative approach for intrusion detection that provides a method for individual ID components working cooperatively to perform concerted detections. Being constructed on the basis of ID components, CoIDS can adopt both existed (usually more mature) and new ID techniques. This makes CoIDS extensible and scalable. In addition, an ID component is essentially an autonomous agent, which makes CoIDS available with certain loss of functionality even when the intrusion detection manager does not work. Its reliability is also improved because failure of one ID component will not cause any other to stop working. Furthermore, it improved the accuracy of detection for conventional intrusions by validating analysis result with data from different ID components.

Zayed alhaddad, Mostafa Hanoune, Abdelaziz Mamouni

DOI: https://doi.org/10.17762/ijcnis.v8i3.1950

2022-04-17

International Journal of Communication Networks and Information Security (IJCNIS)

Abstract:In recent years, Cloud computing has emerged as a new paradigm for delivering highly scalable and on-demand shared pool IT resources such as networks, servers, storage, applications and services through internet. It enables IT managers to provision services to users faster and in a cost-effective way. As a result, this technology is used by an increasing number of end users. On the other hand, existing security deficiencies and vulnerabilities of underlying technologies can leave an open door for intruders. Indeed, one of the major security issues in Cloud is to protect against distributed attacks and other malicious activities on the network that can affect confidentiality, availability and integrity of Cloud resources. In order to solve these problems, we propose a Collaborative Network Intrusion Detection System (C-NIDS) to detect network attacks in Cloud by monitoring network traffic, while offering high accuracy by addressing newer challenges, namely, intrusion detection in virtual network, monitoring high traffic, scalability and resistance capability. In our NIDS framework, we use Snort as a signature based detection to detect known attacks, while for detecting network anomaly, we use Support Vector Machine (SVM). Moreover, in this framework, the NIDS sensors deployed in Cloud operate in collaborative way to oppose the coordinated attacks against cloud infrastructure and knowledge base remains up-to-date.

Wei Lin,Liu Xiang,Derek Pao,Bin Liu

DOI: https://doi.org/10.1109/FGCN.2008.67

2008-01-01

Abstract:In order to protect Internet users from various attacks such as worms, viruses and other intrusions, signature-based intrusion detection system (IDS) should be deployed at the critical part of the network with rapid response for updating newly emerged attack signatures and containing the spread of worms or viruses at their early stage. The processing speed of one IDS cannot achieve the throughput requirement in the core networks because of the pattern matching, the key operation for signature-based IDS, is complex and time consuming. In this paper, it argues that if the signature set is shared by multiple IDSs, a packet needs to be checked once and once only by one of the IDSs, so traffic load can be redistributed among the IDSs to avoid local congestion. Packet marking is used to indicate the status of this packet utilized by collaborative IDSs, and a redistribution strategy named inner logical ring (ILR) is built among IDSs to redistribute the traffic load. Meanwhile, caching scheme is used to keep sequence for packets belonging to the same flow. This collaborative distributed IDS is robust with rapid response to various attacks, and the detection throughput is significantly increased from the throughput of the weakest IDS to the summation of all the collaborative IDSs.

张民,罗光春

DOI: https://doi.org/10.3969/j.issn.1001-0548.2009.02.24

2009-01-01

Abstract:Intrusion detection message exchange format (IDMEF) standard has been widely used in intrusion detection system (IDS). This paper proposes an architecture of large scale cooperative IDS based on IDMEF. The design and implementation of the cooperative IDS are discussed by the means of Prelude framework and development suite. The deployment and application of this architecture on CERNET are finally analyzed.

LI Yufeng,LAN Julong,XUE Xiangyang

DOI: https://doi.org/10.3969/j.issn.1009-6868.2011.04.007

2011-01-01

Abstract:This paper proposes a Common Security and Control Framework(CSCF) for application security,network security,information security,and behavioral security in tri-network convergence.CSCF has an independent architecture and can be operated transparently across the whole network.It treats the network link as the control object and can perform functions such as link traffic identification and link traffic analysis.It can also check and control a security problem at one point and initiate a whole-system response.CSCF is based on a distributed security and control platform with high scalability.This paper discusses the development of techniques used to establish a security system that proactively defends against threats,flexibly reacts to and blocks threats as they occur,and traces threats.

段海新,吴建平

DOI: https://doi.org/10.13328/j.cnki.jos.2001.09.015

2001-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:An integrative taxonomy for intrusion detection technologies is proposed, which can specify accurately existing intrusion detection methods. Aiming at multiple-domain environments, a distributed cooperative intrusion detection system (DCIDS) is designed, which implements cooperative intrusion detection through efficient, secure information exchange among IDSes in different domain. The architecture of intrusion detection systems is described, as well as its four components: sensor, analyzer, manager and user-interface. Some key issues are also discussed, including secure communication and selection of detection places.

Lingzi Zhu,Bo Zhao,Weidong Li,Yixuan Wang,Yang An

DOI: https://doi.org/10.1016/j.adhoc.2024.103517

IF: 4.816

2024-04-23

Ad Hoc Networks

Abstract:The networking of industrial cyber–physical systems (CPS) introduces increased security vulnerabilities, necessitating advanced intrusion detection systems (IDS). Many current studies aiming to enhance IDS capabilities leverage Federated Learning (FL) technology for collaborative intrusion detection. However, devices deployed in an industrial setting in a distributed manner are vulnerable to cyber and poisoning attacks. Compromised clients can create malicious parameters to disrupt intrusion detection models, making them ineffective in identifying attacks. Nevertheless, existing FL-based intrusion detection methods exhibit suboptimal performance in detecting malicious clients and resisting poisoning attacks. To address these issues, we propose TICPS, a collaborative intrusion detection framework based on a trustworthy model update strategy to detect cyber threats from industrial CPS. The framework enables multiple industrial CPS to collaboratively construct an intrusion detection model and evaluate the security of each industrial CPS node using an update evaluation mechanism, ensuring effective intrusion detection even in the presence of poisoning. Extensive experiments on real-world industrial CPS datasets demonstrate that TICPS can effectively detect various types of cyber threats targeting industrial CPS. In particular, the framework achieves an intrusion detection accuracy of 94% even when the proportion of malicious agents reaches 80% under three typical poisoning attacks.

computer science, information systems,telecommunications

Ameni Chetouane,Kamel Karoui

DOI: https://doi.org/10.1002/cpe.8332

2024-12-03

Concurrency and Computation Practice and Experience

Abstract:Software Defined Networking (SDN) is an open network approach that has been proposed to address some of the main problems with traditional networks. However, SDN faces cybersecurity issues. To provide a network defense against attacks, an Intrusion Detection System (IDS) needs to be updated and included into the SDN architecture on a regular basis. Machine learning methods have proved effective in detecting intrusions in SDN. Moreover, these techniques pose the problem of significant computational overload and the absence of regular updates when new cyber‐attacks appear. To address these issues, we propose a new SDN‐based cloud intrusion detection system called Continual Federated Learning (CFL). In CFL, we modify the classical federated learning process by granting a more important and dynamic role to each participating client. On the one hand, it can trigger this process whenever a new type of intrusion is detected. On the other hand, once the new model has been identified, the customer can decide whether or not to deploy it in his network. In addition, to verify the accuracy of the CFL system, we have formally specified it by a communication protocol. This specification organizes the exchanges between the different communicating entities involved in the CFL. To verify the accuracy of this specification, we described it using the PROMELA language and checked with the associated SPIN tool. On the experimental side, we deployed this specification of the CFL system in an SDN computing environment. We defined different scenarios, and we proposed that each client decides locally to deploy or not the newly obtained intrusion detection model. The decision is based on a modified metric where we integrate the severity of the intrusions. Experimental results using private local datasets show that the proposed CFL system can efficiently and accurately detect new types of intrusions while preserving client confidentiality. Thus, it can be considered a promising system for SDN‐based edge computing.

computer science, theory & methods, software engineering

Peng Ning,Sushil Jajodia,Xiaoyang Sean Wang

DOI: https://doi.org/10.1145/503339.503342

2001-01-01

ACM Transactions on Information and System Security

Abstract:Abstraction is an important issue in intrusion detection, since it not only hides the difference between heterogeneous systems, but also allows generic intrusion-detection models. However, abstraction is an error-prone process and is not well supported in current intrusion-detection systems (IDSs). This article presents a hierarchical model to support attack specification and event abstraction in distributed intrusion detection. The model involves three concepts: system view , signature , and view definition . A system view provides an abstract interface of a particular type of information; defined on the instances of system views, a signature specifies certain distributed attacks or events to be monitored; a view definition is then used to derive information from the matches of a signature and presents it through a system view. With the three elements, the model provides a hierarchical framework for maintaining signatures, system views, as well as event abstraction. As a benefit, the model allows generic signatures that can accommodate unknown variants of known attacks. Moreover, abstraction represented by a system view can be updated without changing either its specification or the signatures specified on its basis. This article then presents a decentralized method for autonomous but cooperative component systems to detect distributed attacks specified by signatures. Specifically, a signature is decomposed into finer units, called detection tasks , each of which represents the activity to be monitored on a component system. The component systems (involved in a signature) then perform the detection tasks cooperatively according to the "dependency" relationships among these tasks. An experimental system called CARDS has been implemented to test the feasibility of the proposed approach.