张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Yijie Xun,Zhouyan Deng,Jiajia Liu,Yilin Zhao

DOI: https://doi.org/10.1109/tvt.2023.3236820

IF: 6.8

2023-01-01

IEEE Transactions on Vehicular Technology

Abstract:Intelligent connected vehicles (ICVs) integrate advanced equipment and communication network technologies to realize information exchange and sharing between vehicles and people, roads, clouds, etc., bringing great convenience to people's lives. However, the interconnection of intelligent equipment and vehicles also brings many vulnerable interfaces, threatening the security of in-vehicle networks, e.g., controller area network (CAN) bus. For protecting the security of CAN bus, some researchers propose a data encryption and decryption protocol-based method. Note that due to the resource constraints of computing and bandwidth and the requirements for low-delay data transmission, the research on protocol-based data encryption and decryption method is progressing slowly. For this reason, more researchers study vehicle intrusion detection systems (IDSs) based on side channel analysis. It does not occupy the bandwidth of CAN bus, and detects intrusion by analyzing the physical characteristics of CAN bus. Nevertheless, most of the existing work either cannot locate the source electronic control unit (ECU) of the malicious data frames, or cannot detect malicious data frames from ECUs and external nodes simultaneously, which greatly limits their practical application value. Therefore, we propose a novel IDS based on vehicle voltage signals. Specifically, we map multiple identifiers (IDs) sent for each ECU without developer documentation. In addition, we creatively design FeatureBagging-CNN combined model to detect malicious intrusion. When the external nodes or compromised ECUs send malicious data frames, the system can accurately detect them and locate their sender.

telecommunications,engineering, electrical & electronic,transportation science & technology

Yawen Xue,Jie Pan,Yangyang Geng,Zeyu Yang,Mengxiang Liu,Ruilong Deng

DOI: https://doi.org/10.1109/ticps.2024.3406505

2024-01-01

Abstract:Industrial control systems (ICSs) are becoming increasingly interconnected as the rapid convergence of information technology (IT) and operation technology (OT) networks, and meanwhile massive attack surfaces have been exposed. However, traditional intrusion detection systems (IDSs) are difficult to be directly deployed in ICSs due to the hard real-time requirement and rare patching chance. Besides, the design of effective and practical IDSs is hampered by the lack of benchmarking ICS cybersecurity datasets. To bridge the gaps, this paper makes the first attempt by open-sourcing the developed ICS cybersecurity datasets and proposing a decision fusion based real-time IDS. Firstly, we design a customized cybersecurity dataset in a full-hardware and high-fidelity platform, including 7 types of cyber threats tailored for ICSs. The collected dataset includes network traffic, sensor readings, actuator status, and system parameters, providing the state-of-the-art benchmark dataset for ICSs consisting of cross-layer characteristics. Furthermore, we design an online decision fusion-based IDS by strategically integrating 4 widely-used machine learning models. The proposed IDS is deployed on a real-time running ethanol distillation, surpassing the performance of single detection models in terms of precision and F1-score, which substantially enhances intrusion detection accuracy and cybersecurity of ICS.

Li Yang,Abdallah Moubayed,Abdallah Shami

DOI: https://doi.org/10.1109/JIOT.2021.3084796

2021-05-27

Abstract:Modern vehicles, including connected vehicles and autonomous vehicles, nowadays involve many electronic control units connected through intra-vehicle networks to implement various functionalities and perform actions. Modern vehicles are also connected to external networks through vehicle-to-everything technologies, enabling their communications with other vehicles, infrastructures, and smart devices. However, the improving functionality and connectivity of modern vehicles also increase their vulnerabilities to cyber-attacks targeting both intra-vehicle and external networks due to the large attack surfaces. To secure vehicular networks, many researchers have focused on developing intrusion detection systems (IDSs) that capitalize on machine learning methods to detect malicious cyber-attacks. In this paper, the vulnerabilities of intra-vehicle and external networks are discussed, and a multi-tiered hybrid IDS that incorporates a signature-based IDS and an anomaly-based IDS is proposed to detect both known and unknown attacks on vehicular networks. Experimental results illustrate that the proposed system can detect various types of known attacks with 99.99% accuracy on the CAN-intrusion-dataset representing the intra-vehicle network data and 99.88% accuracy on the CICIDS2017 dataset illustrating the external vehicular network data. For the zero-day attack detection, the proposed system achieves high F1-scores of 0.963 and 0.800 on the above two datasets, respectively. The average processing time of each data packet on a vehicle-level machine is less than 0.6 ms, which shows the feasibility of implementing the proposed system in real-time vehicle systems. This emphasizes the effectiveness and efficiency of the proposed IDS.

Cryptography and Security,Artificial Intelligence,Machine Learning,Networking and Internet Architecture

Zixiang Bi,Guoai Xu,Guosheng Xu,Miaoqing Tian,Ruobing Jiang,Sutao Zhang

DOI: https://doi.org/10.1155/2022/2554280

IF: 1.968

2022-03-07

Security and Communication Networks

Abstract:As the number and computational power of electronic computing units installed in standard automobiles continue to increase, contemporary motor vehicles face more cybersecurity threats than previous designs, while providing greater convenience and various useful features. Although vehicles are attacked at various entry points, eventually, attacks are injected into the in-vehicle controller area network (CAN) to cause vehicle anomalies. Currently, OEMs and research fields have implemented protection for the CAN bus in terms of external interfaces, internal protocols, and intrusion detection. Although the deployment of intrusion detection solutions is the most effective approach, the main challenges currently faced by automobile intrusion detection algorithms in practice involve limited computing resources, insufficient real-time responsiveness, and low recognition accuracy. In this study, we propose a novel intrusion detection method based on the message and time transfer matrix to address these difficulties, which can be applied to the vehicle Electronic Control Unit (ECU) to achieve real-time attack signal identification with high accuracy. Experiments on actual vehicles show that the proposed algorithm identified various attacks with high accuracy while consuming less computational and storage resources than previous methods. Moreover, the efficiency of the proposed algorithm is not affected by the attack injection frequency. Compared with other methods, the proposed method achieved better attack identification performance. Additionally, the message and time transfer matrix used by the algorithm can be used as a message transfer fingerprint of the CAN bus to discover anomalies.

computer science, information systems,telecommunications

Qian Wang,Yiming Qian,Zhaojun Lu,Yasser Shoukry,Gang Qu

DOI: https://doi.org/10.1109/asianhost.2018.8607178

2018-01-01

Abstract:The recent developments in the automobile industry and the self-driving technology necessitated an increase in the traditional automobile features to guarantee the drivers safety, improve the driving convenience and realize the autonomous driving. To support these necessary functions and features, a significant amount of the hardware equipment, i.e., Electronic Control Unit (ECU), is integrated into the car system. However, these ECUs also bring security vulnerabilities because their communication follows the Controller Area Network (CAN) protocol that was designed without supporting message origin authentication. Several methods to resolve this problem have been proposed in the literature, but most of them would require heavy communications and calculations to support the cryptography algorithms. In this paper, we propose a delay-based Intrusion Detection System (IDS) to protect the CAN network by identifying the location of the compromised ECU for the in-vehicle network. We develop and implement our detection method on CAN bus prototype, and our results show that our method is capable of an overall detection accuracy above 97%. The proposed scheme is demonstrated to protect the integrity of the messages on CAN bus leading to a further improve the security and safety of autonomous vehicles.

YU-XIN DING,MIN XIAO,AI-WU LIU,Yu-Xin Ding,Min Xiao,Ai-Wu Liu

DOI: https://doi.org/10.1109/icmlc.2009.5212282

2009-07-01

Abstract:Since most of current intrusion detection systems (IDS) only use one of the two detection methods, misused detection or anomaly detection, both of them have their own limitations. In this paper, the technique that combines misuse detection system with anomaly detection system (ADS) is used. The hybrid intrusion detection system (HIDS) contains three sub-modules, misused detection module, anomaly detection module and signature generation module. The basis of misused detection module is snort. Anomaly detection module is constructed by using frequent episode rule. And signature generation module is based on a variant of Apriori algorithm. Misused detection module uses the signature of attacks to detection the known attacks. Anomaly detection module can detect the unknown attacks and signature generation module extracts the signature of attacks that are detected by ADS module, and maps the signatures into snort rules.

Haipeng Yao,Pengcheng Gao,Peiying Zhang,Jingjing Wang,Chunxiao Jiang,Lijun Lu

DOI: https://doi.org/10.1109/MNET.001.1800479

IF: 10.294

2019-01-01

IEEE Network

Abstract:The design of an intrusion detection system (IDS) plays a critical role in guaranteeing the security of the Industrial Internet of Things (IIoT). Recently, the rapid development of edge-based IIoT has posed new challenges in the design of a beneficial IDS considering its billions of IIoT devices and substantially decentralized data interaction. Both the detection method and the system architecture become the key components in constructing an efficient IDS for edge-based IIoT. In this article, we survey the typical state-of-theart studies about detection methods and system structure of IDS. Moreover, we propose a hybrid IDS architecture and introduce a machine learning aided detection method, which outperforms the literature in terms of a range of benchmarks.

N. Zeeni,N. Nadkarni,Jimmy D Bell,P. Even,G. Fromentin,D. Tomé,N. Darcel

DOI: https://doi.org/10.1016/j.neuroimage.2010.01.065

IF: 5.7

2010-05-01

NeuroImage

Abstract:

Xi He,Li Zhang,Tao Liu,Wei Wang

DOI: https://doi.org/10.1109/compcomm.2018.8780699

2018-01-01

Abstract:Intrusion detection based on network traffic has been widely studied in traditional network systems. At the same time, the security threats faced by Industrial Control Systems (ICS) are becoming increasingly severe. The network communication environments of ICSs are very different from the traditional Internet in in terms of protocols, interaction modes and security considerations. How to detect anomalies effectively in power production control system is an important issue. In this work, we use a representative Distributed Control System (DCS) working in thermal power generation scenarios and conduct various attacks on this DCS to generate an original network traffic. We then consider the time correlation and interaction stability of the DCS and propose a dual window scheme (Dual-Win) to get more effective features based on basic features. We use several machine learning methods for the detection of anomalies based on the traffic data. The experimental results show that our method achieves the detection accuracy as 99.41% with only basic traffic features, and the detection accuracy can be as 99.77% with the basic and Dual-Win features.

A. Chavez,N. Jacobs,C. B. Jones,J. Johnson,A. Summers,S. Hossain‐McKenzie,C. Lai

DOI: https://doi.org/10.1109/CyberPELS.2019.8925064

2019-04-01

Abstract:The integration of communication-enabled grid-support functions in distributed energy resources (DER) and other smart grid features will increase the U.S. power grid's exposure to cyber-physical attacks. Unwanted changes in DER system data and control signals can damage electrical infrastructure and lead to outages. To protect against these threats, intrusion detection systems (IDSs) can be deployed, but their implementation presents a unique set of challenges in industrial control systems (ICSs), New approaches need to be developed that not only sense cyber anomalies, but also detect undesired physical system behaviors. For DER systems, a combination of cyber security data and power system and control information should be collected by the IDS to provide insight into the nature of an anomalous event. This allows joint forensic analysis to be conducted to reveal any relationships between the observed cyber and physical events. In this paper, we propose a hybrid IDS approach that monitors and evaluates both physical and cyber network data in DER systems, and present a series of scenarios to demonstrate how our approach enables the cyber-physical IDS to achieve more robust identification and mitigation of malicious events on the DER system.

Environmental Science,Engineering,Computer Science

M. Ali Aydın,A. Halim Zaim,K. Gökhan Ceylan

DOI: https://doi.org/10.1016/j.compeleceng.2008.12.005

2009-05-01

Abstract:Intrusions detection systems (IDSs) are systems that try to detect attacks as they occur or after the attacks took place. IDSs collect network traffic information from some point on the network or computer system and then use this information to secure the network. Intrusion detection systems can be misuse-detection or anomaly detection based. Misuse-detection based IDSs can only detect known attacks whereas anomaly detection based IDSs can also detect new attacks by using heuristic methods. In this paper we propose a hybrid IDS by combining the two approaches in one system. The hybrid IDS is obtained by combining packet header anomaly detection (PHAD) and network traffic anomaly detection (NETAD) which are anomaly-based IDSs with the misuse-based IDS Snort which is an open-source project.The hybrid IDS obtained is evaluated using the MIT Lincoln Laboratories network traffic data (IDEVAL) as a testbed. Evaluation compares the number of attacks detected by misuse-based IDS on its own, with the hybrid IDS obtained combining anomaly-based and misuse-based IDSs and shows that the hybrid IDS is a more powerful system.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Ozgur Depren,Murat Topallar,Emin Anarim,M. Kemal Ciliz

DOI: https://doi.org/10.1016/j.eswa.2005.05.002

IF: 8.5

2005-11-01

Expert Systems with Applications

Abstract:In this paper, we propose a novel Intrusion Detection System (IDS) architecture utilizing both anomaly and misuse detection approaches. This hybrid Intrusion Detection System architecture consists of an anomaly detection module, a misuse detection module and a decision support system combining the results of these two detection modules. The proposed anomaly detection module uses a Self-Organizing Map (SOM) structure to model normal behavior. Deviation from the normal behavior is classified as an attack. The proposed misuse detection module uses J.48 decision tree algorithm to classify various types of attacks. The principle interest of this work is to benchmark the performance of the proposed hybrid IDS architecture by using KDD Cup 99 Data Set, the benchmark dataset used by IDS researchers. A rule-based Decision Support System (DSS) is also developed for interpreting the results of both anomaly and misuse detection modules. Simulation results of both anomaly and misuse detection modules based on the KDD 99 Data Set are given. It is observed that the proposed hybrid approach gives better performance over individual approaches.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Zhangwei Yu,Yan Liu,Guoqi Xie,Renfa Li,Siming Liu,Laurence T. Yang

DOI: https://doi.org/10.1109/tii.2022.3202539

IF: 12.3

2022-12-17

IEEE Transactions on Industrial Informatics

Abstract:Intelligent connected vehicle is rapidly growing with the 5-G technology; the diversity of functional interfaces has significantly expanded the avenues of attack, making automotive controller area network (CAN) more vulnerable to cyberthreats. Automotive CAN network attacks are a direct threat to traffic safety, and in this study, we explore the use of intrusion detection techniques for mitigating cyberattacks. However, most automotive CAN network intrusion detection technologies are not capable of defending against sophisticated attacks, making it extremely challenging for detecting intrusions in practice. In this article, we propose a novel time interval conditional entropy method for detecting intrusions in automotive CAN networks. The time interval conditional entropy intrusion detection method is not susceptible to interference and is capable of detecting a variety of attacks. In our experiments, the conditional entropy values of regular communication messages are collected and utilized to distinguish and detect the attacks. The time interval conditional entropy detection method is implemented and evaluated in our controller area net-work bus (CAN-BUS) network platform. The experiments show that our method has higher detection accuracy and is easier to deploy compared to existing automotive CAN network intrusion detection methods.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Richa Singh,R L Ujjwal

DOI: https://doi.org/10.3389/fdata.2023.1081466

2023-02-01

Abstract:The Internet of Things (IoT) consists of several smart devices equipped with computing, sensing, and network capabilities, which enable them to collect and exchange heterogeneous data wirelessly. The increasing usage of IoT devices in daily activities increases the security needs of IoT systems. These IoT devices are an easy target for intruders to perform malicious activities and make the underlying network corrupt. Hence, this paper proposes a hybridized bio-inspired-based intrusion detection system (IDS) for the IoT framework. The hybridized sine-cosine algorithm (SCA) and salp swarm algorithm (SSA) determines the essential features of the network traffic. Selected features are passed to a machine learning (ML) classifier for the detection and classification of intrusive traffic. The IoT network intrusion dataset determines the performance of the proposed system in a python environment. The proposed hybridized system achieves maximum accuracy of 84.75% with minimum selected features i.e., 8 and takes minimum time of 96.42 s in detecting intrusion for the IoT network. The proposed system's effectiveness is shown by comparing it with other similar approaches for performing multiclass classification.

Qian Wang,Zhaojun Lu,Gang Qu

DOI: https://doi.org/10.48550/arXiv.1808.04046

2018-08-13

Abstract:Dozens of Electronic Control Units (ECUs) can be found on modern vehicles for safety and driving assistance. These ECUs also introduce new security vulnerabilities as recent attacks have been reported by plugging the in-vehicle system or through wireless access. In this paper, we focus on the security of the Controller Area Network (CAN), which is a standard for communication among ECUs. CAN bus by design does not have sufficient security features to protect it from insider or outsider attacks. Intrusion detection system (IDS) is one of the most effective ways to enhance vehicle security on the insecure CAN bus protocol. We propose a new IDS based on the entropy of the identifier bits in CAN messages. The key observation is that all the known CAN message injection attacks need to alter the CAN ID bits and analyzing the entropy of such bits can be an effective way to detect those attacks. We collected real CAN messages from a vehicle (2016 Ford Fusion) and performed simulated message injection attacks. The experimental results showed that our entropy based IDS can successfully detect all the injection attacks without disrupting the communication on CAN.

Cryptography and Security

Jianping Zeng,Donghui Guo

DOI: https://doi.org/10.5220/0002516401760181

2005-01-01

Abstract:More and more application services are provided and distributed over the Internet for public access. However, the security of distributed application severs is becoming a serious problem due to many possible attacks, such as deny of service, illegal intrusion, etc. Because of weakness of the firewall systems in ensuring security, intrusion detection system (IDS) becomes popular. Now, many kinds of IDS systems are available for serving in the Internet distributed system, but these systems mainly concentrate on networkbased and host-based detection. It is inconvenience to integrate these systems to distributed application servers for application-based intrusion detection. An agent-based IDS that can be smoothly integrated into applications of enterprise information systems is proposed in this paper. We will introduce its system architecture, agent structure, integration mechanism, and etc. In such an IDS system, there are three kinds of agents, i.e. client agent, server agent and communication agent. This paper is also to explain how to integrate agents with access control model for getting better security performance. By introducing standard protocol such as KQML, IDMEF into the design of agent, our agent-based IDS shows much more flexible for built in different kinds of software application system.

Jie Yang,Xin Chen,Xudong Xiang,Jianxiong Wan

DOI: https://doi.org/10.1109/cmc.2010.73

2010-01-01

Abstract:A hybrid intrusion detection approach combing both misuse detection and anomaly detection can detect newly discovered attacks while maintaining a relatively high detection rate. This paper presents a novel hybrid intrusion detection system based on protocol analysis and decision tree algorithms. Performance evaluation of the proposed system is conducted using Generalized Stochastic Petri Nets (GSPN). Simulation results show that this hybrid system can reach a high detection rate.