Chen Guanlin,Feng Yan,Wang Zebing

DOI: https://doi.org/10.3969/j.issn.1000-0801.2010.10.014

2010-01-01

Abstract:Nowadays wireless intrusion prevention systems have become the research hotspot with the fast development of WLAN.In this paper,we first introduce the common attack methods for WLAN,and then present the framework of the wireless IPS with a distributed pre-decision engine,which can predict the future actions and direct active responses to these actions.We implement an improved model with extended detection rules for conducting intrusion plan and making pre-decision,by gathering wireless device information and importing supporting degree of intrusion plan in plan recognition.Experimental results showed that the distributed pre-decision engine can not only improve wireless intrusion detection and prevention performance,also reduce false negatives and false positives evidently.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Zhongqiang Chen,Alex Delis,Peter Wei

DOI: https://doi.org/10.1093/comjnl/bxn043

2009-01-01

The Computer Journal

Abstract:Intrusion prevention systems (IPSs) not only attempt to detect attacks but also block malicious traffic and pro-actively tear down pertinent network connections. To effectively thwart attacks, IPSs have to operate both in real-time and inline fashion. This dual mode renders the design/implementation and more importantly the testing of IPSs a challenge. In this paper, we propose an IPS testing framework termed IPS Evaluator which consists of a trace-driven inline simulator-engine, mechanisms for generating and manipulating test cases, and a comprehensive series of test procedures. The engine features attacker and victim interfaces which bind to the external and internal ports of an IPS-under-testing (IUT). Our engine employs a bi-directional injection policy to ensure that replayed packets are subject to security inspection by the IUT before they are forwarded. Furthermore, the send-and-receive mechanism of our engine allows for the correlation of engine-replayed and IUT-forwarded packets as well as the verification of IUT actions on detected attacks. Using dynamic addressing and routing techniques, our framework rewrites both source and destination addresses for every replayed packet on-the-fly. In this way, replayed packets conform to the specific features of the IUT. We propose algorithms to partition attacker/victim-emanated packets so that they are subjected to security inspections by the IUT and in addition, we offer packet manipulation operations to shape replayed traces. We discuss procedures that help verify the IUT's detection and prevention accuracy, attack coverage and behavior under diverse traffic patterns. Finally, we evaluate the strengths of our framework by mainly examining the open-source IPS Snort-Inline. IPS deficiencies revealed during testing help establish the effectiveness of our approach.

LI Feng,WU Chun-ming

DOI: https://doi.org/10.3969/j.issn.1006-9348.2013.12.011

2013-01-01

Abstract:In the attack stage of network intrusion,there is huge fluctuation. It is hard to detect the network in- trusion. Traditionally,the prevention fluctuation method was reducing the network connection,but the network con- nection time was short,it would result in network packet transmission interruption. The energy management preven- tion fluctuation method was applied in the network intrusion prevention fluctuation. The energy gradient of network in- trusion was designed. The largest invasion species number section and the largest invasion profile were determined. The longitudinal control invasion rule and lateral control invasion rule were designed correspondingly. The simulation system was established based on Matlab- simulink. Simulation results show that the network intrusion is reduced with new method,the intrusion range is reduced greatly,and the fluctuation decreases greatly. The intrusion detection ac- curacy rate increases by 34. 2%.

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

YX Jiang,C Lin,ZG Shan,Z Chen

2004-01-01

Abstract:The main problem existed in the Network-based Intrusion Detection System (NIDS) is that the data-processing ability of classical centralized intrusion detection architecture does dissatisfy the increasing requirement of high-speed network. To resolve this problem, especially in real-time online intrusion detection, a NIDS cluster scheme is firstly introduced in this paper. Secondly, given the high resource demands and the special load-balancing characteristics in NIDS cluster, three optimized polices to improve the performance of NIDS cluster are proposed, i.e. Early Simple Packet Filter (ESPF), Adaptive Hash Load-Balancing (AHLB) algorithm, Priority Scheduling with Buffer Limited (PSBL). All the optimized measures are in collaboration with one another and provide the NIDS cluster scalability, adaptability, and high performance. Moreover, with the goal of analyzing the performance of NIDS cluster a Stochastic Petri Net (SPN) model is proposed. To cope with the well-known state space explosion problem, we propose an approximate analysis technique, which can significantly reduce the computing complexity of the model. In the end, the numerical results of the performance analysis for those schemes are presented, and some valuable conclusions are recommended which are suitable for NIDS cluster to achieve high performance.

Majid Nezakatolhoseini,Mohammad Amin Taherkhani

DOI: https://doi.org/10.5121/ijnsa.2012.4504

2012-11-04

Abstract:Nowadays efficient usage of high-tech security tools and appliances is considered as an important criterion for security improvement of computer networks. Based on this assumption, Intrusion Detection and Prevention Systems (IDPS) have key role for applying the defense in depth strategy. In this situation, by increasing network bandwidth in addition to increasing number of threats, Network-based IDPSes have been faced with performance challenge for processing of huge traffic in the networks. A general solution for this bottleneck is exploitation of efficient hardware architectures for performance improvement of IDPS. In this paper a framework for analysis and performance evaluation of application specific instruction set processors is presented for usage in application of attack detection in Networkbased Intrusion Detection Systems(NIDS). By running this framework as a security application on V850, OR1K, MIPS32, ARM7TDMI and PowerPC32 microprocessors, their performance has been evaluated and analyzed. For performance improvement, the compiler optimization levels are employed and at the end; base on O2 optimization level a new combination of optimization flags is presented. The experiments show that the framework results 18.10% performance improvements for pattern matching on ARM7TDMI microprocessors.

Networking and Internet Architecture

Xiao-ning KANG,Dong-xing JIANG,Cheng ZHANG,Qi-xin LIU,Lin ZHOU,Hai-yan WU

DOI: https://doi.org/10.3969/j.issn.1000-1220.2005.11.014

2005-01-01

Abstract:Network security is getting more important as the Internet evolves.Attacks like DoS,DDoS have become major attack methods on gigabit networks,not to mention the worms have used up network bandwidth.Traditional IDSes could not handle massive network data efficiently or block detected attacks in time.Focusing on those problems,this paper designed a distributed intrusion detection and blocking system which can run on high-speed networks efficiently,which is also known as IPS(Intrusion Prevention System).

Shuai Jiang,Xiaolong Xu

DOI: https://doi.org/10.1007/978-3-030-34637-9_12

2019-01-01

Abstract:In the era of network and big data, network information security has become a major issue. Intrusion Detection System (IDS) is an essential component of network security facilities, which utilizes network traffic data to detect attacks. IDS can adopt data analysis and data mining technologies to detect attacks to network systems. However, the computational overhead of IDS is too large to serve for real-time detection due to the redundancy and irrelevant features in the network traffic dataset. We hence analyze seven classification algorithms for intrusion detection, where we separately perform data preprocessing with two kinds of dimensionality reduction techniques, Principal Component Analysis (PCA) and Singular Value Decomposition (SVD), to improve the performance of IDS. The experimental results on the NSL-KDD dataset indicate that the classification algorithms with dimensionality reduction outstands in detection rate and detection speed. Meanwhile, SVD demonstrate its superiority to PCA in boosting these algorithms.

Amilia Anggraeni,Jafaruddin Gusti Amri Ginting,Syariful Ikhwan

DOI: https://doi.org/10.20895/infotel.v14i4.813

2022-11-01

JURNAL INFOTEL

Abstract:Computer networks are built to achieve the main goal of communicating with each other . During the transmission process, it is expected that information can be conveyed quickly, efficiently and safely. Network security serves to avoid damage or even data loss caused by attacker activities during the communication process. Security aspects that need to be maintained in data information are Confidentiality, Integrity and Availability. Intrusion Prevention System is a solution that can maintain network security from various attacks. The Intrusion Prevention System will act as a protector on the network by detecting and preventing suspicious traffic on nodes in a network. The Intrusion Prevention System in its implementation has several tools which are used in this study, namely Snort and IPTables. Testing is done by performing attacks on the Web Server. The attacks carried out are Port Scanning, DDoS attacks and Brute Force. The results of this study are based on the CIA Triad with the three attacks having different characteristics in terms of cause and effect. On the defense side, Port Scanning and Brute Force can be easily prevented by IPS, but in DDoS attacks there are differences in results between drop and reject rule. In a DDoS attack with an action drop rule, it can recover the web server in 160 seconds while the action reject rule can be restored at 145 seconds which normally can be recovered in a DDoS attack in 165 seconds. The IPS server can also reduce resources when there is a DDoS attack by 9.2% .

Asmaa Shaker Ashoor,Sharad Gore

DOI: https://doi.org/10.1007/978-3-642-22540-6_48

2011-01-01

Abstract:This paper discusses difference between Intrusion Detection system and intrusion Prevention System (IDS/IPS) technology in computer networks. The differences between deployment of these system in networks in which IDS are out of band in system, means it cannot sit within the network path but IPS are in-line in the system, means it can pass through in between the devices.IDS generates only alerts if anomaly traffic passes in network traffic, it would be false positive or false negative, means IDS detects only malicious activities but no action taken on those activities but IPS has feature of detection and prevention with auto or manual action taken on those detected malicious activities like drop or block or terminate the connections. Here IDS and IPS systems stability, performance and accuracy wise result are comparing in this paper.

Xiang Wang,Yaxuan Qi,Baohua Yang,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/icpads.2009.109

2009-01-01

Abstract:Network intrusion prevention system (NIPS) becomes more complex due to the rapid growth of network bandwidth and requirement of network security. However existing solutions, either hardware-based or software-based cannot obtain a good tradeoff between performance and flexibility. In this paper, we propose a parallel NIPS architecture using emerging network services processor. To resolve the problems and bottlenecks of high-speed processing, we investigate the main design aspects which have dramatic impacts on most parallel network security system implementations: efficient and flexible pipeline and parallel processing, flow-level packet-order preserving, and latency hiding of deep packet inspection. To these key points, we address several optimizations and modifications with an architecture-aware design principle to guarantee high performance and flexibility of the NIPS on a network services processor implementation. Performance evaluation shows that, our prototype NIPS on Cavium OCTEON3860 processor can reach line-rate stateful inspection and multi-Gbps deep inspection performance.

LIU Wei,YANG Lin,LI Quan-lin

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.01.009

2011-01-01

Computer Science

Abstract:Authentication mechanism has important meanings to network security defence.Most researchers mainly focus on putting forward new authentication methods and analyzing the security of authentication protocols,but ignoring the research of quantitative analysis on authentication method.By analyzing the system of authentication as a quasi-birth-and-death process,establishing a two-dimensional queuing model,the steady probabilities distribution can be obtained to compute some important indices.The experimental results prove that the general analytical method can effectively evaluate the performance of authentication method.

Pengchao Yao,Xuan Wang,Zebang Zhang,Bingjing Yan,Qiang Yang,Wenhai Wang

DOI: https://doi.org/10.1016/j.aei.2023.102338

IF: 8.8

2024-01-01

Advanced Engineering Informatics

Abstract:Cyberspace intrusions targeting modern industrial cyber-physical systems (ICPSs) are considered highly persistent and stealthy penetration processes that can result in catastrophic consequences for industrial infrastructures. Existing studies predominantly concentrated on detection and defense strategies for specific stages of intrusions without much knowledge of underlying system operational mechanisms, characteristics and evolutionary patterns. In this paper, we present a novel approach that integrates statistical knowledge and game theory to establish a comprehensive security model covering various aspects, including anomaly detection, behavioral analysis, strategy generation and impact assessment. Specifically, a statistical model, i.e. Poisson intrusion model (PIM), is developed to characterize the probabilistic properties of intrusions by leveraging knowledge of their occurrence patterns and frequencies. A Bayesian inference-based model is proposed to analyze the intrusion behaviors for anomaly detection. Then, by integrating statistical knowledge of intrusions and detections, a Markov game model is formulated to characterize the interactive actions and strategies between attackers and defenders throughout the intrusion process. Further, the cross-layer impact is assessed by quantifying the potential consequences under corresponding cyber security conditions in terms of production performance degradation and unintended incident losses. Finally, the proposed approach is validated through extensive experiments for power plant operational scenarios.

Muhamad Felemban,Yahya Javeed,Jason Kobes,Thamir Qadah,Arif Ghafoor,Walid Aref

DOI: https://doi.org/10.48550/arXiv.1810.02061

2018-10-04

Cryptography and Security

Abstract:Data-intensive applications exhibit increasing reliance on Database Management Systems (DBMSs, for short). With the growing cyber-security threats to government and commercial infrastructures, the need to develop high resilient cyber systems is becoming increasingly important. Cyber-attacks on DBMSs include intrusion attacks that may result in severe degradation in performance. Several efforts have been directed towards designing an integrated management system to detect, respond, and recover from malicious attacks. In this paper, we propose a data Partitioning-based Intrusion Management System (PIMS, for short) that can endure intense malicious intrusion attacks on DBMS. The novelty in PIMS is the ability to contain the damage into data partitions, termed Intrusion Boundaries (IBs, for short). The IB Demarcation Problem (IBDP, for short) is formulated as a mixed integer nonlinear programming. We prove that IBDP is NP-hard. Accordingly, two heuristic solutions for IBDP are introduced. The proposed architecture for PIMS includes novel IB-centric response and recovery mechanisms, which executes compensating transactions. PIMS is prototyped within PostgreSQL, an open-source DBMS. Finally, empirical and experimental performance evaluation of PIMS are conducted to demonstrate that intelligent partitioning of data tuples improves the overall availability of the DBMS under intrusion attacks.

Zhuowei Li,Amitabha Das

DOI: https://doi.org/10.48550/arXiv.cs/0410068

2004-10-26

Cryptography and Security

Abstract:Anomaly-based intrusion detection (AID) techniques are useful for detecting novel intrusions into computing resources. One of the most successful AID detectors proposed to date is stide, which is based on analysis of system call sequences. In this paper, we present a detailed formal framework to analyze, understand and improve the performance of stide and similar AID techniques. Several important properties of stide-like detectors are established through formal proofs, and validated by carefully conducted experiments using test datasets. Finally, the framework is utilized to design two applications to improve the cost and performance of stide-like detectors which are based on sequence analysis. The first application reduces the cost of developing AID detectors by identifying the critical sections in the training dataset, and the second application identifies the intrusion context in the intrusive dataset, that helps to fine-tune the detectors. Such fine-tuning in turn helps to improve detection rate and reduce false alarm rate, thereby increasing the effectiveness and efficiency of the intrusion detectors.

Ying Chen,Junho Hong,Chen-Ching Liu

DOI: https://doi.org/10.1109/tsg.2016.2614603

IF: 10.275

2018-01-01

IEEE Transactions on Smart Grid

Abstract:Cyber intrusions to substations are critical issues to a power grid, which must be defended and mitigated. Essentially, to better understand a cyber intrusion, reconnaissance activities should be modeled. Then, strategies of cyber attacker and defender can be studied, which help to identify substations vulnerable to cyber-attacks. In this paper, a successful intrusion is regarded as a probabilistic event related to reconnaissance activities. Its probability can be approximated by the Poisson distribution of the number of vulnerabilities discovered by the attacker. Furthermore, models of intrusion and defense in competition for control of the substations are proposed using Markov decision process (MDP). Key characteristics of target substation, attacker and defender are considered for determining probabilistic state transitions related to intrusion and defense actions. Thus, by solving the MDP models, the optimal strategies (action policies) of both the attacker and defender can be obtained. With these optimal strategies, the cyber security status of a substation can be evaluated within varied time frames. The case study validates the proposed models and method, including time-based strategies of the attacker and defender.

Kun Meng,Chuang Lin,Yuanzhuo Wang,Yang Yang

2009-01-01

Abstract:Based on the technology of dynamic diversity backups, an intrusion tolerant system is proposed which guarantees the performance of the system and does not degrade drastically when it is exposed to outside attacks. By analyzing the consequence of the attacks, we give the attack model and model of the proposed intrusion tolerant system by General Stochastic Petri Net (GSPN). Through it, we can evaluate the efficiency of the intrusion tolerant system (ITS) based on the dynamic diversity backups. In the end of the paper, we analyze the proposed system with three diversity backups and random schedule strategy among the backups by the tool SPNP (Stochastic Petri Net package). The results show that the ITS is affected lightly under the heave attacks, which implies that the system can defend most intrusion effectively.

Guangfeng Guo,Junxing Zhang,Zhanfei Ma

DOI: https://doi.org/10.2298/csis200206049g

2021-01-01

Computer Science and Information Systems

Abstract:As traditional networks, the software-defined campus network also suffers from intrusion attacks. Current solutions for intrusion prevention cannot meet the requirements of the campus network. Existing methods of attack traceback are either limited to specific protocols or incur high overhead. To protect the data center (DC) of the campus network from internal and external attacks, we propose an Intrusion Prevention System (IPS) based on the coordinated control between the detection engine, the attack traceback agent, and the software-defined control plane. Our solution includes a novel algorithm to infer the best switch port for defending different attacks of varied scales based on the inverse HSA (Header Space Analysis) and the global view of the software-defined controller. The proposed scheme can effectively and timely block the malicious traffic not only protecting victim hosts from attacks but also preventing the whole network from suffering unwanted transmission burden. The proposed IPS is deployed on the bypass of the DC switch and collects network traffic by port mirroring. Compared with the traditional serial deployment, the new design helps defend the DC internal attacks, reduce the probability of network congestion, and avoid the single point of failure. The experimental results show that the overhead of our IPS is very low, which enables it to meet the real-time requirements. The average defense time is between 10 and 14 ms for the data center internal attacks of different scales. For external attacks, the maximum defense time is about 76 ms for a large-scale network with 100 switches.

computer science, information systems, software engineering

SUN Xian-jun,ZHU Liang,GAO Zhi-min,LIN Chuang,LIU Wei-dong

2008-01-01

Abstract:Our society is heavily dependent on a wide variety of distributed information system.The essential service of distributed information system must be available even when undesirable events such as attack,network failures,or natural disasters happen.In this paper we assess the survivability of distributed information with essential service exposed to failures.We have developed analytic models using stochastic Petri net.In order to avoid state space explosion while addressing large networks we reduce our models firstly,then give a composite model by combining performance and recovery models.The modeling approaches are applied to an information system example.Finally,the simulation by Matlab shows us the measures of survivability varying with repair rate and failure rate clearly.