Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

Yu Fei,Zhu Miao-liang,Chen Yu-feng,Li Ren-fa,Xu Cheng

DOI: https://doi.org/10.1007/bf02828642

2005-01-01

Abstract:Intrusion detection system can make effective alarm for illegality of network users, which is absolutely necessarily and important to build security environment of communication base service. According to the principle that the number of network traffic can affect the degree of self-similar traffic, the paper investigates the variety of self-similarity resulted from unconventional network traffic. A network traffic model based on normal behaviors of user is proposed and the Hurst parameter of this model can be calculated. By comparing the Hurst parameter of normal traffic and the self-similar parameter, we can judge whether the network is normal or not and alarm in time.

Wei Li,Zengwei Yan,Renwei He,Liming Zong,Fan Zhang,Yanjun Zhan

DOI: https://doi.org/10.1109/iwcmc55113.2022.9824972

2022-01-01

Abstract:Wireless communication is the basis for ensuring the safe and efficient operation of rail transit trains. The advantages of 5G technology such as high reliability, high speed and low latency make it a very broad application prospect in the field of rail transit. However, 5G networks also face corresponding security threats in application, such as various network attacks. The communication-based train control (CBTC) systems are vulnerable to network attacks, which can easily lead to emergency braking or collision of trains when it was attacked. In order to protect network security, the intrusion detection systems (IDS) can be used. The IDS currently applied to the CBTC systems have problems such as low detection rate and high false rate. Therefore, this paper proposes an intrusion detection system based on machine learning, and simulates the real network environment by using KDD99 data. First, the data is preprocessed and feature extracted. Then two methods of decision tree and neural network are used to train the classifiers. In addition, the multiple classifiers are trained on the basis of the binary classifiers. Finally, we test the performance of the classifiers. The results show that the classifiers have a good detection accuracy of network traffic.

He Lu,Yanan Zhao,Yajing Song,Yang Yang,Guanjie He,Haiyang Yu,Yilong Ren

DOI: https://doi.org/10.1007/s10586-024-04376-9

2024-04-14

Cluster Computing

Abstract:Communication-based train control (CBTC) system is a typical cyber-physical system with open wireless communication that is vulnerable to attacks. To protect the security of wireless communication in the CBTC system, machine learning-based intrusion detection system (IDS) has been extensively researched. However, the performance of a machine learning-based IDS highly depends on feature design, and the spatial and temporal correlation of network data attributes makes it difficult to design features manually. Meanwhile, this type of IDS can only detect known attacks that are contained in the training dataset and fail to detect new attacks (i.e., zero-day attacks). To cope with the above issue, we propose a novel IDS based on transfer learning for the CBTC system. The proposed IDS leverages an optimized one-dimensional convolutional neural network block and long short-term memory to automatically extract spatial and temporal features from the original data. Furthermore, a knowledge transfer method is utilized to transfer the features to enable zero-day attack detection. We evaluate the proposed IDS on a dataset representing the CBTC system network data. The results show that the proposed IDS can achieve 99.32% accuracy for known attacks and 93.21% average F1-Score for zero-day attacks.

computer science, information systems, theory & methods

Zhangwei Yu,Yan Liu,Guoqi Xie,Renfa Li,Siming Liu,Laurence T. Yang

DOI: https://doi.org/10.1109/tii.2022.3202539

IF: 12.3

2022-12-17

IEEE Transactions on Industrial Informatics

Abstract:Intelligent connected vehicle is rapidly growing with the 5-G technology; the diversity of functional interfaces has significantly expanded the avenues of attack, making automotive controller area network (CAN) more vulnerable to cyberthreats. Automotive CAN network attacks are a direct threat to traffic safety, and in this study, we explore the use of intrusion detection techniques for mitigating cyberattacks. However, most automotive CAN network intrusion detection technologies are not capable of defending against sophisticated attacks, making it extremely challenging for detecting intrusions in practice. In this article, we propose a novel time interval conditional entropy method for detecting intrusions in automotive CAN networks. The time interval conditional entropy intrusion detection method is not susceptible to interference and is capable of detecting a variety of attacks. In our experiments, the conditional entropy values of regular communication messages are collected and utilized to distinguish and detect the attacks. The time interval conditional entropy detection method is implemented and evaluated in our controller area net-work bus (CAN-BUS) network platform. The experiments show that our method has higher detection accuracy and is easier to deploy compared to existing automotive CAN network intrusion detection methods.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Heng Zhang,Yinchu Wang,Yawen Xue,Ruilong Deng,Hongran Li,Jian Zhang

DOI: https://doi.org/10.23919/ccc63176.2024.10662787

2024-01-01

Abstract:Industrial network control systems (INCSs) are easy to be targeted by attackers due to their high economic value. Most of the existing defense methods are deployed at the network boundary, which causes high-security risks to INCS once an attacker enters the system. In addition, many existing intrusion detection systems (IDSs) build detection models based on historical data. When INCS lacks sufficient historical data, it is difficult to build detection models with high accuracy. In this paper, we propose a trust assessment model for INCS based on Fourier series fitting employing concept of zero trust to assess the real-time trust of INCS. The model alerts when INCS has low trust. We test two data injection attacks in the experiment to prove the effectiveness of our approach.

Gao Jian,Yu Huadong,Wang Hongmian,Bai Huifeng,Huo Chao,Zhang Ganghong

DOI: https://doi.org/10.1051/itmconf/20224703015

2022-01-01

ITM Web of Conferences

Abstract:Along with the computer, communication, control, the rapid development of automation technology, based on the analysis of the information security requirements, combined with the trusted computing provide security solution, the communication control information security interaction model and the key technology to realize information security interaction, put forward a real-time evaluation model based on credible global terminal entities. By introducing penalty factor and time factor, the evaluation method is improved from single evaluation to global evaluation. Taking the user information collection system as an example, the information security communication model of behavior trust measurement mechanism is simulated. The simulation results show that this model has the ability of continuous trust measurement in dynamic uncertain network environment, and can accurately determine the trust of terminal entities in real time, and it is more realistic, which lays a good foundation for the research of trust connection, trust management and trust decision based on trust measurement.

Wenbin Yu,Yiyin Wang,Lei Song

DOI: https://doi.org/10.3390/electronics8121545

IF: 2.9

2019-01-01

Electronics

Abstract:Standard Ethernet (IEEE 802.3 and the TCP/IP protocol suite) is gradually applied in industrial control system (ICS) with the development of information technology. It breaks the natural isolation of ICS, but contains no security mechanisms. An improved intrusion detection system (IDS), which is strongly correlated to specific industrial scenarios, is necessary for modern ICS. On one hand, this paper outlines three kinds of attack models, including infiltration attacks, creative forging attacks, and false data injection attacks. On the other hand, a two stage IDS is proposed, which contains a traffic prediction model and an anomaly detection model. The traffic prediction model, which is based on the autoregressive integrated moving average (ARIMA), can forecast the traffic of the ICS network in the short term and detect infiltration attacks precisely according to the abnormal changes in traffic patterns. Furthermore, the anomaly detection model, using a one class support vector machine (OCSVM), is able to detect malicious control instructions by analyzing the key field in Ethernet/IP packets. The confusion matrix is selected to testify to the effectiveness of the proposed method, and two other innovative IDSs are used for comparison. The experiment results show that the proposed two stage IDS in this paper has an outstanding performance in detecting infiltration attacks, forging attacks, and false data injection attacks compared with other IDSs.

Qian Wang,Zhaojun Lu,Gang Qu

DOI: https://doi.org/10.48550/arXiv.1808.04046

2018-08-13

Abstract:Dozens of Electronic Control Units (ECUs) can be found on modern vehicles for safety and driving assistance. These ECUs also introduce new security vulnerabilities as recent attacks have been reported by plugging the in-vehicle system or through wireless access. In this paper, we focus on the security of the Controller Area Network (CAN), which is a standard for communication among ECUs. CAN bus by design does not have sufficient security features to protect it from insider or outsider attacks. Intrusion detection system (IDS) is one of the most effective ways to enhance vehicle security on the insecure CAN bus protocol. We propose a new IDS based on the entropy of the identifier bits in CAN messages. The key observation is that all the known CAN message injection attacks need to alter the CAN ID bits and analyzing the entropy of such bits can be an effective way to detect those attacks. We collected real CAN messages from a vehicle (2016 Ford Fusion) and performed simulated message injection attacks. The experimental results showed that our entropy based IDS can successfully detect all the injection attacks without disrupting the communication on CAN.

Cryptography and Security

Ming-Song CHEN,Yong-Xiang BAO,Hai-Ying SUN,Wei-Kai MIAO,Xiao-Hong CHEN,Ting-Liang ZHOU

DOI: https://doi.org/10.13328/j.cnki.jos.005217

2017-01-01

Abstract:Communication-based train control system (CBTC) has become the mainstream infrastructure for the railway signal systems around the world.Unlike traditional track circuit-based railway control systems,CBTC adopts a more flexible and accurate control mechanism to provide uninterrupted services to enable guarantee safeguard between adjacent trains and protection for over-speeding.Therefore,CBTC significantly improves the efficiency and safety of train-based transportation.Although CBTC can accurately conduct real-time control,its design and implementation are extremely complex due to the integration of heterogeneous computation,communication and control components.Consequently,breakdowns caused by CBTC design flaws are inevitable.Therefore,how to guarantee the trustworthiness of CBTC,as for any typical safety-critical system,becomes a big challenge for researchers and practitioners.Due to the huge success in both hardware and software domains,formal methods are now considered as a promising means for trustworthy construction of CBTC systems.This article surveys the three most important stages during the trustworthy construction of CBTC systems,i.e.,requirement analysis,design modeling,and bottom-level implementation.It not only comprehensively presents the important roles of the state-of-the-art formal methods and tools during the trustworthy CBTC construction,but also introduces the development trends as well as technical challenges for future CBTC.

Yi Yang,Hai-Qing Xu,Lei Gao,Y.B. Yuan,Kieran McLaughlin,Sakir Sezer

DOI: https://doi.org/10.1109/TPWRD.2016.2603339

IF: 4.825

2017-01-01

IEEE Transactions on Power Delivery

Abstract:Emerging cybersecurity vulnerabilities in supervisory control and data acquisition (SCADA) systems are becoming urgent engineering issues for modern substations. This paper proposes a novel intrusion detection system (IDS) tailored for cybersecurity of IEC 61850 based substations. The proposed IDS integrates physical knowledge, protocol specifications, and logical behaviors to provide a comprehens...

Bowen Wang,Yuance Zhang,Zhaojing Zhang,Hongxing Hu,Geguang Pu

DOI: https://doi.org/10.4271/2023-01-0044

2023-01-01

Abstract:Intrusion Detection Systems (IDS), technically speaking, is to monitor the network, system, and operation status according to certain security policies, and try to find various attack attempts, attacks or attack results to ensure the confidentiality, integrity and availability of network system resources. Automotive intrusion detection systems can identify and alert by analyzing in-vehicle traffic and log when software applications or devices with malicious activity exist, or the in-vehicle network is tampered and injected. But unfortunately, automotive cybersecurity researchers hardly produce a comprehensive detection method due to the confidential nature of Controller Area Network (CAN) DBC format files, which is a standard long maintained by car manufacturers.In this paper, an enhanced intrusion detection method is proposed based on the double-decision-tree to classify different attack models for in-vehicle CAN network without the need to obtain complete DBC files. Unlike the existing method that is using data from the simulated CAN traffic traces, we construct three attack models based on real CAN bus traffic collected from Pentium T99. A totally new data split method is provided to divide training set, validation set and test dataset. Three experiments are set to verify this new data split method and the results show that we have achieved high accuracy in the recognition of the three types of attacks, and the model has high operating efficiency.

Qi Qiao,Daojing He,Yun Gao,Sencun Zhu,Jiahao Gao,Sammy Chan

DOI: https://doi.org/10.1109/secon48991.2020.9158421

2020-01-01

Abstract:While integrated electronic systems (IESs) are widely used in military and civilian applications, their security issues are barely studied. By analyzing the architecture of the system and the characteristics of bus communication, this paper proposes an intrusion detection method based on the message sequence and behavioral rules of subsystems. According to the bus protocol, messages are divided into periodic and aperiodic messages. For the previous, we adopt sequence analysis and propose an algorithm that extract the sequence intelligently to determine if there are anomalies. For aperiodic messages, we detect the anomalies by modeling the system behaviors as decision trees. Through implementing experiments on our simulation system, we demonstrate that the proposed detection is more accurate than the existing schemes while incurring both lower false negative rate and lower false positive rate.

Abdullahi Chowdhury,Gour Karmakar,Joarder Kamruzzaman,Rajkumar Das,S H Shah Newaz

DOI: https://doi.org/10.3390/s23104646

2023-05-10

Abstract:The increasing attacks on traffic signals worldwide indicate the importance of intrusion detection. The existing traffic signal Intrusion Detection Systems (IDSs) that rely on inputs from connected vehicles and image analysis techniques can only detect intrusions created by spoofed vehicles. However, these approaches fail to detect intrusion from attacks on in-road sensors, traffic controllers, and signals. In this paper, we proposed an IDS based on detecting anomalies associated with flow rate, phase time, and vehicle speed, which is a significant extension of our previous work using additional traffic parameters and statistical tools. We theoretically modelled our system using the Dempster-Shafer decision theory, considering the instantaneous observations of traffic parameters and their relevant historical normal traffic data. We also used Shannon's entropy to determine the uncertainty associated with the observations. To validate our work, we developed a simulation model based on the traffic simulator called SUMO using many real scenarios and the data recorded by the Victorian Transportation Authority, Australia. The scenarios for abnormal traffic conditions were generated considering attacks such as jamming, Sybil, and false data injection attacks. The results show that the overall detection accuracy of our proposed system is 79.3% with fewer false alarms.

T. Liu,Z. Wang,H. Wang,K. Lu

DOI: https://doi.org/10.15837/ijccc.2012.3.1391

IF: 2.635

2014-01-01

International Journal of Computers Communications & Control

Abstract:Intrusion Detection System (IDS) typically generates a huge number of alerts with high false rate, especially in the large scale network, which result in a huge challenge on the efficiency and accuracy of the network attack detection. In this paper, an entropy-based method is proposed to analyze the numerous IDS alerts and detect real network attacks. We use Shannon entropy to examine the distribution of the source IP address, destination IP address, source threat and destination threat and datagram length of IDS alerts; employ Renyi cross entropy to fuse the Shannon entropy vector to detect network attack. In the experiment, we deploy the Snort to monitor part of Xi’an Jiaotong University (XJTU) campus network including 32 C-class network (more than 4000 users), and gather more than 40,000 alerts per hour on average. The entropy-based method is employed to analyze those alerts and detect network attacks. The experiment result shows that our method can detect 96% attacks with very low false alert rate.

Wenbin Yu,Yiyin Wang,Lei Song

DOI: https://doi.org/10.20944/preprints201912.0174.v1

2019-01-01

Abstract:Standard Ethernet (IEEE 802.3 and the TCP/IP protocol suite) is gradually applied in industrial control system (ICS) with the development of information technology. It breaks the natural isolation of ICS, but contains no security mechanism. A modified intrusion detection system (IDS), which is strongly correlated to specific industrial scenario, is necessary for modern ICS. On the one hand, this paper outlines attack models, including infiltration attacks and our creative forging attack. On the other hand, we proposes a hierarchical IDS, which contains a traffic prediction model and an anomaly detection model. The traffic prediction model, which is based on autoregressive integrated moving average (ARIMA), can forecast the traffic of ICS network in the short term and precisely detect the infiltration attacks according to abnormal changes in traffic pattern. The anomaly detection model using one-class support vector machine (OCSVM) is able to detect malicious control instructions by analyzing the key field in EtherNet/IP packets. The experimental results show that the hierarchical IDS has an outstanding performance in detecting infiltration attacks and forging attack compared with other two innovative IDSs.

Daxin Tian,Yuzhou Li,Yunpeng Wang,Xuting Duan,Congyu Wang,WenYang Wang,Rong Hui,Peng Guo

DOI: https://doi.org/10.1007/978-3-319-74176-5_25

2018-01-01

Abstract:The CAN-Bus is currently the most widely used vehicle bus network technology, but it is designed for needs of vehicle control system, having massive data and lacking of information security mechanisms and means. The Intrusion Detection System (IDS) based on machine learning is an efficient active information security defense method and suitable for massive data processing. We use a machine learning algorithm-Gradient Boosting Decision Tree (GBDT) in IDS for CAN-Bus and propose a new feature based on entropy as the feature construction of GBDT algorithm. In detection performance, the IDS based on GBDT has a high True Positive (TP) rate and a low False Positive (FP) rate.

Lei Zhang,Yan Sun,Hongliang Pan,Lijuan Shi

DOI: https://doi.org/10.1109/ISCTech58360.2022.00023

2022-01-01

Abstract:The train-ground wireless communication network and the ground wired backbone communication network in the urban rail transit signal system urgently need intelligent fault diagnosis technology. Taking the DCS of CBTC as the research object, this paper proposes a heterogeneous variable fault information processing method based on the adaptive, self-evolutionary and traceable characteristics of the high-confidence system, establishes a fault intelligent diagnosis model, implements the fuzzy method, and realizes the overall fault diagnosis accuracy can reach 91.96%, meeting the design requirements of the high-confidence system under the high-confidence intelligent diagnosis and evaluation.

Weicheng Qiu,Yinghua Ma,Xiuzhen Chen,Haiyang Yu,Lixing Chen

DOI: https://doi.org/10.1016/j.cose.2022.102709

IF: 5.105

2022-01-01

Computers & Security

Abstract:Cyber-attacks are becoming increasingly sophisticated, posing greater challenges in accurately detecting intrusions. Failure to prevent intrusions could degrade the credibility of security services. Intrusion Detection System (IDS) is one of the most effective paradigms to identify attack behaviors. This paper proposes a novel hybrid intrusion detection system called DST-IDS. The proposed method employs both packet-based and flow-based intrusion detection techniques and combines them with Dempster-Shafer Theory (DST). DST-IDS has an ensemble-like framework. It takes both traffic flows and their first N packets as inputs; flow-based IDS aims to predict traffic flows and packet-based IDS detects attacks in the corresponding packets; DST is then applied to fuse predictions of flow-based IDS and packet-based IDS to a final detection result. We also design a novel data collection/processing tool in DST-IDS to reduce the data volume required to perform intrusion detection and enable early detection. In addition, DST-IDS is designed to work with heterogeneous data distribution where the distribution of the training dataset can differ from the data distribution during implementation. This property drastically improves the practicality of DST-IDS. We run experiments on public datasets and real networks to evaluate the proposed method. The experimental results show that DST-IDS outperforms state-of-the-art benchmarks in terms of intrusion detection accuracy and detection speed. Particularly, DST-IDS provides real-time detection in real networks and handles well heterogeneous data distribution.

Xi He,Li Zhang,Tao Liu,Wei Wang

DOI: https://doi.org/10.1109/compcomm.2018.8780699

2018-01-01

Abstract:Intrusion detection based on network traffic has been widely studied in traditional network systems. At the same time, the security threats faced by Industrial Control Systems (ICS) are becoming increasingly severe. The network communication environments of ICSs are very different from the traditional Internet in in terms of protocols, interaction modes and security considerations. How to detect anomalies effectively in power production control system is an important issue. In this work, we use a representative Distributed Control System (DCS) working in thermal power generation scenarios and conduct various attacks on this DCS to generate an original network traffic. We then consider the time correlation and interaction stability of the DCS and propose a dual window scheme (Dual-Win) to get more effective features based on basic features. We use several machine learning methods for the detection of anomalies based on the traffic data. The experimental results show that our method achieves the detection accuracy as 99.41% with only basic traffic features, and the detection accuracy can be as 99.77% with the basic and Dual-Win features.