Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Yueming Hu

DOI: https://doi.org/10.1007/1-4020-4933-1_10

2006-01-01

Abstract:One of the challenges on Internet intrusion detection (ID) is detecting the intrusion on high-speed networks. To cope with the intrusion on gigabit Ethernet or higher network links, the ID devices must utilize high-speed hardware, parallel structure and efficient algorithms. This paper presents a parallel approach of ID scheme based on network processor, the embedded processor for network devices. In this approach, packets from the network flow through multiple network processors. Within the network processor, multiple network processing engines are used to process the network data in parallel, each network processor/processing engine detect the packet flow for a subset of intrusion signature. The ID scheme is a MISD parallel mode. Data flow from the network is a single packet flow, and the detection device is a multiprocessor structure with different programs.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

WANG Xiaodong,ZHU Miaoliang

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.07.055

2005-01-01

Abstract:This paper puts forward an intellective network safe guard system based on a multi-agent system structure. The purpose of the system is to defend the intrusion of campus-wide network. It is based on IDXP and the focus is blackboard. This system can deal with multi-levels and many ways of anti-intrusions, which has self-determination. It is proved to have a good performance by spot tests.

WANG Wei,LU Dongming,DONG Yabo,CHEN Yufeng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.17.072

2006-01-01

Abstract:With the rapid development of computer technology,Internet applications are used more and more widely,computer networks are exposed to various threats,especially network worms.This paper introduces the definition and principle of network worms,and based on the mechanism of network worms,it proposes and implements a network worm detection system for Internal network,which is proved to be able to detect the network worm accurately.

郑凯元,叶茂,赵欣

DOI: https://doi.org/10.3969/j.issn.1008-0570.2008.36.020

2008-01-01

Abstract:With the development of World Wide Web network,the network risk occurs here and there around of us. Our information risks various intrusions and computer virus. To observe and prevent the intrusions is on the edge,a new network security technology called IPS came forth these years. The IPS can detect and prevent network intrusions in time. A Winpcap based IPS(WNIPS) includ-ing the design and implementation is present in this paper. The WNIPS will capture net packets via the NDIS,and then detect in-trusions by analyzing and statistic. It can update the firewall rules while detecting the intrusions,taking the advantage this function,the WNIPS can detect and prevent all the known intrusions and some unknown intrusions.

LI Ming-xin,SHE Kun

DOI: https://doi.org/10.3969/j.issn.1000-7024.2007.01.017

2007-01-01

Abstract:In order to implement intrusion detection based on NDIS,according to NDIS intermediate driver's basic principle,using driver development kit that Microsoft provided,capture all raw data packets at data link layer.Because of NDIS intermediate driver locate inside of Windows kernel,with hardware relation close,can't keep away from and independent of protocol layer,so must self-defining analysis that protocol type.Describing the detailed implement codes,according to detection principle,analyzing in depth various intrusion behaviors and characteristic and raw data packets,combine with NDIS intermediate driverand detection principle,revea-ling attack and port stealth scan might be appear,to achieve the goal of intrusion detection.

Bin Liu,Zhitang Li,Yao Li,Zhanchun Li

DOI: https://doi.org/10.1117/12.657361

2005-01-01

Abstract:Network intrusion detection systems (NIDS) are important parts of network security architecture. Although many NIDS have been proposed, there is little effort to expand the current set of NIDS to support IPv6 protocol. This paper presents the design and implementation of a Network-based Intrusion Detection System that supports both IPv6 protocol and IPv4 protocol. It characters rules based logging to perform content pattern matching and detect a variety of attacks and probes from IPv4 and IPv6. There are four primary subsystems to make it up: packet capture, packet decoder, detection engine, and logging and alerting subsystem. A new approach to packet capture that combined NAPI with MMAP is proposed in this paper. The test results show that the efficiency of packet capture can be improved significantly by this method. Several new attack tools for IPv6 have been developed for intrusion detection evaluation. Test shows that more than 20 kinds of IPv6 attacks can be detected by this system and it also has a good performance under heavy traffic load.

Hui-ran WANG,Rui-fang MA

DOI: https://doi.org/10.3969/j.issn.1674-649X.2005.01.017

2005-01-01

Abstract:The first step in understanding of traffic is capturing packets from the network. This paper introduces two approaches to develop the traffic capturer/monitor, one of which is based on NDIS (Network Driver Interface Specification), the other is based on WinPcap. The later is discussed in details. This paper outlines the WinPcap architecture. The functions exported by WinPcap are classified in three types. On this classification, we can accurately configure the developing environment, e.g. define the preprocessors, set working directories. Three basic functions, i.e. pcapfindalldevsex(), pcapopen(), and pcapnextex(), are interpreted thoroughly. In the end, a step-by-step example is given with its outcomes.

Shengli Liu

2007-01-01

Abstract:A traffic-analysis-based honeypot for Windows system is designed and implemented.Based on the library of IDS rules,the network driver of Windows DDK and NDIS middle-ware technology are used to realize filtering and diversion of network flow.This mechanism diverts the unauthorized flow from reaching the real server.In the meantime,it collects a vast amount of “hacking techniques” from the unauthorized flow to continuously adapt the system to the various “hacking techniques”.It improves the efficiency of Honeypot and protects the real servers.

Chao Kong,Bo Yang,Zhiping Jia,Zhenxiang Chen

DOI: https://doi.org/10.1109/MINES.2009.66

2009-01-01

Abstract:An Intrusion Detection System (IDS) implements pattern matching approach on the network traffic to find the malicious packets carrying attack signatures. In this paper, a common Field Programmable Gate Array (FPGA) based on-board hardware architecture which is compatible with both ordinary string and Perl Compatible Regular Expression (PCRE) pattern matching is proposed to accelerate IDS. Furthermore, a flexible storage structure which is suitable for many general hardware matching algorithms and an optimized combinational logic circuit structure for PCRE matching are designed. With the synchronization of a connection decoder, ordinary string matching module coordinates with PCRE matching module to implement string-PCRE mixed rule.

Wenbin Yu,Yiyin Wang,Lei Song

DOI: https://doi.org/10.20944/preprints201912.0174.v1

2019-01-01

Abstract:Standard Ethernet (IEEE 802.3 and the TCP/IP protocol suite) is gradually applied in industrial control system (ICS) with the development of information technology. It breaks the natural isolation of ICS, but contains no security mechanism. A modified intrusion detection system (IDS), which is strongly correlated to specific industrial scenario, is necessary for modern ICS. On the one hand, this paper outlines attack models, including infiltration attacks and our creative forging attack. On the other hand, we proposes a hierarchical IDS, which contains a traffic prediction model and an anomaly detection model. The traffic prediction model, which is based on autoregressive integrated moving average (ARIMA), can forecast the traffic of ICS network in the short term and precisely detect the infiltration attacks according to abnormal changes in traffic pattern. The anomaly detection model using one-class support vector machine (OCSVM) is able to detect malicious control instructions by analyzing the key field in EtherNet/IP packets. The experimental results show that the hierarchical IDS has an outstanding performance in detecting infiltration attacks and forging attack compared with other two innovative IDSs.

Wenbin Yu,Yiyin Wang,Lei Song

DOI: https://doi.org/10.3390/electronics8121545

IF: 2.9

2019-01-01

Electronics

Abstract:Standard Ethernet (IEEE 802.3 and the TCP/IP protocol suite) is gradually applied in industrial control system (ICS) with the development of information technology. It breaks the natural isolation of ICS, but contains no security mechanisms. An improved intrusion detection system (IDS), which is strongly correlated to specific industrial scenarios, is necessary for modern ICS. On one hand, this paper outlines three kinds of attack models, including infiltration attacks, creative forging attacks, and false data injection attacks. On the other hand, a two stage IDS is proposed, which contains a traffic prediction model and an anomaly detection model. The traffic prediction model, which is based on the autoregressive integrated moving average (ARIMA), can forecast the traffic of the ICS network in the short term and detect infiltration attacks precisely according to the abnormal changes in traffic patterns. Furthermore, the anomaly detection model, using a one class support vector machine (OCSVM), is able to detect malicious control instructions by analyzing the key field in Ethernet/IP packets. The confusion matrix is selected to testify to the effectiveness of the proposed method, and two other innovative IDSs are used for comparison. The experiment results show that the proposed two stage IDS in this paper has an outstanding performance in detecting infiltration attacks, forging attacks, and false data injection attacks compared with other IDSs.

段海新,吴建平

DOI: https://doi.org/10.13328/j.cnki.jos.2001.09.015

2001-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:An integrative taxonomy for intrusion detection technologies is proposed, which can specify accurately existing intrusion detection methods. Aiming at multiple-domain environments, a distributed cooperative intrusion detection system (DCIDS) is designed, which implements cooperative intrusion detection through efficient, secure information exchange among IDSes in different domain. The architecture of intrusion detection systems is described, as well as its four components: sensor, analyzer, manager and user-interface. Some key issues are also discussed, including secure communication and selection of detection places.

Zhao-xin ZHANG,Bin-xing FANG,Ming-zeng HU

DOI: https://doi.org/10.3969/j.issn.1007-5321.2006.02.030

2006-01-01

Abstract:The architecture of information capture for the high-speed network environment was proposed. The different network bandwidth adaptive problem was well solved by the extensible network detection model. It has been found that real-time data stream capture from high-bandwidth networks, high-performance multi-thread TCP/IP (transmission control protocol/Internet protocol) protocol stack, and protocol analysis platform based on PLUGINs have captured and assembled the information wonderfully. The architecture integrated these technologies effectively will solve the problems such as the large-scale detection, high-speed data stream, ensuring the in-time, security and veracity of the information on multi-road and high-speed networks.

陈丽丽,李卫,管晓宏,祝春华

DOI: https://doi.org/10.3969/j.issn.1000-7180.2004.06.035

2004-01-01

Abstract:NIDS (Network Intrusion Detection System) as an important security protection tool has become a hotspot for research. We introduce the basic concept of IDS and its primary components and common classification first, then we present the framework of a net-based IDS and its implementation in detail. We put forward our views about the current research of IDS and its prospect last.

XU Ning,LAI Hai-guang,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.02.019

2006-01-01

Abstract:An improved algorithm based on the ideas of Boyer-Moore method to search for multiple patterns is presented.The application of this algorithm in a network intrusion detection system is also discussed.The experiments demonstrate good improvement in matching time.

Xiang Zhengtao,Chen Li,Dong Yabo

DOI: https://doi.org/10.3969/j.issn.1008-5483.2008.01.007

2008-01-01

Abstract:Based on the analysis of worm propagating mechanism and the framework of Bro—an intrusion detection system,the Bro-based worm detection system is designed and implemented.The failure frequency of FCC(First Contact Connections) and heavy-tailed property based worm detection algorithm is used as the kernel of the detection system.The detecting system extends the policy script interpreter of Bro,which sends the detecting results to the share memory based on the implementation of the policy script of the detecting algorithm.The results in the share memory are then sent to the monitor based on the SNMP,which is convenient for real-time monitoring the network worms.The worm detection system can detect network worm hosts quickly and accurately.

Hongmin Cai,Naiqi Wu

DOI: https://doi.org/10.1109/WCINS.2010.5541796

2010-01-01

Abstract:With the fast development of computer network, the problem of network security becomes more and more serious. The single firewall can not solve the problem entirely and an intrusion detection system is helpful. This paper presents the design and development of a distributed intrusion detection system to protect the network security. Experiments shows that it works well.

ZHANG Jun,SU Pu-rui,FENG Deng-guo

2006-01-01

Journal of Computer Applications

Abstract:The technology of Intrusion Detection is one of the important measures to protect the networks.Host-based intrusion detection is used to protect the key hosts.A flexible loading intrusion detection based on system-call was introduced in this paper.This system improved the common data collection method,and adopted virtual equipment driversto acquire system call.This method brings small influence on system,is easy to load and unload,and provides the standard interface. The data analysis integrates the two detection methods: anomaly and misuse,which provides corresponding detection models and introduces the noise filtering function.