曾剑平,郭东辉

DOI: https://doi.org/10.19884/j.1672-5220.2007.02.028

2007-01-01

Abstract:Markov model is usually selected as the base model of user action in the intrusion detection system （IDS）. However, the performance of the IDS depends on the status space of Markov model and it will degrade as the space dimension grows. Here, Markov Graph Model （MGM） is proposed to handle this issue. Specification of the model is described, and several methods for probability computation with MGM are also presented. Based on MGM, algorithms for building user model and predicting user action are presented. And the performance of these algorithms such as computing complexity, prediction accuracy, and storage requirement of MGM are analyzed.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Qiumei Cheng,Chunming Wu,Bin Hu,Dezhang Kong,Boyang Zhou

DOI: https://doi.org/10.1109/globecom38437.2019.9013291

2019-01-01

Abstract:The intrusion response system is dedicated to automatically respond to sophisticated network intrusions, which is a sequential decision-making problem for autonomous agents. The current Markov decision process (MDP) or stochastic games based solutions suffer from several weaknesses: (i) The MDPbased approach is unable to explicitly model the opponents; (ii) The Nash equilibrium approach of stochastic games cannot handle the condition with multi equilibria. Existing studies have not considered the cognitive ability of the agent and lack of explicit opponent modeling. Inspired by recursive reasoning, this paper introduces a theory of mind (ToM)-based stochastic game-theoretic approach to reason about the beliefs and behaviors of the attackers. Each agent maintains different order ToM beliefs concerning his opponent with explicit opponent modeling. In order to accurately predict the attacker's action with nested beliefs, we utilize the Bayesian attack graph (BAG) to model multi-step attacks scenarios. In addition, the agent is allowed to learn from new information to adjust his beliefs and learning speed. Simulation results validate that ToM modeling performs well in the intrusion response system than random defense actions. Besides, a defender with first-order ToM beliefs always wins an attacker with zero-order ToM beliefs.

Xinmiao Zhang

DOI: https://doi.org/10.2478/amns.2023.1.00434

2023-06-21

Applied Mathematics and Nonlinear Sciences

Abstract:Abstract In the era of people’s access to information, the network has undergone tremendous development, the connection patterns of network attacks have become endless, and the number of attack network methods is increasing year by year. Based on the Markov model, the author studies the problem of network security authentication and aims to determine the truth of network security. In this way, network security managers can identify current network security issues, and we can gain a better understanding of the current network situation so that we can update our current security network promptly. The development process proposed by the author is simulated and the obtained results are all compared and evaluated. The experimental results show that the hidden Markov model algorithm is improved, the network security situation is better recognized, and the accuracy of the n network security problem is better known. At the same time, it is known to predict network security problems in the future according to the application model of predicting network security problems. Tests have shown that the development process is feasible and effective.

WEI WANG,XIAO-HONG GUAN,XIANG-LIANG ZHANG

DOI: https://doi.org/10.1109/ICMLC.2004.1378514

2004-01-01

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework and a hot topic in computer network security in recent years. In this paper, a new efficient intrusion detection method based on hidden Markov models (HMMs) is presented. HMMs are applied to model the normal program behaviors using traces of system calls issued by processes. The output probability of a sequence of system calls is calculated by the normal model built. If the probability of a sequence in a trace is below a certain threshold, the sequence is flagged as a mismatch. If the ratio between the mismatches and all the sequences in a trace exceeds another threshold, the trace is then considered as a possible intrusion. The method is implemented and tested on the sendmail system call data from the University of New Mexico. Experimental results show that the performance of the proposed method in intrusion detection is better than other methods.

Gauri Kalnoor,S. Gowrishankar

DOI: https://doi.org/10.1007/s41870-021-00748-1

2021-09-24

International Journal of Information Technology

Abstract:Significant growth of smart home devices is adopted, which provides security, convenience, and energy efficiency for users, in recent years. As an instance, consider a secured smart camera that detects movements of unauthorized objects, whereas the fire accidents can be detected by smoke sensors. Though, a surface for new cyber threats is some of the most recent examples that are open up in this field. Furthermore, recent examples also show that the distributed denial of service (DDoS) attacks are performed by misusing the smart devices which are hacked violating the privacy rules. In this proposed work, the application of machine learning in an environment of smart homes is explored so that the anomalous activities that occur can be identified. The sensor data at the network level is trained using a model based on the Markov chain known as hidden Markov model (HMM) and is created using smart devices and multiple sensors from a testbed. The model generated using HMM achieves 97% accuracy while detecting potential anomalies where attacks are indicated. In this approach, we construct the model and differentiate the analysed results with existing techniques. The starting step for securing IoT networks is intrusion detection and the next step is the intruders prediction which provides an active defence against the incoming attacks. The model employs an algorithm that does not depend on specific domain knowledge. The work has achieved an improvement in prediction accuracy of 5% for an alert category over the current variable length methods of Markov chain intrusion prediction, as they provided information more for a possible defence. The DDoS attack is considered as a coordinated attack mainly carried out based on a large scale depending on whether the target system’s resources or services are available. Thus, the novel approach also describes a novel machine learning-based technique using an algorithm known as variational dynamic Bayesian algorithm which helps to obtain a HMM with the number of parameters and model states which are optimized for the prediction of a DDoS attack. This procedure conquers the speed of a moderate combination HMM approach.

Zhaocui Li,Huichuan Liu,Chunyan Wu

DOI: https://doi.org/10.1080/23742917.2022.2120293

2022-09-10

Journal of Cyber Security Technology

Abstract:The traditional security detection and defense methods are relatively backward, and there are many problems, such as high false alarm and missed alarm rate, and detection lag, which have been difficult to meet the requirements of computer security defense. In order to strengthen the active defense of computer network security and improve the classification and prediction performance of computer network security events, a computer network security risk assessment model based on mrmr Ig feature selection model and attack graph model is proposed. The mrmr Ig feature selection model is used to classify the characteristics of security events, and the hidden Markov chain model and attack graph model are used to predict the attack intention. The experimental results show that the classification accuracy rate of the model is 99.79%, the false alarm rate and the false alarm rate are 0.11% and 0.18%, respectively. The model can accurately predict attacks in real time, and can provide reference for timely taking targeted computer network security reinforcement and active defense measures.

Ying Chen,Junho Hong,Chen-Ching Liu

DOI: https://doi.org/10.1109/tsg.2016.2614603

IF: 10.275

2018-01-01

IEEE Transactions on Smart Grid

Abstract:Cyber intrusions to substations are critical issues to a power grid, which must be defended and mitigated. Essentially, to better understand a cyber intrusion, reconnaissance activities should be modeled. Then, strategies of cyber attacker and defender can be studied, which help to identify substations vulnerable to cyber-attacks. In this paper, a successful intrusion is regarded as a probabilistic event related to reconnaissance activities. Its probability can be approximated by the Poisson distribution of the number of vulnerabilities discovered by the attacker. Furthermore, models of intrusion and defense in competition for control of the substations are proposed using Markov decision process (MDP). Key characteristics of target substation, attacker and defender are considered for determining probabilistic state transitions related to intrusion and defense actions. Thus, by solving the MDP models, the optimal strategies (action policies) of both the attacker and defender can be obtained. With these optimal strategies, the cyber security status of a substation can be evaluated within varied time frames. The case study validates the proposed models and method, including time-based strategies of the attacker and defender.

DOI: https://doi.org/10.36652/0869-4931-2024-78-5-230-234

2024-01-01

Abstract:Attack graphs are a popular area of research that display all the paths an trespasser can take to penetrate a network. Existing graph generation methods rely heavily on expert opinion regarding network vulnerabilities and topology. An intrusion detection system based on graph-directed analytics of the big data analytics, which is based on machine learning, is proposed, which made it possible to obtain good accuracy results and a high level of attack detection during its testing. Keywords attack, graph, detection, machine learning, network

Xiaoxue Ma,Yun Li,Yan Gao

DOI: https://doi.org/10.1007/s11276-023-03382-w

IF: 2.701

2023-06-14

Wireless Networks

Abstract:For the current problems of complex network state, difficulty in fast response to intrusion and poor adaptation of response decision in fog computing environment, in this paper, we propose an intrusion response decision method based on a combination of deep learning and reinforcement learning based on game theory (Minimax-DQN). First, a Markov game is used as the standard to construct the intrusion response decision model in the fog computing environment. Second, two different sets of random variables are defined considering the possible behavioral choices taken by the attacker and the fog computing intrusion detection systems (FC-IDS), and the continuous state space formed by the game between the attacker and the FC-IDS is processed using a deep Q-network. Finally, the Minimax algorithm is used to solve the optimal value function in a specific state, and the best intrusion response strategy is obtained according to the training output after the training is completed. Three sets of experiments are conducted to compare the results of the Minimax-DQN algorithm, the DQN algorithm and the random strategy. The experimental results data prove that the model and the proposed algorithm can greatly improve the probability of IDS winning in the game process with the attacker, and thus effectively solve the problem of intrusion response decision in fog environment.

computer science, information systems,telecommunications,engineering, electrical & electronic

Chao Wang,Yunxiao Sun,Sicai Lv,Chonghua Wang,Hongri Liu,Bailing Wang

DOI: https://doi.org/10.3390/electronics12040930

IF: 2.9

2023-02-13

Electronics

Abstract:Intrusion detection systems (IDSs) play a significant role in the field of network security, dealing with the ever-increasing number of network threats. Machine learning-based IDSs have attracted a lot of interest owing to their powerful data-driven learning capabilities. However, it is challenging to train the supervised learning algorithms when there are no attack data at hand. Semi-supervised anomaly detection algorithms, which train the model with only normal data, are more suitable. In this study, we propose a novel semi-supervised anomaly detection-based IDS that leverages the capabilities of representation learning and two anomaly detectors. In detail, the autoencoder (AE) is applied to extract representative features of normal data in the first step, and then two semi-supervised detectors, the one-class support vector machine (OCSVM) and Gaussian mixture model (GMM), are trained on the derived features. The two detectors collaborate to detect anomalous samples. The OCSVM predicts the abnormal samples initially, and after that, the GMM is applied to recheck the misclassified samples further. The experiments demonstrate that the AE improves the detection rate, and two detectors are more promising than a single one.

engineering, electrical & electronic,computer science, information systems,physics, applied

Anmin Xie,Cong Tang,Nike Gui,Zhuhua Cai,Jian-bin Hu,Zhong Chen

DOI: https://doi.org/10.1109/ICC.2010.5502655

2010-01-01

Abstract:To protect our networks against malicious intrusions, we need to evaluate these networks security. Previous works on attack graphs have provided meaningful conclusions on security measurement. However, large attack graphs are still hard to be understood vividly, and few suggestions have been proposed to prevent inside malicious attackers from attacking networks. To address these problems, we propose a novel approach to evaluate network security based on adjacency matrixes, which are constructed from existing attack graphs. With our model, we use gray scale images to show overall security vividly, and get quantitative evaluation scores. Moreover, we create a prioritized list of potential threatening hosts, which can help network administrators to harden network step by step. Analysis on computation cost shows that the upper bound computation cost of our measurement methodology is O(N3), which could be completed in real time. We also give an example to show how to put our methods in practice.

Delu Li

DOI: https://doi.org/10.2478/amns.2023.1.00001

2023-04-28

Applied Mathematics and Nonlinear Sciences

Abstract:Abstract With the advent of technological society, data and intelligence have become the directional trend of development, and the network security of smart campus has become the focus of public attention day by day. The personalization of college students and the development of intelligent analytics have brought about a whole new change in privacy protection. The intertwining of campus networks and privacy protection is a complex and very real issue, and research based on the privacy protection of college students has become more urgent. Using Markov model as a computational analysis tool, this paper deeply investigates the security and usage degree of smart campus network security technology, and it propose a complete Markov- network security technology system. The calculation shows that the intrusion detection system has the highest security of 51% and the widest usage of 63%. This is followed by firewall technology with 19% security and 26% usage. Based on the above techniques, the system security of the proposed Markov-network security technique is 57%, which is much better than the 43% of the traditional network model.

Jing Xu,Christian R. Shelton

DOI: https://doi.org/10.1613/jair.3050

2014-01-16

Abstract:Intrusion detection systems (IDSs) fall into two high-level categories: network-based systems (NIDS) that monitor network behaviors, and host-based systems (HIDS) that monitor system calls. In this work, we present a general technique for both systems. We use anomaly detection, which identifies patterns not conforming to a historic norm. In both types of systems, the rates of change vary dramatically over time (due to burstiness) and over components (due to service difference). To efficiently model such systems, we use continuous time Bayesian networks (CTBNs) and avoid specifying a fixed update interval common to discrete-time models. We build generative models from the normal training data, and abnormal behaviors are flagged based on their likelihood under this norm. For NIDS, we construct a hierarchical CTBN model for the network packet traces and use Rao-Blackwellized particle filtering to learn the parameters. We illustrate the power of our method through experiments on detecting real worms and identifying hosts on two publicly available network traces, the MAWI dataset and the LBNL dataset. For HIDS, we develop a novel learning method to deal with the finite resolution of system log file time stamps, without losing the benefits of our continuous time model. We demonstrate the method by detecting intrusions in the DARPA 1998 BSM dataset.

Artificial Intelligence,Cryptography and Security

Xiaofan Zhou,Simon Yusuf Enoch,Dong Seong Kim

DOI: https://doi.org/10.48550/arXiv.2207.05436

2022-07-12

Cryptography and Security

Abstract:It is challenging for a security analyst to detect or defend against cyber-attacks. Moreover, traditional defense deployment methods require the security analyst to manually enforce the defenses in the presence of uncertainties about the defense to deploy. As a result, it is essential to develop an automated and resilient defense deployment mechanism to thwart the new generation of attacks. In this paper, we propose a framework based on Markov Decision Process (MDP) and Q-learning to automatically generate optimal defense solutions for networked system states. The framework consists of four phases namely; the model initialization phase, model generation phase, Q-learning phase, and the conclusion phase. The proposed model collects real network information as inputs and then builds them into structural data. We implement a Q-learning process in the model to learn the quality of a defense action in a particular state. To investigate the feasibility of the proposed model, we perform simulation experiments and the result reveals that the model can reduce the risk of network systems from cyber attacks. Furthermore, the experiment shows that the model has shown a certain level of flexibility when different parameters are used for Q-learning.

Ankur Chowdhary,Sailik Sengupta,Adel Alshamrani,Dijiang Huang,Abdulhakim Sabur

DOI: https://doi.org/10.1109/iccnc.2019.8685647

2019-02-01

Abstract:Large scale cloud networks consist of distributed networking and computing elements that process critical information and thus security is a key requirement for any environment. Unfortunately, assessing the security state of such networks is a challenging task and the tools used in the past by security experts such as packet filtering, firewall, Intrusion Detection Systems (IDS) etc., provide a reactive security mechanism. In this paper, we introduce a Moving Target Defense (MTD) based proactive security framework for monitoring attacks which lets us identify and reason about multi-stage attacks that target software vulnerabilities present in a cloud network. We formulate the multi-stage attack scenario as a two-player zero-sum Markov Game (between the attacker and the network administrator) on attack graphs. The rewards and transition probabilities are obtained by leveraging the expert knowledge present in the Common Vulnerability Scoring System (CVSS). Our framework identifies an attacker’s optimal policy and places countermeasures to ensure that this attack policy is always detected, thus forcing the attacker to use a sub-optimal policy with higher cost.

Yuxiang Li,Haiming Wang,Hongkui Yu,Changquan Ren,Qingjia Geng

DOI: https://doi.org/10.4304/jnw.8.6.1322-1328

2013-01-01

Abstract:According to the 31th statistical reports of China Internet network information center (CNNIC), by the end of December 2012, the number of Chinese netizens has reached 564 million, and the scale of mobile Internet users also reached 420 million. But when the network brings great convenience to people's life, it also brings huge threat in the life of people. So through collecting and analyzing the information in the computer system or network we can detect any possible behaviors that can damage the availability, integrity and confidentiality of the computer resource, and make timely treatment to these behaviors which have important research significance to improve the operation environment of network and network service. At present, the Neural Network, Support Vector machine (SVM) and Hidden Markov Model, Fuzzy inference and Genetic Algorithms are introduced into the research of network intrusion detection, trying to build a healthy and secure network operation environment. But most of these algorithms are based on the total sample and it also hypothesizes that the number of the sample is infinity. But in the field of network intrusion the collected data often cannot meet the above requirements. It often shows high latitudes, variability and small sample characteristics. For these data using traditional machine learning methods are hard to get ideal results. In view of this, this paper proposed a Generalized Multi-Kernel Learning method to applied to network intrusion detection. The Generalized Multi-Kernel Learning method can be well applied to large scale sample data, dimension complex, containing a large number of heterogeneous information and so on. The experimental results show that applying GMKL to network attack detection has high classification precision and low abnormal practical precision.

Udaya Sampath K. Perera Miriya Thanthrige,Jagath Samarabandu,Xianbin Wang

DOI: https://doi.org/10.48550/arXiv.1610.07276

2016-10-24

Abstract:Intrusion detection is only a starting step in securing IT infrastructure. Prediction of intrusions is the next step to provide an active defense against incoming attacks. Current intrusion prediction methods focus mainly on prediction of either intrusion type or intrusion category and do not use or provide contextual information such as source and target IP address. In addition most of them are dependant on domain knowledge and specific scenario knowledge. The proposed algorithm employs a bag-of-words model together with a hidden Markov model which not depend on specific domain knowledge. Since this algorithm depends on a training process it is adaptable to different conditions. A key advantage of the proposed algorithm is the inclusion of contextual data such as source IP address, destination IP range, alert type and alert category in its prediction, which is crucial for an eventual response. Experiments conducted using a public data set generated over 2500 alert predictions and achieved accuracy of 81% and 77% for single step and five step predictions respectively for prediction of the next alert cluster. It also achieved an accuracy of prediction of 95% and 92% for single step and five step predictions respectively for prediction of the next alert category. The proposed methods achieved a prediction accuracy improvement of 5% for alert category over existing variable length Markov chain intrusion prediction methods, while providing more information for a possible defense.

Cryptography and Security

Wei LIU,Quan-lin LI,Li RUI

DOI: https://doi.org/10.3969/j.issn.1671-1122.2015.09.011

2015-01-01

Abstract:Intrusion prevention system (IPS) is a crucial defensive measure against malicious attacks to information system. However, the improper IPS conifguration can have a negative impact on network performances in terms of end-to-end delay or packets loss. Most researchers mainly focus on putting forward new IPS and analyzing the different methodologies, but ignoring the research of quantitative analysis on IPS. By analyzing the system as a quasi-birth-and –death process, this paper obtains the steady probabilities distribution to compute some important indices by establishing a two-dimensional Markov chain model. The experimental results prove that the general analytical method can effectively evaluate the performances of IPS, and also testify the correctness of the model indirectly.

Jingyu Hua,Takashi Nishide,Kouichi Sakurai

DOI: https://doi.org/10.1109/SAINT.2010.107

2010-01-01

Abstract:Model-based intrusion detection works by comparing a process's runtime behavior with a pre-computed normal program model. This paper studies this technology from the viewpoint of abstract interpretation theory. We regard different program behavior models used to perform intrusion detection as different abstractions of the concrete trace semantics of programs. Based on this point, we formally define model-based intrusion detection and present a generic generation algorithm for program models on a provided abstraction domain. Eventually, we discuss how to use this mechanism to implement a real intrusion detection model proposed by us before.