Da-long LIU,Dong-qin FENG

DOI: https://doi.org/10.3785/j.issn.1008-973X.2018.09.014

2018-01-01

Abstract:As industrial control system is threatened by sinusoidal attack, the mathematical model was established using a typical loop of the control system; the Fourier transform and wavelet analysis was used to analyze its different characteristics in the aspect of attack ability and concealment. Then, an algorithm was developed against sinusoidal attack using multi-scale principal component analysis (MSPCA) with online implementation. Simulation of sinusoidal attack on Tenessee Eastman (TE) process show that sinusoidal attack not only causes physical damage, but also conceals the damage. When the frequency of sinusoidal attack is higher, the attack can not be detected by the traditional principal component analysis (PCA) method, meanwhile, our method can detect the attack quickly and accurately.

Dinghua Wang,Dongqin Feng

DOI: https://doi.org/10.1109/iaeac.2018.8577543

2018-01-01

Abstract:Supervisory control and data acquisition system is an important part of the country's critical infrastructure, but its inherent network characteristics are vulnerable to attack by intruders. The vulnerability of supervisory control and data acquisition system was analyzed, combining common attacks such as information scanning, response injection, command injection and denial of service in industrial control systems, and proposed an intrusion detection model based on graphical features. The time series of message transmission were visualized, extracting the vertex coordinates and various graphic area features to constitute a new data set, and obtained classification model of intrusion detection through training. An intrusion detection experiment environment was built using tools such as MATLAB and power protocol testers. IEC 60870-5-104 protocol which is widely used in power systems had been taken as an example. The results of tests have good effectiveness.

Xianjing Li,Dongqin Feng

DOI: https://doi.org/10.1109/iciscae48440.2019.221645

2019-01-01

Abstract:Currently, the industrial control systems (ICS) have faced many changeable and complexed attacks. Apart from normal attack, there are also many variations, which put ICS into a huge hidden danger. Under this circumstance, the traditional detection techniques cannot identify the special variation types of attacks, effectively, comprehensively nor accurately. Therefore, a detection method named principal component analysis (PCA) with cosine similarity and support vector machine (SVM) is proposed. Moreover, the method is applied to detect the square wave attack in ICS. The detection method is executed as follows. Firstly, the raw signals are classified, by selecting proper length. Secondly, PCA method are used to reduce the dimension. Based on the first normal signal, the cosine similarity coefficients between the first normal part and the rest are calculated. Hence, the attack-feature vectors are composed by similarity coefficients. Next, data after that is selected to serve as the SVM training sample, replenishing the attack features. As for simulation, the cascade control loop of a typical industrial control system is chosen. The results show that the method can detect the signals, timely and accurately, no matter periodic square wave attack or aperiodic. For system, the proposed method and model can judge the security state of ICS. Above all, this method provides accurate decision-making suggestions to security management personnel.

Yanjie Li,Xiaoyu Ji,Chenggang Li,Xiaofeng Xu,Wei Yan,Xu Yan,Yanjiao Chen,Wenyuan Xu

DOI: https://doi.org/10.1109/iceiec49280.2020.9152334

2020-01-01

Abstract:In recent years, artificial intelligence has been widely used in the field of network security, which has significantly improved the effect of network security analysis and detection. However, because the power industrial control system is faced with the problem of shortage of attack data, the direct deployment of the network intrusion detection system based on artificial intelligence is faced with the problems of lack of data, low precision, and high false alarm rate. To solve this problem, we propose an anomaly traffic detection method based on cross-domain knowledge transferring. By using the TrAdaBoost algorithm, we achieve a lower error rate than using LSTM alone.

Wei Wang,Xiaohong Guan,Xiangliang Zhang

DOI: https://doi.org/10.1016/j.comcom.2007.10.010

IF: 5.047

2008-01-01

Computer Communications

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework. Most current intrusion detection models lack the ability to process massive audit data streams for real-time anomaly detection. In this paper, we present an effective anomaly intrusion detection model based on Principal Component Analysis (PCA). The model is more suitable for high speed processing of massive data streams in real-time from various data sources by considering the frequency property of audit events than by use of the transition property or the correlation property. It can serve as a general framework that a practical Intrusion Detection Systems (IDS) can be implemented in various computing environments. In this method, a multi-pronged anomaly detection model is used to monitor various computer system and network behaviors. Three sources of data, system call data from the University of New Mexico (lpr) and from KLINNS Lab of Xi'an Jiaotong University (ftp), shell command data from AT&T Research laboratory, and network data from MIT Lincoln Lab, are used to validate the model and the method. The frequencies of individual system calls generated by one process and of individual commands embedded in one command block as well as features extracted in one network connection are transformed into an input data vector. Our method is employed to reduce the high dimensional data vectors and thus the detection is handled in a lower dimension with high efficiency and low use of system resources. The distance between a vector and its reconstruction in the reduced subspace is used for anomaly detection. Empirical results show that our model is promising in terms of detection accuracy and computational efficiency, and thus amenable for real-time intrusion detection.

Wei Liang,Kuan-Ching Li,Jing Long,Xiaoyan Kui,Albert Y. Zomaya

DOI: https://doi.org/10.1109/tii.2019.2946791

IF: 12.3

2020-03-01

IEEE Transactions on Industrial Informatics

Abstract:Industrial networks are complex and diverse. Among existing intrusion prevention systems available, several of them have problems such as low detection accuracy rate, high false positive (FP) rate, and low real-time performance for impersonation attacks. To address such issues, it is proposed in this article an industrial network intrusion detection algorithm based on multifeature data clustering optimization model, where the weighted distances and security coefficients of data are classified based on the priority threshold of data attribute feature for each node in the network, given that the data modules in the industrial network environment are diverse and easy to diagnose, restore, and rebuild. The proposed algorithm can effectively improve the detection rate and real-time performance of detecting abnormal behavior for the multifeature data in industrial networks. The novel features are twofold, to rapidly select a node with high-security coefficient as the cluster center, and match the multifeature data around the center into a cluster. Experimental results show that the proposed algorithm has good superiority in terms of detection rate and time compared to other algorithms. In the industrial network, the detection accuracy of abnormal data reaches 97.8, and the FP of detection is decreased by 8.8.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Jianlei Gao,Senchun Chai,Baihai Zhang,Yuanqing Xia

DOI: https://doi.org/10.3390/en12071223

IF: 3.2

2019-03-29

Energies

Abstract:Recently, network attacks launched by malicious attackers have seriously affected modern life and enterprise production, and these network attack samples have the characteristic of type imbalance, which undoubtedly increases the difficulty of intrusion detection. In response to this problem, it would naturally be very meaningful to design an intrusion detection system (IDS) to effectively and quickly identify and detect malicious behaviors. In our work, we have proposed a method for an IDS-combined incremental extreme learning machine (I-ELM) with an adaptive principal component (A-PCA). In this method, the relevant features of network traffic are adaptively selected, where the best detection accuracy can then be obtained by I-ELM. We have used the NSL-KDD standard dataset and UNSW-NB15 standard dataset to evaluate the performance of our proposed method. Through analysis of the experimental results, we can see that our proposed method has better computation capacity, stronger generalization ability, and higher accuracy.

energy & fuels

Jiang Shan,Chen Changai

DOI: https://doi.org/10.2991/isrme-15.2015.109

2015-01-01

Abstract:The security of software applications, from web-based applications to mobile services, is always at risk because of the open society of internet. With the increase in the number of network throughput and security threats, intrusion detection system has attracted much attention in recent years. In this paper, we undertake the research on the principle techniques for network intrusion detection based on data mining and analysis approach. We adopt the prior knowledge on Bayesian network which is a directed acyclic graph, each node represents a random variable and an edge said direct probabilistic dependencies between two connected nodes. Then, we use the traditional risk assessment model to measure the possibility of being hearted. The numeric analysis and experimental illustration indicates the effectiveness of our method compared with other popular adopted state-of-the-art methodologies. In the future, we plan to introduce the graph and complex network theory into our prototype system to enhance the performance.

Wen-Lin Chu,Chih-Jer Lin,Ke-Neng Chang

DOI: https://doi.org/10.3390/app9214579

2019-10-28

Applied Sciences

Abstract:Traditional network attack and hacking models are constantly evolving to keep pace with the rapid development of network technology. Advanced persistent threat (APT), usually organized by a hacker group, is a complex and targeted attack method. A long period of strategic planning and information search usually precedes an attack on a specific goal. Focus is on a targeted object and customized specific methods are used to launch the attack and obtain confidential information. This study offers an attack detection system that enables early discovery of the APT attack. The system uses the NSL-KDD database for attack detection and verification. The main method uses principal component analysis (PCA) for feature sampling and the enhancement of detection efficiency. The advantages and disadvantages of using the classifiers are then compared to detect the dataset, the classifier supports the vector machine, naive Bayes classification, the decision tree and neural networks. Results of the experiments show the support vector machine (SVM) to have the highest recognition rate, reaching 97.22% (for the trained subdata A). The purpose of this study was to establish an APT early warning model mechanism, that could be used to reduce the impact and influence of APT attacks.

Sun Haoliang,Wang Dawei,Zhang Ying

DOI: https://doi.org/10.1109/iccsn.2019.8905286

2019-01-01

Abstract:Nowadays, a major challenge to network security is malicious codes. However, manual extraction of features is one of the characteristics of traditional detection techniques, which is inefficient. On the other hand, the features of the content and behavior of the malicious codes are easy to change, resulting in more inefficiency of the traditional techniques. In this paper, a K-Means Clustering Analysis is proposed based on Adaptive Weights (AW-MMKM). Identifying malicious codes in the proposed method is based on four types of network behavior that can be extracted from network traffic, including active, fault, network scanning, and page behaviors. The experimental results indicate that the AW-MMKM can detect malicious codes efficiently with higher accuracy.

Tao Feng,Manfang Dou

DOI: https://doi.org/10.1007/s10489-020-02090-8

IF: 5.3

2021-01-06

Applied Intelligence

Abstract:In view of the difficulty of existing intrusion detection methods in dealing with new forms, large scale, and high concealment of network intrusion behaviors, this paper presents a weighted intrusion detection model of the dynamic selection (WIDMoDS) based on data features. The aim is to customize intrusion detection models for network intrusion data sets of different types, sizes and structures. First, according to data features, single classifiers are clustered using a hierarchical clustering algorithm based on the classifiers evaluation indicators, and then, the classifiers selection is by means of accuracy of the single classifiers, in addition, the data-classifier applicable indicators (DCAI) and of the classifiers performances are used for calculating the weights of subjective and objective, and then calculating combined weight ranks. Finally, a custom intrusion detection model is generated by the Weight-voting (W-voting) algorithm. Our experiments show that this model can optimize the number of classifiers based on the data sets features, reduce the problem of redundant or insufficient classifiers in the ensemble process. A new network intrusion detection model of combining the classifier characteristics with the dataset attributes can improve the accuracy of intrusion detection.

computer science, artificial intelligence

Lu Guang,Yu Fei,Guangxue Yue,Miaoliang Zhu

DOI: https://doi.org/10.1109/imsccs.2006.287

2006-01-01

Abstract:The research community is interested in finding effective methods to detect network traffic anomalies such as the propagation of a new worm, and to raise alarm in time. In this paper we research the principle that the number of network traffic can affect self-similarity of network traffics, and analyze the variety of self-similarity caused by abnormal network traffic. We propose a network traffic model on normal behaviors of users. An approach, which is applied to determine whether or not abnormal network traffic exists by comparing Hurst parameter with predefined threshold, is also presented. At last, implementation of network worm detecting agent in NP is described. Results of evaluation show that detecting agent performs very well in test-bed.

Zhisheng Zhang,Xuejun Zhu,Jionghua Jin

DOI: https://doi.org/10.1109/CONIELECOMP.2007.99

2007-01-01

Abstract:The design of multivariate control charts for automatic anomaly detection in computer networks is a challenging research issue due to the complexity of the data structure of the network operational data. In general, the design of statistical multivariate control charts is limited to a Gaussian distribution assumption or a pre-known probability distribution model, which is hardly applicable to the computer operation data. The paper is motivated by this timely need to develop SVC (support vector clustering) based multivariate control charts, which do not require the data to have a pre-known probability distribution model. The proposed method is validated through the simulations by comparing with the popularly used statistical T2 multivariate control charts. The effectiveness of the method is also demonstrated through automatic anomaly detection of typical computer intrusions.

Rula Abdulwahid Mohammed,Youssef A. Bazzi

DOI: https://doi.org/10.47001/irjiet/2024.802001

2024-01-01

International Research Journal of Innovations in Engineering and Technology

Abstract:The ever-evolving cybersecurity sector requires robust intrusion detection systems (IDS). Traditional rules-based measures are no longer sufficient due to the complexity of cyber threats, requiring new approaches. This study presents the architecture of an intrusion detection system combining machine learning and principal component analysis (PCA) to increase network security. A network traffic classification system was built and tested on the NSL-KDD dataset and used PCA for dimensionality reduction. The results were cross-validated to reduce overfitting and ensure generalizability of the model. Low-variance precision refers to the consistency of the cross-validation fold. The combination of PCA and machine learning models exceeds previous studies with an F1 score for the random forest model of over 99%. The study improves intrusion detection and network protection against cyber-attacks.

Jingcheng Zhao,Xiaomeng Li,Yaofu Cao,Junwen Liu,Junlu Yan,Chengwei Li

DOI: https://doi.org/10.1088/1742-6596/2078/1/012067

2021-11-01

Journal of Physics: Conference Series

Abstract:Abstract In recent years, international industrial control network security incidents have occurred frequently. As a core component of the industrial control field, intelligent power control systems are increasingly threatened by external network attacks. Based on the current research status of power industrial control network security, closely combining the development of active monitoring and defense technology in the public network field and the problems encountered by network security operators in actual work, this paper uses data mining methods to study the power control system network security situation awareness technology. Combing operational data collection and integrated processing, situation index screening and extraction, we use wavelet neural network analysis method to train the sampled data set, and finally calculate the true value of the network security status through deep intelligent learning. Finally, we conclude that the artificial intelligence algorithm based on wavelet neural network can be used for power control system network security situation awareness. In actual work, it can predict the situation value for a period of time in the future and assist network security personnel in judgment and decision-making.

Wonsik Nam,Han-Jin Cho,

DOI: https://doi.org/10.30693/smj.2024.13.3.45

2024-03-29

Korean Institute of Smart Media

Abstract:In today's growing threat environment, rapid and effective detection and response to security events is essential. To solve these problems, many companies and organizations respond to security threats by introducing security control systems. However, existing security control systems are experiencing difficulties due to the complexity and diverse characteristics of security events. In this study, we propose an automated integrated security control system model based on artificial intelligence. It is based on deep learning, an artificial intelligence technology, and provides effective detection and processing functions for various security events. To this end, the model applies various artificial intelligence algorithms and machine learning methods to overcome the limitations of existing security control systems. The proposed model reduces the operator's workload, ensures efficient operation, and supports rapid response to security threats.

Dongpo Wang,Chengli Zhao,Xue Zhang,Boyu Liu,Xiang Li,Dongyun Yi

DOI: https://doi.org/10.1088/1742-6596/1693/1/012050

2020-01-01

Journal of Physics Conference Series

Abstract:With the increasing network threat, network anomaly detection has become a very challenging and indispensable task. In this article, we propose an anomaly detection algorithm through modeling computer network as temporal network. The active subnetwork is extracted from the original computer communication network and then projected to an undirected weighted network series, finally the abnormal behavior patterns of network series are detected based on eigenvectors. Data test experiment shows that the proposed algorithm has achieved very good results.

Zhenhui Wang,Dezhi Han,Ming Li,Han Liu,Mingming Cui

DOI: https://doi.org/10.1080/09540091.2022.2051434

2022-04-07

Connection Science

Abstract:Network abnormal traffic detection can monitor the network environment in real time by extracting and analysing network traffic characteristics, and plays an important role in network security protection. In order to solve the problems that the existing detection methods cannot fully learn the spatio-temporal characteristics of data, the classification accuracy is not high, and the detection time and accuracy are susceptible to the influence of redundant data in the sample. Thus, this paper proposes a network abnormal detection method (PCSS) integrating principal component analysis (PCA) and single-stage headless face detector algorithms (SSH). PCSS applies the PCA algorithm to the data preprocessing to eliminate the interference of redundant data. At the same time, PCSS also combines feature fusion and SSH to enhance the feature extraction of unclear features data, and effectively improve the detection speed and accuracy. Simulation experiments based on IDS2017 and IDS2012 data sets are carried out in this paper. Experimental results show that PCSS is obviously superior to other detection models in detection speed and accuracy, which provides a new method for efficiently detecting traffic attacks.

computer science, artificial intelligence, theory & methods

Jionghua Jin,Xuejun Zhu

2006-01-01

Abstract:The intrusion detection in computer networks is a complex research problem, which requires the understanding of computer networks and the mechanism of intrusions, the configuration of sensors and the collected data, the selection of the relevant attributes, and the monitor algorithms for online detection. It is critical to develop general methods for data dimension reduction, effective monitoring algorithms for intrusion detection, and means for their performance improvement. This dissertation is motivated by the timely need to develop statistics-based machine learning methods for effective detection of computer network anomalies. Three fundamental research issues related to data dimension reduction, control charts design and performance improvement have been addressed accordingly. The major research activities and corresponding contributions are summarized as follows: (1) Filter and Wrapper models are integrated to extract a small number of the informative attributes for computer network intrusion detection. A two-phase analyses method is proposed for the integration of Filter and Wrapper models. The proposed method has successfully reduced the original 41 attributes to 12 informative attributes while increasing the accuracy of the model. The comparison of the results in each phase shows the effectiveness of the proposed method. (2) Supervised kernel based control charts for anomaly intrusion detection. We propose to construct control charts in a feature space. The first contribution is the use of multi-objective Genetic Algorithm in the parameter pre-selection for SVM based control charts. The second contribution is the performance evaluation of supervised kernel based control charts. (3) Unsupervised kernel based control charts for anomaly intrusion detection. Two types of unsupervised kernel based control charts are investigated: Kernel PCA control charts and Support Vector Clustering based control charts. The applications of SVC based control charts on computer networks audit data are also discussed to demonstrate the effectiveness of the proposed method. Although the developed methodologies in this dissertation are demonstrated in the computer network intrusion detection applications, the methodologies are also expected to be applied to other complex system monitoring, where the database consists of a large dimensional data with non-Gaussian distribution.