Similar literature
20 similar documents found
1.
Several new attacks have been identified in cognitive radio networks (CRNs), such as primary user emulation, dynamic spectrum access (DSA) and jamming attacks. Such attacks can severely impact network performance, especially the overall achieved network throughput. In response, an intrusion detection system (IDS) based on anomaly and signature detection is recognized as an effective candidate solution for handling and mitigating these attacks. In this paper, we present an intrusion detection system for CRNs (CR-IDS) using the anomaly-based detection (ABD) approach. The proposed ABD algorithm can effectively detect the different types of CRN security attacks. CR-IDS contains cooperating components that provide its functions: monitoring, feature generation and selection, rule generation, a rule-based system, a detection module, an action module, impact analysis and a learning module. Our simulation results show that CR-IDS detects DSA attacks with a high detection rate and very low false negative and false positive probabilities.

2.
The main objective of this paper is to design a more complete intrusion detection system. The paper presents an efficient approach for reducing the alert rate using a divided two-part adaptive intrusion detection system (DTPAIDS). The proposed DTPAIDS has a high degree of autonomy in tracking suspicious activity and detecting true intrusions, and is designed to reduce the rate of false positive detections through two measures. The first is an adaptive self-learning neural network based on radial basis functions (RBF), which lets the system adapt automatically. The second is dividing the IDS into two parts: IDS1 is installed in front of the firewall and checks each incoming user packet, deciding whether the packet is an attack or not; IDS2 is installed behind the firewall and detects only the attacks that passed the firewall. This approach exhibits a lower false alarm rate when detecting novel attacks. The simulation tests are conducted on the DARPA 1998 dataset. The experimental results show that the proposed DTPAIDS (1) reduces the false positive rate, (2) detects intrusions sensitively and precisely, and (3) accurately self-adapts its diagnoser model, thus improving its detection accuracy.

3.
Extensive research activity has been observed on network-based intrusion detection systems (IDSs). However, there are always some attacks that penetrate traffic-profiling-based network IDSs. These attacks often cause very serious damage, such as modifying critical host files. A host-based anomaly IDS is an effective complement to the network IDS in addressing this issue. This article proposes a simple data preprocessing approach to speed up hidden Markov model (HMM) training for system-call-based anomaly intrusion detection. Experiments based on a public database demonstrate that this data preprocessing approach can reduce training time by up to 50 percent with unnoticeable degradation of intrusion detection performance, compared with a conventional batch HMM training scheme. More than 58 percent data reduction has been observed compared with our prior incremental HMM training scheme. Although this maximum gain incurs more degradation of the false alarm rate, the resulting performance is still reasonable.

4.
A hybrid neural network intrusion detection system optimized by a genetic algorithm
马海峰, 宋井峰, 岳新. 《通信技术》(Communications Technology), 2009, 42(9): 106-108
Most intrusion detection systems use a single detection mode, which makes it hard to handle missed alarms and false alarms and to recognize unknown attacks effectively. After analysing the characteristics of different types of network traffic, this paper proposes a hybrid intrusion detection system that combines a BP neural network, a genetic algorithm and Snort. It combines the advantages of anomaly detection and misuse detection and overcomes the shortcomings of a single detection mode. Experimental results show that the method effectively improves the detection rate and accuracy of the intrusion detection system.

5.
Current network-based intrusion detection systems have a very high rate of false alarms, and this phenomenon results in significant effort to gauge the threat level of anomalous traffic. In this paper, we propose an intrusion detection mechanism based on honeypot log similarity analysis and data mining techniques to predict and block suspicious flows before attacks occur. With honeypot logs and association rule mining, our approach can reduce the false alarm problem of intrusion detection because only suspicious traffic would be present in the honeypots. The proposed mechanism can reduce human effort, and the entire system can operate automatically. The results of our experiments indicate that the honeypot prediction system is practical for protecting assets from attacks or misuse.

6.
To filter false alarms out of the alert data of an intrusion detection system, 19 relevant attributes that distinguish true alerts from false alerts are derived from the root cause and timing of alerts, and a method for filtering false alerts based on rough set theory and support vector machines is proposed. The method first applies rough set theory to remove redundant attributes; the problem of filtering false alerts on the alert data set with the 10 remaining attributes is then converted into a classification problem, and a support vector machine classifier is constructed to filter the false alerts. The experiment uses alert data generated by the network intrusion detector Snort monitoring the DARPA 1999 intrusion detection evaluation data set (DARPA99). The results show that the proposed method filters out about 98% of false alerts at the cost of an increase of about 1.6% in missed alerts, which is better than the results of other methods in the literature that use the same data and the same intrusion detection system.

7.
Application of weighted association rules in network intrusion detection systems
To address the problem that applying association rule algorithms to an intrusion detection system raises the false alarm rate while improving the detection rate, a weighted association rule algorithm is applied to the mining of intrusion patterns, which improves the detection rate to a certain extent and lowers the false alarm rate. On this basis, the architecture of a network intrusion detection system using the weighted association rule algorithm is proposed.
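
Added example for items 5 and 7 above, written for this page rather than taken from either paper: Apriori frequent-itemset mining over honeypot session records, rule extraction with support and confidence, and an item-weight score used to rank the rules, plus the prediction step that would feed a blocking policy. The session records, the item weights and the "confidence times mean item weight" ranking are assumptions for illustration; the abstracts do not give the papers' exact weighting scheme.

```python
"""Association-rule mining over honeypot session records (added example)."""
from itertools import combinations

# Constructed honeypot sessions, one set of attribute=value items each
# (illustrative, not real honeypot logs).
SESSIONS = [
    frozenset({"dst_port=22", "user=root", "auth=fail", "attempts>10"}),
    frozenset({"dst_port=22", "user=root", "auth=fail", "attempts>10"}),
    frozenset({"dst_port=22", "user=admin", "auth=fail", "attempts>10"}),
    frozenset({"dst_port=22", "user=root", "auth=fail"}),
    frozenset({"dst_port=23", "user=root", "auth=fail", "attempts>10"}),
    frozenset({"dst_port=80", "path=/wp-login.php", "auth=fail"}),
    frozenset({"dst_port=80", "path=/wp-login.php"}),
    frozenset({"dst_port=22", "user=root", "auth=fail", "attempts>10"}),
]

# Assumed analyst-assigned item weights (how strongly an item indicates attack
# behaviour); items not listed get DEFAULT_WEIGHT.
ITEM_WEIGHTS = {"attempts>10": 1.0, "user=root": 0.8, "dst_port=22": 0.6, "auth=fail": 0.4}
DEFAULT_WEIGHT = 0.5


def support(itemset, sessions):
    """Fraction of sessions that contain every item of `itemset`."""
    itemset = frozenset(itemset)
    return sum(1 for s in sessions if itemset <= s) / len(sessions)


def apriori(sessions, min_support, max_len=3):
    """Level-wise frequent-itemset mining. Plain support is anti-monotone, so a
    k-itemset is only a candidate if all of its (k-1)-subsets were frequent."""
    items = sorted({i for s in sessions for i in s})
    level = [frozenset([i]) for i in items if support([i], sessions) >= min_support]
    frequent = {fs: support(fs, sessions) for fs in level}
    k = 2
    while level and k <= max_len:
        prev = set(level)
        candidates = {a | b for a in level for b in level if len(a | b) == k}
        candidates = {c for c in candidates
                      if all(frozenset(sub) in prev for sub in combinations(c, k - 1))}
        level = [c for c in sorted(candidates, key=sorted) if support(c, sessions) >= min_support]
        frequent.update((c, support(c, sessions)) for c in level)
        k += 1
    return frequent


def item_weight(itemset):
    """Mean analyst weight of the items in an itemset."""
    return sum(ITEM_WEIGHTS.get(i, DEFAULT_WEIGHT) for i in itemset) / len(itemset)


def rules(frequent, min_confidence):
    """Rules antecedent -> consequent from every frequent itemset, as tuples
    (antecedent, consequent, support, confidence, weighted_score), sorted by the
    weighted score (confidence x mean item weight), highest first."""
    out = []
    for itemset, sup in frequent.items():
        for r in range(1, len(itemset)):
            for ante in combinations(sorted(itemset), r):
                ante = frozenset(ante)
                conf = sup / frequent[ante]          # subsets of a frequent set are frequent
                if conf >= min_confidence:
                    out.append((ante, itemset - ante, sup, conf, conf * item_weight(itemset)))
    out.sort(key=lambda t: (-t[4], sorted(t[0]), sorted(t[1])))
    return out


def predict(rule_list, observed, target):
    """Highest confidence of any rule whose antecedent is contained in the
    flow's observed items and whose consequent contains `target` (0.0 if none).
    A blocking policy would act when this exceeds a chosen threshold."""
    observed = frozenset(observed)
    return max((conf for ante, cons, _, conf, _ in rule_list
                if ante <= observed and target in cons), default=0.0)


if __name__ == "__main__":
    freq = apriori(SESSIONS, min_support=0.5)
    for ante, cons, sup, conf, score in rules(freq, min_confidence=0.7)[:5]:
        print(sorted(ante), "->", sorted(cons), f"sup={sup:.3f} conf={conf:.2f} score={score:.2f}")
    print(predict(rules(freq, 0.7), {"dst_port=22", "user=root"}, "attempts>10"))
```

The weights are applied after mining rather than inside the support threshold on purpose: plain support is downward closed, which is what lets Apriori prune candidates, while a weighted support in general is not, so weighting the ranking keeps the mining step sound.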

8.
A new intrusion detection data fusion model: IDSFP
Based on multi-sensor data fusion technology, a new intrusion detection fusion model, IDSFP, is proposed. It correlates and aggregates the alerts of multiple IDSs (intrusion detection systems) to produce a measure for judging the security situation, which forms the evidence. IDSFP applies D-S evidence theory to form the information used to assess the current security situation, and dynamically feeds back to and adjusts each IDS in the network to strengthen the detection of data related to attack intent, thereby improving IDS detection efficiency and lowering the system's false alarm and missed alarm rates.

9.
Ontologies play an essential role in knowledge sharing and exploration, especially in multiagent systems. An intrusion is an unauthorized activity in a network, achieved either in an active manner (information gathering) or a passive manner (harmful packet forwarding). Most existing intrusion detection systems (IDSs) suffer from the following issues: they are usually tuned to detect known service-level network attacks and remain vulnerable to original and novel malicious attacks. Thus, they provide low accuracy and detection rates, which are the important problems of existing IDSs. To overcome these drawbacks, an ontology-based multiagent IDS framework is developed in this work. The main intention of this work is to detect network attacks with the help of multiple detection agents. In this analysis, there are 3 different types of agents, i.e., the IDS broker, the deputy commander and the response agent, which are used to prevent and detect attacks in a network. The novel concept of this work is based on signature matching; it identifies and detects attackers with the help of multiple agents.

10.
Security systems are a necessity for the deployment of smart vehicles in our society. Security in vehicular ad hoc networks is crucial to the reliable exchange of information and control data. In this paper, we propose an intelligent Intrusion Detection System (IDS) to protect the external communication of self-driving and semi-self-driving vehicles. This technology is able to detect Denial of Service (DoS) and black hole attacks on vehicular ad hoc networks (VANETs). The advantage of the proposed IDS over existing security systems is that it detects attacks before they cause significant damage. The intrusion prediction technique is based on Linear Discriminant Analysis (LDA) and Quadratic Discriminant Analysis (QDA), which are used to predict attacks based on observed vehicle behavior. We perform simulations using Network Simulator 2 to demonstrate that the IDS achieves a low rate of false alarms and high detection accuracy.

11.
Intrusion detection systems (IDSs) are divided into anomaly detection models and misuse detection models. An anomaly detection model first summarizes the characteristics that normal operations should have and derives a model of normal operation; it then monitors subsequent operations and raises an alarm as soon as they deviate, in a statistical sense, from the normal pattern. A misuse detection model collects the characteristics of intrusive behaviour and builds a rule base; during subsequent detection, the collected data are compared with the signatures in the rule base to decide whether an intrusion has occurred. This paper mainly studies the construction of rules in intrusion detection systems and, by adding a rule learning module, LERAD, to the misuse-detection-based Snort intrusion detection system, proposes an intrusion detection system model based on machine learning.

12.
An intrusion detection system (IDS) is an indispensable tool for securing our networks. It is considered a second line of defense against the different forms of attack. The principal limitation of current IDSs is their inability to combine the detection of new forms of attack with a high detection rate and a low false alarm rate. In this paper, we propose an intrusion detection system based on combining the probability predictions of a tree of classifiers. Specifically, our model is composed of two layers. The first is a tree of classifiers; the second is a classifier that combines the probability predictions of the tree. The tree has 4 levels, and each node of the tree is a classifier. The first node classifies the connections into two clusters: Denial of Service attacks and Cluster 2. The second node classifies the connections of Cluster 2 into Probing attacks and Cluster 3. The third node classifies the connections of Cluster 3 into Remote-to-Local attacks and Cluster 4. Finally, the last node classifies the connections of Cluster 4 into User-to-Root attacks and Normal connections. The second layer contains the last classifier, which combines the probability predictions of the first layer and takes the final decision. Experiments on KDD'99 and NSL-KDD show that our model gives a low false alarm rate and the highest detection rate. Furthermore, our model is more precise than recent intrusion detection system models, with accuracy equal to 96.27% on KDD'99 and 89.75% on NSL-KDD.

13.
Early warning model of network intrusion based on D-S evidence theory
Applying data fusion techniques to intrusion detection is the trend for next-generation Intrusion Detection Systems (IDSs). In network security, adopting a security early warning technique is a feasible way to defend effectively against attacks and attackers. To do this, the correlated information provided by IDSs must be gathered, and the current intrusion characteristics and situation must be analyzed and estimated. This paper applies D-S evidence theory to a distributed intrusion detection system to fuse information from the detection centers, clarify the intrusion situation, and thereby improve the early warning capability and detection efficiency of the IDS.
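
Added example for items 8 and 13 above, written for this page and not taken from either paper: Dempster's rule of combination over the frame {attack, normal}, used to fuse the mass functions of several IDS sensors into belief and plausibility for "attack". The sensor mass values are constructed; how a real sensor maps its alerts onto masses is exactly the design question each paper answers in its own way, so that mapping is not modelled here.

```python
"""Dempster-Shafer fusion of IDS sensor evidence (added example)."""
from itertools import product

ATTACK = frozenset({"attack"})
NORMAL = frozenset({"normal"})
THETA = ATTACK | NORMAL          # the whole frame of discernment: "don't know"


def conflict(m1, m2):
    """K: total mass of hypothesis pairs whose intersection is empty."""
    return sum(a * b for (x, a), (y, b) in product(m1.items(), m2.items()) if not (x & y))


def combine(m1, m2):
    """Dempster's rule: m(A) = sum_{B & C = A} m1(B) m2(C) / (1 - K)."""
    k = conflict(m1, m2)
    if k >= 1.0 - 1e-12:
        raise ValueError("sources are in total conflict; Dempster's rule is undefined")
    fused = {}
    for (x, a), (y, b) in product(m1.items(), m2.items()):
        if x & y:
            fused[x & y] = fused.get(x & y, 0.0) + a * b / (1.0 - k)
    return fused


def combine_all(masses):
    """Fuse any number of sensors; the rule is commutative and associative."""
    result = masses[0]
    for m in masses[1:]:
        result = combine(result, m)
    return result


def belief(m, hypothesis):
    """Bel(A): mass of every subset of A (evidence that definitely supports A)."""
    return sum(v for s, v in m.items() if s <= hypothesis)


def plausibility(m, hypothesis):
    """Pl(A): mass of every set that intersects A (evidence not contradicting A)."""
    return sum(v for s, v in m.items() if s & hypothesis)


# Constructed sensor outputs: each assigns mass to attack, normal, or "unsure".
SENSOR_MASSES = [
    {ATTACK: 0.6, NORMAL: 0.1, THETA: 0.3},   # signature IDS: strong rule match
    {ATTACK: 0.5, NORMAL: 0.2, THETA: 0.3},   # anomaly IDS: moderate deviation
    {ATTACK: 0.2, NORMAL: 0.3, THETA: 0.5},   # host agent: little evidence either way
]


def assess(masses, alarm_threshold=0.7):
    """Fused belief and plausibility for 'attack', plus the alarm decision.
    The gap between the two is the remaining uncertainty; a large conflict K
    between sensors is worth reporting on its own, since the rule normalises it away."""
    fused = combine_all(masses)
    bel, pl = belief(fused, ATTACK), plausibility(fused, ATTACK)
    return {"belief": bel, "plausibility": pl, "alarm": bel >= alarm_threshold}


if __name__ == "__main__":
    print(assess(SENSOR_MASSES))
```

Note that the rule is undefined when the sources conflict totally (K = 1), and that a high K with a confident fused result is a sign that one sensor is badly calibrated rather than that the fusion is trustworthy, which is why the example exposes `conflict` separately.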

14.
Research on the trustworthiness of intrusion detection systems and an improved method
The false alarm rate and the missed alarm rate affect the trustworthiness of an intrusion detection system's results. Through a theoretical analysis of the causes of false alarms and missed alarms, a method is proposed in which multiple detection systems work cooperatively to improve the credibility of detection. When the results of the multiple detection systems are fused, a boosted Bayesian classification method is used: each detection model is given a different weight, the classification results are weighted and summed, and the class with the largest value is chosen as the final classification. Experimental analysis shows that the method lowers the system's missed alarm and false alarm rates and improves the credibility of its alerts.

15.
Intrusion detection (IDS) in the Internet of Vehicles can be used to confirm the authenticity of the events described in traffic event notifications. Current IoV IDSs mostly use consistency checking schemes based on redundant data; to reduce the IDS's dependence on redundant data, an intrusion detection scheme based on neural networks is proposed. The scheme can describe a large number of traffic event types and uses two learning algorithms, back propagation (BP) and support vector machines (SVM), which suit, respectively, applications where personal safe driving requires speed and applications where an efficient transport system requires a high detection rate. Simulation experiments and performance analysis show that the scheme detects intrusions quickly, with a high detection rate and a low false alarm rate.

16.
Intrusion detection systems (IDSs) are designed to monitor a networked environment and generate alerts whenever abnormal activities are detected. The number of these alerts can be very large, making their evaluation by security analysts a difficult task. Management is complicated by the need to configure the different components of alert evaluation systems. In addition, IDS alert management techniques such as clustering and correlation suffer from involving unrelated alerts in their processes and consequently provide results that are inaccurate and difficult to manage. Thus the tuning of an IDS alert management system to provide optimal results remains a major challenge, further complicated by the large spectrum of potential attacks the system can be subject to. This paper considers the specification and configuration issues of FuzMet, a novel IDS alert management system which employs several metrics and a fuzzy-logic-based approach for scoring and prioritizing alerts. In addition, it features an alert rescoring technique that leads to a further reduction in the number of alerts. Comparative results between SNORT scores and FuzMet alert prioritization on a real attack dataset are presented, along with a simulation-based investigation of the optimal configuration of FuzMet. The results prove the enhanced intrusion detection accuracy brought by our system. Copyright © 2011 John Wiley & Sons, Ltd.
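
Added example for item 16 above; it is not FuzMet's code. It shows the shape of the approach the abstract describes: several per-alert metrics are turned into fuzzy memberships, a rule base maps them to a priority, alerts are ranked by the defuzzified score, and a rescoring step merges repeats of the same alert so that fewer items reach the analyst. The three metrics used here (signature severity, relevance of the signature to the target host, asset value), the rule consequents, the asset inventory and the sample alerts are all assumptions made for illustration.

```python
"""Fuzzy-logic scoring and prioritisation of IDS alerts (added example)."""

# Constructed asset inventory and alerts (not a real data set).
ASSETS = {
    "10.0.0.5": {"os": "linux", "services": {"ssh", "http"}, "value": 0.9},   # web server
    "10.0.0.9": {"os": "windows", "services": {"smb"}, "value": 0.3},         # test box
}

ALERTS = [
    {"id": 1, "src": "203.0.113.7", "dst": "10.0.0.5", "sig": "ssh brute force",
     "priority": 2, "target_os": None, "target_service": "ssh"},
    {"id": 2, "src": "203.0.113.7", "dst": "10.0.0.5", "sig": "ssh brute force",
     "priority": 2, "target_os": None, "target_service": "ssh"},
    {"id": 3, "src": "198.51.100.2", "dst": "10.0.0.5", "sig": "IIS unicode traversal",
     "priority": 1, "target_os": "windows", "target_service": "http"},
    {"id": 4, "src": "198.51.100.4", "dst": "10.0.0.9", "sig": "smb null session",
     "priority": 3, "target_os": "windows", "target_service": "smb"},
]


def severity(alert):
    """Snort-style priority 1 (highest) .. 4 mapped onto [0, 1]."""
    return (4 - alert["priority"]) / 3.0


def relevance(alert, assets):
    """1.0 when the signature's target OS and service both match the victim
    host, 0.5 when only one matches, 0.0 when neither does."""
    host = assets.get(alert["dst"])
    if host is None:
        return 0.5                                   # unknown host: no evidence either way
    os_ok = alert["target_os"] is None or alert["target_os"] == host["os"]
    svc_ok = alert["target_service"] in host["services"]
    return (os_ok + svc_ok) / 2.0


def asset_value(alert, assets):
    return assets.get(alert["dst"], {}).get("value", 0.5)


# Rule base: (severity, relevance, asset) in {H, L} -> crisp priority (Sugeno style).
# A severe signature against a host it cannot affect is deliberately scored low.
RULES = {
    ("H", "H", "H"): 1.0, ("H", "H", "L"): 0.8, ("H", "L", "H"): 0.5, ("H", "L", "L"): 0.3,
    ("L", "H", "H"): 0.6, ("L", "H", "L"): 0.4, ("L", "L", "H"): 0.2, ("L", "L", "L"): 0.05,
}


def fuzzy_score(sev, rel, val):
    """Memberships are linear (high = x, low = 1 - x); a rule fires with the min
    of its three antecedent memberships; the score is the firing-weighted mean
    of the rule consequents (weighted-average defuzzification)."""
    mu = {"sev": {"H": sev, "L": 1 - sev},
          "rel": {"H": rel, "L": 1 - rel},
          "val": {"H": val, "L": 1 - val}}
    num = den = 0.0
    for (s, r, v), out in RULES.items():
        fire = min(mu["sev"][s], mu["rel"][r], mu["val"][v])
        num += fire * out
        den += fire
    return num / den


def score_alert(alert, assets=ASSETS):
    return fuzzy_score(severity(alert), relevance(alert, assets), asset_value(alert, assets))


def prioritise(alerts, assets=ASSETS):
    """Score every alert, merge repeats of the same (src, dst, sig) into one
    entry with a count (the rescoring step), and sort by score, highest first."""
    merged = {}
    for a in alerts:
        key = (a["src"], a["dst"], a["sig"])
        entry = merged.setdefault(key, {"src": a["src"], "dst": a["dst"], "sig": a["sig"],
                                        "count": 0, "score": score_alert(a, assets)})
        entry["count"] += 1
    return sorted(merged.values(), key=lambda e: -e["score"])


if __name__ == "__main__":
    for e in prioritise(ALERTS):
        print(f'{e["score"]:.3f} x{e["count"]} {e["sig"]} {e["src"]} -> {e["dst"]}')
```

In the sample, the priority-1 IIS signature fired against a Linux host ranks below the priority-2 SSH brute force against the same host, because the relevance metric pulls it down; the two identical SSH alerts collapse into one entry with a count of 2.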

17.
Intrusion detection based on a subset of system calls
张相锋, 孙玉芳, 赵庆松. 《电子学报》(Acta Electronica Sinica), 2004, 32(8): 1338-1341
Detection technique is an important part of an intrusion detection system (IDS). System calls are partitioned according to the effects they have, and on this basis an intrusion detection technique based on a subset of the system calls (the W subset) is proposed. Experiments show that, compared with the method based on the full set of system calls, intrusion detection based on the W subset has a lower false alarm rate and needs less storage space and computation, and is therefore better suited to real-time intrusion detection.
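
Added example for items 3 and 17 above, written for this page and not taken from either paper. Both abstracts build on host-based detection over system-call sequences; this block shows the simplest form of it: learn the short sequences (n-grams) that appear in benign traces, then score a new trace by the fraction of its windows that were never seen. The `subset` argument models the idea of detecting on a chosen subset of calls; the subset used here is an assumption for illustration, not the W subset the paper defines, and the traces are constructed rather than captured from a real process.

```python
"""Sliding-window (n-gram) anomaly detection over system-call traces (added example)."""
from collections import Counter

# Constructed benign traces (system-call names only; not real process traces).
NORMAL_TRACES = [
    ["open", "read", "read", "close", "write", "close"],
    ["open", "read", "close", "open", "read", "close"],
    ["socket", "connect", "write", "read", "close"],
    ["open", "mmap", "read", "close", "exit"],
]

# Assumed subset: calls that create, change or transmit something, or alter
# the process; pure data reads are dropped before windowing.
EFFECT_CALLS = {"open", "close", "write", "socket", "connect", "exit", "execve", "setuid"}


def project(trace, subset):
    """Keep only the calls in `subset` (None keeps the full trace)."""
    return trace if subset is None else [c for c in trace if c in subset]


def windows(trace, n):
    """Consecutive n-grams of a trace."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def train(traces, n=3, subset=None):
    """Normal-behaviour database: every n-gram seen in benign traces, with counts."""
    db = Counter()
    for t in traces:
        db.update(windows(project(t, subset), n))
    return db


def anomaly_score(db, trace, n=3, subset=None):
    """Fraction of the trace's n-grams absent from the database (0.0 = all seen)."""
    wins = windows(project(trace, subset), n)
    if not wins:
        return 0.0
    return sum(1 for w in wins if w not in db) / len(wins)


def is_anomalous(db, trace, n=3, subset=None, threshold=0.3):
    """Alarm when more than `threshold` of the windows are unseen. The threshold
    trades missed intrusions against false alarms on rare but benign paths."""
    return anomaly_score(db, trace, n, subset) > threshold


if __name__ == "__main__":
    db_full = train(NORMAL_TRACES)
    db_sub = train(NORMAL_TRACES, subset=EFFECT_CALLS)
    suspicious = ["open", "read", "execve", "setuid", "write", "close"]
    print("database size: full", len(db_full), "subset", len(db_sub))
    print("scores:", anomaly_score(db_full, suspicious),
          anomaly_score(db_sub, suspicious, subset=EFFECT_CALLS))
```

Projecting onto a subset shrinks the database (13 n-grams to 7 on the constructed traces) while the trace that spawns a privileged process is still scored as fully unseen; on real traces the cost of that projection is that attacks expressed only through the dropped calls become invisible, which is why the choice of subset matters.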

18.
A poisoning attack method against SVM-based intrusion detection systems
Against the background of the wide application of machine learning, this paper proposes a novel attack method against SVM (Support Vector Machine) based intrusion detection systems: the poisoning attack. The method tampers with the training data to mislead the SVM learning process and lower the recognition rate of the intrusion detection system's classification model on attack traffic. The attack is modelled as an optimization problem and the attack samples are obtained by numerical methods. Experiments on the NSL-KDD data set, which contains multiple attack types, evaluate the attack using the recall and precision of attack traffic; compared with existing methods, the results show that the proposed method lowers the recognition rate of the intrusion detection system more effectively. The paper hopes that this research leads to a better understanding of novel attacks against machine learning and provides a basis for further research on corresponding defence mechanisms.
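
Added example for item 18 above; it is not the paper's code or data. It reproduces the effect the abstract describes on a toy scale: an attacker who can add a few records to the IDS training set injects attack-like feature vectors labelled "normal", and the retrained model's recall on attack traffic drops. The 2-D feature grid, the plain-Python hinge-loss trainer (a stand-in for the paper's SVM) and the greedy search over candidate poison positions are assumptions for illustration; the paper solves an optimization problem numerically, which the greedy search only mimics.

```python
"""Label-flipping poisoning of a linear max-margin classifier (added example)."""

# Constructed 2-D feature vectors, e.g. (failed-connection rate, bytes rate)
# scaled to [0, 1]. Normal traffic sits near the origin, attacks near (0.8, 0.8).
NORMAL = [(0.1 + 0.1 * i, 0.1 + 0.1 * j) for i in range(3) for j in range(3)]
ATTACK = [(0.7 + 0.1 * i, 0.7 + 0.1 * j) for i in range(3) for j in range(3)]
X_CLEAN = NORMAL + ATTACK
Y_CLEAN = [-1] * len(NORMAL) + [+1] * len(ATTACK)


def dot(w, x):
    return sum(wi * xi for wi, xi in zip(w, x))


def train(X, y, lam=0.01, lr=0.1, epochs=200):
    """Sub-gradient descent on the L2-regularised hinge loss (the linear
    soft-margin SVM objective). Returns the iterate averaged over the second
    half of training, which gives a stable model from this kind of SGD."""
    w, b = [0.0] * len(X[0]), 0.0
    avg_w, avg_b, n_avg = [0.0] * len(X[0]), 0.0, 0
    for epoch in range(epochs):
        for x, yi in zip(X, y):
            if yi * (dot(w, x) + b) < 1:           # margin violated: hinge term active
                w = [wj - lr * (lam * wj - yi * xj) for wj, xj in zip(w, x)]
                b += lr * yi
            else:                                   # only the regulariser acts
                w = [wj * (1 - lr * lam) for wj in w]
            if epoch >= epochs // 2:
                avg_w = [a + wj for a, wj in zip(avg_w, w)]
                avg_b += b
                n_avg += 1
    return [a / n_avg for a in avg_w], avg_b / n_avg


def predict(model, x):
    w, b = model
    return 1 if dot(w, x) + b > 0 else -1


def recall(model, attacks):
    """Fraction of attack vectors the model still labels as attacks."""
    return sum(1 for x in attacks if predict(model, x) == 1) / len(attacks)


def false_positive_rate(model, normals):
    return sum(1 for x in normals if predict(model, x) == 1) / len(normals)


def greedy_poison(X, y, candidates, attacks, rounds=3, copies=4):
    """Attacker's numerical search: each round, try every candidate position as
    a batch of `copies` records labelled normal (-1), keep the batch that lowers
    the retrained model's attack recall the most. Returns the poisoned training
    set and the chosen positions."""
    Xp, yp, chosen = list(X), list(y), []
    for _ in range(rounds):
        best = None
        for cand in candidates:
            r = recall(train(Xp + [cand] * copies, yp + [-1] * copies), attacks)
            if best is None or r < best[0]:
                best = (r, cand)
        Xp += [best[1]] * copies
        yp += [-1] * copies
        chosen.append(best[1])
    return Xp, yp, chosen


if __name__ == "__main__":
    clean = train(X_CLEAN, Y_CLEAN)
    Xp, yp, chosen = greedy_poison(X_CLEAN, Y_CLEAN, ATTACK, ATTACK)
    poisoned = train(Xp, yp)
    print("clean recall", recall(clean, ATTACK), "fpr", false_positive_rate(clean, NORMAL))
    print("poisoned recall", recall(poisoned, ATTACK), "injected at", chosen)
```

The attacker only needs write access to the training feed, not to the model: twelve mislabelled records among eighteen genuine ones are enough here. The practical countermeasures this suggests are provenance and integrity checks on training data and a held-out clean validation set whose attack recall is watched across retraining, since the poisoned model looks healthy on the poisoned data itself.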

19.
韦红军, 何迪, 石伟锋, 吴永明. 《信息技术》(Information Technology), 2007, 31(5): 14-16, 21
A CFAR intrusion detection system based on an ARMA network traffic model is proposed. An ARMA model is used to predict network traffic, and the constant false alarm rate (CFAR) technique from radar signal processing is applied to select the detection threshold and decide whether an intrusion signal is present. The system was tested on the DARPA data from Lincoln Laboratory; the results show that, compared with an AR prediction model, this method has a higher detection rate and a lower false alarm rate.
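
Added example for item 19 above; it is not the paper's code or data. It shows the detector structure the abstract describes: predict the next traffic sample from a time-series model, then apply cell-averaging CFAR from radar signal processing to the squared prediction residuals, so that the threshold tracks the local noise level instead of being fixed. The predictor here is a plain AR(1) fitted by least squares (the paper uses an ARMA model, and compares it against AR; AR(1) keeps this example dependency-free), and the traffic series, the injected burst and all parameter values are assumptions for illustration.

```python
"""CA-CFAR thresholding on traffic-prediction residuals (added example)."""


def lcg_uniform(seed, n):
    """Deterministic pseudo-random numbers in [-1, 1) so the example is reproducible."""
    state, out = seed, []
    for _ in range(n):
        state = (state * 1103515245 + 12345) % (1 << 31)
        out.append(2.0 * state / (1 << 31) - 1.0)
    return out


def make_traffic(n, seed, mean=100.0, phi=0.7):
    """Constructed packets-per-second series following an AR(1) process."""
    x, prev = [], mean
    for e in lcg_uniform(seed, n):
        prev = mean + phi * (prev - mean) + e
        x.append(prev)
    return x


def inject_burst(series, at, size):
    """Copy of `series` with an additive burst of `size` at index `at`."""
    out = list(series)
    out[at] += size
    return out


def fit_ar1(series):
    """Least-squares AR(1): x[t+1] - m = phi * (x[t] - m) + e[t]."""
    m = sum(series) / len(series)
    num = sum((series[t] - m) * (series[t + 1] - m) for t in range(len(series) - 1))
    den = sum((series[t] - m) ** 2 for t in range(len(series) - 1))
    return m, num / den


def residual_power(series, model):
    """Squared one-step prediction error; index i refers to series sample i + 1."""
    m, phi = model
    return [(series[t] - (m + phi * (series[t - 1] - m))) ** 2 for t in range(1, len(series))]


def cfar_alpha(n_ref, pfa):
    """CA-CFAR scaling factor for a square-law detector in exponential noise:
    alpha = N * (Pfa^(-1/N) - 1), so the false alarm rate is fixed regardless
    of the absolute noise level."""
    return n_ref * (pfa ** (-1.0 / n_ref) - 1.0)


def ca_cfar(power, n_ref=32, guard=2, pfa=1e-5):
    """Indices of cells whose power exceeds alpha times the mean of the n_ref
    reference cells around them (guard cells next to the cell under test are
    excluded so the burst does not inflate its own threshold)."""
    half = n_ref // 2
    alpha = cfar_alpha(n_ref, pfa)
    alarms = []
    for i in range(half + guard, len(power) - half - guard):
        ref = power[i - guard - half:i - guard] + power[i + guard + 1:i + guard + 1 + half]
        if power[i] > alpha * sum(ref) / len(ref):
            alarms.append(i)
    return alarms


def detect(train_series, test_series, **cfar_kw):
    """Fit on clean traffic, then return the test-series sample indices flagged."""
    model = fit_ar1(train_series)
    return [i + 1 for i in ca_cfar(residual_power(test_series, model), **cfar_kw)]


if __name__ == "__main__":
    train = make_traffic(300, seed=7)
    test = inject_burst(make_traffic(80, seed=11), at=40, size=60.0)
    print("fitted AR(1):", fit_ar1(train))
    print("alarms at samples:", detect(train, test))
```

On the constructed series the burst at sample 40 raises two alarms, at 40 and 41: the second one is a prediction artefact, because the predictor was fed the anomalous sample and over-predicts the next one. A deployed detector should merge consecutive alarms or reset the predictor after an alarm rather than report the echo as a second event.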

20.
Applied research on network-based intrusion detection technology
王望贤. 《通信技术》(Communications Technology), 2009, 42(6): 102-104
Network attack incidents have become frequent in recent years and their impact ever wider. Intrusion detection, as an active security defence measure, analyses the data flows on the network in real time to discover potential intrusion threats and raise the network's security assurance capability as far as possible. Starting from an analysis of the concept of intrusion detection systems, the article designs and analyses the main modules of a network-based intrusion detection system and points out the shortcomings and development trends of intrusion detection systems.
