Visualization of big data security: a case study on the KDD99 cup data set

Cyber security has been thrust into the limelight in the modern technological era because of an array of attacks often bypassing untrained intrusion detection systems (IDSs). Therefore, greater attention has been directed on being able deciphering better methods for identifying attack types to train IDSs more effectively. Keycyber-attack insights exist in big data; however, an efficient approach is required to determine strong attack types to train IDSs to become more effective in key areas. Despite the rising growth in IDS research, there is a lack of studies involving big data visualization, which is key. The KDD99 data set has served as a strong benchmark since 1999; therefore, we utilized this data set in our experiment. In this study, we utilized hash algorithm, a weight table, and sampling method to deal with the inherent problems caused by analyzing big data; volume, variety, and velocity. By utilizing a visualization algorithm, we were able to gain insights into the KDD99 data set with a clear identification of “normal” clusters and described distinct clusters of effective attacks.     

FPGA-Based Network Traffic Security： Design and Implementation Using C5.0 Decision Tree Classifier

In this work, a hardware intrusion detection system （IDS） model and its implementation are introduced to perform online real-time traffic monitoring and analysis. The introduced system gathers some advantages of many IDSs： hardware based from implementation point of view, network based from system type point of view, and anomaly detection from detection approach point of view. In addition, it can detect most of network attacks, such as denial of services （DOS）, leakage, etc. from detection behavior point of view and can detect both internal and external intruders from intruder type point of view. Gathering these features in one IDS system gives lots of strengths and advantages of the work. The system is implemented by using field programmable gate array （FPGA）, giving a more advantages to the system. A C5.0 decision tree classifier is used as inference engine to the system and gives a high detection ratio of 99.93%.     

Fooling intrusion detection systems using adversarially autoencoder

Due to the increasing cyber-attacks, various Intrusion Detection Systems (IDSs) have been proposed to identify network anomalies. Most existing machine learning-based IDSs learn patterns from the features extracted from network traffic flows, and the deep learning-based approaches can learn data distribution features from the raw data to differentiate normal and anomalous network flows. Although having been used in the real world widely, the above methods are vulnerable to some types of attacks. In this paper, we propose a novel attack framework, Anti-Intrusion Detection AutoEncoder (AIDAE), to generate features to disable the IDS. In the proposed framework, an encoder transforms features into a latent space, and multiple decoders reconstruct the continuous and discrete features, respectively. Additionally, a generative adversarial network is used to learn the flexible prior distribution of the latent space. The correlation between continuous and discrete features can be kept by using the proposed training scheme. Experiments conducted on NSL-KDD, UNSW-NB15, and CICIDS2017 datasets show that the generated features indeed degrade the detection performance of existing IDSs dramatically.     

一种针对基于SVM入侵检测系统的毒性攻击方法

在机器学习被广泛应用的背景下,本文提出一种针对基于SVM（Support Vector Machine）入侵检测系统的新颖攻击方法——毒性攻击.该方法通过篡改训练数据,进而误导SVM的机器学习过程,降低入侵检测系统的分类模型对攻击流量的识别率.本文把这种攻击建模为最优化问题,利用数值方法得到攻击样本.通过包含多种攻击类型的NSL-KDD数据集进行实验,从攻击流量的召回率和精度这两个指标对攻击效果进行评估,与已有方法相比,实验结果表明本文方法可更有效地降低入侵检测系统的识别率.本文希望通过该研究进一步认识针对机器学习的新颖攻击,为下一步研究对应的防御机制提供研究基础.     

Integration of mobility and intrusion detection for wireless ad hoc networks

One of the main challenges in building intrusion detection systems (IDSs) for mobile ad hoc networks (MANETs) is to integrate mobility impacts and to adjust the behaviour of IDSs correspondingly. In this paper, we first introduce two different approaches, a Markov chain‐based approach and a Hotelling's T² test based approach, to construct local IDSs for MANETs. We then demonstrate that nodes' moving speed, a commonly used parameter in tuning IDS performances, is not an effective metric to tune IDS performances under different mobility models. To solve this problem, we further propose an adaptive scheme, in which suitable normal profiles and corresponding proper thresholds can be selected adaptively by each local IDS through periodically measuring its local link change rate, a proposed unified performance metric. We study the proposed adaptive mechanism at different mobility levels, using different mobility models such as random waypoint model, random drunken model, and obstacle mobility model. Simulation results show that our proposed adaptive scheme is less dependent on the underlying mobility models and can further reduce false positive ratio. Copyright © 2006 John Wiley & Sons, Ltd.     

基于XML的分布式多步骤入侵特征语言

分布式多步骤入侵的证据可能分散在不同的节点中,很多告警是多步骤攻击中的一个步骤,因此IDS有必要收集并关联不同来源的信息.本文提出了一种完全非集中方式,将分布式多步骤入侵场景建模为分布于被保护网络系统中多个节点上的检测子任务序列.文章为这种模式提出了一种基于XML的分布式多步骤入侵场景描述语言.     

An incremental intrusion detection system using a new semi‐supervised stream classification method

In recent years, the utilization of machine learning and data mining techniques for intrusion detection has received great attention by both security research communities and intrusion detection system (IDS) developers. In intrusion detection, the most important constraints are the imbalanced class distribution, the scarcity of the labeled data, and the massive amounts of network flows. Moreover, because of the dynamic nature of the network flows, applying static learned models degrades the detection performance significantly over time. In this article, we propose a new semi‐supervised stream classification method for intrusion detection, which is capable of incremental updating using limited labeled data. The proposed method, called the incremental semi‐supervised flow network‐based IDS (ISF‐NIDS), relies on an incremental mixed‐data clustering, a new supervised cluster adjustment method, and an instance‐based learning. The ISF‐NIDS operates in real time and learns new intrusions quickly using limited storage and processing power. The experimental results on the KDD99, Moore, and Sperotto benchmark datasets indicate the superiority of the proposed method compared with the existing state‐of‐the‐art incremental IDSs.     

Network intrusion detection

Intrusion detection is a new, retrofit approach for providing a sense of security in existing computers and data networks, while allowing them to operate in their current "open" mode. The goal of intrusion detection is to identify unauthorized use, misuse, and abuse of computer systems by both system insiders and external penetrators. The intrusion detection problem is becoming a challenging task due to the proliferation of heterogeneous computer networks since the increased connectivity of computer systems gives greater access to outsiders and makes it easier for intruders to avoid identification. Intrusion detection systems (IDSs) are based on the beliefs that an intruder's behavior will be noticeably different from that of a legitimate user and that many unauthorized actions are detectable. Typically, IDSs employ statistical anomaly and rulebased misuse models in order to detect intrusions. A number of prototype IDSs have been developed at several institutions, and some of them have also been deployed on an experimental basis in operational systems. In the present paper, several host-based and network-based IDSs are surveyed, and the characteristics of the corresponding systems are identified. The host-based systems employ the host operating system's audit trails as the main source of input to detect intrusive activity, while most of the network-based IDSs build their detection mechanism on monitored network traffic, and some employ host audit trails as well. An outline of a statistical anomaly detection algorithm employed in a typical IDS is also included     

Random-Forests-Based Network Intrusion Detection Systems

Prevention of security breaches completely using the existing security technologies is unrealistic. As a result, intrusion detection is an important component in network security. However, many current intrusion detection systems (IDSs) are rule-based systems, which have limitations to detect novel intrusions. Moreover, encoding rules is time-consuming and highly depends on the knowledge of known intrusions. Therefore, we propose new systematic frameworks that apply a data mining algorithm called random forests in misuse, anomaly, and hybrid-network-based IDSs. In misuse detection, patterns of intrusions are built automatically by the random forests algorithm over training data. After that, intrusions are detected by matching network activities against the patterns. In anomaly detection, novel intrusions are detected by the outlier detection mechanism of the random forests algorithm. After building the patterns of network services by the random forests algorithm, outliers related to the patterns are determined by the outlier detection algorithm. The hybrid detection system improves the detection performance by combining the advantages of the misuse and anomaly detection. We evaluate our approaches over the Knowledge Discovery and Data Mining 1999 (KDD’99) dataset. The experimental results demonstrate that the performance provided by the proposed misuse approach is better than the best KDD’99 result; compared to other reported unsupervised anomaly detection approaches, our anomaly detection approach achieves higher detection rate when the false positive rate is low; and the presented hybrid system can improve the overall performance of the aforementioned IDSs.      

ID-based proxy re-signature without pairing

Several new attacks have been identified in CRNs such as primary user emulation, dynamic spectrum access (DSA), and jamming attacks. Such types of attacks can severely impact network performance, specially in terms of the over all achieved network throughput. In response to that, intrusion detection system (IDS) based on anomaly and signature detection is recognized as an effective candidate solution to handle and mitigate these types of attacks. In this paper, we present an intrusion detection system for CRNs (CR-IDS) using the anomaly-based detection (ABD) approach. The proposed ABD algorithm provides the ability to effectively detect the different types of CRNs security attacks. CR-IDS contains different cooperative components to accomplish its desired functionalities which are monitoring, feature generation and selection, rule generation, rule based system, detection module, action module, impact analysis and learning module. Our simulation results show that CR-IDS can detect DSA attacks with high detection rate and very low false negative and false positive probabilities.     

车联网中基于神经网络的入侵检测方案

车联网的入侵检测（IDS）可用于确认交通事件通知中描述的事件的真实性。当前车联网IDS多采用基于冗余数据的一致性检测方案,为降低IDS对冗余数据的依赖性,提出了一个基于神经网络的入侵检测方案。该方案可描述大量交通事件类型,并综合使用了反向传播（BP）和支持向量机（SVM）2种学习算法。这2种算法分别适用于个人安全驾驶速度快与高效交通系统检测率高的应用。仿真实验和性能分析表明,本方案具有较快的入侵检测速度,且具有较高的检测率和较低的虚警率。     

利用有限状态机的无线网状网的入侵检测

Wireless Mesh Networks is vulnerable to attacks due to the open medium, dynamically changing network topology, cooperative algorithms, lack of centralized monitoring and management point. The raditional way of protecting networks with firewalls and encryption software is no longer sufficient and effective for those features. In this paper, we propose a distributed intrusion detection approach based on timed automata. A cluster-based detection scheme is presented, where periodically a node is elected as the monitor node for a cluster. These monitor nodes can not only make local intrusion detection decisions, but also cooperatively take part in global intrusion detection. And then we construct the Finite State Machine (FSM) by the way of manually abstracting the correct behaviors of the node according to the routing protocol of Dynamic Source Routing (DSR). The monitor nodes can verify every node's behavior by the Finite State Machine (FSM), and validly detect real-time attacks without signatures of intrusion or trained data. Compared with the architecture where each node is its own IDS agent, our approach is much more efficient while maintaining the same level of effectiveness. Finally, we evaluate the intrusion detection method through simulation experiments.     

Hybrid Fuzzy Adaptive Wiener Filtering with Optimization for Intrusion Detection

Intrusion detection plays a key role in detecting attacks over networks, and due to the increasing usage of Internet services, several security threats arise. Though an intrusion detection system (IDS) detects attacks efficiently, it also generates a large number of false alerts, which makes it difficult for a system administrator to identify attacks. This paper proposes automatic fuzzy rule generation combined with a Wiener filter to identify attacks. Further, to optimize the results, simplified swarm optimization is used. After training a large dataset, various fuzzy rules are generated automatically for testing, and a Wiener filter is used to filter out attacks that act as noisy data, which improves the accuracy of the detection. By combining automatic fuzzy rule generation with a Wiener filter, an IDS can handle intrusion detection more efficiently. Experimental results, which are based on collected live network data, are discussed and show that the proposed method provides a competitively high detection rate and a reduced false alarm rate in comparison with other existing machine learning techniques.     

Design and analysis of intrusion detection systems for wireless mesh networks

Intrusion is any unwanted activity that can disrupt the normal functions of wired or wireless networks. Wireless mesh networking technology has been pivotal in providing an affordable means to deploy a network and allow omnipresent access to users on the Internet. A multitude of emerging public services rely on the widespread, high-speed, and inexpensive connectivity provided by such networks. The absence of a centralized network infrastructure and open shared medium makes WMNs particularly susceptible to malevolent attacks, especially in multihop networks. Hence, it is becoming increasingly important to ensure privacy, security, and resilience when designing such networks. An effective method to detect possible internal and external attack vectors is to use an intrusion detection system. Although many Intrusion Detection Systems (IDSs) were proposed for Wireless Mesh Networks (WMNs), they can only detect intrusions in a particular layer. Because WMNs are vulnerable to multilayer security attacks, a cross-layer IDS are required to detect and respond to such attacks. In this study, we analyzed cross-layer IDS options in WMN environments. The main objective was to understand how such schemes detect security attacks at several OSI layers. The suggested IDS is verified in many scenarios, and the experimental results show its efficiency.     

基于HMM的分布式拒绝服务攻击检测方法

文章根据分布式拒绝服务攻击（DDoS）的本质特点，提出了一种基于隐马尔可夫模型（HMM）的DDoS攻击检测方法。该方法通过IP地址信息库．保存当前常用服务的源IP地址，然后对新到数据包的IP地址用HMM建模。通过离线训练，更新IP地址信息库，优化HMM参数。在线检测时，IP地址信息库在线学习更新，HMM实时检测．并根据检测结果通过边界路由器进行积极响应。实验结果显示，该方法具有很好的检测效果，并能及时响应，保持常用服务的延续性。     

A new ontology‐based multi agent framework for intrusion detection

Ontologies play an essential role in knowledge sharing and exploration, especially in multiagent systems. Intrusion is an unauthorized activity in a network, which is achieved by either active manner (information gathering) or passive manner (harmful packet forwarding). Most of the existing intrusion detection system (IDS) suffers from the following issues: it is usually adjusted to detect known service level network attacks and leaves from vulnerable to original and novel malicious attacks. Thus, it provides low accuracy and detection rate, which are the important problems of existing IDS. To overwhelm these drawbacks, an ontology‐based multiagent IDS framework is developed in this work for intrusion detection. The main intention of this work is to detect the network attacks with the help of multiple detection agents. In this analysis, there are 3 different types of agents, ie, IDS broker, deputy commander, and response agent, which are used to prevent and detect the attacks in a network. The novel concept of this work is based on the concept of signature matching; it identifies and detects the attackers with the help of multiple agents.     

FD-DBN: Flow directed deep belief network for accurate anomaly detection in cloud computing

Security becomes the key concern in a cloud environment, as the servers are distributed throughout the globe and involve the circulation of highly sensitive data. Intrusions in the cloud are common because of the huge network traffic that paves the way for intruders to breach traditional security systems with sophisticated software. To avoid such problems, intrusion detection systems (IDSs) have been introduced by various researchers. Each IDS was developed to achieve a particular objective, that is, providing security by detecting intrusions. Most of the available IDS are inefficient and are unable to provide accurate classification. Also, some of them are computationally expensive to be implemented in practical scenarios. This article proposes a new and efficient IDS framework that can accurately classify the intrusion type through effective training to address the existing drawbacks. The proposed framework, named flow directed deep belief network (FD-DBN), involves three main phases: pre-processing, clustering, and classification. In pre-processing, certain data mining operations are carried out to clean the data. The clustering phase is carried out using the game-based k-means (GBKM) clustering algorithm. The clustered data is then provided as input to the FD-DBN classification framework, where the training process is carried out. The deep belief network (DBN) training is performed with dataset features, and the flow direction algorithm is adopted for tuning the weight parameters of DBN. Through tuning, the model yielded accurate classification outcomes. The simulations are done in Python 3.6, and the results proved that the proposed framework is much more effective than the existing IDS frameworks.     

Early warning model of network intrusion based on D-S evidence theory

Application of data fusion technique in intrusion detection is the trend of nextgeneration Intrusion Detection System (IDS). In network security, adopting security early warning technique is feasible to effectively defend against attacks and attackers. To do this, correlative information provided by IDS must be gathered and the current intrusion characteristics and situation must be analyzed and estimated. This paper applies D-S evidence theory to distributed intrusion detection system for fusing information from detection centers, making clear intrusion situation, and improving the early warning capability and detection efficiency of the IDS accordingly.     

Optimized deep learning-based intrusion detection for wireless sensor networks

The technological innovations and wide use of Wireless Sensor Network (WSN) applications need to handle diverse data. These huge data possess network security issues as intrusions that cannot be neglected or ignored. An effective strategy to counteract security issues in WSN can be achieved through the Intrusion Detection System (IDS). IDS ensures network integrity, availability, and confidentiality by detecting different attacks. Regardless of efforts by various researchers, the domain is still open to obtain an IDS with improved detection accuracy with minimum false alarms to detect intrusions. Machine learning models are deployed as IDS, but their potential solutions need to be improved in terms of detection accuracy. The neural network performance depends on feature selection, and hence, it is essential to bring an efficient feature selection model for better performance. An optimized deep learning model has been presented to detect different types of attacks in WSN. Instead of the conventional parameter selection procedure for Convolutional Neural Network (CNN) architecture, a nature-inspired whale optimization algorithm is included to optimize the CNN parameters such as kernel size, feature map count, padding, and pooling type. These optimized features greatly improved the intrusion detection accuracy compared to Deep Neural network (DNN), Random Forest (RF), and Decision Tree (DT) models.     

入侵检测技术研究现状与未来发展

入侵检测技术是一种主动防御型安全技术,可以弥补传统安全技术的不足.文章对入侵检测技术进行了归类,介绍了两种通用的入侵检测方法:一种是根据采集点的不同,将IDS分为基于主机的IDS和基于网络的IDS;另外一种是根据检测所基于的原则不同,将入侵检测系统划分为异常检测IDS和误用检测IDS.文章还对入侵检测技术的未来发展方向进行了讨论.