网络入侵检测系统中的警报聚类

到目前为止,网络管理员对入侵检测系统(IDS)所产生的警报还是以在辅助工具下的手工操作进行整理,从而得到一个高级别的攻击描述。为了有效融合多种入侵检测系统报警信息,提高警告的准确性,警报聚类自动分析工具被建议使用来产生高级别的攻击描述。除此之外,警报聚类自动分析工具还可以有效地分析威胁,融合不同的信息源,例如来自于不同IDS中的信息源。该文提出了新的警报聚类系统,以便把来自于多种IDS所产生的警报进行警报聚类,产生攻击描述。实验结果表明,通过警报聚类模块有效地总结攻击可以产生高级别的警报,并大幅度地减少了要提交给管理员的警报数量。此外,以这些高级别警报为基础还可以进一步地进行威胁分析。     

Intrusion detection in computer networks by a modular ensemble of one-class classifiers

Since the early days of research on intrusion detection, anomaly-based approaches have been proposed to detect intrusion attempts. Attacks are detected as anomalies when compared to a model of normal (legitimate) events. Anomaly-based approaches typically produce a relatively large number of false alarms compared to signature-based IDS. However, anomaly-based IDS are able to detect never-before-seen attacks. As new types of attacks are generated at an increasing pace and the process of signature generation is slow, it turns out that signature-based IDS can be easily evaded by new attacks. The ability of anomaly-based IDS to detect attacks never observed in the wild has stirred up a renewed interest in anomaly detection. In particular, recent work focused on unsupervised or unlabeled anomaly detection, due to the fact that it is very hard and expensive to obtain a labeled dataset containing only pure normal events.The unlabeled approaches proposed so far for network IDS focused on modeling the normal network traffic considered as a whole. As network traffic related to different protocols or services exhibits different characteristics, this paper proposes an unlabeled Network Anomaly IDS based on a modular Multiple Classifier System (MCS). Each module is designed to model a particular group of similar protocols or network services. The use of a modular MCS allows the designer to choose a different model and decision threshold for different (groups of) network services. This also allows the designer to tune the false alarm rate and detection rate produced by each module to optimize the overall performance of the ensemble. Experimental results on the KDD-Cup 1999 dataset show that the proposed anomaly IDS achieves high attack detection rate and low false alarm rate at the same time.     

Intrusion detection alarms reduction using root cause analysis and clustering

As soon as the Intrusion Detection System (IDS) detects any suspicious activity, it will generate several alarms referring to as security breaches. Unfortunately, the triggered alarms usually are accompanied with huge number of false positives. In this paper, we use root cause analysis to discover the root causes making the IDS triggers these false alarms; most of these root causes are not attacks. Removing the root causes enhances alarms quality in the future. The root cause instigates the IDS to trigger alarms that almost always have similar features. These similar alarms can be clustered together; consequently, we have designed a new clustering technique to group IDS alarms and to produce clusters. Then, each cluster is modeled by a generalized alarm. The generalized alarms related to root causes are converted (by the security analyst) to filters in order to reduce future alarms’ load. The suggested system is a semi-automated system helping the security analyst in specifying the root causes behind these false alarms and in writing accurate filtering rules. The proposed clustering method was verified with three different datasets, and the averaged reduction ratio was about 74% of the total alarms. Application of the new technique to alarms log greatly helps the security analyst in identifying the root causes; and then reduces the alarm load in the future.     

网络入侵报警信息实时融合处理模型

针对分布式入侵检测和网络安全预警所需要解决的问题,对多传感器数据融合技术进行了研究。在分析IDS警报信息之间的各种复杂关系的基础上,提出了一个警报信息实时融合处理模型,并根据该模型建立警报信息融合处理系统。实时融合来自多异构IDS传感器的警报信息,形成关于入侵事件的攻击序列图,在此基础上进行威胁评估及攻击预测。该模型拓展了漏报推断功能,以减少漏报警带来的影响,使得到的攻击场景更为完整。实验结果表明,根据该模型建立的融合处理系统应用效果好,具有很高的准确率和警报缩减率。     

Detecting and preventing replay attacks in industrial automation networks operated with profinet IO

Modern industrial facilities consist of controllers, actuators and sensors that are connected via traditional IT equipment. The ongoing integration of these systems into the communication network yields to new threats and attack possibilities. In industrial networks, often distinct communication protocols like Profinet IO (PNIO) are used. These protocols are often not supported by typical network security tools. In this work, we present two attack techniques that allow to take over the control of a PNIO device, enabling an attacker to replay previously recorded traffic. We model attack detection rules and propose an intrusion detection system (IDS) for industrial networks which is capable of detecting those replay attacks by correlating alerts from traditional IT IDS with specific PNIO alarms. As an additional effort, we introduce defense in depth mechanisms in order to prevent those attacks from taking effect in the physical world. Thereafter, we evaluate our IDS in a physical demonstrator and compare it with another IDS dedicated to securing PNIO networks. In a conceptual design, we show how network segmentation with flow control allows for preventing some, but not all of the attacks.     

MANET分簇IDS报文丢弃攻击全局感知方案

在分析现有报文丢弃攻击检测算法的基础上,提出了一种基于簇首协作的报文丢弃攻击全局感知方案,利用IDS簇首协同监视节点报文收发状态,改进现有算法的监测方式和节点状态判定算法。仿真结果表明,该算法具有良好的检测率和误检率,在规避网络中的恶意节点以及维护网络正常吞吐量等方面具有较好的性能。     

基于改进混沌粒子群的聚类检测算法研究

针对入侵检测系统特征报警聚类质量低、冗余告警的不足,提出基于改进混沌自适应粒子群优化的IDS 特征 报警聚类方法。该方法结合混沌算法特性和改进粒子群算法自适应惯性权重系数以及对非线性动态学习因子进行改善,引导 粒子群在混沌与稳定之间交替波动,保证粒子运动惯性,更利于趋近最优。本方法能够克服PSO算法的过早收敛、“惰性”反 应等缺点,利于聚类中心更能趋向全局最优。实验结果表明,本文粒子群参数改进算法提高了特征报警聚类质量,具有较高的 检测率和较低的误报率。     

无线局域网非授权用户入侵行为分析及检测*

针对当前流行的破解有线等效加密无线局域网密钥进而盗用上网资源的现象,研究了相关产品的攻击手段.对其提供的交互式重放攻击、ARP注入攻击、chopchop攻击和分片攻击四种攻击方式,通过跟踪记录攻击过程,分析了它们的攻击原理.在借鉴KDD99等特征提取方法的基础上,提取了9个用于识别攻击的流量统计特征,并利用支持向量机设...     

基于DS证据理论的无线传感器网络MAC层安全研究*

研究了无线传感器网络MAC层安全问题,分析了现有无线传感器网络MAC层协议安全体系的不足之处,针对无线传感器网络遭到非法入侵的情况,提出了一个基于D-S证据理论的MAC层入侵检测机制。该机制利用碰撞率、数据包平均等待时间、RTS包到达率以及邻居节点的报警作为证据,对网络的状态进行实时的分析检测,根据网络的状态作出响应。该算法能够应用于现有的MAC协议如S-MAC、IEEE 802.15.4中,仿真结果表明,该算法能够较好地抵御针对MAC层的攻击,保证网络的安全运行。     

Evolving Clusters for Network Intrusion Detection System Using Genetic-X-Means Algorithm

ABSTRACT

With the rapid growth of Internet communication and the availability of tools to intrude the network, an intrusion detection system (IDS) has become indispensable. Clustering algorithm utilize a distance metric in order to partition data points such that patterns within a single group have the same characteristics from those in a different group. The proposed system builds a clustering engine using genetic-X-means that can assign each new event to a cluster to determine its type. This is in contrast to approaches used by existing clustering-based IDSs, which require the number of attack types in advance. Genetic-X-means handle recently evolving attacks by clustering them into respective classes, and if the attack pattern deviates largely from the existing cluster it is grouped into a new class. Genetic paradigm employs a weighted sum fitness function to choose the predominant features, which reveals the occurrence of intrusions. The weighted sum fitness function used here is dependent on problem instance and not just on the problem class. As the data patterns include categorical attributes, an influence calculation formula which converts categorical attribute to numerical attribute is proposed. The experimental results obtained in this work show that the system attains improvement in terms of detection rate when compared to a conventional IDS. Experiments show that this system can be deployed in a real network or database environment for effective detection of both existing and new attacks.     

New data mining technique to enhance IDS alarms quality

The intrusion detection systems (IDSs) generate large number of alarms most of which are false positives. Fortunately, there are reasons for triggering alarms where most of these reasons are not attacks. In this paper, a new data mining technique has been developed to group alarms and to produce clusters. Hereafter, each cluster abstracted as a generalized alarm. The generalized alarms related to root causes are converted to filters to reduce future alarms load. The proposed algorithm makes use of nearest neighboring and generalization concepts to cluster alarms. As a clustering algorithm, the proposed algorithm uses a new measure to compute distances between alarms features values. This measure depends on background knowledge of the monitored network, making it robust and meaningful. The new data mining technique was verified with many datasets, and the averaged reduction ratio was about 82% of the total alarms. Application of the new technique to alarms log greatly helps the security analyst in identifying the root causes; and then reduces the alarm load in the future.     

Deciding optimal entropic thresholds to calibrate the detection mechanism for variable rate DDoS attacks in ISP domain: honeypot based approach

High bandwidth DDoS attacks consume more resources and have direct impact at ISP level in contrast to low rate DDoS attacks which lead to graceful degradation of network and are mostly undetectable. Although an array of detection schemes have been proposed, current requirement is a real time DDoS detection mechanism that adapts itself to varying network conditions to give minimum false alarms. DDoS attacks that disturb the distribution of traffic features in ISP domain are reflected by entropic variations on in stream samples. We propose honeypot detection for attack traffic having statistically similar distribution features as legitimate traffic. Next we propose to calibrate the detection mechanism for minimum false alarm rate by varying tolerance factor in real time. Simulations are carried out in ns-2 at different attack strengths. We also report our experimental results over MIT Lincoln lab dataset and its subset KDD 99 dataset. Results show that the proposed approach is comparable to previously reported approaches with an advantage of variable rate attack detection with minimum false positives and negatives.     

针对网络入侵检测系统的攻击及防御

Internet的使用越来越广泛,随之而来的网络安全已成为人们关注的焦点。入侵检测系统作为一种对付攻击的有效手段,已为越来越多的单位所采用。然而一旦攻击者发现目标网络中部署有入侵检测系统IDS,那么IDS往往成为他们首选的攻击目标。该文详细分析了针对网络IDS的几种攻击类型,即过载攻击、崩溃攻击和欺骗攻击,以及如何防御这些攻击,这对于IDS的设计具有一定的借鉴意义。     

一种追踪DDoS攻击源的算法

提出了一个追踪DDoS攻击源的算法,将攻击源快速锁定到规模相对较小的AS实体中,确定攻击源所属的AS自治域系统。由入侵检测系统的网络数据包采集器负责处理网络中传输的报文,采集到的数据经加工处理后,识别、记录和分析攻击行为或异常情况,形成入侵攻击报警信息数据,对入侵攻击的路径路由进行反追踪以形成有效的入侵攻击路径路由图。实验表明,该算法比PPM算法在计算负载上更有效。     

基于网络安全知识库的入侵检测模型

在网络安全知识库系统的基础上,提出一个基于网络安全基础知识库系统的入侵检测模型,包括数据过滤、攻击企图分析和态势评估引擎。该模型采用进化型自组织映射发现同源的多目标攻击;采用时间序列分析法获取的关联规则来进行在线的报警事件的关联,以识别时间上分散的复杂攻击;最后对主机级和局域网系统级威胁分别给出相应的评估指标以及对应的量化评估方法。相比现有的IDS,该模型的结构更加完整,可利用的知识更为丰富,能够更容易地发现协同攻击并有效降低误报率。     

路由器端基于模式聚集的流量控制研究

不断发展的DoS/DDoS攻击对Internet安全是一个严重的威胁,传统的IDS针对DoS/DDoS攻击的防御方法并不能减少路由器上的攻击流量。文中提出了一种新的运行在核心路由器上的基于多层模式聚集的流量控制机制,它根据不同协议的统计特征设计出不同聚集模式,使用轻量级的协议分析和多层聚集来控制流量。实验证明该机制不但简化了包分类的复杂性,对攻击手段的变化还有一定的免疫性,能对恶意攻击包进行有效过滤,实现在骨干网络上限制非法流量的目的。     

Prevention of selective black hole attacks on mobile ad hoc networks through intrusion detection systems

A black hole attack on a MANET refers to an attack by a malicious node, which forcibly acquires the route from a source to a destination by the falsification of sequence number and hop count of the routing message. A selective black hole is a node that can optionally and alternately perform a black hole attack or perform as a normal node. In this paper, several IDS (intrusion detection system) nodes are deployed in MANETs in order to detect and prevent selective black hole attacks. The IDS nodes must be set in sniff mode in order to perform the so-called ABM (Anti-Blackhole Mechanism) function, which is mainly used to estimate a suspicious value of a node according to the abnormal difference between the routing messages transmitted from the node. When a suspicious value exceeds a threshold, an IDS nearby will broadcast a block message, informing all nodes on the network, asking them to cooperatively isolate the malicious node. This study employs ns2 to validate the effect of the proposed IDS deployment, as IDS nodes can rapidly block a malicious node, without false positives, if a proper threshold is set.     

A lightweight distributed detection algorithm for DDAO attack on RPL routing protocol in Internet of Things

A significant increase in the number of connected devices in the Internet of Things poses a key challenge to efficiently handling the attacks in routing protocols such as Routing Protocol for Low Power and Lossy Networks (RPL). The attacks on RPL are partly studied in the literature, and the proposed solutions typically overlook the appropriate trade-off among the detection rate and communication and computational overhead. This study aimed at introducing a new attack called Dropped Destination Advertisement Object (DDAO) and a new Intrusion Detection System (IDS) to counter this attack in RPL protocol. DDAO attack adversely affects the network by preventing the creation of the downward routes through not forwarding Destination Advertisement Object (DAO) messages and sending fake Destination Advertisement Object Acknowledgment (DAO-ACK) messages to the DAO source. A distributed lightweight IDS is proposed in this study to detect and counter DDAO attacks by monitoring the behavior of parents against forwarded DAO messages. According to the evaluations conducted on the Cooja simulator under different real-world conditions, the proposed IDS can detect DDAO attacks with high accuracy, precision, and True Positive Rate (TPR) and low False Positive Rate (i.e., close to zero). Additionally, compared to RPL, the proposed IDS improves Packet Delivery Rate (PDR) by 158 percent when countering attacks.     

A distributed parallel alarm management strategy for alarm reduction in chemical plants

A distributed parallel alarm management strategy based on massive historical alarms and distributed clustering algorithm is proposed to reduce the number of alarms presented to operators in modern chemical plants. Due to the large and growing scale of historical alarms as the basis of analysis, it is difficult for traditional alarm management strategy to store and analyze all alarms efficiently. In this paper, by designing the row key and storage structure in a distributed extensible NoSQL database, the strategy spreads alarm data in a group of commercial machines, which ensures the capacity and scalability of the whole system. Meanwhile, Distributed Parallel Query Model (DPQM) proposed as a unified query model provides efficient query and better integration of distributed platform. Based on the characteristics of alarms and time-delay correlation of alarm occurrence, alarm similarity criteria are proposed to effectively identify repetitive and homologous alarms. In order to group massive alarm data, a new distributed clustering algorithm is designed to work concurrently in MapReduce frameworks. The test results using alarm data from real chemical plants show that the strategy is better than traditional method based on MySQL at system performance, and provides excellent redundant alarm suppression in both normal situation and alarm flooding situation.     

蜜罐与入侵检测系统协作模型的研究

介绍了蜜罐与入侵检测协作系统的设计模型。实现协作的方法是用无监督聚类对蜜罐系统中记录的数据进行分类,标记类别,再用决策树提取出入侵规则,最后把提取出的新入侵规则添加到入侵检测系统的规则库中。目的是使入侵检测系统可以检测出新入侵行为。仿真实验验证了模型的有效性。