Similar literature
 20 similar documents found (search time: 15 ms)
1.
Intrusion detection can be essentially regarded as a classification problem, namely, distinguishing normal profiles from intrusive behaviors. This paper introduces boosting classification algorithm into the area of intrusion detection to learn attack signatures. Decision tree algorithm is used as simple base learner of boosting algorithm. Furthermore, this paper employs the Principal Component Analysis (PCA) approach, an effective data reduction approach, to extract the key attribute set from the original high-dimensional network traffic data. KDD CUP 99 data set is used in these experiments to demonstrate that boosting algorithm can greatly improve the classification accuracy of weak learners by combining a number of simple "weak learners". In our experiments, the error rate of training phase of boosting algorithm is reduced from 30.2% to 8% after 10 iterations. Besides, this paper also compares boosting algorithm with Support Vector Machine (SVM) algorithm and shows that the classification accuracy of boosting algorithm is little better than SVM algorithm's. However, the generalization ability of SVM algorithm is better than boosting algorithm.

2.
In recent years, combining multiuser detection and intelligence computer scheme have received considerable attention. In this paper, adaptive fuzzy‐inference multistage matrix Wiener filtering (FI‐MMWF) techniques, based on the minimum mean‐square error criterion, are proposed for ultra‐wideband (UWB) impulse radio communication systems. These FI‐MMWF‐based algorithms employ a time‐varying fuzzy‐inference‐controlled filter stage. Consequently, the proposed approaches accomplish a substantial saving in complexity without trading off the system performance and dynamic‐tracking characteristic. In addition, the fuzzy‐logic‐controlled matrix conjugate gradient algorithm is adopted to reduce the system complexity without trading off the bit‐error‐rate (BER). Simulations are conducted to evaluate the convergence and tracking behavior of the proposed MMWF algorithm, and the BER of the time‐hopping‐UWB system in a realistic UWB channel is investigated. Copyright © 2011 John Wiley & Sons, Ltd.

3.
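Alert Correlation Based on Pattern Matching   Total citations: 1 (self-citations: 0, citations by others: 1)
Alert correlation is a new direction in the field of intrusion detection, and it is of great significance for addressing the problems of current intrusion detection systems: a large volume of alerts, little information in each alert, and a large number of false alarms. This paper describes the method used in the distributed collaborative intrusion detection system (DACIDS) that we designed and developed, which correlates alerts by matching intrusion behavior patterns. An intrusion behavior pattern is a set of predicate formulas defined on a time basis; in essence, it is a set of intrusion events linked together by time constraints. While correlating large numbers of alerts, the method is particularly effective at handling false alarms.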

4.
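After introducing the basic concepts of artificial immune systems, this paper discusses intrusion detection algorithms based on artificial immunity, focusing on the negative selection algorithm and the clonal selection algorithm. It proposes a model of an intrusion detection system based on artificial immunity, and optimizes the algorithm design to address the high time cost of the traditional clonal selection algorithm. Theoretical analysis and experiments show that the detection efficiency of the algorithm is markedly improved.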

5.
NETWORK INTRUSION DETECTION METHOD BASED ON RS-MSVM   Total citations: 1 (self-citations: 0, citations by others: 1)
A new method called RS-MSVM (Rough Set and Multi-class Support Vector Machine) is proposed for network intrusion detection. This method is based on rough set followed by MSVM for attribute reduction and classification respectively. The number of attributes of the network data used in this paper is reduced from 41 to 30 using rough set theory. The kernel function of HVDM-RBF (Heterogeneous Value Difference Metric Radial Basis Function), based on the heterogeneous value difference metric of heterogeneous datasets, is constructed for the heterogeneous network data. HVDM-RBF and one-against-one method are applied to build MSVM. DARPA (Defense Advanced Research Projects Agency) intrusion detection evaluating data were used in the experiment. The testing results show that our method outperforms other methods mentioned in this paper on six aspects: detection accuracy, number of support vectors, false positive rate, false negative rate, training time and testing time.

6.
Several data mining techniques such as Hidden Markov Model (HMM), artificial neural network, statistical techniques and expert systems are used to model network packets in the field of intrusion detection. In this paper a novel intrusion detection mode based on understandable Neural Network Tree (NNTree) is presented. NNTree is a modular neural network with the overall structure being a Decision Tree (DT), and each non-terminal node being an Expert Neural Network (ENN). One crucial advantage of using NNTrees is that they keep the non-symbolic model ENN's capability of learning in changing environments. Another potential advantage of using NNTrees is that they are actually "gray boxes" as they can be interpreted easily if the number of inputs for each ENN is limited. We showed through experiments that the trained NNTree achieved a simple ENN at each non-terminal node as well as a satisfying recognition rate of the network packets dataset. We also compared the performance with that of a three-layer backpropagation neural network. Experimental results indicated that the NNTree based intrusion detection model achieved better performance than the neural network based intrusion detection model.

7.
Ningrinla  Raja. Ad hoc Networks, 2008, 6(4): 508-523
In this paper, we present two intrusion detection techniques for mobile ad-hoc networks, which use collaborative efforts of nodes in a neighborhood to detect a malicious node in that neighborhood. The first technique is designed for detection of malicious nodes in a neighborhood of nodes in which each pair of nodes in the neighborhood are within radio range of each other. Such a neighborhood of nodes is known as a clique [12]. The second technique is designed for detection of malicious nodes in a neighborhood of nodes, in which each pair of nodes may not be in radio range of each other but where there is a node among them which has all the other nodes in its one-hop vicinity. This neighborhood is identical to a cluster as mentioned in [12]. Both techniques use message passing between the nodes. A node called the monitor node initiates the detection process. Based on the messages that it receives during the detection process, each node determines the nodes it suspects to be malicious and sends votes to the monitor node. The monitor node upon inspecting the votes determines the malicious nodes from among the suspected nodes. Our intrusion detection system is independent of any routing protocol. We give the proof of correctness of the first algorithm, which shows that it correctly detects the malicious nodes always when there is no message loss. We also show with the help of simulations that both the algorithms give good performance even when there are message losses arising due to unreliable channel.

8.
Ontologies play an essential role in knowledge sharing and exploration, especially in multiagent systems. Intrusion is an unauthorized activity in a network, which is achieved by either active manner (information gathering) or passive manner (harmful packet forwarding). Most of the existing intrusion detection system (IDS) suffers from the following issues: it is usually adjusted to detect known service level network attacks and leaves from vulnerable to original and novel malicious attacks. Thus, it provides low accuracy and detection rate, which are the important problems of existing IDS. To overwhelm these drawbacks, an ontology‐based multiagent IDS framework is developed in this work for intrusion detection. The main intention of this work is to detect the network attacks with the help of multiple detection agents. In this analysis, there are 3 different types of agents, ie, IDS broker, deputy commander, and response agent, which are used to prevent and detect the attacks in a network. The novel concept of this work is based on the concept of signature matching; it identifies and detects the attackers with the help of multiple agents.

9.
Intrusion is any unwanted activity that can disrupt the normal functions of wired or wireless networks. Wireless mesh networking technology has been pivotal in providing an affordable means to deploy a network and allow omnipresent access to users on the Internet. A multitude of emerging public services rely on the widespread, high-speed, and inexpensive connectivity provided by such networks. The absence of a centralized network infrastructure and open shared medium makes WMNs particularly susceptible to malevolent attacks, especially in multihop networks. Hence, it is becoming increasingly important to ensure privacy, security, and resilience when designing such networks. An effective method to detect possible internal and external attack vectors is to use an intrusion detection system. Although many Intrusion Detection Systems (IDSs) were proposed for Wireless Mesh Networks (WMNs), they can only detect intrusions in a particular layer. Because WMNs are vulnerable to multilayer security attacks, a cross-layer IDS is required to detect and respond to such attacks. In this study, we analyzed cross-layer IDS options in WMN environments. The main objective was to understand how such schemes detect security attacks at several OSI layers. The suggested IDS is verified in many scenarios, and the experimental results show its efficiency.

10.
Along with expansion in using of Internet and computer networks, the privacy, integrity, and access to digital resources have been faced with permanent risks. Due to the unpredictable behavior of network, the nonlinear nature of intrusion attempts, and the vast number of features in the problem environment, intrusion detection system (IDS) is regarded as the main problem in the security of computer networks. A feature selection technique helps to reduce complexity in terms of both the executive load and the storage by selecting the optimal subset of features. The purpose of this study is to identify important and key features in building an IDS. To improve the performance of IDS, this paper proposes an IDS that its features are optimally selected using a new hybrid method based on fruit fly algorithm (FFA) and ant lion optimizer (ALO) algorithm. The simulation results on the dataset KDD Cup99, NSL‐KDD, and UNSW‐NB15 have shown that the FFA–ALO has an acceptable performance according to the evaluation criteria such as accuracy and sensitivity than previous approaches.

11.
Network intrusion detection systems (NIDS) are critical network security tools that help protect computer installations from malicious users. Traditional software-based NIDS architectures are becoming strained as network data rates increase and attacks intensify in volume and complexity. In recent years, researchers have proposed using FPGAs to perform the computationally-intensive components of intrusion detection analysis. In this work, we present a new NIDS architecture that integrates the network interface hardware and packet analysis hardware into a single FPGA chip. This integration enables a higher performance and more flexible NIDS platform. To demonstrate the benefits of this technique, we have implemented a complete and functional NIDS in a Xilinx Virtex II Pro FPGA that performs in-line packet analysis and filtering on multiple Gigabit Ethernet links using rules from the open-source Snort attack database.

12.
QR Decomposition with an M-algorithm (QRD-M) has good performance with low complexity, which is considered as a promising technique in Multiple-Input Multiple-Output (MIMO) detections. This paper presented a simplified QRD-M algorithm for MIMO Orthogonal Frequency Division Multiplexing (MIMO-OFDM) systems. In the proposed scheme, each surviving path is expanded only to partial branches in order to carry out a limited tree search. The nodes are expanded on demand and sorted in a distributed manner, based on the novel expansion scheme which can pre-determine the children’s ascending order by their local distances. Consequently, the proposed scheme can significantly decrease the complexity compared with conventional QRD-M algorithm. Hence, it is especially attractive to VLSI implementation of the high-throughput MIMO-OFDM systems. Simulation results prove that the proposed scheme can achieve a performance very close to the conventional QRD-M algorithm.

13.
Internet attacks pose a severe threat to most of the online resources and are a prime concern of security administrators these days. In spite of many efforts, the security techniques are unable to detect the intrusions accurately. Most of the methods suffer from the limitations of a high false positive rate, low detection rate and provide one solution which lacks the classification trade-offs. In this work, an effective two-stage method is proposed to produce a pool of non-dominating solutions or Pareto optimal solutions as base models and their ensembles for detecting the intrusions accurately. It generates Pareto optimal solutions to a chromosome structure in stage 1 formulating Pareto front. Whereas, another approximation to the Pareto front of optimal solutions is made to obtain non-dominating ensembles in the second stage. The final prediction ensemble solutions are computed from individual predictions using majority voting approach. Applicability of the suggested method is validated using benchmark dataset NSL-KDD dataset. The experimental results show that the recommended method provides better results than conventional ensemble techniques. The recommended method is also adequate to generate Pareto optimal solutions that address the issue of improving detection accuracy for minority as well as majority attack classes along with handling classification tradeoff problem. The proposed method resulted in detection accuracy of 97% with FPR of 2% for KDD dataset respectively. The most attractive feature of the proposed method is that both generation of base classifier and their ensemble thereof are multi-objective in nature addressing the issue of low detection accuracy and classification tradeoffs.

14.
Recent advances in microelectronics have encouraged the implementation of a wireless sensor network (WSN) in intelligent monitoring systems (IMSs). The IMS for time‐critical applications requires timely and reliable data delivery without sacrificing the energy efficiency of the network. This paper proposes FPS‐MAC, a fuzzy priority scheduling‐based medium access control protocol, designed for event critical traffic in hierarchical WSN. The FPS‐MAC allows time‐critical event traffic to opportunistically steal the data slots allocated for periodic data traffic in event‐based situations. Additionally, a fuzzy logic‐based slot scheduling mechanism is introduced to provide guaranteed and timely medium access to emergency traffic load and ensures the quality‐of‐service (QoS) requirements of IMSs. Both analytical and simulation results for data throughput, energy consumption, and transmission delay of FPS‐MAC, TLHA, E‐BMA, and BMA‐RR have been analyzed to demonstrate the superiority of the proposed FPS‐MAC protocol.

15.
Intrusion detection systems (IDS) are systems aimed at analyzing and detecting security problems. The IDS may be structured into misuse and anomaly detection. The former are often signature/rule IDS that detect malicious software by inspecting the content of packets or files looking for a “signature” labeling malware. They are often very efficient, but their drawback stands in the weakness of the information to check (eg, the signature), which may be quickly dated, and in the computation time because each packet or file needs to be inspected. The IDS based on anomaly detection and, in particular, on statistical analysis have been originated to bypass the mentioned problems. Instead of inspecting packets, each traffic flow is observed so getting a statistical characterization, which represents the fingerprint of the flow. This paper introduces a statistical analysis based intrusion detection system, which, after extracting the statistical fingerprint, uses machine learning classifiers to decide whether a flow is affected by malware or not. A large set of tests is presented. The obtained results allow selecting the best classifiers and show the performance of a decision maker that exploits the decisions of a bank of classifiers acting in parallel.

16.
In a heterogeneous CPU-GPU multicore system that contains various types of computation units as well as on-chip storage units, the on-chip interconnection network is a critical shared resource responsible for sending coherence and memory traffic. On-chip traffic originated from or designated to different components has different performance and throughput requirements. A naive or un-optimized traffic prioritization mechanism usually results in suboptimal system performance. In this work, we quantify the performance/throughput requirements for both CPU and GPU applications, abstract critical information, and propose a network prioritization mechanism which effectively coordinates the on-chip traffic to improve overall system performance.

17.
We proposed the support vector machine (SVM)‐based equalisation schemes for direct‐sequence ultra wideband (UWB) systems. The severe intersymbol interference caused by the UWB channel was formulated as a pattern classification problem in the SVM‐based equaliser, which operates in two main modes: training and detection. We also applied the least squares support vector classifiers (LS‐SVCs) to reduce the training complexity and sparse LS‐SVCs to reduce the detection complexity, with little performance loss compared to SVCs. Simulation results confirm the outperformance of the proposed equalisers over the conventional rake receiver with the same order of complexity for detection, especially when no channel information is known at the receiver. Also, the SVM‐based equalisers in the line‐of‐sight scenario provide a performance close to the case with additive white Gaussian noise only. Copyright © 2011 John Wiley & Sons, Ltd.

18.
In this paper, we propose a novel Intrusion Detection System (IDS) architecture utilizing both the evidence theory and Rough Set Theory (RST). Evidence theory is an effective tool in dealing with uncertainty question. It relies on the expert knowledge to provide evidences, needing the evidences to be independent, and this makes it difficult in application. To solve this problem, a hybrid system of rough sets and evidence theory is proposed. Firstly, simplifications are made based on Variable Precision Rough Set (VPRS) conditional entropy. Thus, the Basic Belief Assignment (BBA) for all evidences can be calculated. Secondly, Dempster’s rule of combination is used, and a decision-making is given. In the proposed approach, the difficulties in acquiring the BBAs are solved, the correlativity among the evidences is reduced and the subjectivity of evidences is weakened. An illustrative example in an intrusion detection shows that the two theories combination is feasible and effective.

19.
Using the hypothesis that data transmitted by different users are statistically independent of each other, this paper proposes a fixed-point blind adaptive multiuser detection algorithm for Time-Hopping (TH) Impulse Radio (IR) Ultra Wide Band (UWB) systems in multipath channel, which is based on Independent Component Analysis (ICA) idea. The proposed algorithm employs maximizing negentropy criterion to separate the data packets of different users. Then the user characteristic sequences are utilized to identify the data packet order of the desired user. This algorithm only needs the desired user’s characteristic sequence instead of channel information, power information and time-hopping code of any user. Due to using hypothesis of statistical independence among users, the proposed algorithm has the outstanding Bit Error Rate (BER) performance and the excellent ability of near-far resistance. Simulation results demonstrate that this algorithm has the performance close to that of Maximum-Likelihood (ML) algorithm and is a suboptimum blind adaptive multiuser detection algorithm of excellent near-far resistance and low complexity.

20.
Cognitive Wireless Mesh Networks (CWMN) is a novel wireless network which combines the advantage of Cognitive Radio (CR) and wireless mesh networks. CWMN can realize seamless integration of heterogeneous wireless networks and achieve better radio resource utilization. However, it is particularly vulnerable due to its features of open medium, dynamic spectrum, dynamic topology, and multi-hop routing, etc. Being a dynamic positive security strategy, intrusion detection can provide powerful safeguard to CWMN. In this paper, we introduce trust mechanism into CWMN with intrusion detection and present a trust establishment model based on intrusion detection. Node trust degree and the trust degree of data transmission channels between nodes are defined and an algorithm of calculating trust degree is given based on distributed detection of attack to networks. A channel assignment and routing scheme is proposed, in which selects the trusted nodes and allocates data channel with high trust degree for the transmission between neighbor nodes to establish a trusted route. Simulation results indicate that the scheme can vary channel allocation and routing dynamically according to network security state so as to avoid suspect nodes and unsafe channels, and improve the packet safe delivery fraction effectively.
