Similar literature
Found 20 similar documents (search time: 15 ms)
1.
Intrusion detection is the process of identifying unauthorized usage of a computer system. It is an important skill for computer-system administrators. It is difficult to learn on the job because it is needed only occasionally but can be critical. We describe a tutor incorporating two programs. The first program uses artificial-intelligence planning methods to generate realistic audit files reporting actions of a variety of simulated users (including intruders) of a Unix computer system. The second program simulates the system afterwards, and asks the student to inspect the audit and fix the problems caused by the intruders. This program uses intrusion-recognition rules to itself infer the problems, planning methods to figure how best to fix them, plan-inference methods to track student actions, and tutoring rules to tutor intelligently. Experiments show that students using the tutor learn a significant amount in a short time.

2.
International Journal of Information Security - Intrusion detection systems (IDS) identify cyber attacks given a sample of network traffic collected from real-world computer networks. As a powerful...

3.
Álvaro, Emilio, María A., Ajith. Neurocomputing, 2009, 72(13-15): 2775
A novel hybrid artificial intelligent system for intrusion detection, called MObile-VIsualization Hybrid IDS (MOVIH-IDS), is presented in this study. A hybrid model built by means of a multiagent system that incorporates an unsupervised connectionist intrusion detection system (IDS) has been defined to guarantee an efficient computer network security architecture. This hybrid IDS facilitates the intrusion detection in dynamic networks, in a more flexible and adaptable manner. The proposed improvement of the system in this paper includes deliberative agents characterized by the use of an unsupervised connectionist model to identify intrusions in computer networks. This hybrid IDS has been probed through several real anomalous situations related to the simple network management protocol as it is potentially dangerous. Experimental results probed the successful detection of such attacks through MOVIH-IDS.

4.
Immunocomputing for intelligent intrusion detection (total citations: 2; self-citations: 0; citations by others: 2)
Based on immunocomputing, this paper describes an approach to intrusion detection. The approach includes both low-level signal processing (feature extraction) and high-level (intelligent) pattern recognition. The key model is the formal immune network (FIN) including apoptosis (programmed cell death) and immunization, both controlled by cytokines (messenger proteins). Such FIN can be formed from the network traffic signals using discrete tree transforms, singular value decomposition, and the proposed index of inseparability as a measure of quality of FIN. Recent results suggest that the approach outperforms (by training time and accuracy) state-of-the-art approaches of computational intelligence.

5.
The network intrusion detection techniques are important to prevent our systems and networks from malicious behaviors. However, traditional network intrusion prevention such as firewalls, user authentication and data encryption have failed to completely protect networks and systems from the increasing and sophisticated attacks and malware. In this paper, we propose a new hybrid intrusion detection system by using intelligent dynamic swarm based rough set (IDS-RS) for feature selection and simplified swarm optimization for intrusion data classification. IDS-RS is proposed to select the most relevant features that can represent the pattern of the network traffic. In order to improve the performance of SSO classifier, a new weighted local search (WLS) strategy incorporated in SSO is proposed. The purpose of this new local search strategy is to discover the better solution from the neighborhood of the current solution produced by SSO. The performance of the proposed hybrid system on KDDCup 99 dataset has been evaluated by comparing it with the standard particle swarm optimization (PSO) and two other most popular benchmark classifiers. The testing results showed that the proposed hybrid system can achieve higher classification accuracy than others with 93.3% and it can be one of the competitive classifiers for the intrusion detection system.

6.
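《微型机与应用》, 2015, (12): 85-87
To make area management intelligent and scientific, an ARM-based embedded intelligent intrusion detection system was designed in the context of a real project. The system uses a low-cost, low-power ARM11 chip as its processing core and uses embedded Linux to implement remote real-time video surveillance and intrusion detection. It is easy to deploy, highly stable, strongly resistant to interference, inexpensive, and intelligently managed.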

7.
Network intrusion detection has been an area of rapid advancement in recent times. Similar advances in the field of intelligent computing have led to the introduction of several classification techniques for accurately identifying and differentiating network traffic into normal and anomalous. Group Method for Data Handling (GMDH) is one such supervised inductive learning approach for the synthesis of neural network models. Through this paper, we propose a GMDH-based technique for classifying network traffic into normal and anomalous. Two variants of the technique, namely, Monolithic and Ensemble-based, were tested on the KDD-99 dataset. The dataset was preprocessed and all features were ranked based on three feature ranking techniques, namely, Information Gain, Gain Ratio, and GMDH by itself. The results obtained proved that the proposed intrusion detection scheme yields high attack detection rates, nearly 98%, when compared with other intelligent classification techniques for network intrusion detection.

8.
9.
A hybrid intrusion detection system design for computer network security (total citations: 1; self-citations: 0; citations by others: 1)
Intrusion detection systems (IDSs) are systems that try to detect attacks as they occur or after the attacks took place. IDSs collect network traffic information from some point on the network or computer system and then use this information to secure the network. Intrusion detection systems can be misuse-detection or anomaly detection based. Misuse-detection based IDSs can only detect known attacks whereas anomaly detection based IDSs can also detect new attacks by using heuristic methods. In this paper we propose a hybrid IDS by combining the two approaches in one system. The hybrid IDS is obtained by combining packet header anomaly detection (PHAD) and network traffic anomaly detection (NETAD) which are anomaly-based IDSs with the misuse-based IDS Snort which is an open-source project. The hybrid IDS obtained is evaluated using the MIT Lincoln Laboratories network traffic data (IDEVAL) as a testbed. Evaluation compares the number of attacks detected by misuse-based IDS on its own, with the hybrid IDS obtained combining anomaly-based and misuse-based IDSs and shows that the hybrid IDS is a more powerful system.

10.
A hybrid RBF/Elman neural network model that can be employed for both anomaly detection and misuse detection is presented in this paper. The IDSs using the hybrid neural network can detect temporally dispersed and collaborative attacks effectively because of its memory of past events. The RBF network is employed as a real-time pattern classification and the Elman network is employed to restore the memory of past events. The IDSs using the hybrid neural network are evaluated against the intrusion detection evaluation data sponsored by U.S. Defense Advanced Research Projects Agency (DARPA). Experimental results are presented in ROC curves. Experiments show that the IDSs using this hybrid neural network improve the detection rate and decrease the false positive rate effectively.

11.
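An intrusion detection system is a network security technology that detects network intrusion behavior and can actively protect itself from attack; it is a reasonable complement to the network firewall. This paper describes the process of applying several data mining methods to intrusion detection and, on that basis, proposes an agent-based network intrusion detection system model that uses data mining techniques. The model consists of a certain number of agents, and its training and detection processes are completely different from those of other systems. Owing to the agents' self-learning ability, the system is adaptive and scalable.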

12.
A hybrid intelligent system for fault detection and sensor fusion (total citations: 1; self-citations: 0; citations by others: 1)
In this paper, an efficient new hybrid approach for multiple sensor fusion and fault detection is proposed, addressing the problem with multiple faults, which is based on conventional fuzzy soft clustering and artificial immune systems. This new approach requires no prior knowledge or information about the sensors, or the system behavior, and no learning processes are required. The proposed hybrid approach consists of two main phases. In the first phase a single fuser for the input sensor signals is generated using the fuzzy clustering c-means algorithm. The fused output is based on the cluster centers that contain the maximum number of the input elements. In the second phase a fault detector was generated based on the artificial immune system AIS.

13.
Rapid increase in internet and network technologies has led to considerable increase in number of attacks and intrusions. Detection and prevention of these attacks has become an important part of security. Intrusion detection system is one of the important ways to achieve high security in computer networks and used to thwart different attacks. Intrusion detection systems have curse of dimensionality which tends to increase time complexity and decrease resource utilization. As a result, it is desirable that important features of data must be analyzed by intrusion detection system to reduce dimensionality. This work proposes an intelligent system which first performs feature ranking on the basis of information gain and correlation. Feature reduction is then done by combining ranks obtained from both information gain and correlation using a novel approach to identify useful and useless features. These reduced features are then fed to a feed forward neural network for training and testing on KDD99 dataset. Pre-processing of KDD-99 dataset has been done to normalize number of instances of each class before training. The system then behaves intelligently to classify test data into attack and non-attack classes. The aim of the feature reduced system is to achieve same degree of performance as a normal system. The system is tested on five different test datasets and both individual and average results of all datasets are reported. Comparison of proposed method with and without feature reduction is done in terms of various performance metrics. Comparisons with recent and relevant approaches are also tabled. Results obtained for proposed method are really encouraging.

14.
Trust aware Collaborative Learning Automata based Intrusion Detection System (T-CLAIDS) for VANETs is proposed in this paper. Learning Automata (LA) are assumed to be deployed on vehicles in the network to capture the information about the different states of the vehicles on the road. A Markov Chain Model (MCM) is constructed for representation of states and their transitions in the network. Transitions from one state to other are dependent upon the density of the vehicles in a particular region. A new classifier is designed for detection of any malicious activity in the network and is tuned based upon the new parameter called as Collaborative Trust Index (CTI) so that it covers all possible types of attacks in the network. An algorithm for detection of abnormal events using the defined classifier is also proposed. The results obtained show that T-CLAIDS performs better than the other existing schemes with respect to parameters such as false alarm ratio, detection ratio and overhead generated.

15.
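Industrial control systems (ICS), the brain of industry, are increasingly being connected to the Internet, but this openness has also exposed serious vulnerability problems. Intrusion detection, as an important security defense measure, can discover possible or potential intrusions in a timely manner. Starting from the current state of ICS network security and national laws and policies, the paper first introduces the ICS architecture and its characteristics and gives an introduction to intrusion detection systems (IDS); it then analyzes the state of research on existing ICS IDS techniques and algorithms from two perspectives, misuse intrusion detection and anomaly intrusion detection; finally, in view of the current development and application of ICS IDS, it offers an outlook on research trends for ICS IDS as a whole.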

16.
In this paper, we propose a novel Intrusion Detection System (IDS) architecture utilizing both anomaly and misuse detection approaches. This hybrid Intrusion Detection System architecture consists of an anomaly detection module, a misuse detection module and a decision support system combining the results of these two detection modules. The proposed anomaly detection module uses a Self-Organizing Map (SOM) structure to model normal behavior. Deviation from the normal behavior is classified as an attack. The proposed misuse detection module uses J.48 decision tree algorithm to classify various types of attacks. The principal interest of this work is to benchmark the performance of the proposed hybrid IDS architecture by using KDD Cup 99 Data Set, the benchmark dataset used by IDS researchers. A rule-based Decision Support System (DSS) is also developed for interpreting the results of both anomaly and misuse detection modules. Simulation results of both anomaly and misuse detection modules based on the KDD 99 Data Set are given. It is observed that the proposed hybrid approach gives better performance over individual approaches.

17.
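From the perspective of the local area network, and addressing the characteristics of IPv6 networks and mixed IPv6/IPv4 networks, such as the blurring of network boundaries and the dynamic changes in network topology caused by the widespread use of tunnels, the widespread use of end-to-end IPsec, and support for mobile users, a design for a hybrid intrusion detection and prevention system is proposed, based on perimeter protection, subnet protection, protection of tunnel and IPsec endpoint hosts, and protection of mobile hosts and critical server hosts; the effectiveness and feasibility of the design are demonstrated.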

18.
In this paper, a hybrid method of support vector machine and genetic algorithm (GA) is proposed and its implementation in intrusion detection problem is explained. The proposed hybrid algorithm is employed in reducing the number of features from 45 to 10. The features are categorized into three priorities using GA algorithm as the highest important is the first priority and the lowest important is placed in the third priority. The feature distribution is done in a way that 4 features are placed in the first priority, 4 features in the second, and 2 features in the third priority. The results reveal that the proposed hybrid algorithm is capable of achieving a true-positive value of 0.973, while the false-positive value is 0.017.

19.
We describe in this paper a new methodology for blood alcohol content (BAC) estimation of a subject. Rather than using external devices to determine the BAC value of a subject, we perform a behaviour analysis of this subject using intelligent systems. We monitor the user’s actions in an ordinary task and label those data to various measured BAC values. The obtained data-set is then used to train learning systems to detect alcoholic consumption and perform BAC estimation. We obtain good results on a mono-user base, and lower results with multiple users. We improve the results by combining multiple classifiers and regression algorithms.

20.
This paper aims at familiarizing the reader with Stochastic Hybrid Systems (SHSs) and enabling her to use these systems to model and analyze Networked Control Systems (NCSs). Towards this goal, we introduce two different models of SHSs and a set of theoretical tools for their analysis. In parallel with the presentation of the mathematical models and results, we provide a few simple examples that illustrate the use of SHSs to model NCSs.
