17 articles found
Optimal configuration of firewall, IDS and vulnerability scan by game theory (Cited by: 7)
1
Authors: 赵柳榕 梅姝娥 仲伟俊 《Journal of Southeast University(English Edition)》 EI CAS 2011, No. 2, pp. 144-147 (4 pages)
The integrated linkage control problem based on attack detection is solved with the analyses of the security model including firewall, intrusion detection system (IDS) and vulnerability scan by game theory. The Nash equilibrium for two portfolios of only deploying IDS and vulnerability scan and deploying all the technologies is investigated by backward induction. The results show that when the detection rates of IDS and vulnerability scan are low, the firm will not only inspect every user who raises an alarm, but also a fraction of users that do not raise an alarm; when the detection rates of IDS and vulnerability scan are sufficiently high, the firm will not inspect any user who does not raise an alarm, but only inspect a fraction of users that raise an alarm. Adding firewall into the information system impacts on the benefits of firms and hackers, but does not change the optimal strategies of hackers, and the optimal investigation strategies of IDS are only changed in certain cases. Moreover, the interactions between IDS & vulnerability scan and firewall & IDS are discussed in detail.
Keywords: economics of information systems FIREWALL intrusion detection system (IDS) vulnerability scan security portfolio strategy
The Application of Weighted Association Rules in Host-Based Intrusion Detection System (Cited by: 1)
2
Authors: 曹元大 薛静锋 《Journal of Beijing Institute of Technology》 EI CAS 2002, No. 4, pp. 418-421 (4 pages)
Association rules are useful for determining correlations between items. Applying association rules to intrusion detection system (IDS) can improve the detection rate, but false positive rate is also increased. Weighted association rules are used in this paper to mine intrusion models, which can increase the detection rate and decrease the false positive rate by some extent. Based on this, the structure of host-based IDS using weighted association rules is proposed.
Keywords: network security intrusion detection system association rules WEIGHT
An analysis method of topological relations between Snort rules
3
Authors: 殷奕 汪芸 Takahashi Naohisa 《Journal of Southeast University(English Edition)》 EI CAS 2016, No. 1, pp. 21-28 (8 pages)
It is difficult to know all the relations between Snort rules. To deal with this problem, the topological relations between Snort rules are classified based on the set theory, and a method for calculating the topological relations between Snort rules is proposed. In the existing methods for analyzing the relations of Snort rules, the relations are usually determined only according to the header information of the Snort rules. Without considering the actions of Snort rules, the proposed method improves upon the existing methods and it can classify and calculate the topological relations between Snort rules according to both headers and options information of Snort rules. In addition, the proposed method is implemented by the functional language Haskell. The experimental results show that the topological relations between Snort rules can be calculated rapidly and effectively. The proposed method also provides an important basis for conflict detection in the succeeding Snort rules.
Keywords: intrusion detection system (IDS) Snort rule functional programming language
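The Devil Grows a Foot Taller (魔高一尺)
4
《个人电脑》 2003, No. 9, pp. 103-103 (1 page)
Intrusion refers to people (called "hackers" or "crackers") attempting to break into or misuse your system. Misuse covers a wide range, from serious theft of confidential data to lesser matters such as abusing your e-mail system to send spam (which, for many people, is the more common case). An intrusion detection system (IDS) is a system used to detect such intrusions. In general, IDSs can be classified as follows:
Keywords: network security, intrusion detection system, IDS, network intrusion detection system, NIDS, system integrity verifier, SIV, log file monitor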
Anomaly-based model for detecting HTTP-tunnel traffic using network behavior analysis (Cited by: 3)
5
Authors: 李世淙 Yun Xiaochun Zhang Yongzheng 《High Technology Letters》 EI CAS 2014, No. 1, pp. 63-69 (7 pages)
Increasing time-spent online has amplified users' exposure to the threat of information leakage. Although existing security systems (such as firewalls and intrusion detection systems) can satisfy most of the security requirements of network administrators, they are not suitable for detecting the activities of applying the HTTP-tunnel technique to steal users' private information. This paper focuses on a network behavior-based method to address the limitations of the existing protection systems. At first, it analyzes the normal network behavior pattern over HTTP traffic and selects four features. Then, it presents an anomaly-based detection model that applies a hierarchical clustering technique and a scoring mechanism. It also uses real-world data to validate that the selected features are useful. The experiments have demonstrated that the model could achieve over 93% hit-rate with only about 3% false-positive rate. It is regarded confidently that the approach is a complementary technique to the existing security systems.
Keywords: network security anomaly detection model hierarchical clustering HTTP-tunnel
AN INTRUSION DETECTION SYSTEM BASED ON EVIDENCE THEORY AND ROUGH SET THEORY (Cited by: 2)
6
Authors: Ye Qing Wu Xiaoping Zhang Changhong 《Journal of Electronics(China)》 2009, No. 6, pp. 777-781 (5 pages)
In this paper, we propose a novel Intrusion Detection System (IDS) architecture utilizing both the evidence theory and Rough Set Theory (RST). Evidence theory is an effective tool in dealing with uncertainty question. It relies on the expert knowledge to provide evidences, needing the evidences to be independent, and this makes it difficult in application. To solve this problem, a hybrid system of rough sets and evidence theory is proposed. Firstly, simplifications are made based on Variable Precision Rough Set (VPRS) conditional entropy. Thus, the Basic Belief Assignment (BBA) for all evidences can be calculated. Secondly, Dempster’s rule of combination is used, and a decision-making is given. In the proposed approach, the difficulties in acquiring the BBAs are solved, the correlativity among the evidences is reduced and the subjectivity of evidences is weakened. An illustrative example in an intrusion detection shows that the two theories combination is feasible and effective.
Keywords: Intrusion Detection System (IDS) Evidence theory Rough Set Theory (RST)
Real-valued multi-area self set optimization in immunity-based network intrusion detection system (Cited by: 1)
7
Authors: Zhang Fengbin Xi Liang Wang Shengwen 《High Technology Letters》 EI CAS 2012, No. 1, pp. 1-6 (6 pages)
The real-valued self set in immunity-based network intrusion detection system (INIDS) has some defects: multi-area and overlapping, which are ignored before. The detectors generated by this kind of self set may have the problem of boundary holes between self and nonself regions, and the generation efficiency is low, so that, the self set needs to be optimized before generation stage. This paper proposes a self set optimization algorithm which uses the modified clustering algorithm and Gaussian distribution theory. The clustering deals with multi-area and the Gaussian distribution deals with the overlapping. The algorithm was tested by Iris data and real network data, and the results show that the optimized self set can solve the problem of boundary holes, increase the efficiency of detector generation effectively, and improve the system's detection rate.
Keywords: immunity-based network intrusion detection system (NIDS) real-valued self set OPTIMIZATION
AN IMMUNITY-BASED SECURITY ARCHITECTURE FOR MOBILE AD HOC NETWORKS (Cited by: 2)
8
Authors: Yi Ping Zhong Yiping Zhang Shiyong 《Journal of Electronics(China)》 2006, No. 3, pp. 417-422 (6 pages)
This paper focuses on investigating immunological principles in designing a multi-agent security architecture for intrusion detection and response in mobile ad hoc networks. In this approach, the immunity-based agents monitor the situation in the network. These agents can take appropriate actions according to the underlying security policies. Specifically, their activities are coordinated in a hierarchical fashion while sensing, communicating, decision and generating responses. Such an agent can learn and adapt to its environment dynamically and can detect both known and unknown intrusions. The proposed intrusion detection architecture is designed to be flexible, extendible, and adaptable that can perform real-time monitoring. This paper provides the conceptual view and a general framework of the proposed system. In the end, the architecture is illustrated by an example to show it can prevent the attack efficiently.
Keywords: Immune system Intrusion detection Mobile agent Mobile ad hoc network Network security
The analysis of application of data mining technology in the system of intrusion detection (Cited by: 2)
9
Authors: Liu Zhijun Pu Xiaowei 《International Journal of Technology Management》 2014, No. 6, pp. 4-5 (2 pages)
With the economic development and the popularity of application of electronic computer, electronic commerce has rapid development. More and more commerce and key business has been carried on the Internet because Internet has the features of interaction, openness, sharing and so on. However, during the daily commerce, people worry about the security of the network system. So a new technology which can detect the unusual behavior in time has been invented in order to protect the security of network system. The system of intrusion detection needs a lot of new technology to protect the data of the network system. The application of data mining technology in the system of intrusion detection can provide a better assistant to the users to analyze the data and improve the accuracy of the checking system.
Keywords: The system of intrusion detection data mining technology APPLICATION
An immunity-based technique to detect network intrusions
10
Authors: 潘峰 丁云飞 汪为农 《Journal of Zhejiang University-Science A(Applied Physics & Engineering)》 SCIE EI CAS CSCD 2005, No. 5, pp. 371-377 (7 pages)
This paper briefly reviews other people’s works on negative selection algorithm and their shortcomings. With a view to the real problem to be solved, authors bring forward two assumptions, based on which a new immune algorithm, multi-level negative selection algorithm, is developed. In essence, compared with Forrest’s negative selection algorithm, it enhances detector generation efficiency. This algorithm integrates clonal selection process into negative selection process for the first time. After careful analyses, this algorithm was applied to network intrusion detection and achieved good results.
Keywords: Artificial immune system Network intrusion detection Negative selection Clonal selection
A virtual machine-based invasion detection system for the virtual computing environment
11
Authors: 曾宇 Wang Jie Sun Ninghui Li Jun Nie Hua 《High Technology Letters》 EI CAS 2006, No. 4, pp. 379-384 (6 pages)
Under virtualization idea based on large-scale dismantling and sharing, the implementing of network interconnection of calculation components and storage components by loose coupling, which are tightly coupling in traditional server, achieves computing capacity, storage capacity and service capacity distribution according to need in application-level. Under the new server model, the segregation and protection of user space and system space as well as the security monitoring of virtual resources are the important factors of ultimate security guarantee. This article presents a large-scale and expansible distributed invasion detection system of virtual computing environment based on virtual machine. The system supports security monitoring management of global resources and provides uniform view of security attacks under virtual computing environment, thereby protecting the user applications and system security under capacity services domain.
Keywords: virtual computing environment oriented virtual machine-based invasion detection system (VIDS) capacity services computing
Personalized Trust Management for Open and Flat P2P Communities
12
Authors: 左敏 李建华 《Journal of Donghua University(English Edition)》 EI CAS 2008, No. 5, pp. 527-532 (6 pages)
A personalized trust management scheme is proposed to help peers build up trust between each other in open and flat P2P communities. This scheme totally abandons the attempt to achieve a global view. It evaluates trust from a subjective point of view and gives personalized decision support to each peer. Simulation experiments prove its three advantages: free of central control, stronger immunity to misleading recommendations, and limited traffic overload.
Keywords: P2P trust management DHT collaborative filtering
Hybrid Optimization of Support Vector Machine for Intrusion Detection
13
Authors: 席福利 郁松年 HAO Wei 《Journal of Donghua University(English Edition)》 EI CAS 2005, No. 3, pp. 51-56 (6 pages)
Support vector machine (SVM) technique has recently become a research focus in intrusion detection field for its better generalization performance when given less priori knowledge than other soft-computing techniques. But the randomicity of parameter selection in its implement often prevents it achieving expected performance. By utilizing genetic algorithm (GA) to optimize the parameters in data preprocessing and the training model of SVM simultaneously, a hybrid optimization algorithm is proposed in the paper to address this problem. The experimental results demonstrate that it’s an effective method and can improve the performance of SVM-based intrusion detection system further.
Keywords: intrusion detection system (IDS) support vector machine (SVM) genetic algorithm (GA) system call trace ξα-estimator sequential minimal optimization (SMO)
A Simulation Environment for Intrusion Detection System in IEC 61850 Based Substation Automation System
14
Authors: YooJin Kwon Seongho Ju Yonghun Lim 《Computer Technology and Application》 2013, No. 7, pp. 335-340 (6 pages)
Greater complexity and interconnectivity across systems embracing electrical power technologies has meant that cyber-security issues have attracted significant attention. In this paper a simulation environment for intrusion detection system in IEC 61850 standard-based substation automation system is provided to test simulated attacks on IEDs (intelligent electronic devices). Intrusion detection is the process of detecting malicious attacker, so it is an effective and mature security mechanism to protect electrical facility. However, it is not harnessed when securing IEC 61850 automated substation. To prove the detection capability of the system testing environment was developed to analyze and test attacks simulated with different test cases. It shows that the simulation environment works accordingly to various network traffic scenarios and eventually proves the functionality of intrusion detection system to be later deployed in the real IEC 61850 based substation automation system site.
Keywords: IEC 61850 substation automation system simulation environment.
Research on the Computer Network Protocol Test Model based on Genetic and Random Walk Algorithm
15
Authors: Ping Li 《International Journal of Technology Management》 2016, No. 8, pp. 39-42 (4 pages)
In this paper, we conduct research on the computer network protocol test model based on genetic and random walk algorithm. Network protocol is the abstract concept, is important in the process of the development of network system. Fully understand and grasp of the network protocols for managers is there is a big difficult. Network covert channel is the evaluation of intrusion detection system and firewall security performance of an important means, the paper will start from the angle of the attacker, the flaws of the research, and use this kind of defect to realize network covert channel, the random walk algorithm will be feasible for dealing with this issue. For achieving this, we integrate the genetic and random walk algorithm for systematic optimization.
Keywords: Computer Network Protocol Test Model Genetic and Random Walk Algorithm.
Research on the Network Intrusion Detection System based on Modified Particle Swarm Optimization Algorithm
16
Authors: Xuesong Wang Guangzhan Feng 《International Journal of Technology Management》 2016, No. 1, pp. 56-58 (3 pages)
In this paper, we conduct research on the network intrusion detection system based on the modified particle swarm optimization algorithm. Computer interconnection ability put forward the higher requirements for the system reliability design, the need to ensure that the system can support various communication protocols to guarantee the reliability and security of the network. At the same time also require network system, the server or products have strong ability of fault tolerance and redundancy, better meet the needs of users, to ensure the safety of the information data and the good operation of the network system. For this target, we propose the novel paradigm for the enhancement of the modern computer network that is innovative.
Keywords: Intrusion Detection NETWORK Particle Swarm Optimization MODIFICATION Algorithm.
Real-Time Distributed Fiber Optic Sensor for Security Systems: Performance, Event Classification and Nuisance Mitigation (Cited by: 36)
17
Authors: Seedahmed S. MAHMOUD Yuvaraja VISAGATHILAGAR Jim KATSIFOLIS 《Photonic Sensors》 SCIE EI CAS 2012, No. 3, pp. 225-236 (12 pages)
The success of any perimeter intrusion detection system depends on three important performance parameters: the probability of detection (POD), the nuisance alarm rate (NAR), and the false alarm rate (FAR). The most fundamental parameter, POD, is normally related to a number of factors such as the event of interest, the sensitivity of the sensor, the installation quality of the system, and the reliability of the sensing equipment. The suppression of nuisance alarms without degrading sensitivity in fiber optic intrusion detection systems is key to maintaining acceptable performance. Signal processing algorithms that maintain the POD and eliminate nuisance alarms are crucial for achieving this. In this paper, a robust event classification system using supervised neural networks together with a level crossings (LCs) based feature extraction algorithm is presented for the detection and recognition of intrusion and non-intrusion events in a fence-based fiber-optic intrusion detection system. A level crossings algorithm is also used with a dynamic threshold to suppress torrential rain-induced nuisance alarms in a fence system. Results show that rain-induced nuisance alarms can be suppressed for rainfall rates in excess of 100mm/hr with the simultaneous detection of intrusion events. The use of a level crossing based detection and novel classification algorithm is also presented for a buried pipeline fiber optic intrusion detection system for the suppression of nuisance events and discrimination of intrusion events. The sensor employed for both types of systems is a distributed bidirectional fiber-optic Mach-Zehnder (MZ) interferometer.
Keywords: Adaptive level crossings fiber optic sensor intrusion detection nuisance alarm