21 articles found
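Research on a Linkage Platform for Intrusion Detection and Firewalls
1
Author: 靳燕. 电脑开发与应用, 2012, No. 3, pp. 33-35 (3 pages)
By analyzing the respective strengths of intrusion detection systems and firewall technology, the paper argues that it is very important for firewall data filtering and the real-time monitoring of intrusion detection to complement each other effectively. It proposes a basic classification method for network security events, defines the format of the information that the intrusion detection system provides to the firewall, and, by embedding the relevant modules in the intrusion detection system and the firewall, implements automatic response by the intrusion detection system to attack behavior, thereby achieving cooperative operation between the firewall and the intrusion detection system. In this way, attacks from either the internal or the external network can be identified by the linkage platform and responded to automatically.
Keywords: intrusion detection system; firewall technology; automatic response; linkage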
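Internet Security and Preventive Measures (cited by: 1)
2
Authors: 张海波, 张军儒, 刘江. 中国传媒科技, 2012, No. 2, pp. 166-167 (2 pages)
With the development of the Internet, information is transmitted ever more quickly. National government agencies, enterprises and public institutions have not only mostly built their own local area network systems but have also connected them to the Internet in various ways. Taking the main factors affecting computer network security as its starting point, the article gives a comprehensive account, from different angles, of the circumstances that affect computer network security, so that adverse factors can be nipped in the bud and the secure management and effective operation of computer networks ensured.
Keywords: Internet security; network security; local area network; computer security; hardware firewall; attack methods; enterprises and public institutions; network; intrusion detection system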
Optimal configuration of firewall, IDS and vulnerability scan by game theory (cited by: 7)
3
Authors: 赵柳榕, 梅姝娥, 仲伟俊. Journal of Southeast University (English Edition), EI, CAS, 2011, No. 2, pp. 144-147 (4 pages)
The integrated linkage control problem based on attack detection is solved with the analyses of the security model including firewall, intrusion detection system (IDS) and vulnerability scan by game theory. The Nash equilibrium for two portfolios of only deploying IDS and vulnerability scan and deploying all the technologies is investigated by backward induction. The results show that when the detection rates of IDS and vulnerability scan are low, the firm will not only inspect every user who raises an alarm, but also a fraction of users that do not raise an alarm; when the detection rates of IDS and vulnerability scan are sufficiently high, the firm will not inspect any user who does not raise an alarm, but only inspect a fraction of users that raise an alarm. Adding firewall into the information system impacts on the benefits of firms and hackers, but does not change the optimal strategies of hackers, and the optimal investigation strategies of IDS are only changed in certain cases. Moreover, the interactions between IDS & vulnerability scan and firewall & IDS are discussed in detail.
Keywords: economics of information systems FIREWALL intrusion detection system (IDS) vulnerability scan security portfolio strategy
The Application of Weighted Association Rules in Host-Based Intrusion Detection System (cited by: 1)
4
Authors: 曹元大, 薛静锋. Journal of Beijing Institute of Technology, EI, CAS, 2002, No. 4, pp. 418-421 (4 pages)
Association rules are useful for determining correlations between items. Applying association rules to intrusion detection system (IDS) can improve the detection rate, but the false positive rate is also increased. Weighted association rules are used in this paper to mine intrusion models, which can increase the detection rate and decrease the false positive rate to some extent. Based on this, the structure of host-based IDS using weighted association rules is proposed.
Keywords: network security intrusion detection system association rules WEIGHT
An analysis method of topological relations between Snort rules
5
Authors: 殷奕, 汪芸, Takahashi Naohisa. Journal of Southeast University (English Edition), EI, CAS, 2016, No. 1, pp. 21-28 (8 pages)
It is difficult to know all the relations between Snort rules. To deal with this problem, the topological relations between Snort rules are classified based on the set theory, and a method for calculating the topological relations between Snort rules is proposed. In the existing methods for analyzing the relations of Snort rules, the relations are usually determined only according to the header information of the Snort rules. Without considering the actions of Snort rules, the proposed method improves upon the existing methods and it can classify and calculate the topological relations between Snort rules according to both headers and options information of Snort rules. In addition, the proposed method is implemented by the functional language Haskell. The experimental results show that the topological relations between Snort rules can be calculated rapidly and effectively. The proposed method also provides an important basis for conflict detection in the succeeding Snort rules.
Keywords: intrusion detection system (IDS) Snort rule functional programming language
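People and Management Methods: Key Factors in Information Security (cited by: 3)
6
Authors: Errol Rhoden, 陈林, 钟宁. 计算机安全, 2003, No. 27, pp. 60-61 (2 pages)
Almost all enterprises use the Internet to reach suppliers, shareholders and customers, and they pin their hopes on technical measures to protect their data. Many companies often assume that technologies such as firewalls, virtual private networks (VPN) and intrusion detection systems (IDS) can solve their security problems; however, for these technologies to work and achieve the goal of protecting information, professional staff and clear management methods are also needed. The security challenge is becoming increasingly important along with the Web.
Keywords: information security; firewall; intrusion detection system; virtual private network; network security; computer network; personnel; management methods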
Anomaly-based model for detecting HTTP-tunnel traffic using network behavior analysis (cited by: 3)
7
Authors: 李世淙, Yun Xiaochun, Zhang Yongzheng. High Technology Letters, EI, CAS, 2014, No. 1, pp. 63-69 (7 pages)
Increasing time-spent online has amplified users' exposure to the threat of information leakage. Although existing security systems (such as firewalls and intrusion detection systems) can satisfy most of the security requirements of network administrators, they are not suitable for detecting the activities of applying the HTTP-tunnel technique to steal users' private information. This paper focuses on a network behavior-based method to address the limitations of the existing protection systems. At first, it analyzes the normal network behavior pattern over HTTP traffic and selects four features. Then, it presents an anomaly-based detection model that applies a hierarchical clustering technique and a scoring mechanism. It also uses real-world data to validate that the selected features are useful. The experiments have demonstrated that the model could achieve over 93% hit-rate with only about 3% false-positive rate. It is regarded confidently that the approach is a complementary technique to the existing security systems.
Keywords: network security anomaly detection model hierarchical clustering HTTP-tunnel
AN INTRUSION DETECTION SYSTEM BASED ON EVIDENCE THEORY AND ROUGH SET THEORY (cited by: 2)
8
Authors: Ye Qing, Wu Xiaoping, Zhang Changhong. Journal of Electronics (China), 2009, No. 6, pp. 777-781 (5 pages)
In this paper, we propose a novel Intrusion Detection System (IDS) architecture utilizing both the evidence theory and Rough Set Theory (RST). Evidence theory is an effective tool in dealing with uncertainty question. It relies on the expert knowledge to provide evidences, needing the evidences to be independent, and this makes it difficult in application. To solve this problem, a hybrid system of rough sets and evidence theory is proposed. Firstly, simplifications are made based on Variable Precision Rough Set (VPRS) conditional entropy. Thus, the Basic Belief Assignment (BBA) for all evidences can be calculated. Secondly, Dempster's rule of combination is used, and a decision-making is given. In the proposed approach, the difficulties in acquiring the BBAs are solved, the correlativity among the evidences is reduced and the subjectivity of evidences is weakened. An illustrative example in an intrusion detection shows that the two theories combination is feasible and effective.
Keywords: Intrusion Detection System (IDS) Evidence theory Rough Set Theory (RST)
Real-valued multi-area self set optimization in immunity-based network intrusion detection system (cited by: 1)
9
Authors: Zhang Fengbin, Xi Liang, Wang Shengwen. High Technology Letters, EI, CAS, 2012, No. 1, pp. 1-6 (6 pages)
The real-valued self set in immunity-based network intrusion detection system (INIDS) has some defects: multi-area and overlapping, which are ignored before. The detectors generated by this kind of self set may have the problem of boundary holes between self and nonself regions, and the generation efficiency is low, so that the self set needs to be optimized before generation stage. This paper proposes a self set optimization algorithm which uses the modified clustering algorithm and Gaussian distribution theory. The clustering deals with multi-area and the Gaussian distribution deals with the overlapping. The algorithm was tested by Iris data and real network data, and the results show that the optimized self set can solve the problem of boundary holes, increase the efficiency of detector generation effectively, and improve the system's detection rate.
Keywords: immunity-based network intrusion detection system (NIDS) real-valued self set OPTIMIZATION
The analysis of application of data mining technology in the system of intrusion detection (cited by: 2)
10
Authors: Liu Zhijun, Pu Xiaowei. International Journal of Technology Management, 2014, No. 6, pp. 4-5 (2 pages)
With the economic development and the popularity of application of electronic computer, electronic commerce has rapid development. More and more commerce and key business has been carried on the Internet because Internet has the features of interaction, openness, sharing and so on. However, during the daily commerce, people worry about the security of the network system. So a new technology which can detect the unusual behavior in time has been invented in order to protect the security of network system. The system of intrusion detection needs a lot of new technology to protect the data of the network system. The application of data mining technology in the system of intrusion detection can provide a better assistant to the users to analyze the data and improve the accuracy of the checking system.
Keywords: The system of intrusion detection data mining technology APPLICATION
AN IMMUNITY-BASED SECURITY ARCHITECTURE FOR MOBILE AD HOC NETWORKS (cited by: 2)
11
Authors: Yi Ping, Zhong Yiping, Zhang Shiyong. Journal of Electronics (China), 2006, No. 3, pp. 417-422 (6 pages)
This paper focuses on investigating immunological principles in designing a multi-agent security architecture for intrusion detection and response in mobile ad hoc networks. In this approach, the immunity-based agents monitor the situation in the network. These agents can take appropriate actions according to the underlying security policies. Specifically, their activities are coordinated in a hierarchical fashion while sensing, communicating, decision and generating responses. Such an agent can learn and adapt to its environment dynamically and can detect both known and unknown intrusions. The proposed intrusion detection architecture is designed to be flexible, extendible, and adaptable that can perform real-time monitoring. This paper provides the conceptual view and a general framework of the proposed system. In the end, the architecture is illustrated by an example to show it can prevent the attack efficiently.
Keywords: Immune system Intrusion detection Mobile agent Mobile ad hoc network Network security
An immunity-based technique to detect network intrusions
12
Authors: 潘峰, 丁云飞, 汪为农. Journal of Zhejiang University-Science A (Applied Physics & Engineering), SCIE, EI, CAS, CSCD, 2005, No. 5, pp. 371-377 (7 pages)
This paper briefly reviews other people's works on negative selection algorithm and their shortcomings. With a view to the real problem to be solved, authors bring forward two assumptions, based on which a new immune algorithm, multi-level negative selection algorithm, is developed. In essence, compared with Forrest's negative selection algorithm, it enhances detector generation efficiency. This algorithm integrates clonal selection process into negative selection process for the first time. After careful analyses, this algorithm was applied to network intrusion detection and achieved good results.
Keywords: Artificial immune system Network intrusion detection Negative selection Clonal selection
Personalized Trust Management for Open and Flat P2P Communities
13
Authors: 左敏, 李建华. Journal of Donghua University (English Edition), EI, CAS, 2008, No. 5, pp. 527-532 (6 pages)
A personalized trust management scheme is proposed to help peers build up trust between each other in open and flat P2P communities. This scheme totally abandons the attempt to achieve a global view. It evaluates trust from a subjective point of view and gives personalized decision support to each peer. Simulation experiments prove its three advantages: free of central control, stronger immunity to misleading recommendations, and limited traffic overload.
Keywords: P2P trust management DHT collaborative filtering
Hybrid Optimization of Support Vector Machine for Intrusion Detection
14
Authors: 席福利, 郁松年, +1 more author, HAO Wei. Journal of Donghua University (English Edition), EI, CAS, 2005, No. 3, pp. 51-56 (6 pages)
Support vector machine (SVM) technique has recently become a research focus in intrusion detection field for its better generalization performance when given less priori knowledge than other soft-computing techniques. But the randomicity of parameter selection in its implement often prevents it achieving expected performance. By utilizing genetic algorithm (GA) to optimize the parameters in data preprocessing and the training model of SVM simultaneously, a hybrid optimization algorithm is proposed in the paper to address this problem. The experimental results demonstrate that it's an effective method and can improve the performance of SVM-based intrusion detection system further.
Keywords: intrusion detection system (IDS) support vector machine (SVM) genetic algorithm (GA) system call trace ξα-estimator sequential minimal optimization (SMO)
A Simulation Environment for Intrusion Detection System in IEC 61850 Based Substation Automation System
15
Authors: YooJin Kwon, Seongho Ju, Yonghun Lim. Computer Technology and Application, 2013, No. 7, pp. 335-340 (6 pages)
Greater complexity and interconnectivity across systems embracing electrical power technologies has meant that cyber-security issues have attracted significant attention. In this paper a simulation environment for intrusion detection system in IEC 61850 standard-based substation automation system is provided to test simulated attacks on IEDs (intelligent electronic devices). Intrusion detection is the process of detecting malicious attacker, so it is an effective and mature security mechanism to protect electrical facility. However, it is not harnessed when securing IEC 61850 automated substation. To prove the detection capability of the system testing environment was developed to analyze and test attacks simulated with different test cases. It shows that the simulation environment works accordingly to various network traffic scenarios and eventually proves the functionality of intrusion detection system to be later deployed in the real IEC 61850 based substation automation system site.
Keywords: IEC 61850 substation automation system simulation environment
A virtual machine-based invasion detection system for the virtual computing environment
16
Authors: 曾宇, Wang Jie, +2 more authors, Sun Ninghui, Li Jun, Nie Hua. High Technology Letters, EI, CAS, 2006, No. 4, pp. 379-384 (6 pages)
Under virtualization idea based on large-scale dismantling and sharing, the implementing of network interconnection of calculation components and storage components by loose coupling, which are tightly coupling in traditional server, achieves computing capacity, storage capacity and service capacity distribution according to need in application-level. Under the new server model, the segregation and protection of user space and system space as well as the security monitoring of virtual resources are the important factors of ultimate security guarantee. This article presents a large-scale and expansible distributed invasion detection system of virtual computing environment based on virtual machine. The system supports security monitoring management of global resources and provides uniform view of security attacks under virtual computing environment, thereby protecting the user applications and system security under capacity services domain.
Keywords: virtual computing environment oriented virtual machine-based invasion detection system (VIDS) capacity services computing
Research on the Computer Network Protocol Test Model based on Genetic and Random Walk Algorithm
17
Author: Ping Li. International Journal of Technology Management, 2016, No. 8, pp. 39-42 (4 pages)
In this paper, we conduct research on the computer network protocol test model based on genetic and random walk algorithm. Network protocol is the abstract concept, is important in the process of the development of network system. Fully understand and grasp of the network protocols for managers is there is a big difficult. Network covert channel is the evaluation of intrusion detection system and firewall security performance of an important means, the paper will start from the angle of the attacker, the flaws of the research, and use this kind of defect to realize network covert channel, the random walk algorithm will be feasible for dealing with this issue. For achieving this, we integrate the genetic and random walk algorithm for systematic optimization.
Keywords: Computer Network Protocol Test Model Genetic and Random Walk Algorithm
Research on the Network Intrusion Detection System based on Modified Particle Swarm Optimization Algorithm
18
Authors: Xuesong Wang, Guangzhan Feng. International Journal of Technology Management, 2016, No. 1, pp. 56-58 (3 pages)
In this paper, we conduct research on the network intrusion detection system based on the modified particle swarm optimization algorithm. Computer interconnection ability put forward the higher requirements for the system reliability design, the need to ensure that the system can support various communication protocols to guarantee the reliability and security of the network. At the same time also require network system, the server or products have strong ability of fault tolerance and redundancy, better meet the needs of users, to ensure the safety of the information data and the good operation of the network system. For this target, we propose the novel paradigm for the enhancement of the modern computer network that is innovative.
Keywords: Intrusion Detection NETWORK Particle Swarm Optimization MODIFICATION Algorithm
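Research on a Security Framework for Financial Information Systems in the Cloud Environment
19
Author: 王航鹰. 信息与电脑(理论版), 2014, No. 11, pp. 34-35 (2 pages)
The rapid development of computers and the continuous progress of science and technology have given the industrialization of economics and finance a trend toward service orientation, and the emergence of the cloud and cloud computing has pushed financial information systems further toward that trend. This paper carefully studies financial information systems in the cloud environment, points out some of the security risks present in them, and explains the issues involved in building a cloud security framework.
Keywords: financial information; financial industrialization; framework research; service orientation; system security; financial institutions; risks and hidden dangers; financial business; market business; intrusion detection system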
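Improving Information Transaction Security Platform Technology to Raise the Economic Benefits of E-Commerce Enterprises
20
Author: 彭尧. 环球市场信息导报, 2015, No. 10, pp. 78-79 (2 pages)
The e-commerce transaction model was born in the 1990s. Its history is not long, but compared with traditional commerce its pace of development has been astonishing. Along with this rapid development, the security of commercial transactions has become the main bottleneck hindering it; how to resolve the predicament of declining transaction trust and security is the focus of this article. To that end, the author draws on personal work experience to set out several e-commerce security technologies.
Keywords: e-commerce security; commercial transaction security; e-commerce enterprises; experience-based exposition; digital signature technology; digital certificates; e-commerce platform; intrusion detection system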