IDS告警融合与关联模型的研究

入侵检测是保障网络安全的重要手段,针对现有入侵检测系统中告警数量多、协调性差等问题,论文提出了一种具有告警融合与关联功能的告警处理系统模型,该模型冗余告警量少、整体检测能力强,并能进行攻击企图的预测,能有效提高入侵检测的效率,有助于进一步增强网络的健壮性。     

网络安全事件的关联分析方法的比较研究

随着当前攻击手段和技术的日益复杂化,一次入侵事件往往需要多个步骤才能完成,这些步骤都是彼此相关的。但是传统的入侵检测集中于检测底层的入侵或异常,所检测到的结果也仅仅是一次完整入侵的一部分,所以不能将不同的报警结合起来以发现入侵的逻辑步骤或者入侵背后的攻击策略。关联分析技术将不同分析器上产生的报警进行融合与关联分析,极大地减少了报警的数量,降低了入侵检测的误报率,并且适当的减少了入侵检测的漏报率。文中在对网络安全事件关联分析方法的系统结构进行分析后,着重介绍了当前比较流行的几种网络安全事件关联分析方法,最后对各种方法进行了比较研究。     

人工免疫原理在网络入侵检测系统中的研究

文章分析了人工免疫系统的原理,简单建立了一种基于否定选择算法的网络入侵检测系统,引入了一种用于异常事件识别的r-字符块匹配规则,并对规则存在的漏洞进行了分析。     

Optimized deep learning-based intrusion detection for wireless sensor networks

The technological innovations and wide use of Wireless Sensor Network (WSN) applications need to handle diverse data. These huge data possess network security issues as intrusions that cannot be neglected or ignored. An effective strategy to counteract security issues in WSN can be achieved through the Intrusion Detection System (IDS). IDS ensures network integrity, availability, and confidentiality by detecting different attacks. Regardless of efforts by various researchers, the domain is still open to obtain an IDS with improved detection accuracy with minimum false alarms to detect intrusions. Machine learning models are deployed as IDS, but their potential solutions need to be improved in terms of detection accuracy. The neural network performance depends on feature selection, and hence, it is essential to bring an efficient feature selection model for better performance. An optimized deep learning model has been presented to detect different types of attacks in WSN. Instead of the conventional parameter selection procedure for Convolutional Neural Network (CNN) architecture, a nature-inspired whale optimization algorithm is included to optimize the CNN parameters such as kernel size, feature map count, padding, and pooling type. These optimized features greatly improved the intrusion detection accuracy compared to Deep Neural network (DNN), Random Forest (RF), and Decision Tree (DT) models.     

基于系统调用特征的入侵检测研究

对网络服务程序进行攻击是非法用户入侵系统的主要途径 ,针对关键程序的入侵检测近年来受到重视 .该文提出的CTBIDS检测模型在利用系统调用特征树描述程序行为特征的基础上 ,通过异常有限积累判别程序入侵 ,既能体现异常状况的长期积累 ,也能很好地反映入侵的异常局部性原理 .此外 ,该文通过统计分析方法确定入侵判别参数 ,使得入侵判别更加准确 .测试及试用结果表明CTBIDS能有效检测出针对关键程序的攻击     

An incremental intrusion detection system using a new semi‐supervised stream classification method

In recent years, the utilization of machine learning and data mining techniques for intrusion detection has received great attention by both security research communities and intrusion detection system (IDS) developers. In intrusion detection, the most important constraints are the imbalanced class distribution, the scarcity of the labeled data, and the massive amounts of network flows. Moreover, because of the dynamic nature of the network flows, applying static learned models degrades the detection performance significantly over time. In this article, we propose a new semi‐supervised stream classification method for intrusion detection, which is capable of incremental updating using limited labeled data. The proposed method, called the incremental semi‐supervised flow network‐based IDS (ISF‐NIDS), relies on an incremental mixed‐data clustering, a new supervised cluster adjustment method, and an instance‐based learning. The ISF‐NIDS operates in real time and learns new intrusions quickly using limited storage and processing power. The experimental results on the KDD99, Moore, and Sperotto benchmark datasets indicate the superiority of the proposed method compared with the existing state‐of‐the‐art incremental IDSs.     

Study of Intrusion Detection Systems

Modern network systems have much trouble in security vulnerabilities such as buffer overflow, bugs in Microsoft Internet, sensor network routing protocol too simple, security flaws of applications, and operating systems. Moreover, wireless devices such as smart phones, personal digital assistants （PDAs）, and sensors have become economically feasible because of technological advances in wireless communication and manufacturing of small and low-cost sensors. There are typologies of vulnerabilities to be exploited in these devices. In order to improve securities, many mechanisms are adopted, including authentication, cryptography, access control, and intrusion detection systems （IDS）. In general, intrusion detection techniques can be categorized into two groups： misuse detection and anomaly detection. The misuse detection systems use patterns of weB-known attacks or weak spots of the systems to identify intrusions. The weakness of misuse detection systems is unable to detect any future （unknown） intrusion until corresponding attack signatures are intruded into the signature database. Anomaly detection methods try to determine whether the deviation is from the established normal usage patterns or not. The critical success of anomaly detection relies on the model of normal behaviors.     

Android平台下的安全检测软件的设计与实现

本文为了阻止Android手机恶意软件病毒的危害,分析了入侵病毒的类型,提出了一个基于Android平台的安全检测软件的设计方案,并实现了该方案。该软件基于Android的体系机构,结合Android体系自身的特点,实现了查杀病毒、检测支付环境、监听电话短信、检测流量等功能,保障了用户的安全。经过真机和模拟机测试,该软件能够有效查杀病毒、检测到潜在的病毒危害并及时采取措施,达到了设计目的。     

入侵检测中基于SVM的两级特征选择方法

针对入侵检测中的特征优化选择问题,提出基于支持向量机的两级特征选择方法。该方法将基于检测率与误报率比值的特征评测值作为特征筛选的评价指标,先采用过滤模式中的Fisher分和信息增益分别过滤噪声和无关特征,降低特征维数;再基于筛选出来的交叉特征子集,采用封装模式中的序列后向搜索算法,结合支持向量机选取最优特征子集。仿真测试结果表明,采用该方法筛选出来的特征子集具有更好的分类性能,并有效降低了系统的建模时间和测试时间。     

面向融合网络的广电双向接入网入侵检测系统

针对广电接入网边界缺乏安全防护措施的现状,提出一种面向融合网络的广电接入网入侵检测系统,并实例化为SunGnet703,可检测并实时阻断进出接入网边界的各类网络攻击.系统具有“非配合”部署、高可靠性运行、“隐形”确保自身安全、全维数据分析4个特点,可为广电接入网边界提供一种简便易行的安全防护方法和实际系统.