• Title/Summary/Keyword: real time intrusion detection system

Search Result 87, Processing Time 0.027 seconds

Design and Implementation of Real-Time and High Speed Detection Engine for Network Intrusion Detection System (실시간 고속 네트워크 침입 탐지 엔진 설계 및 구현)

  • 조혜영;김주홍;장종수;김대영
    • Proceedings of the Korean Information Science Society Conference
    • /
    • 2003.04d
    • /
    • pp.307-309
    • /
    • 2003
  • 초고속 인터넷 망이 빠른 속도로 구축이 되고, 네트워크에 대한 해커나 침입자들의 수가 급속히 증가함에 따라, 실시간 고속 패킷 처리가 가능한 네트워크 침입 탐지 시스템이 요구되고 있다. 이러한 실시간 고속 네트워크 침입 탐지 시스템의 핵심 기술로써 수신된 패킷에서 침입 정보를 고속으로 탐지해내는 침입 탐지 엔진 기술은 필수적이다. 본 논문에서는 인텔의 IXP1200 네트워크 프로세서를 기반으로 하는 하드웨어 구조상에서 고성능 네트워크 침입 탐지 시스템을 위한 실시간 고속 탐지 엔진 구조와 프로그래밍 방법을 제안하였다.

  • PDF

Adaptive Intrusion Detection System Based on SVM and Clustering (SVM과 클러스터링 기반 적응형 침입탐지 시스템)

  • Lee, Han-Sung;Im, Young-Hee;Park, Joo-Young;Park, Dai-Hee
    • Journal of the Korean Institute of Intelligent Systems
    • /
    • v.13 no.2
    • /
    • pp.237-242
    • /
    • 2003
  • In this paper, we propose a new adaptive intrusion detection algorithm based on clustering: Kernel-ART, which is composed of the on-line clustering algorithm, ART (adaptive resonance theory), combining with mercer-kernel and concept vector. Kernel-ART is not only satisfying all desirable characteristics in the context of clustering-based IDS but also alleviating drawbacks associated with the supervised learning IDS. It is able to detect various types of intrusions in real-time by means of generating clusters incrementally.

An Intrusion Detection Method by Tracing Root Privileged Processes (Root 권한 프로세스 추적을 통한 침입 탐지 기법)

  • Park, Jang-Su;Ahn, Byoung-Chul
    • The KIPS Transactions:PartC
    • /
    • v.15C no.4
    • /
    • pp.239-244
    • /
    • 2008
  • It is not enough to reduce damages of computer systems by just patching vulnerability codes after incidents occur. It is necessary to detect and block intrusions by boosting the durability of systems even if there are vulnerable codes in systems. This paper proposes a robust real-time intrusion detection method by monitoring root privileged processes instead of system administrators in Linux systems. This method saves IP addresses of users in the process table and monitors IP addresses of every root privileged process. The proposed method is verified to protect vulnerable programs against the buffer overflow by using KON program. A configuration protocol is proposed to manage systems remotely and host IP addresses are protected from intrusions safely through this protocol.

An Integrated Model based on Genetic Algorithms for Implementing Cost-Effective Intelligent Intrusion Detection Systems (비용효율적 지능형 침입탐지시스템 구현을 위한 유전자 알고리즘 기반 통합 모형)

  • Lee, Hyeon-Uk;Kim, Ji-Hun;Ahn, Hyun-Chul
    • Journal of Intelligence and Information Systems
    • /
    • v.18 no.1
    • /
    • pp.125-141
    • /
    • 2012
  • These days, the malicious attacks and hacks on the networked systems are dramatically increasing, and the patterns of them are changing rapidly. Consequently, it becomes more important to appropriately handle these malicious attacks and hacks, and there exist sufficient interests and demand in effective network security systems just like intrusion detection systems. Intrusion detection systems are the network security systems for detecting, identifying and responding to unauthorized or abnormal activities appropriately. Conventional intrusion detection systems have generally been designed using the experts' implicit knowledge on the network intrusions or the hackers' abnormal behaviors. However, they cannot handle new or unknown patterns of the network attacks, although they perform very well under the normal situation. As a result, recent studies on intrusion detection systems use artificial intelligence techniques, which can proactively respond to the unknown threats. For a long time, researchers have adopted and tested various kinds of artificial intelligence techniques such as artificial neural networks, decision trees, and support vector machines to detect intrusions on the network. However, most of them have just applied these techniques singularly, even though combining the techniques may lead to better detection. With this reason, we propose a new integrated model for intrusion detection. Our model is designed to combine prediction results of four different binary classification models-logistic regression (LOGIT), decision trees (DT), artificial neural networks (ANN), and support vector machines (SVM), which may be complementary to each other. As a tool for finding optimal combining weights, genetic algorithms (GA) are used. Our proposed model is designed to be built in two steps. At the first step, the optimal integration model whose prediction error (i.e. erroneous classification rate) is the least is generated. After that, in the second step, it explores the optimal classification threshold for determining intrusions, which minimizes the total misclassification cost. To calculate the total misclassification cost of intrusion detection system, we need to understand its asymmetric error cost scheme. Generally, there are two common forms of errors in intrusion detection. The first error type is the False-Positive Error (FPE). In the case of FPE, the wrong judgment on it may result in the unnecessary fixation. The second error type is the False-Negative Error (FNE) that mainly misjudges the malware of the program as normal. Compared to FPE, FNE is more fatal. Thus, total misclassification cost is more affected by FNE rather than FPE. To validate the practical applicability of our model, we applied it to the real-world dataset for network intrusion detection. The experimental dataset was collected from the IDS sensor of an official institution in Korea from January to June 2010. We collected 15,000 log data in total, and selected 10,000 samples from them by using random sampling method. Also, we compared the results from our model with the results from single techniques to confirm the superiority of the proposed model. LOGIT and DT was experimented using PASW Statistics v18.0, and ANN was experimented using Neuroshell R4.0. For SVM, LIBSVM v2.90-a freeware for training SVM classifier-was used. Empirical results showed that our proposed model based on GA outperformed all the other comparative models in detecting network intrusions from the accuracy perspective. They also showed that the proposed model outperformed all the other comparative models in the total misclassification cost perspective. Consequently, it is expected that our study may contribute to build cost-effective intelligent intrusion detection systems.

Anomaly Detection Performance Analysis of Neural Networks using Soundex Algorithm and N-gram Techniques based on System Calls (시스템 호출 기반의 사운덱스 알고리즘을 이용한 신경망과 N-gram 기법에 대한 이상 탐지 성능 분석)

  • Park, Bong-Goo
    • Journal of Internet Computing and Services
    • /
    • v.6 no.5
    • /
    • pp.45-56
    • /
    • 2005
  • The weak foundation of the computing environment caused information leakage and hacking to be uncontrollable, Therefore, dynamic control of security threats and real-time reaction to identical or similar types of accidents after intrusion are considered to be important, h one of the solutions to solve the problem, studies on intrusion detection systems are actively being conducted. To improve the anomaly IDS using system calls, this study focuses on neural networks learning using the soundex algorithm which is designed to change feature selection and variable length data into a fixed length learning pattern, That Is, by changing variable length sequential system call data into a fixed iength behavior pattern using the soundex algorithm, this study conducted neural networks learning by using a backpropagation algorithm. The backpropagation neural networks technique is applied for anomaly detection of system calls using Sendmail Data of UNM to demonstrate its performance.

  • PDF

Implementation of Real-time Sensor Monitoring System on Zigbee Module (Zigbee 모듈을 이용한 실시간 센서 모니터링 시스템 구현)

  • Kim, Gwang-Hyun
    • The Journal of the Korea institute of electronic communication sciences
    • /
    • v.6 no.2
    • /
    • pp.312-318
    • /
    • 2011
  • USN technology will be applied to various fields such as logistics, transportation, government, health, welfare and environment and will be settled down by basic infrastructure of a future society. In this study, we analyzed sensor networks structure based on IEEE 802.15.4 and implemented the sensor monitoring system using Zigbee modules. For implementation of real-time sensor monitoring system, we designed Linux-based development environment and the sensor-specific component. The result of this paper may be utilized in such areas lighting system, intrusion detection, fire detection, detection and notification of abnormal conditions.

Real-Time Intrusion Detection System based on Network Packets (네트워크 패킷을 기반으로 한 실시간 침입 탐지 시스템)

  • 이경하;은유진;김기현;임채호;정태명
    • Proceedings of the Korea Institutes of Information Security and Cryptology Conference
    • /
    • 1997.11a
    • /
    • pp.429-438
    • /
    • 1997
  • 인터넷의 역기능 현상으로부터 시스템을 보호하고 소유한 정보를 지키려는 노력은 다양한 보안 시스템의 개발로 이어졌다. 보안 시스템은 시스템을 기반으로 한 것과 네트워크를 기반으로 한 것으로 나눌 수 있는데, 본 논문에서는 네트워크 기반의 보안 시스템을 설계하였고, 설계된 시스템으로부터 가능한 침입탐지 기술들을 언급하고 있다.

  • PDF

The development of intrusion sensor using the variations of speckle patterns (스페클 패턴을 이용한 침입자 센서의 개발)

  • 엄년식;김요희;양승국;오상기;박재희;강신원
    • Proceedings of the IEEK Conference
    • /
    • 2000.06b
    • /
    • pp.119-122
    • /
    • 2000
  • The speckle pattern is formed by laser light from a multimode optical fiber. The speckle fluctuation is the result of interference among propagation modes when the optical fiber is subjected to a mechanical distortion at any point along its length. The experiments were carried on for the study of the feasibility of producing an intrusion detection system using the speckle fluctuation. The speckle fluctuation signals were monitored at real time by an oscilloscope which was connected with an amplifier and a filter. The experiment results showed that the intrusion sensor had enough sensitivity to detect an intruder.

  • PDF

Flow-based Anomaly Detection Using Access Behavior Profiling and Time-sequenced Relation Mining

  • Liu, Weixin;Zheng, Kangfeng;Wu, Bin;Wu, Chunhua;Niu, Xinxin
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.10 no.6
    • /
    • pp.2781-2800
    • /
    • 2016
  • Emerging attacks aim to access proprietary assets and steal data for business or political motives, such as Operation Aurora and Operation Shady RAT. Skilled Intruders would likely remove their traces on targeted hosts, but their network movements, which are continuously recorded by network devices, cannot be easily eliminated by themselves. However, without complete knowledge about both inbound/outbound and internal traffic, it is difficult for security team to unveil hidden traces of intruders. In this paper, we propose an autonomous anomaly detection system based on behavior profiling and relation mining. The single-hop access profiling model employ a novel linear grouping algorithm PSOLGA to create behavior profiles for each individual server application discovered automatically in historical flow analysis. Besides that, the double-hop access relation model utilizes in-memory graph to mine time-sequenced access relations between different server applications. Using the behavior profiles and relation rules, this approach is able to detect possible anomalies and violations in real-time detection. Finally, the experimental results demonstrate that the designed models are promising in terms of accuracy and computational efficiency.

An Intrusion Prevention Model Using Fuzzy Cognitive Maps on Denial of Service Attack (서비스 거부 공격에서의 퍼지인식도를 이용한 침입 방지 모델)

  • 이세열;김용수;심귀보;양재원
    • Proceedings of the Korean Institute of Intelligent Systems Conference
    • /
    • 2002.12a
    • /
    • pp.258-261
    • /
    • 2002
  • 최근 네트워크 취약점 검색 방법을 이용한 침입 공격이 증가하는 추세이며 이런 공격에 대하여 적절하게 실시간 탐지 및 대응 처리하는 침입방지시스템(IPS: Intrusion Prevention System)에 대한 연구가 지속적으로 이루어지고 있다. 본 논문에서는 시스템에 허락을 얻지 않은 서비스거부 공격(Denial of Service Attack) 기술 중 TCP의 신뢰성 및 연결 지향적 전송서비스로 종단간에 이루어지는 3-Way Handshake를 이용한 Syn Flooding Attack에 대하여 침입시도패킷 정보를 수집, 분석하고 퍼지인식도(FCM : Fuzzy Cognitive Maps)를 이용한 침입시도여부결정 및 대응 처리하는 네트워크 기반의 실시간 탐지 및 방지 모델(Network based Real Time Scan Detection & Prevention Model)을 제안한다.