基于信息论的入侵检测最佳响应方案

doi:10.11959/j.issn.1000-436x.2020111

Abstract

Abstract:

Intrusion detection system (IDS) often inevitably presents major security risks caused by FPs and FNs.However,at present,an effective solution has not been found.In order to solve this problem,an optimal response model of intrusion detection based on information theory was proposed.Firstly,the intruder and IDS in the process of intrusion detection were abstracted into random variables,and the attack and defense model of intruder and IDS was constructed according to the results of the confrontation.Secondly,the defense channel of IDS was designed according to the attack and defense model,then the correct detection of IDS was transformed into the problem of successful transmission of 1 bit information in defensive channel.Finally,the defensive capability of the system was measured by analyzing the channel capacity of the defensive channel,the maximum mutual information of the defensive channel was the defensive limit capability of the IDS,and the corresponding strategy distribution was the optimal response strategy of the defensive capability of the system.The experimental results show that the scheme can effectively reduce the loss caused by FPs and FNs.

Key words: intrusion detection system, average mutual information, channel capacity, detection rate, response scheme

CLC Number:

TP309

Youliang TIAN,Yulong WU,Qiuxian LI. Optimum response scheme of intrusion detection based on information theory[J]. Journal on Communications, 2020, 41(7): 121-130.

Figures/Tables 9

References 31

[1]	WU S X , BANZHAF W W . The use of computational intelligence in intrusion detection systems:a review[J]. Applied Soft Computing, 2010,10(1): 1-35.
[2]	ZHU J M , RAGHUNATHAN S . Evaluation model of information security technologies based on game theoretic[J]. Chinese Journal of Computers, 2009,32(4): 828-834.
[3]	RHEE H , RYU Y . Evaluation of intrusion detection systems under a resource constraint[J]. ACM Transaction on Information and System Security, 2008,11(4): 95-118.
[4]	CAVUSOGLU H , RAGHUNATHAN M S . The value of intrusion detection systems in information technology security architecture[J]. Information Systems Research, 2005,16(1): 28-46.
[5]	TIAN Y L , LI Q X , HU J ,et al. Secure limitation analysis of public-key cryptography for smart card settings[J]. World Wide Web, 2020(23): 1423-1440.
[6]	SUBBA B , BISWAS S , KARMAKAR S . False alarm reduction in signature-based IDS:game theory approach[J]. Security and Communication Networks, 2016,9(18): 4865-4881.
[7]	ANDERSON J P . Computer security threat monitoring and surveillance[Z].[S.n.:s.l.],(1980-04-15)[2020-03-24]. [S.n.:s.l.],
[8]	DENNING D E . An intrusion-detection model[J]. IEEE Transactions on Software Engineering, 1987,13(2): 222-232.
[9]	ATHANASIADES N , ABLER R , LEVINE J ,et al. Intrusion detection testing and benchmarking methodologies[J]. IEEE Proceedings First IEEE International Workshop on Information Assurance, 2003: 63-72.
[10]	JIANG J C , MA H T , REN D E ,et al. A survey of intrusion detection research on network security[J]. Journal of Software, 2000,11(11): 1460-1466.
[11]	PAXSON V . Bro:a system for detecting network intruders in realtime[J]. Computer Networks, 1999,31(23-24): 2435-2463.
[12]	GARCíA-TEODORO P , DíAZ-VERDEJO P , MACIá-FERNáNDEZ G .et al. Anomaly-based network intrusion detection:techniques,systems and challenges[J]. Computers ＆ Security, 2009,28(1-2): 18-28.
[13]	LIN W C , KE S W , TSAI C F . CANN:an intrusion detection system based on combining cluster centers and nearest neighbors[J]. Knowledge-Based Systems, 2015,78: 13-21.
[14]	CHEN P , DESMET L , HUYGENS C . A study on advanced persistent threats[C]// 15th International Conference on Communications and Multimedia Security. New York:ACM Press, 2014: 63-72.
[15]	FRIEDBERG I , SKOPIK F , SETTANNI G ,et al. Combating advanced persistent threats[J]. Computers ＆ Security, 2015,48(C): 35-57.
[16]	ZHANG Y , PAN X M , QING Z L ,et al. APT attacks and defenses[J]. Journal of Tsinghua University (Science and Technology), 2017(11): 10-16.
[17]	RUBIO J E , ALCARAZ C , ROMAN R ,et al. Current cyber-defense trends in industrial control systems[J]. Computers ＆ Security, 2019:87.
[18]	LUH R , JANICKE H , SCHRITTWIESER S . AIDIS:detecting and classifying anomalous behavior in ubiquitous kernel processes[J]. Computers ＆ Security, 2019(84): 120-147.
[19]	MOON D , IM H , KIM I ,et al. DTB-IDS:an intrusion detection system based on decision tree using behavior analysis for preventing APT attacks[J]. The Journal of Supercomputing, 2015(73): 1-15.
[20]	VRIES J D , HOOGSTRAATEN H , BERG J V D ,et al. Systems for detecting advanced persistent threats:a development roadmap using intelligent data analysis[C]// International Conference on Cyber Security. Piscataway:IEEE Press, 2013.
[21]	PIETRASZEK T , . Using adaptive alert classification to reduce false positives in intrusion detection[C]// International Workshop on Recent Advances in Intrusion Detection—RAID 2004. Berlin:Springer, 2004: 102-124.
[22]	HACHMI F , BOUJENFA K , LIMAM M . Enhancing the accuracy of intrusion detection systems by reducing the rates of false positives and false negatives through multi-objective optimization[J]. Journal of Network ＆ Systems Management, 2019,27(1): 93-120.
[23]	ZONOUZ S A , KHURANA H , SANDERS W H ,et al. RRE:a game-theoretic intrusion Response and Recovery Engine[J]. IEEE Transactions on Parallel and Distributed systems, 2013,25(2): 395-406.
[24]	CUPPENS N , CUPPENS F , VERAGRA J ,et al. An ontology-based approach to react to network attacks[J]. International Journal of Information ＆ Computer Security, 2008,3(3/4): 280-305.
[25]	吴姚睿, 刘淑芬 . 基于攻击群模型的协同入侵的响应方法[J]. 电子学报, 2009,37(11): 2416-2419.
	WU Y R , LIU S F . A response method for cooperative intrusions based on the attack group model[J]. Acta Electronica Sinica, 2009,37(11): 2416-2419.
[26]	TIAN Y L , GUO J , WU Y L ,et al. Towards attack and defense views of rational delegation of computation[J]. IEEE Access, 2019,PP(99):1.
[27]	杨义先, 钮心忻 . 安全通讯[M]. 北京: 电子工业出版社, 2018.
	YANG Y X , NIU X X . The general theory of information security[M]. Beijing: Publishing House of Electronics IndustryPress, 2018.
[28]	LIN W C , KE S W , TSAI C F . CANN:an intrusion detection system based on combining cluster centers and nearest neighbors[J]. Knowledge-Based Systems, 2015(78): 13-21.
[29]	MOUSTAFA N , SLAY J . UNSW-NB15:a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set)[C]// 2015 Military Communications and Information Systems Conference. Piscataway:IEEE Press, 2015: 1-6.
[30]	MOUSTAFA N , SLAY J . The evaluation of network anomaly detection systems:statistical analysis of the UNSW-NB15 data set and the comparison with the KDD99 data set[J]. Information Security Journal A Global Perspective, 2016,25(1-3): 1-14.
[31]	彭凌西, 谢冬青, 付颖芳 ,等. 基于危险理论的自动入侵响应系统模型[J]. 通信学报, 2012,33(1): 136-144.
	PENG L X , XIE D Q , FU Y F ,et al. Automated intrusion response system model based on danger theory[J]. Journal on Communications, 2012,33(1): 136-144.

Metrics

Recommended 0

No Suggested Reading articles found!

事件描述	执行检查	事件概率	X	Y	防守期望开销
攻击者入侵，IDS报警	是	P ₁ρ₁	0	1	P ₁ρ₁c+(1-?)dP₁ρ₁
	否	P ₁(1-ρ₁)	1	0	P ₁(1-ρ)d1
攻击者入侵，IDS未报警	是	P ₂ρ₂	0	1	P ₂ρ₂c+(1-?)dP₂ρ₂
	否	P ₂(1-ρ₂)	1	0	P ₂(1-ρ)d2
攻击者未入侵，IDS报警	是	P ₃ρ₁	0	0	P ₃ρ₁c
	否	P ₃(1-ρ₁)	0	1	0
攻击者未入侵，IDS未报警	是	P ₄ρ₂	0	0	P ₄ρ₂c
	否	P ₄(1-ρ₂)	0	1	0

类别	统计数/条
正常事件	37 000
Fuzzers攻击	677
分析攻击	583
拒绝服务攻击	11 132
Exploits漏洞攻击	6 062
泛型攻击	18 871
侦察攻击	3 496
Shellcode攻击	378
蠕虫攻击	44
合计	82 332

参数描述	参数值
IDS的正确检测率P_C	51.5%
IDS的漏检率1-P_C	48.5%
IDS的误警报率P_F	30.7%
系统遭受攻击的平均概率φ	55.1%
管理员对一次事件进行响应的开销c	20
防守方未对一次攻击执行响应的损失d	50
响应攻击所减少损失的比例?	80%

方案	响应准确率	系统开销/bit
本文方案	61.2%	2 170 691
文献[3]方案	47.6%	2 402 100
文献[4]方案	55.3%	1 981 301
完全信任IDS方案	41.5%	2 031 310

Optimum response scheme of intrusion detection based on information theory

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 9

References 31

Related Articles 15

Metrics

Recommended 0

[1]	Shenghai CHEN, Xiaoqin YAN, Sai LI, Liang YANG. Performance analysis of dual-hop PLC-FSO communication system [J]. Journal on Communications, 2021, 42(10): 243-250.
[2]	Wei SUN,Peng ZHANG,Yongquan HE,Lichao XING. Attack detection method based on spatiotemporal event correlation in intranet environment [J]. Journal on Communications, 2020, 41(1): 33-41.
[3]	Peng SONG,Caixia SU,Taifei ZHAO,Jinni CHEN,Lei ZHU,Xiaodan ZHANG. Channel capacity analysis of non-line-of-sight ultraviolet communication in noncoplanar geometry based on traversing tiny unit method [J]. Journal on Communications, 2019, 40(5): 144-152.
[4]	Xinwei YAO,Mengna ZHANG,Chaochao WANG,Wanliang WANG. Modeling and analysis of multiple access channel capacity based on hybrid energy storage and energy harvesting [J]. Journal on Communications, 2018, 39(8): 150-159.
[5]	Xin-yu LIU,Jian WENG,Yue ZHANG,Bing-wen FENG,Jia-si WENG. Android malware detection based on APK signature information feedback [J]. Journal on Communications, 2017, 38(5): 190-198.
[6]	Chi ZHANG,Bi-qing ZENG,Jin-song YANG,Xiao-hong XIE. Requirements-oriented spectrum sharing for OFDMA cognitive radio networks [J]. Journal on Communications, 2015, 36(8): 192-206.
[7]	Bing LI,Fan WEI,Bao-ming BAI,Xiao MA. Fundamental performance limits of CPM coded modulation system [J]. Journal on Communications, 2014, 35(3): 183-192.
[8]	. Fundamental performance limits of CPM coded modulation system [J]. Journal on Communications, 2014, 35(3): 21-192.
[9]	. Analysis of MIMO antenna array based on electromagnetic vector sensor [J]. Journal on Communications, 2013, 34(5): 1-11.
[10]	Wan-tuan LUO,Xu-ming FANG,Meng CHENG,Xiang-juan ZHOU. Transmission scheme and capacity analysis of onboard multi-antenna system in high-speed train [J]. Journal on Communications, 2013, 34(3): 90-98.
[11]	Xiao-bo XU,Qin-qin JIANG,Kang-feng ZHENG,Bin WU,Yi-xian YANG. IDS alert clustering algorithm based on chaotic particle swarm optimization [J]. Journal on Communications, 2013, 34(3): 105-110.
[12]	Jie ZHOU,Jing-feng CHEN,Lin QIU,Kikuchi HISAKAZU. Effect of mutual coupling and antenna correlation on MIMO system in three-dimensional spatial channel models [J]. Journal on Communications, 2012, 33(6): 1-10.
[13]	Yue-bing CHEN,Chao FENG,Quan ZHANG,Chao-jing TANG. Integrated artificial immune system for intrusion detection [J]. Journal on Communications, 2012, 33(2): 125-131.
[14]	Wei-dang LU,Xuan-li WU,Xue-jun SHA,Nai-tong ZHANG. Resource allocation in OFDM fixed relay system with one relay multi-source [J]. Journal on Communications, 2011, 32(9): 26-32.
[15]	Yue-heng LI,Jing ZHAO,Mei-yan JU,Xing-hui YIN. New method to improve the channel capacity and capacit ability of 4-element MIMO systems with close antenna spacing [J]. Journal on Communications, 2011, 32(6): 86-92.