Weizhi Meng
Technical University of Denmark
Publication
Featured research published by Weizhi Meng.
Computers & Security | 2014
Weizhi Meng; Wenjuan Li; Lam For Kwok
Signature-based network intrusion detection systems (NIDSs) have been widely deployed in current network security infrastructure. However, these detection systems suffer from some limitations such as network packet overload, expensive signature matching and massive false alarms in a large-scale network environment. In this paper, we aim to develop an enhanced filter mechanism (named EFM) to comprehensively mitigate these issues, which consists of three major components: a context-aware blacklist-based packet filter, an exclusive signature matching component and a KNN-based false alarm filter. The experiments, which were conducted with two data sets and in a network environment, demonstrate that our proposed EFM can overall enhance the performance of a signature-based NIDS such as Snort in the aspects of packet filtration, signature matching improvement and false alarm reduction without affecting network security.
IEEE Access | 2018
Weizhi Meng; Elmar Tischhauser; Qingju Wang; Yu Wang; Jinguang Han
With the purpose of identifying cyber threats and possible incidents, intrusion detection systems (IDSs) are widely deployed in various computer networks. In order to enhance the detection capability of a single IDS, collaborative intrusion detection networks (or collaborative IDSs) have been developed, which allow IDS nodes to exchange data with each other. However, data and trust management still remain two challenges for current detection architectures, which may degrade the effectiveness of such detection systems. In recent years, blockchain technology has shown its adaptability in many fields, such as supply chain management, international payment, interbanking, and so on. As blockchain can protect the integrity of data storage and ensure process transparency, it has a potential to be applied to intrusion detection domain. Motivated by this, this paper provides a review regarding the intersection of IDSs and blockchains. In particular, we introduce the background of intrusion detection and blockchain, discuss the applicability of blockchain to intrusion detection, and identify open challenges in this direction.
Journal of Network and Computer Applications | 2016
Wenjuan Li; Weizhi Meng; Lam For Kwok
Software-Defined Networking (SDN) has been proposed as an emerging network architecture, which consists of decoupling the control planes and data planes of a network. Due to its openness and standardization, SDN enables researchers to design and implement new innovative network functions and protocols in a much easier and flexible way. In particular, OpenFlow is currently the most deployed SDN concept, which provides communication between the controller and the switches. However, the dynamism of programmable networks also brings potential new security challenges relating to various attacks such as scanning, spoofing attacks, denial-of-service (DoS) attacks and so on. In this survey, we aim to give particular attention to OpenFlow-based SDN and present an up-to-date view to existing security challenges and countermeasures in the literature. This effort attempts to stimulate more research attention to these issues in future OpenFlow and SDN development.
Journal of Network and Computer Applications | 2017
Weizhi Meng; Wenjuan Li; Yang Xiang; Kim-Kwang Raymond Choo
With the increasing digitization of the healthcare industry, a wide range of devices (including traditionally non-networked medical devices) are Internet- and inter-connected. Mobile devices (e.g. smartphones) are one common device used in the healthcare industry to improve the quality of service and experience for both patients and healthcare workers, and the underlying network architecture to support such devices is also referred to as medical smartphone networks (MSNs). MSNs, similar to other networks, are subject to a wide range of attacks (e.g. leakage of sensitive patient information by a malicious insider). In this work, we focus on MSNs and present a compact but efficient trust-based approach using Bayesian inference to identify malicious nodes in such an environment. We then demonstrate the effectiveness of our approach in detecting malicious nodes by evaluating the deployment of our proposed approach in a real-world environment with two healthcare organizations.
Security and Communication Networks | 2015
Weizhi Meng; Wenjuan Li; Lam For Kwok
Network intrusion detection systems (NIDSs) have been widely deployed in various network environments to defend against different kinds of network attacks. However, a large number of alarms especially unwanted alarms such as false alarms and non-critical alarms could be generated during the detection, which can greatly decrease the efficiency of the detection and increase the burden of analysis. To address this issue, we advocate that constructing an alarm filter in terms of expert knowledge is a promising solution. In this paper, we develop a method of knowledge-based alert verification and design an intelligent alarm filter based on a multi-class k-nearest-neighbor classifier to filter out unwanted alarms. In particular, the alarm filter employs a rating mechanism by means of expert knowledge to classify incoming alarms to proper clusters for labeling. We further analyze the effect of different classifier settings on classification accuracy with two alarm datasets. In the evaluation, we investigate the performance of the alarm filter with a real dataset and in a network environment, respectively. Experimental results indicate that our alarm filter can effectively filter out a number of NIDS alarms and can achieve a better outcome under the advanced mode.
Journal of Network and Computer Applications | 2017
Wenjuan Li; Weizhi Meng; Lam For Kwok; Horace Ho-Shing Ip
To defend against complex attacks, collaborative intrusion detection networks (CIDNs) have been developed to enhance the detection accuracy, which enable an IDS to collect information and learn experience from others. However, this kind of networks is vulnerable to malicious nodes which are utilized by insider attacks (e.g., betrayal attacks). In our previous research, we developed a notion of intrusion sensitivity and identified that it can help improve the detection of insider attacks, whereas it is still a challenge for these nodes to automatically assign the values. In this article, we therefore aim to design an intrusion sensitivity-based trust management model that allows each IDS to evaluate the trustworthiness of others by considering their detection sensitivities, and further develop a supervised approach, which employs machine learning techniques to automatically assign the values of intrusion sensitivity based on expert knowledge. In the evaluation, we compare the performance of three different supervised classifiers in assigning sensitivity values and investigate our trust model under different attack scenarios and in a real wireless sensor network. Experimental results indicate that our trust model can enhance the detection accuracy of malicious nodes and achieve better performance as compared with similar models. Highlights: We proposed a supervised learning approach to help automatically allocate the values of intrusion sensitivity. We compared the performance of three supervised classifiers in allocating sensitivity values. We evaluated our approach under both simulated and real environments.
International Conference on Trust Management | 2014
Wenjuan Li; Weizhi Meng; Lam For Kwok
Network intrusions are becoming more and more sophisticated to detect. To mitigate this issue, intrusion detection systems (IDSs) have been widely deployed in identifying a variety of attacks and collaborative intrusion detection networks (CIDNs) have been proposed which enable an IDS to collect information and learn experience from other IDSs with the purpose of improving detection accuracy. A CIDN is expected to have more power in detecting attacks such as denial-of-service (DoS) than a single IDS. In real deployment, we notice that each IDS has different levels of sensitivity in detecting different types of intrusions (i.e., based on their own signatures and settings). In this paper, we propose a machine learning-based approach to assign intrusion sensitivity based on expert knowledge and design a trust management model that allows each IDS to evaluate the trustworthiness of others by considering their detection sensitivities. In the evaluation, we explore the performance of our proposed approach under different attack scenarios. The experimental results indicate that by considering the intrusion sensitivity, our trust model can enhance the detection accuracy of malicious nodes as compared to existing similar models.
Information Management & Computer Security | 2014
Weizhi Meng; Duncan S. Wong; Lam For Kwok
Purpose – This paper aims to design a compact scheme of behavioural biometric-based user authentication, develop an adaptive mechanism that selects an appropriate classifier in an adaptive way and conduct a study to explore the effect of this mechanism. Design/methodology/approach – As a study, the proposed adaptive mechanism was implemented using a cost-based metric, which enables mobile phones to adopt a less costly classifier in an adaptive way to build the user normal-behaviour model and detect behavioural anomalies. Findings – The user study with 50 participants indicates that our proposed mechanism can positively affect the authentication performance by maintaining the authentication accuracy at a relatively high and stable level. Research limitations/implications – The authentication accuracy can be further improved by incorporating other appropriate classifiers (e.g. neural networks) and considering other touch-gesture-related features (e.g. the speed of a touch). Practical implications – This wor...
Applied Cryptography and Network Security | 2016
Weizhi Meng; Wenjuan Li; Duncan S. Wong; Jianying Zhou
Secure user authentication is a big challenge for smartphone security. To overcome the drawbacks of knowledge-based method, various graphical passwords have been proposed to enhance user authentication on smartphones. Android unlock patterns are one of the Android OS features aiming to authenticate users based on graphical patterns. However, recent studies have shown that attackers can easily compromise this unlock mechanism (i.e., by means of smudge attacks). We advocate that some additional mechanisms should be added to improve the security of unlock patterns. In this paper, we first show that users would perform a touch movement differently when interacting with the touchscreen and that users would perform somewhat stably for the same pattern after several trials. We then develop a touch movement-based security mechanism, called TMGuard, to enhance the authentication security of Android unlock patterns by verifying users’ touch movement during pattern input. In the evaluation, our user study with 75 participants demonstrates that TMGuard can positively improve the security of Android unlock patterns without compromising its usability.
Information and Computer Security | 2016
Wenjuan Li; Weizhi Meng
Purpose – This paper aims to propose and evaluate an intrusion sensitivity (IS)-based approach regarding the detection of pollution attacks in collaborative intrusion detection networks (CIDNs) based on the observation that each intrusion detection system may have different levels of sensitivity in detecting specific types of intrusions. Design/methodology/approach – In this work, the authors first introduce their adopted CIDN framework and a newly designed aggregation component, which aims to collect feedback, aggregate alarms and identify important alarms. The authors then describe the details of trust computation and alarm aggregation. Findings – The evaluation on the simulated pollution attacks indicates that the proposed approach is more effective in detecting malicious nodes and reducing the negative impact on alarm aggregation as compared to similar approaches. Research limitations/implications – More efforts can be made in improving the mapping of the satisfaction level, enhancing the allocation, evaluation and update of IS and evaluating the trust models in a large-scale network. Practical implications – This work investigates the effect of the proposed IS-based approach in defending against pollution attacks. The results would be of interest for security specialists in deciding whether to implement such a mechanism for enhancing CIDNs. Originality/value – The experimental results demonstrate that the proposed approach is more effective in decreasing the trust values of malicious nodes and reducing the impact of pollution attacks on the accuracy of alarm aggregation as compared to similar approaches.