Download - Academy Publisher

More documents

Recommendations

Info

higher probability and converge at a high speed. At the same time, the algorithm considered the affinity of immune response in order to overcome the phenomenon of precocity. In the paper, it introduced the improved FCM algorithm into the anomaly intrusion detection V. THE IMPROVED INTRUSION DETECTION ALGOITHM BASED ON FCM How to improve the detection efficiency of IDS is the emphasis for people to research constantly. We cluster the data which is not only the numerical data but also is character data. For example, the KDD Cup 1999 network datasets, each connection instance contains 41 properties. In 41 properties, there are 3 flag properties and 38 numerical properties, at present, most of the studies were directed at the numerical properties of the sample data. If we research the hybrid attributes of the sample data, the distance can only used into the numerical data, so we used a new method to solve the problem[7], we may defined the distance between x , x and k as fallow: ( x x ) ⎧ x ≠ = ik x d jk ik , jk ⎨ 1 ⎩0 , ⑹ , xik = x jk We supposed the object data has p numerical attributes and q categorical attributes, and the distance between the objects can be defined as fallow: ' ' ( x , x ) d ( x , x ) + d ( x x ) i j n i i d = , ⑺ ' ' In (7), d n ( xi , x j ), i ≠ j numerical attributes, and ( x x ) c j j c i is the distance of the d , is the distance of the character attributes. We can get the objective function of the hybrid attributes datasets; it can change from (2), that is: N ⎧ k p m ' ' 2 J m ( U, C) = ∑∑ ⎨ uij ∑( xik − x jk ) + i= 1 ⎩ j= 1 l= 1 i k p+ q ⎫ m λ ∑uij ∑d c ( xik , x jk ) ⎬ ⑻ j= 1 l= p+ 1 ⎭ In (8), weight λ is to balance the properties of hybrid attributes datasets, and the value λ is determined by the proportion of two kinds properties; m > 1 is the fuzzy coefficient, it uses to control the blur length of U . Supposed: As n Ci and C C n Ci and c i n i c i = k p m ' ∑uij ∑( xik − x jl ) j= 1 l= 1 k p+ q m ∑uij ∑ c j= 1 l= p+ 1 j ' 2 ⑼ ( x , x ) = λ d ⑽ ik c Ci are nonnegative, we can minimize J m U, C minimization, at C to make the ( ) jk j the same time, we use the Lagrange multiplier method: u ij ( x , x ) −1 2 ⎧ ⎫ k d m ⎪ ⎡ i j ⎤ −1 ⎪ = ⎨∑ ⎢ ⎥ ⎬ , ∀i ⎪ l= 1 ⎣ d( xi , xl ) ⎦ ⎪ ⎩ ⎭ We can iterate the process with (9), (10) and (11), as m > 1, the algorithm is convergent. The improved intrusion detection algorithm based on FCM, which summarized as fallows [3]: Step1: initialize the membership matrix U with random number between 0 and 1, and satisfy (1). Step2: for the different attributes of data, respectively n use (9) and (10) to calculate the cluster centers, C i , C , i = 1, Lk. c i Step3: use (11) to calculate the new membership matrix U. Step4: calculate the value function according to (8). If it is smaller than a determined threshold or is smaller than the change with the last value function, then it will stop and output the clustering results. Otherwise, return to Step2 to continue iterating. We not only consider the numeric data, also considering the character data, when we use the method to research the sample data. It more comprehensively analyzed the data to the clustering, not only helps to reduce the rate of the false alarm and the rate of the failing alarm, at the same time, combine the method with the optimized algorithm of FCM; it can further enhance the detection efficiency. ACKNOWLEDGMENT This work is supported by Economic Commence Market Application Technology Foundation Grant by 2007gdecof004. REFERENCES [1] Theodolidis S. Pattern Recongnition[M]. Second Edition, USA: Elsevier Science, 2003. [2] Gao XB. Fuzzy Cluster Analysis and its Application[M]. XI’AN: Xidian University Press, 2004, 49–61. [3] Yang DG. Research of The Network Intrusion Detection Based on Fuzzy Clustering[J]. Computer Science, 2005, 32(1): 86–91. [4] Song QK, Hao M. Improved Fuzzy C-means Clustering Algorithm[J]. Journal Harbin University Science and Technology. 2007, 12(4):8–10. [5] Xiao LZ, Shao ZQ, Ma HH, Wang XY, Liu G. An Algorithm for Automatic Clustering Number Determination in Network Intrusion Detection[J]. Journal of Software, 2008, 19(8):2140–2148. [6] Xian JQ, Lang FH. Anomaly Detection Method Based on CSA-Based Unsupervised Fuzzy Clustering Algorithm[J]. Journal of Beijing University of Posts and Telecommunications, 2005, 28(4):103–106. [7] Li J, Gao XB, Jiao LC. A GA-Based Clustering Algorithm for Large Data Sets with Mixed Numerical and Categorical Values[J]. Journal of Electronics & Information Technology, 2004, 26(8):1203–1209. ⑾ 92
ISBN 978-952-5726-09-1 (Print) Proceedings of the Second International Symposium on Networking and Network Security (ISNNS ’10) Jinggangshan, P. R. China, 2-4, April. 2010, pp. 093-096 An Alarm Flow Decomposition Method for Security Threat Evaluation Jie Ma, and Zhitang Li Computer Science Department, Huazhong University of Science and Technology, Hubei Wuhan, China mjhust@163.com Abstract—How to analyze security alarms automatically and find useful information form them has attract a lot of interests. Although many alarm correlation approaches and risk assessment methods have been proposed, most of them were implemented with high computational complexity and time consuming, and they can not deal well with huge number of security alarms. This work focus on performing an real-time security threat evaluation. We aggregate individual alarms to alarm flows, and then process the flows instead of individual alarms. Using the Singular Spectrum Analysis (SSA) approach, we found that the alarm flow has a small intrinsic dimension, and the alarm flow can be decomposed into leading components and residual components. Leading components represent the basic part and residual components represent the noise part of the flow. To capture the main features of the leading components forming the alarm flow, we accomplish the security threat evaluation. Case based experiments real network data shows the effectiveness of the method. To the best of our knowledge, this is the first study that applies SSA on the analysis of IDS alarm flows. Index Terms—alarm flow, threat evaluation, SSA I. INTRODUCTION Internet has become a mission-critical infrastructure for governments, companies, institutions, and millions of every-day users. Because of this significant increase reliance on the Internet–based services, security and survivability of networks has become a primary concern. Intrusion Detection System (IDS) plays a vital role in the overall security infrastructure, as one last defense against attacks after secure network architecture design, secure program design and firewalls [1]. It gathers information form some key points in the computer networks, properly analyzes it and detect violations of the monitored system’s security policy. so as to extend the security management capability of the system administrators and improve the integrity of information security infrastructure. However, IDS are becoming unable to provide proper analysis and effective defense mechanism. They often report a massive number of elementary alarms of lowlevel security-related events. Since be overwhelmed by these alarms, administrators almost unable to make proper security threat evaluations in real-time. For this reason, some alarm correlation approaches were proposed. Ning et al. developed a an intrusion alarm correlator [2][3] to help human analysts to recognize multi-step attacks. Lee et al. [4][5] built a framework based on data mining techniques, such as sequential patterns mining and episodes rules, to search causal relationships between alarms to improve attack detection while maintaining a low false positive rate. Cuppens [6][7] build alert correlation systems based on matching the pre/postconditions of individual alarms. The idea of the approach is that prior attack steps prepare for later ones. Julisch proposed to find alarm clusters and generalized forms of false alarms to identify root causes [8][9], and those alarms which are not possible attributed to the root causes can be filtered out. Although these correlation approaches enable to improve the alarm handling efficiency from micro prospective, they are hard to work well with massive security alarms and with large-scale network environment. Recently, some online security threat evaluation and risk assessment methods have been developed. There are approaches employing a graph-based representation of systems [10][11], where an integrated, topological approach to network vulnerability analysis is used. But, these approaches usually follow a static procedure and cannot meet the changes in a dynamic network environment. Gehani [12] put forward a host-based method for real-time risk assessment. The model evaluates the threat probability from intrusion reports and uses predetermined attack scenarios to calculate the risk. Arnes [13] uses the Hidden Markov Model to compute the probability of the security status of the system based on observations from reporting of intrusion detection sensors. However, there are several limitations faced by these approaches. Since the high computational complexity and time cost, these approaches are still can not deal well with huge number of security alarms. In addition, the models used in these approaches should be retrained to adapt to new knowledge. Hence, it seems to be inefficient in reducing the human workload. The focus of our work is to perform the security threat evaluation in real-time. Since IDS have the ability to perform online attack detection and can dynamically report security incidents which the network is suffering, we chose IDS alarms as our processing objects and use them to make threat evaluations. Different form the approaches mentioned above, we use aggregated alarm flows instead of individual alarms. We model the alarm flow as a time series, which is a sequence of alarm intensity observations i.e. the number of alarms in a sampling interval as a time series. Only alarms generated by the same IDS and with the same signature can be © 2010 ACADEMY PUBLISHER AP-PROC-CS-10CN006 93
Page 1 and 2:
Proceedings The Second Internationa
Page 3 and 4:
Table of Contents Message from the
Page 5 and 6:
Zuming Xiao, Zhan Guo, Bin Tan, and
Page 7 and 8:
Message from the Symposium Chairs T
Page 9 and 10:
Second International Symposium on N
Page 11 and 12:
ISBN 978-952-5726-09-1 (Print) Proc
Page 13 and 14:
model that can deal with time serie
Page 15 and 16:
ISBN 978-952-5726-09-1 (Print) Proc
Page 17 and 18:
training for the Wushu competition
Page 19 and 20:
ISBN 978-952-5726-09-1 (Print) Proc
Page 21 and 22:
information, called weak uncertain
Page 23 and 24:
Student side Student side Student s
Page 25 and 26:
ISBN 978-952-5726-09-1 (Print) Proc
Page 27 and 28:
If we define element of student as
Page 29 and 30:
ISBN 978-952-5726-09-1 (Print) Proc
Page 31 and 32:
QoS, each frame data is divided int
Page 33 and 34:
ISBN 978-952-5726-09-1 (Print) Proc
Page 35 and 36:
for Imaging Two and Three Phase Flo
Page 37 and 38:
ISBN 978-952-5726-09-1 (Print) Proc
Page 39 and 40:
A. Profiling&following control algo
Page 41 and 42:
Research and Realization about Conv
Page 43 and 44:
PDF document structure is a tree st
Page 45 and 46:
ISBN 978-952-5726-09-1 (Print) Proc
Page 47 and 48:
support 10 Mb / s. But ENC28J60 onl
Page 49 and 50:
ISBN 978-952-5726-09-1 (Print) Proc
Page 51 and 52: condition the first byte output of
Page 53 and 54: ISBN 978-952-5726-09-1 (Print) Proc
Page 55 and 56: According to maximum membership deg
Page 59 and 60: ubber according to the mass ratio o
Page 61 and 62: Ⅲ. AN IMPROVED DNA ALGORITHM FOR
Page 63 and 64: Ⅴ.CONCLUSION REMARKS DNA computer
Page 65 and 66: its first child q 1 on the left, th
Page 67 and 68: chains can greatly improve efficien
Page 69 and 70: II. RELATED WORK A. Mobile Service
Page 71 and 72: special services. SOAP is used to b
Page 73 and 74: detection methods of DDoS attacks m
Page 75 and 76: Step4 calculate the new subordinate
Page 77 and 78: Figure 1. An analysis of the partit
Page 81 and 82: The preceding three formulas can be
Page 85 and 86: And the decay speed of buffer seque
Page 89 and 90: distance of view point. Given that
Page 93 and 94: Ⅳ. EVALUATION OF BLENDED LEARNING
Page 97 and 98: symmetric with respect to the origi
Page 101: each sample belongs to each categor
Page 105 and 106: A. Data Preparing To generate our t
Page 109 and 110: oth α and β . determination of Qu
Page 113 and 114: Strong earthquake 0.1< M L
Page 117 and 118: indirect causes, and the logical re
Page 119 and 120: egression. Granger causality test i
Page 121 and 122: B. Evaluation We have evaluated thi
Page 123 and 124: used as a source and neighboring ce
Page 125 and 126: Figure 3. Drainage networks generat
Page 127 and 128: Combinational logic unit failures i
Page 129 and 130: Tabal.1 Combinational fault logic t
Page 131 and 132: under the endorsement of both the m
Page 133 and 134: TABLE I. DESCRIPTION OF PROPOSITION
Page 135 and 136: Figure 2. The process of the invers
Page 137 and 138: Figure 9. (a)the original image.(b)
Page 141 and 142: In order to reduce to the number of
Page 145 and 146: that studying being going to be to
Page 147 and 148: Reference[10] analyzed the evolutio
Page 149 and 150: module, communication module, apper
Page 151 and 152: After the comprehensive performance
Page 153 and 154:
system testing can be seen that the
Page 155 and 156:
III. AUTONOMIC RESOURCE ALLOCATION
Page 157 and 158:
The QoE i (T i ) is the ith user’
Page 159 and 160:
ISBN 978-952-5726-09-1 (Print) Proc
Page 161 and 162:
nodes will be formed one cluster, t
Page 163 and 164:
ISBN 978-952-5726-09-1 (Print) Proc
Page 165 and 166:
Where n is the number of data point
Page 167 and 168:
ISBN 978-952-5726-09-1 (Print) Proc
Page 169 and 170:
Keyboard event Application User mod
Page 171 and 172:
ISBN 978-952-5726-09-1 (Print) Proc
Page 173 and 174:
SQL Azure will eventually include a
Page 175 and 176:
ISBN 978-952-5726-09-1 (Print) Proc
Page 177 and 178:
The nodes in the suffix tree are dr
Page 179 and 180:
[3] Y. Li, S. M. Chung, and J. D. H
Page 181 and 182:
some drilling fluid produces hydrog
Page 183 and 184:
"normalization", whose membership b
Page 185 and 186:
and minimum structural elements in
Page 187 and 188:
esults of the spatial transform par
Page 189 and 190:
B. Research on protocol actions Com
Page 191 and 192:
ACKNOWLEDGMENT This work is funded
Page 193 and 194:
A. Problem Description In a small b
Page 195 and 196:
[4] Huang, Hung, and J. Y. jen Hsu.
Page 197 and 198:
Further by calculating, the followi
Page 199 and 200:
TABLE II. THE CONCENTRATION BETWEEN
Page 201 and 202:
private key that obtained by using
Page 203 and 204:
ISBN 978-952-5726-09-1 (Print) Proc
Page 205 and 206:
ontology, and the domain dictionary
Page 207 and 208:
ISBN 978-952-5726-09-1 (Print) Proc
Page 209 and 210:
Eq.4 is NP-hard and can be solved b
Page 211 and 212:
ISBN 978-952-5726-09-1 (Print) Proc
Page 213 and 214:
Where: G i is the selection field o
Page 215 and 216:
If there is X j in a generation, wh
Page 217 and 218:
Theorem 2.4([10]). Let L 1 and L 2
Page 219 and 220:
The relation between the lattice im
Page 221 and 222:
Figure 2. Example of single-step de
Page 223 and 224:
evocation and the fourth group stor
Page 225 and 226:
focused mainly on rule-based forms
Page 227 and 228:
Ⅵ. CONCLUSION Figure 6. The Flask
Page 229 and 230:
EDCF in comparison with DCF, has so
Page 231 and 232:
B. Simulation results and analysis
Page 233 and 234:
ISBN 978-952-5726-09-1 (Print) Proc
Page 235 and 236:
in routing table. When search resou
Page 237 and 238:
ISBN 978-952-5726-09-1 (Print) Proc
Page 239 and 240:
others through the selective emotio
Page 241 and 242:
such as weather information, techno
Page 243 and 244:
the opening window, a related page
Page 245 and 246:
1) Process context storage areas. I
Page 247 and 248:
V. CONCLUSION In this thesis, sCPU-
Page 249 and 250:
main types of horizontal search env
Page 251 and 252:
Enterprise Portal security provides
Page 253 and 254:
() t = [ S () t S () t ] T N S ,...
Page 255 and 256:
[2] Kumaravel, N., and Kavitha, V.,
Page 257 and 258:
output, so BP network has been wide
Page 259 and 260:
input to the artificial neural netw
Page 261 and 262:
(2) In a process (tokens from outsi
Page 263 and 264:
The reduction process consists of t
Page 265 and 266:
all eight normal vectors are identi
Page 267 and 268:
is B object , and the number of emp
Page 269 and 270:
xi, j y' = εα ( (1 + tanh( )) −
Page 271 and 272:
Error 8000 7000 6000 5000 4000 3000
Page 273 and 274:
Architecture (AMBA) a new bus archi
Page 275 and 276:
In order to ensure the smooth proce
Page 277 and 278:
ISBN 978-952-5726-09-1 (Print) Proc
Page 279 and 280:
In this paper, we adopt two Sobel o
Page 281 and 282:
ISBN 978-952-5726-09-1 (Print) Proc
Page 283 and 284:
four layers.The far right of the gr
Page 285 and 286:
ISBN 978-952-5726-09-1 (Print) Proc
Page 287 and 288:
TABLE II. OPERATIONAL EMPLOYEE TABL
Page 289 and 290:
A. Object-relational Type To audit
Page 291 and 292:
to execution time. Also, DBA would
Page 293 and 294:
Liping Chen .......................
show all

Download - Academy Publisher

Create successful ePaper yourself

Delete template?

Save as template?