Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co... - Editor IJCATR
Network Intrusion Detection and Countermeasure Selection in virtual network systems (NICE) is used to establish a defense-in-depth intrusion detection framework. For better attack detection, NICE incorporates attack graph analytical procedures into the intrusion detection processes. We must note that the design of NICE does not intend to improve any of the existing intrusion detection algorithms; indeed, NICE employs a reconfigurable virtual networking approach to detect and counter the attempts to compromise VMs, thus preventing zombie VMs. NICE includes two main phases: (1) deploy a lightweight mirroring-based network intrusion detection agent (NICE-A) on each cloud server to capture and analyze cloud traffic. A NICE-A periodically scans the virtual system vulnerabilities within a cloud server to establish Scenario Attack Graphs (SAGs), and then, based on the severity of the identified vulnerabilities toward the collaborative attack goals, NICE decides whether or not to put a VM in network inspection state. (2) Once a VM enters inspection state, Deep Packet Inspection (DPI) is applied, and/or virtual network reconfigurations can be deployed to the inspected VM to make the potential attack behaviors prominent.
A system for-denial-of-service-attack-detection-based-on-multivariate-correla... - LeMeniz Infotech
A system for denial-of-service attack detection based on multivariate correlation analysis. Interconnected systems, such as Web servers, database servers, cloud computing servers etc., are now under threats from network attackers
A review of security attacks and intrusion detection schemes in wireless sens... - ijwmn
Wireless sensor networks are currently the greatest innovation in the field of telecommunications. WSNs have a wide range of potential applications, including security and surveillance, control, actuation and maintenance of complex systems, and fine-grain monitoring of indoor and outdoor environments. However, security is one of the major aspects of wireless sensor networks due to the resource limitations of sensor nodes. These networks face several threats that affect their functioning and their lifetime. In this paper we present security attacks in wireless sensor networks, and we focus on the comparison and analysis of recent intrusion detection schemes in WSNs.
HYBRID ARCHITECTURE FOR DISTRIBUTED INTRUSION DETECTION SYSTEM IN WIRELESS NE... - IJNSA Journal
Owing to the rapid growth of network applications, new kinds of network attacks are emerging endlessly. So it is critical to protect networks from attackers, and intrusion detection technology has become popular. Therefore, it is necessary that this security concern be articulated right from the beginning of network design and deployment. Intrusion detection is the process of identifying network activity that can lead to a compromise of the security policy. A lot of work has been done on the detection of intruders, but the solutions are not satisfactory. In this paper, we propose a novel Distributed Intrusion Detection System using multiple agents in order to decrease false alarms and manage misuse and anomaly detection.
A New Way of Identifying DOS Attack Using Multivariate Correlation Analysis - ijceronline
Review of Security Issues in Mobile Wireless Sensor Networks - Eswar Publications
MWSNs are finding applicability in a wide range of applications, spread from day-to-day utilities to military and surveillance, where they may sense information about vehicular movements around a border. Considering the importance of the data being sent by these nodes, the threat of compromising them has also increased. This paper aims to explore various types of attacks and tries to classify them based on some common parameters. A better understanding of various attacks, their style of functioning and point of penetration can help researchers devise better preventive measures.
A DEFENSIVE MECHANISM CROSS LAYER ARCHITECTURE FOR MANETS TO IDENTIFY AND COR... - IJNSA Journal
The emerging mobile technology has brought revolutionary changes in the computer era. One such networking technology is Mobile Ad hoc Networks (MANETs), where the mobility and infrastructure-less nature of the nodes take predominant roles. These features make MANETs more vulnerable to attacks. As the research continues, several aspects can be explored in this area. The first is the problem of how to make cross-layer detection of attacks more efficient and effective. Since every layer in the network deals with different types of attacks, a possible viewpoint on those attack scenarios can be presented so that it can be extended later. It becomes necessary to figure out the security solution architecture if different detection results are generated by different layers. Secondly, there should be a measure of the network metrics to show increased performance. The paper presents such a defensive cross-layered architecture which strives to identify and correct misbehaviour in MANETs, especially with respect to the routing layer. The evaluation of the proposed solution is also given, with results obtained to show the performance of the network.
SECURED AODV TO PROTECT WSN AGAINST MALICIOUS INTRUSION - IJNSA Journal
One of the security issues in Wireless Sensor Networks (WSN) is intrusion detection. In this paper, we propose a new defence mechanism based on the Ad hoc On-Demand Vector (AODV) routing protocol. AODV is a reactive protocol designed for ad hoc networks and has excellent flexibility to be adapted into a new secure version. The main objective of the proposed secured AODV routing protocol is to protect WSN against malicious intrusion and defend against adversary attacks. This secured AODV protocol works well with the WSN dynamics and topology changes due to limited available resources. It establishes secure multi-hop routing between sensor nodes with high confidence, integrity, and availability. The secured AODV utilizes an existing intrusion dataset that facilitates new collection from all the exchanged packets in the network. The protocol monitors end-to-end delay and avoids any additional overhead on message transfer between sensor nodes. The experimental results showed that this secured AODV could be used to fight against malicious attacks such as black hole attacks and avoid the large transmission delays they cause.
Wireless Sensor Networks: An Overview on Security Issues and Challenges - IJAEMSJORNAL
Wireless Sensor Networks (WSNs) are formed by deploying a large number of sensor nodes in an area for the surveillance of generally remote locations. A typical sensor node is made up of different components to perform the tasks of sensing, processing and transmitting data. WSNs are used for many applications in diverse forms, from indoor deployment to outdoor deployment. The basic requirement of every application is to use a secured network. Providing security to the sensor network is a very challenging issue, along with saving its energy. Many security threats may affect the functioning of these networks. WSNs must be secured to keep an attacker from hindering the delivery of sensor information and from forging sensor information, as these networks are built for remote surveillance and unauthorized changes in the sensed data may lead to wrong information reaching the decision makers. This paper gives a brief description of various security issues and security threats in WSNs.
A technical review and comparative analysis of machine learning techniques fo... - IJECEIAES
Machine learning techniques are being widely used to develop intrusion detection systems (IDS) for detecting and classifying cyber attacks at the network level and the host level in a timely and automatic manner. However, traditional Intrusion Detection Systems (IDS), based on traditional machine learning methods, lack reliability and accuracy. Instead of the traditional machine learning used in previous research, we think deep learning has the potential to perform better in extracting features from massive data, considering the massive cyber traffic in real life. Generally, Mobile Ad Hoc Networks have given low physical security to mobile devices, because of properties such as node mobility, lack of centralized management and limited bandwidth. To tackle these security issues, traditional cryptography schemes cannot completely safeguard MANETs against novel threats and vulnerabilities; thus, by applying deep learning methods, IDS techniques are capable of adapting to the dynamic environments of MANETs and enable the system to make decisions on intrusion while continuing to learn about their mobile environment. An IDS in a MANET is a sensing mechanism that monitors nodes and network activities in order to detect malicious actions and malicious attempts performed by intruders. Recently, multiple deep learning approaches have been proposed to enhance the performance of intrusion detection systems. In this paper, we made a systematic comparison of three models, Inception architecture convolutional neural network (Inception-CNN), bidirectional long short-term memory (BLSTM) and deep belief network (DBN), for deep learning-based intrusion detection systems, using the NSL-KDD dataset containing information about intrusion and regular network connections; the goal is to provide basic guidance on the choice of deep learning models in MANETs.
A hierarchical security framework for defending against sophisticated attacks... - redpel dot com
A hierarchical security framework for defending against sophisticated attacks on wireless sensor networks in smart cities
A NOVEL TWO-STAGE ALGORITHM PROTECTING INTERNAL ATTACK FROM WSNS - IJCNC
Wireless sensor networks (WSNs) consist of small nodes with constrained capabilities. They enable numerous applications with distributed network infrastructure. Given its nature and application scenarios, the security of WSNs has drawn great attention. In malicious environments, security mechanisms are essential for a functional WSN. Malicious or internal attackers have gained attention as the most challenging attacks on WSNs. Many works have been done to secure WSNs from internal attacks, but most of them rely on either a training data set or predefined thresholds. It is a great challenge to find or gain knowledge about the malicious nodes. In this paper, we develop the algorithm in two stages. Initially, an Abnormal Behaviour Identification Mechanism (ABIM) which uses cosine similarity is applied. Finally, Dempster-Shafer theory (DST) is used, which combines multiple evidences to identify the malicious or internal attacks in a WSN. In this method we do not need any predefined threshold or training data set of the nodes.
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service... - IEEEMEMTECHSTUDENTPROJECTS
A Survey on Hidden Markov Model (HMM) Based Intention Prediction Techniques - IJERA Editor
The extensive use of virtualization in implementing cloud infrastructure brings unrivaled security concerns for cloud tenants or customers and introduces an additional layer that itself must be completely configured and secured. Intruders can exploit the large amount of cloud resources for their attacks.
This paper discusses two approaches. In the first, three features, namely ongoing attacks, autonomic prevention actions, and risk measure, are integrated into our Autonomic Cloud Intrusion Detection Framework (ACIDF), as most of the current security technologies do not provide the essential security features for cloud systems, such as early warnings about future ongoing attacks, autonomic prevention actions, and risk measure. The early warnings are signaled through a new finite-state Hidden Markov prediction model that captures the interaction between the attackers and cloud assets. The risk assessment model measures the potential impact of a threat on assets given its occurrence probability. The estimated risk of each security alert is updated dynamically as the alert is correlated to prior ones. This enables the adaptive risk metric to evaluate the cloud's overall security state. The prediction system raises early warnings about potential attacks to the autonomic component, the controller. Thus, the controller can take proactive corrective actions before the attacks pose a serious security risk to the system.
In the other approach, Attack Sequence Detection (ASD), tasks from different users may be performed on the same machine. Therefore, one primary security concern is whether user data is secure in the cloud. On the other hand, a hacker may use cloud computing to launch a larger range of attacks, such as a port scan request from a cloud with multiple virtual machines executing the malicious action. In addition, a hacker may perform a sequence of attacks in order to compromise a target system in the cloud, for example, invading an easy-to-exploit machine in a cloud and then using the previously compromised machine to attack the target. Such an attack plan may be stealthy or inside the computing environment, so an intrusion detection system or firewall has difficulty identifying it.
Machine learning techniques applied to detect cyber attacks on web applications - Venkat Projects
The increased usage of cloud services, the growing number of web application users, changes in the network infrastructure that connects devices running mobile operating systems, and constantly evolving network technology cause novel challenges for cyber security. As a result, to counter arising threats, network security mechanisms, sensors and protection schemes also have to evolve to address the needs and problems of the users. In this article, we focus on countering emerging application-layer cyber attacks, since those are listed as top threats and the main challenge for network and cyber security. The major contribution of the article is the proposition of a machine learning approach to model the normal behaviour of an application and to detect cyber attacks. The model consists of patterns (in the form of Perl Compatible Regular Expressions (PCRE)) that are obtained using a graph-based segmentation technique and dynamic programming. The model is based on information obtained from HTTP requests generated by a client to a web server. We have evaluated our method on the CSIC 2010 HTTP Dataset, achieving satisfactory results.
Cyber-Defensive Architecture for Networked Industrial Control Systems - IJEACS
This paper deals with the inevitable consequence of the convenience and efficiency we gain from the open, networked control system operation of safety-critical applications: the vulnerability of such systems to cyber-attacks. Even with numerous metrics and methods for intrusion detection and mitigation strategy, complete detection and deterrence of internal code flaws and outside cyber-attacks has not been found and will not be found anytime soon. Considering the persistent incompleteness of detection and prevention, and the impact and consequences of malfunctions of safety-critical operations caused by cyber incidents, this paper proposes a new computer control system architecture which assures resiliency even under compromised situations. The proposed architecture is centered on diversification of hardware systems and unidirectional communication from the proposed system when alerting upper layers to suspicious activities. This paper details the architectural structure of the proposed cyber-defensive computer control system architecture for power substation applications and its validation in lab experimentation and on a cybersecurity testbed.
Hybrid Technique for Detection of Denial of Service (DOS) Attack in Wireless ...Eswar Publications
Wireless Sensor Networks (WSNs) are deployed in hostile environments and are vulnerable to various security attacks such as wormhole, denial of service and Sybil attacks. Various intrusion detection techniques are used to identify attacks in a network with a high level of accuracy. This paper focuses on the Denial of Service attack, since it is the most common attack and affects the environment severely. Therefore a new hybrid technique combining a Hidden Markov Model with Ant Colony Optimization (HMM+ACO) has been proposed that gives improved performance over the other techniques.
USE OF MARKOV CHAIN FOR EARLY DETECTING DDOS ATTACKSIJNSA Journal
DDoS comes in a variety of mixed attack types. Botnet attackers can chain different types of DDoS attacks to confuse cybersecurity defenders. In this article, the attack type is represented as the state of a Markov model. Considering the attack type, we use this model to calculate the final attack probability. The final attack probability is then converted into one prediction vector, and incoming attacks can be detected early, before the IDS issues an alert. The experimental results show that the prediction model can make multi-vector DDoS detection and analysis easier.
Malware Detection in Cloud Computing Infrastructures
A short presentation covering the overall design and operation of malware detection in cloud computing infrastructures, explaining the detection criteria and the supporting infrastructure.
Supervisory Control and Data Acquisition (SCADA) systems are applications that collect data from a system in order to automate the monitoring and control of its activities. Several industrial fields, such as electric utilities, water supplies and building facilities, have already adopted SCADA systems to increase efficiency and reduce cost. However, the IT community is concerned about the level of security that any deployed SCADA system provides. This paper concentrates on the major security threats encountered in SCADA systems. In addition, it discusses a newly proposed methodology to increase system security with minimal impact on efficiency. The proposed scheme provides several security services: mutual authentication, confidentiality, data integrity and accountability.
Vulnerability Analysis of 802.11 Authentications and Encryption Protocols: CV...AM Publications
This paper analyses the vulnerability of WLAN cipher suites, authentication mechanisms and credentials to known attacks, using the Common Vulnerability Scoring System (CVSS).
SECURING MOBILE AGENTS IN MANET AGAINST ATTACKS USING TRUSTIJNSA Journal
The emerging trend of using mobile agents for mobile ad hoc network (MANET) applications intensifies the need to protect them. Here we propose a distributed trust-based framework to protect both the agents and the host platforms (running at the nodes), especially against threats of the underlying environment where agents may get killed or rerouted by visiting hosts. The best way to defend against this situation is to prevent both hosts and agents from communicating with malicious ones. To this end, this paper develops a distributed reputation model of a MANET using concepts from Dempster-Shafer theory. The agents (deployed for purposes such as service discovery), while roaming in the network, work collaboratively with the hosts they visit to form a consistent trust view of the MANET. An agent may exchange information about suspected nodes with a visiting host. To speed up convergence, information about an unknown node can be solicited from the trusted neighborhood. Thus an inactive node, without deploying agents, may also get a partial view of the network. The agents can use a combination of encryption and digital signatures to provide privacy and authentication services. Node mobility and the effect of environmental noise are considered. The results show the robustness of the proposed scheme even in larger networks.
TSINGHUA SCIENCE AND TECHNOLOGY
ISSN 1007-0214 08/11 pp322–332
Volume 21, Number 3, June 2016
An Anomalous Behavior Detection Model in Cloud Computing
Xiaoming Ye, Xingshu Chen , Haizhou Wang, Xuemei Zeng, Guolin Shao, Xueyuan Yin, and Chun Xu
Abstract: This paper proposes an anomalous behavior detection model based on cloud computing. Virtual Machines (VMs) are one of the key components of cloud Infrastructure as a Service (IaaS). The security of such VMs is critical to IaaS security. Many studies have been done on cloud computing security issues, but research into VM security issues, especially regarding VM network traffic anomalous behavior detection, remains inadequate. More and more studies show that communication among internal nodes exhibits complex patterns. Communication among VMs in cloud computing is invisible. Researchers find such issues challenging, and few solutions have been proposed, leaving cloud computing vulnerable to network attacks. This paper proposes a model that uses Software-Defined Networks (SDN) to implement traffic redirection. Our model can capture inter-VM traffic, detect known and unknown anomalous network behaviors, adopt hybrid techniques to analyze VM network behaviors, and control network systems. The experimental results indicate that the effectiveness of our approach is greater than 90%, and prove the feasibility of the model.
Key words: virtual machine; network behavior; anomaly detection; cloud computing
1 Introduction
Cloud computing infrastructure is a hybrid networking system that integrates hybrid technology, hybrid operating systems, and hybrid hardware. Cloud computing aims to provide on-demand, low-cost, high-performance computing resources, and leverages virtualization technologies to deliver storage, server, network services, CPU, and memory[1].

Cloud computing has to face both traditional security threats and new generations of security threats. Cloud computing vulnerabilities include core technology vulnerabilities (e.g., Web applications and services, virtualization, and cryptography), essential cloud characteristic vulnerabilities (e.g., unauthorized access to management interfaces, Internet protocol vulnerabilities, etc.), defects in known security controls, and prevalent vulnerabilities (e.g., injection vulnerabilities and weak authentication schemes)[2].

Attackers find vulnerabilities and use them to undertake attacks. There have been many attacks against virtual machines on cloud computing platforms, such as various port scanning attacks, attacks on hypervisors, attacks on virtualization, backdoor channel attacks, flooding attacks, user-to-root attacks, and insider attacks (e.g., internal denial-of-service attacks via zombies in the cloud)[3].

Xiaoming Ye, Xingshu Chen, Haizhou Wang, Xuemei Zeng, Guolin Shao, Xueyuan Yin, and Chun Xu are with the College of Computer Science, Cybersecurity Research Institute, Sichuan University, Chengdu 610065, China. E-mail: yexm.edu@gmail.com; chenxsh@scu.edu.cn; whzh.nc@scu.edu.cn; zengxm@scu.edu.cn; sgllearn@163.com; yinxueyuan@msn.com; xchun@scu.edu.cn.
To whom correspondence should be addressed.
Manuscript received: 2016-01-09; accepted: 2016-03-07
Virtualization technology is a core technology in cloud computing. Virtual Machines (VMs) are key components of cloud infrastructure. For example, virtualization technology enables the execution of multiple operating system environments, or VM instances, on a single hardware system. Each VM owns an operating system and applications. A VM executes programs like a physical machine. Cloud computing contains both physical and virtual networks[4]. Virtualization creates blind spots of network traffic, or invisible networks, within the same server infrastructure. Gartner[5] presented six of the most common virtualization security risks, noting that “the lack of visibility and controls on internal virtual networks created for VM-to-VM communications blinds existing security policy enforcement mechanisms”. It also stated that more than 60% of virtual machines in production are less secure than their physical counterparts. Existing security tools lose the ability to detect and control this communication. Attacks and data can move between VMs without ever going out to the physical network, which means these attacks will not be detected by traditional tools. To deal with this vulnerability, making all VM communication traffic visible is the first problem that needs to be solved.

Currently, the challenge is how to establish an effective network behavior detection system for each VM in a cloud computing network, so that it can accurately identify deviations from the normal network behavior of the virtual machines and reduce cloud security risks.
This paper proposes a model to detect anomalous behavior of VMs in cloud computing. The model is a time-varying system with a number of network traffic features. The main work and contributions of this paper are:

Communications among VMs in the cloud are invisible. The model uses Software-Defined Networks (SDN) to build a virtual network, so that virtual switch traffic is redirected through the physical network card to the node where the detection system is deployed.

The model aims to detect known and unknown anomalous behaviors.

This paper designs a control model, and adopts hybrid techniques to analyze VM network behaviors and control network systems.
The remainder of this paper is organized as follows. Section 2 introduces the state machine definitions, the components of the model, and the methods of state analysis. Section 3 introduces Snort, data processing, application behavior analysis, and decision analysis. The algorithms and technologies used in this paper are also discussed. Experiments were conducted and the results are discussed in Section 4. Conclusions and future work are presented in Section 5.
2 Model Overview
2.1 State definitions
Network behavior has various forms and means of changing characteristics. We cannot describe and identify all the anomalous behaviors of networks, but we can describe states that characterize a VM under attack. Before the attack, a malicious user tries to scan VMs and search for vulnerabilities or open ports to find the cloud computing infrastructure's security “holes”. The attacker then follows a planned, purposeful, step-by-step process to undertake the attack, including an attack action plan, tests, and the complete attack process. Normal VM network behavior is a state of dynamic equilibrium. Network attacks disturb this state, which is defined as follows:

Definition 1 (Homeostasis, S1): The virtual machine is currently running properly, and the network traffic situation is in dynamic equilibrium. The virtual machine has vulnerabilities and other security threats, but they have not been detected or exploited.

Definition 2 (Before imbalances, S2): Anomalous network traffic behaviors, such as vulnerability scanning, are detected. In this state, VM security threats have been detected, but have not yet been exploited by an attacker.

Definition 3 (Imbalances early, S3): Anomalous network traffic behaviors are detected more than once. An attacker has detected vulnerabilities in the virtual machine and exploited them.

Definition 4 (Imbalance, S4): Network traffic anomalies are repeatedly detected. The VM is under continuous cyber-attacks.

Figure 1 depicts the transition of virtual machine states under attack. The sequence starts at state S1. Attack behaviors move the VM from state S1 through states S2, S3, and S4. When the anomalous behavior has been controlled, the VM state returns to dynamic equilibrium.
Fig. 1 VM state transition.
Through application behavior analysis, the model determines whether or not application behavior deviates from normal. On this basis, the model can describe VM state transitions. The details of the algorithm are given in Section 2.3.
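As an added illustration (not code from the paper), the following Python sketch drives the S1–S4 transitions of Fig. 1 from a stream of per-interval detection verdicts. The paper does not give numeric thresholds for “more than once” and “repeatedly”, nor how “controlled” is signalled, so the counts, the `controlled` verdict and the recovery rule after a run of clean intervals are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    """VM states from Definitions 1-4."""
    S1 = "homeostasis"
    S2 = "before imbalances"
    S3 = "imbalances early"
    S4 = "imbalance"


# Verdicts a detection interval can produce (assumed vocabulary):
#   "clean"      no anomaly in this interval
#   "scan"       threat detected (e.g. vulnerability scan) but not exploited
#   "exploit"    anomaly consistent with exploitation of a vulnerability
#   "controlled" operator/controller confirms the anomaly is contained
VERDICTS = {"clean", "scan", "exploit", "controlled"}


@dataclass
class VMStateTracker:
    # Assumed thresholds: S4 after this many anomalous intervals, and a
    # return to S1 after this many consecutive clean intervals.
    continuous_threshold: int = 3
    quiet_intervals_to_recover: int = 3
    state: State = State.S1
    anomalies: int = 0
    clean_streak: int = 0
    history: list = field(default_factory=list)

    def observe(self, verdict: str) -> State:
        if verdict not in VERDICTS:
            raise ValueError(f"unknown verdict {verdict!r}")
        if verdict == "controlled":
            self._recover()
        elif verdict == "clean":
            self.clean_streak += 1
            if self.clean_streak >= self.quiet_intervals_to_recover:
                self._recover()
        else:
            self.clean_streak = 0
            self.anomalies += 1
            if self.anomalies >= self.continuous_threshold:
                self.state = State.S4   # repeatedly detected: continuous attack (Def. 4)
            elif verdict == "exploit" or self.anomalies > 1:
                self.state = State.S3   # exploited, or detected more than once (Def. 3)
            else:
                self.state = State.S2   # first detection, not yet exploited (Def. 2)
        self.history.append(self.state)
        return self.state

    def _recover(self) -> None:
        # Anomaly controlled: back to dynamic equilibrium, counters reset.
        self.state = State.S1
        self.anomalies = 0
        self.clean_streak = 0


def replay(verdicts) -> list:
    """Run a verdict sequence through a fresh tracker and return the state path."""
    tracker = VMStateTracker()
    return [tracker.observe(v) for v in verdicts]


if __name__ == "__main__":
    # Constructed sequence: scan, scan, exploit, one quiet interval, then containment.
    sequence = ["scan", "scan", "exploit", "clean", "controlled"]
    for verdict, state in zip(sequence, replay(sequence)):
        print(f"{verdict:>10} -> {state.name} ({state.value})")
```

A single clean interval does not move the VM back to S1 (an attacker who pauses is still an attacker); only an explicit containment signal or a sustained quiet period does, which keeps the state from flapping between S1 and S2 on intermittent scans.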
2.2 Components
This paper proposes a cloud computing anomalous behavior detection model. The model can detect known and unknown anomalous behaviors. Hybrid techniques are used to detect anomalies. The model determines whether the network behavior of a virtual machine deviates from normal.

Figure 2 describes the model components and detection processes. The model consists of VM profiles, Snort, data processing, application behavior analysis, state analysis modules, and decision analysis.

The VM profile module is a dataset used to store and manage VM profiles based on traffic analysis. Application behavior states are used to build the set of VM profiles. The information includes the services, software version numbers, open ports, IP address, MAC address, and rules. It also includes rules for communication among virtual machines, and between virtual machines and physical machines. These profiles include VM security rules among other features.

VM network traffic passes through Snort first. This module is used to detect known anomalous behaviors. Snort uses signature-based detection rules. The model first executes the Snort module, which provides known anomaly detection, improves the detection rate, and reduces the computational cost. Then network traffic flows into the next detection module. The Snort module not only applies the known anomalous behavior rule base, but also reduces the volume of traffic that must be processed by the next module.

Fig. 2 Model components.
The model then performs application behavior analysis. This module has two parts. In the first part, traffic classification is performed to identify applications. This part manipulates the training examples and produces multiple classifiers to improve the application classification accuracy. In the second part, the application behavior analysis module uses time series to build a baseline for each application. Time series analysis is used because the normal network behavior of VMs is periodic: people work during the day and rest at night, and work from Monday to Friday and rest on Saturday and Sunday. Other regular behaviors include data backup, “application heartbeats”, and other periodic behaviors that repeat. This module aims to detect unknown anomalous behaviors, so the properties of the applications of each VM are stored. The algorithm of this module is given below.

Finally, the detection results from Snort and from the application behavior analysis module are saved as anomaly records. In order to improve detection accuracy, the decision analysis module uses these records for in-depth analysis. The algorithm is given below.

After the application behavior analysis, the VM profile information is updated. From this, the model can describe the states of the VMs in the cloud. The formulas are described below.
2.3 State analysis
VM profiles hold summary information about each VM in the cloud collected from traffic. For each application, detection results from Snort and behavior analysis are added to the VM profiles. Other information includes the number of services, open port numbers, number of flows, number of outgoing connections, number of incoming connections, maximum value of each connection, and duration. In addition, the profile includes rules for communication between virtual machines, as well as for communication between virtual machines and physical machines.

$A_k$ represents the anomalous performance of the $k$-th VM in the cloud as discussed in Section 2.1. In this method, the state of each VM is expressed in three forms, $A^{(1)}$, $A^{(2)}$, and $A^{(3)}$. Its value is calculated by Eq. (1), where $n(t)$ is random noise, and $r_1$, $r_2$, and $r_3$ are parameters. $vm_k$ denotes the weight of the $k$-th VM, computed by Eq. (20). $A^{(1)}$ represents the degree of deviation of the traffic periodicity of the VM, computed by Eq. (6). $A^{(2)}$ denotes the anomalous status of known applications (app), computed by Eq. (11). $A^{(3)}$ denotes the anomalous status of unknown applications (uapp), computed by Eq. (12).

The anomalous performance of a VM is

$$A_k = vm_k \left( r_1 A^{(1)} + r_2 A^{(2)} + r_3 A^{(3)} \right) + n(t) \quad (1)$$
Here is how to compute $A^{(1)}$. A VM profile is a time-varying matrix of network traffic features that can describe the state of network traffic. A time series is a sequence of data, usually at regular intervals of time during a specific period. The most important feature of this type of data is that neighboring observations are dependent on each other. This paper takes into account history data before time $T$ ($T_1$, $T_2$, and $T_3$ are the three adjacent times before the detection time $T$), but also last week's value $WT$, last month's value $MT$, and last year's value $YT$ at each observation time, as shown in Fig. 2. Thus, in Eq. (2), there are six values associated with a given time, where $m$ represents the total number of observed characteristics. Create a time matrix $S_{tvm}$ as follows:

$$S_{tvm} = \begin{pmatrix} w_{11} & \cdots & w_{16} \\ \vdots & \ddots & \vdots \\ w_{m1} & \cdots & w_{m6} \end{pmatrix} \quad (2)$$

Build a vector based on each time window $W_i$ at time $t$, where $W_1$ represents $T_1$, $W_2$ represents $T_2$, $W_3$ represents $T_3$, $W_4$ represents $WT$, $W_5$ represents $MT$, and $W_6$ represents $YT$.

$$W_i = (w_{1i}, w_{2i}, \ldots, w_{mi})^{T} \quad (3)$$

$$S_{tvm} = (W_1, W_2, W_3, W_4, W_5, W_6) \quad (4)$$

The model then uses the Euclidean distance to measure the change. That is, the likelihood of an anomalous VM state can be expressed by the distance spanned by the time window vectors. The Euclidean distance is

$$\mathrm{dist}(W_i, W_j) = \sqrt{\sum_{k=1}^{m} (w_{ki} - w_{kj})^2} \quad (5)$$

A weight $\beta_i$ is associated with each time window to express its importance in relation to time $T$.

$$A^{(1)} = \frac{1}{6} \sum_{i=1}^{6} \beta_i \, \mathrm{dist}(W_T, W_i) \quad (6)$$
Here is how to compute $A^{(2)}$. In the following equations $app_i$ represents the $i$-th application. The likelihood of anomalous application performance can be expressed in detail by considering factors such as the probability of the presence of the application in the traffic:

$$F_i = \Pr\{app_i\} \Pr\{anomaly \mid app_i\} = \Pr\{app_i\} \Pr\{app_i \text{ is suspicious} \mid app_i\} \Pr\{app_i \text{ is anomalous} \mid app_i \text{ is suspicious}\} = F_{1i} F_{2i} F_{3i} = \prod_{j=1}^{3} F_{ji} \quad (7)$$

In Eq. (7), $F_i$ denotes the status of the $i$-th application, which consists of three viewpoints $F_{1i}$, $F_{2i}$, and $F_{3i}$. $F_{1i}$ represents the probability of the $i$-th application in the traffic, $F_{2i}$ represents the probability of an anomaly detected by Snort or application behavior analysis in the $i$-th application, but not yet in the results of the decision analysis module, and $F_{3i}$ represents the probability of an anomaly being confirmed by the decision analysis module. $F_{1i}$, $F_{2i}$, and $F_{3i}$ can be calculated by Eqs. (8)–(10).

$$F_{1i} = \frac{\text{Number of connections to } app_i}{\text{Total number of connections}} \quad (8)$$

$$F_{2i} = \frac{\text{Number of anomaly alerts for } app_i}{\text{Number of connections to } app_i} \quad (9)$$

$$F_{3i} = \frac{\text{Number of anomalies of } app_i}{\text{Number of anomaly alerts for } app_i} \quad (10)$$

A weight $\alpha_i$ is associated with the importance of $app_i$, and $k$ represents the number of applications. The normalized $A^{(2)}$ from Eqs. (8)–(10) is then

$$A^{(2)} = \frac{1}{1 + e^{-\sum_{i=1}^{k} \alpha_i \prod_{j=1}^{3} F_{ji}}} \quad (11)$$
Below is the formula for computing $A^{(3)}$. The likelihood of anomalous behavior in unknown applications (uapp) can be expressed by considering factors such as the probability of the presence of unknown applications in the traffic:

$$A^{(3)} = \Pr\{uapp\} \Pr\{anomaly \mid uapp\} = N_1 N_2 \quad (12)$$

$$N_1 = \frac{\text{Number of connections to } uapp}{\text{Total number of connections}} \quad (13)$$

$$N_2 = \frac{\text{Number of alerts for } uapp}{\text{Total number of alerts}} \quad (14)$$

So the anomalous performance of the $k$-th VM from Eqs. (6), (11), and (12) can be calculated by Eq. (15).

$$A_k = vm_k \left( \frac{r_1}{6} \sum_{i=1}^{6} \beta_i \, \mathrm{dist}(W_T, W_i) + \frac{r_2}{1 + e^{-\sum_{i=1}^{k} \alpha_i \prod_{j=1}^{3} F_{ji}}} + r_3 \prod_{i=1}^{2} N_i \right) + n(t) \quad (15)$$
Even a single VM is considered important in the cloud if it is connected to many VMs, which multiplies the impact of that VM. $vm_k$ is an impact factor associated with the VM's importance in the cloud. Now we show how to compute $vm_k$.
Figure 3 shows a sample connection graph. Each node represents a VM, where $V_k$ denotes the $k$-th VM, and $P_j$ denotes the $j$-th port of the VM. A connection between $V_1$ and $V_3$ exists if a flow record having these addresses is observed. Between nodes $V_1$ and $V_3$ there are three edges representing three flow records from IP address $V_1$ to IP address $V_3$ with different port numbers. In the given sample, there are therefore three edges between $V_1$ and $V_3$. The vector $V^{(k)}$ represents the connections of the $k$-th VM with other VMs, where $V^{(1)}$, $V^{(2)}$, and $V^{(3)}$ can be expressed by Eqs. (16)–(18). The matrix $V_{3 \times 3}$ denoting the connections of the three VMs is expressed by Eq. (19).
$$V^{(1)} = (0 \;\; 0 \;\; 3)^{T} \quad (16)$$
$$V^{(2)} = (0 \;\; 0 \;\; 2)^{T} \quad (17)$$
$$V^{(3)} = (3 \;\; 2 \;\; 0)^{T} \quad (18)$$
$$V_{3 \times 3} = (V^{(1)}, V^{(2)}, V^{(3)}) = \begin{pmatrix} 0 & 0 & 3 \\ 0 & 0 & 2 \\ 3 & 2 & 0 \end{pmatrix} \quad (19)$$
The normalized $vm_k$ can be calculated by Eq. (20), where $u$ represents the total number of VMs.
$$vm_k = \frac{\mathrm{sum}(V(W, k))}{\sum_{i=1}^{u} \mathrm{sum}(V(W, i))} \quad (20)$$
Fig. 3 Flow record sample for VMs connection graph.
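As an added worked example (not code from the paper), the Python below builds the connection matrix of Eq. (19) from constructed flow records, computes $vm_k$ by Eq. (20), and evaluates $A^{(2)}$ (Eqs. (7)–(11)) and $A^{(3)}$ (Eqs. (12)–(14)) from constructed per-application counts; the weights $\omega_i$ and all counts are assumed values.

```python
import math

# Constructed flow records (src VM, dst VM, dst port) reproducing the Fig. 3
# sample: three records V1->V3 on different ports, two records V2->V3.
FLOWS = [("V1", "V3", 22), ("V1", "V3", 80), ("V1", "V3", 443),
         ("V2", "V3", 80), ("V2", "V3", 3306)]
VMS = ["V1", "V2", "V3"]


def connection_matrix(flows, vms):
    """Eqs. (16)-(19): V_{u x u}, where column k is V^(k), the connection
    vector of the k-th VM.  Each flow record adds one edge, counted on both
    endpoints, so the matrix is symmetric as in Eq. (19)."""
    idx = {vm: i for i, vm in enumerate(vms)}
    m = [[0] * len(vms) for _ in vms]
    for src, dst, _port in flows:
        m[idx[src]][idx[dst]] += 1
        m[idx[dst]][idx[src]] += 1
    return m


def vm_importance(matrix):
    """Eq. (20): vm_k = sum(V^(k)) / sum_{i=1..u} sum(V^(i))."""
    col_sums = [sum(row[k] for row in matrix) for k in range(len(matrix))]
    total = sum(col_sums)
    return [s / total for s in col_sums]


def app_status(connections, alerts, anomalies, total_connections):
    """Eqs. (8)-(10) for one application: (F1, F2, F3).  A zero denominator
    (no connections or no alerts) yields 0, so the product in Eq. (7) is 0."""
    f1 = connections / total_connections
    f2 = alerts / connections if connections else 0.0
    f3 = anomalies / alerts if alerts else 0.0
    return f1, f2, f3


def a2(apps, weights, total_connections):
    """Eq. (11): A2 = 1 / (1 + exp(-sum_i omega_i * prod_j F_ji)).
    apps maps name -> (connections, anomaly alerts, confirmed anomalies);
    weights maps name -> omega_i (assumed operator-supplied, non-negative)."""
    s = 0.0
    for name, (conn, alerts, anom) in apps.items():
        f1, f2, f3 = app_status(conn, alerts, anom, total_connections)
        s += weights[name] * f1 * f2 * f3       # Eq. (7): F_i = prod_j F_ji
    return 1.0 / (1.0 + math.exp(-s))           # s >= 0, so A2 lies in [0.5, 1)


def a3(uapp_connections, total_connections, uapp_alerts, total_alerts):
    """Eqs. (12)-(14): A3 = N1 * N2 for traffic of unknown applications."""
    n1 = uapp_connections / total_connections
    n2 = uapp_alerts / total_alerts if total_alerts else 0.0
    return n1 * n2


if __name__ == "__main__":
    # Constructed per-application counts; total_connections covers all apps.
    apps = {"http": (600, 30, 3), "ssh": (200, 50, 25)}
    weights = {"http": 1.0, "ssh": 2.0}
    print("vm_k:", vm_importance(connection_matrix(FLOWS, VMS)))  # [0.3, 0.2, 0.5]
    print("A2:", round(a2(apps, weights, 1000), 4))                # 0.5132
    print("A3:", round(a3(100, 1000, 10, 200), 4))                 # 0.005
```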
The method proposed here can be used to describe
the anomalous performance of VMs. Estimating the
anomalous performance of VMs involves evaluating the
situation and trend of the states of the VMs in the cloud.
3 Model Methodology
3.1 Snort
Most security concerns have been addressed, and applying traditional security can prevent most intrusions by setting up defenses for each VM [6]. Deploying Intrusion Detection Systems (IDS) at the critical network flow entry is also a feasible solution [7]. Traditional IDS [8, 9], intrusion prevention systems, and firewalls can be used to detect attacks in cloud computing.
Snort [10] is a free and open source Network Intrusion Prevention System (NIPS) and Network Intrusion Detection System (NIDS). Snort has the ability to analyze traffic in real time and log packets. Depending on its configuration, Snort has a sniffer mode, a packet logger mode, and a network intrusion detection system mode [11].
We propose using a Bayesian classifier and Snort
to detect network intrusions in cloud computing
environments (see also closely related work in
Ref. [12]). This approach has few false positives
and affordable computational cost. An OpenFlow and Snort-based Intrusion Prevention System (IPS) is integrated to detect intrusions and deploy countermeasures by reconfiguring the cloud network. Our experimental results demonstrate the feasibility of this approach (see also closely related work in Ref. [13]).
3.2 Data processing
3.2.1 OpenFlow
OpenFlow is an open protocol for programming a flow table so that new protocols can be deployed without changing any networking devices; it thereby implements programmable networks. It thus makes it possible to experiment on production networks without danger to operations. McKeown et al. [14] pioneered the control and forwarding separation architecture of OpenFlow.
Xiaoming Ye et al.: An Anomalous Behavior Detection Model in Cloud Computing 327
OpenFlow maintains a FlowTable in various switches and routers. The FlowTable includes packet-forwarding rules. According to the FlowTable, when a packet arrives at the network device, the rule set determines how the packet is forwarded. With its programmable features, OpenFlow enables networks to be reconfigured based on new rules. This paper proposes a new framework that implements network security monitoring using OpenFlow in cloud computing (see also closely related work in Ref. [15]).
3.2.2 Traffic redirection
Internal virtual networks are invisible in cloud computing because the communication traffic between VMs on the same physical machine never leaves that machine. Insider threats could increase the chance of malware infection of internal VMs and hosts from unknown neighbor applications. As a result, a large volume of traffic is beyond the reach of monitoring and control. This model employs OpenFlow to build a virtual network so that the virtual switch's network traffic runs through the physical network card, and the network traffic flows to the system on which our programs are deployed. OpenFlow then allows all the network flows to be inspected.
Figure 4 shows the virtual machine network traffic redirection. The model makes use of OpenFlow technology, which can redirect the network traffic of VMs on the same physical machine to the deployed system. This solves the problem that inter-VM traffic cannot otherwise be monitored and managed. The model then employs OpenFlow to reconfigure control rules to prevent attacks.
3.2.3 Algorithm
We designed Algorithm 1 to get information from flows or packets. The data processing module includes data packet parsing, reorganization of flow sessions, packet statistics, flow statistics, and a data access interface. NPC is the captured network packet collection, which Snort alone cannot use to detect anomalous network behaviors; F is a flow attribute vector set, and $f_i$ is a property of the flow. G is a data packet attribute vector set, and $g_i$ is an attribute of a packet. Mp is a vector of statistical properties of a packet. Mf is a vector of statistical properties of the flow.

Algorithm 1: Data Processing
Input Data: NPC
Output Data: F, G, Mp, Mf
1: while NPC is not null
2: get packet $p$ from NPC;
3: add data packet $p$ to queue $p'$;
4: $p_i \leftarrow$ get data packet from queue $p'$;
5: if ($p$ not null) then
6: $g_i \leftarrow$ parse the header fields of data packet $p_i$;
7: add $g_i$ to G;
8: $m_i \leftarrow$ compute statistic vector of data packet $g_i$;
9: add $m_i$ to Mp;
10: if ($p_i \in$ flow $f_i$) then
11: add $p_i$ to flow $f_i$;
12: $f_i \leftarrow$ update attributes of flow $f_i$;
13: if ($p_i$ is the last packet of flow $f_i$) then
14: $n_i \leftarrow$ compute statistic vector of flow $f_i$;
15: add $n_i$ to Mf;
16: end if
17: else
18: create $f_i$;
19: add $p_i$ to flow $f_i$;
20: $f_i \leftarrow$ initialize attributes of flow $f_i$;
21: add $f_i$ to F;
22: end if
23: end if
24: end while

Fig. 4 Traffic redirection.

A function of the data processing module is to prepare the dataset used by other modules. The system provides a uniform data access interface in order to perform quick and effective behavior detection.
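As an added example (not the paper's implementation), here is Algorithm 1 in Python over a constructed packet collection NPC: flows are keyed by the IP quintuple, G and Mp collect per-packet header and statistic vectors, and F and Mf collect per-flow attribute and statistic vectors. The "last" packet flag and the particular statistics computed are assumptions, and unlike the listing a flow that ends with its very first packet also gets its statistics computed.

```python
from collections import OrderedDict

# Constructed packet collection NPC.  Each packet is
# (timestamp, proto, src, sport, dst, dport, payload_len, last), where
# 'last' is an assumed flag marking the final packet of its flow (e.g. a FIN).
NPC = [
    (0.00, "tcp", "10.0.0.1", 40001, "10.0.0.2", 80, 120, False),
    (0.01, "udp", "10.0.0.3", 5353, "10.0.0.4", 53, 60, True),
    (0.05, "tcp", "10.0.0.1", 40001, "10.0.0.2", 80, 1400, False),
    (0.09, "tcp", "10.0.0.1", 40001, "10.0.0.2", 80, 0, True),
]


def parse_header(p):
    """Step 6: g_i, the header fields of packet p_i."""
    ts, proto, src, sport, dst, dport, plen, last = p
    return {"ts": ts, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "len": plen, "last": last}


def packet_stats(g):
    """Step 8: m_i, a per-packet statistic vector.  The chosen statistics
    (payload length, one-byte-payload flag) are an assumption."""
    return (g["len"], 1 if g["len"] == 1 else 0)


def flow_key(g):
    """The IP quintuple that identifies the flow f_i a packet belongs to."""
    return (g["proto"], g["src"], g["sport"], g["dst"], g["dport"])


def flow_stats(f):
    """Step 14: n_i, the flow statistic vector (assumed: packet count, bytes,
    duration, mean payload length)."""
    n = len(f["packets"])
    return (n, f["bytes"], f["last_ts"] - f["first_ts"], f["bytes"] / n)


def process(npc):
    """Algorithm 1: returns (F, G, Mp, Mf)."""
    F, G, Mp, Mf = OrderedDict(), [], [], []
    for p in npc:                               # steps 1-5: take packets off NPC
        g = parse_header(p)                     # step 6
        G.append(g)                             # step 7
        Mp.append(packet_stats(g))              # steps 8-9
        k = flow_key(g)
        if k in F:                              # step 10: p_i is in an existing flow
            f = F[k]
            f["packets"].append(g)              # step 11
            f["bytes"] += g["len"]              # step 12: update flow attributes
            f["last_ts"] = g["ts"]
        else:                                   # steps 18-21: create the flow
            f = {"key": k, "packets": [g], "bytes": g["len"],
                 "first_ts": g["ts"], "last_ts": g["ts"], "closed": False}
            F[k] = f
        if g["last"]:                           # steps 13-15, also for one-packet flows
            f["closed"] = True
            Mf.append((k, flow_stats(f)))
    return F, G, Mp, Mf


if __name__ == "__main__":
    F, G, Mp, Mf = process(NPC)
    for key, stats in Mf:
        print(key, "->", stats)   # udp flow: 1 packet; tcp flow: 3 packets, 1520 bytes
```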
3.3 Application behavior analysis
3.3.1 Application classification
The variety of network applications in cloud computing has increased dramatically along with the growth in users. Accurate application traffic identification and classification is important for anomaly detection. Four goals of traffic classification have been identified, one of which is detecting unknown applications or malicious flows [16]. Based on the different granularities of network traffic features, our research focuses on packet and flow data for traffic classification. At the packet level, the information is collected from packet headers and, optionally, parts of the payload. The IP quintuple of transport protocol, source IP address, destination IP address, source port, and destination port is a common property of a flow. At the flow level, the information can be collected from flow statistics. Network traffic classification has attracted many researchers over the past few years [17–20]. We focus on the behaviors of applications when they deviate from normal behavior. This is a motivation of the work presented in this paper.
The main characteristics of the network traffic used to identify the application are: number of packets or bytes per second, number of packets with a one-byte payload, number of packets with a payload larger than one byte, the sequence of payload byte counts of the first five packets, Dstatis of packet payload, Dstatis of packet interval, and Dstatis of TTL. Dstatis represents the statistical summary of one characteristic, which contains the minimum, maximum, variance, mean, median, and deviation.
Application behavior analysis consists of two steps. The first step aims to identify applications. This module manipulates the training examples and produces multiple classifiers to improve the application classification accuracy. The second step aims to detect anomalous behaviors of the application. This paper adopts the AdaBoost algorithm given in Ref. [21]. AdaBoost produces a sequence of k classifiers, such as K-Means, Support Vector Machines (SVM), etc. The weights of all training examples are equal at the beginning. In each iteration, the error of the previous classifier is calculated; if it is too large, the iteration is discarded and the procedure exits. Training examples that are incorrectly classified by the previous classifiers are given higher weights for the next classifier [22]. The iteration stops when the error rate reaches a predetermined value.
Figure 5 shows the process of application classification. An application classifier is learned from the labelled training samples during the training phase, and then the class label of every application is obtained from the trained classifier in the classification phase. Traffic samples that contain various applications (such as HTTP, QQ, PPLIVE, DNS, SSH, MSN, POP3, etc.) are collected. The module then uses time series analysis to examine applications. As mentioned previously, each module gets its information from the data processing module. After identifying applications, this module takes the various applications as input, and we then use time series analysis to detect anomalies based on application behaviors.
Fig. 5 Classification processing.
3.3.2 Time series analysis
The characteristics of networking behaviors are also closely correlated with historical data ($T_1$, $T_2$, $T_3$, $WT$, $MT$, and $YT$ in Eq. (21)), as mentioned in Section 2.3. The time series is defined as in Ref. [23].
$$TS = \{T_1, T_2, T_3, WT, MT, YT\} \quad (21)$$
$C = (C_1, C_2, \ldots, C_m)$ represents the value at time $T$, where $m$ is the total number of application characteristics, and $C_i$ represents the value of the $i$-th feature, which can be any characteristic of a network application (such as byte counts, packet counts, number of connection requests, source mask bits, destination mask bits, incoming and outgoing traffic, duration, average connection duration, protocol, packet rate, maximum or average packet, etc.). $\hat{C}$ is the predicted value at time $T$. $\Theta$ determines whether the application behavior deviates from normal; that is, some deviation between the forecast values and the observed values can be measured. This deviation is given by Eq. (22).
$$\Theta(T) = C(T) - \hat{C}(T) = (\theta_1, \theta_2, \ldots, \theta_m) \quad (22)$$
Here is how to compute $\hat{C}$ using Eq. (23). $|TS|$ denotes the size of the set $TS$.
$$\hat{C}_i = \frac{1}{|TS|} \mathrm{sum}(C_i(t)) = \frac{1}{|TS|} \bigl(C_i(T_1) + C_i(T_2) + C_i(T_3) + C_i(MT) + C_i(YT)\bigr) \quad (23)$$
However, if the detection window is too short, no regularity can be shown; if it is too long, a large amount of historical data must serve as the basis. Choosing this window, along with determining the threshold $\Theta$, is the next key issue to be resolved.
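An added example, not the paper's code: the forecast $\hat{C}$ of Eq. (23) taken as the mean over every element of $TS$ as Eq. (21) defines it, and the deviation $\Theta(T)$ of Eq. (22) compared against an assumed per-feature threshold; the history values, the current observation and the thresholds are all constructed.

```python
TS = ("T1", "T2", "T3", "WT", "MT", "YT")   # Eq. (21)

# Constructed history of one application's feature vector C(t) for each t in TS.
# Features: (bytes, packets, connection requests).
HISTORY = {
    "T1": (1200.0, 30.0, 5.0), "T2": (1100.0, 28.0, 4.0), "T3": (1300.0, 31.0, 6.0),
    "WT": (1250.0, 29.0, 5.0), "MT": (1150.0, 27.0, 5.0), "YT": (1200.0, 30.0, 5.0),
}
# Constructed observation C(T) at the current time: connection requests surge.
C_NOW = (1220.0, 29.0, 140.0)
# Assumed per-feature thresholds on |theta_i|; the paper leaves their choice open.
THETA_MAX = (200.0, 5.0, 10.0)


def forecast(history, ts=TS):
    """Eq. (23): C_hat_i = (1/|TS|) * sum over t in TS of C_i(t), per feature."""
    m = len(history[ts[0]])
    return tuple(sum(history[t][i] for t in ts) / len(ts) for i in range(m))


def deviation(c_now, history, ts=TS):
    """Eq. (22): Theta(T) = C(T) - C_hat(T) = (theta_1, ..., theta_m)."""
    return tuple(c - h for c, h in zip(c_now, forecast(history, ts)))


def deviating_features(c_now, history, theta_max, ts=TS):
    """Indices of the features whose |theta_i| exceeds the assumed threshold."""
    return [i for i, th in enumerate(deviation(c_now, history, ts))
            if abs(th) > theta_max[i]]


if __name__ == "__main__":
    print("C_hat:", [round(v, 2) for v in forecast(HISTORY)])        # [1200.0, 29.17, 5.0]
    print("Theta:", [round(v, 2) for v in deviation(C_NOW, HISTORY)])  # [20.0, -0.17, 135.0]
    print("deviating:", deviating_features(C_NOW, HISTORY, THETA_MAX))  # [2]
```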
3.4 Decision analysis
In order to improve detection accuracy, the decision analysis module uses the anomaly records for in-depth analysis, where the various computation processes are described in Algorithm 2. This module uses a self-training algorithm, which is an incremental algorithm. The known and unknown records of anomalous behaviors are used to construct a sample library. In this module, a Naive Bayesian classifier [22] is trained with the labeled set and then applied to classify the unlabeled set. Then, the highest-confidence samples are added to the labeled samples. This process iterates until all the unlabeled samples have been added to the labeled samples.
The features $A = (A_1, A_2, \ldots, A_m)$ are extracted from the anomaly records and used to construct a sample library. If the number of labeled samples meets the condition, the system will get results through self-learning. The number of labeled samples affects the final result, which is the next problem to be solved. Naive Bayes is the classifier $F$. The task of classification can be regarded as estimating the class posterior probabilities. In this module, there are two classes: one is anomalous behaviors, the other is normal behaviors.
Each sample is assigned to its most probable class. The self-training algorithm [22] is given in Algorithm 2. $Z$ is the set of labeled samples, and $(a_1, a_2, \ldots, a_m)$ represents the observed attributes. Using the labeled samples $Z$, the Naive Bayesian classifier $F$ is trained. This classifier is then used to classify the unlabeled samples $Q$; the highest-confidence samples are added to the labeled samples. This process iterates until all the unlabeled data have been given class labels. This module aims to find out which applications have anomalous behaviors.

Algorithm 2: Decision Analysis
Input Data: features of network traffic
Output Data: $y = \{\text{yes}, \text{no}\}$
1: train classifier $F$ using labeled samples $Z$;
2: while unlabeled samples $Q$ is not null
3: $F(Q)$;
4: for $r \leftarrow 1$ to $|Q|$ do
5: compute per class $\Pr(C = c_j)$
6: compute per feature $\Pr(A_i = a_i \mid C = c_j)$
7: $c_1 = \Pr(c = \text{yes}) \prod_{i=1}^{|A|} \Pr(A_i = a_i \mid c = \text{yes})$
8: $c_2 = \Pr(c = \text{no}) \prod_{i=1}^{|A|} \Pr(A_i = a_i \mid c = \text{no})$
9: if ($c_1 > c_2$ and $c_1 > \varepsilon$) then
10: $q.y = \text{yes}$;
11: end if
12: if ($c_2 > c_1$ and $c_2 > \varepsilon$) then
13: $q.y = \text{no}$;
14: end if
15: add $q.y$ to $Z$;
16: remove $q$ from $Q$;
17: end for
18: end while
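An added example, not the paper's code: Algorithm 2 as a self-training Naive Bayes classifier over discrete features, with $Z$ and $Q$ constructed inline as (protocol, service, duration bin) tuples in the spirit of Table 1. Laplace smoothing, normalising $c_1$ and $c_2$ to sum to 1 before comparing with $\varepsilon$, and stopping when no sample reaches $\varepsilon$ are assumptions beyond the listing.

```python
from collections import Counter, defaultdict

CLASSES = ("yes", "no")        # yes = anomalous behavior, no = normal behavior

# Constructed labeled set Z: ((protocol, service, duration bin), label).
Z = [
    ((1, 5, 2), "yes"), ((1, 5, 2), "yes"), ((1, 3, 2), "yes"), ((1, 6, 1), "yes"),
    ((1, 2, 0), "no"), ((1, 2, 0), "no"), ((2, 2, 0), "no"), ((1, 4, 0), "no"),
]
# Constructed unlabeled set Q.
Q = [(1, 5, 2), (1, 2, 0), (1, 6, 2), (2, 4, 0)]


def train(z):
    """Steps 5-6: class priors Pr(C = c_j) and per-feature Pr(A_i = a_i | C = c_j)
    estimated from the labeled samples, with Laplace smoothing (assumption)."""
    prior = Counter(label for _, label in z)
    cond = defaultdict(Counter)      # (feature index, class) -> value counts
    values = defaultdict(set)        # feature index -> set of observed values
    for feats, label in z:
        for i, v in enumerate(feats):
            cond[(i, label)][v] += 1
            values[i].add(v)
    n = len(z)

    def p_class(c):
        return prior[c] / n

    def p_feat(i, v, c):
        return (cond[(i, c)][v] + 1) / (prior[c] + len(values[i]))

    return p_class, p_feat


def posterior(model, feats):
    """Steps 7-8: Pr(c) * prod_i Pr(A_i = a_i | c) for each class, normalised
    so that c1 + c2 = 1 and epsilon is a confidence on a fixed scale."""
    p_class, p_feat = model
    score = {}
    for c in CLASSES:
        s = p_class(c)
        for i, v in enumerate(feats):
            s *= p_feat(i, v, c)
        score[c] = s
    total = sum(score.values())
    return {c: s / total for c, s in score.items()}


def self_train(z, q, eps=0.9):
    """Algorithm 2: label every unlabeled sample whose confidence exceeds eps,
    add it to Z, retrain, and repeat while Q is not empty.  If a pass labels
    nothing, stop and return the leftovers instead of looping forever."""
    z, q = list(z), list(q)
    while q:
        model = train(z)                         # step 1, repeated each pass
        moved = []
        for feats in q:                          # step 4: for each q in Q
            post = posterior(model, feats)
            c1, c2 = post["yes"], post["no"]
            if c1 > c2 and c1 > eps:             # steps 9-11
                z.append((feats, "yes"))
                moved.append(feats)
            elif c2 > c1 and c2 > eps:           # steps 12-14
                z.append((feats, "no"))
                moved.append(feats)
        if not moved:
            break
        q = [f for f in q if f not in moved]     # step 16
    return z, q


if __name__ == "__main__":
    labeled, leftover = self_train(Z, Q)
    for feats, label in labeled[len(Z):]:
        print(feats, "->", label)   # (1,5,2)->yes, (1,2,0)->no, (1,6,2)->yes, (2,4,0)->no
    print("unlabeled:", leftover)   # []
```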
4 Experiments
The approach is able to establish a behavioral baseline of normal network activity for each service, and then, when network activity deviates from that baseline, anomalous activity will be detected. Zhao et al. [24] proposed botnet detection based on classifying network traffic behavior and showed that it is possible to identify the presence of existing and unknown botnet activity with high accuracy. Lin et al. [25] proposed a behavior-based approach that can detect known and even unknown malware. Koch et al. [26] used behavior-based techniques to detect intrusions in encrypted environments. Behavior profiles of each VM and service are used to detect cooperative anomalous behavior in our approach.
In order to detect anomalous network behaviors in cloud computing, we propose the model presented in Fig. 2. For illustration purposes, a cloud environment with several nodes is set up, and we have used this platform to develop the security architecture for IaaS [27]. We deploy an experimental cloud computing platform based on the QEMU emulator v2.0.0 (Debian 2.0.0+dfsg-2ubuntu1), OpenStack IceHouse, and OpenFlow v1.3.
We use the KDD-99 dataset as training data; it was used for the Third International Knowledge Discovery and Data Mining Tools Competition [28]. It contains 4 898 431 network connections with 41 network traffic features. Seven features are discrete-valued, and the others are continuous-valued. KDD-99 is well known and widely used for network attack detection [29–31]. The system first preprocesses some text features into numeric features. As shown in Table 1, the service type "UDP" is mapped to 2. Then the system transforms continuous-valued features into discrete-valued features.
KDD-99 is partitioned into ten equal-size disjoint subsets as training data, including the six services in Table 1. For testing purposes, our system focuses on the same types of application traffic. Table 2 shows the data distribution of connection records on the six services and the average accuracy of classification.

Table 1 Data transformation.
Types      Class    Value
Protocol   TCP      1
           UDP      2
           ICMP     3
Service    login    1
           http     2
           shell    3
           smtp     4
           ssh      5
           telnet   6
In this experiment, the dataset is partitioned into ten equal-size disjoint subsets, and the 10-fold cross-validation method is used. As shown in Fig. 6, this approach is able to classify almost one hundred percent of normal traffic. Detection of attack traffic decreases by approximately 3%–8% when the dataset is unbalanced for each class; addressing this is left for future work. The results show that the proposed algorithms are able to classify a majority of the attack traffic. The experimental results indicate that the effectiveness of our approach is more than 90%, and the model can detect attacks accurately.
A Receiver Operating Characteristic (ROC) curve is used to evaluate the classification results. We aggregate the classification results and demonstrate the effectiveness of this model. Figure 7 shows ROC curves for the six services. Considering that some acceptable behaviors can be classified as unacceptable, we plan to further evaluate the proposed approach using false negative analysis in the future. In terms of the per-service attack sample rate, "login", "shell", and "ssh" have the best classification performance across all services, due to the existence of large and long-duration attack flows in the training data. The effectiveness of the algorithms is evaluated in terms of their ability to distinguish attack traffic from normal traffic. We focus on the six services in this work and leave other types of services for future work. The experimental results show the feasibility and accuracy of our proposed approach.

Table 2 Data distribution on six services.
Service type   Attack (%)   Accuracy (%)   Attack precision (%)
login          100.0000     99.9020        99.9899
http           0.6491       99.6813        95.8351
shell          99.5243      99.7106        99.7106
smtp           1.2252       99.8299        92.7589
ssh            99.3488      99.8095        99.9900
telnet         47.9308      92.1981        90.6363
5 Conclusion
This paper presents an anomalous behavior detection model in cloud computing that takes into account hybrid data sources and hybrid approaches. Our proposed detection model can deal with both discrete and continuous attributes. Experimental results show that it has high precision values and low recall values. The model uses SDN programmable technology to solve the problem that inter-VM network traffic cannot otherwise be monitored. The VM states are analyzed to propose efficient countermeasures, fusing several analysis approaches for preventing and handling the anomalous traffic of VMs. A good direction for future work would be to study the weights of samples and to optimize the parameters of the proposed algorithm. We also hope to combine a deep learning algorithm and genetic algorithms to improve the accuracy of the model.
Fig. 6 Classification precision on ten subsets.
Fig. 7 ROC curves of six services.
Acknowledgment
This work was supported by the National Natural Science Foundation of China (No. 61272447) and the National Key Technologies Research and Development Program of China (No. 2012BAH18B05).
References
[1] N. Antonopoulos and L. Gillam, Cloud Computing:
Principles, Systems and Applications. Springer Science
Business Media, 2010.
[2] B. Grobauer, T. Walloschek, and E. Stocker, Understanding
cloud computing vulnerabilities, IEEE Security & Privacy,
vol. 9, no. 2, pp. 50–57, 2011.
[3] U. Oktay and O. K. Sahingoz, Attack types and
intrusion detection systems in cloud computing, in
2013 6th International Information Security & Cryptology Conference, 2013, pp. 71–76.
[4] R. George, Cloud Application Architectures: Building
Applications and Infrastructure in the Cloud. O’Reilly
Media, Inc., 2009.
[5] Gartner Press Release, Gartner says 60 percent of virtualized servers will be less secure than the physical servers they replace through 2012, http://www.gartner.com/newsroom/id/1322414, 2015.
[6] J. H. Lee, M. W. Park, J. H. Eom, and T. M. Chung,
Multilevel intrusion detection system and log management
in cloud computing, in Advanced Communication
Technology (ICACT), 2011 13th International Conference
on. IEEE, 2011, pp. 552–555.
[7] U. Tupakula, V. Varadharajan, and N. Akku, Intrusion detection techniques for infrastructure as a service cloud, in Dependable, Autonomic and Secure Computing (DASC), 2011 IEEE Ninth International Conference on, 2011, pp. 744–751.
[8] P. Casas, J. Mazel, and P. Owezarski, Unsupervised network intrusion detection systems: Detecting the unknown without knowledge, Computer Communications, vol. 35, no. 7, pp. 772–783, 2012.
[9] L. Koc, T. A. Mazzuchi, and S. Sarkani, A network intrusion detection system based on a hidden naïve Bayes multiclass classifier, Expert Systems with Applications, vol. 39, no. 18, pp. 13492–13500, 2012.
[10] Snort, https://www.snort.org, 2015.
[11] Snort Users Manual, http://manual.snort.org, 2015.
[12] C. N. Modi, D. R. Patel, A. Patel, and R. Muttukrishnan,
Bayesian classifier and Snort based network intrusion
detection system in cloud computing, in Computing
Communication & Networking Technologies (ICCCNT),
2012 Third International Conference on, 2012, pp. 1–7.
[13] T. Xing, D. Huang, L. Xu, C. J. Chung, and P. Khatkar,
Snortflow: A openflow-based intrusion prevention system
in cloud environment, in Research and Educational
Experiment Workshop (GREE), 2013 Second GENI, 2013,
pp. 89–92.
[14] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar,
L. Peterson, J. Rexford, S. Shenker, and J. Turner,
OpenFlow: Enabling innovation in campus networks,
Computer Communication Review, vol. 38, no. 2, pp. 69–
74, 2008.
[15] S. Shin and G. Gu, CloudWatcher: Network security
monitoring using OpenFlow in dynamic cloud networks
(or: How to provide security monitoring as a service in
clouds?), in Network Protocols (ICNP), 2012 20th IEEE
International Conference on, 2012, pp. 1–6.
[16] A. Callado, C. Kamienski, G. Szabo, B. P. Ger, J.
Kelner, S. Fernandes, and D. Sadok, A survey on internet
traffic identification, IEEE Communications Surveys and
Tutorials - COMSUR, vol. 11, no. 3, pp. 37–52, 2009.
[17] J. Zhang, Y. Xiang, W. Zhou, and Y. Wang, Unsupervised
traffic classification using flow statistical properties and IP
packet payload, Journal of Computer and System Sciences,
vol. 79, no. 5, pp. 573–585, 2013.
[18] J. Zhang, Y. Xiang, Y. Wang, W. Zhou, Y. Xiang, and Y. Guan, Network traffic classification using correlation information, IEEE Transactions on Parallel and Distributed Systems, vol. 24, no. 1, pp. 104–117, 2013.
[19] Y. Jin, N. Duffield, J. Erman, P. Haffner, S. Sen, and Z.
Zhang, A modular machine learning system for flow-level
traffic classification in large networks, ACM Transactions
on Knowledge Discovery From Data (TKDD), vol. 6, no.1,
p. 4, 2012.
[20] A. Tongaonkar, R. Torres, M. Iliofotou, R. Keralapura,
and A. Nucci, Towards self adaptive network traffic
classification, Computer Communications, vol. 56, no. 1,
pp. 35–46, 2015.
[21] Y. Freund and R. E. Schapire, Experiments with a new
boosting algorithm, in Int’l Conf. Machine Learning
(ICML), 1996, pp. 148–156.
[22] B. Liu, M. J. Carey, and S. Ceri, Web Data Mining.
Springer, 2011.
[23] G. E. P. Box, G. M. Jenkins, and G. C. Reinsel, Time Series
Analysis: Forecasting and Control. John Wiley & Sons,
2008.
[24] D. Zhao, I. Traore, B. Sayed, W. Lu, S. Saad, A. Ghorbani,
and D. Garant, Botnet detection based on traffic behavior
analysis and flow intervals, Computers & Security, vol. 39,
pp. 2–16, 2013.
[25] Y. D. Lin, Y. C. Lai, C. N. Lu, P. K. Hsu, and
C. Y. Lee, Three-phase behavior-based detection and
classification of known and unknown malware, Security
and Communication Networks, vol. 8, no. 11, pp. 2004–
2015, 2015.
[26] R. Koch, M. Golling, and G. D. Rodosek, Behavior-
based intrusion detection in encrypted environments,
Communications Magazine, vol. 52, no. 7, pp. 124–131,
2014.
[27] L. Chen, X. S. Chen, J. F. Jiang, X. Y. Yin, and G. L.
Shao, Research and practice of dynamic network security
architecture for IaaS platforms, Tsinghua Science and
Technology, vol. 19, no. 5, pp. 496–507, 2014.
[28] KDD Cup 1999 Data, http://kdd.ics.uci.edu/databases/
kddcup99/kddcup99.html, 2015.
[29] P. A. R. Kumar and S. Selvakumar, Detection of distributed
denial of service attacks using an ensemble of adaptive and
hybrid neuro-fuzzy systems, Computer Communications,
vol. 36, no. 3, pp. 303–319, 2013.
[30] S. S. Sathya, R. G. Ramani, and K. Sivaselvi, Discriminant
analysis based feature selection in kdd intrusion dataset,
International Journal of Computer Applications, vol. 31,
no. 11, pp. 1–7, 2011.
[31] P. Casas, J. Mazel, and P. Owezarski, Unsupervised
network intrusion detection systems: Detecting the
unknown without knowledge, Computer Communications,
vol. 35, no. 7, pp. 772–783, 2011.
Xiaoming Ye is a PhD candidate at
College of Computer Science of Sichuan
University. She got the BE degree from
College of Information Engineering of
Jiangnan University in 2005 and MS
degree from College of Computer Science
of Sichuan University in 2008. Her
research interests include cyber security
and big data analytics.
Xingshu Chen received the PhD degree
from Sichuan University in 2004. She
is now a professor of the College of
Computer Science and Cybersecurity
Research Institute of Sichuan University.
She is the member of China Information
Security Standardization Technical
Committee. Her research interests include
cloud computing, cloud security, distributed file system, big
data processing, network protocol analysis, and new media
supervision.
Haizhou Wang received the BE degree
and PhD degree from College of Computer
Science, Sichuan University, China, in
2008 and 2014, respectively. From 2013
to 2014, he visited University of Toronto.
He is currently a lecturer in the College
of Computer Science, Sichuan University,
China. His research interests include peer-
to-peer streaming system, information security, and network
measurement.
Xuemei Zeng is a PhD candidate at
College of Computer Science of Sichuan
University. She received the MS degree
from Computer Science College of Sichuan
University in 2004. Her current research
interests include computer and network
security, big data, and cloud computing
security.
Guolin Shao is a PhD candidate of
College of Computer Science of Sichuan
University. He got the BE degree from
Sichuan University in 2013. His general
research interests lie in cyber security.
Xueyuan Yin is a PhD candidate at
College of Computer Science of Sichuan
University. He got the BE degree from
Sichuan University in 2008. His research
interests mainly focus on computer
network and information security.
Chun Xu received the PhD degree from
Sichuan University in 2008. He is now
an associate professor of the College
of Cybersecurity Research Institute of
Sichuan University. His research interests
mainly focus on computer network and
information security.