Biblio

Intrusion detection systems (IDSs) are widely deployed in the industrial control systems to protect network security. IDSs typically generate a huge number of alerts, which are time-consuming for system operators to process. Most of the alerts are individually insignificant false alarms. However, it is not the best solution to discard these alerts, as they can still provide useful information about network situation. Based on the study of characteristics of alerts in the industrial control systems, we adopt an enhanced method of exponentially weighted moving average (EWMA) control charts to help operators in processing alerts. We classify all detection signatures as regular and irregular according to their frequencies, set multiple control limits to detect anomalies, and monitor regular signatures for network security situational awareness. Extensive experiments have been performed using real-world alert data. Simulation results demonstrate that the proposed enhanced EWMA method can greatly reduce the volume of alerts to be processed while reserving significant abnormal information.

Firewall is the first defense line for network security. Packet filtering is a basic function in firewall, which filter network packets according to a series of rules called firewall policy. The design of firewall policy is invariably under the instruction of security policy, which is a generic guideline that lists the needs for network access permissions. The design of firewall policy should observe the regulations of security policy. However, even for IPv4 firewall policy, it is extremely difficult to keep the consistency between security policy and firewall policy. Some consistency decision methods of security policy and IPv4 firewall policy were proposed. However, the address space of IPv6 address is a very large, the existing consistency decision methods can not be directly used to deal with IPv6 firewall policy. To resolve the above problem, in this paper, we use a formal technique to decide the consistency between IPv6 firewall policy and security policy effectively and rapidly. We also developed a prototype model and evaluated the effectiveness of the proposed method.

With the rapid development of communication net-work, the types and quantities of network traffic data have in-creased substantially. What followed was the frequent occurrence of versatile cyber attacks. As an important part of network security, the network-based intrusion detection system (NIDS) can monitor and protect the network equippments and terminals in real time. The traditional detection methods based on deep learning (DL) are always in supervised manners in NIDS, which can automatically build end-to-end detection model without man-ual feature extraction and selection by domain experts. However, supervised learning methods require large-scale labeled data, yet capturing large labeled datasets is a very cubersome, tedious and time-consuming manual task. Instead, unsupervised learning is an effective way to overcome this problem. Nonetheless, the ex-isting unsupervised methods are prone to low detection efficiency and are difficult to train. In this paper we propose a novel NIDS method called PGAN based on generative adversarial network (GAN) to detect the abnormal traffic from the perspective of Anomaly Detection, which leverage the competitive speciality of adversarial training to learn the normal traffic. Based on the public dataset CICIDS2017, three experimental results show that PGAN can significantly outperform other unsupervised methods like stacked autoencoder (SAE) and isolation forest (IF).