Author

Huiqiang Wang

Bio: Huiqiang Wang is an academic researcher from Harbin Engineering University. The author has contributed to research in topics: Network security & Intrusion detection system. The author has an h-index of 9, co-authored 41 publications receiving 231 citations.

Papers
Proceedings ArticleDOI
15 Jun 2004
TL;DR: An effective anomaly detection method based on HMMs (hidden Markov models) is proposed to learn patterns of Unix processes; it can construct an accurate and concise discriminator to detect intrusive actions.
Abstract: Intrusion detection has emerged as an important approach to security problems. The existing techniques are analyzed, and then an effective anomaly detection method based on HMMs (hidden Markov models) is proposed to learn patterns of Unix processes. Fixed-length sequences of system calls were extracted from traces of programs to train and test models. The RP (relative probability) value, which uses short sequences as inputs, is computed to classify normal and abnormal behaviors. The algorithm is simple and can be directly applied. Experiments on sendmail and lpr traces demonstrate that the method can construct an accurate and concise discriminator to detect intrusive actions.

30 citations

Proceedings ArticleDOI
13 Aug 2007
TL;DR: An effective and simple feature reduction approach to decrease the input vector and improve the real-time characteristic of the fusion engine is presented, and a situation generation mechanism is described in order to provide the real security situation of the monitored networks.
Abstract: Network Security Situation Awareness (NSSA) is a hot research realm in the area of network security, which helps security analysts to solve the challenges they encounter. This paper mainly focuses on a NSSA which is based on heterogeneous multi-sensor data fusion using neural network. We designed a NSSA model and discussed it in detail. We adopted Snort and NetFlow as sensors to gather real network traffic and fused them using a multi-layer feed-forward neural network that can solve a multi-class problem. We presented an effective and simple feature reduction approach to decrease the input vector and improve the real-time characteristic of the fusion engine. In addition, we described a situation generation mechanism in order to provide the real security situation of the monitored networks. Our model is proved to be feasible and effective through a series of experiments, using real network traffic.

23 citations

Journal ArticleDOI
TL;DR: A quantitative prediction method of network security situation based on Wavelet Neural Network with Genetic Algorithm (GAWNN) is proposed, with advantages over the Wavelet Neural Network (WNN) method and the Back Propagation Neural Network (BPNN) method with the same architecture in convergence speed, functional approximation and prediction accuracy.
Abstract: The accurate and real-time prediction of network security situation is the premise and basis of preventing intrusions and attacks in a large-scale network. In order to predict the security situation more accurately, a quantitative prediction method of network security situation based on Wavelet Neural Network with Genetic Algorithm (GAWNN) is proposed. After analyzing the past and the current network security situation in detail, we build a network security situation prediction model based on wavelet neural network that is optimized by the improved genetic algorithm and then adopt GAWNN to predict the non-linear time series of network security situation. Simulation experiments prove that the proposed method has advantages over Wavelet Neural Network (WNN) method and Back Propagation Neural Network (BPNN) method with the same architecture in convergence speed, functional approximation and prediction accuracy. What is more, system security tendency and laws by which security analyzers and administrators can adjust security policies in near real-time are revealed from the prediction results as early as possible.

15 citations

Proceedings ArticleDOI
02 Nov 2003
TL;DR: Since anomaly intrusion detection can be treated as a classification problem, HMMs are used to model normal behavior; the experiments have shown that the HMM-based method is effective at detecting anomalous behaviors.
Abstract: The intrusion detection technologies of network security are researched, and pattern recognition technologies are applied to intrusion detection. Intrusion detection relies on a wide variety of observable data to distinguish between legitimate and illegitimate activities. Hidden Markov Model (HMM) has been successfully used in speech recognition and some classification areas. Since Anomaly Intrusion Detection can be treated as a classification problem, some basic ideas have been proposed on using HMM to model normal behavior. The experiments have shown that the method based on HMM is effective at detecting anomalous behaviors.

15 citations
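The two HMM entries above (2003 and 2004) describe the same pipeline: extract fixed-length windows of system calls from traces of a program's normal runs, train a hidden Markov model on them, then score new windows and flag the improbable ones. The following is an added example, not code from those papers, that implements that pipeline end to end in plain Python: a discrete-output HMM trained with Baum-Welch (scaled forward-backward) on windows from a constructed "normal" trace of a mail-daemon-like process, an alarm floor derived from the normal windows only, and a constructed "attack" trace in which one message triggers an execve/socket/connect/dup2 sequence. The syscall alphabet, both traces, the 3-state model, the window length of 6 and the margin are all assumptions. The score used here is the per-syscall log-likelihood of a window under the normal model; it stands in for the papers' RP value, whose definition is not given on this page.

```python
import math
import random

# Constructed syscall alphabet and window length (both assumptions).
SYSCALLS = ["execve", "mmap", "stat", "open", "read", "write", "close",
            "socket", "connect", "dup2"]
IDX = {name: i for i, name in enumerate(SYSCALLS)}
K = 6

def normal_trace(n_msgs, reread_every):
    """Constructed daemon trace: start-up prefix, one block per message, config re-read every n-th."""
    trace = ["execve", "mmap", "mmap", "stat"]
    for i in range(1, n_msgs + 1):
        trace += ["open", "stat", "read", "read", "write", "close"]
        if i % reread_every == 0:
            trace += ["open", "read", "close"]
    return trace

def attack_trace():
    """Same daemon, but one message triggers a shell-spawn-like syscall sequence (constructed)."""
    injected = ["open", "stat", "read", "execve", "socket", "connect",
                "dup2", "dup2", "read", "write", "close"]
    return normal_trace(4, 2) + injected + normal_trace(3, 2)[4:]

def windows(trace, k=K):  # fixed-length sliding windows, encoded as symbol indices
    ids = [IDX[s] for s in trace]
    return [tuple(ids[i:i + k]) for i in range(len(ids) - k + 1)]

class DiscreteHMM:
    """Discrete-output HMM with scaled forward-backward and Baum-Welch training."""
    def __init__(self, n_states, n_symbols, seed=0, eps=1e-3):
        rng = random.Random(seed)
        self.N, self.M, self.eps = n_states, n_symbols, eps
        def row(n):  # random stochastic vector, so the states start out distinct
            r = [rng.random() + 0.5 for _ in range(n)]
            return [v / sum(r) for v in r]
        self.pi, self.A = row(self.N), [row(self.N) for _ in range(self.N)]
        self.B = [row(self.M) for _ in range(self.N)]
    def _forward_backward(self, obs):
        N, T, A, B = self.N, len(obs), self.A, self.B
        alpha, scale = [], []
        for t, o in enumerate(obs):
            a = ([self.pi[i] * B[i][o] for i in range(N)] if t == 0 else
                 [sum(alpha[-1][i] * A[i][j] for i in range(N)) * B[j][o] for j in range(N)])
            scale.append(1.0 / sum(a))  # Rabiner scaling: keeps alpha/beta from underflowing
            alpha.append([x * scale[-1] for x in a])
        beta = [None] * (T - 1) + [[scale[-1]] * N]
        for t in range(T - 2, -1, -1):
            beta[t] = [scale[t] * sum(A[i][j] * B[j][obs[t + 1]] * beta[t + 1][j]
                                      for j in range(N)) for i in range(N)]
        return alpha, beta, scale
    def score(self, obs):  # per-symbol log P(obs | model), recovered from the scaling factors
        return -sum(math.log(c) for c in self._forward_backward(obs)[2]) / len(obs)
    def fit(self, seqs, iters=20):
        """Baum-Welch over many short sequences; eps is a pseudo-count so no probability hits zero."""
        N, M, eps = self.N, self.M, self.eps
        for _ in range(iters):
            pi_acc, a_den, b_den = [0.0] * N, [0.0] * N, [0.0] * N
            a_num = [[0.0] * N for _ in range(N)]
            b_num = [[0.0] * M for _ in range(N)]
            for obs in seqs:
                alpha, beta, _ = self._forward_backward(obs)
                for t, o in enumerate(obs):
                    g = [alpha[t][i] * beta[t][i] for i in range(N)]
                    z = sum(g)
                    g = [x / z for x in g]  # P(state i at t | obs)
                    for i in range(N):
                        pi_acc[i] += g[i] if t == 0 else 0.0
                        b_num[i][o] += g[i]
                        b_den[i] += g[i]
                    if t + 1 < len(obs):
                        xi = [[alpha[t][i] * self.A[i][j] * self.B[j][obs[t + 1]] * beta[t + 1][j]
                               for j in range(N)] for i in range(N)]
                        z = sum(map(sum, xi))  # normalise to P(i at t, j at t+1 | obs)
                        for i in range(N):
                            a_den[i] += g[i]
                            for j in range(N):
                                a_num[i][j] += xi[i][j] / z
            self.pi = [x / sum(pi_acc) for x in pi_acc]
            self.A = [[(a_num[i][j] + eps) / (a_den[i] + N * eps) for j in range(N)] for i in range(N)]
            self.B = [[(b_num[i][k] + eps) / (b_den[i] + M * eps) for k in range(M)] for i in range(N)]

def train_detector(train_trace, n_states=3, margin=0.5):
    """Fit on normal windows only; the alarm floor is the worst normal score minus a margin."""
    hmm = DiscreteHMM(n_states, len(SYSCALLS))
    train = windows(train_trace)
    hmm.fit(train)
    return hmm, min(hmm.score(w) for w in train) - margin

def flagged(hmm, floor, trace):
    """Windows of `trace` scoring below the floor, decoded back to syscall names."""
    return [[SYSCALLS[i] for i in w] for w in windows(trace) if hmm.score(w) < floor]

def run_demo():
    hmm, floor = train_detector(normal_trace(30, 3))
    return {"normal_flagged": len(flagged(hmm, floor, normal_trace(12, 2))),
            "attack_windows": flagged(hmm, floor, attack_trace())}
```

Calling `run_demo()` trains on a 30-message normal trace, scores a second normal trace (no alarms, since every window type it produces also occurs in training) and the attack trace, whose flagged windows are exactly those containing the injected socket/connect/dup2 activity. Two points carry over to real traces: the pseudo-count `eps` is what gives never-seen system calls a tiny but finite probability instead of a zero that would make the forward pass degenerate, and the floor should be set from held-out normal windows (here, for brevity, from the training windows themselves) so the false-positive rate is measured rather than assumed.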

Proceedings ArticleDOI
29 Oct 2007
TL;DR: A quantitative method of network security situational awareness is proposed, using an evolutionary strategy and a neural network to extract situational factors; the model has better generalization ability, which greatly supports network security technologies.
Abstract: The proposal of network security situational awareness (NSSA) research means a breakthrough and an innovation to the traditional network security technologies, and it has become a new hot research topic in the network security field. Combined with evolutionary strategy and neural network, a quantitative method of network security situational awareness is proposed in this paper. Evolutionary strategy is used to optimize the parameters of the neural network, and then the evolutionary neural network model is established to extract the network security situational factors, so the quantification of network security situation is achieved. Finally, a simulated experiment is done to validate that the evolutionary neural network model can extract situational factors and that the model has better generalization ability, which greatly supports network security technologies.

14 citations


Cited by
Journal ArticleDOI
TL;DR: Overall, both cyber threat analysis and cyber intelligence could be enhanced by correlating security events across many diverse heterogeneous sources, as well as presenting areas where more research opportunities exist.
Abstract: Intrusion Detection has been heavily studied in both industry and academia, but cybersecurity analysts still desire much more alert accuracy and overall threat analysis in order to secure their systems within cyberspace. Improvements to Intrusion Detection could be achieved by embracing a more comprehensive approach in monitoring security events from many different heterogeneous sources. Correlating security events from heterogeneous sources can grant a more holistic view and greater situational awareness of cyber threats. One problem with this approach is that currently, even a single event source (e.g., network traffic) can experience Big Data challenges when considered alone. Attempts to use more heterogeneous data sources pose an even greater Big Data challenge. Big Data technologies for Intrusion Detection can help solve these Big Heterogeneous Data challenges. In this paper, we review the scope of works considering the problem of heterogeneous data and in particular Big Heterogeneous Data. We discuss the specific issues of Data Fusion, Heterogeneous Intrusion Detection Architectures, and Security Information and Event Management (SIEM) systems, as well as presenting areas where more research opportunities exist. Overall, both cyber threat analysis and cyber intelligence could be enhanced by correlating security events across many diverse heterogeneous sources.

257 citations

Journal ArticleDOI
TL;DR: This survey has revealed that network security has been an important research topic since the beginning and advanced methodologies, such as machine learning, have been very promising.

216 citations

Proceedings ArticleDOI
08 Sep 2009
TL;DR: This paper critically surveys previous work on quantitative representation and analysis of security with respect to security perspective, target of quantification, underlying assumptions and type of validation.
Abstract: This paper critically surveys previous work on quantitative representation and analysis of security. Such quantified security has been presented as a general approach to precisely assess and control security. We classify a significant part of the work between 1981 and 2008 with respect to security perspective, target of quantification, underlying assumptions and type of validation. The result shows how the validity of most methods is still strikingly unclear. Despite applying a number of techniques from fields such as computer science, economics and reliability theory to the problem, it is unclear what valid results exist with respect to operational security. Quantified security is thus a weak hypothesis because of a lack of validation and comparison of such methods against empirical data. Furthermore, many assumptions in formal treatments are not empirically well-supported in operational security and have been adopted from other fields. A number of risks are present in depending on quantitative methods with limited or no validation.

193 citations

Journal ArticleDOI
TL;DR: This paper will provide a general taxonomy of attack tactics against IDSs, an extensive description of how such attacks can be implemented by exploiting IDS weaknesses at different abstraction levels, and highlight the most promising research directions for the design of adversary-aware, harder-to-defeat IDS solutions.

178 citations

Journal ArticleDOI
TL;DR: This paper provides a survey of prediction and forecasting methods used in cyber security, and discusses machine learning and data mining approaches that have gained a lot of attention recently and appear promising for such a constantly changing environment as cyber security.
Abstract: This paper provides a survey of prediction and forecasting methods used in cyber security. Four main tasks are discussed: first, attack projection and intention recognition, in which there is a need to predict the next move or the intentions of the attacker; intrusion prediction, in which there is a need to predict upcoming cyber attacks; and network security situation forecasting, in which we project the cybersecurity situation in the whole network. Methods and approaches for addressing these tasks often share the theoretical background and are often complementary. In this survey, both methods based on discrete models, such as attack graphs, Bayesian networks, and Markov models, and continuous models, such as time series and grey models, are surveyed, compared, and contrasted. We further discuss machine learning and data mining approaches that have gained a lot of attention recently and appear promising for such a constantly changing environment as cyber security. The survey also focuses on the practical usability of the methods and problems related to their evaluation.

171 citations