张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Yue Shen,Fei Yu,Ling-Fen Zhang,Ji-Yao An,Miao-Liang Zhu

DOI: https://doi.org/10.1109/CANET.2005.1598184

2005-01-01

Abstract:Intrusion detection is an efficient way to protect information system. This paper puts forward a new method of anomalous intrusion detection based on system call. It uses system calls regarded as input, and creates a FSA for the functions in the program. Then the FSA is used to detect the attack. Moreover, It can find the place of the vulnerability which exists in the program. This can help to alter the source program. Results are shown that this method is effective for some intrusion events.

nitin v kanaskar,jiang bian,remzi seker,mais nijim,nuri yilmazer

DOI: https://doi.org/10.1109/SYSCON.2011.5929116

2011-01-01

Abstract:Insider attacks have the potential to inflict severe damage to an organizations reputation, intellectual property and financial assets. The primary difference between the external intrusions and the insider intrusions is that an insider wields power of knowledge about the information system resources, their environment, policies. We present an approach to detecting abnormal behavior of an insider by applying Dynamical System Theory to the insiders computer usage pattern. This is because abnormal system usage pattern is one of the necessary precursors to actual execution of an attack. A base profile of system usage pattern for an insider is created via applying dynamical system theory measures. A continuous monitoring of the insiders system usage and its comparison with this base profile is performed to identify considerable deviations. A sample system usage in terms of application system calls is collected, analyzed, and graphical results of the analysis are presented. Our results indicate that dynamical system theory has the potential of detecting suspicious insider behavior occurring prior to the actual attack execution.

Theuns Verwoerd,Ray Hunt

DOI: https://doi.org/10.1016/s0140-3664(02)00037-3

IF: 5.047

2002-09-01

Computer Communications

Abstract:Recent security incidents and analysis have demonstrated that manual response to such attacks is no longer feasible. Intrusion detection systems (IDS) offer techniques for modelling and recognising normal and abusive system behaviour. Such methodologies include statistical models, immune system approaches, protocol verification, file and taint checking, neural networks, whitelisting, expression matching, state transition analysis, dedicated languages, genetic algorithms and burglar alarms. This paper describes these techniques including an IDS architectural outline and an analysis of IDS probe techniques finishing with a summary of associated technologies.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ozgur Depren,Murat Topallar,Emin Anarim,M. Kemal Ciliz

DOI: https://doi.org/10.1016/j.eswa.2005.05.002

IF: 8.5

2005-11-01

Expert Systems with Applications

Abstract:In this paper, we propose a novel Intrusion Detection System (IDS) architecture utilizing both anomaly and misuse detection approaches. This hybrid Intrusion Detection System architecture consists of an anomaly detection module, a misuse detection module and a decision support system combining the results of these two detection modules. The proposed anomaly detection module uses a Self-Organizing Map (SOM) structure to model normal behavior. Deviation from the normal behavior is classified as an attack. The proposed misuse detection module uses J.48 decision tree algorithm to classify various types of attacks. The principle interest of this work is to benchmark the performance of the proposed hybrid IDS architecture by using KDD Cup 99 Data Set, the benchmark dataset used by IDS researchers. A rule-based Decision Support System (DSS) is also developed for interpreting the results of both anomaly and misuse detection modules. Simulation results of both anomaly and misuse detection modules based on the KDD 99 Data Set are given. It is observed that the proposed hybrid approach gives better performance over individual approaches.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Jeyavim Sherin R. C.,Parkavi K.

DOI: https://doi.org/10.1049/cmu2.12831

IF: 1.345

2024-09-14

IET Communications

Abstract:Intrusion detection systems (IDS) monitor network activity to detect unusual patterns indicative of security breaches. However, many existing IDS solutions struggle with accurately identifying attacks within packet capture (PCAP) files. To address this limitation, a deep learning‐based dual IDS model is proposed. Utilizing the Cyber Intelligence Centre‐Distributed Denial of Service Attack 2019 dataset, this model begins by extracting features and attributes from PCAP files. Experimental results demonstrate that this model achieves 98.18% accuracy and 98.73% precision in classification tasks, significantly outperforming existing approaches. These findings highlight the effectiveness of the proposed system in enhancing intrusion detection capabilities. The rise of suspicious activities in network communication, driven by increased internet accessibility, necessitates the development of advanced intrusion detection systems (IDS). Existing IDS solutions often exhibit poor performance in detecting suspicious activity and fail to identify various attack types within packet capture (PCAP) files, which monitor network traffic. This paper proposes a deep learning‐based dual IDS model designed to address these issues. The process begins with utilizing the CSE‐CIC‐IDS2019 dataset to extract features from PCAP files. Suspicious activities are detected using the Exponential Geometric‐Gaussian Error Linear Units‐Gated Recurrent Unit (EG‐GELU‐GRU) method. Normal data undergoes further feature extraction and preprocessing through Log ZScore‐Jacosine Density‐Based Spatial Clustering of Applications with Noise (LZ‐JC‐DBSCAN). Feature selection is optimized using the Entropy Pearson R Correlation‐Red Panda optimization algorithm. Suspicious files are flagged, while load balancing is performed on normal data. Attack detection is achieved through word embedding with the Glorot Kaufman‐bidirectional encoder representations from transformers technique and classification via the EG‐GELU‐GRU model. Attacked packets are blocked, and the method is reapplied for attack‐type classification. Experimental results using Python demonstrate the model's superior performance, achieving 98.18% accuracy and 98.73% precision, surpassing existing approaches and significantly enhancing intrusion detection capabilities.

engineering, electrical & electronic

Dr.D.S. John Deva Prasanna,Dr.K. Punitha,Dr.M. Naga Raju,Dr.F. Rahman,Kamlesh Kumar Yadav

DOI: https://doi.org/10.58346/jisis.2024.i3.024

2024-08-30

Abstract:One crucial thing that hackers always do is gather information about the state of networks by breaking into files and systems that are used in defense models. Threats can get into these platforms. Much information is constantly coming into and going out of systems and people. To find potentially harmful security trends, the Intrusion Detection System (IDS) has to look through this growing amount of data. Our surroundings and choices now make it very hard to quickly and correctly find intrusions. To find people who try to get into a communication system without permission, creating an intrusion detection system (IDS) that uses big data techniques to handle large amounts of complex data is essential. This work uses artificial intelligence (AI), which is aware of a vast amount of data, to make an IDS that is very good at dealing with these problems. The study created a unique structure for the Long Short-Term Memory (LSTM) method, which can find complex links and long-lasting patterns in arriving at network traffic data. By using this method, the system can successfully lower the number of false warnings and improve the accuracy of the IDS that was created. Big Data Analysis (BDA) could make the AI methods discussed in this study more useful. These methods are currently slow because they are very complicated. Using these techniques makes running the complicated model go more quickly. The researchers used the tool on the Spark platform for in-depth studies. The NSL-KDD database was used to train for the tests. The results show that the algorithm is better than other IDS systems regarding how often it finds problems, how usually it sets off fake alarms, how accurate it is, how efficiently it works, and how long it takes to train.

Anuja R. Nair,Bhavyang Dave,Shivani Desai,Tarjni Vyas

DOI: https://doi.org/10.1109/ICAIS50930.2021.9395992

2021-03-25

Abstract:Nowadays the large amount of sensitive data set is a traverse through different devices and communication channels and continuously new invention in computer network technology, security problem comes out increasingly, and it has become difficult to ignore because the day is day intruders discover new attacks so it is necessary to protect from those attacks and Intrusion Detection System play important role in network security. That’s why to develop the advanced Intrusion Detection System (IDSs). Traditional Intrusion Detection Technologies faces a high false-positive rate, low accuracy, and many more problems. However, to detect the new attacks and analyze a large amount of data is one of the challenges in IDS. To improve the security of people now, adopt advanced technologies for protection. Deep learning is the rising area which deals with the large scale of data in a promising way. Also, various complex applications have been accomplishing by deep learning. Deep learning is a vast field of machine learning based on a hierarchical concept that teaches a computer to do what humans can do naturally: learn by observation. So, it will be composed of layers which might be multiple layers are called hidden layers which are neurons which is help to get the output using those hidden layers. Deep learning can govern broad-scale data and has shown efficient output in that field. This approach is helped with its mechanism to large data with efficient training time and provides good accuracy. However, there are some limitations to using deep learning in IDS. The proposed research work will discuss how deep-learning is used or which algorithm is used based on deep learning in the Intrusion Detection System to enhance the performance, its features, and also different approaches, limitations, and future implementations are discussed.

Computer Science,Engineering

Zhuowei Li,Amitabha Das

DOI: https://doi.org/10.48550/arXiv.cs/0410068

2004-10-26

Cryptography and Security

Abstract:Anomaly-based intrusion detection (AID) techniques are useful for detecting novel intrusions into computing resources. One of the most successful AID detectors proposed to date is stide, which is based on analysis of system call sequences. In this paper, we present a detailed formal framework to analyze, understand and improve the performance of stide and similar AID techniques. Several important properties of stide-like detectors are established through formal proofs, and validated by carefully conducted experiments using test datasets. Finally, the framework is utilized to design two applications to improve the cost and performance of stide-like detectors which are based on sequence analysis. The first application reduces the cost of developing AID detectors by identifying the critical sections in the training dataset, and the second application identifies the intrusion context in the intrusive dataset, that helps to fine-tune the detectors. Such fine-tuning in turn helps to improve detection rate and reduce false alarm rate, thereby increasing the effectiveness and efficiency of the intrusion detectors.

Jianping Zeng,Donghui Guo

2009-01-01

Abstract:Now days, difierent kinds of IDS systems are availablefor serving in the network distributed system, but thesesystems mainly concentrate on network-based and host-based detection. It is inconvenient to integrate these sys-tems into distributed application servers for application-based intrusion detection. An agent-based IDS that canbe smoothly integrated into the applications of enterpriseinformation systems is proposed in this paper and we dis-cuss the system architecture, agent structure, and integra-tion mechanism. Our IDS system consists of three kindsof agents, namely, client agent, server agent and commu-nication agent. This paper also explains how to integrateagents with an access control model for getting better se-curity performance. By introducing standard protocolssuch as KQML, IDMEF into the design of agent, ouragent-based IDS shows how to build more °exible soft-ware applications. Keywords: Agent-based, IDMEF, intrusion detection,KQML 1 Introduction Many application services, such as e-business, remote ed-ucation and Internet-based design, etc, are necessary tobe distributed over the Internet. However, because theInternet is an open society so that anyone can access theresource on it, then the application system may confrontwith all kinds of attacks or intrusions, such as Denial ofService (DoS), port scan, illegal intrusion by hacking userinformation, etc.Of all these security events, illegal intrusion is a moreserious issue. But standard security deployments such asflrewalls are limited in their efiectiveness because of sim-ple access control mode and also the intrusion methodsare evolving fast. Once an attacker has breached the flre-wall, he can roam at will through the network [13]. Thismakes intrusion detection system (IDS) very importantand necessary. Traditionally, there are two main classesof IDSs: host-based and network-based systems. A host-based IDS monitors the detailed activity of a particularhost, while network-based IDS monitors networks of com-puters and other devices such as, routers, gateways, andprimarily detects intrusion by sni–ng and analyzing datafrom network tra–c. Network and host-based IDSs, canbe further classifled based on two methods of detection[17]: anomaly detection and misuse detection.However, Masquerading attack is a typical intrusionand it can be a more serious threat to the security ofcomputer systems and the computational infrastructure[15]. By this kind of attacks, an assailant attempts toimpersonate a legitimate user after gaining access to thislegitimate user’s account. So, the assailant can fully un-derstand the information he gets. While by other kinds ofattacks, he just gets some segment of data or encrypteddata, which is much more di–cult to be understood. Awell-known instance of masquerader activity is about aFBI mode [15]. Since masquerading attack happens ex-actly at application layer, we call the methods to detectthis kind intrusion as application-based intrusion detec-tion. Application-based intrusion is more di–cult to bedetected and the detection program is usually unable toget satisfactory performance for the following reasons:1) Data about user action on system is much more di–-cult to be collected than network-based or host-baseddetection, because of the independency of applicationsystem.2) Application-based detection can degrade the perfor-mance of corresponding application system due tothe extra work that should be done in the process ofdata collection and analysis.3) A masquerader may happen to have similar behav-ioral patterns as the legitimate user, therefore it canescape detection and successfully cause damage un-der the cover of seemingly normal behavior [4].

YU-XIN DING,MIN XIAO,AI-WU LIU,Yu-Xin Ding,Min Xiao,Ai-Wu Liu

DOI: https://doi.org/10.1109/icmlc.2009.5212282

2009-07-01

Abstract:Since most of current intrusion detection systems (IDS) only use one of the two detection methods, misused detection or anomaly detection, both of them have their own limitations. In this paper, the technique that combines misuse detection system with anomaly detection system (ADS) is used. The hybrid intrusion detection system (HIDS) contains three sub-modules, misused detection module, anomaly detection module and signature generation module. The basis of misused detection module is snort. Anomaly detection module is constructed by using frequent episode rule. And signature generation module is based on a variant of Apriori algorithm. Misused detection module uses the signature of attacks to detection the known attacks. Anomaly detection module can detect the unknown attacks and signature generation module extracts the signature of attacks that are detected by ADS module, and maps the signatures into snort rules.

M. Ali Aydın,A. Halim Zaim,K. Gökhan Ceylan

DOI: https://doi.org/10.1016/j.compeleceng.2008.12.005

2009-05-01

Abstract:Intrusions detection systems (IDSs) are systems that try to detect attacks as they occur or after the attacks took place. IDSs collect network traffic information from some point on the network or computer system and then use this information to secure the network. Intrusion detection systems can be misuse-detection or anomaly detection based. Misuse-detection based IDSs can only detect known attacks whereas anomaly detection based IDSs can also detect new attacks by using heuristic methods. In this paper we propose a hybrid IDS by combining the two approaches in one system. The hybrid IDS is obtained by combining packet header anomaly detection (PHAD) and network traffic anomaly detection (NETAD) which are anomaly-based IDSs with the misuse-based IDS Snort which is an open-source project.The hybrid IDS obtained is evaluated using the MIT Lincoln Laboratories network traffic data (IDEVAL) as a testbed. Evaluation compares the number of attacks detected by misuse-based IDS on its own, with the hybrid IDS obtained combining anomaly-based and misuse-based IDSs and shows that the hybrid IDS is a more powerful system.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Sudhanshu Sekhar Tripathy,Bichitrananda Behera

2023-10-01

Abstract:The escalation of hazards to safety and hijacking of digital networks are among the strongest perilous difficulties that must be addressed in the present day. Numerous safety procedures were set up to track and recognize any illicit activity on the network's infrastructure. IDS are the best way to resist and recognize intrusions on internet connections and digital technologies. To classify network traffic as normal or anomalous, Machine Learning (ML) classifiers are increasingly utilized. An IDS with machine learning increases the accuracy with which security attacks are detected. This paper focuses on intrusion detection systems (IDSs) analysis using ML techniques. IDSs utilizing ML techniques are efficient and precise at identifying network assaults. In data with large dimensional spaces, however, the efficacy of these systems degrades. correspondingly, the case is essential to execute a feasible feature removal technique capable of getting rid of characteristics that have little effect on the classification process. In this paper, we analyze the KDD CUP-'99' intrusion detection dataset used for training and validating ML models. Then, we implement ML classifiers such as Logistic Regression, Decision Tree, K-Nearest Neighbour, Naive Bayes, Bernoulli Naive Bayes, Multinomial Naive Bayes, XG-Boost Classifier, Ada-Boost, Random Forest, SVM, Rocchio classifier, Ridge, Passive-Aggressive classifier, ANN besides Perceptron (PPN), the optimal classifiers are determined by comparing the results of Stochastic Gradient Descent and back-propagation neural networks for IDS, Conventional categorization indicators, such as "accuracy, precision, recall, and the f1-measure, have been used to evaluate the performance of the ML classification algorithms.

Cryptography and Security

N.Jaisankar,R.Saravanan,K. Durai Swamy

DOI: https://doi.org/10.48550/arXiv.1004.0602

2010-04-05

Abstract:An intrusion detection system framework using mobile agents is a layered framework mechanism designed to support heterogeneous network environments to identify intruders at its best. Traditional computer misuse detection techniques can identify known attacks efficiently, but perform very poorly in other cases. Anomaly detection has the potential to detect unknown attacks; however, it is a very challenging task since its aim is to detect unknown attacks without any priori knowledge about specific intrusions. This technology is still at its early stage. The objective of this paper is that the system can detect anomalous user activity. Existing research in this area focuses either on user activity or on program operation but not on both simultaneously. In this paper, an attempt to look at both concurrently is presented. Based on an intrusion detection framework [1], a novel user anomaly detection system has been implemented and conducted several intrusion detection experiments in a simulated environment by analyzing user activity and program operation activities. The proposed framework is a layered framework, which is designed to satisfy the core purpose of IDS, and allows detecting the intrusion as quickly as possible with available data using mobile agents. This framework was mainly designed to provide security for the network using mobile agent mechanisms to add mobility features to monitor the user processes from different computational systems. The experimental results have shown that the system can detect anomalous user activity effectively.

Networking and Internet Architecture,Cryptography and Security

Jianping Zeng,Donghui Guo

DOI: https://doi.org/10.5220/0002516401760181

2005-01-01

Abstract:More and more application services are provided and distributed over the Internet for public access. However, the security of distributed application severs is becoming a serious problem due to many possible attacks, such as deny of service, illegal intrusion, etc. Because of weakness of the firewall systems in ensuring security, intrusion detection system (IDS) becomes popular. Now, many kinds of IDS systems are available for serving in the Internet distributed system, but these systems mainly concentrate on networkbased and host-based detection. It is inconvenience to integrate these systems to distributed application servers for application-based intrusion detection. An agent-based IDS that can be smoothly integrated into applications of enterprise information systems is proposed in this paper. We will introduce its system architecture, agent structure, integration mechanism, and etc. In such an IDS system, there are three kinds of agents, i.e. client agent, server agent and communication agent. This paper is also to explain how to integrate agents with access control model for getting better security performance. By introducing standard protocol such as KQML, IDMEF into the design of agent, our agent-based IDS shows much more flexible for built in different kinds of software application system.

Kumar, Prabhat,Islam, A. K. M. Najmul

DOI: https://doi.org/10.1007/s12559-024-10309-w

IF: 4.89

2024-06-11

Cognitive Computation

Abstract:Industrial Cyber-Physical Systems (ICPSs) are becoming more and more networked and essential to modern infrastructure. This has led to an increase in the complexity of their dynamics and the challenges of protecting them from advanced cyber threats have escalated. Conventional intrusion detection systems (IDS) often struggle to interpret high-dimensional, sequential data efficiently and extract meaningful features. They are characterized by low accuracy and a high rate of false positives. In this article, we adopt the computational design science approach to design an IDS for ICPS, driven by Generative AI and cognitive computing. Initially, we designed a Long Short-Term Memory-based Sparse Variational Autoencoder (LSTM-SVAE) technique to extract relevant features from complex data patterns efficiently. Following this, a Bidirectional Recurrent Neural Network with Hierarchical Attention (BiRNN-HAID) is constructed. This stage focuses on proficiently identifying potential intrusions by processing data with enhanced focus and memory capabilities. Next, a Cognitive Enhancement for Contextual Intrusion Awareness (CE-CIA) is designed to refine the initial predictions by applying cognitive principles. This enhances the system's reliability by effectively balancing sensitivity and specificity, thereby reducing false positives. The final stage, Interpretive Assurance through Activation Insights in Detection Models (IAA-IDM), involves the visualizations of mean activations of LSTM and GRU layers for providing in-depth insights into the decision-making process for cybersecurity analysts. Our framework undergoes rigorous testing on two publicly accessible industrial datasets, ToN-IoT and Edge-IIoTset, demonstrating its superiority over both baseline methods and recent state-of-the-art approaches.

computer science, artificial intelligence,neurosciences

Cynthia Anthony,Walid Elgenaidi,Muzaffar Rao

DOI: https://doi.org/10.3390/electronics13050809

IF: 2.9

2024-02-20

Electronics

Abstract:This research work highlights significant achievements in the domain of intrusion detection systems (IDSs) for autonomous vehicles, which are crucial in enhancing their safety, reliability, and cybersecurity. This study introduces an approach that leverages non-tree-based machine learning algorithms, such as K-nearest neighbors and ensemble learning, to develop an IDS tailored for autonomous vehicles. These algorithms were employed because of their ability to process complex and large datasets with less likeliness for overfitting, their scalability, and their ability to adapt to changing conditions in real time. These algorithms effectively handle imbalanced data, enhancing the detection accuracy of both normal and intrusive instances. The IDS's performance was validated through the utilization of three real-world datasets, CAN intrusion, CICIDS2017, and NSL-KDD, where the proposed non-tree-based IDS (NTB-MTH-IDS) was measured with the standard measurement metrics: accuracy, precision, F1-score, and recall, including specificity and sensitivity. Notably, the results indicate that K-nearest neighbors and stacking, as part of NTB-MTH-IDS, has an accuracy of 99.00%, 98.57%, and 97.57%, and F1-scores of 99.00%, 98.79%, and 97.54% in the CICIDS2017, NSL-KDD, and CAN datasets, respectively. The results of this research can lead to establishing a robust intrusion detection framework, thereby ensuring the safety and reliability of autonomous vehicles. Through this achievement, road users, passengers, and pedestrians are safeguarded against the consequences of potential cyber threats.

engineering, electrical & electronic,computer science, information systems,physics, applied

Zhongqiang Chen,Yuan Zhang,Zhongrong Chen,Alex Delis

DOI: https://doi.org/10.1093/comjnl/bxp026

2009-01-01

The Computer Journal

Abstract:Intrusion detection/prevention systems (IDSs/IPSs) heavily rely on signature databases and pattern matching (PM) techniques to identify network attacks. The engines of such systems often employ traditional PM algorithms to search for telltale patterns in network flows. The observations that real-world network traffic is largely legitimate and that telltales manifested by exploits rarely appear in network streams lead us to the proposal of Fingerprinter. This framework integrates fingerprinting and PM methods to rapidly distinguish well-behaved from malicious traffic. Fingerprinter produces concise digests or fingerprints for attack signatures during its programming phase. In its querying phase, the framework quickly identifies attack-free connections by transforming input traffic into its fingerprint space and matching its digest against those of attack signatures. If the legitimacy of a stream cannot be determined by fingerprints alone, our framework uses the Boyer–Moore algorithm to ascertain whether attack signatures appear in the stream. To reduce false matches, we resort to multiple fingerprinting techniques including Bloom–Filter and Rabin–Fingerprint. Experimentation with a prototype and a variety of traces has helped us establish that Fingerprinter significantly accelerates the attack detection process.

Vegard Berge,Chunlei Li

2024-10-26

Abstract:Traditional intrusion detection systems (IDSs) often rely on either network traffic or process data, but this single-source approach may miss complex attack patterns that span multiple layers within industrial control systems (ICSs) or persistent threats that target different layers of operational technology systems. This study investigates whether combining both network and process data can improve attack detection in ICSs environments. Leveraging the SWaT dataset, we evaluate various machine learning models on individual and combined data sources. Our findings suggest that integrating network traffic with operational process data can enhance detection capabilities, evidenced by improved recall rates for cyber attack classification. Serving as a proof-of-concept within a limited testing environment, this research explores the feasibility of advancing intrusion detection through a multi-source data approach in ICSs. Although the results are promising, they are preliminary and highlight the need for further studies across diverse datasets and refined methodologies.

Cryptography and Security

N. D. Patel,B. M. Mehtre,Rajeev Wankar

DOI: https://doi.org/10.1007/s10207-023-00792-x

2024-04-26

International Journal of Information Security

Abstract:An intrusion detection system (IDS) is a system that monitors network traffic for malicious activity and generates alerts. In anomaly-based detection, machine learning (ML) algorithms exploit various statistical and probabilistic methods to learn from past or historical experience and detect valuable patterns from large, unstructured, and complex datasets. ML-based network intrusion detection aims to identify malicious behavior and alert a system administrator when an intruder tries to penetrate the network. This paper deals with the study, strategic construction, and implementation of a network intrusion detection model based on ML methods. Among the available IDS datasets, five of the most relevant are chosen for the experimental analysis, which are NSL-KDD-2009, CIC-IDS2017, CIC-IDS2018, IoTID20, and UNSW-NB15 datasets. In order to reduce the computation time in the training sample and achieve computational complexity , we propose a computationally efficient and feasible algorithmic framework for analyzing the network traffic data. The developed approach mainly consists of two phases, i.e., "Scatter Matrices and Eigenvalue Computation based feature Selection" and "Classification procedure for the reduced dimension data." Experimental evaluation of various test case scenarios for the chosen datasets is carried out in the simulation setting. It is observed that the test results outperform the existing intrusion detection methods for detecting certain attack categories.

computer science, information systems, theory & methods, software engineering