Panagis Sarantos,John Violos,Aris Leivadeas

DOI: https://doi.org/10.1016/j.jpdc.2024.105010

IF: 4.542

2024-11-18

Journal of Parallel and Distributed Computing

Abstract:Intrusion Detection systems (IDS) are alerting cybersecurity tools that analyze network traffic in order to identify suspicious activity and known threats. State of the art IDS rely on supervised machine learning models which are trained to categorize the network flow with a historical labeled dataset. Nonetheless, next-generation networks are characterized as heterogeneous and dynamic. The heterogeneity can make every network environment to be significantly different and the dynamicity means that new threats are constantly emerging. These two factors raise the research question if a supervised machine learning based IDS can work efficiently in a network environment different from the one that generated its labeled training data. In this paper, we first give an answer to this research question and next try to propose a semi-supervised learning approach that can be generalized sufficiently in a different network environment using unlabeled data, taking into consideration that unlabeled data are much easier and cheap to be collected compared to labeled ones. In order to have a proof of concept we made experiments with two labeled datasets CIC-IDS2017, CIC-IDS2018 which are publicly available and one unlabeled dataset PS-Azure2023 which we constructed for this work and make it also publicly available. The results confirm our assumption and the applicability of the semi-supervised learning paradigm for the design of IDS.

computer science, theory & methods

Md. Ashraf Uddin,Sunil Aryal,Mohamed Reda Bouadjenek,Muna Al-Hawawreh,Md. Alamin Talukder

2024-03-17

Abstract:The rapid expansion of varied network systems, including the Internet of Things (IoT) and Industrial Internet of Things (IIoT), has led to an increasing range of cyber threats. Ensuring robust protection against these threats necessitates the implementation of an effective Intrusion Detection System (IDS). For more than a decade, researchers have delved into supervised machine learning techniques to develop IDS to classify normal and attack traffic. However, building effective IDS models using supervised learning requires a substantial number of benign and attack samples. To collect a sufficient number of attack samples from real-life scenarios is not possible since cyber attacks occur occasionally. Further, IDS trained and tested on known datasets fails in detecting zero-day or unknown attacks due to the swift evolution of attack patterns. To address this challenge, we put forth two strategies for semi-supervised learning based IDS where training samples of attacks are not required: 1) training a supervised machine learning model using randomly and uniformly dispersed synthetic attack samples; 2) building a One Class Classification (OCC) model that is trained exclusively on benign network traffic. We have implemented both approaches and compared their performances using 10 recent benchmark IDS datasets. Our findings demonstrate that the OCC model based on the state-of-art anomaly detection technique called usfAD significantly outperforms conventional supervised classification and other OCC based techniques when trained and tested considering real-life scenarios, particularly to detect previously unseen attacks.

Cryptography and Security,Machine Learning

Mert Nakıp,Erol Gelenbe

DOI: https://doi.org/10.1109/TIFS.2024.3402148

2024-05-15

Abstract:This paper proposes a novel Self-Supervised Intrusion Detection (SSID) framework, which enables a fully online Deep Learning (DL) based Intrusion Detection System (IDS) that requires no human intervention or prior off-line learning. The proposed framework analyzes and labels incoming traffic packets based only on the decisions of the IDS itself using an Auto-Associative Deep Random Neural Network, and on an online estimate of its statistically measured trustworthiness. The SSID framework enables IDS to adapt rapidly to time-varying characteristics of the network traffic, and eliminates the need for offline data collection. This approach avoids human errors in data labeling, and human labor and computational costs of model training and data collection. The approach is experimentally evaluated on public datasets and compared with well-known {machine learning and deep learning} models, showing that this SSID framework is very useful and advantageous as an accurate and online learning DL-based IDS for IoT systems.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Erxue Min,Jun Long,Qiang Liu,Jianjing Cui,Zhiping Cai,Junbo Ma

DOI: https://doi.org/10.1007/978-3-030-00012-7_30

2018-01-01

Abstract:Network Intrusion Detection Systems (NIDSs) are increasingly crucial due to the expansion of computer networks. Detection techniques based on machine learning have attracted extensive attention for their capability to detect novel attacks. However, they require a large amount of labeled training data to train an effective model, which is difficult and expensive to obtain. To this effect, it is critically important to build models which can learn from unlabeled or partially-labeled data. In this paper, we propose an autoencoder-based framework, i. e., SU-IDS, for semi-supervised and unsupervised network intrusion detection. The framework augments the usual clustering (or classification) loss with an auxiliary loss of autoencoder, and thus achieves a better performance. The experimental results on the classic NSL-KDD dataset and the modern CICIDS2017 dataset show the superiority of our proposed models.

Ozgur Depren,Murat Topallar,Emin Anarim,M. Kemal Ciliz

DOI: https://doi.org/10.1016/j.eswa.2005.05.002

IF: 8.5

2005-11-01

Expert Systems with Applications

Abstract:In this paper, we propose a novel Intrusion Detection System (IDS) architecture utilizing both anomaly and misuse detection approaches. This hybrid Intrusion Detection System architecture consists of an anomaly detection module, a misuse detection module and a decision support system combining the results of these two detection modules. The proposed anomaly detection module uses a Self-Organizing Map (SOM) structure to model normal behavior. Deviation from the normal behavior is classified as an attack. The proposed misuse detection module uses J.48 decision tree algorithm to classify various types of attacks. The principle interest of this work is to benchmark the performance of the proposed hybrid IDS architecture by using KDD Cup 99 Data Set, the benchmark dataset used by IDS researchers. A rule-based Decision Support System (DSS) is also developed for interpreting the results of both anomaly and misuse detection modules. Simulation results of both anomaly and misuse detection modules based on the KDD 99 Data Set are given. It is observed that the proposed hybrid approach gives better performance over individual approaches.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Dr.D.S. John Deva Prasanna,Dr.K. Punitha,Dr.M. Naga Raju,Dr.F. Rahman,Kamlesh Kumar Yadav

DOI: https://doi.org/10.58346/jisis.2024.i3.024

2024-08-30

Abstract:One crucial thing that hackers always do is gather information about the state of networks by breaking into files and systems that are used in defense models. Threats can get into these platforms. Much information is constantly coming into and going out of systems and people. To find potentially harmful security trends, the Intrusion Detection System (IDS) has to look through this growing amount of data. Our surroundings and choices now make it very hard to quickly and correctly find intrusions. To find people who try to get into a communication system without permission, creating an intrusion detection system (IDS) that uses big data techniques to handle large amounts of complex data is essential. This work uses artificial intelligence (AI), which is aware of a vast amount of data, to make an IDS that is very good at dealing with these problems. The study created a unique structure for the Long Short-Term Memory (LSTM) method, which can find complex links and long-lasting patterns in arriving at network traffic data. By using this method, the system can successfully lower the number of false warnings and improve the accuracy of the IDS that was created. Big Data Analysis (BDA) could make the AI methods discussed in this study more useful. These methods are currently slow because they are very complicated. Using these techniques makes running the complicated model go more quickly. The researchers used the tool on the Spark platform for in-depth studies. The NSL-KDD database was used to train for the tests. The results show that the algorithm is better than other IDS systems regarding how often it finds problems, how usually it sets off fake alarms, how accurate it is, how efficiently it works, and how long it takes to train.

Zhiqiang Liu,Mohi-Ud-Din Ghulam,Ye Zhu,Xuanlin Yan,Lifang Wang,Zejun Jiang,Jianchao Luo

DOI: https://doi.org/10.1007/978-981-15-0637-6_40

2019-01-01

Abstract:With the astonishing development of the Internet and its applications in the last decade, cyberattacks are changing quickly, and the necessity of protection for communication network has improved tremendously. As the primary defense, the intrusion detection system plays a crucial role in making sure the network security. Key to intrusion detection system is actually to determine a variety of attacks effectively as well as to adjust to a constantly changing threat scenario. DNN or Deep Neural Network on NSL-KDD dataset for effective detection of an attack. Firstly, the dataset was preprocessed and normalized and then fed to the DNN algorithm to create a model. For testing purpose, entire dataset of NSL-KDD was used. Finally, to analyze the accuracy and precision of the DNN model, we use accuracy and precision matrices. The proposed DNN-based strategy enhances network anomaly detection and opens new analysis gateway for intrusion detection systems.

Chandan Kumar,Sarfaraj Alam Ansari,Md. Sarfaraj Alam Ansari

DOI: https://doi.org/10.1016/j.eswa.2024.123853

IF: 8.5

2024-04-05

Expert Systems with Applications

Abstract:The integration of the Internet of Things with Software-Defined Networking offers a flexible approach to managing Software-Defined Internet of Things (SD-IoT) applications. However, this architecture is vulnerable to attacks, which may compromise the user's sensitive data. To mitigate this risk, an Intrusion Detection System (IDS) is employed. The IDS model is developed using Machine Learning (ML) algorithms. However, the effectiveness of the ML-based IDS model depends on the optimal number of features used during training. The conventional approach for selecting the optimum feature subset is through hit-and-trial methods, which is a limitation. Moreover, interpreting IDS predictions on malicious flow detection in SD-IoT applications is challenging. So, in this research study, an explainable, lightweight IDS model based on a nature-inspired algorithm is proposed. Lightweight IDS required minimal features selected using the proposed technique based on the Sheep Flock Optimization Algorithm and Least Absolute Shrinkage Selection Operator (SFOA-LASSO). LASSO uses the α value to measure the cost function and eliminate the redundant features. Eliminating the traditional method, we used the SFOA to obtain the α value. Further, the selected minimal features are used to build an ML-based IDS model. The proposed IDS model is experimentally evaluated on the SD-IoT dataset, which attains high performance in terms of detection rate and accuracy. To understand the prediction made by the IDS, the Shapley values are calculated and plotted using summary and beeswarm plot. The proposed model also performs well when tested on the CIC-IoT-2023 dataset. The obtained results are compared with recent state-of-the-art studies to show the model's robustness.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Lirui Deng,Youjian Zhao,Heng Bao

DOI: https://doi.org/10.1007/978-981-19-8285-9_5

2022-01-01

Abstract:AbstractThe network intrusion detection system (NIDS) plays an essential role in network security. Although many data-driven approaches from the field of machine learning have been proposed to increase the efficacy of NIDSs, it still suffers from extreme data imbalance and the performance of existing algorithms depends highly on training datasets. To counterpart the class-imbalanced problem in network intrusion detection, it is necessary for models to capture more representative clues within same categories instead of learning from only classification loss. In this paper, we proposed a self-supervised adversarial learning approach for intrusion detection, which utilize instance-level discrimination for better representation learning and employs a adversarial perturbation styled data augmentation to improve the robustness of NIDS on rarely seen attacking types. State-of-the-art result was achieved on multiple frequently-used datasets and experiment conducted on cross-dataset setting demonstrated good generalization ability.

Xiaoxia Liu,Daojing He,Yun Gao,Sencun Zhu,Sammy Chan

DOI: https://doi.org/10.1109/srds51746.2020.00028

2020-01-01

Abstract:With the increasing applications of integrated electronic systems (IESs), especially in security critical application scenarios like satellites and aircraft, new vulnerabilities and attacks have emerged recently. To detect the attacks, we propose TLP-IDS, a real-time intrusion detection system (IDS). TLP-IDS includes two layers of detection modules, one based on time and sequence logic and the other based on historical data. For the modules in the first layer, periodic and aperiodic messages are distinguished based on variations of message intervals, and we learnd from the idea of Markov decision process (MDP) in reinforcement learning (RL) to automatically learn the logical relationship between sequences. In the second layer, an online sequence extreme learning machine (OS-ELM) method is deployed to fit the data and further combined with the Weibull distribution function for prediction and detection. To evaluate our system, we implement several attack scenarios on a test bed, and measure the detection performance. Experimental results show that our system can quickly and effectively detect various attacks.

Zachary Tauscher,Yushan Jiang,Kai Zhang,Jian Wang,Houbing Song

DOI: https://doi.org/10.48550/arXiv.2108.08394

2021-08-19

Abstract:With massive data being generated daily and the ever-increasing interconnectivity of the world's Internet infrastructures, a machine learning based intrusion detection system (IDS) has become a vital component to protect our economic and national security. In this paper, we perform a comprehensive study on NSL-KDD, a network traffic dataset, by visualizing patterns and employing different learning-based models to detect cyber attacks. Unlike previous shallow learning and deep learning models that use the single learning model approach for intrusion detection, we adopt a hierarchy strategy, in which the intrusion and normal behavior are classified firstly, and then the specific types of attacks are classified. We demonstrate the advantage of the unsupervised representation learning model in binary intrusion detection tasks. Besides, we alleviate the data imbalance problem with SVM-SMOTE oversampling technique in 4-class classification and further demonstrate the effectiveness and the drawback of the oversampling mechanism with a deep neural network as a base model.

Cryptography and Security,Machine Learning

Abdulsalam O. Alzahrani,Mohammed J. F. Alenazi

DOI: https://doi.org/10.3390/fi13050111

2021-04-28

Future Internet

Abstract:Software-defined Networking (SDN) has recently developed and been put forward as a promising and encouraging solution for future internet architecture. Managed, the centralized and controlled network has become more flexible and visible using SDN. On the other hand, these advantages bring us a more vulnerable environment and dangerous threats, causing network breakdowns, systems paralysis, online banking frauds and robberies. These issues have a significantly destructive impact on organizations, companies or even economies. Accuracy, high performance and real-time systems are essential to achieve this goal successfully. Extending intelligent machine learning algorithms in a network intrusion detection system (NIDS) through a software-defined network (SDN) has attracted considerable attention in the last decade. Big data availability, the diversity of data analysis techniques, and the massive improvement in the machine learning algorithms enable the building of an effective, reliable and dependable system for detecting different types of attacks that frequently target networks. This study demonstrates the use of machine learning algorithms for traffic monitoring to detect malicious behavior in the network as part of NIDS in the SDN controller. Different classical and advanced tree-based machine learning techniques, Decision Tree, Random Forest and XGBoost are chosen to demonstrate attack detection. The NSL-KDD dataset is used for training and testing the proposed methods; it is considered a benchmarking dataset for several state-of-the-art approaches in NIDS. Several advanced preprocessing techniques are performed on the dataset in order to extract the best form of the data, which produces outstanding results compared to other systems. Using just five out of 41 features of NSL-KDD, a multi-class classification task is conducted by detecting whether there is an attack and classifying the type of attack (DDoS, PROBE, R2L, and U2R), accomplishing an accuracy of 95.95%.

Daojing He,Xiaoxia Liu,Jiajia Zheng,Sammy Chan,Sencun Zhu,Weidong Min,Nadra Guizani

DOI: https://doi.org/10.1109/mnet.001.1900480

IF: 10.294

2020-01-01

IEEE Network

Abstract:With the recent advancement in AI technology, IDSs reinforced by AI have been adopted to ensure system and network security. Unfortunately, computational and storage overheads of such systems prevent them from being deployed in IESs. To overcome the challenges that restrict the applicability of intrusion detection for IESs, we propose a lightweight and intelligent IDS. The proposed system first generates the behavioral specifications that characterize the normal communication of an IES. Based on specifications, Gini index and the generalized system attributes are exploited to detect abnormal communications. To reduce the false positive rate, the data that do not abide the behavioral specifications is passed to a Naive Bayes classifier for further classification. Our experimental results show that the proposed system can achieve 95.84 percent accuracy and thus holds great promise for deployment in IESs as a lightweight and efficient IDS.

Xinchen Zhang,Running Zhao,Zhihan Jiang,Zhicong Sun,Yulong Ding,Edith C.H. Ngai,Shuang-Hua Yang

2024-02-02

Abstract:The rapid expansion of the Internet of Things (IoT) has raised increasing concern about targeted cyber attacks. Previous research primarily focused on static Intrusion Detection Systems (IDSs), which employ offline training to safeguard IoT systems. However, such static IDSs struggle with real-world scenarios where IoT system behaviors and attack strategies can undergo rapid evolution, necessitating dynamic and adaptable IDSs. In response to this challenge, we propose AOC-IDS, a novel online IDS that features an autonomous anomaly detection module (ADM) and a labor-free online framework for continual adaptation. In order to enhance data comprehension, the ADM employs an Autoencoder (AE) with a tailored Cluster Repelling Contrastive (CRC) loss function to generate distinctive representation from limited or incrementally incoming data in the online setting. Moreover, to reduce the burden of manual labeling, our online framework leverages pseudo-labels automatically generated from the decision-making process in the ADM to facilitate periodic updates of the ADM. The elimination of human intervention for labeling and decision-making boosts the system's compatibility and adaptability in the online setting to remain synchronized with dynamic environments. Experimental validation using the NSL-KDD and UNSW-NB15 datasets demonstrates the superior performance and adaptability of AOC-IDS, surpassing the state-of-the-art solutions. The code is released at

Cryptography and Security

Xiaofeng Qiu,Xinran Wang

DOI: https://doi.org/10.1109/ICCT56141.2022.10073098

2022-11-11

Abstract:Deep learning techniques have become an increasingly popular solution for network intrusion detection system (NIDS). Semi-supervised deep anomaly detection methods used in network intrusion detection always need a high proportion of labeled samples and do not have good robustness. To solve these problems, we propose ATSAD: a novel semi-supervised anomaly detection method which is an improvement of the state-of-the-art method Deep SAD (Deep Semi-Supervised Anomaly Detection). Our main idea is to make the model pay more attention to important features of input data. We use an attention network to make the idea come true. We define a new objective function so that the attention network and the mapping network of Deep SAD can be trained together. Our evaluations show ATSAD has the best performance and good robustness compared with other methods on the dataset CSE-CIC-IDS2018.

Computer Science

Xinran Zheng,Shuo Yang,Xingjun Wang

2023-08-01

Abstract:Deep learning-based fine-grained network intrusion detection systems (NIDS) enable different attacks to be responded to in a fast and targeted manner with the help of large-scale labels. However, the cost of labeling causes insufficient labeled samples. Also, the real fine-grained traffic shows a long-tailed distribution with great class imbalance. These two problems often appear simultaneously, posing serious challenges to fine-grained NIDS. In this work, we propose a novel semi-supervised fine-grained intrusion detection framework, SF-IDS, to achieve attack classification in the label-limited and highly class imbalanced case. We design a self-training backbone model called RI-1DCNN to boost the feature extraction by reconstructing the input samples into a multichannel image format. The uncertainty of the generated pseudo-labels is evaluated and used as a reference for pseudo-label filtering in combination with the prediction probability. To mitigate the effects of fine-grained class imbalance, we propose a hybrid loss function combining supervised contrastive loss and multi-weighted classification loss to obtain more compact intra-class features and clearer inter-class intervals. Experiments show that the proposed SF-IDS achieves 3.01% and 2.71% Marco-F1 improvement on two classical datasets with 1% labeled, respectively.

Cryptography and Security

Meng Huang,Wenshan Li,Junjiang He,Xiaolong Lan,Tao Li,Nian Zhang

DOI: https://doi.org/10.1007/s44196-024-00498-5

IF: 2.259

2024-04-30

International Journal of Computational Intelligence Systems

Abstract:Anomaly detection is a critical line of defense to ensure the network security of industrial cyber-physical systems. However, a significant issue in the anomaly detection is the insufficient labels of anomaly classes. With emergence of the new and unknown network attacks, accurately labeling these attacks can be a costly task. The issue of inadequate labeling may negatively impact the detection performance of many existing anomaly detection methods. To meet this gap, this paper proposes a semi-supervised collaborative learning paradigm called IDG-SemiAD, based on an immune detector generation algorithm. First, we design an immune detector generation algorithm based on a chaos map to generate abnormal samples from self-samples. Then, these abnormal samples are combined with self-samples and given specific labels to form a new training set. Finally, the LightGBM classifier is used for training and detection. Experiments on the widely used public dataset BATADAL show that the proposed IDG-SemiAD outperforms the classical v-detector method in terms of recall and f-score, with improvements of 8.2% and 8%, respectively, and outperforms deep learning-based anomaly detection methods, with a maximum improvements of up to 89.7% and 59.5% respectively.

computer science, artificial intelligence, interdisciplinary applications

Vikash Kumar,Ditipriya Sinha,Ayan Kumar Das,Subhash Chandra Pandey,Radha Tamal Goswami

DOI: https://doi.org/10.1007/s10586-019-03008-x

2019-10-29

Cluster Computing

Abstract:Intrusion detection system (IDS) has been developed to protect the resources in the network from different types of threats. Existing IDS methods can be classified as either anomaly based or misuse (signature) based or sometimes combination of both. This paper proposes a novel misuse based intrusion detection system to detect five categories such as: Exploit, DOS, Probe, Generic and Normal in a network. Further, most of the related works on IDS are based on KDD99 or NSL-KDD 99 data set. These data sets are considered obsolete to detect recent types of attacks and have no significance. In this paper UNSW-NB15 data set is considered as the offline dataset to design own integrated classification based model for detecting malicious activities in the network. Performance of the proposed integrated classification based model is considerably high compared to other existing decision tree based models to detect these five categories. Moreover, this paper generates its own real time data set at NIT Patna CSE lab (RTNITP18) which acts as the working example of proposed intrusion detection model. This RTNITP18 dataset is considered as a test data set to evaluate the performance of the proposed intrusion detection model. The performance analysis of the proposed model with UNSW-NB15 (benchmark data set) and real time data set (RTNITP18) shows higher accuracy, attack detection rate, mean F-measure, average accuracy, attack accuracy, and false alarm rate in comparison to other existing approaches. Proposed IDS model acts as the dog watcher to detect different types of threat in the network.

Yakubu Imrana,Yanping Xiang,Liaqat Ali,Zaharawu Abdul-Rauf

DOI: https://doi.org/10.1016/j.eswa.2021.115524

IF: 8.5

2021-01-01

Expert Systems with Applications

Abstract:The rise in computer networks and internet attacks has become alarming for most service providers. It has triggered the need for the development and implementation of intrusion detection systems (IDSs) to help prevent and or mitigate the challenges posed by network intruders. Over the years, intrusion detection systems have played and continue to play a very significant role in spotting network attacks and anomalies. Numerous researchers around the globe have proposed many IDSs to combat the threat of network invaders. However, most of the previously proposed IDSs have high rates of raising false alarms. Additionally, most existing models suffer the difficulty of detecting the different attack types, especially User-to-Root (U2R) and Remote-to-Local (R2L) attacks. These two types of attacks often appear to have lower detection accuracy for the existing models. Hence, in this paper, we propose a bidirectional Long-Short-Term-Memory (BiDLSTM) based intrusion detection system to handle the challenges mentioned above. To train and measure our model's performance, we use the NSL-KDD dataset, a benchmark dataset for most IDSs. Experimental results show and validate the effectiveness of the BiDLSTM approach. It outperforms conventional LSTM and other state-of-the-art models in terms of accuracy, precision, recall, and F-score values. It also has a much more reduced false alarm rate than the existing models. Furthermore, the BiDLSTM model achieves a higher detection accuracy for U2R and R2L attacks than the conventional LSTM.