Na Xing,Shuai Zhao,Yuehai Wang,Keqing Ning,Xiufeng Liu

DOI: https://doi.org/10.14569/ijacsa.2023.0140743

2023-01-01

Abstract:recent years, deep learning-based network intrusion detection systems (IDS) have shown impressive results in detecting attacks. However, most existing IDS can only recognize known attacks that were included in their training data. When faced with unknown attacks, these systems are often unable to take appropriate actions and incorrectly classify them into known categories, leading to reduced detection performance. Furthermore, as the number and types of network attacks continue to increase, it becomes challenging for these IDS to update their model parameters promptly and adapt to new attack scenarios. To address these issues, this paper introduces a dynamic intrusion detection system, Dynamic Unknown Attack Intrusion Detection System (DUA-IDS). This system aims to learn and detect unknown attacks effectively. DUA-IDS comprises three components: Feature Extractor: This component employs CNN and Transformer models to extract data features from various perspectives. Threshold-Based Classifier: The second part utilizes the nearest mean rule of samples to classify known and unknown attacks, enabling the distinction between them. Dynamic Learning Module: The third part incorporates data playback and knowledge distillation techniques to retain existing category knowledge while continuously learning new attack categories. To assess the effectiveness of DUA-IDS, this paper conducted experiments using the UNSW-NB15 public dataset. The experimental results show that DUA-IDS improves the classification accuracy of flow network data with unknown traffic attacks. Can accurately distinguish unknown traffic and correctly classify known traffic. When dynamically learning unknown traffic, the classification accuracy of previously learned known traffic is less affected. This indicates the advantages of DUA-IDS in detecting unknown attacks and learning new attack categories.

Haifeng Lv,Xiaoyu Ji,Yong Ding

DOI: https://doi.org/10.1088/1742-6596/2517/1/012016

2023-01-01

Journal of Physics Conference Series

Abstract:The intrusion detection system (IDS) plays an important part because it offers an efficient way to prevent and mitigate cyber attacks. Numerous deep learning methods for intrusion anomaly detection have been developed as a result of recent advances in artificial intelligence (AI) in order to strengthen internet security. The balance among the high detection rate (DR), the low false alarm rate (FAR) and disaster of dimensionality is the crucial apprehension while devising an effective IDS. For the binary classification of intrusion detection systems, we present in this study a mixed model called K-means-XGBoost consisting of K-means and (Extreme Gradient Boosting, XGBoost) algorithms. The distributed computation of our method is achieved in Spark platform to rapidly separate normal events and anomaly events. In phrases of accuracy, DR, F1-score, recall, precision, and error indices FAR, the proposed model’s performance is measured via the well-known dataset of NSL-KDD. The experimental outcomes indicate that our method is outstandingly better among accuracy, DR, F1-score, training time, and processing speed, compared to other models which are recently created. In particular, the accuracy, F1-score, and DR of the proposed model can achieve as high as 93.28%, 94.39%, and 99.22% in the NSL-KDD dataset, respectively.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Ziming Zhao,Zhaoxuan Li,Xiaofei Xie,Jiongchi Yu,Fan Zhang,Rui Zhang,Binbin Chen,Xiangyang Luo,Ming Hu,Wenrui Ma

DOI: https://doi.org/10.1109/tnet.2024.3413789

2024-01-01

Abstract:Anomaly-based network intrusion detection systems (NIDSs) are essential for ensuring cybersecurity. However, the security communities realize some limitations when they put most existing proposals into practice. The challenges are mainly concerned with fine-grained unknown attack detection and ever-changing legitimate traffic adaptation. To tackle these problem, we present three key design norms. The core idea is to construct a model to split the data distribution hyperplane and leverage the concept of isolation, as well as advance the incremental model update. We utilize the isolation tree as the backbone to design our model, named, to echo back three norms. By analyzing the popular dataset of network intrusion traces, we show that significantly outperforms the state-of-the-art methods. Further, we perform an initial deployment of by working with the Internet Service Provider (ISP) to detect distributed denial of service (DDoS) attacks. With real-world tests and manual analysis, we demonstrate the effectiveness of to identify previously-unseen attacks in a fine-grained manner.

Weicheng Qiu,Yinghua Ma,Xiuzhen Chen,Haiyang Yu,Lixing Chen

DOI: https://doi.org/10.1016/j.cose.2022.102709

IF: 5.105

2022-01-01

Computers & Security

Abstract:Cyber-attacks are becoming increasingly sophisticated, posing greater challenges in accurately detecting intrusions. Failure to prevent intrusions could degrade the credibility of security services. Intrusion Detection System (IDS) is one of the most effective paradigms to identify attack behaviors. This paper proposes a novel hybrid intrusion detection system called DST-IDS. The proposed method employs both packet-based and flow-based intrusion detection techniques and combines them with Dempster-Shafer Theory (DST). DST-IDS has an ensemble-like framework. It takes both traffic flows and their first N packets as inputs; flow-based IDS aims to predict traffic flows and packet-based IDS detects attacks in the corresponding packets; DST is then applied to fuse predictions of flow-based IDS and packet-based IDS to a final detection result. We also design a novel data collection/processing tool in DST-IDS to reduce the data volume required to perform intrusion detection and enable early detection. In addition, DST-IDS is designed to work with heterogeneous data distribution where the distribution of the training dataset can differ from the data distribution during implementation. This property drastically improves the practicality of DST-IDS. We run experiments on public datasets and real networks to evaluate the proposed method. The experimental results show that DST-IDS outperforms state-of-the-art benchmarks in terms of intrusion detection accuracy and detection speed. Particularly, DST-IDS provides real-time detection in real networks and handles well heterogeneous data distribution.

Zhang Zhao,Zhang Yong,Guo Da,Song Mei

DOI: https://doi.org/10.1007/s13042-020-01264-7

2021-01-01

International Journal of Machine Learning and Cybernetics

Abstract:Network intrusion detection systems (IDSs) based on deep learning have reached fairly accurate attack detection rates. But these deep learning approaches usually have been performed in a closed-set protocol that only known classes appear in training are considered during classification, the existing IDSs will fail to detect the unknown attacks and misclassify them as the training known classes, hence are not scalable. Furthermore, these IDSs are not efficient for updating the deep detection model once new attacks are discovered. To address those problems, we propose a scalable IDS towards detecting, discovering, and learning unknown attacks, it has three components. Firstly, we propose the open-set classification network (OCN) to detect unknown attacks, OCN based on the convolutional neural network adopts the nearest class mean (NCM) classifier, two new loss are designed to jointly optimize it, including Fisher loss and maximum mean discrepancy (MMD) loss. Subsequently, the semantic embedding clustering method is proposed to discover the hidden unknown attacks from all unknown instances detected by OCN. Then we propose the incremental nearest cluster centroid (INCC) method for learning the discovered unknown attacks through updating the NCM classifier. Extensive experiments on KDDCUP'99 dataset and CICIDS2017 dataset indicate that our OCN outperforms the state-of-the-art comparison methods in detecting multiple types of unknown attacks. Our experiments also verify the feasibility of the semantic embedding clustering method and INCC in discovering and learning unknown attacks.

Xuefei Tian,Chenlu Li,Aijuan Qian,Xiaoju Dong

DOI: https://doi.org/10.1109/ispa-bdcloud-socialcom-sustaincom51426.2020.00077

2020-01-01

Abstract:The network environment is increasingly complex, resulting in the explosive growth of network traffic logs. Discovering the patterns of these logs and detecting various cyber-attacks and anomalies have become a widespread concern. However, traditional network analysis techniques and Intrusion Detection System (IDS) have limited ability to identify and respond to the malicious activities hidden in dynamic and long-duration time series. This paper proposes a novel visual analysis system, combining visual analysis and machine learning model, to better reveal the pattern of various traffic logs, detect and classify abnormal network behaviors from enormous traffic logs. The system supports interactive exploration in data space and comparative analysis of the normal and abnormal pattern. It could help users analyze traffic logs conveniently and identify network intrusions efficiently. Besides, a supervised classifier in our system supports the prediction of a single traffic log which facilitates users' analysis of the patterns of traffic logs. A case study conducted on the CICIDS-2017 dataset demonstrates the feasibility of our system.

Chuan Yue,Lide Wang,Dengrui Wang,Ruifeng Duo,Haipeng Yan

DOI: https://doi.org/10.1155/2021/3913515

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The train communication Ethernet (TCE) of modern intelligent trains is under an ever-increasing threat of serious network attacks. Denial of service (DoS) and man in the middle (MITM), the two most destructive attacks against TCE, are difficult to detect by conventional methods. Aiming at their highly time-correlated properties, a novel dynamic temporal convolutional network-based intrusion detection system (DyTCN-IDS) is proposed in this paper to detect these temporal attacks. A semiphysical TCE testbed that is capable of simulating real situations in TCE-based trains is first built to generate an effective dataset for training and testing. DyTCN-IDS consists of two phases, and in the first phase, systematic feature engineering is designed to optimize the dataset. In the second phase, a basic detection model that is good at dealing with temporal features is first built by utilizing the temporal convolutional network with several architectural optimizations. Then, in order to decrease the computational consumption waste on network packet sequences with different lengths of inner temporal relationships, dynamic neural network technology is further adopted to optimize the basic detection model. Diverse experiments were carried out to evaluate the proposed system from different angles. The experimental results indicate that our system is easy to train, converges fast, costs less computational resources, and achieves satisfying detection performance with a macro false alarm rate of 0.09%, a macro F-score of 99.39%, and an accuracy of 99.40%. Compared to some canonical DL-based IDS and some latest IDS, our system acquires the best overall detection performance as well.

Bin Li,Yijie Wang,Kele Xu,Li Cheng,Zhiquan Qin

DOI: https://doi.org/10.1016/j.cose.2022.102719

IF: 5.105

2022-01-01

Computers & Security

Abstract:We study the problem of active intrusion detection over network traffic streams. Existing works create clusters for known classes and manually label instances outside the clusters for detecting novel attack classes and concept drift, yet several challenges are present. First, these methods assume that different classes of network traffic distribute far from each other in feature space, while similar attack classes could violate this assumption. It makes the true novel classes and concept drift undetectable, therefore a degraded performance. Second, prior works depending on heavily calculating and retraining cannot achieve efficient incremental updates over the infinite and high-speed streams of network traffic. Last, related methods rarely leverage the domain knowledge in intrusion detection. To address these issues, we propose DFAID , a D ensity-aware and F eature-deviated A ctive I ntrusion D etection framework over network traffic streams. We first design the mask density score and the feature deviation score to maximize the effectiveness of labeled instances, effectively detecting novel attack classes and the concept drift when similar classes exist. Then, DFAID leverages robust incremental clustering structures to group instances in local regions, relieving the burden on the speed and reducing effects of noisy instances. Last, we further present DFAID-DK by incorporating the D omain K nowledge of temporal correlations between network attacks to correct the wrong predictions. Extensive experiments on two well-known benchmarks, CIC-IDS2017 and ISCX-2012, demonstrate that DFAID and its variation DFAID-DK both achieve significant improvement compared with related methods in terms of f1-score (21.7%, 22.7%) on average, and its running speed is an order of magnitude faster.

Anbang Wang,Xinyu Gong,Jialiang Lu

DOI: https://doi.org/10.1109/smartcloud.2019.00028

2019-01-01

Abstract:With the development of network technology and the updating of intelligent networking devices, the variety of cyber attacks and the number of users being attacked are increasing. Intrusion Detection Systems (IDS) are commonly used in the field of network security to detect anomalous activity and behavior. Many previous works have achieved high detection accuracy on standard testing data sets by implementing mature Machine Learning (ML) algorithms. Inspired by the network ontology researches,, we propose two Long Short-Term Memory (LSTM) based IDSs with deep feature extraction: multi-class feature extraction IDS and dual-class feature extraction IDS. Through our experiments on the CICIDS2017 data set, we have found that multi-class feature extraction IDS can better identify the types of cyber attacks while the dual-class feature extraction IDS can better recall new attacks. We conclude that when the structure and characteristics of the classifier are limited, a reasonable selection of the feature extraction space can help improve the characteristics of the classifier and better achieve the downstream tasks in the security field.

Jie Fu,Lina Wang,Jianpeng Ke,Kang Yang,Rongwei Yu

DOI: https://doi.org/10.1016/j.eswa.2024.125687

IF: 8.5

2025-01-01

Expert Systems with Applications

Abstract:Due to the heterogeneous and dynamic nature of networks, modeling spatiotemporal correlations has become a trend. Although spatiotemporal-based network intrusion detection systems (NIDSs) enhance the performance of intrusion classification, they still suffer from inadequacies in the multi-classification of intrusions and model generalization ability. First, the static attack topologies of network traffic always ignore some important information; Second, the interaction between spatial and temporal dimensions is rarely considered. To mitigate these issues, this paper proposes TSIDS, a spatiotemporal analysis-based approach that extracts the interaction of network behaviors for intrusion detection. TSIDS combines the spatial analysis module to extract spatial information between different events, and the temporal analysis module to learn the temporal dependencies from historical traffic data. To model spatial correlations of temporal features, we propose a feature fusion module based on our customized gating Multilayer Perceptron (cgMLP). The experimental results on four datasets show that our work is effective in intrusion detection, especially multi-classification, and outperforms other baseline methods.

Liu Zhiqiang,Lin Zhijun,Gong Ting,Shi Yucheng,Mohi-Ud-Din Ghulam

DOI: https://doi.org/10.1007/978-981-15-5859-7_24

2020-01-01

Abstract:Recently, the increasing number of machine learning algorithms has been used in network intrusion detection system (NIDS) to detect abnormal behaviors in the network. Many available datasets were created to evaluate the performance of the model, such as KDD CUP99 and NSL-KDD. However, with the increasing scale of data and the emergence of advanced attacks, conventional machine learning algorithms can hardly perform well. Fortunately, the development of deep learning provides new direction for solving these problems. In this paper, in order to detect novel attacks in a network and improve detection efficiency, we proposed a flexible framework based on deep neural network (DNN). In our framework, we apply different feature reduction methods and activation functions to get the best performance. Moreover, through changing hyper-parameter of the model, we select better network structure. To evaluate our framework, we select ISCX 2012 and CICIDS 2017 as a benchmark and apply the proposed framework to these datasets. As a result, we observe high accuracy rate and low FAR for both binary and multi-class classifications. Overall, our proposed framework is universal and useful for detecting zero-day attacks.

Gu Haoran,Lai Yingxu,Wang Yipeng,Liu Jing,Sun Motong,Mao Beifeng

DOI: https://doi.org/10.1007/s00521-022-06965-4

2022-01-01

Neural Computing and Applications

Abstract:Owing to the development of industrial production, the hidden danger in industrial control systems (ICSs) has considerably increased, causing challenges in traditional safety defense methods. The combination of machine-learning or deep-learning algorithms and intrusion detection systems (IDSs) has become the mainstream method for solving this problem. However, these methods depend on a massive amount of high-quality attack traffic data, which cannot be obtained easily owing to the independence and unique characteristics of ICSs. In this study, we apply the reconstructed convolutional neural network and a data expansion algorithm named CenterBorderline_SMOTE (CB_SMOTE) to an IDS and propose data expansion intrusion detection system (DEIDS). The DEIDS is an end-to-end detection model that learns representative attack features from raw traffic and classifies them in a unified framework. Moreover, we adopt the classification activation map structure, which can deeply mine the potential characteristics of traffic and enhance the effectiveness of attack features. While enhancing the data quality, we introduce the designed CB_SMOTE algorithm into DEIDS to expand the data and solve the problem of insufficient attack data in the system. Our comprehensive experiments on different open datasets indicate that DEIDS achieves an excellent performance (97 $$\%$$ detection accuracy) and outperforms the state-of-the-art methods. The experimental results also show that our method has high efficiency and high accuracy in processing ICSs datasets.

Rasoul Jafari Gohari,Laya Aliahmadipour,Marjan Kuchaki Rafsanjani

2024-09-05

Abstract:Software Defined Networks (SDN) face many security challenges today. A great deal of research has been done within the field of Intrusion Detection Systems (IDS) in these networks. Yet, numerous approaches still rely on deep learning algorithms. These algorithms suffer from complexity in implementation, high processing power and high memory consumption. In addition to security issues, firstly, the number of datasets that are based on SDN protocols are very small. Secondly, the ones that are available encompass numerous attacks in the network and do not focus on a single attack. For this reason, to introduce an SDN-based IDS with a focus on Distributed Denial of Service (DDoS) attacks, it is necessary to generate a DDoS-oriented dataset whose features can train a high-quality IDS. In this work, in order to address two important challenges in SDNs, initially, we generate three DDoS attack datasets based on three common and different network topologies. In the second step, using the Convolutional Tsetlin Machine (CTM), we introduce a lightweight IDS for DDoS attack dubbed CTMBIDS. The lightweight nature of the CTMBIDS stems from its low memory consumption and also its interpretability compared to the existing complex deep learning models. The low usage of system resources for the CTMBIDS makes it an ideal choice for an optimal software that consumes the SDN controllers least amount of memory. Also, in order to ascertain the quality of the generated datasets, we compare the CTMBIDS empirical results with the DDoS attacks of the KDDCup99 benchmark dataset as well. Since the main focus of this work is on a lightweight IDS, the results show the CTMBIDS performs much more efficiently than deep learning based approaches. Furthermore, the results also show in most datasets, the proposed method has relatively equal or better accuracy and also consumes much less memory than the existing methods.

Cryptography and Security

Ghulam Mohi-Ud-Din,Jiangbin Zheng,Zhiqiang Liu,Muhammad Asim,Jiajun Chen,Jinjing Liu,Zhijun Lin

DOI: https://doi.org/10.1109/vrhciai57205.2022.00051

2022-01-01

Abstract:Network traffic data has developed into an appealing target for attacks as new network communication services have drawn more attention. Due to the enormous number of data these systems create, conventional intrusion detection systems (IDS) cannot detect intruder behaviors in large-scale network systems. To detect malicious assaults early on, an effective IDS must be able to scan massive volumes of network traffic data quickly. In order to identify various types of intrusion in network systems, this study introduces a unique distributed network IDS (NIDS). The suggested NIDS is built on a distributed random forest that can analyze huge amounts of data quickly. The two steps of the suggested method are the traffic gathering module and the attack detection module. In VANETs, the random forest method was employed for real-time DDoS attack detection. A variety of performance criteria, including accuracy, precision, recall, and F1 score, were tested on the system to confirm the performance of the suggested framework. The proposed method achieves improved classification accuracy, according to the results. The suggested approach is suitable for complicated systems with high speed and low false alarm rates that require real-time intrusion detection.

Hao Zhang,Jie-Ling Li,Xi-Meng Liu,Chen Dong

DOI: https://doi.org/10.1016/j.future.2021.03.024

IF: 7.307

2021-01-01

Future Generation Computer Systems

Abstract:A robust network intrusion detection system (NIDS) plays an important role in cyberspace security for protecting confidential systems from potential threats. In real world network, there exists complex correlations among the various types of network traffic information, which may be respectively attributed to different abnormal behaviors and should be make full utilized in NIDS. Regarding complex network traffic information, traditional learning based abnormal behavior detection methods can hardly meet the requirements of the real world network environment. Existing methods have not taken into account the impact of various modalities of data, and the mutual support among different data features. To address the concerns, this paper proposes a multi-dimensional feature fusion and stacking ensemble mechanism (MFFSEM), which can detect abnormal behaviors effectively. In order to accurately explore the connotation of traffic information, multiple basic feature datasets are established considering different aspects of traffic information such as time, space, and load. Then, considering the association and correlation among the basic feature datasets, multiple comprehensive feature datasets are set up to meet the requirements of real world abnormal behavior detection. In specific, stacking ensemble learning is conducted on multiple comprehensive feature datasets, and thus an effective multi-dimensional global anomaly detection model is accomplished. The experimental results on the dataset KDD Cup 99, NSL-KDD, UNSW-NB15, and CIC-IDS2017 have shown that MFFSEM significantly outperforms the basic and meta classifiers adopted in our method. Furthermore, its detection performance is superior to other well-known ensemble approaches. (C) 2021 Elsevier B.V. All rights reserved.

Zhiqiang Liu,Mohi-Ud-Din Ghulam,Ye Zhu,Xuanlin Yan,Lifang Wang,Zejun Jiang,Jianchao Luo

DOI: https://doi.org/10.1007/978-981-15-0637-6_40

2019-01-01

Abstract:With the astonishing development of the Internet and its applications in the last decade, cyberattacks are changing quickly, and the necessity of protection for communication network has improved tremendously. As the primary defense, the intrusion detection system plays a crucial role in making sure the network security. Key to intrusion detection system is actually to determine a variety of attacks effectively as well as to adjust to a constantly changing threat scenario. DNN or Deep Neural Network on NSL-KDD dataset for effective detection of an attack. Firstly, the dataset was preprocessed and normalized and then fed to the DNN algorithm to create a model. For testing purpose, entire dataset of NSL-KDD was used. Finally, to analyze the accuracy and precision of the DNN model, we use accuracy and precision matrices. The proposed DNN-based strategy enhances network anomaly detection and opens new analysis gateway for intrusion detection systems.

Bo Hu,Jinxi Wang,Yifan Zhu,Tan Yang

DOI: https://doi.org/10.3390/electronics8090968

IF: 2.9

2019-01-01

Electronics

Abstract:Network Intrusion Detection System (NIDS) is one of the key technologies to prevent network attacks and data leakage. In combination with machine learning, intrusion detection has achieved great progress in recent years. However, due to the diversity of intrusion types, the representation learning ability of the existing models is still deficient, which limits the further improvement of the detection performance. Meanwhile, with the increasing of model complexity, the training time becomes longer and longer. In this paper, we propose a Dynamic Deep Forest method for network intrusion detection. It uses cascade tree structure to strengthen the representation learning ability. At the same time, the training process is accelerated due to small-scale parameter fitting and dynamic level-growing strategy. The proposed Dynamic Deep Forest is a tree-based ensemble approach and consists of two parts. The first part, Multi-Grained Traversing, uses selectors to pick up features as complete as possible. The selectors are constructed dynamically so that the training process will stop as soon as the optimal feature combination is found. The second part, Cascade Forest, introduces level-by-level tree structures. It has fewer hyper-parameters and follows a dynamic level-growing strategy to reduce model complexity. In experiments, we evaluate our model on network intrusion dataset KDD’99. The results show that the Dynamic Deep Forest method obtains higher recall and precision through a short time of model training. Moreover, the Dynamic Deep Forest method has lower risk of misclassification, which is more stable and reliable in a real network environment.

Ezgi Zorarpaci

DOI: https://doi.org/10.1016/j.engappai.2024.108162

IF: 8

2024-03-10

Engineering Applications of Artificial Intelligence

Abstract:Due to the widespread use of the internet, computer network systems may be exposed to different types of attacks. For this reason, the intrusion detection systems (IDSs) are often used to protect the network systems. Network traffic data (i.e., network packets) includes many features. However, most of them are irrelevant and can lead to a decrease in the runtime and/or the detection performance of the IDS. Although various data mining methods have been applied to improve the effectiveness of IDS, research regarding IDSs having high detection rates and better runtime performance (i.e., lower computational cost) is ongoing. On the other hand, the dimensionality reduction techniques help to eliminate unnecessary features and reduce the computation time of a classification algorithm. In the literature, the feature selection methods (i.e., filter and wrapper) have been widely used for the dimensionality reduction in IDSs. Although the wrapper feature selection techniques outperform the filters, they are time-consuming. Again, the ensemble classifiers can achieve higher detection rates for IDSs compared to the stand-alone classifiers, but they require more computation time to build the model. In order to improve the runtime performance and the detection rate of IDS, a swift wrapper feature selection and a speedy ensemble classifier are proposed in this study. For the dimensionality reduction, the swift wrapper feature selection (i.e., DBDE-QDA) is used, which consists of dichotomous binary differential evolution (DBDE) and quadratic discriminant analysis (QDA). For attack detection, the speedy ensemble classifier is used, which combines Holte's 1R, random tree, and reduced error pruning tree. In the experiments, the NSL-KDD, UNSW-NB15, and CICDDoS2019 datasets are used. According to the experimental results, the proposed IDS reaches 95%–97.4%, 82.7%, and 99.5%–99.9% detection rates for the NSL-KDD, UNSW-NB15, and CICDDoS2019 datasets. In this way, the proposed IDS competes with the state-of-the-art methods in terms of detection rate and false alarm rate. In addition, the proposed IDS has a lower computational cost than the state-of-the-art methods. Moreover, DBDE-QDA reduces the dimension by 60.97%–82.92%, 73.46%, and 96.55%–98.85% for the NSL-KDD, UNSW-NB15, and CICDoS2019 datasets.

automation & control systems,computer science, artificial intelligence,engineering, electrical & electronic, multidisciplinary

Jieren Cheng,Jianping Yin,Yun Liu,Zhiping Cai,Chengkun Wu

DOI: https://doi.org/10.1007/978-3-642-10847-1_17

2009-01-01

Abstract:Detection of Distributed denial of service (DDoS) attacks is currently a hot topic in both industry and academia. We present an IP flow interaction algorithm (IFI) merging multi-feature of normal flow and DDoS attack flow. Using IFI time series describe the state of network flow, we propose an efficient DDoS attack detection method based on IFI time series (DADF). DADF employs an adaptive parameter estimate algorithm and detects DDoS attack by associating with the states of IFI time series and an alert evaluation mechanism. Experiment results demonstrate that IFI can well fuse the multiple features of normal flow and DDoS attack flow and it is efficient to be used to distinguish normal flow from DDoS attack flow; DADF can fast detect DDoS attack with higher detection rate and lower false alarm rate under relatively large normal background flows.