Wei Yang,Yao Shan,Jiaxuan Wang,Yu Yao

DOI: https://doi.org/10.1007/s10586-024-04338-1

2024-03-18

Cluster Computing

Abstract:The openness and interconnectedness of industrial control systems (ICSs) is increasing, leading to a heightened risk of network-based attacks. Although research on industrial intrusion detection is ongoing, current methods often overlook the unique characteristics of industrial control flows. This study introduced an industrial network intrusion detection algorithm based on the improved gray wolf optimizer (IGWO) gated recurrent unit (GRU) model. Starting with the temporal aspects of industrial control network traffic, a simple GRU was chosen as the network model. By integrating the gray wolf optimizer (GWO) with autonomous learning methods, the algorithm could address the slow convergence caused by large volumes of industrial control network traffic. In response to the slow convergence of the GWO and its low optimization accuracy, this study developed the improved gray wolf optimizer (IGWO). By simulating an intrusion detection system (IDS) using datasets from the Natural Gas Pipeline Control System and Secure Water Treatment (SWaT) datasets, the experimental results demonstrated that the IGWO-GRU algorithm exhibited considerable advantages in terms of accuracy, false alarm rate, and false report rate, thereby enhancing the security capabilities of ICSs.

computer science, information systems, theory & methods

Yawen Xue,Jie Pan,Yangyang Geng,Zeyu Yang,Mengxiang Liu,Ruilong Deng

DOI: https://doi.org/10.1109/ticps.2024.3406505

2024-01-01

Abstract:Industrial control systems (ICSs) are becoming increasingly interconnected as the rapid convergence of information technology (IT) and operation technology (OT) networks, and meanwhile massive attack surfaces have been exposed. However, traditional intrusion detection systems (IDSs) are difficult to be directly deployed in ICSs due to the hard real-time requirement and rare patching chance. Besides, the design of effective and practical IDSs is hampered by the lack of benchmarking ICS cybersecurity datasets. To bridge the gaps, this paper makes the first attempt by open-sourcing the developed ICS cybersecurity datasets and proposing a decision fusion based real-time IDS. Firstly, we design a customized cybersecurity dataset in a full-hardware and high-fidelity platform, including 7 types of cyber threats tailored for ICSs. The collected dataset includes network traffic, sensor readings, actuator status, and system parameters, providing the state-of-the-art benchmark dataset for ICSs consisting of cross-layer characteristics. Furthermore, we design an online decision fusion-based IDS by strategically integrating 4 widely-used machine learning models. The proposed IDS is deployed on a real-time running ethanol distillation, surpassing the performance of single detection models in terms of precision and F1-score, which substantially enhances intrusion detection accuracy and cybersecurity of ICS.

Yixin Jiang,Yunan Zhang,Xiaoyun Kuang,Aidong Xu,Xuzhu Dong,Shiyong Dai,Jinhua Huang

DOI: https://doi.org/10.1109/ei256261.2022.10116191

2022-01-01

Abstract:Industrial control network intrusion detection system has higher requirements for detection rate, false positive rate, and real-time performance. In order to solve this problem, this paper proposed a new type of feature extractor abstracting mapping from the original low-level feature set to the high-level feature set. This feature extractor is composed of 3 heterogeneous sub-feature extractors 1D CNN, LSTM, and SAE. Secondly, the integrated feature set passes through a random forest (RF) classifier. Thirdly, combined with the regularity and stability of the industrial control network, a suspected host inspection method is designed based on the sequential hypothesis testing of real-time network traffic. This method uses the individual learner results of the above 3 feature extractors. Combining the above, two-stage fusion (SHT-RF) is carried out to realize real-time industrial control network intrusion detection, and achieve the purpose of improving the detection rate and enhancing the robustness of the system. Finally, it is verified on the CICIDS2017 data set. The detection rate of the proposed method is 99.59%, and the false positive rate is 0.09%. Compared with other machine learning methods, it has achieved a good improvement effect.

Ziming Zhao,Zhaoxuan Li,Xiaofei Xie,Jiongchi Yu,Fan Zhang,Rui Zhang,Binbin Chen,Xiangyang Luo,Ming Hu,Wenrui Ma

DOI: https://doi.org/10.1109/tnet.2024.3413789

2024-01-01

Abstract:Anomaly-based network intrusion detection systems (NIDSs) are essential for ensuring cybersecurity. However, the security communities realize some limitations when they put most existing proposals into practice. The challenges are mainly concerned with fine-grained unknown attack detection and ever-changing legitimate traffic adaptation. To tackle these problem, we present three key design norms. The core idea is to construct a model to split the data distribution hyperplane and leverage the concept of isolation, as well as advance the incremental model update. We utilize the isolation tree as the backbone to design our model, named, to echo back three norms. By analyzing the popular dataset of network intrusion traces, we show that significantly outperforms the state-of-the-art methods. Further, we perform an initial deployment of by working with the Internet Service Provider (ISP) to detect distributed denial of service (DDoS) attacks. With real-world tests and manual analysis, we demonstrate the effectiveness of to identify previously-unseen attacks in a fine-grained manner.

Kai Jin,Lei Zhang,Yujie Zhang,Duo Sun,Xiaoyuan Zheng

DOI: https://doi.org/10.3390/electronics12204329

IF: 2.9

2023-10-19

Electronics

Abstract:The current mainstream intrusion detection models often have a high false negative rate, significantly affecting intrusion detection systems' (IDSs) practicability. To address this issue, we propose an intrusion detection model based on a multi-scale one-dimensional convolutional neural network module (MS1DCNN), an efficient channel attention module (ECA), and two bidirectional long short-term memory modules (BiLSTMs). The proposed hybrid MS1DCNN-ECA-BiLSTM model uses the MS1DCNN module to extract features with a different granularity from the input data and uses the ECA module to enhance the weight of important features. Finally, the model carries out sequence learning through two BiLSTM layers. We use the dung beetle optimizer (DBO) to optimize the hyperparameters in the model to obtain better classification results. Additionally, we use the synthetic minority oversampling technique (SMOTE) to fill several samples to reduce the local false negative rate. In this paper, we train and test the model using accurate network data from a water storage industrial control system. In the multi-classification experiment, the model's accuracy was 97.04%, the precision was 97.17%, and the false negative rate was 2.95%; in the binary classification experiment, the accuracy and false negative rate were 99.30% and 0.7%. Compared with other mainstream methods, our model has a higher score. This study provides a new algorithm for the intrusion detection of industrial control systems.

engineering, electrical & electronic,computer science, information systems,physics, applied

Ying Gao,Jixiang Chen,Hongyue Miao,Binjie Song,Yiqin Lu,Weiqiang Pan

DOI: https://doi.org/10.1109/tcss.2021.3135586

2022-01-01

IEEE Transactions on Computational Social Systems

Abstract:Thanks to the great advancement of cognitive computing, artificial intelligence, big data, and the Internet of Things (IoT) technologies, the fusion of the physical and virtual worlds is changing people’s lifestyles. Although the research and deployment of cyber-physical systems (CPSs) are notably promoted by cognitive computing, the reliability and large-scale application of CPSs are still significantly challenged by some security issues. Therefore, it is meaningful to clarify and address the weaknesses of current intrusion detection methods for CPSs and enhance the ability to identify, analyze, and predict to improve the performance of intrusion detection. In this article, we first propose a novel self-learning spatial distribution algorithm, named Euclidean distance-based between-class learning (EBC learning), which improves between-class learning by calculating the Euclidean distance (ED) among $k$ -nearest neighbors of different classes. In addition, a cognitive computing-based intrusion detection method named border-line SMOTE and EBC learning based on random forest (BSBC-RF) is also proposed based on the EBC learning for industrial CPSs. The experimental results over a real industrial traffic dataset show that the proposed EBC learning has strong spatial constraint capability and can improve the prediction and recognition performance. Compared with the eight state-of-the-art methods, the proposed method has an ACC exceeding 99.5%, false alarm rate (FAR) less than 0.06%, and $F1$ close to 0.99, which is still superior to other ones.

Yichi Zhang,Chunhua Yang,Keke Huang,Yonggang Li

DOI: https://doi.org/10.1109/tnse.2022.3184975

IF: 6.6

2022-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Industrial Internet-of-Things (IIoT) are highly vulnerable to cyber-attacks due to their open deployment in unattended environments. Intrusion detection is an efficient solution to improve security. However, because the labeled samples are difficult to obtain, and the sample categories are imbalanced in real applications, it is difficult to obtain a reliable model. In this paper, a general framework for intrusion detection is proposed based on graph neural network technologies. In detail, a network embedding feature representation is proposed to deal with the high dimensional, redundant but categories imbalanced and rare labeled data in IIoT. To avoid the influence caused by the inaccurate network structure, a network constructor with refinement regularization is designed to amend it. At last, the network embedding representation weights and network constructor are trained together. The high accuracy and robust properties of the proposed method were verified by conducting intrusion detection tasks based on public datasets. Compared with several state-of-art algorithms, the proposed framework outperforms these methods in many evaluation metrics. In addition, a hard-in-the-loop platform is designed to test the performance in real environments. The results show that the method can not only identify different attacks but also distinguish between cyber-attacks and physical failures.

engineering, multidisciplinary,mathematics, interdisciplinary applications

Wenbin Yu,Yiyin Wang,Lei Song

DOI: https://doi.org/10.20944/preprints201912.0174.v1

2019-01-01

Abstract:Standard Ethernet (IEEE 802.3 and the TCP/IP protocol suite) is gradually applied in industrial control system (ICS) with the development of information technology. It breaks the natural isolation of ICS, but contains no security mechanism. A modified intrusion detection system (IDS), which is strongly correlated to specific industrial scenario, is necessary for modern ICS. On the one hand, this paper outlines attack models, including infiltration attacks and our creative forging attack. On the other hand, we proposes a hierarchical IDS, which contains a traffic prediction model and an anomaly detection model. The traffic prediction model, which is based on autoregressive integrated moving average (ARIMA), can forecast the traffic of ICS network in the short term and precisely detect the infiltration attacks according to abnormal changes in traffic pattern. The anomaly detection model using one-class support vector machine (OCSVM) is able to detect malicious control instructions by analyzing the key field in EtherNet/IP packets. The experimental results show that the hierarchical IDS has an outstanding performance in detecting infiltration attacks and forging attack compared with other two innovative IDSs.

Wei Liang,Kuan-Ching Li,Jing Long,Xiaoyan Kui,Albert Y. Zomaya

DOI: https://doi.org/10.1109/tii.2019.2946791

IF: 12.3

2020-03-01

IEEE Transactions on Industrial Informatics

Abstract:Industrial networks are complex and diverse. Among existing intrusion prevention systems available, several of them have problems such as low detection accuracy rate, high false positive (FP) rate, and low real-time performance for impersonation attacks. To address such issues, it is proposed in this article an industrial network intrusion detection algorithm based on multifeature data clustering optimization model, where the weighted distances and security coefficients of data are classified based on the priority threshold of data attribute feature for each node in the network, given that the data modules in the industrial network environment are diverse and easy to diagnose, restore, and rebuild. The proposed algorithm can effectively improve the detection rate and real-time performance of detecting abnormal behavior for the multifeature data in industrial networks. The novel features are twofold, to rapidly select a node with high-security coefficient as the cluster center, and match the multifeature data around the center into a cluster. Experimental results show that the proposed algorithm has good superiority in terms of detection rate and time compared to other algorithms. In the industrial network, the detection accuracy of abnormal data reaches 97.8, and the FP of detection is decreased by 8.8.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Zhendong Wang,Xin Yang,Zhiyuan Zeng,Daojing He,Sammy Chan

DOI: https://doi.org/10.1007/s12083-024-01749-0

2024-01-01

Abstract:With the continual evolution of network technologies, the Internet of Things (IoT) has permeated various sectors of society. However, over the past decade, the annual discovery of cyberattacks has shown an exponential surge, inflicting severe damage to economic development. Aiming at the high false alarm rate, poor classification performance and overfitting problems in current intrusion detection systems, this paper proposes an efficient hierarchical intrusion detection model named ET-DCANET. Initially, the extreme random tree algorithm is employed for feature selection to meticulously curate the optimal feature subset. Subsequently, the dilated convolution and dual attention mechanism (including channel attention and spatial attention) are introduced, and a strategy of gradual transition from coarse-grained learning to fine-grained learning is proposed by gradually narrowing the expansion rate of cavity convolution, and the DCNN and dual attention modules are progressively refined to effectively utilize the synergy of DCNN and Attention to extract spatial and temporal features. This gradual transition from coarse-grained learning to fine-grained learning helps to better balance global and local information when dealing with complex data, and improves the performance and generalization ability of the model. To confront the class imbalance issue within the dataset, a novel loss function, EQLv2, is introduced as a substitute for the conventional cross-entropy (CE) loss. This innovation directs the model's focus toward minority class samples, ultimately enhancing the overall performance of the model. The proposed model shows excellent intrusion detection on the NSL-KDD, UNSW-NB15, and X-IIoTID datasets with accuracy rates of 99.68

Kai Yang,JiaMing Wang,MinJing Li

DOI: https://doi.org/10.1038/s41598-024-70094-2

2024-08-20

Abstract:In the field of Industrial Internet of Things (IIoT), existing intrusion detection models face challenges in three main areas: low accuracy in detecting attack traffic, feature redundancy when dealing with high-dimensional and complex attack traffic, making it difficult to capture critical information, and a tendency to favor learning common categories while neglecting rare categories when handling imbalanced data. To tackle these challenges, this study introduces an intrusion detection method that combines an attention mechanism, Bidirectional Gated Recurrent Units (BiGRU), and Inception Convolutional Neural Network (Inception-CNN) to enhance the model's detection rate. Simultaneously, the method employs a mixed sampling strategy for data resampling to address the bias learning issue caused by data imbalance. Additionally, the method employs a hybrid sampling strategy for data resampling to address the bias learning issue caused by data imbalance. It also incorporates denoising techniques to handle potential dataset noise introduced by hybrid sampling. Furthermore, a feature selection method combining Pearson correlation coefficient and Random Forest is applied to eliminate feature redundancy, enhancing the model's ability to capture crucial information from high-dimensional attack traffic. Experimental validation on internationally recognized datasets (Edge-IIoTset, CIC-IDS2017, and CIC IoT 2023) affirms the reliability of the proposed intrusion detection method. This approach underscores the significance of intrusion detection in the security of Industrial IoT and showcases its potential in addressing pertinent challenges in network security.

Bing Hu,Yuanguo Bi,Mingjian Zhi,Kuan Zhang,Feihong Yan,Qian Zhang,Zheng Liu

DOI: https://doi.org/10.1109/tii.2021.3133300

IF: 12.3

2022-06-01

IEEE Transactions on Industrial Informatics

Abstract:The unprecedented development of intelligent manufacturing requires to customize and change the network traffic strategies frequently. With the advantages of highagility and programmability, software-defined networking can dynamically manage industrial networks, which makes it a promising networking technology for intelligent manufacturing. However, the software-defined industrial network architecture is vulnerable to network attacks, which may degrade manufacturing productivity, and even cause accidents. In this article, we propose a deep learning-based one-class intrusion detection scheme (DO-IDS) to improve the security of industrial networks. Firstly, DO-IDS periodically extracts the flow statistics of the industrial network traffic to generate network status features. Then, it utilizes a deep learning-based dimension reduction approach to filter redundant features. In addition, a deep learning-based one-class detector is designed to calculate the abnormal scores of the network status features. Finally, we conduct extensive simulations, which demonstrates that DO-IDS can detect abnormal traffic with enhanced accuracy and high efficiency.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Guangxia Lia,Yulong Shena,Peilin Zhaob,Xiao Lu,Jia Liu,Yangyang Liu,Steven C. H. Hoi

DOI: https://doi.org/10.48550/arXiv.1912.03589

IF: 5.414

2019-12-08

Machine Learning

Abstract:Industrial control systems are critical to the operation of industrial facilities, especially for critical infrastructures, such as refineries, power grids, and transportation systems. Similar to other information systems, a significant threat to industrial control systems is the attack from cyberspace---the offensive maneuvers launched by "anonymous" in the digital world that target computer-based assets with the goal of compromising a system's functions or probing for information. Owing to the importance of industrial control systems, and the possibly devastating consequences of being attacked, significant endeavors have been attempted to secure industrial control systems from cyberattacks. Among them are intrusion detection systems that serve as the first line of defense by monitoring and reporting potentially malicious activities. Classical machine-learning-based intrusion detection methods usually generate prediction models by learning modest-sized training samples all at once. Such approach is not always applicable to industrial control systems, as industrial control systems must process continuous control commands with limited computational resources in a nonstop way. To satisfy such requirements, we propose using online learning to learn prediction models from the controlling data stream. We introduce several state-of-the-art online learning algorithms categorically, and illustrate their efficacies on two typically used testbeds---power system and gas pipeline. Further, we explore a new cost-sensitive online learning algorithm to solve the class-imbalance problem that is pervasive in industrial intrusion detection systems. Our experimental results indicate that the proposed algorithm can achieve an overall improvement in the detection rate of cyberattacks in industrial control systems.

Jun Wang,Changfu Si,Zhen Wang,Qiang Fu

DOI: https://doi.org/10.32604/cmc.2024.050223

2024-01-01

Abstract:Nowadays, with the rapid development of industrial Internet technology, on the one hand, advanced industrial control systems (ICS) have improved industrial production efficiency. However, there are more and more cyber-attacks targeting industrial control systems. To ensure the security of industrial networks, intrusion detection systems have been widely used in industrial control systems, and deep neural networks have always been an effective method for identifying cyber attacks. Current intrusion detection methods still suffer from low accuracy and a high false alarm rate. Therefore, it is important to build a more efficient intrusion detection model. This paper proposes a hybrid deep learning intrusion detection method based on convolutional neural networks and bidirectional long short-term memory neural networks (CNN-BiLSTM). To address the issue of imbalanced data within the dataset and improve the model’s detection capabilities, the Synthetic Minority Over-sampling Technique-Edited Nearest Neighbors (SMOTE-ENN) algorithm is applied in the preprocessing phase. This algorithm is employed to generate synthetic instances for the minority class, simultaneously mitigating the impact of noise in the majority class. This approach aims to create a more equitable distribution of classes, thereby enhancing the model’s ability to effectively identify patterns in both minority and majority classes. In the experimental phase, the detection performance of the method is verified using two data sets. Experimental results show that the accuracy rate on the CICIDS-2017 data set reaches 97.7%. On the natural gas pipeline dataset collected by Lan Turnipseed from Mississippi State University in the United States, the accuracy rate also reaches 85.5%.

Guolou Ping,Xiaojun Ye

DOI: https://doi.org/10.1109/ijcnn55064.2022.9892858

2022-01-01

Abstract:The constant emergence of previously unseen applications and network attacks on the ever-changing Internet poses a serious challenge to traditional intrusion detection solutions. This paper aims to develop an intrusion detection system capable of distinguishing between past seen malicious and benign behaviors and inferring unseen ones. We formulate the problem of seen/unseen intrusion detection as an openset detection problem for known malicious, known benign and unknown behaviors, where unknown ones include both unseen malicious and benign behaviors. Subsequently, we propose an open-set intrusion detection system, OpenIDS, which addresses the problem through three modules: the MinMax autoencoder, the classifier, and the pseudo extreme value machine. The MinMax autoencoder maximizes the difference between the known malicious traffic and benign traffic and places unknown traffic in between. The deep classifier takes the basic traffic features and the discriminative traffic features extracted by the MinMax autoencoder as input to achieve the known intrusion detection. The completely modeled pseudo extreme value machine gets used to calibrate the penultimate layer activation of the classifier and then infers the unknown traffic by thresholding the calibrated scores. Experiments performed on datasets USTC-TFC2016 & CSE-CIC-IDS2018+ show that the proposed scheme is better than previously baseline models and can be effectively applied to realistic network environments.

Wanjun LIU,Jitao QIN,Haicheng QU

DOI: https://doi.org/10.11772/j.issn.1001-9081.2017102502

2018-01-01

Abstract:Since the intrusion detection method based on One-Class Support Vector Machine (OCSVM) can not detect internal abnormal points and outliers,which leads to the deviation of decision function from training samples.A new OCSVM anomaly detection function combining DBSCAN (Density-Based Spatial Clustering of Applications with Noise) and K-means was proposed.Firstly,the outliers in the training data were removed by DBSCAN algorithm to eliminate the influence of outliers.Then,K-means clustering method was used to classify normal data clusters,so that the internal abnormal points could be selected.Finally,a one-class classifier for each data cluster was created to detect exception data by OCSVM algorithm.The experimental results on industrial control networks show that the combined classifier can detect the intrusion attacks of the industrial control network by using normal data,and it can improve the detection effect of OCSVM algorithm.In intrusion detection experiment of gas pipeline,the overall detection rate of the proposed method is 91.81％,while the overall detection rate of OCSVM algorithm is 80.77％.

Wenbin Yu,Yiyin Wang,Lei Song

DOI: https://doi.org/10.3390/electronics8121545

IF: 2.9

2019-01-01

Electronics

Abstract:Standard Ethernet (IEEE 802.3 and the TCP/IP protocol suite) is gradually applied in industrial control system (ICS) with the development of information technology. It breaks the natural isolation of ICS, but contains no security mechanisms. An improved intrusion detection system (IDS), which is strongly correlated to specific industrial scenarios, is necessary for modern ICS. On one hand, this paper outlines three kinds of attack models, including infiltration attacks, creative forging attacks, and false data injection attacks. On the other hand, a two stage IDS is proposed, which contains a traffic prediction model and an anomaly detection model. The traffic prediction model, which is based on the autoregressive integrated moving average (ARIMA), can forecast the traffic of the ICS network in the short term and detect infiltration attacks precisely according to the abnormal changes in traffic patterns. Furthermore, the anomaly detection model, using a one class support vector machine (OCSVM), is able to detect malicious control instructions by analyzing the key field in Ethernet/IP packets. The confusion matrix is selected to testify to the effectiveness of the proposed method, and two other innovative IDSs are used for comparison. The experiment results show that the proposed two stage IDS in this paper has an outstanding performance in detecting infiltration attacks, forging attacks, and false data injection attacks compared with other IDSs.

Ankang Chu,Yingxu Lai,Jing Liu

DOI: https://doi.org/10.1155/2019/6757685

IF: 1.968

2019-01-01

Security and Communication Networks

Abstract:Intrusion detection is essential for ensuring the security of industrial control systems. However, conventional intrusion detection approaches are unable to cope with the complexity and ever-changing nature of industrial intrusion attacks. In this study, we propose an industrial control intrusion detection approach based on a combined deep learning model for communication processes that use the Modbus protocol. Initially, the network packets are classified as carrying information and noncarrying information based on key fields according to the communication protocol used. Next, a template comparison approach is employed to detect the network packets that do not carry any information. Furthermore, an approach based on a GoogLeNet-long short-term memory model is used to detect the network packets that do carry information. This approach involves network packet sequence construction, feature extraction, and time-series level detection. Subsequently, the detected intrusions are classified into multiple categories through a Softmax classifier. A gas pipeline dataset of the Modbus protocol is used to evaluate the proposed approach and compare it with existing strategies. The accuracy, false-positive rate, and miss rate are 97.56%, 2.42%, and 2.51%, respectively, thus confirming that the proposed approach is suitable for intrusion detection in industrial control systems.

Jiashu Wu,Hao Dai,Kenneth B. Kent,Jerome Yen,Chengzhong Xu,Yang Wang

2024-01-08

Abstract:As IoT devices become widely, it is crucial to protect them from malicious intrusions. However, the data scarcity of IoT limits the applicability of traditional intrusion detection methods, which are highly data-dependent. To address this, in this paper we propose the Open-Set Dandelion Network (OSDN) based on unsupervised heterogeneous domain adaptation in an open-set manner. The OSDN model performs intrusion knowledge transfer from the knowledge-rich source network intrusion domain to facilitate more accurate intrusion detection for the data-scarce target IoT intrusion domain. Under the open-set setting, it can also detect newly-emerged target domain intrusions that are not observed in the source domain. To achieve this, the OSDN model forms the source domain into a dandelion-like feature space in which each intrusion category is compactly grouped and different intrusion categories are separated, i.e., simultaneously emphasising inter-category separability and intra-category compactness. The dandelion-based target membership mechanism then forms the target dandelion. Then, the dandelion angular separation mechanism achieves better inter-category separability, and the dandelion embedding alignment mechanism further aligns both dandelions in a finer manner. To promote intra-category compactness, the discriminating sampled dandelion mechanism is used. Assisted by the intrusion classifier trained using both known and generated unknown intrusion knowledge, a semantic dandelion correction mechanism emphasises easily-confused categories and guides better inter-category separability. Holistically, these mechanisms form the OSDN model that effectively performs intrusion knowledge transfer to benefit IoT intrusion detection. Comprehensive experiments on several intrusion datasets verify the effectiveness of the OSDN model, outperforming three state-of-the-art baseline methods by 16.9%.

Machine Learning,Artificial Intelligence,Cryptography and Security

Shuyuan Xu,Linsen Li,Hangjun Yang,Junhua Tang

DOI: https://doi.org/10.1109/ictai52525.2021.00213

2021-01-01

Abstract:Intrusion detection can distinguish between normal traffic and intrusions. It can be abstracted as a classification problem to use deep learning tools. However, there are unknown intrusions in the real network environment, and their detection is an open set recognition problem. Existing methods such as OpenMax only calculate classification probabilities more smartly, but they can’t explicitly teach the network to recognize features of unknown classes. To improve the ability of deep learning tools to deal with intrusion detection problems based on the open set, the KCC (Known Central Clustering) method is proposed in this paper and is compatible with the existing network architectures. Considering that the high-dimensional vectors in the embedding space represent the deep features, different classes of intrusions in this space have their clusters. By introducing CD-loss (Class Distance-loss), we can get the centers of different class clusters. By introducing negative samples as the unknown classes for training, we can get the threshold of the known classes and reject unknown intrusions by comparing them with fuzzy distance. Experiments on CIC-IDS2017 and CIC-DDoS2019 datasets show that the KCC method improves the classification accuracy of known intrusions and reduces the misclassification rate of unknown intrusions.