Wei Wang,Xiaohong Guan,Xiangliang Zhang

DOI: https://doi.org/10.1007/978-3-540-28648-6_105

2004-01-01

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework and a hot topic in computer security in recent years. In this paper, a new intrusion detection method based on Principle Component Analysis (PCA) with low overhead and high efficiency is presented. System call data and command sequences data are used as information sources to validate the proposed method. The frequencies of individual system calls in a trace and individual commands in a data block are computed and then data column vectors which represent the traces and blocks of the data are formed as data input. PCA is applied to reduce the high dimensional data vectors and distance between a vector and its projection onto the subspace reduced is used for anomaly detection. Experimental results show that the proposed method is promising in terms of detection accuracy, computational expense and implementation for real-time intrusion detection.

Guisong Liu,Zhang Yi,Shangming Yang

DOI: https://doi.org/10.1016/j.neucom.2006.10.146

IF: 6

2007-01-01

Neurocomputing

Abstract:Most of existing intrusion detection (ID) models with a single-level structure can only detect either misuse or anomaly attacks. A hierarchical ID model using principal component analysis (PCA) neural networks is proposed to overcome such shortages. In the proposed model, PCA is applied for classification and neural networks are used for online computing. Experimental results and comparative studies based on the 1998 DARPA evaluation data sets are given, which show the proposed model can classify the network connections with satisfying performance.

Wei Wang,Xiaohong Guan,Xiangliang Zhang

DOI: https://doi.org/10.1016/j.comcom.2007.10.010

IF: 5.047

2008-01-01

Computer Communications

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework. Most current intrusion detection models lack the ability to process massive audit data streams for real-time anomaly detection. In this paper, we present an effective anomaly intrusion detection model based on Principal Component Analysis (PCA). The model is more suitable for high speed processing of massive data streams in real-time from various data sources by considering the frequency property of audit events than by use of the transition property or the correlation property. It can serve as a general framework that a practical Intrusion Detection Systems (IDS) can be implemented in various computing environments. In this method, a multi-pronged anomaly detection model is used to monitor various computer system and network behaviors. Three sources of data, system call data from the University of New Mexico (lpr) and from KLINNS Lab of Xi'an Jiaotong University (ftp), shell command data from AT&T Research laboratory, and network data from MIT Lincoln Lab, are used to validate the model and the method. The frequencies of individual system calls generated by one process and of individual commands embedded in one command block as well as features extracted in one network connection are transformed into an input data vector. Our method is employed to reduce the high dimensional data vectors and thus the detection is handled in a lower dimension with high efficiency and low use of system resources. The distance between a vector and its reconstruction in the reduced subspace is used for anomaly detection. Empirical results show that our model is promising in terms of detection accuracy and computational efficiency, and thus amenable for real-time intrusion detection.

Da-long LIU,Dong-qin FENG

DOI: https://doi.org/10.3785/j.issn.1008-973X.2018.09.014

2018-01-01

Abstract:As industrial control system is threatened by sinusoidal attack, the mathematical model was established using a typical loop of the control system; the Fourier transform and wavelet analysis was used to analyze its different characteristics in the aspect of attack ability and concealment. Then, an algorithm was developed against sinusoidal attack using multi-scale principal component analysis (MSPCA) with online implementation. Simulation of sinusoidal attack on Tenessee Eastman (TE) process show that sinusoidal attack not only causes physical damage, but also conceals the damage. When the frequency of sinusoidal attack is higher, the attack can not be detected by the traditional principal component analysis (PCA) method, meanwhile, our method can detect the attack quickly and accurately.

Xin Xu,Xuening Wang

DOI: https://doi.org/10.1007/11527503_82

2005-01-01

Abstract:Network intrusion detection is an important technique in computer security. However, the performance of existing intrusion detection systems (IDSs) is unsatisfactory since new attacks are constantly developed and the speed of network traffic volumes increases fast. To improve the performance of IDSs both in accuracy and speed, this paper proposes a novel adaptive intrusion detection method based on principal component analysis (PCA) and support vector machines (SVMs). By making use of PCA, the dimension of network data patterns is reduced significantly. The multi-class SVMs are employed to construct classification models based on training data processed by PCA. Due to the generalization ability of SVMs, the proposed method has good classification performance without tedious parameter tuning. Dimension reduction using PCA may improve accuracy further. The method is also superior to SVMs without PCA in fast training and detection speed. Experimental results on KDD-Cup99 intrusion detection data illustrate the effectiveness of the proposed method.

Rula Abdulwahid Mohammed,Youssef A. Bazzi

DOI: https://doi.org/10.47001/irjiet/2024.802001

2024-01-01

International Research Journal of Innovations in Engineering and Technology

Abstract:The ever-evolving cybersecurity sector requires robust intrusion detection systems (IDS). Traditional rules-based measures are no longer sufficient due to the complexity of cyber threats, requiring new approaches. This study presents the architecture of an intrusion detection system combining machine learning and principal component analysis (PCA) to increase network security. A network traffic classification system was built and tested on the NSL-KDD dataset and used PCA for dimensionality reduction. The results were cross-validated to reduce overfitting and ensure generalizability of the model. Low-variance precision refers to the consistency of the cross-validation fold. The combination of PCA and machine learning models exceeds previous studies with an F1 score for the random forest model of over 99%. The study improves intrusion detection and network protection against cyber-attacks.

Jun Zheng,Yujie Zhou

DOI: https://doi.org/10.1080/09720529.2017.1310979

2017-07-04

Journal of Discrete Mathematical Sciences and Cryptography

Abstract:Intrusion detection algorithm is a hot topic in the field of computer and network safety. The large load and high dimensionality of original network data collected by network traffic collector will reduce the detection efficiency and accuracy. Therefore, dimensionality reduction is necessary for original network data. Principal component analysis (PCA) is a common method for dimensionality reduction, but it only extracts principal components from the input data without considering the explanatory power of principal components on the output variables. To address this problem, we improve on the conventional PCA algorithm and apply this method to intrusion detection. Experiment shows that the improved PCA algorithm achieves better effect in dimensionality reduction and intrusion detection.

Xianjing Li,Dongqin Feng

DOI: https://doi.org/10.1109/iciscae48440.2019.221645

2019-01-01

Abstract:Currently, the industrial control systems (ICS) have faced many changeable and complexed attacks. Apart from normal attack, there are also many variations, which put ICS into a huge hidden danger. Under this circumstance, the traditional detection techniques cannot identify the special variation types of attacks, effectively, comprehensively nor accurately. Therefore, a detection method named principal component analysis (PCA) with cosine similarity and support vector machine (SVM) is proposed. Moreover, the method is applied to detect the square wave attack in ICS. The detection method is executed as follows. Firstly, the raw signals are classified, by selecting proper length. Secondly, PCA method are used to reduce the dimension. Based on the first normal signal, the cosine similarity coefficients between the first normal part and the rest are calculated. Hence, the attack-feature vectors are composed by similarity coefficients. Next, data after that is selected to serve as the SVM training sample, replenishing the attack features. As for simulation, the cascade control loop of a typical industrial control system is chosen. The results show that the method can detect the signals, timely and accurately, no matter periodic square wave attack or aperiodic. For system, the proposed method and model can judge the security state of ICS. Above all, this method provides accurate decision-making suggestions to security management personnel.

Insha Ullah,Kerrie Mengersen,Rob J Hyndman,James McGree

DOI: https://doi.org/10.48550/arXiv.2107.12592

2021-07-27

Abstract:Organizations such as government departments and financial institutions provide online service facilities accessible via an increasing number of internet connected devices which make their operational environment vulnerable to cyber attacks. Consequently, there is a need to have mechanisms in place to detect cyber security attacks in a timely manner. A variety of Network Intrusion Detection Systems (NIDS) have been proposed and can be categorized into signature-based NIDS and anomaly-based NIDS. The signature-based NIDS, which identify the misuse through scanning the activity signature against the list of known attack activities, are criticized for their inability to identify new attacks (never-before-seen attacks). Among anomaly-based NIDS, which declare a connection anomalous if it expresses deviation from a trained model, the unsupervised learning algorithms circumvent this issue since they have the ability to identify new attacks. In this study, we use an unsupervised learning algorithm based on principal component analysis to detect cyber attacks. In the training phase, our approach has the advantage of also identifying outliers in the training dataset. In the monitoring phase, our approach first identifies the affected dimensions and then calculates an anomaly score by aggregating across only those components that are affected by the anomalies. We explore the performance of the algorithm via simulations and through two applications, namely to the UNSW-NB15 dataset recently released by the Australian Centre for Cyber Security and to the well-known KDD'99 dataset. The algorithm is scalable to large datasets in both training and monitoring phases, and the results from both the simulated and real datasets show that the method has promise in detecting suspicious network activities.

Cryptography and Security,Methodology

Zhenhui Wang,Dezhi Han,Ming Li,Han Liu,Mingming Cui

DOI: https://doi.org/10.1080/09540091.2022.2051434

2022-04-07

Connection Science

Abstract:Network abnormal traffic detection can monitor the network environment in real time by extracting and analysing network traffic characteristics, and plays an important role in network security protection. In order to solve the problems that the existing detection methods cannot fully learn the spatio-temporal characteristics of data, the classification accuracy is not high, and the detection time and accuracy are susceptible to the influence of redundant data in the sample. Thus, this paper proposes a network abnormal detection method (PCSS) integrating principal component analysis (PCA) and single-stage headless face detector algorithms (SSH). PCSS applies the PCA algorithm to the data preprocessing to eliminate the interference of redundant data. At the same time, PCSS also combines feature fusion and SSH to enhance the feature extraction of unclear features data, and effectively improve the detection speed and accuracy. Simulation experiments based on IDS2017 and IDS2012 data sets are carried out in this paper. Experimental results show that PCSS is obviously superior to other detection models in detection speed and accuracy, which provides a new method for efficiently detecting traffic attacks.

computer science, artificial intelligence, theory & methods

You Chen,Yang Li,Xue-Qi Cheng,Li Guo

DOI: https://doi.org/10.1109/icct.2006.341992

2006-01-01

Abstract:An appropriate feature set helps to build efficient decision model as well as reduced feature set lights up the training and testing process considerably. In this paper, we propose a new approach to build efficient Intrusion detection system (IDS) based on principal component analysis and C4.5. Our method is able to significantly decrease training and testing times while retaining high detection rates with low false positives rates as well as stable feature selection results. We have examined the feasibility of our approach by conducting several experiments using KDD 1999 CUP intrusion dataset. The experimental results show the feasibility of our approach to enable one to building efficient IDS.

Wen Jie Tian,Ji Cheng Liu

DOI: https://doi.org/10.1109/WNIS.2009.78

2009-01-01

Abstract:To overcome the deficiencies of low accuracy and high false alarm rate in network intrusion detection system, an integrated Intrusion detection model based on support vector regression (SVR) and principal components analysis (PCA) is proposed in the paper. Utilizing the character that PCA algorithm can keep the discernability of original dataset after reduction, the reduces of the original dataset are calculated and used to train individual SVR classifier for ensemble, which increase the diversity between individual classifiers, and consequently, increase the detection accuracy. To validate the effectiveness of the proposed method, simulation experiments are performed based on the KDD 99 dataset. The results show that the proposed method is a promised ensemble method owning to its high diversity, high detection accuracy and faster speed in intrusion detection.

HH Gao,HH Yang,XY Wang

2005-01-01

Abstract:This paper proposes a novel intrusion detection approach by applying kernel principal component analysis (KPCA) for intrusion feature extraction and followed by support vector machine (SVM) for classification. The MIT's KDD Cup 99 dataset is used to evaluate these feature extraction methods, and classification performances achieved by SVM with PCA and KPCA feature extraction are compared with those obtained by PCR and KPCR classification method, and by SVM without application of feature extraction, The results clearly demonstrate that feature extraction can greatly reduce the dimension of input space without degrading the classifiers' performance. Among these methods, the best performance is achieved by SVM using only four principal components extracted by KPCA.

Guisong Liu,Zhang Yi,Shangming Yang

2007-01-01

Abstract:A new intrusion detection approach based on supervised principal components neural networks (PCNN) is proposed in this paper. The classifier design, is discussed in detail by applying generalized hebbian algorithm (GHA) neural networks to online feature extraction. An experimental threshold epsilon is required For anomaly detection., but a competition. among particular instrusion detectors is performed for misuse detection. Experimental results and the comparisons to other approaches in recent literature are reported.

Guisong Liu,Zhang Yi

DOI: https://doi.org/10.1007/11760191_35

2006-01-01

Abstract:This paper proposes a method to detect network intrusions by using the PCASOM (principal components analysis and self-organizing map) neural networks. A modified unsupervised learning algorithm which is more suitable for intrusion detection is presented. Experiments are carried out to illustrate the performance of the proposed method by using DARPA 1998 evaluation data sets. It shows that the proposed method can cluster the network connections into proper clusters with high detection rate and relatively low false alarm rate.

Bin Wen,Guolong Chen

DOI: https://doi.org/10.1007/978-3-642-35211-9_50

2012-01-01

Abstract:In network security situation awareness system, the data are characterized by huge quantities, numerous features, redundancy, etc. These features may seriously impact the efficiency of situation evaluation and prediction. This paper proposes a principal component analysis algorithm based on projection pursuit (PP-PCA) to solve these problems. Combined with particle swarm optimization and exterior point penalty function, PP-PCA projects the data onto one-dimensional plane then figures out several composite indicators which play leading roles. The simulate experiment shows that it can overcome the redundancy and improve the efficiency of the situation evaluation and prediction.

徐晶,陶新民

DOI: https://doi.org/10.3724/sp.j.1087.2009.02459

2009-01-01

Journal of Computer Applications

Abstract:To solve the problems of difficult obtaining of the abnormal samples in network intrusion detection application and overfitting of conventional classifications due to the abnormal data unevenly distributed,a novel one-class detection model based on Kernel Principal Component Analysis(KPCA)space similarity and immune principle was presented.The KPCA was employed to extract the nonlinear distribution characteristics of normal samples,and normal samples' characteristic sub-space was consequently established.Other samples' projection onto the sub-space was used to be the metrics of similarity with the normal sub-space.In order to efficiently explore the available abnormal training samples,self-adaptive incorporated immune items were adopted to improve the performance of the proposed model's detection.The kernel function's parameters and threshold value setting were also analyzed and the deciding model based on the Particle Swarm Optimization(TPO)was provided.The detection scheme based on KPCA space similarity was compared with Multi-Layer Perception(MLP),Support Vector Machine(SVM)and Self-Organizing Map(SOM)detection techniques in the experiments.The experimental results illustrate the correctness and effectiveness of the investigated techniques.

Ting LIU,Xiaojie LIU,Weiran YUE

DOI: https://doi.org/10.3969/j.issn.2095-347X.2017.02.006

2017-01-01

Abstract:In the process of intrusion detection,how to select the effective data feature is an important link of the process of detection.Commonly used feature selection methods are not able to reduce dimension so good that detection time too long.According to this,This paper presents a method to intrusion detection feature selection based on principal component analysis.It carries on the PCA transformation to the original data.Then analysising the weight of each component by the transform matrix.Finally,select the most representative feature from the original by the transform weight.The experimental results show that the features selected by the method presented in this paper are enough representative.At the same time the detection time is reduced and the detection efficiency is improved on the basis of ensuring the detection rate.

Ling Huang, XuanLong Nguyen, Minos Garofalakis, Michael Jordan, Anthony Joseph, Nina Taft

2006-01-01

Abstract:We consider the problem of network anomaly detection in large distributed systems. In this setting, Principal Component Analysis (PCA) has been proposed as a method for discover-ing anomalies by continuously tracking the projection of the data onto a residual subspace. This method was shown to work well empirically in highly aggregated networks, that is, those with a limited number of large nodes and at coarse time scales. This approach, how-ever, has scalability limitations. To overcome these limitations, we develop a PCA-based anomaly detector in which adaptive local data (cid: 2) lters send to a coordinator just enough data to enable accurate global detection. Our method is based on a stochastic matrix perturba-tion analysis that characterizes the tradeoff between the accuracy of anomaly detection and the amount of data communicated over the network.

LIU Yong,SUN Dong-hong,CHEN You,WANG Wan-shan

DOI: https://doi.org/10.3969/j.issn.1005-3026.2010.07.006

2010-01-01

Abstract:A feature selection algorithm can improve efficiently the detection speed and result, with irrelevant and redundant data eliminated and denoised in an intrusion detection system. Taking advantage of the algorithm, a new hybrid feature selection algorithm based on the principal component analysis (PCA) in combination with decision tree algorithm (C4.5) was proposed to develop a lightweight intrusion detection system. Verifying the proposed algorithm in detail via tests with the KDD 1999 dataset, the algorithm was proved that it is available to not only ensure the high detection rate and low false alarm rate but also improve obviously the training/testing time of the intrusion detection system. Furthermore, as a result of comparative tests, the algorithm is superior to GA-SVM algorithm in training/testing time, detection rate and false alarm rate.