Jiang Zhong,Xiongbing Deng,Luosheng Wen,Yong Feng

DOI: https://doi.org/10.1109/icicta.2009.324

2009-01-01

Abstract:In this paper, an novel unsupervised intrusion detection method is presented, in which the anomalies was specified by choosing a reference measure mu which determines a density and a level value rho. in order to reveal the relationship between the distribution of connection feature data sets and the reference measure mu, we proposed a new method to design SVM classifier based on RBF core, and apply this algorithm to estimate density level set for the data set, through which the anomaly network connections have been detected. Experimental results on the real network data set showed that the new method is competitive with others in that the false alarm rate is kept low without many missed detections.

Zhong Jiang,Wen Luosheng,Feng Yong,Ye Chun Xiao

DOI: https://doi.org/10.1109/nas.2008.41

2008-01-01

Abstract:Recently the machine learning-based intrusion detection approaches have been subjected to extensive researches because they can detect both misuse and anomaly. One way to describe anomalies is by saying that anomalies are not concentrated. It leads to the problem of finding level sets for the data generating density. This learning problem may be converted as a binary classification problem. In this paper, we propose a new method to design RBF classifier based on multiple granularities immune network, and apply this algorithm to detection the data density level set. Experimental results on the real network data set showed that the new classifier has higher detection rate and lower false positive rate than traditional RBF classifier.

Xiejun Ni,Daojing He,Sammy Chan,Farooq Ahmad

DOI: https://doi.org/10.1007/978-3-319-39555-5_12

2016-01-01

Abstract:Intrusion detection systems (IDSs) play a significant role to effectively defend our crucial computer systems or networks against attackers on the Internet. Anomaly detection is an effective way to detect intrusion, which can discover patterns that do not conform to expected behavior. The mainstream approaches of ADS (anomaly detection system) are using data mining technology to automatically extract normal pattern and abnormal ones from a large set of network data and distinguish them from each other. However, supervised or semi-supervised approaches in data mining rely on data label information. This is not practical when the network data is large-scale. In this paper, we propose a two-stage approach, unsupervised feature selection and density peak clustering to tackle label lacking situations. First, the density-peak based clustering approach is introduced for network anomaly detection, which considers both distance and density nature of data. Second, to achieve better performance of clustering process, we use maximal information coefficient and feature clustering to remove redundant and irrelevant features. Experimental results show that our method can get rid of useless features of high-dimensional data and achieves high detection accuracy and efficiency in the meanwhile.

赵欣,叶茂,朱莺嘤,郑凯元

DOI: https://doi.org/10.3778/j.issn.1002-8331.2010.05.027

2010-01-01

Abstract:Network intrusion detection is an important aspect of information security.Many good results in this aspect have been obtained in recent years.Most of them face the problem of low detection rate.The network connection's attributes which have the character of obvious distinction between normal and abnormal are often chosen by experts to judge whether the new network connections are normal.This method has some randomness which affects the detection rate.A method which aims to choose attributes based on the inherent law of normal network connections is proposed.The attributes can be chosen such that the high dimensional data can be transformed to one dimension automatically.The method of sequence data mining is used to find the rules of normal network connections.The new network connections can be detected by these rules.An experiment has been done on the datum of KDD99.The result indicates that the method of this paper has high detection rate.

Xiujuan Wang,Chenxi Zhang,Kangfeng Zheng

DOI: https://doi.org/10.1109/cc.2016.7559072

2016-01-01

China Communications

Abstract:Intrusion detection aims to detect intrusion behavior and serves as a complement to firewalls. It can detect attack types of malicious network communications and computer usage that cannot be detected by idiomatic firewalls. Many intrusion detection methods are processed through machine learning. Previous literature has shown that the performance of an intrusion detection method based on hybrid learning or integration approach is superior to that of single learning technology. However, almost no studies focus on how additional representative and concise features can be extracted to process effective intrusion detection among massive and complicated data. In this paper, a new hybrid learning method is proposed on the basis of features such as density, cluster centers, and nearest neighbors (DCNN). In this algorithm, data is represented by the local density of each sample point and the sum of distances from each sample point to cluster centers and to its nearest neighbor. k-NN classifier is adopted to classify the new feature vectors. Our experiment shows that DCNN, which combines K-means, clustering-based density, and k-NN classifier, is effective in intrusion detection.

Xu Tao,Zhang Wei,Li XuHong,Wang Xia,Pan Wenwen

DOI: https://doi.org/10.2991/iccmcee-15.2015.244

2015-01-01

Abstract:The rapid development of the Internet makes distributed computing has become a mainstream application, network openness, connectivity, shared characteristics, so that the risk of suffering from the growing network intrusions. How to ensure the network and information security has become very important in the field of security issues. From the initial access control mechanisms to combine packet filtering and application layer gateway firewall technology, each is not the perfect solution. Intrusion detection is a network and information security architecture an important part of the intrusion detection system put forward higher requirements. Current greatest weakness of the face of live flowers audit records cannot be quickly mass intrusion detection and high false positive rate of serious impact on system performance. This paper proposes a new intrusion detection method, and on this basis, based on data mining developed based anomaly intrusion detection system prototype network.

Yang Li,Binxing Fang,Li Guo

DOI: https://doi.org/10.1007/978-3-540-72383-7_150

2007-01-01

Abstract:Network anomaly detection has been a hot topic in the past years. However, high false alarm rate, difficulties in obtaining exact clean data for the modeling of normal patterns and the deterioration of detection rate because of "unclean" training set always make it not as good as we expect. Therefore, we propose a novel data mining method for network anomaly detection in this paper. Experimental results on the well-known KDD Cup 1999 dataset demonstrate it can effectively detect anomalies with high true positives, low false positives as well as with high confidence than the state-of-the-art anomaly detection methods. Furthermore, even provided with not purely "clean" data (unclean data), the proposed method is still robust and effective.

Yanqing Yang,Kangfeng Zheng,Chunhua Wu,Xinxin Niu,Yixian Yang,Yanqing Yang,Kangfeng Zheng,Chunhua Wu,Xinxin Niu,Yixian Yang

DOI: https://doi.org/10.3390/app9020238

2019-01-10

Applied Sciences

Abstract:Machine learning plays an important role in building intrusion detection systems. However, with the increase of data capacity and data dimension, the ability of shallow machine learning is becoming more limited. In this paper, we propose a fuzzy aggregation approach using the modified density peak clustering algorithm (MDPCA) and deep belief networks (DBNs). To reduce the size of the training set and the imbalance of the samples, MDPCA is used to divide the training set into several subsets with similar sets of attributes. Each subset is used to train its own sub-DBNs classifier. These sub-DBN classifiers can learn and explore high-level abstract features, automatically reduce data dimensions, and perform classification well. According to the nearest neighbor criterion, the fuzzy membership weights of each test sample in each sub-DBNs classifier are calculated. The output of all sub-DBNs classifiers is aggregated based on fuzzy membership weights. Experimental results on the NSL-KDD and UNSW-NB15 datasets show that our proposed model has higher overall accuracy, recall, precision and F1-score than other well-known classification methods. Furthermore, the proposed model achieves better performance in terms of accuracy, detection rate and false positive rate compared to the state-of-the-art intrusion detection methods.

Renyu Liu,Qingsheng Zhu

DOI: https://doi.org/10.1109/ijcnn.2018.8489336

2018-01-01

Abstract:As a kind of network security protection technology, intrusion detection technology has become one of the hot topics in the field of network security. In order to solve the problem that the methods of network anomaly detection have a high requirement on the purity of the normal data-set, and that the existing methods based on outlier detection need to set an anomaly threshold manually. Combining with the idea of Natural Neighborhood Graph, a network anomaly detection method (NAD-NNG) is proposed. In order to eliminate noise points or mislabel points and reduce the time complexity of anomalies detection, the algorithm uses the Natural Neighborhood Graph to cluster the normal data-set. Also, the algorithm can adaptively obtain a percentage value β for setting the anomaly threshold. Experiments on KDDCUP99 show that compared with the other two algorithms, the proposed method can achieve a higher detection rate based on a tolerable false alarm rate.

Y Feng,ZF Wu,KG Wu,ZY Xiong,Y Zhou

DOI: https://doi.org/10.1109/icmlc.2005.1527630

2005-01-01

Abstract:An approach to network intrusion detection is investigated, based on swarm intelligence. The basic idea of the method is to produce the cluster by swarm intelligence-based clustering. With the classified data instances, anomaly data clusters can be easily identified by normal cluster ratio. And then the identified cluster can be used in real data detection. In the traditional clustering-based intrusion detection algorithms, clustering using a simple distance-based metric and detection based on the centers of clusters, which generally degrade detection accuracy and efficiency. Our approach based on swarm intelligence can settle these problems effectively. The experiment result shows that our approach can detect unknown intrusions efficiently in the real network connections.

Wei Liang,Kuan-Ching Li,Jing Long,Xiaoyan Kui,Albert Y. Zomaya

DOI: https://doi.org/10.1109/tii.2019.2946791

IF: 12.3

2020-03-01

IEEE Transactions on Industrial Informatics

Abstract:Industrial networks are complex and diverse. Among existing intrusion prevention systems available, several of them have problems such as low detection accuracy rate, high false positive (FP) rate, and low real-time performance for impersonation attacks. To address such issues, it is proposed in this article an industrial network intrusion detection algorithm based on multifeature data clustering optimization model, where the weighted distances and security coefficients of data are classified based on the priority threshold of data attribute feature for each node in the network, given that the data modules in the industrial network environment are diverse and easy to diagnose, restore, and rebuild. The proposed algorithm can effectively improve the detection rate and real-time performance of detecting abnormal behavior for the multifeature data in industrial networks. The novel features are twofold, to rapidly select a node with high-security coefficient as the cluster center, and match the multifeature data around the center into a cluster. Experimental results show that the proposed algorithm has good superiority in terms of detection rate and time compared to other algorithms. In the industrial network, the detection accuracy of abnormal data reaches 97.8, and the FP of detection is decreased by 8.8.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Weiwei Chen,Fangang Kong,Feng Mei,Guiqin Yuan,Bo Li

DOI: https://doi.org/10.1109/bigdatasecurity.2017.56

2017-01-01

Abstract:Network Anomaly Detection plays an important part in network security. Among the state-of-the-art approaches, unsupervised anomaly detection is effective when dealing with unlabelled data. However, these approaches also suffer from high false positive rate. We observed that different methods have their own defects and advantages. Inspired by this observation, we provide a new ensemble clustering(NEC) method to detect novel anomalies. In our system,we can get higher detection rate and lower false positive rate compared with existed apporaches as verified over NSL-KDD 2009 dataset.

HU Liang,REN Wei-wu,REN Fei,LIU Xiao-bo,JIN Gang

DOI: https://doi.org/10.3321/j.issn:1671-5489.2009.05.021

2009-01-01

Abstract:This paper proposes an Anomaly Detection algorithm based on Improved Density Clustering(ADIDC).The improved algorithm adopts clustering features separately on individual characteristic arranges and weighting features by the correlativity between the features and the normal profile.It can solve the frequent problem of the high false positive rate on clustering in the application of anomaly detection.A series of experiments on well known KDD Cup 1999 dataset demonstrates that it has a lower false positive rate,especially ensuring high detection rate with respect to the traditional anomaly detection methods.The detection of the special attack which resembles the normal act is obviously improved.In addtion,the detection performace can be further optimized by feature selection via feature weights.It makes the proposed algorithm more suitable for the real-time detection.

SHI ZHONG,TAGHI M. KHOSHGOFTAAR,NAEEM SELIYA

DOI: https://doi.org/10.1142/s0218539307002568

2007-04-01

International Journal of Reliability, Quality and Safety Engineering

Abstract:Recently data mining methods have gained importance in addressing network security issues, including network intrusion detection — a challenging task in network security. Intrusion detection systems aim to identify attacks with a high detection rate and a low false alarm rate. Classification-based data mining models for intrusion detection are often ineffective in dealing with dynamic changes in intrusion patterns and characteristics. Consequently, unsupervised learning methods have been given a closer look for network intrusion detection. We investigate multiple centroid-based unsupervised clustering algorithms for intrusion detection, and propose a simple yet effective self-labeling heuristic for detecting attack and normal clusters of network traffic audit data. The clustering algorithms investigated include, k-means, Mixture-Of-Spherical Gaussians, Self-Organizing Map, and Neural-Gas. The network traffic datasets provided by the DARPA 1998 offline intrusion detection project are used in our empirical investigation, which demonstrates the feasibility and promise of unsupervised learning methods for network intrusion detection. In addition, a comparative analysis shows the advantage of clustering-based methods over supervised classification techniques in identifying new or unseen attack types.

H. P. Yao,Y. Q. Liu,C. Fang

DOI: https://doi.org/10.15837/ijccc.2016.4.2315

IF: 2.635

2016-01-01

International Journal of Computers Communications & Control

Abstract:Anomaly network detection is a very important way to analyze and detect malicious behavior in network. How to effectively detect anomaly network flow under the pressure of big data is a very important area, which has attracted more and more researchers' attention. In this paper, we propose a new model based on big data analysis, which can avoid the influence brought by adjustment of network traffic distribution, increase detection accuracy and reduce the false negative rate. Simulation results reveal that, compared with k-means, decision tree and random forest algorithms, the proposed model has a much better performance, which can achieve a detection rate of 95.4% on normal data, 98.6% on DoS attack, 93.9% on Probe attack, 56.1% on U2R attack, and 77.2% on R2L attack.

Jiang Zhong,Zhiguo Li,Yong Feng,Cunxiao Ye

DOI: https://doi.org/10.1109/ISDA.2006.253762

2006-01-01

Abstract:Recently the machine learning-based intrusion detection approaches have been subjected to extensive researches because they can detect both misuse and anomaly. In this paper, we propose a new method to design classifier based on multiple granularities immune network. Firstly a multiple granularities immune network (MGIN) algorithm is employed to reduce the data and get the candidate hidden neurons and construct an original RBF network including all candidate neurons. Secondly, the removing redundant neurons procedure is used to get a smaller network. Experimental results on the real network data set show that the new classifier has higher detection and lower false positive rate than traditional RBF classifier.

LI Yang,FANG Bin-xing,GUO Li,TIAN Zhi-hong,ZHANG Yong-zheng,JIANG Wei

DOI: https://doi.org/10.1145/1229285.1229292

2007-01-01

Abstract:Intrusion detection is a critical component of secure information systems. Network anomaly detection has been an active and difficult research topic in the field of Intrusion Detection for many years. However, it still has some problems unresolved. They include high false alarm rate, difficulties in obtaining exactly clean data for the modeling of normal patterns and the deterioration of detection rate because of some "noisy" data in the training set. In this paper, we propose a novel network anomaly detection method based on improved TCM-KNN (Transductive Confidence Machines for K-Nearest Neighbors) machine learning algorithm. A series of experimental results on the well-known KDD Cup 1999 dataset demonstrate it can effectively detect anomalies with high true positive rate, low false positive rate and high confidence than the state-of-the-art anomaly detection methods. In addition, even interfered by "noisy" data (unclean data), the proposed method is robust and effective. Moreover, it still retains good detection performance after employing feature selection aiming at avoiding the "curse of dimensionality".

Hua Tang,Hairui Yang

2009-01-01

Journal of Information and Computational Science

Abstract:Intrusion detection is an important technology of network and information security guaranty. Anomaly detection is based on profiles that represent normal behavior of users, hosts or networks and detects attacks as significant deviations from these profiles. Recently, the works related to anomaly-based intrusion detection have attracted considerable attention because the anomaly detection technique can handle previously unknown intrusion methods effectively. In this paper, a new anomaly detection method based on data mining and data fields in physics is proposed, and the performance of the proposed method are comparatively evaluated and discussed. The results of experiments demonstrate that the detection performance of our approach is satisfying. 1548-7741/ Copyright © 2009 Binary Information Press.

Shingo Mabu,Wenjing Li,Nannan Lu,Yu Wang,Kotaro Hirasawa

DOI: https://doi.org/10.1109/CEC.2010.5586302

IF: 4.7662

2010-01-01

Evolutionary Computation

Abstract:With the rapid growth of the Internet, to make sure of the computer security has been a crucial problem, therefore, many techniques for Intrusion detection have been proposed in order to detect network attacks efficiently. On the other hand, data mining algorithms based on Genetic Network Programming (GNP) have been proposed recently. GNP is a graph-based evolutionary algorithm and can extract many important class association rules by making use of the distinguished representation ability of the graph structures. In this paper, a probabilistic classification is proposed and combined with the class association rule mining of GNP, and applied to Network intrusion detection for the performance evaluation. The proposed method creates a joint probability density function of normal and intrusion accesses and use it to efficiently classify new access data into normal, known intrusion or unknown intrusion. It is clarified from the experimental results that the proposed method shows high classification accuracy compared to the method without probabilistic classification.

Xiaotao Wei,Houkuan Huang,Shengfeng Tian

DOI: https://doi.org/10.1007/11760191_38

2006-01-01

Abstract:A modified RBF (radial basis function)-based neural network is proposed for network anomaly detection. Special attention is given to the determination of the parameters of the hidden layer. We propose a novel grid-based approach to compress and cluster the training data. The number, center and radii of the RBFs are determined according to the clustering result. At the detecting stage, we expand each input node with a sigmoid function to meet the type of input data. Experimental result on KDD 99 intrusion detection datasets shows that our RBF based IDS has high detection rate while maintaining a low false positive rate. It also shows the remarkable ability of our IDS to detect new type of attacks.