Haifeng Lv,Xiaoyu Ji,Yong Ding

DOI: https://doi.org/10.1088/1742-6596/2517/1/012016

2023-01-01

Journal of Physics Conference Series

Abstract:The intrusion detection system (IDS) plays an important part because it offers an efficient way to prevent and mitigate cyber attacks. Numerous deep learning methods for intrusion anomaly detection have been developed as a result of recent advances in artificial intelligence (AI) in order to strengthen internet security. The balance among the high detection rate (DR), the low false alarm rate (FAR) and disaster of dimensionality is the crucial apprehension while devising an effective IDS. For the binary classification of intrusion detection systems, we present in this study a mixed model called K-means-XGBoost consisting of K-means and (Extreme Gradient Boosting, XGBoost) algorithms. The distributed computation of our method is achieved in Spark platform to rapidly separate normal events and anomaly events. In phrases of accuracy, DR, F1-score, recall, precision, and error indices FAR, the proposed model’s performance is measured via the well-known dataset of NSL-KDD. The experimental outcomes indicate that our method is outstandingly better among accuracy, DR, F1-score, training time, and processing speed, compared to other models which are recently created. In particular, the accuracy, F1-score, and DR of the proposed model can achieve as high as 93.28%, 94.39%, and 99.22% in the NSL-KDD dataset, respectively.

Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Weiming Hu,Wei Hu,Steve Maybank

DOI: https://doi.org/10.1109/tsmcb.2007.914695

2005-01-01

Abstract:Network intrusion detection aims at distinguishing the attacks on the Internet from normal use of the Internet. It is an indispensable part of the information security system. Due to the variety of network behaviors and the rapid development of attack fashions, it is necessary to develop fast machine-learning-based intrusion detection algorithms with high detection rates and low false-alarm rates. In this correspondence, we propose an intrusion detection algorithm based on the AdaBoost algorithm. In the algorithm, decision stumps are used as weak classifiers. The decision rules are provided for both categorical and continuous features. By combining the weak classifiers for continuous features and the weak classifiers for categorical features into a strong classifier, the relations between these two different types of features are handled naturally, without any forced conversions between continuous and categorical features. Adaptable initial weights and a simple strategy for avoiding overfitting are adopted to improve the performance of the algorithm. Experimental results show that our algorithm has low computational complexity and error rates, as compared with algorithms of higher computational complexity, as tested on the benchmark sample data.

Wei Guo,Zhenyu Luo,Hexiong Chen,Feilu Hang,Jun Zhang,Hilal Al Bayatti

DOI: https://doi.org/10.2478/amns.2022.2.0171

2022-07-15

Applied Mathematics and Nonlinear Sciences

Abstract:Abstract Boosting is an ensemble learning method that combines a set of weak learners into a strong learner to minimize training errors. AdaBoost algorithm, as a typical boosting algorithm, transforms weak learners or predictors to strong predictors in order to solve problems of classification. With remarkable usability and effectiveness, AdaBoost algorithm has been widely used in many fields, such as face recognition, speech enhancement, natural language processing, and network intrusion detection. In the large-scale enterprise network environment, more and more companies have begun to build trustworthy networks to effectively defend against hacker attacks. However, since trustworthy networks use trusted flags to verify the legitimacy of network requests, it cannot effectively identify abnormal behaviors in network data packets. This paper applies Adaboost algorithm in trustworthy network for anomaly intrusion detection to improve the defense capability against network attacks. This method uses a simple decision tree as the base weak learner, and uses AdaBoost algorithm to combine multiple weak learners into a strong learner by re-weighting the samples. This paper uses the real data of trustworthy network for experimental verification. The experimental results show that the average precision of network anomaly detection method based on AdaBoost algorithm is more than 0.999, indicating that it has a significant detection effect on abnormal network attacks and normal network access. Therefore, the proposed method can effectively improve the security of trustworthy networks.

HH Tong,CR Li,JR He,QA Tran,HX Duan,X Li

DOI: https://doi.org/10.1109/icmlc.2005.1527494

2005-01-01

Abstract:As a crucial issue in computer network security, anomaly detection is receiving more and more attention from both application and theoretical point of view. In this paper, by introducing boosting technique, a novel anomaly detection scheme is proposed. On the whole, the proposed scheme is based on Ada-Boost and can be viewed as an extension of Ada-Boost in terms of both probability density estimation (PDE) and confidence area estimation (CAE). Different kinds of base learners are adopted and investigated in the proposed scheme. Systematic experimental results on DARPA 1999 dataset validate the effectiveness of the proposed scheme.

Wu Liu,Hai-Xin Duan,Ping Ren,Jianping Wu

DOI: https://doi.org/10.1109/ICNC.2010.5583161

2010-01-01

Abstract:Anomaly Detection is very difficult in network security management. In this paper, we consider anomaly detection using an improved probabilistic neural networks. We first introduce a Basic Adaptive Boost Algorithm (BABA) and analysis its drawbacks and then introduce an Improved Adaptive Boost Algorithm (IABA) to classify the detected event as normal or intrusive.

XU Jiao-na,LI Cheng,LI Wei,TANG Fa-gen,LI Yun-chun

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.05.051

2008-01-01

Abstract:Due to the diversity and quickly growth of modern network and distributed systems, intelligent anomaly detection can play an importantrole in monitoring and controlling network systems. This paper presents a network anomaly detection model based on enhanced Nave Bayesianclassifier. Mutual information in information theory is used as basis of the algorithm of feature selection. Experimental results show that the networkanomaly detection model performs better in detection of DoS and probing attack, and has lower false positive.

Tich Phuoc Tran,Longbing Cao,Dat Tran,Cuong Duc Nguyen

DOI: https://doi.org/10.48550/arXiv.0911.0485

2009-11-03

Abstract:This article applies Machine Learning techniques to solve Intrusion Detection problems within computer networks. Due to complex and dynamic nature of computer networks and hacking techniques, detecting malicious activities remains a challenging task for security experts, that is, currently available defense systems suffer from low detection capability and high number of false alarms. To overcome such performance limitations, we propose a novel Machine Learning algorithm, namely Boosted Subspace Probabilistic Neural Network (BSPNN), which integrates an adaptive boosting technique and a semi parametric neural network to obtain good tradeoff between accuracy and generality. As the result, learning bias and generalization variance can be significantly minimized. Substantial experiments on KDD 99 intrusion benchmark indicate that our model outperforms other state of the art learning algorithms, with significantly improved detection accuracy, minimal false alarms and relatively small computational complexity.

Neural and Evolutionary Computing,Machine Learning

Zhao Yueai,Chen Junjie

DOI: https://doi.org/10.1109/dbta.2009.116

2009-01-01

Journal of Computer Applications

Abstract:In view of the current problems of HNIDS (high-speed network intrusion detection system), such as high packet loss rate, slow pace of testing for attacks and unbalanced data for detection. This paper presents a novel approach for HNIDS by taking two-stage strategy with load balancing model, In the on-line phase, the system captures the packets from network and split into small according the type of protocol, then detected intrusion though each sensor. In the off-line, training dataset are used to build model, which can detected intrusion. We discuss different approaches to unbalanced data, empirically evaluate the SMOTE over-sampling approaches, AdaBoost and random forests algorithm. We also discuss the approaches for selecting features. Finally report our experimental results over the KDD'99 datasets. The results show that SMOTE and the AdaBoost Algorithm by using random forests as weak learner not only can provides better performance to small class, but also has lower build model time.

Shadi Aljawarneh,Monther Aldwairi,Muneer Bani Yassein

DOI: https://doi.org/10.1016/j.jocs.2017.03.006

IF: 3.817

2018-03-01

Journal of Computational Science

Abstract:Efficiently detecting network intrusions requires the gathering of sensitive information. This means that one has to collect large amounts of network transactions including high details of recent network transactions. Assessments based on meta-heuristic anomaly are important in the intrusion related network transaction data’s exploratory analysis. These assessments are needed to make and deliver predictions related to the intrusion possibility based on the available attribute details that are involved in the network transaction. We were able to utilize the NSL-KDD data set, the binary and multiclass problem with a 20% testing dataset. This paper develops a new hybrid model that can be used to estimate the intrusion scope threshold degree based on the network transaction data’s optimal features that were made available for training. The experimental results revealed that the hybrid approach had a significant effect on the minimisation of the computational and time complexity involved when determining the feature association impact scale. The accuracy of the proposed model was measured as 99.81% and 98.56% for the binary class and multiclass NSL-KDD data sets, respectively. However, there are issues with obtaining high false and low false negative rates. A hybrid approach with two main parts is proposed to address these issues. First, data needs to be filtered using the Vote algorithm with Information Gain that combines the probability distributions of these base learners in order to select the important features that positively affect the accuracy of the proposed model. Next, the hybrid algorithm consists of following classifiers: J48, Meta Pagging, RandomTree, REPTree, AdaBoostM1, DecisionStump and NaiveBayes. Based on the results obtained using the proposed model, we observe improved accuracy, high false negative rate, and low false positive rule.

computer science, theory & methods, interdisciplinary applications

Zhao Yueai,Chen Junjie

DOI: https://doi.org/10.3969/j.issn.1000-386X.2010.04.042

2010-01-01

Abstract:It is an important research topic to improve detection rate and reduce false alarm rate in the field of intrusion detection.Basing on in-depth research on rare classes classification and applying ensemble learning to intrusion detection,we utilise the detection model which splits data stream in high speed network to classify the network data packets according to their protocol types,and then forward them to each detector.Each detector takes C4.5 classifier as the weak classifier and forms an enhanced general detection function by ensemble learning AdaBoost algorithm.We also further compose rare classes with the SMOTE technique,and make simulation experiments on KDD‘99 dataset.Experiment results indicate that this method can effectively improve the detection rate of rare classes.

Amin Shahraki,Mahmoud Abbasi,Øystein Haugen

DOI: https://doi.org/10.1016/j.engappai.2020.103770

IF: 8

2020-09-01

Engineering Applications of Artificial Intelligence

Abstract:<p>Computer networks have been experienced ever-increasing growth since they play a critical role in different aspects of human life. Regarding the vulnerabilities of computer networks, they should be monitored regularly to detect intrusions and attacks by using high-performance Intrusion Detection Systems (IDSs). IDSs try to differentiate between normal and abnormal behaviors to recognize intrusions. Due to the complex behavior of malicious entities, it is crucially important to adopt machine learning methods for intrusion detection with a fine performance and low time complexity. Boosting approach is considered as a way to deal with this challenge. In this paper, we prepare a clear summary of the latest progress in the context of intrusion detection methods, present a technical background on boosting, and demonstrate the ability of the three well-known boosting algorithms (Real Adaboost, Gentle Adaboost, and Modest Adaboost) as IDSs by using five IDS public benchmark datasets. The results show that the Modest AdaBoost has a higher error rate compared to Gentle and Real AdaBoost in IDSs. Besides, in the case of IDSs, Gentle and Real AdaBoost show the same performance as they have about 70% lower error rates compared to Modest Adaboost, however, Modest AdaBoost is about 7% faster than them. In addition, as IDSs need to retrain the model frequently, the results show that Modest AdaBoost has a much lower performance than Gentle and Real AdaBoost in case of error rate stability.</p>

automation & control systems,computer science, artificial intelligence,engineering, electrical & electronic, multidisciplinary

Qin Zhao,Jizhou Sun,Song Zhang

DOI: https://doi.org/10.1109/ccece.2004.1344977

2004-01-01

Abstract:For some years we have recognized that, no matter what preventive security we have in Internet community, compromises can and will occur. Accordingly, intrusion detection systems have become "must haves" for virtually all large installations. In this paper a new detection paradigm is designed to improve the veracity and efficiency of detection system. Our proposed hybrid and hierarchical NIDS both monitors the payload of network data in Network Layer and also analyzes network-based attacks as anomalies in Application Layer using statistical processing and classification. Both the advantages of signature-match and anomaly-analysis techniques are exploited in our system. Naïve Bayes analysis algorithm is used in our prototype to implement and enhance the ability of our detection system. Various performance tests are conducted to evaluate our system's effectiveness and efficiency. According to the test reports, the detect rate of NIDS is improved and the negative false alarms are sharply decreased. Machine-learning function is therefore able to be added to our system.

LI Yuan-bing,FANG Ding-yi,WU Xiao-nan,CHEN Xiao-jiang

DOI: https://doi.org/10.3321/j.issn:1001-506x.2005.09.042

2005-01-01

Abstract:Neural network can be used in anomaly detection. In order to improve the traditional IDS (intrusion detection system) performance, we often had to change the network structure itself and detection algorism. And because intrusion techniques are most changeful and unpredictable, we can not always use the fixed detection techniques to catch exactly all possible intrusions. It is therefore important to investigate novel detection methods and IDS models. In this paper, a model of intrusion detection system based on BP neural network is proposed through analyzing characteristic of program behavior. Some details and issues on the design and implementation of the model are discussed and an experiment is also given.

Quanmin Wang,Xuan Wei

DOI: https://doi.org/10.1145/3377644.3377660

2020-01-10

Abstract:Network intrusion detection is a detection technology which is based on the characteristics of network behavior. In recent years, network intrusion detection, as a research focus in the field of information security, had a rapid development. Redundant and irrelevant features in data have caused a long-term problem in network traffic classification. These features not only slow down the process of classification but also prevent a classifier from making accurate decisions, especially when coping with big data. In this paper, an improved binary particle swarm optimization (BPSO) was proposed to remove redundant features. This method can compress data volumes and reduce the detection time. On this basis, weight adjustment strategies of Adaboost algorithm are improved to alleviate the phenomenon of over-fitting. The performance of the improved Adaboost classifier is evaluated using two intrusion detection evaluation datasets, namely KDD Cup 99 and NSL-KDD dataset. The evaluation results show that our approach has lower false alarm rate, higher accuracy rate and F-Score.

Yunpeng Wang,Yuzhou Li,Daxin Tian,Congyu Wang,WenYang Wang,Rong Hui,Peng Guo,Haijun Zhang

DOI: https://doi.org/10.1007/978-3-319-72823-0_53

2017-01-01

Abstract:Intrusion Detection System is a pattern recognition task whose aim is to detect and report the occurrence of abnormal or unknown network behaviors in a given network system being monitored. In this paper, we propose a machine learning model, advanced Naive Bayesian Classification (NBC-A) which is based on NBC and ReliefF algorithm, to be used in the novel IDS. We use ReliefF algorithm to give every attribute of network behavior in KDD’99 dataset a weight that reflects the relationship between attributes and final class for better classification results. The novel IDS has a higher True Positive (TP) rate and a lower False Positive (FP) rate in detection performance.

Zan Xin,Han Jiuqiang,Zhang Junjie,Zheng Qinghua,Han Chongzhao

DOI: https://doi.org/10.1007/s11767-005-0201-z

2007-01-01

Journal of Electronics (China)

Abstract:Intrusion detection can be essentially regarded as a classification problem, namely, distinguishing normal profiles from intrusive behaviors. This paper introduces boosting classification algorithm into the area of intrusion detection to learn attack signatures. Decision tree algorithm is used as simple base learner of boosting algorithm. Furthermore, this paper employs the Principle Component Analysis (PCA) approach, an effective data reduction approach, to extract the key attribute set from the original high-dimensional network traffic data. KDD CUP 99 data set is used in these experiments to demonstrate that boosting algorithm can greatly improve the classification accuracy of weak learners by combining a number of simple “weak learners”. In our experiments, the error rate of training phase of boosting algorithm is reduced from 30.2% to 8% after 10 iterations. Besides, this paper also compares boosting algorithm with Support Vector Machine (SVM) algorithm and shows that the classification accuracy of boosting algorithm is little better than SVM algorithm’s. However, the generalization ability of SVM algorithm is better than boosting algorithm.

Cai Long-zheng,Yu Shmg-sheng,Wang Xiao-feng,Zhou Jing-li

DOI: https://doi.org/10.1007/s11741-006-0083-9

2006-01-01

Abstract:Anomaly detection is a key element of intrusion detection systems and a necessary complement of widely used misuse intrusion detection systems. Data sources used by network intrusion detection, like network packets or connections, often contain both numeric and nominal features. Both of these features contain important information for intrusion detection. These two features, on the other hand, have different characteristics. This paper presents a new network based anomaly intrusion detection approach that works well by building profiles for numeric and nominal features in different ways. During training, for each numeric feature, a normal profile is build through statistical distribution inference and parameter estimation, while for each nominal feature, a normal profile is setup through statistical method. These profiles are used as detection models during testing to judge whether a data being tested is benign or malicious. Experiments with the data set of 1999 DARPA (defense advanced research project agency) intrusion detection evaluation show that this approach can detect attacks effectively.

Dewan Md. Farid,Nouria Harbi,Mohammad Zahidur Rahman

DOI: https://doi.org/10.48550/arXiv.1005.4496

IF: 14.4

2010-05-25

Artificial Intelligence

Abstract:In this paper, a new learning algorithm for adaptive network intrusion detection using naive Bayesian classifier and decision tree is presented, which performs balance detections and keeps false positives at acceptable level for different types of network attacks, and eliminates redundant attributes as well as contradictory examples from training data that make the detection model complex. The proposed algorithm also addresses some difficulties of data mining such as handling continuous attribute, dealing with missing attribute values, and reducing noise in training data. Due to the large volumes of security audit data as well as the complex and dynamic properties of intrusion behaviours, several data miningbased intrusion detection techniques have been applied to network-based traffic data and host-based data in the last decades. However, there remain various issues needed to be examined towards current intrusion detection systems (IDS). We tested the performance of our proposed algorithm with existing learning algorithms by employing on the KDD99 benchmark intrusion detection dataset. The experimental results prove that the proposed algorithm achieved high detection rates (DR) and significant reduce false positives (FP) for different types of network intrusions using limited computational resources.

Yali Yuan,Liuwei Huo,Yachao Yuan,Zhixiao Wang

DOI: https://doi.org/10.1177/1550147719846052

IF: 1.938

2019-06-01

International Journal of Distributed Sensor Networks

Abstract:Network intrusion detection is a relatively mature research topic, but one that remains challenging particular as technologies and threat landscape evolve. Here, a semi-supervised tri-Adaboost (STA) algorithm is proposed. In the algorithm, three different Adaboost algorithms are used as the weak classifiers (both for continuous and categorical data), constituting the decision stumps in the tri-training method. In addition, the chi-square method is used to reduce the dimension of feature and improve computational efficiency. We then conduct extensive numerical studies using different training and testing samples in the KDDcup99 dataset and discover the flows demonstrated that (1) high accuracy can be obtained using a training dataset which consists of a small number of labeled and a large number of unlabeled samples. (2) The algorithm proposed is reproducible and consistent over different runs. (3) The proposed algorithm outperforms other existing learning algorithms, even with only a small amount of labeled data in the training phase. (4) The proposed algorithm has a short execution time and a low false positive rate, while providing a desirable detection rate.

computer science, information systems,telecommunications