Jiang Wei,Min Yao,Jun Yan

DOI: https://doi.org/10.1109/ISISE.2008.17

2008-01-01

Abstract:Clustering is one of the important means of Intrusion detection. In order to overcome the disadvantages of fuzzy C-means algorithm, this paper presents a kind of improved fuzzy C-means algorithm (IFCM for short). IFCM algorithm reduces the infection of isolated point by means of weighting the degree of membership for objects to be clustered, and avoids the subjectivity in choosing the number of clustering by introducing the function of validity. Then, IFCM algorithm is used to intrusion detection, and satisfactory experiment effects are obtained. © 2008 IEEE.

Haifeng Lv,Xiaoyu Ji,Yong Ding

DOI: https://doi.org/10.1088/1742-6596/2517/1/012016

2023-01-01

Journal of Physics Conference Series

Abstract:The intrusion detection system (IDS) plays an important part because it offers an efficient way to prevent and mitigate cyber attacks. Numerous deep learning methods for intrusion anomaly detection have been developed as a result of recent advances in artificial intelligence (AI) in order to strengthen internet security. The balance among the high detection rate (DR), the low false alarm rate (FAR) and disaster of dimensionality is the crucial apprehension while devising an effective IDS. For the binary classification of intrusion detection systems, we present in this study a mixed model called K-means-XGBoost consisting of K-means and (Extreme Gradient Boosting, XGBoost) algorithms. The distributed computation of our method is achieved in Spark platform to rapidly separate normal events and anomaly events. In phrases of accuracy, DR, F1-score, recall, precision, and error indices FAR, the proposed model’s performance is measured via the well-known dataset of NSL-KDD. The experimental outcomes indicate that our method is outstandingly better among accuracy, DR, F1-score, training time, and processing speed, compared to other models which are recently created. In particular, the accuracy, F1-score, and DR of the proposed model can achieve as high as 93.28%, 94.39%, and 99.22% in the NSL-KDD dataset, respectively.

Bin Xie,Xinyu Dong,Changguang Wang

DOI: https://doi.org/10.1155/2021/9322368

2021-08-04

Wireless Communications and Mobile Computing

Abstract:The existing wireless network intrusion detection algorithms based on supervised learning confront many challenges, such as high false detection rate, difficulty in finding unknown attack behaviors, and high cost in obtaining labeled training data sets. This paper presents an improved k -means clustering algorithm for detecting intrusions on wireless networks based on Federated Learning. The proposed algorithm allows multiple participants to train a global model without sharing their private data and can expand the amount of data in the training model and protect the local data of each participant. Furthermore, the cosine distance of multiple perspectives is introduced in the algorithm to measure the similarity between network data objects in the improved k -means clustering process, making the clustering results more reasonable and the judgment of network data behavior more accurate. The AWID, an open wireless network attack data set, is selected as the experimental data set. Its dimensionality reduces by the method of principal component analysis (PCA). Experimental results show that the improved k -means clustering intrusion detection algorithm based on Federated Learning has better performance in detection rate, false detection rate, and detection of unknown attack types.

computer science, information systems,telecommunications,engineering, electrical & electronic

Lu Lv,Wenhai Wang,Zeyin Zhang,Xinggao Liu

DOI: https://doi.org/10.1016/j.knosys.2020.105648

IF: 8.139

2020-01-01

Knowledge-Based Systems

Abstract:Intrusion detection is a challenging technology in the area of cyberspace security for protecting a system from malicious attacks. A novel accurate and effective misuse intrusion detection system that relies on specific attack signatures to distinguish between normal and malicious activities is therefore presented to detect various attacks based on an extreme learning machine with a hybrid kernel function (HKELM). First, the derivation and proof of the proposed hybrid kernel are given. A combination of the gravitational search algorithm (GSA) and differential evolution (DE) algorithm is employed to optimize the parameters of HKELM, which improves its global and local optimization abilities during prediction attacks. In addition, the kernel principal component analysis (KPCA) algorithm is introduced for dimensionality reduction and feature extraction of the intrusion detection data. Then, a novel intrusion detection approach, KPCA-DEGSA-HKELM, is obtained. The proposed approach is eventually applied to the classic benchmark KDD99 dataset, the real modern UNSW-NB15 dataset and the industrial intrusion detection dataset from the Tennessee Eastman process. The numerical results validate both the high accuracy and the time-saving benefit of the proposed approach.

Die Zhang,Zhen Zhang

DOI: https://doi.org/10.1109/EIECC60864.2023.10456717

2023-12-22

Abstract:Network abnormal traffic intrusion detection technology is an important research field of network security today. Hybrid intrusion detection technology overcomes the shortcomings of single detection and retains their advantages, achieving high detection rate and high accuracy, so it is widely used in existing network abnormal traffic detection. However, the optimization of the high false alarm rate of anomaly detection in existing hybrid intrusion detection is imperfect, resulting in a large room for improvement in the detection accuracy of hybrid intrusion detection. In response to the above problems, this paper proposes a hybrid intrusion detection method based on Cluster Marking-k-means. By adding a classifier to the anomaly-based detection module, the detection results are secondary classified to reduce False alarm rate, thus improving the overall detection accuracy of the method. The experiment uses NSL-KDD and CICIDS2017 datasets to verify the effectiveness of the method. The results show that the method proposed in this article improves the average F1 score by 1.19% compared to the comparative method.

Computer Science

Chenhui Gao,Wenzhi Chen,Feiping Nie,Weizhong Yu,Feihu Yan

DOI: https://doi.org/10.1016/j.knosys.2022.109452

IF: 8.139

2022-01-01

Knowledge-Based Systems

Abstract:Applications in many domains such as text mining and natural language processing need to deal with high-dimensional data. High-dimensional data may present better clustering characteristics on a selected low-dimensional subspace. Subspace clustering is to project the data onto a low-dimensional subspace before clustering. Traditional subspace clustering methods employ eigenvalue decomposition to find the projection of the input data and perform K-means or kernel K-means to obtain the clustering matrix. This kind of methods is not only inefficient, but also adopts a two-step method to generate an approximate solution. Although Discriminative K-means (DisKmeans) integrates dimensionality reduction and clustering into a joint framework and solves the optimization problem by kernel K-means, such method needs to find the centroids in the kernel space and class labels iteratively and has a square time complexity. Accordingly, in this paper, we propose an algorithm, namely Fast DisKmeans (FDKM), to obtain the cluster indicator matrix in a direct way. Moreover, our proposed method has a linear time complexity, which is a significant reduction compared with the squared time complexity of DisKmeans. We also demonstrate that solving the object function of DisKmeans is equivalent to representing the cluster assignment matrix by a low-dimensional linear mapping of the data. Based on this observation, we propose the second algorithm, namely Iterative Fast DisKmeans (IFDKM), which also has a linear time complexity. A series of experiments were conducted on several datasets, and the experimental results showed the superior performance of FDKM and IFDKM.

Kaijian Liu,Zhen Fan,Meiqin Liu,Senlin Zhang

DOI: https://doi.org/10.1109/cyber.2018.8688271

2018-01-01

Abstract:This paper reviews the problem of instrusion detection for Smart Home and different approach to detect instrusion. A hybrid instrusion detection method based on Convolutional Neural Networks(CNN) and K-means is proposed in this paper. At smart home device node, K-means is used to generate the rule base by clustering, then Principal Component Analysis(PCA) is used to extract the dimensionality reduced features. During the test process, PCA is also used to extract the dimensionality reduced features, the feature matching is performed with the rule base to determine the intrusion data. At the smart home server side, a CNN model is proposed to detect the specific type of intrusion. Combined with Synthetic Minority Oversampling Technique(SMOTE) and under sampling techniques, the CNN model has great performance in reducing missing report rate(MRR) in minority categories. The results of the experiment conducted in KDD99 dataset show that such a hybrid method can improve the detection rate of smart home intrusion detection system and reduce MRR in minority categories.

Weigang Liu

DOI: https://doi.org/10.1155/2022/4927504

2022-06-10

Wireless Communications and Mobile Computing

Abstract:Attacks on network systems are becoming more and more common, the current state of increasingly sophisticated attack methods, the emergence of intrusion prevention technology is the inevitable result of the development of computer technology and network technology, and research on intrusion prevention has become a new focus of network security technology research in recent years. In order to ensure the security of computer network confidential information, the authors propose a semisupervised clustering intrusion detection algorithm. An overview of machine learning, followed by an explanation of the theory of cluster analysis, simulation experiments were carried out using the K -means algorithm and the semisupervised clustering algorithm proposed by the author, for 10,000 records, the K -means clustering algorithm and the semisupervised clustering algorithm described in this paper are used, respectively, and intrusion detection data tests were performed. At the same time, different K values were selected, three datasets were selected from "kddcup.newtestdata_10_percent_corrected," the test data were tested separately, and their average value was taken as the test result. From the simulation results, the detection rate of the semisupervised clustering algorithm is higher than that of the K -means clustering algorithm, and the false alarm rate and K -means algorithms have also been improved. Therefore, the author's semisupervised algorithm enhances the stability of the system, and the performance of the K -means algorithm is improved to a certain extent. When the value of K gradually increases, the false alarm rate also increases; however, when K is 20, the detection rate is maximized, from this, it can be known that when K is 20, its detection rate reaches 91.76%, and the false alarm rate is 8.54%. The detection rate of the author's algorithm is significantly higher than the other two algorithms, the false positive rate is slightly higher than K -means, and the false positive rate is lower than that of the other algorithm, proving the superior performance of our algorithm.

computer science, information systems,telecommunications,engineering, electrical & electronic

Mahdieh Maazalahi,Soodeh Hosseini

DOI: https://doi.org/10.1007/s10586-024-04510-7

2024-05-08

Cluster Computing

Abstract:In this research paper, we propose a two-stage hybrid approach that uses machine learning techniques and meta-heuristic algorithms. The first step, known as data preparation, involves converting string values to numeric format and subsequently normalizing the data. To increase the performance beyond the limitations of traditional methods, we use population-based meta-heuristic algorithms, namely Atom Search Optimization (ASO) and Equilibrium Optimization (EO), for feature selection, aiming to achieve global optimization. The second step, called attack detection, focuses on distinguishing normal traffic from malicious traffic. To improve the performance of this step, we use K-means clustering and firefly algorithm (FA). In addition, an elitism method is randomly integrated. The resulting approach is called ASO-EO-FA-K-means. We evaluate the performance of our proposed method using two datasets, namely NSL-KDD, UNSW_NB15, and KDD_CUP99. To establish a benchmark, we compare our method with other approaches including Particles Swarm Optimization (PSO), Genetic, Grey Wolf Optimization (GWO), Ant colony optimization (ACO), Harris Hawk Optimization (HHO), NSGA-2, Multi-objective PSO, Multi-objective GWO, learning vector quantization (LVQ), XGBoost, particle swarm optimization based on C4.5 (PSO-C4.5) and genetic algorithm based on multilayer perceptron (GA-MLP)) we compare. The evaluation results show that the proposed method achieves the highest accuracy and the lowest error rate in three datasets NSL-KDD and UNSW_NB15 KDD-CUP99 with accuracy values of 0.998, 0.995 and 0.995, respectively. In addition, our method shows superior efficiency in terms of computation time. In general, our research shows the effectiveness of the ASO-EO-FA-K-means method in intrusion detection and provides better accuracy and efficiency compared to alternative approaches. In all three data sets, the results have shown that NSL-KDD data set with MSE 0.012, accuracy value 0.998 has obtained better results than other data sets.

computer science, information systems, theory & methods

Wei Liang,Kuan-Ching Li,Jing Long,Xiaoyan Kui,Albert Y. Zomaya

DOI: https://doi.org/10.1109/tii.2019.2946791

IF: 12.3

2020-03-01

IEEE Transactions on Industrial Informatics

Abstract:Industrial networks are complex and diverse. Among existing intrusion prevention systems available, several of them have problems such as low detection accuracy rate, high false positive (FP) rate, and low real-time performance for impersonation attacks. To address such issues, it is proposed in this article an industrial network intrusion detection algorithm based on multifeature data clustering optimization model, where the weighted distances and security coefficients of data are classified based on the priority threshold of data attribute feature for each node in the network, given that the data modules in the industrial network environment are diverse and easy to diagnose, restore, and rebuild. The proposed algorithm can effectively improve the detection rate and real-time performance of detecting abnormal behavior for the multifeature data in industrial networks. The novel features are twofold, to rapidly select a node with high-security coefficient as the cluster center, and match the multifeature data around the center into a cluster. Experimental results show that the proposed algorithm has good superiority in terms of detection rate and time compared to other algorithms. In the industrial network, the detection accuracy of abnormal data reaches 97.8, and the FP of detection is decreased by 8.8.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Quan ZHOU,Feng-Ying ZHAO,Chong-Jun WANG,Shi-Fu CHEN

DOI: https://doi.org/10.3969/j.issn.1003-6059.2008.04.015

2008-01-01

Abstract:The solution based on multi-approaches of data mining involving k-means, C4.5, Naive Bayes, Bayes net and Co-training is proposed in order to deal with the major problems of intrusion detection dataset such as class balance, class overlapping, noise, distributions etc. The experiment results show its validity.

Qifan Yang,Lina Wang

DOI: https://doi.org/10.4028/www.scientific.net/amm.651-653.547

2014-01-01

Applied Mechanics and Materials

Abstract:Fuzzy C-means clustering algorithm (FCM) is widely applied to the intrusion detection. To acquire a better division for intrusion data, a new method (DEFCM) presented in the paper which combines FCM and differential evolution algorithm (DE) is found application. As a start, several randomly initiated partitions are optimized by FCM, and then the result is provided to differential evolution algorithm. After that, the combined result is sent to FCM again to adjust the partition and obtain the final answer. The method can improve detection performance effectively. The KDDCUP1999 data set is used in the simulation experiment, and the result proves that the DEFCM algorithm has a comparatively high detection rate in intrusion detection.

Mr. Abdul Khadar A,Modem Tharun Kumar,Sharath K N,Sukesh V N,Tejaswini K N

DOI: https://doi.org/10.48175/ijarsct-5052

2022-06-23

Abstract:In imbalanced network traffic, malicious cyber-attacks can often hide in large amounts of normal data. It exhibits a high degree of stealth and obfuscation in cyberspace, making it difficult for Network Intrusion Detection System (NIDS) to ensure the accuracy and timeliness of detection. This paper researches machine learning and deep learning for intrusion detection in imbalanced network traffic. It proposes a novel Difficult Set Sampling Technique (DSSTE) algorithm to tackle the class imbalance problem. First, use the Edited Nearest Neighbor (ENN) algorithm to divide the imbalanced training set into the difficult set and the easy set. Next, use the K- Means algorithm to compress the majority samples in the difficult set to reduce the majority. Zoom in and out the minority samples’ continuous attributes in the difficult set synthesize new samples to increase the minority number. Finally, the easy set, the compressed set of majority in the difficult, and the minority in the difficult set are combined with its augmentation samples to make up a new training set. The algorithm reduces the imbalance of the original training set and provides targeted data augment for the minority class that needs to learn. It enables the classifier to learn the differences in the training stage better and improve classification performance. To verify the proposed method, we conduct experiments on the classic intrusion dataset NSL-KDD. We use classical classification models: random forest(RF), Support Vector Machine (SVM), XGBoost, Long and Short- term Memory (LSTM), Adaboost, AlexNet, Mini- VGGNet.

Xiao-run LI,Guang-zhou ZHAO,Liao-ying ZHAO

DOI: https://doi.org/10.3785/j.issn.1008-973X.2008.04.007

2008-01-01

Abstract:An improved kernel direct discriminant analysis(IKDDA) was proposed to compute the optimal discriminant vectors for the kernel-based Fisher discriminant analysis in singular cases.Based on the reproducing kernel theory,the kernel within-class and the kernel between-class scatter matrices were defined,then the Fisher discriminant criterion in the high-dimensional feature space was transformed to the kernel Fisher discriminant criterion.According to the isomorphic mapping theory and the singular value decomposition theorem,the maximum of the kernel Fisher discriminant criterion could be skillfully acquired by solving the minimum of its reciprocal in a small space,thus the final solution could be acquired not to take account of the null space and non-null space of the kernel within-class scatter matrices separately.Experimental results on the ORL and the UMIST face image database indicate that the proposed method can achieve lower error rate and quicker speed compared with other methods.

Sun Haoliang,Wang Dawei,Zhang Ying

DOI: https://doi.org/10.1109/iccsn.2019.8905286

2019-01-01

Abstract:Nowadays, a major challenge to network security is malicious codes. However, manual extraction of features is one of the characteristics of traditional detection techniques, which is inefficient. On the other hand, the features of the content and behavior of the malicious codes are easy to change, resulting in more inefficiency of the traditional techniques. In this paper, a K-Means Clustering Analysis is proposed based on Adaptive Weights (AW-MMKM). Identifying malicious codes in the proposed method is based on four types of network behavior that can be extracted from network traffic, including active, fault, network scanning, and page behaviors. The experimental results indicate that the AW-MMKM can detect malicious codes efficiently with higher accuracy.

Quanmin Wang,Xuan Wei

DOI: https://doi.org/10.1145/3377644.3377660

2020-01-10

Abstract:Network intrusion detection is a detection technology which is based on the characteristics of network behavior. In recent years, network intrusion detection, as a research focus in the field of information security, had a rapid development. Redundant and irrelevant features in data have caused a long-term problem in network traffic classification. These features not only slow down the process of classification but also prevent a classifier from making accurate decisions, especially when coping with big data. In this paper, an improved binary particle swarm optimization (BPSO) was proposed to remove redundant features. This method can compress data volumes and reduce the detection time. On this basis, weight adjustment strategies of Adaboost algorithm are improved to alleviate the phenomenon of over-fitting. The performance of the improved Adaboost classifier is evaluated using two intrusion detection evaluation datasets, namely KDD Cup 99 and NSL-KDD dataset. The evaluation results show that our approach has lower false alarm rate, higher accuracy rate and F-Score.

Yang Liu,Shuaifeng Ma,Xinxin Du

DOI: https://doi.org/10.1109/access.2020.3044069

IF: 3.9

2021-01-01

IEEE Access

Abstract:The traditional K-means algorithm is very sensitive to the selection of the initial clustering point and the calculation of the distance measure, which is likely to result in the convergence of only partly optimal solutions. An improved k-means algorithm is proposed to solve the problem of unbalanced clustering effect caused by the fact that the first initial clustering centre falls in the non-dense region of the boundary in the initial clustering centre optimisation process. An improved k-means algorithm for initial clustering centres is proposed, namely, the optimal matching algorithm for K-means clustering, and related experimental analysis of the algorithm is carried out. The improved algorithm first selects the initial points of the traditional K-means clustering algorithm and analyses the clustering results. Then, the initial clustering centre selection and distance determination were tested and the clustering effect was evaluated by introducing the contour coefficient. Experiments on both artificial data sets and UCI data sets show that the algorithm can achieve better clustering results. The experimental results indicate that the improved algorithm has a much higher clustering quality than the traditional K-means algorithm and other improved algorithms.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhong Wang,Guiquan Liu,Guo, J.C.

DOI: https://doi.org/10.1109/IWISA.2009.5072717

2009-01-01

Abstract:K-means algorithm is one of the most popular clustering algorithms. However, it is sensitive to initialized partition and the circular dataset. To attack this problem, this paper introduced an improved k-means algorithm based on multiple feature points. The algorithm selects a number of feature points as cluster centroids unlike the traditional algorithm which only uses one centroid. In addition, the algorithm calculates the weighted distance to distribute the data point and to build the new feature points set. Theoretical analysis shows that the improved algorithm and the traditional algorithm are in the same order of magnitude. The experimental results on artificial data show that the improved algorithm is better than the traditional algorithm. Experiment on real data gives appropriate parameters. © 2009 IEEE.

Xue Li,Jin-long Fei,Jue Wang,Zan Qi

DOI: https://doi.org/10.1109/ITNEC56291.2023.10082305

2023-02-24

Abstract:Feature selection methods for classification are crucial for intrusion detection techniques using machine learning. High-dimensional features in intrusion detection data affect computational complexity, consume more used resources and more time for data analysis, and the irrelevant and redundant features among them often hinder the performance of classifiers and mislead the classification task. Therefore, it is challenging to select more relevant features from intrusion detection data containing many such features. In this paper, we propose an efficient feature selection algorithm that first considers the correlation between features and the redundancy of pairs of features with respect to class labels based on an improved Pearson correlation coefficient, and later improves the evaluation function based on conditional mutual information to obtain a final subset of features with the goal of improving the classification rate and accuracy. The proposed feature selection method based on improved conditional mutual information is compared with three existing feature selection methods on the frequently studied public benchmark intrusion detection dataset NSL-KDD. The experimental results show that the features selected by the proposed method in this paper lead to a significant reduction in execution time while resulting in higher classification accuracy.

Computer Science

SHI ZHONG,TAGHI M. KHOSHGOFTAAR,NAEEM SELIYA

DOI: https://doi.org/10.1142/s0218539307002568

2007-04-01

International Journal of Reliability, Quality and Safety Engineering

Abstract:Recently data mining methods have gained importance in addressing network security issues, including network intrusion detection — a challenging task in network security. Intrusion detection systems aim to identify attacks with a high detection rate and a low false alarm rate. Classification-based data mining models for intrusion detection are often ineffective in dealing with dynamic changes in intrusion patterns and characteristics. Consequently, unsupervised learning methods have been given a closer look for network intrusion detection. We investigate multiple centroid-based unsupervised clustering algorithms for intrusion detection, and propose a simple yet effective self-labeling heuristic for detecting attack and normal clusters of network traffic audit data. The clustering algorithms investigated include, k-means, Mixture-Of-Spherical Gaussians, Self-Organizing Map, and Neural-Gas. The network traffic datasets provided by the DARPA 1998 offline intrusion detection project are used in our empirical investigation, which demonstrates the feasibility and promise of unsupervised learning methods for network intrusion detection. In addition, a comparative analysis shows the advantage of clustering-based methods over supervised classification techniques in identifying new or unseen attack types.