胡敏,潘雪增,平玲娣

DOI: https://doi.org/10.3969/j.issn.1001-3695.2004.01.033

2004-01-01

Abstract:This paper focuses on issures related to deploying a data mining-based IDS (Intrusion Detection System) in a real time environment To overcome the limitations of traditional IDS, the corresponding solutions to accurracy, efficiency and usability is presented.These solutions impove efficiency of traditional DOS and maintain a desired accuracy level. This paper also proposed an architecture consisting of sensors, detectors, a data warehouse and model generation components. This architecture facilitates the sharing and storage of audit data and the distribution of new or updated models. Also, it improves the efficiency and scalability of the traditional IDS.

Haifeng Lv,Xiaoyu Ji,Yong Ding

DOI: https://doi.org/10.1088/1742-6596/2517/1/012016

2023-01-01

Journal of Physics Conference Series

Abstract:The intrusion detection system (IDS) plays an important part because it offers an efficient way to prevent and mitigate cyber attacks. Numerous deep learning methods for intrusion anomaly detection have been developed as a result of recent advances in artificial intelligence (AI) in order to strengthen internet security. The balance among the high detection rate (DR), the low false alarm rate (FAR) and disaster of dimensionality is the crucial apprehension while devising an effective IDS. For the binary classification of intrusion detection systems, we present in this study a mixed model called K-means-XGBoost consisting of K-means and (Extreme Gradient Boosting, XGBoost) algorithms. The distributed computation of our method is achieved in Spark platform to rapidly separate normal events and anomaly events. In phrases of accuracy, DR, F1-score, recall, precision, and error indices FAR, the proposed model’s performance is measured via the well-known dataset of NSL-KDD. The experimental outcomes indicate that our method is outstandingly better among accuracy, DR, F1-score, training time, and processing speed, compared to other models which are recently created. In particular, the accuracy, F1-score, and DR of the proposed model can achieve as high as 93.28%, 94.39%, and 99.22% in the NSL-KDD dataset, respectively.

Na Xing,Shuai Zhao,Yuehai Wang,Keqing Ning,Xiufeng Liu

DOI: https://doi.org/10.14569/ijacsa.2023.0140743

2023-01-01

Abstract:recent years, deep learning-based network intrusion detection systems (IDS) have shown impressive results in detecting attacks. However, most existing IDS can only recognize known attacks that were included in their training data. When faced with unknown attacks, these systems are often unable to take appropriate actions and incorrectly classify them into known categories, leading to reduced detection performance. Furthermore, as the number and types of network attacks continue to increase, it becomes challenging for these IDS to update their model parameters promptly and adapt to new attack scenarios. To address these issues, this paper introduces a dynamic intrusion detection system, Dynamic Unknown Attack Intrusion Detection System (DUA-IDS). This system aims to learn and detect unknown attacks effectively. DUA-IDS comprises three components: Feature Extractor: This component employs CNN and Transformer models to extract data features from various perspectives. Threshold-Based Classifier: The second part utilizes the nearest mean rule of samples to classify known and unknown attacks, enabling the distinction between them. Dynamic Learning Module: The third part incorporates data playback and knowledge distillation techniques to retain existing category knowledge while continuously learning new attack categories. To assess the effectiveness of DUA-IDS, this paper conducted experiments using the UNSW-NB15 public dataset. The experimental results show that DUA-IDS improves the classification accuracy of flow network data with unknown traffic attacks. Can accurately distinguish unknown traffic and correctly classify known traffic. When dynamically learning unknown traffic, the classification accuracy of previously learned known traffic is less affected. This indicates the advantages of DUA-IDS in detecting unknown attacks and learning new attack categories.

Fang Yu Ke,Fu Yan,Zhou Jun Lin

DOI: https://doi.org/10.1109/wkdd.2010.51

2009-01-01

Abstract:The traditional IDS can not effectively manage the new continuously changing intrusion detection attacks. To deal with the problem, data mining based intrusion detection methods have been the hot fields in intrusion detection research. An outlier mining based adaptive intrusion detection framework is proposed in this paper. In the proposed framework, the outliers are firstly detected by similarity coefficient. And then, the clusters are built on the detected outlier data set and the improved association rule algorithm is employed on the clusters. Finally, the rules generated by association rule algorithm will be adaptively added into the current intrusion detection rule base. The experiments performed on simulated data and KDD99 from UCI data set have shown the effectiveness of proposed methods.

杨建华,蒋玉明,彭轮

DOI: https://doi.org/10.3969/j.issn.1008-0570.2009.24.011

2009-01-01

Abstract:In this paper an intrusion detection system based on data mining is proposed,and its main idea is to apply data mining methods to learn rules that can capture normal and intrusion activities from pre-processed audit data that contain network connection information. Put forward a method to improve the Apriori algorithm,whose I/O is quite surprising when scanning the database. To improve the method is feasible;the normal rules in the knowledge database in IDS are mined. And the experiment indicates that the model can produce new rules,which approve the validity and the feasibility of the IDS.

Yu-Xin Ding,Hai-Sen Wang,Qing-Wei Liu

DOI: https://doi.org/10.1109/icmlc.2008.4620604

2008-01-01

Abstract:Traditional intrusion detection systems focus on low-level attacks, and only generate isolated alerts. They can't rind logical relations among alerts. In addition, IDS's accuracy is low, a lot of alerts are false alerts. So it is difficult for human users or intrusion response systems to understand the alerts and take appropriate actions. To solve this problem different intrusion scenario detection methods are proposed. In this paper a data mining method is used to find the attack scenarios. Firstly redundancy alerts are checked and deleted, then attack scenario patterns are mined by using the associate-rule algorithms which is an improved Apriori algorithm. These mined scenario patterns are used to rind attack scenarios. In (his paper 1999 DARPA intrusion detection scenario specific datasets are used as the experimental data and the corresponding results are shown. Compared with current scenario detection methods which depend on human knowledge to define attack scenarios, our methods use data mining method to find the scenarios automatically. Our experimental results demonstrate the potential of the proposed method.

Huiping Chen,Jiandong Wang,Feiyue Ye,Yu Wang

2005-01-01

Abstract:An intrusion detection (ID) model is proposed based on the fuzzy data mining method. A major difficulty of anomaly ID is that patterns of the normal behavior change with time. In addition, an actual intrusion with a small deviation may match normal patterns. So the intrusion behavior cannot be detected by the detection system. To solve the problem, fuzzy data mining technique is utilized to extract patterns representing the normal behavior of a network. A set of fuzzy association rules mined from the network data are shown as a model of ”normal behaviors”. To detect anomalous behaviors, fuzzy association rules are generated from new audit data and the similarity with sets mined from ”normal” data is computed. If the similarity values are lower than a threshold value, an alarm is given. Furthermore, genetic algorithms are used to adjust the fuzzy membership functions and to select an appropriate set of features.

杨向荣,宋擒豹,沈钧毅

DOI: https://doi.org/10.3321/j.issn:0253-987X.2002.02.016

2002-01-01

Abstract:An efficient method based on data mining is presented for detecting network intrusion. According to this method, user's behavior patterns are mined from IP packets, and used to build user's behavior rules base automatically. By comparing similarity, the new method can be used to detect known and unknown network attacks in real-time. The user's behavior patterns mining algorithm IDSPADE is described in detail, which is the most important part of DMIDS. The experimental results indicate that this algorithm is efficient enough to meet the needs of active detect novel intrusion. Compared with most existing systems by using the pure knowledge engineering approaches, the algorithm is more intelligent and adaptive.

Quan ZHOU,Feng-Ying ZHAO,Chong-Jun WANG,Shi-Fu CHEN

DOI: https://doi.org/10.3969/j.issn.1003-6059.2008.04.015

2008-01-01

Abstract:The solution based on multi-approaches of data mining involving k-means, C4.5, Naive Bayes, Bayes net and Co-training is proposed in order to deal with the major problems of intrusion detection dataset such as class balance, class overlapping, noise, distributions etc. The experiment results show its validity.

ZHANG Jin-rong,LIU Feng,ZHAO Zhi-hong,LUO Bin

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.24.052

2009-01-01

Abstract:There are many problems such as poor adaptability,limited extensibility and experts hand-coding in traditional intrusion detection systems.Data mining-based intrusion detection techniques can extract knowledge and patterns of abnormal intrusions and normal user profiles from training data automatically,hence resolving the problems of tradition IDS properly.Main applications of data mining to network intrusion detection are surveied,i.e.clustering analysis,classification analysis,association rule analysis and sequential patterns analysis.Basic principles of each as well as latest research and improvements.At last,a summary of existing problems and future research directions is given.

吕志军,袁卫忠,仲海骏,黄皓,曾庆凯,谢立

DOI: https://doi.org/10.3969/j.issn.1002-137x.2004.10.015

2004-01-01

Computer Science

Abstract:Intrusion detection system(IDS)must be capable of detecting new and unknown attacks. In this paper, we propose an Anomaly Detection System based on Data Mining(ADESDM). Firstly, ADESDM mine suspicious behaviors in the protocol header, ports and application data with strong association rules and weak association rules; then, it sends the suspicious behaviors to the Deciding Module based on Bayesian Belief Net (DMBBN). In real network communications, the attributes, such as time, direction, ports and IP addresses, are influencing each other. The DMBBN illustrates the conditional probabilities and relationship among the above attributes, and uses them to determine whether the suspicious behaviors are normal ones or attacks. Thus, system can reduce the false alarm rate.

J Guan,Dx Liu,T Wang

DOI: https://doi.org/10.1007/978-3-540-24767-8_74

2004-01-01

Abstract:Two data mining methods (association rule mining and frequent episode mining) have been proved to fit to the intrusion detection problem. But the normal and the intrusions in computer networks are hard to predict as the boundaries between them cannot be well defined. This prediction process may generate false alarms in many anomaly based intrusion detection systems. This paper presented a method to realize that the false alarm rate in determining intrusive activities can be reduced with fuzzy logic. A set of fuzzy rules can be used to define the normal and abnormal behavior in a computer network, and fuzzy data mining algorithms can be applied over such rules to determine when an intrusion is in progress. In this paper, we have introduced modifications of these methods that mine fuzzy association rules and fuzzy frequent episodes and have described off-line methods that utilize these fuzzy methods for anomaly detection from audit data. We describe experiments that explore their applicability for intrusion detection. Experimental results indicate that fuzzy data mining can provide effective approximate anomaly detection.

吕锡香,杨波,裴昌幸,苏晓龙

DOI: https://doi.org/10.3969/j.issn.1001-2400.2004.04.020

2004-01-01

Journal of Xidian University

Abstract:We discuss our research in developing the detection engine of the intrusion detection system. The key ideas are to combine the slide window into the data mining technique to design the base detection engine which is the essential share of the meta detection engine. In addition, Apriori, a kind of data mining algorithm, is improved to mine network data. The improved algorithm does not scan all items in database and only links the items in the same list, so the detection efficiency is improved greatly. Also, other key details in IDS are put forward.

Wu Liu,Jian-Ping Wu,Hai-Xin Duan,Xing Li

DOI: https://doi.org/10.1007/11540007_96

2006-01-01

Abstract:In this paper, we apply data mining techniques to construct intrusion detection patterns. We mine both system audit data and network traffic data for consistent and useful patterns of program and user behavior, and use an iterative low-frequency-finder mining algorithm to find the low frequency but important patterns.

YUAN Chao-hua,BAI Wen-yang

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.04.032

2006-01-01

Abstract:This paper presents a model of database intrusion detection system,which uses data mining on the audit data in database systems to derive user profiles that describe normal behavior of users.The profiles can be used to detect abnormal behavior of users.

Qing Ye,Xiaoping Wu,Gaofeng Huang

DOI: https://doi.org/10.1109/ICFCC.2010.5497340

2010-01-01

Abstract:An intrusion is defined as any set of actions that compromise the integrity, confidentiality or availability of a resource. Data mining is to identify valid, novel, potentially useful, and ultimately understandable patterns in massive data. It is demanding to apply data mining techniques to detect various intrusions. This paper presents an approach to detect intrusion based on data mining frame work. In the framework, intrusion detection is thought of as clustering. The reduction algorithm is presented to cancel the redundant attribute set and obtain the optimal attribute set to form the input of the FCM. To find the reasonable initial centers easily, the advanced FCM is established, which improves the performance of intrusion detection since the traffic is large and the types of attack are various. In the illustrative example, the number of attributes is reduced greatly and the detection is in a high precision for the attacks of DoS and Probe, a low false positive rate in all types of attacks. ©2010 IEEE.

Lei Zhang,Jianqing Zhang,Yong Chen,Shaowen Liao

DOI: https://doi.org/10.1109/icicta.2018.00074

2018-01-01

Abstract:In this paper, a hybrid intrusion detection model based on data mining, which is commonly used in network security anomaly detection, is proposed that combines anomaly detection with misuse detection technology. Two test stages were formed and applied to the instrusion detection system in the process of large-scale network traffic detection. On the basis of improving the detection ability of the massive information detection system, the security of the data source of the intrusion detection system was ensured.

Wei Wang,Xiaohong Guan,Xiangliang Zhang,Liwei Yang

DOI: https://doi.org/10.1016/j.cose.2006.05.005

IF: 5.105

2006-01-01

Computers & Security

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework. In recent years, it has been a widely studied topic in computer network security. In this paper, we present two methods, namely, the Hidden Markov Models (HMM) method and the Self Organizing Maps (SOM) method, to profile normal program behavior for anomaly intrusion detection based on computer audit data. The HMM method utilizes the transition property of events while SOM method relies on the frequency property of events. Two data sets, CERT synthetic Sendmail system call data collected in the University of New Mexico (UNM) and Live FTP system call data collected in the CNSIS lab of Xi'an Jiaotong University, were used to assess the two methods. Testing results show that the HMM method using the transition property of events produces good detection performance while high computational expense is required both for training and detection. The HMM method is better than other two methods reported previously in terms of detection accuracy for the same data set. The SOM method considering the frequency property of events, on the other hand, is suitable for real-time intrusion detection because of its capability of processing a large amount of data with low computational overhead.

Guojun Mao,Xindong Wu,Xuxian Jiang

DOI: https://doi.org/10.1080/18756891.2012.670519

2012-01-01

Abstract:Computer intrusions are taking place everywhere, and have become a major concern for information security. Most intrusions to a computer system may result from illegitimate or irregular calls to the operating system, so analyzing the system-call sequences becomes an important and fundamental technique to detect potential intrusions. This paper proposes two models based on data mining technology, respectively called frequency patterns (FP) and tree patterns (TP) for intrusion detection. FP employs a typical method of sequential mining based on frequency analysis, and uses a short sequence model to find out quickly frequent sequential patterns in the training system-call sequences. TP makes use of the technique of tree pattern mining, and can get a quality profile from the training system-call sequences of a given system. Experimental results show that FP has good performances in training and detecting intrusions from short system-call sequences, and TP can achieve a high detection precision in handling long sequences.

Haipeng Yao,Qiyi Wang,Luyao Wang,Peiying Zhang,Maozhen Li,Yunjie Liu

DOI: https://doi.org/10.1007/s10766-017-0537-7

2017-01-01

International Journal of Parallel Programming

Abstract:With the dramatic opening-up of network, network security becomes a severe social problem with the rapid development of network technology. Intrusion Detection System (IDS) is an innovative and proactive network security technology, which becomes a hot topic in both industry and academia in recent years. There are four main characteristics of intrusion data that affect the performance of IDS including multicomponent, data imbalance, time-varying and unknown attacks. We propose a novel IDS framework called HMLD to address these issues, which is an exquisite designed framework based on Hybrid Multi-Level Data Mining. In this paper, we use KDDCUP99 dataset to evaluate the performance of HMLD. The experimental results show that HMLD can reach 96.70% accuracy which is nearly 1% higher than the recent proposed optimal algorithm SVM+ELM+Modified K-Means. In details, HMLD greatly increased the detection accuracy of DoS attacks and R2L attacks.