Lin-hui Zhao,Yumin Wang,Jing Xiao,Ya-ping Dai,Fang-yan Dong,Hai-le Liu

DOI: https://doi.org/10.1109/icnsc.2007.372890

2007-01-01

Abstract:Based on the Danger theory, the immune network theory and the decision templates fusion algorithm, a three-level-module adaptive intrusion detection system (TAIDS) is presented in this paper. To consider the effect of danger signals, the results of decision templates algorithm are redefined by adding a kind of suspicion signal. So, the detection templates should be modified online, and a template-adjustable adaptive decision fusion algorithm is proposed. There are two benefits in the TAIDS. First, when it is difficult to distinguish current behaviors depending on familiar features, The TAIDS will discriminate them by means of danger theory, making false alarms reduced and the ability of identifying novel attacks enhanced. Second, the adaptive decision templates algorithm allows detection templates to modify dynamically without periodical updating. Experiments are carried out on KDD-CUP-99 database to verify the performance of this system. The false positive rate is 2.27%,and the accuracies on known attacks and on unknown attacks are respectively 97.67% and 98.75%.

Haifeng Lv,Xiaoyu Ji,Yong Ding

DOI: https://doi.org/10.1088/1742-6596/2517/1/012016

2023-01-01

Journal of Physics Conference Series

Abstract:The intrusion detection system (IDS) plays an important part because it offers an efficient way to prevent and mitigate cyber attacks. Numerous deep learning methods for intrusion anomaly detection have been developed as a result of recent advances in artificial intelligence (AI) in order to strengthen internet security. The balance among the high detection rate (DR), the low false alarm rate (FAR) and disaster of dimensionality is the crucial apprehension while devising an effective IDS. For the binary classification of intrusion detection systems, we present in this study a mixed model called K-means-XGBoost consisting of K-means and (Extreme Gradient Boosting, XGBoost) algorithms. The distributed computation of our method is achieved in Spark platform to rapidly separate normal events and anomaly events. In phrases of accuracy, DR, F1-score, recall, precision, and error indices FAR, the proposed model’s performance is measured via the well-known dataset of NSL-KDD. The experimental outcomes indicate that our method is outstandingly better among accuracy, DR, F1-score, training time, and processing speed, compared to other models which are recently created. In particular, the accuracy, F1-score, and DR of the proposed model can achieve as high as 93.28%, 94.39%, and 99.22% in the NSL-KDD dataset, respectively.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Na Xing,Shuai Zhao,Yuehai Wang,Keqing Ning,Xiufeng Liu

DOI: https://doi.org/10.14569/ijacsa.2023.0140743

2023-01-01

Abstract:recent years, deep learning-based network intrusion detection systems (IDS) have shown impressive results in detecting attacks. However, most existing IDS can only recognize known attacks that were included in their training data. When faced with unknown attacks, these systems are often unable to take appropriate actions and incorrectly classify them into known categories, leading to reduced detection performance. Furthermore, as the number and types of network attacks continue to increase, it becomes challenging for these IDS to update their model parameters promptly and adapt to new attack scenarios. To address these issues, this paper introduces a dynamic intrusion detection system, Dynamic Unknown Attack Intrusion Detection System (DUA-IDS). This system aims to learn and detect unknown attacks effectively. DUA-IDS comprises three components: Feature Extractor: This component employs CNN and Transformer models to extract data features from various perspectives. Threshold-Based Classifier: The second part utilizes the nearest mean rule of samples to classify known and unknown attacks, enabling the distinction between them. Dynamic Learning Module: The third part incorporates data playback and knowledge distillation techniques to retain existing category knowledge while continuously learning new attack categories. To assess the effectiveness of DUA-IDS, this paper conducted experiments using the UNSW-NB15 public dataset. The experimental results show that DUA-IDS improves the classification accuracy of flow network data with unknown traffic attacks. Can accurately distinguish unknown traffic and correctly classify known traffic. When dynamically learning unknown traffic, the classification accuracy of previously learned known traffic is less affected. This indicates the advantages of DUA-IDS in detecting unknown attacks and learning new attack categories.

HUANG Xiao-tao,LI Sha

DOI: https://doi.org/10.1109/icbecs.2010.5462467

2008-01-01

Abstract:A layered multi-agent detection model for abnormal intrusion, based on danger theory, is presented according to the research on the danger theory and artificial immunity. The model, with three layers in the frame, conducts the real time monitoring and danger judgment on the host computer and network resource before it recognizes the nonself, and then the danger signal activates the immunity recognition. The danger judgment conducted by cloud model can recognize the harmful self and harmful nonself effectively, which ensures the system safety and improves the performance of detection system. Thus, the probability of misinformation and omission will decrease to some extent.

Weiwu Ren,Liang Hu,Kuo Zhao,Jianfeng Chu

DOI: https://doi.org/10.12733/jcis6597

2013-01-01

Journal of Computational Information Systems

Abstract:Decision tree and hierarchical clustering in application of the field of intrusion detection have its own advantages and disadvantages. For purposes of covering up the shortcomings of each other and searching an optimal balance between them, a multiple-level hybrid intrusion detection system based on hierarchical clustering and decision tree has been proposed. Misuse modules and anomaly modules are organized by a multiple-level hybrid tree. According to the actual performance, misuse module or anomaly module is selected to be the detector. A series of experiment results on well-known KDD Cup 1999 data sets indicate that the hybrid model has good performance in both detection and real time. © 2013 by Binary Information Press.

Lingxi Peng,Xudong Zhu,Jian Zhang,Rui Fan,Chunlin Liang,Jinquan Zeng,Caiming Liu

2009-01-01

Journal of Information and Computational Science

Abstract:A novel inspired intrusion detection system paradigm based on danger theory (NIIDS) is proposed. The danger theory, which depicts the immune system, is quite similar to the problems of network security, has been considering potential recognitional application values in network security problems. However, the definition of pivotal danger signals have not yet been defined in present literatures, which is also a hard problem that translate the danger theory into the realms of network security and limit its further application. In this paper, the definition danger signals are given. Furthermore, mathematic equations of the danger evaluation and danger alert are built in turn. NIIDS solves the problems of huge alerts and low quality of alert information, and can also evaluate the real-time intrusion attack and anomaly menace, which are troublesome in the existed intrusion detection models. Simulations of this model were performed, and the comparison experiment results show that NIIDS surmounts the current computer immune system and traditional intrusion detection models. Copyright ©2009 Binary Information Press.

Wenhao Wang,Chen Zhang,Quan Zhang

DOI: https://doi.org/10.1007/978-3-662-43908-1_15

2014-01-01

Abstract:In order to solve non-real time problem in traditional intrusion detection technologies, this paper proposes an anomaly detection model based on cloud model and danger theory. First using cloud model as a tool to evaluate the diversity factors between test data and the standard data set, then covert it into signal input of DCA to detect abnormality degree of system. Meanwhile, a dendritic cell algorithm based on data segmented detection is proposed in order to raise real-time response of the system. The paper use KDDCUP99 data sets to validate membership of normal data and detection rate of this model. Experimental results show that the model can effectively distinguish between normal data and abnormal data, and also improve the system anomaly detection capabilities.

Xu Chun,Chen Xing-Shu,Zhao Hui,Jiang Yu-Ming,Liu Nian,Wang Tie-Fang

DOI: https://doi.org/10.1109/ISDPE.2007.108

2007-01-01

Abstract:Denial of Service (DoS) attack is one of the most common network attacks on network in the present. Usually DoS attack is often executed in fraudulent way, so they have the characteristic of fraudulence and danger. A new method of DoS intrusion detection based on the immune danger theory is presented in the paper, according to the characteristic of DoS intrusion. In the method a definition of danger signal with a formula of computing it quantificationally, is presented And the method is tested by experiment in which DoS intrusion is detected in the real-time way. The results of the experiment show that the method can not only detect DoS intrusion in the real-time way, but also have the advantage of working with less false positive rate and with faster response. It is an effective method for DoS intrusion detection.

GAO Zheng,CHEN Shu-yu,LI Guo-yong

2010-01-01

Abstract:Aiming at the shortages of misuse detection and anomaly detection in intrusion detection system,on basis of researching hybrid intrusion detection system,a new design of hybrid intrusion detection system was proposed by studying it.Misuse detection module is based on Snort's pattern rules database.Anomaly detection is to use self-organizing neural network for data clustering,and then to classify these data by supervised learning vector quantization.Simulation of the key modules in this system was done successfully,and results show that the system improved capabilities and accuracy of the hybrid intrusion detection system.

Chun XU,Xiao-jie LIU,Tao LI,Hui ZHAO,Nian LIU,Sun-jun LIU

DOI: https://doi.org/10.3969/j.issn.1009-3087.2007.05.023

2007-01-01

Abstract:A new denial of service intrusion detection model based on the immune danger theory was presented, according to the characteristic of denial of service intrusion. The model and the antibody evolution algorithm were designed and realized. In the model, antigen/antibody was classified by consanguinity, the procedure of antigen ap-optosis and necrosis were defined, and both danger signal and risk of network were calculated. This model can detect denial of service intrusion by the danger signal and risk of network. The results of the experiment showed that the method can not only keep the advantages of self-learning and self-adaptation of intrusion detection based on tradition artificial immune artificial immune, but also decrease the false positive rate by 87.5%.

Jinquan Zeng,Yan Fu,Jianbing Hu,AnLong Chen,Lingxi Peng

2008-01-01

Journal of Information and Computational Science

Abstract:Artificial Immune System (AIS) has been successful in many realms, especially in computer security, and the correlative algorithms rely on self-nonself discrimination, as stipulated in classical immunology. But when the algorithms are used in practical applications, scaling problems of self and nonself, computational efficiency, and the changing problems of self and nonself have to be addressed. Meanwhile, immunologists are increasingly finding faults with traditional self-nonself discrimination and a new Danger Theory (DT) is emerging. This new theory suggests that Human Immune System (HIS) is more concerned with damages than nonself and HIS reacts to threats through the correlation of danger signals. Based on the DT, within the context of computer system, immune response model is presented. In the model, the definitions of the danger signal, response type and intensity, and etc. are given. Then the producing method of the danger signal is put forth, and they are significant in incorporating the DT into computer security applications. 1548-7741/Copyright © 2008 Binary Information Press October 2008.

XU Chun,WU Liang-fu,CHEN Xing-shu,YOU Hong-yue,LIU Xue-hong

DOI: https://doi.org/10.15961/j.jsuese.2011.03.024

2011-01-01

Abstract:Based on immune danger theory,a danger zone generating mechanism,a danger zone radius calculation method and the calculating formula of the danger signals signal_0 by antigen necrosis and the antigen detected danger signals signal_1 were given according to the intrusion detection application.In addition,a detection algorithm in the danger zone was presented according to the signal_0 and signal_1.The experiments showed that the proper selection of the dangerous area radius is helpful for the improvement of the efficiency of intrusion detection system,and make both the false negative rate and false detection rates remained at a lower level.

Haipeng Yao,Qiyi Wang,Luyao Wang,Peiying Zhang,Maozhen Li,Yunjie Liu

DOI: https://doi.org/10.1007/s10766-017-0537-7

2017-01-01

International Journal of Parallel Programming

Abstract:With the dramatic opening-up of network, network security becomes a severe social problem with the rapid development of network technology. Intrusion Detection System (IDS) is an innovative and proactive network security technology, which becomes a hot topic in both industry and academia in recent years. There are four main characteristics of intrusion data that affect the performance of IDS including multicomponent, data imbalance, time-varying and unknown attacks. We propose a novel IDS framework called HMLD to address these issues, which is an exquisite designed framework based on Hybrid Multi-Level Data Mining. In this paper, we use KDDCUP99 dataset to evaluate the performance of HMLD. The experimental results show that HMLD can reach 96.70% accuracy which is nearly 1% higher than the recent proposed optimal algorithm SVM+ELM+Modified K-Means. In details, HMLD greatly increased the detection accuracy of DoS attacks and R2L attacks.

Liu Zhiqiang,Lin Zhijun,Gong Ting,Shi Yucheng,Mohi-Ud-Din Ghulam

DOI: https://doi.org/10.1007/978-981-15-5859-7_24

2020-01-01

Abstract:Recently, the increasing number of machine learning algorithms has been used in network intrusion detection system (NIDS) to detect abnormal behaviors in the network. Many available datasets were created to evaluate the performance of the model, such as KDD CUP99 and NSL-KDD. However, with the increasing scale of data and the emergence of advanced attacks, conventional machine learning algorithms can hardly perform well. Fortunately, the development of deep learning provides new direction for solving these problems. In this paper, in order to detect novel attacks in a network and improve detection efficiency, we proposed a flexible framework based on deep neural network (DNN). In our framework, we apply different feature reduction methods and activation functions to get the best performance. Moreover, through changing hyper-parameter of the model, we select better network structure. To evaluate our framework, we select ISCX 2012 and CICIDS 2017 as a benchmark and apply the proposed framework to these datasets. As a result, we observe high accuracy rate and low FAR for both binary and multi-class classifications. Overall, our proposed framework is universal and useful for detecting zero-day attacks.

Yuanchun Zhu,Ying Tan

DOI: https://doi.org/10.1007/978-3-642-21515-5_45

2011-01-01

Abstract:This paper proposes a Danger Theory (DT) based learning (DTL) model for combining classifiers. Mimicking the mechanism of DT, three main components of the DTL model, namely signal I, danger signal and danger zone, are well designed and implemented so as to define an immune based interaction between two grounding classifiers of the model. In addition, a self-trigger process is added to solve conflictions between the two grounding classifiers. The proposed DTL model is expected to present a more accuracy learning method by combining classifiers in a way inspired from DT. To illustrate the application prospects of the DTL model, we apply it to a typical learning problem - e-mail classification, and investigate its performance on four benchmark corpora using 10-fold cross validation. It is shown that the proposed DTL model can effectively promote the performance of the grounding classifiers.

Sahar. Soussa,T. Nazmy,M. Hashem,Sahar Selim

Abstract:Intrusion detection is a critical process in network security. Nowadays new intelligent techniques have been used to improve the intrusion detection process. This paper proposes a hybrid intelligent intrusion detection system to improve the detection rate for known and unknown attacks. We examined different neural network & decision tree techniques. The proposed model consists of multi-level based on hybrid neural network and decision tree. Each level is implemented with the technique which gave best experimental results. From our experimental results with different network data, our model achieves correct classification rate of 93.2%, average detection rate about 95.6%; 99.5% for known attacks and 87% for new unknown attacks, and 9.4% false alarm rate. Keywords-component; network intrusion detection; neural network; Decision Tree; NSL-KDD dataset

Engineering,Computer Science

Xianwei Gao,Chun Shan,Changzhen Hu,Zequn Niu,Zhen Liu

DOI: https://doi.org/10.1109/access.2019.2923640

IF: 3.9

2019-01-01

IEEE Access

Abstract:In recent years, advanced threat attacks are increasing, but the traditional network intrusion detection system based on feature filtering has some drawbacks which make it difficult to find new attacks in time. This paper takes NSL-KDD data set as the research object, analyses the latest progress and existing problems in the field of intrusion detection technology, and proposes an adaptive ensemble learning model. By adjusting the proportion of training data and setting up multiple decision trees, we construct a MultiTree algorithm. In order to improve the overall detection effect, we choose several base classifiers, including decision tree, random forest, kNN, DNN, and design an ensemble adaptive voting algorithm. We use NSL-KDD Test+ to verify our approach, the accuracy of the MultiTree algorithm is 84.2%, while the final accuracy of the adaptive voting algorithm reaches 85.2%. Compared with other research papers, it is proved that our ensemble model effectively improves detection accuracy. In addition, through the analysis of data, it is found that the quality of data features is an important factor to determine the detection effect. In the future, we should optimize the feature selection and preprocessing of intrusion detection data to achieve better results.

Kai Jin,Lei Zhang,Yujie Zhang,Duo Sun,Xiaoyuan Zheng

DOI: https://doi.org/10.3390/electronics12204329

IF: 2.9

2023-10-19

Electronics

Abstract:The current mainstream intrusion detection models often have a high false negative rate, significantly affecting intrusion detection systems' (IDSs) practicability. To address this issue, we propose an intrusion detection model based on a multi-scale one-dimensional convolutional neural network module (MS1DCNN), an efficient channel attention module (ECA), and two bidirectional long short-term memory modules (BiLSTMs). The proposed hybrid MS1DCNN-ECA-BiLSTM model uses the MS1DCNN module to extract features with a different granularity from the input data and uses the ECA module to enhance the weight of important features. Finally, the model carries out sequence learning through two BiLSTM layers. We use the dung beetle optimizer (DBO) to optimize the hyperparameters in the model to obtain better classification results. Additionally, we use the synthetic minority oversampling technique (SMOTE) to fill several samples to reduce the local false negative rate. In this paper, we train and test the model using accurate network data from a water storage industrial control system. In the multi-classification experiment, the model's accuracy was 97.04%, the precision was 97.17%, and the false negative rate was 2.95%; in the binary classification experiment, the accuracy and false negative rate were 99.30% and 0.7%. Compared with other mainstream methods, our model has a higher score. This study provides a new algorithm for the intrusion detection of industrial control systems.

engineering, electrical & electronic,computer science, information systems,physics, applied

Xinwei Yuan,Shu Han,Wei Huang,Hongliang Ye,Xianglong Kong,Fan Zhang

DOI: https://doi.org/10.1016/j.cose.2023.103644

2023-12-06

Abstract:Deep learning based intrusion detection systems (DL-based IDS) have emerged as one of the best choices for providing security solutions against various network intrusion attacks. However, due to the emergence and development of adversarial deep learning technologies, it becomes challenging for the adoption of DL models into IDS. In this paper, we propose a novel IDS architecture that can enhance the robustness of IDS against adversarial attacks by combining conventional machine learning (ML) models and Deep Learning models. The proposed DLL-IDS consists of three components: DL-based IDS, adversarial example (AE) detector, and ML-based IDS. We first develop a novel AE detector based on the local intrinsic dimensionality (LID). Then, we exploit the low attack transferability between DL models and ML models to find a robust ML model that can assist us in determining the maliciousness of AEs. If the input traffic is detected as an AE, the ML-based IDS will predict the maliciousness of input traffic, otherwise the DL-based IDS will work for the prediction. The fusion mechanism can leverage the high prediction accuracy of DL models and low attack transferability between DL models and ML models to improve the robustness of the whole system. In our experiments, we observe a significant improvement in the prediction performance of the IDS when subjected to adversarial attack, achieving high accuracy with low resource consumption.

Cryptography and Security,Artificial Intelligence