Lin Hui

DOI: https://doi.org/10.3969/j.issn.1004-3918.2012.07.021

2012-01-01

Abstract:The author analyzes the structure of WinPcap and the function of WinPcap provided for user detailed,according to the network protocol and port to filter network data,introduces fuzzy clustering to IDS,and uses KDD99 data set to take some experiment.The result shows that this system can detect intrusion data effectively.

MA Xiao-chun,GAO Xiang,GAO De-yuan

DOI: https://doi.org/10.3969/j.issn.1000-7180.2005.04.036

2005-01-01

Abstract:Intrusion Detection System (IDS) is an important part of the computer network security. According to the analysis of two intrusion detection models, this paper presents a clustering based method for unsupervised anomaly detection, and does some experiments using the KDD99 cup dataset. This method is proved to be with high performances by the results.

YU-FANG ZHANG,ZHONG-YANG XIONG,XIU-QIONG WANG

DOI: https://doi.org/10.1109/ICMLC.2005.1527342

2005-01-01

Abstract:The research on distributed intrusion detection system (DIDS) is a rapidly growing area of interest because the existence of centralized intrusion detection system (IDS) techniques is increasingly unable to protect the global distributed information infrastructure. Distributed analysis employed by Agent-based DIDS is an accepted fabulous method. Clustering-based intrusion detection technique overcomes the drawbacks of relying on labeled training data which most current anomaly-based intrusion detection depend on. Clustering-based DIDS technique according to the advantages of two techniques is presented. For effectively choosing the attacks, twice clustering is employed: the first clustering is to choose the candidate anomalies at Agent IDS and the second clustering is to choose the true attack at central IDS. At last, through experiment on the KDD CUP 1999 data records of network connections verified that the methods put forward is better.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Ma Li,Bai Lin,Jiao Li-cheng,Chen Chang-guo

DOI: https://doi.org/10.1109/iccias.2006.294205

2006-01-01

Abstract:Adaptive polyclonal algorithm is the improved one of clonal selection algorithm, and its convergence speed is much faster. This paper intends to direct a novel clustering analysis by means of the affinity function that the adaptive polyclonal clustering strategy affects. The clustering algorithm has the advantage that it does not depend on priori knowledge and has nothing to do data distribution, effectively overcoming the disadvantage that some existing algorithms are sensitive to initialization and easy to be trapped into the local optima. This algorithm clusters large data sets with mixed numeric and categorical values effectively. The intrusion detection system based on this algorithm can deal with massive unlabeled data to distinguish between normal and anomaly and even can detect unknown attacks. The computer comparison-contrast simulations through the KDD CUP 99 datasets show that the algorithm discussed in this paper has much superior detection rate and less false positive rate when compared with AiNet algorithm, the algorithm of L. Portnoy (2000) and the algorithm of L. Jing and L. Fang (2004)

Kai Peng,Victor C. M. Leung,Qingjia Huang

DOI: https://doi.org/10.1109/ACCESS.2018.2810267

IF: 3.9

2018-01-01

IEEE Access

Abstract:Intrusion detection system (IDS) provides an important basis for the network defense. Due to the development of the cloud computing and social network, massive amounts of data are generated, which inevitably brings much pressure to IDS. And therefore, it becomes crucial to efficiently divide the data into different classes over big data according to data features. Moreover, we can further determine whether one is normal behavior or not based on the classes information. Although the clustering approach based on K-means for IDS has been well studied, unfortunately directly using it in big data environment may suffer from inappropriateness. On the one hand, the efficiency of data clustering needs to be improved. On the other hand, differ from the classification, there is no unified evaluation indicator for clustering issue, and thus, it is necessary to study which indicator is more suitable for evaluating the clustering results of IDS. In this paper, we propose a clustering method for IDS based on Mini Batch K-means combined with principal component analysis. First, a preprocessing method is proposed to digitize the strings and then the data set is normalized so as to improve the clustering efficiency. Second, the principal component analysis method is used to reduce the dimension of the processed data set aiming to further improve the clustering efficiency, and then mini batch K-means method is used for data clustering. More specifically, we use K-means++ to initialize the centers of cluster in order to avoid the algorithm getting into the local optimum, in addition, we choose the Calsski Harabasz indicator so that the clustering result is more easily determined. Compared with the other methods, the experimental results and the time complexity analysis show that our proposed method is effective and efficient. Above all, our proposed clustering method can be used for IDS over big data environment.

Di He,Xin Chen,Danping Zou,Ling Pei,Lingge Jiang

DOI: https://doi.org/10.1109/iscas.2018.8350994

2018-01-01

Abstract:In the computer network intrusion detection system, data objects, mapped from original space, are analyzed based on kernel clustering algorithm. During the process of kernel clustering, some representative points are introduced to represent a cluster. In just one iteration, the distance between a data object and representative points of a cluster is computed to partition the data objects. The clustering results contain normal data and abnormal data, which achieve the goal of intrusion detection. At the same time, KDD CUP 1999 dataset is used to make simulations. The results show that the proposed algorithm has higher detecting probability under the condition of low constant false alarm rate compared with K-Means clustering algorithm and SVM.

YG Liu,KF Chen,XF Liao,W Zhang

DOI: https://doi.org/10.1016/j.patcog.2003.09.011

IF: 8

2004-01-01

Pattern Recognition

Abstract:Traditional intrusion detection methods lack extensibility in face of changing network configurations as well as adaptability in face of unknown attack types. Meanwhile, current machine-learning algorithms need labeled data for training first, so they are computational expensive and sometimes misled by artificial data. In this paper, a new detection algorithm, the Intrusion Detection Based on Genetic Clustering (IDBGC) algorithm, is proposed. It can automatically establish clusters and detect intruders by labeling normal and abnormal groups. Computer simulations show that this algorithm is effective for intrusion detection.

Hongying Zheng,Xiaofeng Liao,Lin Ni

IF: 1.019

2006-01-01

Chinese Journal of Electronics

Abstract:In this paper, a new detection method, Intrusion detection based on unsupervised clustering and simulated annealing algorithm (IDCSA), is proposed, it can automatically establish clusters and detect intruders by labeling normal and abnormal groups, IDCSA combines partitional clustering with simulated annealing. Firstly, clustering is described as assignment problem and clusters are established using partitional clustering. Secondly, simulated annealing algorithm is used to optimize the clustering results and find a near-optimal partitioning instead of local optimizing results. The experiments with KDD cup 1999 show that IDCSA is effective for intrusion detection.

Liu Fang,Qu Bo,Chen Rongsheng

DOI: https://doi.org/10.1007/978-3-540-30549-1_127

2004-01-01

Abstract:Immune clone selection algorithm is a new intelligent algorithm which can effectively overcome the prematurity and slow convergence speed of traditional evolution algorithm because of the clonal selection strategy and clonal mutation strategy. We apply the immune clonal selection algorithm to the process of modeling normal behavior. We compare our algorithm with the algorithm which applies the genetic algorithm to intrusion detection and applies the negative selection algorithm of the artificial immune system to intrusion detection in the dataset kddcup99. The experiment results have shown that the rule set obtained by our algorithm can detect unknown attack behavior effectively and have higher detection rate and lower false positive rate.

S. Gokul Pran,Sivakami Raja,S. Jeyasudha

DOI: https://doi.org/10.1002/acs.3771

IF: 3.369

2024-03-14

International Journal of Adaptive Control and Signal Processing

Abstract:Summary Intrusion detection is a cyber‐security method that is significant for network security. It is utilized to detect behaviors that compromise security and privacy within a network or in the context of a computer system. To enhance the identification, an Intrusion Detection System Based on the Beetle Swarm Optimization and K‐RMS Clustering Algorithm cluster‐based hybrid classifiers is proposed in this manuscript. Here, the data is amassed from CICIDS2017 dataset. Then the data is preprocessed to eradicate the unwanted noise. After completing the preprocessed data, it can be clustered by using K‐RMS clustering algorithm. This algorithm cluster the entire data to the associated cluster set depending on the data behavior. The classification algorithm is considered to predict the data as normal or attacking behaviors. The hybrid classification is used to predict the data. The solitary predictor aims to achieve high detection rates and accuracy. The hybrid classifiers, such as support vector machines, artificial neural networks are applied to recognize the normal or intruder. The performance of the SVM‐ANN‐IDS method attains 22.05%, 15.87%, 27.25% higher accuracy, 23.90% and 28.53% higher precision, 29.29%, 19.19% and 23.27% higher specificity and 18.28%, 24.36% and 27.49% greater recall when compared to the existing models, like developing novel deep‐learning model to improve network intrusion categorization (DNN‐IDS), Intrusion identification scheme on real‐time data traffic under machine learning techniques along feature selection method (RNN‐SVM‐IDS) and recurrent deep learning basis feature fusion ensemble meta‐classifier for intellectual network intrusion identification scheme (RNN‐IDS) respectively.

automation & control systems,engineering, electrical & electronic

Binita Bohara,Jay Bhuyan,Fan Wu,Junhua Ding

DOI: https://doi.org/10.5121/ijnsa.2020.12101

2020-01-01

Abstract:In the present world, it is difficult to realize any computing application working on a standalone computing device without connecting it to the network. A large amount of data is transferred over the network from one device to another. As networking is expanding, security is becoming a major concern. Therefore, it has become important to maintain a high level of security to ensure that a safe and secure connection is established among the devices. An intrusion detection system (IDS) is therefore used to differentiate between the legitimate and illegitimate activities on the system. There are different techniques are used for detecting intrusions in the intrusion detection system. This paper presents the different clustering techniques that have been implemented by different researchers in their relevant articles. This survey was carried out on 30 papers and it presents what different datasets were used by different researchers and what evaluation metrics were used to evaluate the performance of IDS. This paper also highlights the pros and cons of each clustering technique used for IDS, which can be used as a basis for future work.

Y Feng,KG Wu,ZF Wu,J Zhong,H Li

DOI: https://doi.org/10.1142/9789812701534_0110

2005-01-01

Abstract:A clustering algorithm based on swarm intelligence is systematically proposed for anomaly intrusion detection. The basic idea of our approach is to produce the cluster by swarm intelligence-based clustering. Instead of using the linear segmentation function of the CSI model, here we propose to use a nonlinear probability conversion function and can help to solve linearly inseparable problems. With the classified data instances, anomaly data clusters can be easily identified by normal cluster ratio. And then the identified cluster can be used in real data detection. In the traditional clustering-based intrusion detection algorithms, clustering using a simple distance-based metric and detection based on the centers of clusters, which generally degrade detection accuracy and efficiency. Our approach can settle these problems effectively. The experiment result shows that out approach can detect unknown intrusions efficiently in the real network connections.

ZHONG Jiang,WU Kai-Gui,WU Zhong-Fu,LI Ji,OU Ling

2005-01-01

Computer Science

Abstract:Traditional intrusion detection methods lack extensibility in face of changing network configurations as well as adaptability in face of unknown attack types. Meanwhile, current machine-learning algorithms need labeled data for training first, so they are computational expensive and somethaes misled by artificial data. In this paper, a new detection algorithm, the Intrusion Detection Based on Immune Clustering algorithm, is proposed. It can automatically establish clusters and detect intruders by compute the outlier factor of each data item. Computer simulations show that this algorithm is effective for intrusion detection.

Weiwu Ren,Liang Hu,Kuo Zhao,Jianfeng Chu

DOI: https://doi.org/10.12733/jcis6597

2013-01-01

Journal of Computational Information Systems

Abstract:Decision tree and hierarchical clustering in application of the field of intrusion detection have its own advantages and disadvantages. For purposes of covering up the shortcomings of each other and searching an optimal balance between them, a multiple-level hybrid intrusion detection system based on hierarchical clustering and decision tree has been proposed. Misuse modules and anomaly modules are organized by a multiple-level hybrid tree. According to the actual performance, misuse module or anomaly module is selected to be the detector. A series of experiment results on well-known KDD Cup 1999 data sets indicate that the hybrid model has good performance in both detection and real time. © 2013 by Binary Information Press.

Liang Hu, Nurbol,Xiaobo Liu,Kuo Zhao

2010-01-01

Journal of Information and Computational Science

Abstract:This paper proposed a new algorithm based on time stamped hierarchical clustering for intrusion detection. It incrementally clusters incoming data objects of normal behavior, and produces a precise model. Using each clusters time stamp, the algorithm can dynamically remove some expired clusters from the model, and also can produces some new cluster, that makes our clustering method more suitable for real network environment. Experiments with KDDCUP 1999 data set show our algorithm is less sensitive to noise data objects than ADWICE, and has low computer resource consumptions. Copyright © 2010 Binary Information Press.

Kai Bu,Mingjie Xu,Xuan Liu,Jiaqing Luo,Shigeng Zhang

DOI: https://doi.org/10.1109/mass.2014.12

2014-01-01

Abstract:Cloning attacks seriously impede the security of Radio-Frequency Identification (RFID) applications. In this paper, we tackle deterministic clone detection for anonymous RFID systems without tag identifiers (IDs) as a priori. Existing clone detection protocols either cannot apply to anonymous RFID systems due to necessitating the knowledge of tag IDs or achieve only probabilistic detection with a few clones tolerated. We propose two protocols, BASE and DeClone, toward fast and deterministic clone detection for large anonymous RFID systems. BASE leverages the observation that clone tags make tag cardinality exceed ID cardinality. DeClone is built on a recent finding that clone tags cause collisions that are hardly reconciled through rearbitration. For DeClone to achieve detection certainty, we design breadth first tree traversal toward quickly verifying unreconciled collisions and hence the cloning attack. We validate their detection performance through analysis and simulation. The results show that BASE delivers faster detection for small systems while DeClone for large ones especially when clone ratio increases.

Yong Feng,Jiang Zhong,Chun-xiao Ye,Zhong-fu Wu

DOI: https://doi.org/10.1109/ISDA.2006.253761

2006-01-01

Abstract:Due to the fact that it is more and more improbable to a system administrator to recognize and manually intervene to stop an attack, there is an increasing recognition that ID systems should have a lot to earn on following its basic principles on the behavior of complex natural systems, namely in what refers to self-organization, allowing for a real distributed and collective perception of this phenomena. A clustering model based on Self-Organizing Ant Colony Networks (CSOACN) is systematically proposed for intrusion detection system. Instead of using the linear segmentation function of the CSI model, here we propose to use a nonlinear probability conversion function and can help to solve linearly inseparable problems. Using a set of benchmark data from 1998 DARPA, we demonstrate that the efficiency and accuracy of CSOACN.

Guowei Wu,Lin Yao,Kai Yao

DOI: https://doi.org/10.1109/ICIA.2006.305969

2007-01-01

Abstract:In this paper, we introduce an adaptive clustering algorithm for intrusion detection based on wavecluster which was introduced by Gholamhosein in 1999 and used with success in image processing. Because of the non-stationary characteristic of network traffic, we extend and develop an adaptive wavecluster algorithm for intrusion detection. Using the multiresolution property of wavelet transforms, we can effectively identify arbitrarily shaped clusters at different scales and degrees of detail, moreover, applying wavelet transform removes the noise from the original feature space and make more accurate cluster found. Experimental results on KDD-99 intrusion detection dataset show the efficiency and accuracy of this algorithm. A detection rate above 96% and a false alarm rate below 3% are achieved. The time complexity of the adaptive wavecluster algorithm is O(N) ,which is comparatively low than other algorithm

SHI ZHONG,TAGHI M. KHOSHGOFTAAR,NAEEM SELIYA

DOI: https://doi.org/10.1142/s0218539307002568

2007-04-01

International Journal of Reliability, Quality and Safety Engineering

Abstract:Recently data mining methods have gained importance in addressing network security issues, including network intrusion detection — a challenging task in network security. Intrusion detection systems aim to identify attacks with a high detection rate and a low false alarm rate. Classification-based data mining models for intrusion detection are often ineffective in dealing with dynamic changes in intrusion patterns and characteristics. Consequently, unsupervised learning methods have been given a closer look for network intrusion detection. We investigate multiple centroid-based unsupervised clustering algorithms for intrusion detection, and propose a simple yet effective self-labeling heuristic for detecting attack and normal clusters of network traffic audit data. The clustering algorithms investigated include, k-means, Mixture-Of-Spherical Gaussians, Self-Organizing Map, and Neural-Gas. The network traffic datasets provided by the DARPA 1998 offline intrusion detection project are used in our empirical investigation, which demonstrates the feasibility and promise of unsupervised learning methods for network intrusion detection. In addition, a comparative analysis shows the advantage of clustering-based methods over supervised classification techniques in identifying new or unseen attack types.