Jun Long,Jian-Ping Yin,En Zhu,Wen-Tao Zhao

DOI: https://doi.org/10.1109/icmlc.2008.4620568

2008-01-01

Abstract:Intrusion detection systems (IDS) protect computer systems by providing alerts which might be caused by malicious attacks. Learning methods were introduced into intrusion detection to automatically improve the performance using history data. Yet high quality data requires heavy labor of experts or expensive monitoring process. Meanwhile, IDS should minimize a nonuniform cost of the misclassification. In the paper, we aim to reduce the burden of labeling data for constructing the intrusion detection classifier with the least misclassification cost. We proposed a novel active cost-sensitive learning method for intrusion detection using the technologies of active learning and cost-sensitive learning. The proposed method uses a popular cost-sensitive learning method Metacost as the base classifier and a sampling criterion of the largest misclassification cost. The results of the experiments on intrusion detection datasets of KDDCUP 99 show that the proposed method is effective.

Haifeng Lv,Xiaoyu Ji,Yong Ding

DOI: https://doi.org/10.1088/1742-6596/2517/1/012016

2023-01-01

Journal of Physics Conference Series

Abstract:The intrusion detection system (IDS) plays an important part because it offers an efficient way to prevent and mitigate cyber attacks. Numerous deep learning methods for intrusion anomaly detection have been developed as a result of recent advances in artificial intelligence (AI) in order to strengthen internet security. The balance among the high detection rate (DR), the low false alarm rate (FAR) and disaster of dimensionality is the crucial apprehension while devising an effective IDS. For the binary classification of intrusion detection systems, we present in this study a mixed model called K-means-XGBoost consisting of K-means and (Extreme Gradient Boosting, XGBoost) algorithms. The distributed computation of our method is achieved in Spark platform to rapidly separate normal events and anomaly events. In phrases of accuracy, DR, F1-score, recall, precision, and error indices FAR, the proposed model’s performance is measured via the well-known dataset of NSL-KDD. The experimental outcomes indicate that our method is outstandingly better among accuracy, DR, F1-score, training time, and processing speed, compared to other models which are recently created. In particular, the accuracy, F1-score, and DR of the proposed model can achieve as high as 93.28%, 94.39%, and 99.22% in the NSL-KDD dataset, respectively.

Wenke Lee,Wei Fan,Matthew Miller,Salvatore J. Stolfo,Erez Zadok

DOI: https://doi.org/10.3233/jcs-2002-101-202

2002-01-01

Journal of Computer Security

Abstract:Intrusion detection systems (IDSs) must maximize the realization of security goals while minimizing costs. In this paper, we study the problem of building cost-sensitive intrusion detection models. We examine the major cost factors associated with an IDS, which include development cost, operational cost, damage cost due to successful intrusions, and the cost of manual and automated response to intrusions. These cost factors can be qualified according to a defined attack taxonomy and site-specific security policies and priorities. We define cost models to formulate the total expected cost of an IDS, and present cost-sensitive machine learning techniques that can produce detection models that are optimized for user-defined cost metrics. Empirical experiments show that our cost-sensitive modeling and deployment techniques are effective in reducing the overall cost of intrusion detection.

English Else

Aikaterini Mitrokotsa*,Christos Dimitrakakis,Christos Douligeris

DOI: https://doi.org/10.1007/978-0-387-85555-4_3

2009-01-01

Abstract:Intrusion Detection is an invaluable part of computer networks defense. An important consideration is the fact that raising false alarms carries a significantly lower cost than not detecting attacks. For this reason, we examine how cost-sensitive classification methods can be used in Intrusion Detection systems. The performance of the approach is evaluated under different experimental conditions, cost matrices and different classification models, in terms of expected cost, as well as detection and false alarm rates. We find that even under unfavourable conditions, cost-sensitive classification can improve performance significantly, if only slightly.

Boris Ndjia Njike,Xavier Siebert

2023-10-01

Abstract:Cost-sensitive learning is a common type of machine learning problem where different errors of prediction incur different costs. In this paper, we design a generic nonparametric active learning algorithm for cost-sensitive classification. Based on the construction of confidence bounds for the expected prediction cost functions of each label, our algorithm sequentially selects the most informative vector points. Then it interacts with them by only querying the costs of prediction that could be the smallest. We prove that our algorithm attains optimal rate of convergence in terms of the number of interactions with the feature vector space. Furthermore, in terms of a general version of Tsybakov's noise assumption, the gain over the corresponding passive learning is explicitly characterized by the probability-mass of the boundary decision. Additionally, we prove the near-optimality of obtained upper bounds by providing matching (up to logarithmic factor) lower bounds.

Machine Learning,Statistics Theory

Yang LI,Bin-Xing FANG,Li GUO,Zhi-Hong TIAN

DOI: https://doi.org/10.3321/j.issn:0254-4164.2007.08.029

2007-01-01

Jisuanji Xuebao/Chinese Journal of Computers

Abstract:Supervised network intrusion detection has been an active and difficult research topic in the field of intrusion detection for many years. However, there still exist some unresolved and scarcely addressed problems such as the difficulties in obtaining adequate qualified attack data for the supervised classifiers to model the attack patterns, the data acquisition task is always time-consuming and greatly relies on the domain experts, etc. Based on these, the authors first propose a novel supervised intrusion detection method based on TCM-KNN (Transductive Confidence Machines for K-Nearest Neighbors) data mining algorithm. Moreover, the authors introduce active learning method to select the most qualified data for training and thus assist TCM-KNN effectively in fulfilling the intrusion detection task. Experimental results demonstrate the proposed method has better results both in detection rate and false positives than the state-of-the-art intrusion detection methods. The method can also ensure good detection performance after optimizations by using instance selection and feature selection mechanisms. Therefore, it is more suitable for the real network applications than the traditional ones.

Steven McElwee,James Cannady

DOI: https://doi.org/10.48550/arXiv.1912.12673

2019-12-29

Cryptography and Security

Abstract:Intrusion detection has focused primarily on detecting cyberattacks at the event-level. Since there is such a large volume of network data and attacks are minimal, machine learning approaches have focused on improving accuracy and reducing false positives, but this has frequently resulted in overfitting. In addition, the volume of intrusion detection alerts is large and creates fatigue in the human analyst who must review them. This research addresses the problems associated with event-level intrusion detection and the large volumes of intrusion alerts by applying active learning and cyber situation awareness. This paper includes the results of two experiments using the UNSW-NB15 dataset. The first experiment evaluated sampling approaches for querying the oracle, as part of active learning. It then trained a Random Forest classifier using the samples and evaluated its results. The second experiment applied cyber situation awareness by aggregating the detection results of the first experiment and calculating the probability that a computer system was part of a cyberattack. This research showed that moving the perspective of event-level alerts to the probability that a computer system was part of an attack improved the accuracy of detection and reduced the volume of alerts that a human analyst would need to review.

ZHENG En-hui,LI Ping,SONG Zhi-huan

DOI: https://doi.org/10.3321/j.issn:1001-0920.2006.04.025

2006-01-01

Abstract:Classical methods of designing classifier generally pursue more highly accuracy based on the assumption that all misclassifications have the same cost and the sample number of each class is approximately equal.However,the assumption is not valid in some real applications such as fraud detection and medical diagnosis,so that classification algorithms without taking different misclassification cost into account do not perform well.Based on standard support vector machines(SVM),the algorithm of cost-sensitive SVM(CS-SVM) is proposed by integrating misclassification cost of each sample into standard SVM.Experimental results show that CS-SVM is effective.

DUAN Dan-qing,CHEN Song-qiao,YANG Wei-ping

2006-01-01

Abstract:The Intrusion Detection System(IDS) has become an important part of network security.However, the traditional abnormal detection is heavily dependent on the large training samples to get high detection precision,but it is difficult to obtain sufficient training data in a real network environment. In order to solve the problem of excessive expense caused by obtaining the training samples,we use the SVM(Support Vector Machine)active learning algorithm in network intrusion detection. Compared with the traditional self-learning algorithm, our experiment shows that the active learning algorithm can immensely reduce the number of training samples and the training time,thus efficiently improving the performance of classification in IDSs.

Duan Danqing,Chen Songqiao,Yang Weiping

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.01.037

2006-01-01

Abstract:Intrusion Detection System(IDS)has become an important part of network security,the traditional abnormal detection are heavily dependent on the large training data set to get high accuracy rate,but to obtain sufficient training data is difficult in real network environment.In order to solve the problem of the excessive expense caused by obtaining the training data set,in this paper,we use the Support Vector Machine(SVM)active learning algorithm in network intrusion detection.Compared with the traditional self-learning algorithm,our experiment shows,active learning algorithm can immensely reduce the number of the training date and improve the performance of classifier in intrusion detection system.

Keze Wang,Liang Lin,Xiaopeng Yan,Ziliang Chen,Dongyu Zhang,Lei Zhang

DOI: https://doi.org/10.1109/tnnls.2018.2852783

IF: 14.255

2019-01-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:Though quite challenging, leveraging large-scale unlabeled or partially labeled data in learning systems (e.g., model/classifier training) has attracted increasing attentions due to its fundamental importance. To address this problem, many active learning (AL) methods have been proposed that employ up-to-date detectors to retrieve representative minority samples according to predefined confidence or uncertainty thresholds. However, these AL methods cause the detectors to ignore the remaining majority samples (i.e., those with low uncertainty or high prediction confidence). In this paper, by developing a principled active sample mining (ASM) framework, we demonstrate that cost-effective mining samples from these unlabeled majority data are a key to train more powerful object detectors while minimizing user effort. Specifically, our ASM framework involves a switchable sample selection mechanism for determining whether an unlabeled sample should be manually annotated via AL or automatically pseudolabeled via a novel self-learning process. The proposed process can be compatible with mini-batch-based training (i.e., using a batch of unlabeled or partially labeled data as a one-time input) for object detection. In this process, the detector, such as a deep neural network, is first applied to the unlabeled samples (i.e., object proposals) to estimate their labels and output the corresponding prediction confidences. Then, our ASM framework is used to select a number of samples and assign pseudolabels to them. These labels are specific to each learning batch based on the confidence levels and additional constraints introduced by the AL process and will be discarded afterward. Then, these temporarily labeled samples are employed for network fine-tuning. In addition, a few samples with low-confidence predictions are selected and annotated via AL. Notably, our method is suitable for object categories that are not seen in the unlabeled data during the learning process. Extensive experiments on two public benchmarks (i.e., the PASCAL VOC 2007/2012 data sets) clearly demonstrate that our ASM framework can achieve performance comparable to that of the alternative methods but with significantly fewer annotations.

Akshay Krishnamurthy,Alekh Agarwal,Tzu-Kuo Huang,Hal Daume,John Langford,Hal Daume III

DOI: https://doi.org/10.48550/arXiv.1703.01014

IF: 5.414

2017-03-03

Machine Learning

Abstract:We design an active learning algorithm for cost-sensitive multiclass classification: problems where different errors have different costs. Our algorithm, COAL, makes predictions by regressing to each label's cost and predicting the smallest. On a new example, it uses a set of regressors that perform well on past data to estimate possible costs for each label. It queries only the labels that could be the best, ignoring the sure losers. We prove COAL can be efficiently implemented for any regression family that admits squared loss optimization; it also enjoys strong guarantees with respect to predictive performance and labeling effort. We empirically compare COAL to passive learning and several active learning baselines, showing significant improvements in labeling effort and test cost on real-world datasets.

Ohad Volk,Gonen Singer

DOI: https://doi.org/10.48550/arXiv.2111.07382

IF: 5.414

2021-11-14

Machine Learning

Abstract:We design a new adaptive learning algorithm for misclassification cost problems that attempt to reduce the cost of misclassified instances derived from the consequences of various errors. Our algorithm (adaptive cost sensitive learning - AdaCSL) adaptively adjusts the loss function such that the classifier bridges the difference between the class distributions between subgroups of samples in the training and test data sets with similar predicted probabilities (i.e., local training-test class distribution mismatch). We provide some theoretical performance guarantees on the proposed algorithm and present empirical evidence that a deep neural network used with the proposed AdaCSL algorithm yields better cost results on several binary classification data sets that have class-imbalanced and class-balanced distributions compared to other alternative approaches.

Qian Quan,Geng Huan-tong,Wang Xu-fa

DOI: https://doi.org/10.1007/bf02831678

2004-01-01

Wuhan University Journal of Natural Sciences

Abstract:This paper introduces the cost-sensitive feature weighting strategy and its application in intrusion detection. Cost factors and cost matrix are proposed to demonstrate the misclassification cost for IDS. How to get the whole minimal risk, is mainly discussed in this paper in detail. From experiments, it shows that although decision cost based weight learning exists somewhat attack misclassification, it can achieve relatively low misclassification costs on the basis of keeping relatively high rate of recognition precision.

Chao Liu,Zhaojun Gu,Jialiang Wang

DOI: https://doi.org/10.1109/access.2021.3082147

IF: 3.9

2021-01-01

IEEE Access

Abstract:Digital assets have come under various network security threats in the digital age. As a kind of security equipment to protect digital assets, intrusion detection system (IDS) is less efficient if the alert is not timely and IDS is useless if the accuracy cannot meet the requirements. Therefore, an intrusion detection model that combines machine learning with deep learning is proposed in this paper. The model uses the k-means and the random forest (RF) algorithms for the binary classification, and distributed computing of these algorithms is implemented on the Spark platform to quickly classify normal events and attack events. Then, by using the convolutional neural network (CNN), long short-term memory (LSTM), and other deep learning algorithms, the events judged as abnormal are further classified into different attack types finally. At this stage, adaptive synthetic sampling (ADASYN) is adopted to solve the unbalanced dataset. The NSL-KDD and CIS-IDS2017 datasets are used to evaluate the performance of the proposed model. The experimental results show that the proposed model has better TPR for most of attack events, faster data preprocessing speed, and potentially less training time. In particular, the accuracy of multi-target classification can reach as high as 85.24% in the NSL-KDD dataset and 99.91% in the CIC-IDS2017 dataset.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xin Xu

2006-01-01

Abstract:In recent years, intrusion detection has emerged as an important technique for network security. Due to the large volumes of security audit data as well as complex and dynamic properties of intrusion behaviors, to optimize the performance of intrusion detection systems (IDSs) becomes an important open problem. In this paper, a general framework of adaptive intrusion detection based on machine learning is presented. In the framework, three perspectives of challenging problems are explored, which include feature extraction, classifier construction and pattern prediction for sequential data. It is illustrated that the three perspectives of research challenges are mainly suitable for machine learning methods using unsupervised, supervised and reinforcement learning algorithms, respectively. Several recently developed machine learning algorithms, including a multi-class support vector machine with principal component analysis (PCA) for feature reduction and a reinforcement learning algorithm for sequential prediction, are applied and evaluated both on network-based traffic data and on host-based program behaviors. Experiments on the KDD99 intrusion detection data set and the system call data from University of New Mexico show very promising results for the machine learning approaches to adaptive intrusion detection. Some directions for future research works are also discussed.

Saher Esmeir,Shaul Markovitch

DOI: https://doi.org/10.1613/jair.2602

2014-01-15

Abstract:Machine learning techniques are gaining prevalence in the production of a wide range of classifiers for complex real-world applications with nonuniform testing and misclassification costs. The increasing complexity of these applications poses a real challenge to resource management during learning and classification. In this work we introduce ACT (anytime cost-sensitive tree learner), a novel framework for operating in such complex environments. ACT is an anytime algorithm that allows learning time to be increased in return for lower classification costs. It builds a tree top-down and exploits additional time resources to obtain better estimations for the utility of the different candidate splits. Using sampling techniques, ACT approximates the cost of the subtree under each candidate split and favors the one with a minimal cost. As a stochastic algorithm, ACT is expected to be able to escape local minima, into which greedy methods may be trapped. Experiments with a variety of datasets were conducted to compare ACT to the state-of-the-art cost-sensitive tree learners. The results show that for the majority of domains ACT produces significantly less costly trees. ACT also exhibits good anytime behavior with diminishing returns.

Machine Learning

Zachary Tauscher,Yushan Jiang,Kai Zhang,Jian Wang,Houbing Song

DOI: https://doi.org/10.48550/arXiv.2108.08394

2021-08-19

Abstract:With massive data being generated daily and the ever-increasing interconnectivity of the world's Internet infrastructures, a machine learning based intrusion detection system (IDS) has become a vital component to protect our economic and national security. In this paper, we perform a comprehensive study on NSL-KDD, a network traffic dataset, by visualizing patterns and employing different learning-based models to detect cyber attacks. Unlike previous shallow learning and deep learning models that use the single learning model approach for intrusion detection, we adopt a hierarchy strategy, in which the intrusion and normal behavior are classified firstly, and then the specific types of attacks are classified. We demonstrate the advantage of the unsupervised representation learning model in binary intrusion detection tasks. Besides, we alleviate the data imbalance problem with SVM-SMOTE oversampling technique in 4-class classification and further demonstrate the effectiveness and the drawback of the oversampling mechanism with a deep neural network as a base model.

Cryptography and Security,Machine Learning

Haiyan Xuan,Mohith Manohar

2023-12-04

Abstract:As Artificial Intelligence (AI) technologies continue to gain traction in the modern-day world, they ultimately pose an immediate threat to current cybersecurity systems via exploitative methods. Prompt engineering is a relatively new field that explores various prompt designs that can hijack large language models (LLMs). If used by an unethical attacker, it can enable an AI system to offer malicious insights and code to them. In this paper, an enhanced intrusion detection system (IDS) that utilizes machine learning (ML) and hyperparameter tuning is explored, which can improve a model's performance in terms of accuracy and efficacy. Ultimately, this improved system can be used to combat the attacks made by unethical hackers. A standard IDS is solely configured with pre-configured rules and patterns; however, with the utilization of machine learning, implicit and different patterns can be generated through the models' hyperparameter settings and parameters. In addition, the IDS will be equipped with multiple datasets so that the accuracy of the models improves. We evaluate the performance of multiple ML models and their respective hyperparameter settings through various metrics to compare their results to other models and past research work. The results of the proposed multi-dataset integration method yielded an accuracy score of 99.9% when equipped with the XGBoost and random forest classifiers and RandomizedSearchCV hyperparameter technique.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Ruki Harwahyu,Fajar Henri Erasmus Ndolu,Marlinda Vasty Overbeek

DOI: https://doi.org/10.11591/ijece.v14i2.pp1691-1699

2024-04-01

International Journal of Electrical and Computer Engineering (IJECE)

Abstract:In imbalanced network traffic, malicious cyberattacks can be hidden in a large amount of normal traffic, making it difficult for intrusion detection systems (IDS) to detect them. Therefore, anomaly-based IDS with machine learning is the solution. However, a single machine learning cannot accurately detect all types of attacks. Therefore, a hybrid model that combines long short-term memory (LSTM) and random forest (RF) in three layers is proposed. Building the hybrid model starts with Nearmiss-2 class balancing, which reduces normal samples without increasing minority samples. Then, feature selection is performed using chi-square and RF. Next, hyperparameter tuning is performed to obtain the optimal model. In the first and second layers, LSTM and RF are used for binary classification to detect normal data and attack data. While the third layer model uses RF for multiclass classification. The hybrid model verified using the CSE-CIC-IDS2018 dataset, showed better performance compared to the single algorithm. For multiclass classification, the hybrid model achieved 99.76% accuracy, 99.76% precision, 99.76% recall, and 99.75% F1-score.