Haifeng Lv,Xiaoyu Ji,Yong Ding

DOI: https://doi.org/10.1088/1742-6596/2517/1/012016

2023-01-01

Journal of Physics Conference Series

Abstract:The intrusion detection system (IDS) plays an important part because it offers an efficient way to prevent and mitigate cyber attacks. Numerous deep learning methods for intrusion anomaly detection have been developed as a result of recent advances in artificial intelligence (AI) in order to strengthen internet security. The balance among the high detection rate (DR), the low false alarm rate (FAR) and disaster of dimensionality is the crucial apprehension while devising an effective IDS. For the binary classification of intrusion detection systems, we present in this study a mixed model called K-means-XGBoost consisting of K-means and (Extreme Gradient Boosting, XGBoost) algorithms. The distributed computation of our method is achieved in Spark platform to rapidly separate normal events and anomaly events. In phrases of accuracy, DR, F1-score, recall, precision, and error indices FAR, the proposed model’s performance is measured via the well-known dataset of NSL-KDD. The experimental outcomes indicate that our method is outstandingly better among accuracy, DR, F1-score, training time, and processing speed, compared to other models which are recently created. In particular, the accuracy, F1-score, and DR of the proposed model can achieve as high as 93.28%, 94.39%, and 99.22% in the NSL-KDD dataset, respectively.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Lu Lv,Wenhai Wang,Zeyin Zhang,Xinggao Liu

DOI: https://doi.org/10.1016/j.knosys.2020.105648

IF: 8.139

2020-01-01

Knowledge-Based Systems

Abstract:Intrusion detection is a challenging technology in the area of cyberspace security for protecting a system from malicious attacks. A novel accurate and effective misuse intrusion detection system that relies on specific attack signatures to distinguish between normal and malicious activities is therefore presented to detect various attacks based on an extreme learning machine with a hybrid kernel function (HKELM). First, the derivation and proof of the proposed hybrid kernel are given. A combination of the gravitational search algorithm (GSA) and differential evolution (DE) algorithm is employed to optimize the parameters of HKELM, which improves its global and local optimization abilities during prediction attacks. In addition, the kernel principal component analysis (KPCA) algorithm is introduced for dimensionality reduction and feature extraction of the intrusion detection data. Then, a novel intrusion detection approach, KPCA-DEGSA-HKELM, is obtained. The proposed approach is eventually applied to the classic benchmark KDD99 dataset, the real modern UNSW-NB15 dataset and the industrial intrusion detection dataset from the Tennessee Eastman process. The numerical results validate both the high accuracy and the time-saving benefit of the proposed approach.

Jie Yang,Xin Chen,Xudong Xiang,Jianxiong Wan

DOI: https://doi.org/10.1109/cmc.2010.73

2010-01-01

Abstract:A hybrid intrusion detection approach combing both misuse detection and anomaly detection can detect newly discovered attacks while maintaining a relatively high detection rate. This paper presents a novel hybrid intrusion detection system based on protocol analysis and decision tree algorithms. Performance evaluation of the proposed system is conducted using Generalized Stochastic Petri Nets (GSPN). Simulation results show that this hybrid system can reach a high detection rate.

Sahar. Soussa,T. Nazmy,M. Hashem,Sahar Selim

Abstract:Intrusion detection is a critical process in network security. Nowadays new intelligent techniques have been used to improve the intrusion detection process. This paper proposes a hybrid intelligent intrusion detection system to improve the detection rate for known and unknown attacks. We examined different neural network & decision tree techniques. The proposed model consists of multi-level based on hybrid neural network and decision tree. Each level is implemented with the technique which gave best experimental results. From our experimental results with different network data, our model achieves correct classification rate of 93.2%, average detection rate about 95.6%; 99.5% for known attacks and 87% for new unknown attacks, and 9.4% false alarm rate. Keywords-component; network intrusion detection; neural network; Decision Tree; NSL-KDD dataset

Engineering,Computer Science

Haipeng Yao,Qiyi Wang,Luyao Wang,Peiying Zhang,Maozhen Li,Yunjie Liu

DOI: https://doi.org/10.1007/s10766-017-0537-7

2017-01-01

International Journal of Parallel Programming

Abstract:With the dramatic opening-up of network, network security becomes a severe social problem with the rapid development of network technology. Intrusion Detection System (IDS) is an innovative and proactive network security technology, which becomes a hot topic in both industry and academia in recent years. There are four main characteristics of intrusion data that affect the performance of IDS including multicomponent, data imbalance, time-varying and unknown attacks. We propose a novel IDS framework called HMLD to address these issues, which is an exquisite designed framework based on Hybrid Multi-Level Data Mining. In this paper, we use KDDCUP99 dataset to evaluate the performance of HMLD. The experimental results show that HMLD can reach 96.70% accuracy which is nearly 1% higher than the recent proposed optimal algorithm SVM+ELM+Modified K-Means. In details, HMLD greatly increased the detection accuracy of DoS attacks and R2L attacks.

GAO Zheng,CHEN Shu-yu,LI Guo-yong

2010-01-01

Abstract:Aiming at the shortages of misuse detection and anomaly detection in intrusion detection system,on basis of researching hybrid intrusion detection system,a new design of hybrid intrusion detection system was proposed by studying it.Misuse detection module is based on Snort's pattern rules database.Anomaly detection is to use self-organizing neural network for data clustering,and then to classify these data by supervised learning vector quantization.Simulation of the key modules in this system was done successfully,and results show that the system improved capabilities and accuracy of the hybrid intrusion detection system.

Li Zou,Xuemei Luo,Yan Zhang,Xiao Yang,Xiangwen Wang

DOI: https://doi.org/10.1109/access.2023.3251354

IF: 3.9

2023-01-01

IEEE Access

Abstract:Network intrusion detection is an important technology in national cyberspace security strategy and has become a research hotspot in various cyberspace security issues in recent years. The development of effective and efficient intelligent network intrusion detection methods using advanced machine learning algorithms is of great importance for defending against various network intrusions in complex network environments. In this study, a network intrusion detection method based on decision tree twin support vector machine and hierarchical clustering, named HC-DTTWSVM, is proposed, which can effectively detect different categories of network intrusion. First, the hierarchical clustering algorithm is applied to construct the decision tree for network traffic data, where the bottom-up merging approach is used to maximize the separation of the upper nodes of the decision tree, which reduces the error accumulation in the construction of the decision tree. Then, twin support vector machines are embedded in the constructed decision tree to implement the network intrusion detection model, which can effectively detect the network intrusion category in a top-down manner. The detection performance of the proposed HC-DTTWSVM method is evaluated on NSL-KDD and UNSW-NB15 intrusion detection benchmark datasets. Experimental results show that HC-DTTWSVM can effectively detect different categories of network intrusion and achieves comparable detection performance compared to some of the recently proposed network intrusion detection methods.

computer science, information systems,telecommunications,engineering, electrical & electronic

Die Zhang,Zhen Zhang

DOI: https://doi.org/10.1109/EIECC60864.2023.10456717

2023-12-22

Abstract:Network abnormal traffic intrusion detection technology is an important research field of network security today. Hybrid intrusion detection technology overcomes the shortcomings of single detection and retains their advantages, achieving high detection rate and high accuracy, so it is widely used in existing network abnormal traffic detection. However, the optimization of the high false alarm rate of anomaly detection in existing hybrid intrusion detection is imperfect, resulting in a large room for improvement in the detection accuracy of hybrid intrusion detection. In response to the above problems, this paper proposes a hybrid intrusion detection method based on Cluster Marking-k-means. By adding a classifier to the anomaly-based detection module, the detection results are secondary classified to reduce False alarm rate, thus improving the overall detection accuracy of the method. The experiment uses NSL-KDD and CICIDS2017 datasets to verify the effectiveness of the method. The results show that the method proposed in this article improves the average F1 score by 1.19% compared to the comparative method.

Computer Science

Hu Liang,Ren Wei-wu,Ren Fei

DOI: https://doi.org/10.1109/AICI.2009.239

2009-01-01

Abstract:Most anomaly detection methods can not be fit for the changing and complex network. High noise and updating normality profiles not in time will lead to high false alarm rate. In this paper, a new anomaly detection algorithm using improved hierarchy clustering, called ADIHC, is proposed in this paper. It applies an improved hierarchy clustering tree to organize clusters which are obtained by density-based partitioning method. We extend the clustering algorithm and apply branch and bound method for filtering noise. With the help of two advantages: filtering noise and updating normality profiles at any time, our algorithm is suitable for the changing and complex network. A series of experimental results on well known KDD Cup 1999 dataset indicate that ADIHC has superior performance of detection and meets more real-time requirements of intrusion detection system.

Lei Zhang,Jianqing Zhang,Yong Chen,Shaowen Liao

DOI: https://doi.org/10.1109/icicta.2018.00074

2018-01-01

Abstract:In this paper, a hybrid intrusion detection model based on data mining, which is commonly used in network security anomaly detection, is proposed that combines anomaly detection with misuse detection technology. Two test stages were formed and applied to the instrusion detection system in the process of large-scale network traffic detection. On the basis of improving the detection ability of the massive information detection system, the security of the data source of the intrusion detection system was ensured.

Jia Liu,Wang Yinchai,Teh Chee Siong,Xinjin Li,Liping Zhao,Fengrui Wei

DOI: https://doi.org/10.21203/rs.3.rs-1770107/v1

2022-01-01

Abstract:Abstract Intrusion detection is a fuzzy classification problem. Intrusion detection can detect the attack behaviors of hackers in advance. For generating a visualizing architecture for identifying intrusions, this study proposes an approach that combines ANFIS (Adaptive Network-based Fuzzy Inference System), DT (Decision Tree), and K-means clustering algorithm for visualizing the deep pattern of intrusion detection. The ANFIS generates complex and fuzzy combinations of selected attributes. To reduce the rules generation of ANFIS, Pearson Correlation analysis is used to select attributes that highly relate to the target. Meanwhile, standard deviation analysis and a proposed adaptive K-means algorithm are used for determining the interval division of selected attributes. Then, the CART (classification and regression tree) is used to identify the deep mode in generated rules and selected attributes. The architecture of the proposed algorithm is a hybrid visualizing approach. The architecture can identify deep and hybrid features in intrusion detection. The proposed algorithm was trained, validated, and tested on the NSL-KDD dataset. Using 22 attributes that highly relate to the target, the performance of the proposed method achieved a 99.86% detection rate and 0.14% false alarm rate, which is better than many classifiers. Besides, the visualizing model can help us visually identify the complex pattern of intrusions and analyze the pattern of various intrusions.

Jia Liu,Wang Yinchai,Teh Chee Siong,Xinjin Li,Liping Zhao,Fengrui Wei

DOI: https://doi.org/10.1038/s41598-022-23765-x

2022-12-01

Abstract:For generating an interpretable deep architecture for identifying deep intrusion patterns, this study proposes an approach that combines ANFIS (Adaptive Network-based Fuzzy Inference System) and DT (Decision Tree) for interpreting the deep pattern of intrusion detection. Meanwhile, for improving the efficiency of training and predicting, Pearson Correlation analysis, standard deviation, and a new adaptive K-means are used to select attributes and make fuzzy interval decisions. The proposed algorithm was trained, validated, and tested on the NSL-KDD (National security lab-knowledge discovery and data mining) dataset. Using 22 attributes that highly related to the target, the performance of the proposed method achieves a 99.86% detection rate and 0.14% false alarm rate on the KDDTrain+ dataset, a 77.46% detection rate on the KDDTest+ dataset, which is better than many classifiers. Besides, the interpretable model can help us demonstrate the complex and overlapped pattern of intrusions and analyze the pattern of various intrusions.

Hongxiao Fei,Hsi-Che Lin

2012-01-01

Computer Engineering and Applications Journal

Abstract:Aiming at the problems of high-dimensional massive data collected in the intrusion detection system,complexity and low accuracy by the model constructed by decision tree,the attributes of the network connections related with intrusion are selected because of the advantage about rough set,and then the model built by decision tree is used to classify the network connections in prediction,so a method for network intrusion detection has been developed,which is based on the attributes'reduction of rough set and the predictive classification of decision tree hybrid in this paper.Experimental results show that the predominance has been proved,the accuracy has been improved in detecting DoS attacks largely and in detecting Probe and R2L attacks,at the same time,the rate of false alarm has been decreased notably.

LIN Hui,ZHU Jun-ping

2009-01-01

Abstract:On the base of discussing the basic concepts and characters of clone clustering, the advantage of IDS is explored based on clone clustering. According to the medium and small enterprise actual demand, the clone clustering algorithm is mainly presented, the intrusion detection system CCIDS (clone clustering based intrusion detection system) based on CC algorithm is designed and imple-mented. the experimental results using KDD CUP99 dataset show that this algorithm can achieve higher detection rate of known or unknown attacks and lower false positive rate.

Wei Pan,Weihua Li

DOI: https://doi.org/10.1007/11576235_58

2005-01-01

Abstract:Intrusion Detection is an essential and critical component of network security systems. The key ideas are to discover useful patterns or features that describe user behavior on a system, and use the set of relevant features to build classifiers that can recognize anomalies and known intrusions, hopefully in real time. In this paper, a hybrid neural network technique is proposed, which consists of the self-organizing map (SOM) and the radial basis function (RBF) network, aiming at optimizing the performance of the recognition and classification of novel attacks for intrusion detection. The optimal network architecture of the RBF network is determined automatically by the improved SOM algorithm. The intrusion feature vectors are extracted from a benchmark dataset (the KDD-99) designed by DARPA. The experimental results demonstrate that the proposed approach performance especially in terms of both efficient and accuracy.

Yongjin Liu,Na Li,Leina Shi,FangPing Li

DOI: https://doi.org/10.1109/EDT.2010.5496597

2010-01-01

Abstract:How to find the intrusion behaviors is a problem that troubled the intrusion detection field for years. Until now, there is not a good method to solve it, epically in a realistic context. Most methods are effective on small data sets, but when used to the massive data of IDS, the effectiveness seems to be unsatisfactory. In this paper, a new method based on decision tree is discussed to solve the problem of low detection rate of massive data. ©2010 IEEE.

Liang Hu,Wei-wu Ren,Fei Ren

DOI: https://doi.org/10.1109/icise.2009.225

2009-01-01

Abstract:Traditional anomaly detection methods lack adaptive captivity in complex and heterogeneous network. Especially while facing high noise environments or the situation of updating profiles not in time, intrusion detection systems will have high false alarm rate. In this paper, a new anomaly detection algorithm based on hierarchical clustering, called ADBHC, is proposed. ADBHC generates clusters using density-based partitioning method which has less computational cost. It uses the improved hierarchical clustering tree to implement fast scalable and adaptive anomaly detection. The improved hierarchical clustering tree supports updating profiles at any time. We extend the clustering algorithm and apply branch and bound mechanism for filtering noise. With the help of two advantages: filtering noise and updating profiles at any time, our algorithm is effective enough to meet adaptive requirements. A series of experiment results on well known KDD Cup 1999 dataset indicate that ADBHC has low false alarm rate, high detection rate and a certain adaptive captivity in the progress of self-updating.

Mingjun Wei,Yufang Liu,Xuebin Chen,Jianmin Li

DOI: https://doi.org/10.1109/ICFN.2010.68

2010-01-01

Abstract:This paper presented that intrusion detection is an effective technique to protect Web server. Misused-based intrusion detection is used to detect Web-based attacks. It went deeply into Decision Tree technique; the traditional misused-based matching method was improved by using decision tree technique and the speed of detection process has been significantly improved. Its efficiency was verified by example.

Mubarak Albarka Umar,Chen Zhanfang,Yan Liu

DOI: https://doi.org/10.48550/arXiv.2009.13067

2020-09-24

Abstract:Due to the size and nature of intrusion detection datasets, intrusion detection systems (IDS) typically take high computational complexity to examine features of data and identify intrusive patterns. Data preprocessing techniques such as feature selection can be used to reduce such complexity by eliminating irrelevant and redundant features in the dataset. The objective of this study is to analyze the efficiency and effectiveness of some feature selection approaches namely, wrapper-based and filter-based modeling approaches. To achieve that, a hybrid of feature selection algorithm in combination with wrapper and filter selection processes is designed. We propose a wrapper-based hybrid intrusion detection modeling with a decision tree algorithm to guide the selection process. Five machine learning algorithms are used on the wrapper and filter-based feature selection methods to build IDS models using the UNSW-NB15 dataset. The three filter-based methods namely, information gain, gain ratio, and relief are used for comparison to determine the efficiency and effectiveness of the proposed approach. Furthermore, a fair comparison with other state-of-the-art intrusion detection approaches is also performed. The experimental results show that our approach is quite effective in comparison to state-of-the-art works, however, it takes high computational time in comparison to the filter-based methods whilst achieves similar results. Our work also revealed unobserved issues about the conformity of the UNSW-NB15 dataset.

Cryptography and Security