ZHAO Jian-hua,LI Wei-hua

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.12.032

2012-01-01

Abstract:In order to improve the classification effectiveness of Self-organizing feature Mapping(SOM) neural network,this paper designs a Supervised Self-organizing feature Mapping(SSOM) network,which adds output layer into the network structure based on input layer and competitive layer.According to different prediction category of input samples,SSOM selects different formula to adjust weights and train network.Through combinations of two weights,SSOM realizes the regression and statistic of the sample classes.Experiments on KDD CUP99 dataset show that SSOM has better classification ability and higher intrusion detection rate.

Haifeng Lv,Xiaoyu Ji,Yong Ding

DOI: https://doi.org/10.1088/1742-6596/2517/1/012016

2023-01-01

Journal of Physics Conference Series

Abstract:The intrusion detection system (IDS) plays an important part because it offers an efficient way to prevent and mitigate cyber attacks. Numerous deep learning methods for intrusion anomaly detection have been developed as a result of recent advances in artificial intelligence (AI) in order to strengthen internet security. The balance among the high detection rate (DR), the low false alarm rate (FAR) and disaster of dimensionality is the crucial apprehension while devising an effective IDS. For the binary classification of intrusion detection systems, we present in this study a mixed model called K-means-XGBoost consisting of K-means and (Extreme Gradient Boosting, XGBoost) algorithms. The distributed computation of our method is achieved in Spark platform to rapidly separate normal events and anomaly events. In phrases of accuracy, DR, F1-score, recall, precision, and error indices FAR, the proposed model’s performance is measured via the well-known dataset of NSL-KDD. The experimental outcomes indicate that our method is outstandingly better among accuracy, DR, F1-score, training time, and processing speed, compared to other models which are recently created. In particular, the accuracy, F1-score, and DR of the proposed model can achieve as high as 93.28%, 94.39%, and 99.22% in the NSL-KDD dataset, respectively.

Chaoyi MA,Jian XU,Hong ZHANG

DOI: https://doi.org/10.16652/j.issn.1004-373x.2015.23.022

2015-01-01

Abstract:Intrusion detection is one of the main measures to ensure the Internet safety,and has important significance to recognize and diagnose the network intrusion. In this paper,the thought of self?organization mapping(SOM)is introduced into the network intrusion detection,and a network intrusion detection algorithm based on SOM is proposed. The neighborhood densi?ty of output neurone in SOM neural network is ranked. The method of setting the neighborhood density threshold in combination with receiver operating characteristic(ROC)curve makes the intrusion detection results express by neighborhood density of the output neurone. The disadvantage that the clustering results of output neurone itself are hard to understand has been overcome, which is caused by the distortion generating in SOM neural network training. The simulation experiments of the algorithm show that the algorithm is effective,and has appreciable detection rate.

Wei Pan,Weihua Li

DOI: https://doi.org/10.1007/11576235_58

2005-01-01

Abstract:Intrusion Detection is an essential and critical component of network security systems. The key ideas are to discover useful patterns or features that describe user behavior on a system, and use the set of relevant features to build classifiers that can recognize anomalies and known intrusions, hopefully in real time. In this paper, a hybrid neural network technique is proposed, which consists of the self-organizing map (SOM) and the radial basis function (RBF) network, aiming at optimizing the performance of the recognition and classification of novel attacks for intrusion detection. The optimal network architecture of the RBF network is determined automatically by the improved SOM algorithm. The intrusion feature vectors are extracted from a benchmark dataset (the KDD-99) designed by DARPA. The experimental results demonstrate that the proposed approach performance especially in terms of both efficient and accuracy.

Dianbo Jiang,Yahui Yang,Min Xia

DOI: https://doi.org/10.1109/IAS.2009.247

2009-01-01

Abstract:Neural networks approach is an advanced methodology used for intrusion detection. As a type of neural network, Self-organizing Maps (SOM) is getting more attention in the field of intrusion detection.In this paper, some improvements on SOM algorithm are made in order to increase detection rate and improve the stability of intrusion detection, include: (1) Modify the strategy of “winner-take-all” to decrease underutilized or completely unutilized neurons. (2) Introduce interaction weight which describes the effect between each neuron in the output layer to enhance the relationships between the input pattern and the weights of all the nodes when adjusting weights; The improved SOM is implemented and applied to the intrusion detection. The validities and feasibilities of the improved SOM are confirmed through experiments on KDD Cup 99 datasets. The experiment result shows that the detection rate has been increased by employing the improved SOM.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

王飞,钱玉文,王执铨

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.12.056

2010-01-01

Abstract:This paper proposes an intrusion detection model based on Artificial Immune System(AIS)/Self Organizing Map(SOM).It detects anomaly attack by AIS,and applies SOM to the detected-anomaly classification.This model can detect the unknown attaction and get more information about intrusion due to the combinition with the advantages of misuse detection and anomaly detection,and simulates it with KDDCUP 99 data.Experimental results show that the method is effective,which can classify the detected anomaly connections and give more information about such anomaly connection with low false rate and high positive rate.

Yong Feng,Kaigui Wu,Zhongfu Wu,Zhongyang Xiong

DOI: https://doi.org/10.1007/11427469_69

2005-01-01

Abstract:An approach to network intrusion detection is investigated, based on dynamic self-organizing maps (DSOM) neural network clustering. The basic idea of the method is to produce the cluster by DSOM. With the classified data instances, anomaly data clusters can be easily identified by normal cluster ratio. And then the identified cluster can be used in real data detection. In the traditional clustering-based intrusion detection algorithms, clustering using a simple distance-based metric and detection based on the centers of clusters, which generally degrade detection accuracy and efficiency. Our approach based on DSOM clustering can settle these problems effectively. The experiment result shows that our approach can detect unknown intrusions efficiently in the real network connections.

Yong Feng,Jiang Zhong,Zhong-yang Xiong,Chun-xiao Ye,Kai-gui Wu

DOI: https://doi.org/10.1007/978-1-4020-8387-7_167

2008-01-01

Abstract:A clustering analysis model based on dynamic self-organizing maps (DSOM) and swarm intelligence (SI) is systematically proposed for intrusion detection system. The basic idea of the model is to produce the cluster by DSOM and SI. With the classified data instances, the detection classifier can be established. And then the detection classifier can be used in real intrusion detection. Experimental results show that our detection classifier maintained a higher performance than SVM, LGP, DT and K-NN.

Fei Wang,Yuwen Qian,Yuewei Dai,Zhiquan Wang

DOI: https://doi.org/10.1109/CMC.2010.9

2010-01-01

Abstract:For solving the problem of less information getting about unknown intrusions in anomaly detection, a model based on hybrid SVM/SOM is proposed. Firstly, C-SVM is used to find out the anomalous connections, and then, a packet filtering scheme is used to remove the known intrusions, which is performed by one-class SVM, after that, the identified unknown intrusions are projected onto the output grid by SOM. Finally, the experimental results, which use kddcup99 dataset, show high detection rate with low false rate and can get more information about the unknown intrusion.

Yun Xiao,Chongzhao Han

2006-01-01

Abstract:Traditional intrusion detection systems (IDSs) focus on low-level attacks and anomalies, and raise alerts independently, though there may be logical connections between them. In this paper, a method of correlating intrusion alerts into attack scenarios based on the improved evolving self-organizing map (IESOM) was proposed. IESOM gives a rational formula to calculate the initial values of connection strengths instead of assigning some experiential or tentative constants as connection strength values in ESOM. IESOM is an evolving extension of the self-organizing map (SOM) model, which allows for an evolvable network structure and very fast incremental learning. System of correlating intrusion alerts into attack scenarios based on IESOM has four functions of filtering, aggregation, condensing and combination, and the visual attack scenarios are given as the output of the system. The results on LLS DDOS1.0 and real-word dataset B prove that our method is useful and effective.

Yong Hou,Xuefeng Zheng

DOI: https://doi.org/10.1109/ICAIE.2010.5641414

2010-01-01

Abstract:In this paper, we describe an implementation of a type of SOM - Quantum Self Organized Map (QSOM). The training process of QSOM networks can be described in terms of input pattern presentation and quantum states of weight update by quantum rotation gates. We implemented and applied the QSOM to the network intrusion detection. The validities and feasibilities of the QSOM are confirmed through experiments on KDD Cup 99 datasets. The experiment result shows that the QSOM has great potential ability to increase the detection rate for a general network intrusion detection system.

Yang Chen,Nami Ashizawa,Seanglidet Yean,Chai Kiat Yeo,Naoto Yanai

DOI: https://doi.org/10.48550/arXiv.2008.12686

2020-08-28

Abstract:In the information age, a secure and stable network environment is essential and hence intrusion detection is critical for any networks. In this paper, we propose a self-organizing map assisted deep autoencoding Gaussian mixture model (SOMDAGMM) supplemented with well-preserved input space topology for more accurate network intrusion detection. The deep autoencoding Gaussian mixture model comprises a compression network and an estimation network which is able to perform unsupervised joint training. However, the code generated by the autoencoder is inept at preserving the topology of the input space, which is rooted in the bottleneck of the adopted deep structure. A self-organizing map has been introduced to construct SOMDAGMM for addressing this issue. The superiority of the proposed SOM-DAGMM is empirically demonstrated with extensive experiments conducted upon two datasets. Experimental results show that SOM-DAGMM outperforms state-of-the-art DAGMM on all tests, and achieves up to 15.58% improvement in F1 score and with better stability.

Machine Learning,Cryptography and Security,Social and Information Networks

Hou Yong,Feng Zheng Xue

DOI: https://doi.org/10.1109/icsem.2010.118

2010-01-01

Abstract:Intrusion Detection is a critical process in network security. Neural networks approach is an advanced methodology used for intrusion detection. Self-organizing Maps (SOM) neural network is getting more attention in the field of intrusion detection. In this paper, a type of SOM - Quantum Growing Hierarchical Self Organized Map (QGHSOM) are made in order to improve the stability of intrusion detection and increase detection rate. The training process of QGHSOM networks can be described in terms of input pattern presentation and quantum states of weight update by quantum rotation gates. The QGHSOM is implemented and applied to the intrusion detection. The validities and feasibilities of the QGHSOM are confirmed through experiments on KDD Cup 99 datasets. The experiment result shows that the detection rate has been increased by employing the QGHSOM.

ZHANG Hong-bo,KUANG Yin-hu

DOI: https://doi.org/10.3969/j.issn.1006-2475.2009.09.026

2009-01-01

Abstract:Intrusion detection system is an important part of network's security system.Aimed at the problem of false positive,false negative and lower self-adaptive capability in the artifieial Immunity system,the four kinds of important classification algorithms in ODM,i.e.,Decision Tree Classification algorithm,Support Vector Machine Classification algorithm,Naive Bayes algorithm and Binary Logistic Regression algorithm,are used to model and test on the experimental datum.By summing up the experiments,the paper establishes a database-centric intrusion detection model based on the common model,and states the composition and work flow of the model.

Simon T. Powers,Jun He

DOI: https://doi.org/10.1016/j.ins.2007.11.028

2012-08-03

Abstract:Network intrusion detection is the problem of detecting unauthorised use of, or access to, computer systems over a network. Two broad approaches exist to tackle this problem: anomaly detection and misuse detection. An anomaly detection system is trained only on examples of normal connections, and thus has the potential to detect novel attacks. However, many anomaly detection systems simply report the anomalous activity, rather than analysing it further in order to report higher-level information that is of more use to a security officer. On the other hand, misuse detection systems recognise known attack patterns, thereby allowing them to provide more detailed information about an intrusion. However, such systems cannot detect novel attacks. A hybrid system is presented in this paper with the aim of combining the advantages of both approaches. Specifically, anomalous network connections are initially detected using an artificial immune system. Connections that are flagged as anomalous are then categorised using a Kohonen Self Organising Map, allowing higher-level information, in the form of cluster membership, to be extracted. Experimental results on the KDD 1999 Cup dataset show a low false positive rate and a detection and classification rate for Denial-of-Service and User-to-Root attacks that is higher than those in a sample of other works.

Neural and Evolutionary Computing,Cryptography and Security

Jesse Ables,Thomas Kirby,William Anderson,Sudip Mittal,Shahram Rahimi,Ioana Banicescu,Maria Seale

DOI: https://doi.org/10.48550/arXiv.2207.07465

2022-07-15

Cryptography and Security

Abstract:Modern Artificial Intelligence (AI) enabled Intrusion Detection Systems (IDS) are complex black boxes. This means that a security analyst will have little to no explanation or clarification on why an IDS model made a particular prediction. A potential solution to this problem is to research and develop Explainable Intrusion Detection Systems (X-IDS) based on current capabilities in Explainable Artificial Intelligence (XAI). In this paper, we create a Self Organizing Maps (SOMs) based X-IDS system that is capable of producing explanatory visualizations. We leverage SOM's explainability to create both global and local explanations. An analyst can use global explanations to get a general idea of how a particular IDS model computes predictions. Local explanations are generated for individual datapoints to explain why a certain prediction value was computed. Furthermore, our SOM based X-IDS was evaluated on both explanation generation and traditional accuracy tests using the NSL-KDD and the CIC-IDS-2017 datasets.

Dennis Ippoliti,Xiaobo Zhou

DOI: https://doi.org/10.1109/icccn.2010.5560165

2010-01-01

Abstract:The growing hierarchical self organizing map (GHSOM) has been shown to be an effective technique to facilitate anomaly detection. However, existing approaches based on GHSOM are not able to adapt online to the ever-changing problem domain of network intrusion. This results in low accuracy in identifying network intrusions, particularly "unknown" attacks. In this paper, we propose an adaptive GHSOM based approach (A-GHSOM) to network intrusion detection. It consists of four significant enhancements: enhanced threshold-based training, dynamic input normalization, feedback-based quantization error threshold adaptation, and prediction confidence filtering and forwarding. We test the capability of the A-GHSOM approach for intrusion detection using the KDD'99 dataset. Extensive experimental results demonstrate that compared with eight representative intrusion detection approaches, A-GHSOM achieves significant overall accuracy improvement and significant improvement in identifying "unknown" attacks while maintaining low false-positive rates. It achieves an overall accuracy rate of 99.63%, and 94.04% accuracy rate in identifying "unknown" attacks while the false positive rate is 1.8%.

王飞,钱玉文,王执铨

DOI: https://doi.org/10.3969/j.issn.1002-0411.2010.02.002

IF: 1.24

2010-01-01

Information and Computation

Abstract:In view of the lack of information about anomalous connections in anomaly detection approach,an anomaly detection model based on hybrid clustering and self organizing map(SOM) is proposed.Firstly,a clustering algorithm is proposed in order to detect anomalous connections,and then the SOM is applied to classifying the pre-detected anomalous connections,through which high level information about anomalous connections is acquired.Finally the experimental data are used for simulation.The experiment result shows that this model is effective,and can classify the detected anomalous connections and give more information about that connection from the category which it belongs to.The model has a high efficiency of the detection and classification with low false rate.

Guisong Liu,Zhang Yi

DOI: https://doi.org/10.1007/11760191_35

2006-01-01

Abstract:This paper proposes a method to detect network intrusions by using the PCASOM (principal components analysis and self-organizing map) neural networks. A modified unsupervised learning algorithm which is more suitable for intrusion detection is presented. Experiments are carried out to illustrate the performance of the proposed method by using DARPA 1998 evaluation data sets. It shows that the proposed method can cluster the network connections into proper clusters with high detection rate and relatively low false alarm rate.