LONG Xiao-fei,FENG Yan,WANG Rui-jie

DOI: https://doi.org/10.3969/j.issn.1000-7024.2007.03.016

2007-01-01

Abstract:For lackness of knowledge about the context of network hosts,most signature-based NIDSs produce too many false positives,which prevent the administrators from focusing their efforts on real dangerous alerts quickly.A mechanism in NIDS is proposed,which makes a decision before pattern matching to filter unnecessary intrusion rules for matching,by utilizing the software information of the target hosts,to mitigate false positives drastically.This method is implemented in the prototype system.The result of testing on typical intranet shows that this method surely mitigate false positives and improve quality of alerts in NIDS.

Chen Guanlin,Feng Yan,Wang Zebing

DOI: https://doi.org/10.3969/j.issn.1000-0801.2010.10.014

2010-01-01

Abstract:Nowadays wireless intrusion prevention systems have become the research hotspot with the fast development of WLAN.In this paper,we first introduce the common attack methods for WLAN,and then present the framework of the wireless IPS with a distributed pre-decision engine,which can predict the future actions and direct active responses to these actions.We implement an improved model with extended detection rules for conducting intrusion plan and making pre-decision,by gathering wireless device information and importing supporting degree of intrusion plan in plan recognition.Experimental results showed that the distributed pre-decision engine can not only improve wireless intrusion detection and prevention performance,also reduce false negatives and false positives evidently.

Hassan Hadi Al-Maksousy,Michele C. Weigle,Cong Wang

DOI: https://doi.org/10.1109/ths.2018.8574174

2018-01-01

Abstract:Malware detection is an important problem. We propose an efficient real-time system to detect and classify malware based on network behavior using deep neural networks. We show that the splitting of the system into two neural networks, detection and analysis, is the key to increasing accuracy. Therefore, this approach allows for the construction of a real-time monitoring system with very low CPU usage. Finally, we provide a comparison analysis of four machine learning classifiers for this task.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Qiaomu Jiang,Huifang Chen,Lei Xie,Kuang Wang

DOI: https://doi.org/10.1109/smartgridcomm.2017.8340659

2017-01-01

Abstract:State estimation plays a critical role in the smart grid systems. However, according to recent researches, it is evident that a well-designed false data injection attack (FDIA) can bypass the security system and mislead the state estimator. Therefore, detecting such kind of attack efficiently is critical to ensuring the reliability of the smart grid systems. In this paper, we study the real-time FDIA detection mechanism. In the proposed mechanism, we use a residual prewhitening procedure to resolve the problem in the existing real-time FDIA detection mechanism, which is the covariance matrix of the residual is not full rank. Then, we construct a two-sided vector parameter test statistic, and propose a real-time FDIA detection method based on the cumulative sum (CUSUM) of the one-shot statistic. Moreover, the asymptotic closed-form expressions of the detection performance of the proposed method, in terms of the false-alarm period and the average detection delay, are theoretically derived. Numerical results validate that the proposed real-time detection method can detecte the FDIA efficiently.

Zhongqiang Chen,Yuan Zhang,Zhongrong Chen,Alex Delis

DOI: https://doi.org/10.1093/comjnl/bxp026

2009-01-01

The Computer Journal

Abstract:Intrusion detection/prevention systems (IDSs/IPSs) heavily rely on signature databases and pattern matching (PM) techniques to identify network attacks. The engines of such systems often employ traditional PM algorithms to search for telltale patterns in network flows. The observations that real-world network traffic is largely legitimate and that telltales manifested by exploits rarely appear in network streams lead us to the proposal of Fingerprinter. This framework integrates fingerprinting and PM methods to rapidly distinguish well-behaved from malicious traffic. Fingerprinter produces concise digests or fingerprints for attack signatures during its programming phase. In its querying phase, the framework quickly identifies attack-free connections by transforming input traffic into its fingerprint space and matching its digest against those of attack signatures. If the legitimacy of a stream cannot be determined by fingerprints alone, our framework uses the Boyer–Moore algorithm to ascertain whether attack signatures appear in the stream. To reduce false matches, we resort to multiple fingerprinting techniques including Bloom–Filter and Rabin–Fingerprint. Experimentation with a prototype and a variety of traces has helped us establish that Fingerprinter significantly accelerates the attack detection process.

Weitong CHEN,Yuntao QIAN

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.16.050

2006-01-01

Abstract:This paper presents a network intrusion detection method based on Rough Set theory,and use a hybrid method with genetic algorithm to find a possibly short reduct which can reduce computing time.The result of the experiment shows that this model has high detection rate and low false reject rate in detecting DoS and probe attacks,and performs well in detecting R2L and U2R attacks either.

AMBAREEN SIRAJ,RAYFORD B. VAUGHN,SUSAN M. BRIDGES

DOI: https://doi.org/10.1142/s0219622004001057

2004-06-01

Abstract:This paper describes the use of artificial intelligence techniques in the creation of a network-based decision engine for decision support in an Intelligent Intrusion Detection System (IIDS). In order to assess overall network health, the decision engine fuses outputs from different intrusion detection sensors serving as "experts" and then analyzes the integrated information to present an overall security view of the system for the security administrator. This paper reports on the workings of a decision engine that has been successfully embedded into the IIDS architecture being built at the Center for Computer Security Research, Mississippi State University. The decision engine uses Fuzzy Cognitive Maps (FCM)s and fuzzy rule-bases for causal knowledge acquisition and to support the causal knowledge reasoning process.

computer science, information systems, artificial intelligence, interdisciplinary applications,operations research & management science

Shuai Jiang,Xiaolong Xu

DOI: https://doi.org/10.1007/978-3-030-34637-9_12

2019-01-01

Abstract:In the era of network and big data, network information security has become a major issue. Intrusion Detection System (IDS) is an essential component of network security facilities, which utilizes network traffic data to detect attacks. IDS can adopt data analysis and data mining technologies to detect attacks to network systems. However, the computational overhead of IDS is too large to serve for real-time detection due to the redundancy and irrelevant features in the network traffic dataset. We hence analyze seven classification algorithms for intrusion detection, where we separately perform data preprocessing with two kinds of dimensionality reduction techniques, Principal Component Analysis (PCA) and Singular Value Decomposition (SVD), to improve the performance of IDS. The experimental results on the NSL-KDD dataset indicate that the classification algorithms with dimensionality reduction outstands in detection rate and detection speed. Meanwhile, SVD demonstrate its superiority to PCA in boosting these algorithms.

Peng Chen,Yunfei Guo,Jianpeng Zhang,Yawen Wang,Hongchao Hu

DOI: https://doi.org/10.1109/ICCC51575.2020.9345300

2020-01-01

Abstract:Intrusion Detection System (IDS) plays a vital role in cybersecurity. One major challenge in state-of-the-art IDS is that the Advanced Persistent Threats (APTs) cannot be well detected. Deep Neural Networks (DNNs) extract latent features of input data, which is considered to be able to capture intrinsic property of APTs, to detect APTs. However, DNN is not well used in APT detection. In this paper, a DNN model is utilized for intrusion detection and a novel method of preprocessing is proposed to improve the performance of the detection algorithms. We consider the statistical characteristics of training set to be the statistical characteristics of test set and detection set. Experiment results show that our preprocessing methodology achieves a better performance in terms of accuracy, recall and F1 Score than traditional preprocessing methods, which means a better detection for APTs.

Yuhan Suo,Senchun Chai,Runqi Chai,Zhong-Hua Pang,Yuanqing Xia,Guo-Ping Liu

DOI: https://doi.org/10.1109/TIFS.2023.3340098

2023-12-18

Abstract:In large-scale networks, communication links between nodes are easily injected with false data by adversaries. This paper proposes a novel security defense strategy from the perspective of attack detection scheduling to ensure the security of the network. Based on the proposed strategy, each sensor can directly exclude suspicious sensors from its neighboring set. First, the problem of selecting suspicious sensors is formulated as a combinatorial optimization problem, which is non-deterministic polynomial-time hard (NP-hard). To solve this problem, the original function is transformed into a submodular function. Then, we propose an attack detection scheduling algorithm based on the sequential submodular optimization theory, which incorporates \emph{expert problem} to better utilize historical information to guide the sensor selection task at the current moment. For different attack strategies, theoretical results show that the average optimization rate of the proposed algorithm has a lower bound, and the error expectation is bounded. In addition, under two kinds of insecurity conditions, the proposed algorithm can guarantee the security of the entire network from the perspective of the augmented estimation error. Finally, the effectiveness of the developed method is verified by the numerical simulation and practical experiment.

Systems and Control

Mohammed Misbahuddin,Sachin Narayanan,Bishwa Ranjan Ghosh

DOI: https://doi.org/10.48550/arXiv.1004.0594

2010-04-05

Abstract:Intrusion Detection & Prevention Systems generally aims at detecting / preventing attacks against Information systems and networks. The basic task of IDPS is to monitor network & system traffic for any malicious packets/patterns and hence to prevent any unwarranted incidents which leads the systems to insecure state. The monitoring is done by checking each packet for its validity against the signatures formulated for identified vulnerabilities. Since, signatures are the heart & soul of an Intrusion Detection and Prevention System (IDPS), we, in this paper, discuss two methodologies we adapted in our research effort to improve the current Intrusion Detection and Prevention (IDP) systems. The first methodology RUDRAA is for formulating, verifying & validating the potential signatures to be used with IDPS. The second methodology DSP-FED is aimed at processing the signatures in less time with our proposed fast elimination method using DFA. The research objectives of this project are 1) To formulate & process potential IPS signatures to be used with Intrusion prevention system. 2) To propose a DFA based approach for signature processing which, upon a pattern match, could process the signatures faster else could eliminate it efficiently if not matched

Cryptography and Security

Chongzhen Zhang,Yanli Chen,Yang Meng,Fangming Ruan,Runze Chen,Yidan Li,Yaru Yang

DOI: https://doi.org/10.1155/2021/6610675

IF: 1.968

2021-01-25

Security and Communication Networks

Abstract:Traditional machine learning-based intrusion detection often only considers a single algorithm to identify intrusion data, lack of the flexibility method, low detection rate, no handing high-dimensional data, and cannot solve these problems well. In order to improve the performance of intrusion detection system, a novel general intrusion detection framework was proposed in this paper, which consists of five parts: preprocessing module, autoencoder module, database module, classification module, and feedback module. The data processed by the preprocessing module are compressed by the autoencoder module to obtain a lower-dimensional reconstruction feature, and the classification result is obtained through the classification module. Compressed features of each traffic are stored in the database module which can both provide retraining and testing for the classification module and restore these features to the original traffic for postevent analysis and forensics. For evaluation of the framework performance proposed, simulation was conducted with the CICIDS2017 dataset to the real traffic of the network. As the experimental results, the accuracy of binary classification and multiclass classification is better than previous work, and high-level accuracy was reached for the restored traffic. At the last, the possibility was discussed on applying the proposed framework to edge/fog networks.

computer science, information systems,telecommunications

孙云,黄皓

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.09.059

2008-01-01

Abstract:Intrusion Detection System(IDS) has been harassed by false positive and false negative problem.Common IDS using single detection mode is hard to solve this problem effectively.This paper analyzes the characteristics of network flow and presents a new method,called hybrid IDS,combining misuse detection mode and anomaly detection mode,the method can overcome the shortcomings of IDS using single mode.Experiments show that the new method can improve IDS detection rate and decrease false alerts effectively.

Rahul Adhao,Vinod Pachghare

DOI: https://doi.org/10.47164/ijngc.v13i4.455

2022-11-18

INTERNATIONAL JOURNAL OF NEXT-GENERATION COMPUTING

Abstract:In today's high-speed network, the existing Intrusion Detection System (IDS) approaches experience more false alarm rates with low detection capability. Nowadays, IDS needs to analyze a considerable amount of data. The larger the amount of data results in the longer the time to analyze it, which delays attack detection. The IDS usability is defined as its capability to trigger an alarm early enough to minimize the damage that an ongoing attack can cause and provide a reduced range of warning (false alarm). These underline the necessity of feature selection in IDS to identify the informative features and overlook the irrelevant or redundant features that affect the IDS's detection rate and computational complexity. It implies that anticipating an ideal number of features from a flow-based intrusion dataset can improve IDS accuracy. Therefore, this paper proposes an ensemble of a bio-inspired algorithm (Krill Herd Algorithm) with statistical measures (Information Gain) to select optimal features for a flow-based IDS. This ensemble technique has shown improvement in the detection rate, decreases the false alarm rate, and reduces the computation time of the IDS.

Fu Xiao,Xie Li

DOI: https://doi.org/10.1109/npc.2008.26

2008-01-01

Abstract:Intrusion detection systems (IDSs) can easily create thousands of alerts per day, up to 99% of which are false positives (i.e. alerts that are triggered incorrectly by benign events). This makes it extremely difficult for managers to analyze and react to attacks. This paper presents a novel method for handling IDS alerts more efficiently. It introduces outlier detection technique into this field, and designs a special outlier detection algorithm for identifying true alerts and reducing false positives. This algorithm uses frequent attribute values mined from historical alerts as the features of false positives, and then filters false alerts by the score calculated based on these features. We also proposed a two-phrase framework, which not only can filter newcome alerts in real time, but also can learn from these alerts and automatically adjust the filtering mechanism to new situations. Moreover our method needs no domain knowledge and little human assistance, so it is more practical than current ways. We have built a prototype implementation of our method. And the experiments on DARPA 2000 and real-world data have proved that this model has high performance.

Peng Tao,Jiang Minghua

2007-01-01

Abstract:The fuzzy way tends to be more realistic and provides with more information in area of decision-making. Fuzzy patterns recognition is a technology based fuzzy sets. The packets on the network can be divided into some fuzzy sets. A schema of intrusion detection and defending based fuzzy patterns recognition is proposed. The model has two fuzzy sets (normal packets and abnormal packets), and filtering the abnormal packets by analyzing the fuzzy similarity of normal set and abnormal set. The schema is self-adaptive and self-learning.

Ezgi Zorarpaci

DOI: https://doi.org/10.1016/j.engappai.2024.108162

IF: 8

2024-03-10

Engineering Applications of Artificial Intelligence

Abstract:Due to the widespread use of the internet, computer network systems may be exposed to different types of attacks. For this reason, the intrusion detection systems (IDSs) are often used to protect the network systems. Network traffic data (i.e., network packets) includes many features. However, most of them are irrelevant and can lead to a decrease in the runtime and/or the detection performance of the IDS. Although various data mining methods have been applied to improve the effectiveness of IDS, research regarding IDSs having high detection rates and better runtime performance (i.e., lower computational cost) is ongoing. On the other hand, the dimensionality reduction techniques help to eliminate unnecessary features and reduce the computation time of a classification algorithm. In the literature, the feature selection methods (i.e., filter and wrapper) have been widely used for the dimensionality reduction in IDSs. Although the wrapper feature selection techniques outperform the filters, they are time-consuming. Again, the ensemble classifiers can achieve higher detection rates for IDSs compared to the stand-alone classifiers, but they require more computation time to build the model. In order to improve the runtime performance and the detection rate of IDS, a swift wrapper feature selection and a speedy ensemble classifier are proposed in this study. For the dimensionality reduction, the swift wrapper feature selection (i.e., DBDE-QDA) is used, which consists of dichotomous binary differential evolution (DBDE) and quadratic discriminant analysis (QDA). For attack detection, the speedy ensemble classifier is used, which combines Holte's 1R, random tree, and reduced error pruning tree. In the experiments, the NSL-KDD, UNSW-NB15, and CICDDoS2019 datasets are used. According to the experimental results, the proposed IDS reaches 95%–97.4%, 82.7%, and 99.5%–99.9% detection rates for the NSL-KDD, UNSW-NB15, and CICDDoS2019 datasets. In this way, the proposed IDS competes with the state-of-the-art methods in terms of detection rate and false alarm rate. In addition, the proposed IDS has a lower computational cost than the state-of-the-art methods. Moreover, DBDE-QDA reduces the dimension by 60.97%–82.92%, 73.46%, and 96.55%–98.85% for the NSL-KDD, UNSW-NB15, and CICDoS2019 datasets.

automation & control systems,computer science, artificial intelligence,engineering, electrical & electronic, multidisciplinary

Sheikh Abdul Hameed Ayubkhan,Wun-She Yap,Ezra Morris,Mumtaj Begam Kasim Rawthar

DOI: https://doi.org/10.1007/s12652-022-04449-w

IF: 3.662

2022-11-08

Journal of Ambient Intelligence and Humanized Computing

Abstract:Autoencoder and conventional machine learning classifiers are widely used to design an intrusion detection system (IDS). However, noise and corruption in the high-dimensional network traffic samples will still affect the stability and performance of an autoencoder and other conventional machine learning based IDS models. The distortions in the input datasets cause deviations in the learnt patterns and always resulted in a low detection rate. Besides, the IDS classifiers use every single feature to train the samples, which makes the model consumes longer training time, computational resources and memory usage. The main aim of this proposal is to remove the distortions from the network traffic and train the IDS model in a faster manner to detect any category of intruders in the network traffic by achieving a higher detection rate in a short training time. To achieve this, we propose an intrusion detection system that combines a denoising autoencoder and LightGBM classifier. The denoising autoencoder removes the noise and corruptions in the network traffic, thereby possibly avoiding the deviations which can enhance the features learning capacity required for classification. Subsequently, to classify the samples, the LightGBM classifier is used. The classifier uses the feature histogram bins with larger gradients, thus avoiding using each feature at every iteration to accelerate the training speed and boost the predictive capacity of the model. The proposed model shows better detection performance improvement over nine benchmark datasets including CIDDS-001, CIDDS-002, ISCX-URL2016, UNSW-NB15, CIC-IDS-2017, ISCX-Tor2016, BoT-IoT, IoTID20 and Kyoto 2006+ for both binary classification and multi-classification tasks as compared to other existing IDS. The model achieves the maximum detection rate of over 99.60% for CIDDS-001, 99.90% for CIDDS-002, 97.00% for ISCX-Tor2016, 96.11% for UNSW-NB15, 99.86% for CIC-IDS17, 97.76% for ISCX-URL16, 99.91% for BoT-IoT, 97.43% for both IoTID2020 and Kyoto 2006+ datasets respectively, while the training time ranges from 1.10 to 21.78 s only. More importantly, the proposed model has higher learning and predictivity capacity which boosts the generalization capacity. The model also shows good performance in detecting all classes including the minority classes for all aforementioned datasets without any oversampling techniques. The efficiency of the model emphasizes that it can be deployed as a real-time model in any industrial network traffic that includes IoT based smart environment and fog-cloud computing network.

computer science, information systems,telecommunications, artificial intelligence

Bo-Xiang Wang,Jiann-Liang Chen,Chiao-Lin Yu

DOI: https://doi.org/10.1109/access.2022.3175886

IF: 3.9

2022-05-27

IEEE Access

Abstract:The work develops a network threat detection system, AI@NTDS, that uses the behavioral features of attackers and intelligent techniques. The proposed AI@NTDS system combines data analysis, feature extraction, and feature evaluation to construct a detection model, which supports a more straightforward strategy by which the operating system or its operators can defend against network attacks. The Linux system interaction information of SSH (Secure Shell) and Telnet are obtained from the Cowrie Honeypot and labeled according to Enterprise Tactics of MITRE ATT&CK to ensure dataset credibility. The proposed AI@NTDS system has three levels, depending on the attacker's attacks and the user's risk of damage. Fifty-two features are used to detect the network threat level. The features contain message-based features for all kinds of Linux operating instructions, host-based features for all types of information in the network connection process, and geography-based features are related to the attacker's location. AI-based algorithms LightGBM, Random Forest and the K-NN algorithm are used to verify the identification of the custom features. Finally, the detection model that is trained using the best combination of features is used to predict the test dataset. The accuracy of the proposed AI@NTDS system reaches 99%, 95.66%, and 94.08% with the LightGBM, Random Forest, and K-NN algorithms, respectively. The mutual dependencies of features and network threats are evaluated. Results of a performance analysis reveal that the proposed AI@NTDS system has an accuracy of 99.20% and an F1-score of 99.80%. It is superior to existing detection mechanisms, which it outperforms by 4% and 1% i- accuracy and F1-score, respectively.

computer science, information systems,telecommunications,engineering, electrical & electronic