Yuzhao Xu,Yanjing Sun,Zhanguo Ma,Hongjie Zhao,Yanfen Wang,Nannan Lu,,,

DOI: https://doi.org/10.20965/jaciii.2022.p0671

2022-09-20

Journal of Advanced Computational Intelligence and Intelligent Informatics

Abstract:Intrusion detection, as a technology used to monitor abnormal behavior and maintain network security, has attracted many researchers’ attention in recent years. Thereinto, association rule mining is one of the mainstream methods to construct intrusion detection systems (IDS). However, the existing association rule algorithms face the challenges of high false positive rate and low detection rate. Meanwhile, too many rules might lead to the uncertainty increase that affects the performance of IDS. In order to tackle the above problems, a modified genetic network programming (GNP) is proposed for class association rule mining. Specifically, based on the property that node connections in the directed graph structure of GNP can be used to construct attribute associations, we propose to introduce information gain into GNP node selection. The most important attributes are thus selected, and the irrelevant attributes are removed before the rule is extracted. Moreover, not only the uncertainty among the class association rules is alleviated and also time consumption is reduced. The extracted rules can be applied to any classifier without affecting the detection performance. Experiment results based on NSL-KDD and KDDCup99 verify the performance of our proposed algorithm.

Congyuan Xu,Jizhong Shen,Xin Du,Fan Zhang

DOI: https://doi.org/10.1109/access.2018.2867564

IF: 3.9

2018-01-01

IEEE Access

Abstract:To improve the performance of network intrusion detection systems (IDS), we applied deep learning theory to intrusion detection and developed a deep network model with automatic feature extraction. In this paper, we consider the characteristics of the time-related intrusion and propose a novel IDS that consists of a recurrent neural network with gated recurrent units (GRU), multilayer perceptron (MLP), and softmax module. Experiments on the well-known KDD 99 and NSL-KDD data sets show that the system has leading performance. The overall detection rate was 99.42% using KDD 99 and 99.31% using NSL-KDD with false positive rates as low as 0.05% and 0.84%, respectively. In particular, for detecting the denial of service attacks, the system achieved detection rates of 99.98% and 99.55%, respectively. Comparative experiments showed that the GRU is more suitable as a memory unit for IDS than LSTM, and proved that it is an effective simplification and improvement of LSTM. Moreover, the bidirectional GRU can reach the best performance compared with the recently published methods.

Herve Kabamba Mbikayi

DOI: https://doi.org/10.48550/arXiv.1212.0170

2012-12-02

Abstract:With the increasing number of intrusions in system and network infrastructures, Intrusion Detection Systems (IDS) have become an active area of research to develop reliable and effective solutions to detect and counter them. The use of Evolutionary Algorithms in IDS has proved its maturity over the times. Although most of the research works have been based on the use of genetic algorithms in IDS, this paper presents an approach toward the generation of rules for the identification of anomalous connections using evolution strategies . The emphasis is given on how the problem can be modeled into ES primitives and how the fitness of the population can be evaluated in order to find the local optima, therefore resulting in optimal rules that can be used for detecting intrusions in intrusion detection systems.

Cryptography and Security,Neural and Evolutionary Computing

Yinjie Ni,Shuhua Gao,Sunan Huang,Cheng Xiang,Qinyuan Ren,Tong Heng Lee

DOI: https://doi.org/10.1109/IECON48115.2021.9589599

2021-01-01

Abstract:This paper works on multiple-pursuer single-evader (MPSE) problems with a fast evader, which means multiple pursuers try to capture one evader while the evader tries to escape from the encirclement. The biggest concern is that the maximum velocity of the evader is larger than all the pursuers. Some improved strategies for the evader and pursuers based on traditional algorithms are firstly provided. Then gene expression programming (GEP) is used to generate new strategies which are better than the traditional ones. This paper shows configurations of function set, terminal set, fitness, evaluation function, and other parameters used in the GEP method, which can be implemented in other cases or similar problems.

Mohammad Sazzadul Hoque,Md. Abdul Mukit,Md. Abu Naser Bikas

DOI: https://doi.org/10.5121/ijnsa.2012.4208

2012-04-05

Abstract:Nowadays it is very important to maintain a high level security to ensure safe and trusted communication of information between various organizations. But secured data communication over internet and any other network is always under threat of intrusions and misuses. So Intrusion Detection Systems have become a needful component in terms of computer and network security. There are various approaches being utilized in intrusion detections, but unfortunately any of the systems so far is not completely flawless. So, the quest of betterment continues. In this progression, here we present an Intrusion Detection System (IDS), by applying genetic algorithm (GA) to efficiently detect various types of network intrusions. Parameters and evolution processes for GA are discussed in details and implemented. This approach uses evolution theory to information evolution in order to filter the traffic data and thus reduce the complexity. To implement and measure the performance of our system we used the KDD99 benchmark dataset and obtained reasonable detection rate.

Cryptography and Security,Neural and Evolutionary Computing,Networking and Internet Architecture

GUO Shan-Qing,XIE Li,ZENG Ying-Pei

DOI: https://doi.org/10.3321/j.issn:0254-4164.2006.09.003

2006-01-01

Abstract:Progress has been made in using machine learning techniques such as SVM and neural networks for intrusion detection,but the non-understandable detection results have prevented those algorithms from being thoroughly utilized.In this paper,the authors put forward a novel huge-data oriented method,which was based on the popular association rules extraction algorithm and targeted at the result of intrusion detection,to build real-time rules for enhancing the understanding of detection results and therefore decrease possible loss.The algorithm,by introducing local support,global confidence,CI-Tree and IX-Tree structure,employed these tree structures to build online rules for currently active intrusion.This algorithm solved a number of problems that exist in applying association rules algorithm to intrusion detection:(1)multi-scan(twice at least);(2)mass useless rules due to unbalanced distribution of attacking data;(3)unwanted frequent set produced in the old two-phase rule-building method.Experimental results have demonstrated the method's good performance in both rule building efficacy and time efficiency.

Liyan Chang,Paula Branco

DOI: https://doi.org/10.48550/arXiv.2111.13597

2021-11-27

Abstract:The high volume of increasingly sophisticated cyber threats is drawing growing attention to cybersecurity, where many challenges remain unresolved. Namely, for intrusion detection, new algorithms that are more robust, effective, and able to use more information are needed. Moreover, the intrusion detection task faces a serious challenge associated with the extreme class imbalance between normal and malicious traffics. Recently, graph-neural network (GNN) achieved state-of-the-art performance to model the network topology in cybersecurity tasks. However, only a few works exist using GNNs to tackle the intrusion detection problem. Besides, other promising avenues such as applying the attention mechanism are still under-explored. This paper presents two novel graph-based solutions for intrusion detection, the modified E-GraphSAGE, and E-ResGATalgorithms, which rely on the established GraphSAGE and graph attention network (GAT), respectively. The key idea is to integrate residual learning into the GNN leveraging the available graph information. Residual connections are added as a strategy to deal with the high-class imbalance, aiming at retaining the original information and improving the minority classes' performance. An extensive experimental evaluation of four recent intrusion detection datasets shows the excellent performance of our approaches, especially when predicting minority classes.

Cryptography and Security,Machine Learning

Jianming Shi,Tao Feng

DOI: https://doi.org/10.1155/2023/3965245

IF: 1.968

2023-04-26

Security and Communication Networks

Abstract:Aiming at the network security problem of power system cable trench control industrial Internet system, we studied an intrusion detection method applied to the embedded industrial Internet of Things gateway. This method extracts rules from the DBN-DNN deep neural network to obtain intrusion detection models that are conducive to integration into embedded systems. We first use the DBN network to reduce the dimensionality of the data, then use the DNN to train the classification model, and extract the rules from the DNN's neurons to form a rule tree for intrusion detection. The KDD CUP99 training database is used to verify the feasibility of the method, and the test is carried out in the embedded gateway. The results show that the detection method based on rule extraction used in this paper can ensure detection efficiency and accuracy compared to the traditional detection methods. At the same time, it saves more computing resources and is more conducive to integration in embedded gateway systems.

computer science, information systems,telecommunications

Lingzhi Wang,Xiangmin Shen,Weijian Li,Zhenyuan Li,R. Sekar,Han Liu,Yan Chen

DOI: https://doi.org/10.14722/ndss.2025.23822

2024-09-20

Abstract:As cyber attacks grow increasingly sophisticated and stealthy, it becomes more imperative and challenging to detect intrusion from normal behaviors. Through fine-grained causality analysis, provenance-based intrusion detection systems (PIDS) demonstrated a promising capacity to distinguish benign and malicious behaviors, attracting widespread attention from both industry and academia. Among diverse approaches, rule-based PIDS stands out due to its lightweight overhead, real-time capabilities, and explainability. However, existing rule-based systems suffer low detection accuracy, especially the high false alarms, due to the lack of fine-grained rules and environment-specific configurations. In this paper, we propose CAPTAIN, a rule-based PIDS capable of automatically adapting to diverse environments. Specifically, we propose three adaptive parameters to adjust the detection configuration with respect to nodes, edges, and alarm generation thresholds. We build a differentiable tag propagation framework and utilize the gradient descent algorithm to optimize these adaptive parameters based on the training data. We evaluate our system using data from DARPA Engagements and simulated environments. The evaluation results demonstrate that CAPTAIN enhances rule-based PIDS with learning capabilities, resulting in improved detection accuracy, reduced detection latency, lower runtime overhead, and more interpretable detection procedures and results compared to the state-of-the-art (SOTA) PIDS.

Cryptography and Security

Hao-Ting Pai,Yu-Hsuan Kang,Wen-Cheng Chung

2024-03-12

Abstract:Recent advancements in Intrusion Detection Systems (IDS), integrating Explainable AI (XAI) methodologies, have led to notable improvements in system performance via precise feature selection. However, a thorough understanding of cyber-attacks requires inherently explainable decision-making processes within IDS. In this paper, we present the Interpretable Generalization Mechanism (IG), poised to revolutionize IDS capabilities. IG discerns coherent patterns, making it interpretable in distinguishing between normal and anomalous network traffic. Further, the synthesis of coherent patterns sheds light on intricate intrusion pathways, providing essential insights for cybersecurity forensics. By experiments with real-world datasets NSL-KDD, UNSW-NB15, and UKM-IDS20, IG is accurate even at a low ratio of training-to-test. With 10%-to-90%, IG achieves Precision (PRE)=0.93, Recall (REC)=0.94, and Area Under Curve (AUC)=0.94 in NSL-KDD; PRE=0.98, REC=0.99, and AUC=0.99 in UNSW-NB15; and PRE=0.98, REC=0.98, and AUC=0.99 in UKM-IDS20. Notably, in UNSW-NB15, IG achieves REC=1.0 and at least PRE=0.98 since 40%-to-60%; in UKM-IDS20, IG achieves REC=1.0 and at least PRE=0.88 since 20%-to-80%. Importantly, in UKM-IDS20, IG successfully identifies all three anomalous instances without prior exposure, demonstrating its generalization capabilities. These results and inferences are reproducible. In sum, IG showcases superior generalization by consistently performing well across diverse datasets and training-to-test ratios (from 10%-to-90% to 90%-to-10%), and excels in identifying novel anomalies without prior exposure. Its interpretability is enhanced by coherent evidence that accurately distinguishes both normal and anomalous activities, significantly improving detection accuracy and reducing false alarms, thereby strengthening IDS reliability and trustworthiness.

Cryptography and Security,Artificial Intelligence

Yi Cui,Wenfeng Shen,Jian Zhang,Weijia Lu,Chuang Liu,Lin Sun,Si Chen

DOI: https://doi.org/10.48550/arXiv.2206.10400

2022-06-21

Cryptography and Security

Abstract:As an active network security protection scheme, intrusion detection system (IDS) undertakes the important responsibility of detecting network attacks in the form of malicious network traffic. Intrusion detection technology is an important part of IDS. At present, many scholars have carried out extensive research on intrusion detection technology. However, developing an efficient intrusion detection method for massive network traffic data is still difficult. Since Generative Adversarial Networks (GANs) have powerful modeling capabilities for complex high-dimensional data, they provide new ideas for addressing this problem. In this paper, we put forward an EBGAN-based intrusion detection method, IDS-EBGAN, that classifies network records as normal traffic or malicious traffic. The generator in IDS-EBGAN is responsible for converting the original malicious network traffic in the training set into adversarial malicious examples. This is because we want to use adversarial learning to improve the ability of discriminator to detect malicious traffic. At the same time, the discriminator adopts Autoencoder model. During testing, IDS-EBGAN uses reconstruction error of discriminator to classify traffic records.

Ruoyu Li,Qing Li,Yu Zhang,Dan Zhao,Xi Xiao,Yong Jiang

2024-03-28

Abstract:Anomaly-based network intrusion detection systems (A-NIDS) use unsupervised models to detect unforeseen attacks. However, existing A-NIDS solutions suffer from low throughput, lack of interpretability, and high maintenance costs. Recent in-network intelligence (INI) exploits programmable switches to offer line-rate deployment of NIDS. Nevertheless, current in-network NIDS are either model-specific or only apply to supervised models. In this paper, we propose Genos, a general in-network framework for unsupervised A-NIDS by rule extraction, which consists of a Model Compiler, a Model Interpreter, and a Model Debugger. Specifically, observing benign data are multimodal and usually located in multiple subspaces in the feature space, we utilize a divide-and-conquer approach for model-agnostic rule extraction. In the Model Compiler, we first propose a tree-based clustering algorithm to partition the feature space into subspaces, then design a decision boundary estimation mechanism to approximate the source model in each subspace. The Model Interpreter interprets predictions by important attributes to aid network operators in understanding the predictions. The Model Debugger conducts incremental updating to rectify errors by only fine-tuning rules on affected subspaces, thus reducing maintenance costs. We implement a prototype using physical hardware, and experiments demonstrate its superior performance of 100 Gbps throughput, great interpretability, and trivial updating overhead.

Cryptography and Security,Networking and Internet Architecture

Shubhra Dwivedi,Manu Vardhan,Sarsij Tripathi,Alok Kumar Shukla

DOI: https://doi.org/10.1007/s12065-019-00293-8

2019-09-21

Evolutionary Intelligence

Abstract:Intrusion detection has become important to network security because of the increasing connectivity between computers and internet. Various Intrusion Detection Systems have been investigated to protect web or networks using several evolutionary methods and classification techniques. In this study, we propose a new technique by combining Ensemble of Feature Selection (EFS) and Adaptive Grasshopper Optimization Algorithm (AGOA) methods, called EFSAGOA which can help to identify the types of attack. In the proposed approach, initially, EFS method is applied to rank the attribute for selecting the high ranked subset of attributes. Then, AGOA is employed to determine important attributes from the reduced datasets that can contribute to predict the networks traffic behavior. Furthermore, adaptive behavior of GOA uses to decide whether a record represents an anomaly or not, differing from some approaches acquainted in the literature. AGOA uses the Support Vector Machine (SVM) as a fitness function to choose the extremely efficient features and to maximize the classification performance. In addition, it is also applied to optimize the penalty factor (C), kernel parameter <span class="InlineEquation">\((\sigma )\)</span>, and tube size <span class="InlineEquation">\((\epsilon )\)</span> of SVM classifier. The performance of EFSAGOA has been evaluated on modern intrusion data as ISCX 2012. The experimental results demonstrate that the proposed method performs better and obtain high detection rate, accuracy, and low false alarm rate compared to other state-of-art techniques in ISCX 2012 data.

Burak Kolukisa,Bilge Kagan Dedeturk,Hilal Hacilar,Vehbi Cagri Gungor

DOI: https://doi.org/10.1016/j.csi.2023.103808

IF: 3.721

2024-04-01

Computer Standards & Interfaces

Abstract:In recent years, the widespread use of the Internet has created many issues, especially in the area of cybersecurity. It is critical to detect intrusions in network traffic, and researchers have developed network intrusion and anomaly detection systems to cope with high numbers of attacks and attack variations. In particular, machine learning and meta-heuristic methods have been widely used for network intrusion detection systems (NIDS). However, existing studies on these systems usually suffer from low performance results such as accuracy, F1-measure, false positive rate, and false negative rate, and generally do not use automatic parameter tuning techniques. To address these challenges, this study proposes a novel approach based on a logistic regression model trained using a parallel artificial bee colony (LR-ABC) algorithm with a hyper-parameter optimization technique. The performance of the proposed model is evaluated against state-of-the-art machine learning and deep learning models on two publicly available NIDS datasets. Comparative performance evaluations show that the proposed method achieved satisfactory results with accuracy of 88.25% on the UNSW-NB15 dataset and 90.11% on the NSL-KDD dataset, and F1-measures of 88.26% and 90.15%, respectively. These findings demonstrate the efficacy of the proposed LR-ABC model in enhancing the accuracy and reliability, while providing a scalable solution to adapt to the dynamic and evolving landscape of cybersecurity threats.

computer science, software engineering, hardware & architecture

Muhammad Ali Akhtar,Syed Muhammad Owais Qadri,Maria Andleeb Siddiqui,Syed Muhammad Nabeel Mustafa,Saba Javaid,Syed Abbas Ali

DOI: https://doi.org/10.1038/s41598-023-43816-1

IF: 4.6

2023-10-13

Scientific Reports

Abstract:Network security has developed as a critical research subject as a result of the Rapid advancements in the development of Internet and communication technologies over the previous decades. The expansion of networks and data has caused cyber-attacks on the systems, making it difficult for network security to detect breaches effectively. Current Intrusion Detection Systems (IDS) have several flaws, including their inability to prevent attacks on their own, the requirement for a professional engineer to administer them, and the occurrence of false alerts. As a result, a plethora of new attacks are being created, making it harder for network security to properly detect breaches. Despite the best efforts, IDS continues to struggle with increasing detection accuracy while lowering false alarm rates and detecting new intrusions. Therefore, network intrusion detection enhancement by preprocessing and generation of highly reliable algorithms is the main focus nowadays. Machine learning (ML) based IDS systems have recently been implemented as viable solutions for quickly detecting intrusions across the network. In this study, we use a combined data analysis technique with four Robust Machine learning ensemble algorithms, including the Voting Classifier, Bagging Classifier, Gradient Boosting Classifier, and Random Forest-based Bagging algorithm along with the proposed Robust genetic ensemble classifier. For each algorithm, a model is created and tested using a Network Dataset. To assess the performance of both algorithms in terms of their ability to anticipate the anomaly occurrence, graphs of performance rates have been evaluated. The suggested algorithm outperformed other methods as it shows the lowest values of mean square error (MSE) and mean absolute error (MAE). The experiments were conducted on the Network traffic dataset available on Kaggle, on the Python platform, which has limited samples. The proposed method can be applied in the future with more machine learning ensemble classifiers and deep learning techniques.

multidisciplinary sciences

Ankita Sharma,Shalli Rani,Maha Driss

DOI: https://doi.org/10.1371/journal.pone.0308206

IF: 3.7

2024-09-12

PLoS ONE

Abstract:In response to the rapidly evolving threat landscape in network security, this paper proposes an Evolutionary Machine Learning Algorithm designed for robust intrusion detection. We specifically address challenges such as adaptability to new threats and scalability across diverse network environments. Our approach is validated using two distinct datasets: BoT-IoT, reflecting a range of IoT-specific attacks, and UNSW-NB15, offering a broader context of network intrusion scenarios using GA based hybrid DT-SVM. This selection facilitates a comprehensive evaluation of the algorithm's effectiveness across varying attack vectors. Performance metrics including accuracy, recall, and false positive rates are meticulously chosen to demonstrate the algorithm's capability to accurately identify and adapt to both known and novel threats, thereby substantiating the algorithm's potential as a scalable and adaptable security solution. This study aims to advance the development of intrusion detection systems that are not only reactive but also preemptively adaptive to emerging cyber threats." During the feature selection step, a GA is used to discover and preserve the most relevant characteristics from the dataset by using evolutionary principles. Through the use of this technology based on genetic algorithms, the subset of features is optimised, enabling the subsequent classification model to focus on the most relevant components of network data. In order to accomplish this, DT-SVM classification and GA-driven feature selection are integrated in an effort to strike a balance between efficiency and accuracy. The system has been purposefully designed to efficiently handle data streams in real-time, ensuring that intrusions are promptly and precisely detected. The empirical results corroborate the study's assertion that the IDS outperforms traditional methodologies.

Pokkuluri Kiran Sree,Inampudi Ramesh Babu

DOI: https://doi.org/10.48550/arXiv.1401.3046

2014-01-14

Networking and Internet Architecture

Abstract:Network Intrusion Detection Systems (NIDS) are computer systems which monitor a network with the aim of discerning malicious from benign activity on that network. With the recent growth of the Internet such security limitations are becoming more and more pressing. Most of the current network intrusion detection systems relay on labeled training data. An Unsupervised CA based anomaly detection technique that was trained with unlabelled data is capable of detecting previously unseen attacks. This new approach, based on the Cellular Automata classifier (CAC) with Genetic Algorithms (GA), is used to classify program behavior as normal or intrusive. Parameters and evolution process for CAC with GA are discussed in detail. This implementation considers both temporal and spatial information of network connections in encoding the network connection information into rules in NIDS. Preliminary experiments with KDD Cup data set show that the CAC classifier with Genetic Algorithms can effectively detect intrusive attacks and achieve a low false positive rate. Training a NIDWCA (Network Intrusion Detection with Cellular Automata) classifier takes significantly shorter time than any other conventional techniques.

Sudip Mandal,Abhinandan Khan,Goutam Saha,Rajat K. Pal

DOI: https://doi.org/10.1155/2016/5283937

2016-02-16

Advances in Bioinformatics

Abstract:The accurate prediction of genetic networks using computational tools is one of the greatest challenges in the postgenomic era. Recurrent Neural Network is one of the most popular but simple approaches to model the network dynamics from time-series microarray data. To date, it has been successfully applied to computationally derive small-scale artificial and real-world genetic networks with high accuracy. However, they underperformed for large-scale genetic networks. Here, a new methodology has been proposed where a hybrid Cuckoo Search-Flower Pollination Algorithm has been implemented with Recurrent Neural Network. Cuckoo Search is used to search the best combination of regulators. Moreover, Flower Pollination Algorithm is applied to optimize the model parameters of the Recurrent Neural Network formalism. Initially, the proposed method is tested on a benchmark large-scale artificial network for both noiseless and noisy data. The results obtained show that the proposed methodology is capable of increasing the inference of correct regulations and decreasing false regulations to a high degree. Secondly, the proposed methodology has been validated against the real-world dataset of the DNA SOS repair network of Escherichia coli . However, the proposed method sacrifices computational time complexity in both cases due to the hybrid optimization process.

Andrei-Grigore Mari,Daniel Zinca,Virgil Dobrota

DOI: https://doi.org/10.3390/s23031315

IF: 3.9

2023-01-25

Sensors

Abstract:Intrusion detection and prevention are two of the most important issues to solve in network security infrastructure. Intrusion detection systems (IDSs) protect networks by using patterns to detect malicious traffic. As attackers have tried to dissimulate traffic in order to evade the rules applied, several machine learning-based IDSs have been developed. In this study, we focused on one such model involving several algorithms and used the NSL-KDD dataset as a benchmark to train and evaluate its performance. We demonstrate a way to create adversarial instances of network traffic that can be used to evade detection by a machine learning-based IDS. Moreover, this traffic can be used for training in order to improve performance in the case of new attacks. Thus, a generative adversarial network (GAN)—i.e., an architecture based on a deep-learning algorithm capable of creating generative models—was implemented. Furthermore, we tested the IDS performance using the generated adversarial traffic. The results showed that, even in the case of the GAN-generated traffic (which could successfully evade IDS detection), by using the adversarial traffic in the testing process, we could improve the machine learning-based IDS performance.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Uwe Aickelin,Jamie Twycross,Thomas Hesketh-Roberts

DOI: https://doi.org/10.1504/ijesdf.2007.013596,

2007-01-01

International Journal of Electronic Security and Digital Forensics

Abstract:Intrusion Detection Systems (IDSs) provide an important layer of security for computer systems and networks. An IDS's responsibility is to detect suspicious or unacceptable system and network activity and to alert a systems administrator to this activity. The majority of IDSs use a set of signatures that define what suspicious traffic is, and SNORT is one popular and actively developing open-source IDS that uses such a set of signatures known as SNORT rules. Our aim is to identify a way in which SNORT could be developed further by generalising rules to identify novel attacks. In particular, we attempted to relax and vary the conditions and parameters of current SNORT rules, using a similar approach to classic rule learning operators such as generalisation and specialisation. We demonstrate the effectiveness of our approach through experiments with standard data sets and show that we are able to detect previously undetected variants of various attacks.