Haifeng Lv,Xiaoyu Ji,Yong Ding

DOI: https://doi.org/10.1088/1742-6596/2517/1/012016

2023-01-01

Journal of Physics Conference Series

Abstract:The intrusion detection system (IDS) plays an important part because it offers an efficient way to prevent and mitigate cyber attacks. Numerous deep learning methods for intrusion anomaly detection have been developed as a result of recent advances in artificial intelligence (AI) in order to strengthen internet security. The balance among the high detection rate (DR), the low false alarm rate (FAR) and disaster of dimensionality is the crucial apprehension while devising an effective IDS. For the binary classification of intrusion detection systems, we present in this study a mixed model called K-means-XGBoost consisting of K-means and (Extreme Gradient Boosting, XGBoost) algorithms. The distributed computation of our method is achieved in Spark platform to rapidly separate normal events and anomaly events. In phrases of accuracy, DR, F1-score, recall, precision, and error indices FAR, the proposed model’s performance is measured via the well-known dataset of NSL-KDD. The experimental outcomes indicate that our method is outstandingly better among accuracy, DR, F1-score, training time, and processing speed, compared to other models which are recently created. In particular, the accuracy, F1-score, and DR of the proposed model can achieve as high as 93.28%, 94.39%, and 99.22% in the NSL-KDD dataset, respectively.

Lu Lv,Wenhai Wang,Zeyin Zhang,Xinggao Liu

DOI: https://doi.org/10.1016/j.knosys.2020.105648

IF: 8.139

2020-01-01

Knowledge-Based Systems

Abstract:Intrusion detection is a challenging technology in the area of cyberspace security for protecting a system from malicious attacks. A novel accurate and effective misuse intrusion detection system that relies on specific attack signatures to distinguish between normal and malicious activities is therefore presented to detect various attacks based on an extreme learning machine with a hybrid kernel function (HKELM). First, the derivation and proof of the proposed hybrid kernel are given. A combination of the gravitational search algorithm (GSA) and differential evolution (DE) algorithm is employed to optimize the parameters of HKELM, which improves its global and local optimization abilities during prediction attacks. In addition, the kernel principal component analysis (KPCA) algorithm is introduced for dimensionality reduction and feature extraction of the intrusion detection data. Then, a novel intrusion detection approach, KPCA-DEGSA-HKELM, is obtained. The proposed approach is eventually applied to the classic benchmark KDD99 dataset, the real modern UNSW-NB15 dataset and the industrial intrusion detection dataset from the Tennessee Eastman process. The numerical results validate both the high accuracy and the time-saving benefit of the proposed approach.

Guanghui Song,Xiaogang Jin,Genlang Chen,Yan Nie

DOI: https://doi.org/10.1109/ISKE.2010.5680860

2010-01-01

Abstract:The source data of intrusion detection system (IDS) are characteristic of heavy-flow, high-dimension and nonlinearity. A frequent problem in IDS is the choice of the right features that give rise to compact and concise representations of the network data; the other is how to improve the detection efficiency and accuracy of IDS under the small sample conditions. In order to delete the redundant and noisy features, improve the performance of IDS, we present an efficient IDS based on multiple kernel learning (MKL) method. Kernel methods are the effective approaches to intrusion detection problems. MKL methods combined with support vector machines (SVMs) can overcome some practice difficulties of IDS such as irregular data, non-flat distribution of the samples, etc. Experiments on the KDD Cup (1999) intrusion detection data set show that MKL methods have a higher detection rate and a lower false alarm rate compared to single kernel methods.

Ye Du,Ruhui Zhang,Jiqiang Liu,Meihong Li,Zhonglan Yuan

DOI: https://doi.org/10.1166/asl.2011.1489

2011-01-01

Advanced Science Letters

Abstract:Since the task of preventing all attacks is impossible, intrusion detection has now been widely accepted as an essential component in a decent security system. This paper proposes an improved anomaly intrusion detection method based on system calls to learn patterns. The detection process relies on the situation that when an attack exploits vulnerabilities in the code, new subsequences of system calls will appear. K-nearest neighbor (KNN) algorithm is selected as learning approach to estimate the deviation between normal and suspicious activities. As fixed-length patterns can not describe the system behaviors correctly, the method uses variable-length patterns to construct the normal patterns profile. Experiments demonstrate that the method can construct accurate and concise discriminator to detect intrusive action.

Ye Du,Tong Wang

DOI: https://doi.org/10.1109/kamw.2008.4810611

2008-01-01

Abstract:Intrusion detection has emerged as an important approach to security problems. This paper proposes an effective anomaly detection method based on Unix shell commands to learn patterns. By looking upon each short shell commands sequence as an instance and each observable symbol as a bag that contains some instances, the task of detecting abnormal behaviors can be mapped as multiple-instance learning. KNN algorithm and Euclidean distances are selected as learning approach and a new kernel method is proposed to calculate the deviation between normal and intrusive bags. The algorithm is simple and can be directly applied. Experiments demonstrate that the method can construct accurate and concise discriminator to detect intrusive actions.

YX Wang,J Wong,A Miner

DOI: https://doi.org/10.1109/iaw.2004.1437839

2004-01-01

Abstract:Kernel methods are widely used in statistical learning for many fields, such as protein classification and image processing. We recently extend kernel methods to intrusion detection domain by introducing a new family of kernels suitable for intrusion detection. These kernels, combined with an unsupervised learning method - one-class Support Vector Machine, are used for anomaly detection. Our experiments show that the new anomaly detection methods are able to achieve better accuracy rates than the conventional anomaly detectors.

U. Hacizade,A.Y. Kalayci

DOI: https://doi.org/10.1109/ET63133.2024.10721523

2024-09-17

Abstract:In this study, studies on intrusion detection systems have been meticulously examined and an example model of the intrusion detection system has been created. The UNSW-NB15 data set used in this process was subjected to training and testing stages with machine learning methods such as Logistic Regression, K-nearest Neighbor Algorithm, Support Vector Machines, Naive Bayes, Decision Tree and Random Forest Algorithm. By applying machine learning methods to the data used in the training phase, normal network traffic was taught and a reference model was created with this information.

Engineering,Computer Science

Guo Pu,Lijuan Wang,Jun Shen,Fang Dong

DOI: https://doi.org/10.26599/tst.2019.9010051

2021-04-01

Abstract:In recent years, machine learning-based cyber intrusion detection methods have gained increasing popularity. The number and complexity of new attacks continue to rise; therefore, effective and intelligent solutions are necessary. Unsupervised machine learning techniques are particularly appealing to intrusion detection systems since they can detect known and unknown types of attacks as well as zero-day attacks. In the current paper, we present an unsupervised anomaly detection method, which combines Sub-Space Clustering (SSC) and One Class Support Vector Machine (OCSVM) to detect attacks without any prior knowledge. The proposed approach is evaluated using the well-known NSL-KDD dataset. The experimental results demonstrate that our method performs better than some of the existing techniques.

computer science, information systems,engineering, electrical & electronic, software engineering

Yanxin Wang,Johnny Wang,Andrew S. Miner

2004-01-01

Abstract:This paper explores the methodology of using kernels and Support Vector Machine (SVM) for intrusion detection. A new insight into two well known anomaly detection algorithms - STIDE and Markov Chain anomaly detectors, is achieved using kernel theory. We introduce two new classes of kernels used for intrusion detection – STIDE kernel and Markov Chain kernel. These kernels combined with SVM are presented to achieve improvements over STIDE and Markov Chain anomaly detectors. We provide empirical evidence that the new anomaly detectors are able to achieve better results than conventional anomaly detectors and behave robustly over noisy training data.

BAO Wei-dong,XIAN Ming,XIAO Shun-ping,WANG Guo-yu,ZHANG Yi-rong

DOI: https://doi.org/10.3969/j.issn.1003-0530.2007.04.003

IF: 4.729

2007-01-01

Signal Processing

Abstract:This paper implemented an anomaly intrusion detection technique based on dual p support vector machine (dualν- SVM)with regard to labeled and unbalanced data sets often occurring in practical intrusion detection systems.The basic idea is that dif- ferent error penalty factors are provided to classes with different number,which will make classification error rates of both classes in-clined to be even.Experiments on 1999 KDD data set show that the anomaly detection technique based on dualν-SVM evidently increa- ses the detection rate of attack records with low false positive rate,while slightly decreases the detection rate of normal records compared to conventionalν-SVM.Thus the algorithm is adapted to those occasions subtle for the detection of attack records.

Ye Du,Huiqiang Wang,Yonggang Pang

DOI: https://doi.org/10.1109/wcica.2004.1342334

2004-01-01

Abstract:Intrusion detection has emerged as an important approach to security problems. The existing techniques are analyzed, and then an effective anomaly detection method based on HMMs (hidden Markov models) is proposed to learn patterns of Unix processes. Fixed-length sequences of system calls were extracted from traces of programs to train and test models. The RP (relative probability) value, which uses short sequences as inputs, is computed to classify normal and abnormal behaviors. The algorithm is simple and can be directly applied. Experiments on sendmail and lpr traces demonstrate that the method can construct accurate and concise discriminator to detect intrusive actions.

ZHANG Yi-rong,XIAN Ming,XIAO Shun-ping,WANG Guo-yu

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.09.038

2006-01-01

Abstract:The paper presents an idea of profiling normal processes according to multi-layer BP(Back Propagation) neural network.The experiment result in the 1998 DARPA intrusion detection evaluation data set and the performance comparison with K-Nearest neighbor classifier and time-delay embedding with(frequency) threshold(stide) algorithms show that the proposed algorithm achieves a high detection rate under a quite low false positive rate.

Fei Wang,Hongliang Zhu,Bin Tian,Yang Xin,Xinxin Niu,Yu Yang

DOI: https://doi.org/10.1109/icbnmt.2011.6155940

2011-01-01

Abstract:Intrusion-detection systems (IDSs) are essential tools for the security of computer systems. Anomaly detection, which uses knowledge about normal behaviors and attempts to detect intrusions by noting significant deviations, has been paid more and more attention. In this paper, we introduce a HMM-based method for anomaly detection. The proposed method is composed of two important stages: off-line training stage and on-line testing stage. In the off-line training stage, we train the normal behaviors by hidden Markov models (HMMs). In the on-line testing stage, we make the final decision based on the minimum risk Bayesian decision theory. We deploy the method on an IDS system to evaluate its performance, and the experimental results demonstrate that our method can achieve satisfying results.

Wei Ma,Yunyun Hou,Mingyu Jin,Pengpeng Jian

DOI: https://doi.org/10.1371/journal.pone.0300821

IF: 3.7

2024-03-26

PLoS ONE

Abstract:Multi-stage attacks are one of the most critical security threats in the current cyberspace. To accurately identify multi-stage attacks, this paper proposes an anomaly-based multi-stage attack detection method. It constructs a Multi-Stage Profile (MSP) by modeling the stable system's normal state to detect attack behaviors. Initially, the method employs Doc2Vec to vectorize alert messages generated by the intrusion detection systems (IDS), extracting profound inter-message correlations. Subsequently, Hidden Markov Models (HMM) are employed to model the normal system state, constructing an MSP, with relevant HMM parameters dynamically acquired via clustering algorithms. Finally, the detection of attacks is achieved by determining the anomaly threshold through the generation probability (GP). To evaluate the performance of the proposed method, experiments were conducted using three public datasets and compared with three advanced multi-stage attack detection methods. The experimental results demonstrate that our method achieves an accuracy of over 99% and precision of 100% in multi-stage attack detection. This confirms the effectiveness of our method in adapting to different attack scenarios and ultimately completing attack detection.

multidisciplinary sciences

Shan-Qing Guo,Zhong-Hua Zhao

DOI: https://doi.org/10.1109/ISECS.2008.26

2008-01-01

Abstract:Unsupervised or supervised anomaly intrusion detection techniques have great utility with the context of network intrusion detection system. However, large amount of labeled attack instances used by supervised approaches are difficult to obtain. And this makes most existing supervised techniques hardly be implemented in the real world. Unsupervised methods are superior in their independency on prior knowledge, but it is also very difficult for these methods to achieve high detection rate as well as low false positive rate. In this paper, we proposed an anomaly intrusion detection model based on small labeled instances that outperform existing unsupervised methods with a detection performance very close to that of the supervised one. We evaluated our methods by conducting experiments with network records from the KDD CUP 1999 data set. The results showed that our algorithm is an efficient method in detecting both known and unknown attacks.

Rahul Kale,Zhi Lu,Kar Wai Fok,Vrizlynn L. L. Thing

DOI: https://doi.org/10.48550/arXiv.2212.00966

2022-12-02

Cryptography and Security

Abstract:Cyber intrusion attacks that compromise the users' critical and sensitive data are escalating in volume and intensity, especially with the growing connections between our daily life and the Internet. The large volume and high complexity of such intrusion attacks have impeded the effectiveness of most traditional defence techniques. While at the same time, the remarkable performance of the machine learning methods, especially deep learning, in computer vision, had garnered research interests from the cyber security community to further enhance and automate intrusion detections. However, the expensive data labeling and limitation of anomalous data make it challenging to train an intrusion detector in a fully supervised manner. Therefore, intrusion detection based on unsupervised anomaly detection is an important feature too. In this paper, we propose a three-stage deep learning anomaly detection based network intrusion attack detection framework. The framework comprises an integration of unsupervised (K-means clustering), semi-supervised (GANomaly) and supervised learning (CNN) algorithms. We then evaluated and showed the performance of our implemented framework on three benchmark datasets: NSL-KDD, CIC-IDS2018, and TON_IoT.

Weiwei Chen,Fangang Kong,Feng Mei,Guiqin Yuan,Bo Li

DOI: https://doi.org/10.1109/bigdatasecurity.2017.56

2017-01-01

Abstract:Network Anomaly Detection plays an important part in network security. Among the state-of-the-art approaches, unsupervised anomaly detection is effective when dealing with unlabelled data. However, these approaches also suffer from high false positive rate. We observed that different methods have their own defects and advantages. Inspired by this observation, we provide a new ensemble clustering(NEC) method to detect novel anomalies. In our system,we can get higher detection rate and lower false positive rate compared with existed apporaches as verified over NSL-KDD 2009 dataset.

Shadi Aljawarneh,Monther Aldwairi,Muneer Bani Yassein

DOI: https://doi.org/10.1016/j.jocs.2017.03.006

IF: 3.817

2018-03-01

Journal of Computational Science

Abstract:Efficiently detecting network intrusions requires the gathering of sensitive information. This means that one has to collect large amounts of network transactions including high details of recent network transactions. Assessments based on meta-heuristic anomaly are important in the intrusion related network transaction data’s exploratory analysis. These assessments are needed to make and deliver predictions related to the intrusion possibility based on the available attribute details that are involved in the network transaction. We were able to utilize the NSL-KDD data set, the binary and multiclass problem with a 20% testing dataset. This paper develops a new hybrid model that can be used to estimate the intrusion scope threshold degree based on the network transaction data’s optimal features that were made available for training. The experimental results revealed that the hybrid approach had a significant effect on the minimisation of the computational and time complexity involved when determining the feature association impact scale. The accuracy of the proposed model was measured as 99.81% and 98.56% for the binary class and multiclass NSL-KDD data sets, respectively. However, there are issues with obtaining high false and low false negative rates. A hybrid approach with two main parts is proposed to address these issues. First, data needs to be filtered using the Vote algorithm with Information Gain that combines the probability distributions of these base learners in order to select the important features that positively affect the accuracy of the proposed model. Next, the hybrid algorithm consists of following classifiers: J48, Meta Pagging, RandomTree, REPTree, AdaBoostM1, DecisionStump and NaiveBayes. Based on the results obtained using the proposed model, we observe improved accuracy, high false negative rate, and low false positive rule.

computer science, theory & methods, interdisciplinary applications

ZM Cai,XH Guan,P Shao,QK Peng,GJ Sun

DOI: https://doi.org/10.1111/1468-0394.00249

IF: 3.3

2003-01-01

Expert Systems

Abstract:Abstract: Intrusion detection is important in the defense‐in‐depth network security framework. This paper presents an effective method for anomaly intrusion detection with low overhead and high efficiency. The method is based on rough set theory to extract a set of detection rules with a minimal size as the normal behavior model from the system call sequences generated during the normal execution of a process. It is capable of detecting the abnormal operating status of a process and thus reporting a possible intrusion. Compared with other methods, the method requires a smaller size of training data set and less effort to collect training data and is more suitable for real‐time detection. Empirical results show that the method is promising in terms of detection accuracy, required training data set and efficiency.

Hanwen Wang,Biao Han,Jinshu Su,Xiaoyan Wang

DOI: https://doi.org/10.1109/smartworld.2018.00304

2018-01-01

Abstract:Intrusion detection system (IDS) plays an essential role in detecting malicious attacks and illegal network access. There are many proposed approaches using machine learning and data mining techniques in IDS to solve detection problems. However, related machine learning based intrusion detection method resulted in unsatisfying performance for U2R (user-to-root) and R2L (remote-to-local) attacks. To solve this problem, this paper proposes a novel attack detection approach that combines supervised and unsupervised learning. In this approach, we first conduct a feature selecting and weighting method that based on the relevance analysis of features. Then the features weights are applied in the proposed classifier, in which K-Means algorithm is introduced in K-NN classifier. The K-Means is utilized in the classifier to reselect and sort the nearest neighbors by measuring the distances between neighbors and centroid centers, by which way we make the K-NN classifier more robust and less sensitive to the selection of K. The experimental results based on the KDD dataset show that the proposed method not only performs well on detecting DoS, Probe and R2L attacks, it also has significant improvement for detecting U2R attacks.