Haifeng Lv,Xiaoyu Ji,Yong Ding

DOI: https://doi.org/10.1088/1742-6596/2517/1/012016

2023-01-01

Journal of Physics Conference Series

Abstract:The intrusion detection system (IDS) plays an important part because it offers an efficient way to prevent and mitigate cyber attacks. Numerous deep learning methods for intrusion anomaly detection have been developed as a result of recent advances in artificial intelligence (AI) in order to strengthen internet security. The balance among the high detection rate (DR), the low false alarm rate (FAR) and disaster of dimensionality is the crucial apprehension while devising an effective IDS. For the binary classification of intrusion detection systems, we present in this study a mixed model called K-means-XGBoost consisting of K-means and (Extreme Gradient Boosting, XGBoost) algorithms. The distributed computation of our method is achieved in Spark platform to rapidly separate normal events and anomaly events. In phrases of accuracy, DR, F1-score, recall, precision, and error indices FAR, the proposed model’s performance is measured via the well-known dataset of NSL-KDD. The experimental outcomes indicate that our method is outstandingly better among accuracy, DR, F1-score, training time, and processing speed, compared to other models which are recently created. In particular, the accuracy, F1-score, and DR of the proposed model can achieve as high as 93.28%, 94.39%, and 99.22% in the NSL-KDD dataset, respectively.

Lu Lv,Wenhai Wang,Zeyin Zhang,Xinggao Liu

DOI: https://doi.org/10.1016/j.knosys.2020.105648

IF: 8.139

2020-01-01

Knowledge-Based Systems

Abstract:Intrusion detection is a challenging technology in the area of cyberspace security for protecting a system from malicious attacks. A novel accurate and effective misuse intrusion detection system that relies on specific attack signatures to distinguish between normal and malicious activities is therefore presented to detect various attacks based on an extreme learning machine with a hybrid kernel function (HKELM). First, the derivation and proof of the proposed hybrid kernel are given. A combination of the gravitational search algorithm (GSA) and differential evolution (DE) algorithm is employed to optimize the parameters of HKELM, which improves its global and local optimization abilities during prediction attacks. In addition, the kernel principal component analysis (KPCA) algorithm is introduced for dimensionality reduction and feature extraction of the intrusion detection data. Then, a novel intrusion detection approach, KPCA-DEGSA-HKELM, is obtained. The proposed approach is eventually applied to the classic benchmark KDD99 dataset, the real modern UNSW-NB15 dataset and the industrial intrusion detection dataset from the Tennessee Eastman process. The numerical results validate both the high accuracy and the time-saving benefit of the proposed approach.

Yuxiang Li,Haiming Wang,Hongkui Yu,Changquan Ren,Qingjia Geng

DOI: https://doi.org/10.4304/jnw.8.6.1322-1328

2013-01-01

Abstract:According to the 31th statistical reports of China Internet network information center (CNNIC), by the end of December 2012, the number of Chinese netizens has reached 564 million, and the scale of mobile Internet users also reached 420 million. But when the network brings great convenience to people's life, it also brings huge threat in the life of people. So through collecting and analyzing the information in the computer system or network we can detect any possible behaviors that can damage the availability, integrity and confidentiality of the computer resource, and make timely treatment to these behaviors which have important research significance to improve the operation environment of network and network service. At present, the Neural Network, Support Vector machine (SVM) and Hidden Markov Model, Fuzzy inference and Genetic Algorithms are introduced into the research of network intrusion detection, trying to build a healthy and secure network operation environment. But most of these algorithms are based on the total sample and it also hypothesizes that the number of the sample is infinity. But in the field of network intrusion the collected data often cannot meet the above requirements. It often shows high latitudes, variability and small sample characteristics. For these data using traditional machine learning methods are hard to get ideal results. In view of this, this paper proposed a Generalized Multi-Kernel Learning method to applied to network intrusion detection. The Generalized Multi-Kernel Learning method can be well applied to large scale sample data, dimension complex, containing a large number of heterogeneous information and so on. The experimental results show that applying GMKL to network attack detection has high classification precision and low abnormal practical precision.

Ye Du,Youyan Guo,YongZhong He,Ying Cai

2008-01-01

Journal of Computational Information Systems

Abstract:With the ever increasing sophistication of attacking techniques, intrusion detection has been paid more attention. A novel anomaly intrusion detection method working at the level of system processes is proposed in this paper. The multiple-instance learning receives growing interests in the machine learning research field, which concerns the problem of classifying a bag of instances. By looking upon each short system call sequence as an instance and each observable symbol as a bag that contains some instances, the task of detecting abnormal behaviors can be mapped as multiple-instance learning. Thus the related techniques can be used to solve the problem, and here k-nearest neighbor with a new kernel is created as the core algorithm. Experiments using UNM data sets and comparison with other methods proved the validity of this method.

LI Yang,FANG Bin-xing,GUO Li,TIAN Zhi-hong,ZHANG Yong-zheng,JIANG Wei

DOI: https://doi.org/10.1145/1229285.1229292

2007-01-01

Abstract:Intrusion detection is a critical component of secure information systems. Network anomaly detection has been an active and difficult research topic in the field of Intrusion Detection for many years. However, it still has some problems unresolved. They include high false alarm rate, difficulties in obtaining exactly clean data for the modeling of normal patterns and the deterioration of detection rate because of some "noisy" data in the training set. In this paper, we propose a novel network anomaly detection method based on improved TCM-KNN (Transductive Confidence Machines for K-Nearest Neighbors) machine learning algorithm. A series of experimental results on the well-known KDD Cup 1999 dataset demonstrate it can effectively detect anomalies with high true positive rate, low false positive rate and high confidence than the state-of-the-art anomaly detection methods. In addition, even interfered by "noisy" data (unclean data), the proposed method is robust and effective. Moreover, it still retains good detection performance after employing feature selection aiming at avoiding the "curse of dimensionality".

Yanxin Wang,Johnny Wang,Andrew S. Miner

2004-01-01

Abstract:This paper explores the methodology of using kernels and Support Vector Machine (SVM) for intrusion detection. A new insight into two well known anomaly detection algorithms - STIDE and Markov Chain anomaly detectors, is achieved using kernel theory. We introduce two new classes of kernels used for intrusion detection – STIDE kernel and Markov Chain kernel. These kernels combined with SVM are presented to achieve improvements over STIDE and Markov Chain anomaly detectors. We provide empirical evidence that the new anomaly detectors are able to achieve better results than conventional anomaly detectors and behave robustly over noisy training data.

Satyanarayana Gunupusala,Shahu Chatrapathi Kaila

DOI: https://doi.org/10.37256/cm.5220243723

2024-06-19

Contemporary Mathematics

Abstract:Computer networks rely on Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs) to ensure the security, reliability, and availability of an organization. In recent years, various approaches were developed and implemented to create effective IDSs and IPSs. This paper specifically focuses on IDSs that utilize Machine Learning (ML) techniques for improved accuracy. ML-based IDSs have verified to be successful in discovering network attacks. However, their performance tends to decline when dealing with high-dimensional data spaces. It is essential to develop a suitable feature extraction strategy that could identify and remove irrelevant features that do not significantly classification process to address this issue. Additionally, many ML-based IDSs exhibit high false positive rates and poor detection accuracy when trained on unbalanced datasets. In this study, we analyze the UNSW-NB15 IDS, which will serve as the training and testing data for our models. In order to reduce the feature space and improve the efficiency of our analysis, we leverage a filter-based feature reduction method utilizing the Pearson correlation coefficient algorithm. By identifying and selecting only the most relevant features, we are able to streamline our dataset and focus on the variables that have the highest impact on our analysis. This approach not only reduces computational complexity but also improves the interpretability of our results by eliminating unnecessary noise from the data. After applying the feature reduction technique, we proceed to implement a range of machine learning methods to perform our classification task. These include well-known algorithms such as Stacking, Extra Trees, Multi-Layer Perceptron, XGBoost, K-Nearest Neighbors, Logistic Regression, Naïve Bayes, Support Vector Machine, Random Forest, and Decision Tree. By employing a diverse set of algorithms, we are able to explore different modeling approaches and evaluate their effectiveness in accurately classifying the various types of assaults. In order to assess the performance of our classification models, we utilize a range of specialized evaluation metrics such as Root Mean Square Error (RMSE), Mean Absolute Error (MAE), R2-Score, Mean Squared Error (MSE), Precision, F1-Score, Recall, and Accuracy. These metrics provide us with a comprehensive understanding of how well our models are performing across different dimensions, including the accuracy of predictions, the level of precision in classifying different assault types, and the overall goodness-of-fit of our models. By considering multiple evaluation metrics, we are able to gain a more nuanced understanding of the strengths and weaknesses of each algorithm and make informed decisions about their suitability for our classification task. These metrics deliver a complete evaluation of the classifiers’ effectiveness in detecting community intrusions.

Yanping Shen,Kangfeng Zheng,Chunhua Wu,Yixian Yang

DOI: https://doi.org/10.3837/tiis.2020.02.013

2020-01-01

KSII Transactions on Internet and Information Systems

Abstract:The application of machine learning (ML) in intrusion detection has attracted much attention with the rapid growth of information security threat. As an efficient multi-label classifier, kernel extreme learning machine (KELM) has been gradually used in intrusion detection system. However, the performance of KELM heavily relies on the kernel selection. In this paper, a novel multiple kernel extreme learning machine (MKELM) model combining the ReliefF with nature-inspired methods is proposed for intrusion detection. The MKELM is designed to estimate whether the attack is carried out and the ReliefF is used as a preprocessor of MKELM to select appropriate features. In addition, the nature-inspired methods whose fitness functions are defined based on the kernel alignment are employed to build the optimal composite kernel in the MKELM. The KDD99, NSL and Kyoto datasets are used to evaluate the performance of the model. The experimental results indicate that the optimal composite kernel function can be determined by using any heuristic optimization method, including PSO, GA, GWO, BA and DE. Since the filter-based feature selection method is combined with the multiple kernel learning approach independent of the classifier, the proposed model can have a good performance while saving a lot of training time.

Shengfeng Tian,Chuanhuan Yin,Shaomin Mu

DOI: https://doi.org/10.1007/11893295_21

2006-01-01

Abstract:In intrusion detection systems, sequences of system calls executed by running programs can be used as evidence to detect anomalies. Markov chain is often adopted as the model in the detection systems, in which high-order Markov chain model is well suited for the detection, but as the order of the chain increases, the number of parameters of the model increases exponentially and rapidly becomes too large to be estimated efficiently. In this paper, one-class support vector machines (SVMs) using high-order Markov kernel are adopted as the anomaly detectors. This approach solves the problem of high dimension parameter space. Experiments show that this system can produce good detection performance with low computational overhead.

LI Yang,FANG Bin-Xing,GUO Li,CHEN You

DOI: https://doi.org/10.1360/jos182595

2007-01-01

Journal of Software

Abstract:Network anomaly detection has been an active and difficult research topic in the field of intrusion detection for many years. Up to now, high false alarm rate, requirement of high quality data for modeling the normal patterns and the deterioration of detection rate because of some noisy data in the training set still make it not perform as well as expected in practice. This paper presents a novel network anomaly detection method based on improved TCM-KNN (transductive confidence machines for K-nearest neighbors) machine learning algorithm, which can effectively detect anomalies using normal data for training. A series of experiments on well known KDD Cup 1999 dataset demonstrate that it has lower false positive rate, especially higher confidence under the condition of ensuring high detection rate than the traditional anomaly detection methods. In addition, even provided with training dataset contaminated by noisy data, the proposed method still holds good detection performance. Furthermore, it can be optimized without obvious loss of detection performance by adopting small dataset for training and employing feature selection aiming at avoiding the curse of dimensionality.

Mouhammad Alkasassbeh,Mohammad Almseidin

DOI: https://doi.org/10.48550/arXiv.1809.02610

2018-09-02

Abstract:Network security engineers work to keep services available all the time by handling intruder attacks. Intrusion Detection System (IDS) is one of the obtainable mechanisms that is used to sense and classify any abnormal actions. Therefore, the IDS must be always up to date with the latest intruder attacks signatures to preserve confidentiality, integrity, and availability of the services. The speed of the IDS is a very important issue as well learning the new attacks. This research work illustrates how the Knowledge Discovery and Data Mining (or Knowledge Discovery in Databases) KDD dataset is very handy for testing and evaluating different Machine Learning Techniques. It mainly focuses on the KDD preprocess part in order to prepare a decent and fair experimental data set. The J48, MLP, and Bayes Network classifiers have been chosen for this study. It has been proven that the J48 classifier has achieved the highest accuracy rate for detecting and classifying all KDD dataset attacks, which are of type DOS, R2L, U2R, and PROBE.

Networking and Internet Architecture,Cryptography and Security

Yuan Zhang,Qinghai Yang,Sangarapillai Lambotharan,Konstantinos Kyriakopoulos,Ibrahim Ghafir,Basil AsSadhan

DOI: https://doi.org/10.1109/wcsp.2019.8927907

2019-01-01

Abstract:With the rapid development of new technologies and applications of Internet, much attention has been paid to the detection of anomalies in cyberspace traffic. A series of intrusion detection techniques based on machine learning have been developed. Support vector machine (SVM), as an essential approach, has been paid close attention in this filed. Nevertheless, the existing SVM-based techniques with the training features can not efficiently detect short duration intrusions and attacks in the traffic. To tackle this issue, we propose an anomaly-based SVM detection scheme by extracting and optimizing the training features. It trains the SVM with Kullback-Leibler (KL) divergence and cross-correlation calculated by the control and data planes traffic. Following this way, the novel training method can effectively enhance the detection accuracy. And the performance of the presented scheme is validated and evaluated based on a recent realistic Internet traffic dataset. Finally, relevant results indicate that the developed method establishes the relationship between Transmission Control Protocol (TCP) traffic and intrusions. It can efficiently detect short duration intrusions and attacks in the network traffic.

Hu Ning,Tian Zhihong,Lu Hui,Du Xiaojiang,Guizani Mohsen

DOI: https://doi.org/10.1007/s13042-020-01253-w

2021-01-01

International Journal of Machine Learning and Cybernetics

Abstract:The 5G network provides higher bandwidth and lower latency for edge IoT devices to access the core business network. But at the same time, it also expands the attack surface of the core network, which makes the enterprise network face greater security threats. To protect the security of core business, the network infrastructure must be able to recognize not only the known abnormal traffic, but also new emerging threats. Intrusion Detection Systems (IDSs) are widely used to protect the core network against external intrusions. Most of the existing research works design anomaly detection models for a specific set of traffic attributes. In fact, it is difficult for us to find the specific correspondence between traffic attributes and attack behaviors. Worse, some traffic attributes will be missing in the IoT environment, which further increases the difficulty of anomaly analysis. In traditional solutions, the missing attributes are usually filled with zero or mean values. Sometimes, the attributes are directly discarded. Both of these methods may result in lower detection accuracy. To solve this problem, we propose an intrusion detection method based on multiple-kernel clustering (MKC) algorithms. Be different from zero value filling and mean value filling, the proposed method completes the absent traffic property through similarity calculation. Experimental results show that this method can effectively improve the clustering accuracy of incomplete sampled data, at the same time it can reduce the sensitivity of the anomaly detection model to the selection of traffic feature, and has a better tolerance for poor-quality traffic sampled data.

YX Wang,J Wong,A Miner

DOI: https://doi.org/10.1109/iaw.2004.1437839

2004-01-01

Abstract:Kernel methods are widely used in statistical learning for many fields, such as protein classification and image processing. We recently extend kernel methods to intrusion detection domain by introducing a new family of kernels suitable for intrusion detection. These kernels, combined with an unsupervised learning method - one-class Support Vector Machine, are used for anomaly detection. Our experiments show that the new anomaly detection methods are able to achieve better accuracy rates than the conventional anomaly detectors.

Xinda Hao,Jianmin Zhou,Xueqi Shen,Yu Yang

DOI: https://doi.org/10.32604/jqc.2020.010819

2020-01-01

Journal of Quantum Computing

Abstract:In recent years, machine learning technology has been widely used for timely network attack detection and classification. However, due to the large number of network traffic and the complex and variable nature of malicious attacks, many challenges have arisen in the field of network intrusion detection. Aiming at the problem that massive and high-dimensional data in cloud computing networks will have a negative impact on anomaly detection, this paper proposes a Bi-LSTM method based on attention mechanism, which learns by transmitting IDS data to multiple hidden layers. Abstract information and high-dimensional feature representation in network data messages are used to improve the accuracy of intrusion detection. In the experiment, we use the public data set KDD-Cup 99 for verification. The experimental results show that the model can effectively detect unpredictable malicious behaviors under the current network environment, improve detection accuracy and reduce false positive rate compared with traditional intrusion detection methods.

Lixiang Xu,Lu Bai,Jin Xiao,Qi Liu,Enhong Chen,Xiaofeng Wang,Yuanyan Tang

DOI: https://doi.org/10.1016/j.inffus.2020.08.025

IF: 18.6

2021-02-01

Information Fusion

Abstract:<p>Multiple kernel learning (MKL), as a principled classification method, selects and combines base kernels to increase the categorization accuracy of Support Vector Machines (SVMs). The group method of data handling neural network (GMDH-NN) has been applied in many fields of optimization, data mining, and pattern recognition. It can automatically seek interrelatedness in data, select an optimal structure for the model or network, and enhance the accuracy of existing algorithms. We can utilize the advantages of the GMDH-NN to build a multiple graph kernel learning (MGKL) method and enhance the categorization performance of graph kernel SVMs. In this paper, we first define a unitized symmetric regularity criterion (USRC) to improve the symmetric regularity criterion of GMDH-NN. Second, a novel structure for the initial model of the GMDH-NN is defined, which uses the posterior probability output of graph kernel SVMs. We then use a hybrid graph kernel in the <span class="math"><math>H1</math></span>-space for MGKL in combination with the GMDH-NN. This way, we can obtain a pool of optimal graph kernels with different kernel parameters. Our experiments on standard graph datasets show that this new MGKL method is highly effective.</p>

computer science, artificial intelligence, theory & methods

Guisong Liu,Xiaobin Wang

DOI: https://doi.org/10.1109/ICCIS.2008.4670871

2008-01-01

Abstract:Neural networks approach is one of the most promising methodologies for intrusion detection in network security. An integrated intrusion detection system (IIDS) scheme based on multiple neural networks is proposed. The approaches used in BIDS include principal component neural networks, growing neural gas networks and principal component self-organizing map networks. By the abilities of classification and clustering analysis of the above methods, IIDS can be adapted to both anomaly and misuse detections for intrusive outsiders. The training stage is a mixture of supervised manner and unsupervised one. Furthermore, IIDS uses the buffering and spoofing principles of address resolution protocol (ARP) to capture and refuse the insider intruders trying to log on a local area network (LAN). Therefore, IIDS is able to detect the intrusions/attacks both from the outer Internet and an inner LAN. Experiments are carried out to illustrate the performance of the proposed intrusion detection system by using the KDD CUP 1999 Intrusion Detection Evaluation dataset.

Jianli Xiao,Yuncai Liu

DOI: https://doi.org/10.3141/2324-06

IF: 1.7

2012-01-01

Transportation Research Record

Abstract:This paper presents applications of the multiple-kernel learning support vector machine (MKL-SVM) in traffic incident detection. The standard SVM was applied in traffic incident detection and achieved good results. However, the results depended greatly on the kernel function and parameters, and choosing the appropriate ones for the SVM was a procedure of trial and error. Unlike the SVM, the MKL-SVM used a convex combination of basic kernel functions instead of a single basic kernel function to construct an adaptive SVM model. This adaptive model could improve average performance in traffic incident detection just by randomly selecting the kernel function and parameters. As a result, the MKL-SVM avoided the burden of choosing the appropriate kernel function and parameters. The SVM ensemble algorithm trained many individual SVM classifiers to construct the classifier ensemble and then used this classifier ensemble to detect traffic incidents. Consequently, training occurred many times. Compared with the SVM ensemble algorithm, the training time cost of the MKL-SVM was much lower because training occurred only once. Extensive experiments were performed to evaluate the performance of three algorithms: standard SVM, SVM ensemble, and MKL-SVM. The experimental results showed that the performance of the MKL-SVM was much better than that of the standard SVM and slightly better than the SVM ensemble. More important, the performance of the MKL-SVM was stable.

Wenjia Niu,Kewen Xia,Baokai Zu,Jianchuan Bai

DOI: https://doi.org/10.1155/2017/3678487

IF: 3.12

2017-01-01

Computational Intelligence and Neuroscience

Abstract:Unlike Support Vector Machine (SVM), Multiple Kernel Learning (MKL) allows datasets to be free to choose the useful kernels based on their distribution characteristics rather than a precise one. It has been shown in the literature that MKL holds superior recognition accuracy compared with SVM, however, at the expense of time consuming computations. This creates analytical and computational difficulties in solving MKL algorithms. To overcome this issue, we first develop a novel kernel approximation approach for MKL and then propose an efficient Low-Rank MKL (LR-MKL) algorithm by using the Low-Rank Representation (LRR). It is well-acknowledged that LRR can reduce dimension while retaining the data features under a global low-rank constraint. Furthermore, we redesign the binary-class MKL as the multiclass MKL based on pairwise strategy. Finally, the recognition effect and efficiency of LR-MKL are verified on the datasets Yale, ORL, LSVT, and Digit. Experimental results show that the proposed LR-MKL algorithm is an efficient kernel weights allocation method in MKL and boosts the performance of MKL largely.

Sumedha Seniaray,Rajni Jindal

DOI: https://doi.org/10.1007/s11277-024-11602-5

IF: 2.017

2024-10-05

Wireless Personal Communications

Abstract:Data and information, being a critical part of the Internet, are vital to network security. Intrusion Detection System (IDS) is required to preserve confidentiality, data integrity, and system availability from attacks. IDS collects network data from various places that may contain features that are redundant and irrelevant, leading to an increase in processing time and low detection rate. This study proposes a three-phase network-based IDS to counter this issue. Initially, network data is captured and preprocessed. In the second phase, we perform feature extraction, selection, and ranking to obtain the optimal feature set. A novel Dynamic Mutual Information-based Genetic Algorithm for feature selection (DMI-GA), aiming to enhance the performance of machine learning (ML) techniques by identifying an optimal set of features, is also proposed in this work. Finally, well-known ML models are employed to detect intrusions within this refined set of network traffic features. Experimental results demonstrate a significant improvement in detection accuracy when the ML models are trained and tested on an optimal set of features. It is also observed that DMI-GA combined with the Random Forest classifier, achieves the highest detection accuracy of 99.94%, surpassing the performance of existing state-of-the-art anomaly-based network intrusion detection systems. A comprehensive statistical analysis of these ML methods is also conducted using 10-fold and Leave-One-Out cross-validation strategies, as it mitigates overfitting and offers a thorough evaluation of the model's performance, resulting in an average accuracy of 99.91%.

telecommunications