Haifeng Lv,Xiaoyu Ji,Yong Ding

DOI: https://doi.org/10.1088/1742-6596/2517/1/012016

2023-01-01

Journal of Physics Conference Series

Abstract:The intrusion detection system (IDS) plays an important part because it offers an efficient way to prevent and mitigate cyber attacks. Numerous deep learning methods for intrusion anomaly detection have been developed as a result of recent advances in artificial intelligence (AI) in order to strengthen internet security. The balance among the high detection rate (DR), the low false alarm rate (FAR) and disaster of dimensionality is the crucial apprehension while devising an effective IDS. For the binary classification of intrusion detection systems, we present in this study a mixed model called K-means-XGBoost consisting of K-means and (Extreme Gradient Boosting, XGBoost) algorithms. The distributed computation of our method is achieved in Spark platform to rapidly separate normal events and anomaly events. In phrases of accuracy, DR, F1-score, recall, precision, and error indices FAR, the proposed model’s performance is measured via the well-known dataset of NSL-KDD. The experimental outcomes indicate that our method is outstandingly better among accuracy, DR, F1-score, training time, and processing speed, compared to other models which are recently created. In particular, the accuracy, F1-score, and DR of the proposed model can achieve as high as 93.28%, 94.39%, and 99.22% in the NSL-KDD dataset, respectively.

YANG Ya-hui,JIANG Dian-bo,SHEN Qing-ni,XIA Min

DOI: https://doi.org/10.3969/j.issn.1000-436x.2011.01.016

2011-01-01

Abstract:A novel technique based on an improved growing hierarchical self-organizing maps(GHSOM) neural network for intrusion detection was presented.The improved GHSOM could deal with a metric incorporating both numerical and symbolic data,and then improved efficiency of intrusion detection.The validities and feasibilities of the improved GHSOM were confirmed through experiments on KDD Cup 99 datasets and simulated experiment datasets.The experi-ment results showes that the detection rate has been increased by employing the improved GHSOM.

Hongbo Shi,Haoyuan Xu

DOI: https://doi.org/10.1049/cp.2015.0756

2015-01-01

Abstract:According to the improvement of data mining technologies, big data now is a hot topic in various areas, such as Internet, finance, healthcare etc. As well as known, big data is collected and accumulated across a wide variety of fields fast and in real time. It is very important to find the structure from big data. In this paper, we focus on the neral network algorithm, Growing Hierarchical Self-Organizing Maps (GHSOM). GHSOM is considered that it can provide structured clustering. However, the hierarchical growing mechanism of GHSOM is faulty. This paper proposes a new enhanced GHSOM, called sGHSOM. sGHSOM solves the issue of the growing mechanism in GHSOM. We use the KDD Cup 1999 Data as the benchmark for estimating the performance of sGHSOM. The experiment results show that sGHSOM has a higher precision than GHSOM on classification. Furthermore, this paper uses actual measured DNS queries to show that sGHSOM can visualize the structure of DNS queries in time series exactly for detecting infected computers comparing with GHSOM.

ZHAO Jian-hua,LI Wei-hua

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.12.032

2012-01-01

Abstract:In order to improve the classification effectiveness of Self-organizing feature Mapping(SOM) neural network,this paper designs a Supervised Self-organizing feature Mapping(SSOM) network,which adds output layer into the network structure based on input layer and competitive layer.According to different prediction category of input samples,SSOM selects different formula to adjust weights and train network.Through combinations of two weights,SSOM realizes the regression and statistic of the sample classes.Experiments on KDD CUP99 dataset show that SSOM has better classification ability and higher intrusion detection rate.

Na Xing,Shuai Zhao,Yuehai Wang,Keqing Ning,Xiufeng Liu

DOI: https://doi.org/10.14569/ijacsa.2023.0140743

2023-01-01

Abstract:recent years, deep learning-based network intrusion detection systems (IDS) have shown impressive results in detecting attacks. However, most existing IDS can only recognize known attacks that were included in their training data. When faced with unknown attacks, these systems are often unable to take appropriate actions and incorrectly classify them into known categories, leading to reduced detection performance. Furthermore, as the number and types of network attacks continue to increase, it becomes challenging for these IDS to update their model parameters promptly and adapt to new attack scenarios. To address these issues, this paper introduces a dynamic intrusion detection system, Dynamic Unknown Attack Intrusion Detection System (DUA-IDS). This system aims to learn and detect unknown attacks effectively. DUA-IDS comprises three components: Feature Extractor: This component employs CNN and Transformer models to extract data features from various perspectives. Threshold-Based Classifier: The second part utilizes the nearest mean rule of samples to classify known and unknown attacks, enabling the distinction between them. Dynamic Learning Module: The third part incorporates data playback and knowledge distillation techniques to retain existing category knowledge while continuously learning new attack categories. To assess the effectiveness of DUA-IDS, this paper conducted experiments using the UNSW-NB15 public dataset. The experimental results show that DUA-IDS improves the classification accuracy of flow network data with unknown traffic attacks. Can accurately distinguish unknown traffic and correctly classify known traffic. When dynamically learning unknown traffic, the classification accuracy of previously learned known traffic is less affected. This indicates the advantages of DUA-IDS in detecting unknown attacks and learning new attack categories.

Wei Pan,Weihua Li

DOI: https://doi.org/10.1007/11576235_58

2005-01-01

Abstract:Intrusion Detection is an essential and critical component of network security systems. The key ideas are to discover useful patterns or features that describe user behavior on a system, and use the set of relevant features to build classifiers that can recognize anomalies and known intrusions, hopefully in real time. In this paper, a hybrid neural network technique is proposed, which consists of the self-organizing map (SOM) and the radial basis function (RBF) network, aiming at optimizing the performance of the recognition and classification of novel attacks for intrusion detection. The optimal network architecture of the RBF network is determined automatically by the improved SOM algorithm. The intrusion feature vectors are extracted from a benchmark dataset (the KDD-99) designed by DARPA. The experimental results demonstrate that the proposed approach performance especially in terms of both efficient and accuracy.

Dianbo Jiang,Yahui Yang,Min Xia

DOI: https://doi.org/10.1109/IAS.2009.247

2009-01-01

Abstract:Neural networks approach is an advanced methodology used for intrusion detection. As a type of neural network, Self-organizing Maps (SOM) is getting more attention in the field of intrusion detection.In this paper, some improvements on SOM algorithm are made in order to increase detection rate and improve the stability of intrusion detection, include: (1) Modify the strategy of “winner-take-all” to decrease underutilized or completely unutilized neurons. (2) Introduce interaction weight which describes the effect between each neuron in the output layer to enhance the relationships between the input pattern and the weights of all the nodes when adjusting weights; The improved SOM is implemented and applied to the intrusion detection. The validities and feasibilities of the improved SOM are confirmed through experiments on KDD Cup 99 datasets. The experiment result shows that the detection rate has been increased by employing the improved SOM.

Chen Tingting,Fang Binxing,Zheng Jun

DOI: https://doi.org/10.3969/j.issn.1000-386X.2006.05.002

2006-01-01

Abstract:This paper presents an application of a hierarchical self-organizing map(HSOM)algorithm for network anomaly detection.By growing in a top-down approach and extending the connections of neurons from horizontal dimension to both horizontal and hierarchical dimension,HSOM significantly accelerates the searching of winning neurons.Based on HSOM,a data analyzer in network anomaly detection system HSOMDA is designed and implemented.The results of experiments on DARPA 1999 dataset demonstrate its effectiveness and efficiency in anomaly detection.

Jianhong Gao,Lixin Xu,Yaping Dai

DOI: https://doi.org/10.1109/wcica.2004.1342338

2004-01-01

Abstract:Self-organizing map (SOM) neural network and pattern recognition methods were applied in this system. A two-layered SOM network was designed, containing SOM1 and SOM2. SOM1 was designed to distinguish attack patterns from normal ones, and SOM2 was designed to point out the specific type of attack patterns. The KDD benchmark dataset from the International Knowledge Discovery and Data Mining Tools Competition was employed for training and testing our prototype, and divergences were calculated for feature selection. Finally, 4 chief features were employed as input of the two SOMs. From our experimental results with different network data, our scheme achieved more than 98 percent detection rate and less than 2 percent false alarm rate, it could provide a precise and efficient way for implementing the classifier in intrusion detection.

Paolo Mignone,Roberto Corizzo,Michelangelo Ceci

DOI: https://doi.org/10.1007/s10994-023-06501-y

IF: 5.414

2024-01-24

Machine Learning

Abstract:The identification of anomalous activities is a challenging and crucially important task in sensor networks. This task is becoming increasingly complex with the increasing volume of data generated in real-world domains, and greatly benefits from the use of predictive models to identify anomalies in real time. A key use case for this task is the identification of misbehavior that may be caused by involuntary faults or deliberate actions. However, currently adopted anomaly detection methods are often affected by limitations such as the inability to analyze large-scale data, a reduced effectiveness when data presents multiple densities, a strong dependence on user-defined threshold configurations, and a lack of explainability in the extracted predictions. In this paper, we propose a distributed deep learning method that extends growing hierarchical self-organizing maps, originally designed for clustering tasks, to address anomaly detection tasks. The SOM-based modeling capabilities of the method enable the analysis of data with multiple densities, by exploiting multiple SOMs organized as a hierarchy. Our map-reduce implementation under Apache Spark allows the method to process and analyze large-scale sensor network data. An automatic threshold-tuning strategy reduces user efforts and increases the robustness of the method with respect to noisy instances. Moreover, an explainability component resorting to instance-based feature ranking emphasizes the most salient features influencing the decisions of the anomaly detection model, supporting users in their understanding of raised alerts. Experiments are conducted on five real-world sensor network datasets, including wind and photovoltaic energy production, vehicular traffic, and pedestrian flows. Our results show that the proposed method outperforms state-of-the-art anomaly detection competitors. Furthermore, a scalability analysis reveals that the method is able to scale linearly as the data volume presented increases, leveraging multiple worker nodes in a distributed computing setting. Qualitative analyses on the level of anomalous pollen in the air further emphasize the effectiveness of our proposed method, and its potential in determining the level of danger in raised alerts.

computer science, artificial intelligence

Yong Feng,Jiang Zhong,Zhong-Yang Xiong,Chun-Xiao Ye,Kai-Gui Wu

DOI: https://doi.org/10.1007/978-3-540-72393-6_113

2007-01-01

Abstract:An approach to network anomaly detection is investigated, based on dynamic self-organizing maps (DSOM) and ant colony optimization (ACO) clustering. The basic idea of the method is to produce the cluster by DSOM and ACO. With the classified data instances, anomaly data clusters can be easily identified by normal cluster ratio. And then the identified cluster can be used in real data detection. In the traditional clustering-based intrusion detection algorithms, clustering using a simple distance-based metric and detection based on the centers of clusters, which generally degrade detection accuracy and efficiency. Our approach based on DSOM and ACO clustering can settle these problems effectively. The experiment results show that our approach can detect unknown intrusions efficiently in the real network connections.

Yong Feng,Kaigui Wu,Zhongfu Wu,Zhongyang Xiong

DOI: https://doi.org/10.1007/11427469_69

2005-01-01

Abstract:An approach to network intrusion detection is investigated, based on dynamic self-organizing maps (DSOM) neural network clustering. The basic idea of the method is to produce the cluster by DSOM. With the classified data instances, anomaly data clusters can be easily identified by normal cluster ratio. And then the identified cluster can be used in real data detection. In the traditional clustering-based intrusion detection algorithms, clustering using a simple distance-based metric and detection based on the centers of clusters, which generally degrade detection accuracy and efficiency. Our approach based on DSOM clustering can settle these problems effectively. The experiment result shows that our approach can detect unknown intrusions efficiently in the real network connections.

Simon T. Powers,Jun He

DOI: https://doi.org/10.1016/j.ins.2007.11.028

2012-08-03

Abstract:Network intrusion detection is the problem of detecting unauthorised use of, or access to, computer systems over a network. Two broad approaches exist to tackle this problem: anomaly detection and misuse detection. An anomaly detection system is trained only on examples of normal connections, and thus has the potential to detect novel attacks. However, many anomaly detection systems simply report the anomalous activity, rather than analysing it further in order to report higher-level information that is of more use to a security officer. On the other hand, misuse detection systems recognise known attack patterns, thereby allowing them to provide more detailed information about an intrusion. However, such systems cannot detect novel attacks. A hybrid system is presented in this paper with the aim of combining the advantages of both approaches. Specifically, anomalous network connections are initially detected using an artificial immune system. Connections that are flagged as anomalous are then categorised using a Kohonen Self Organising Map, allowing higher-level information, in the form of cluster membership, to be extracted. Experimental results on the KDD 1999 Cup dataset show a low false positive rate and a detection and classification rate for Denial-of-Service and User-to-Root attacks that is higher than those in a sample of other works.

Neural and Evolutionary Computing,Cryptography and Security

Yun Xiao,Chongzhao Han

2006-01-01

Abstract:Traditional intrusion detection systems (IDSs) focus on low-level attacks and anomalies, and raise alerts independently, though there may be logical connections between them. In this paper, a method of correlating intrusion alerts into attack scenarios based on the improved evolving self-organizing map (IESOM) was proposed. IESOM gives a rational formula to calculate the initial values of connection strengths instead of assigning some experiential or tentative constants as connection strength values in ESOM. IESOM is an evolving extension of the self-organizing map (SOM) model, which allows for an evolvable network structure and very fast incremental learning. System of correlating intrusion alerts into attack scenarios based on IESOM has four functions of filtering, aggregation, condensing and combination, and the visual attack scenarios are given as the output of the system. The results on LLS DDOS1.0 and real-word dataset B prove that our method is useful and effective.

Yang Chen,Nami Ashizawa,Seanglidet Yean,Chai Kiat Yeo,Naoto Yanai

DOI: https://doi.org/10.48550/arXiv.2008.12686

2020-08-28

Abstract:In the information age, a secure and stable network environment is essential and hence intrusion detection is critical for any networks. In this paper, we propose a self-organizing map assisted deep autoencoding Gaussian mixture model (SOMDAGMM) supplemented with well-preserved input space topology for more accurate network intrusion detection. The deep autoencoding Gaussian mixture model comprises a compression network and an estimation network which is able to perform unsupervised joint training. However, the code generated by the autoencoder is inept at preserving the topology of the input space, which is rooted in the bottleneck of the adopted deep structure. A self-organizing map has been introduced to construct SOMDAGMM for addressing this issue. The superiority of the proposed SOM-DAGMM is empirically demonstrated with extensive experiments conducted upon two datasets. Experimental results show that SOM-DAGMM outperforms state-of-the-art DAGMM on all tests, and achieves up to 15.58% improvement in F1 score and with better stability.

Machine Learning,Cryptography and Security,Social and Information Networks

A. Madhuri,Veerapaneni Esther Jyothi,S. Phani Praveen,S. Sindhura,V. Sai Srinivas,D. Lokesh Sai Kumar

DOI: https://doi.org/10.1142/s0219265921430477

2022-01-31

Journal of Interconnection Networks

Abstract:One of the important technologies in present days is Intrusion detection technology. By using the machine learning techniques, researchers were developed different intrusion systems. But, the designed models toughness is affected by the two parameters, in that first one is, high network traffic imbalance in several categories, and another is, non-identical distribution is present in between the test set and training set in feature space. An artificial neural network (ANN) multi-level intrusion detection model with semi-supervised hierarchical [Formula: see text]-means method (HSK-means) is presented in this paper. Error rate of intrusion detection is reduced by the ANN’s accurate learning so it uses the Grasshopper Optimization Algorithm (GOA) which is analysed in this paper. Based on selection of important and useful parameters as bias and weight, error rate of intrusion detection system is reduced in the GOA algorithm and this is the main objective of the proposed system. Cluster based method is used in the pattern discovery module in order to find the unknown patterns. Here the test sample is treated as unlabelled unknown pattern or the known pattern. Proposed approach performance is evaluated by using the dataset as KDDCUP99. It is evident from the experimental findings that the projected model of GOA based semi supervised learning approach is better in terms of sensitivity, specificity and overall accuracy than the intrusion systems which are existed previously.

Haipeng Yao,Qiyi Wang,Luyao Wang,Peiying Zhang,Maozhen Li,Yunjie Liu

DOI: https://doi.org/10.1007/s10766-017-0537-7

2017-01-01

International Journal of Parallel Programming

Abstract:With the dramatic opening-up of network, network security becomes a severe social problem with the rapid development of network technology. Intrusion Detection System (IDS) is an innovative and proactive network security technology, which becomes a hot topic in both industry and academia in recent years. There are four main characteristics of intrusion data that affect the performance of IDS including multicomponent, data imbalance, time-varying and unknown attacks. We propose a novel IDS framework called HMLD to address these issues, which is an exquisite designed framework based on Hybrid Multi-Level Data Mining. In this paper, we use KDDCUP99 dataset to evaluate the performance of HMLD. The experimental results show that HMLD can reach 96.70% accuracy which is nearly 1% higher than the recent proposed optimal algorithm SVM+ELM+Modified K-Means. In details, HMLD greatly increased the detection accuracy of DoS attacks and R2L attacks.

Jiashu Wu,Hao Dai,Yang Wang,Kejiang Ye,Chengzhong Xu

DOI: https://doi.org/10.1109/jiot.2023.3239872

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Data scarcity hinders the usability of data-dependent algorithms when tackling IoT intrusion detection (IID). To address this, we utilize the data-rich network intrusion detection (NID) domain to facilitate more accurate intrusion detection for IID domains. In this article, a geometric graph alignment (GGA) approach is leveraged to mask the geometric heterogeneities between domains for better intrusion knowledge transfer. Specifically, each intrusion domain is formulated as a graph where vertices and edges represent intrusion categories and category-wise inter-relationships, respectively. The overall shape is preserved via a confused discriminator incapable to identify adjacency matrices between different intrusion domain graphs. A rotation avoidance mechanism and a center point matching mechanism are used to avoid graph misalignment due to rotation and symmetry, respectively. Besides, category-wise semantic knowledge is transferred to act as vertex-level alignment. To exploit the target data, a pseudo-label (PL) election mechanism that jointly considers network prediction, geometric property, and neighborhood information is used to produce fine-grained PL assignment. Upon aligning the intrusion graphs geometrically from different granularities, the transferred intrusion knowledge can boost IID performance. Comprehensive experiments on several intrusion data sets demonstrate state-of-the-art performance of the GGA approach and validate the usefulness of GGA-constituting components.

computer science, information systems,telecommunications,engineering, electrical & electronic

Liang Hu,Wei-wu Ren,Fei Ren

DOI: https://doi.org/10.1109/icise.2009.225

2009-01-01

Abstract:Traditional anomaly detection methods lack adaptive captivity in complex and heterogeneous network. Especially while facing high noise environments or the situation of updating profiles not in time, intrusion detection systems will have high false alarm rate. In this paper, a new anomaly detection algorithm based on hierarchical clustering, called ADBHC, is proposed. ADBHC generates clusters using density-based partitioning method which has less computational cost. It uses the improved hierarchical clustering tree to implement fast scalable and adaptive anomaly detection. The improved hierarchical clustering tree supports updating profiles at any time. We extend the clustering algorithm and apply branch and bound mechanism for filtering noise. With the help of two advantages: filtering noise and updating profiles at any time, our algorithm is effective enough to meet adaptive requirements. A series of experiment results on well known KDD Cup 1999 dataset indicate that ADBHC has low false alarm rate, high detection rate and a certain adaptive captivity in the progress of self-updating.

Shahriar Mohammadi,Mehdi Babagoli

DOI: https://doi.org/10.1007/s10207-023-00684-0

2023-04-11

Abstract:Along with the advancement of online platforms and significant growth in Internet usage, various threats and cyber-attacks have been emerging and become more complicated and perilous in a day-by-day base. Anomaly-based intrusion detection systems (AIDSs) are lucrative techniques for dealing with cybercrimes. As a relief, AIDS can be equipped with artificial intelligence techniques to validate traffic contents and tackle diverse illicit activities. A variety of methods have been proposed in the literature in recent years. Nevertheless, several important challenges like high false alarm rates, antiquated datasets, imbalanced data, insufficient preprocessing, lack of optimal feature subset, and low detection accuracy in different types of attacks have still remained to be solved. In order to alleviate these shortcomings, in this research a novel intrusion detection system that efficiently detects various types of attacks is proposed. In preprocessing, Smote-Tomek link algorithm is utilized to create balanced classes and produce a standard CICIDS dataset. The proposed system is based on gray wolf and Hunger Games Search (HGS) meta-heuristic algorithms to select feature subsets and detect different attacks such as distributed denial of services, Brute force, Infiltration, Botnet, and Port Scan. Also, to improve exploration and exploitation and boost the convergence speed, genetic algorithm operators are combined with standard algorithms. Using the proposed feature selection technique, more than 80 percent of irrelevant features are removed from the dataset. The behavior of the network is modeled using nonlinear quadratic regression and optimized utilizing the proposed hybrid HGS algorithm. The results show the superior performance of the hybrid algorithm of HGS compared to the baseline algorithms and the well-known research. As shown in the analogy, the proposed model obtained an average test accuracy rate of 99.17%, which has better performance than the baseline algorithm with 94.61% average accuracy.