YANG Ya-hui,JIANG Dian-bo,SHEN Qing-ni,XIA Min

DOI: https://doi.org/10.3969/j.issn.1000-436x.2011.01.016

2011-01-01

Abstract:A novel technique based on an improved growing hierarchical self-organizing maps(GHSOM) neural network for intrusion detection was presented.The improved GHSOM could deal with a metric incorporating both numerical and symbolic data,and then improved efficiency of intrusion detection.The validities and feasibilities of the improved GHSOM were confirmed through experiments on KDD Cup 99 datasets and simulated experiment datasets.The experi-ment results showes that the detection rate has been increased by employing the improved GHSOM.

Haifeng Lv,Xiaoyu Ji,Yong Ding

DOI: https://doi.org/10.1088/1742-6596/2517/1/012016

2023-01-01

Journal of Physics Conference Series

Abstract:The intrusion detection system (IDS) plays an important part because it offers an efficient way to prevent and mitigate cyber attacks. Numerous deep learning methods for intrusion anomaly detection have been developed as a result of recent advances in artificial intelligence (AI) in order to strengthen internet security. The balance among the high detection rate (DR), the low false alarm rate (FAR) and disaster of dimensionality is the crucial apprehension while devising an effective IDS. For the binary classification of intrusion detection systems, we present in this study a mixed model called K-means-XGBoost consisting of K-means and (Extreme Gradient Boosting, XGBoost) algorithms. The distributed computation of our method is achieved in Spark platform to rapidly separate normal events and anomaly events. In phrases of accuracy, DR, F1-score, recall, precision, and error indices FAR, the proposed model’s performance is measured via the well-known dataset of NSL-KDD. The experimental outcomes indicate that our method is outstandingly better among accuracy, DR, F1-score, training time, and processing speed, compared to other models which are recently created. In particular, the accuracy, F1-score, and DR of the proposed model can achieve as high as 93.28%, 94.39%, and 99.22% in the NSL-KDD dataset, respectively.

Chen Tingting,Fang Binxing,Zheng Jun

DOI: https://doi.org/10.3969/j.issn.1000-386X.2006.05.002

2006-01-01

Abstract:This paper presents an application of a hierarchical self-organizing map(HSOM)algorithm for network anomaly detection.By growing in a top-down approach and extending the connections of neurons from horizontal dimension to both horizontal and hierarchical dimension,HSOM significantly accelerates the searching of winning neurons.Based on HSOM,a data analyzer in network anomaly detection system HSOMDA is designed and implemented.The results of experiments on DARPA 1999 dataset demonstrate its effectiveness and efficiency in anomaly detection.

ZHAO Jian-hua,LI Wei-hua

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.12.032

2012-01-01

Abstract:In order to improve the classification effectiveness of Self-organizing feature Mapping(SOM) neural network,this paper designs a Supervised Self-organizing feature Mapping(SSOM) network,which adds output layer into the network structure based on input layer and competitive layer.According to different prediction category of input samples,SSOM selects different formula to adjust weights and train network.Through combinations of two weights,SSOM realizes the regression and statistic of the sample classes.Experiments on KDD CUP99 dataset show that SSOM has better classification ability and higher intrusion detection rate.

Hongbo Shi,Kazuhiko Iwasaki

DOI: https://doi.org/10.1109/PRDC.2013.27

2013-01-01

Abstract:We propose a new method that uses a neural network, the Growing Hierarchical Self-Organizing Map (GHSOM), to analyze the DNS query log files. Due to the structure of the DNS query frequency, infected computers are easy to detect. Our experiment shows the different DNS query structure between healthy and infected computers.

Ziqi Yuan,Haoyi Zhou,Tianyu Chen,Jianxin Li

2024-01-19

Abstract:A multitude of toxic online behaviors, ranging from network attacks to anonymous traffic and spam, have severely disrupted the smooth operation of networks. Due to the inherent sender-receiver nature of network behaviors, graph-based frameworks are commonly used for detecting anomalous behaviors. However, in real-world scenarios, the boundary between normal and anomalous behaviors tends to be ambiguous. The local heterophily of graphs interferes with the detection, and existing methods based on nodes or edges introduce unwanted noise into representation results, thereby impacting the effectiveness of detection. To address these issues, we propose PhoGAD, a graph-based anomaly detection framework. PhoGAD leverages persistent homology optimization to clarify behavioral boundaries. Building upon this, the weights of adjacent edges are designed to mitigate the effects of local heterophily. Subsequently, to tackle the noise problem, we conduct a formal analysis and propose a disentangled representation-based explicit embedding method, ultimately achieving anomaly behavior detection. Experiments on intrusion, traffic, and spam datasets verify that PhoGAD has surpassed the performance of state-of-the-art (SOTA) frameworks in detection efficacy. Notably, PhoGAD demonstrates robust detection even with diminished anomaly proportions, highlighting its applicability to real-world scenarios. The analysis of persistent homology demonstrates its effectiveness in capturing the topological structure formed by normal edge features. Additionally, ablation experiments validate the effectiveness of the innovative mechanisms integrated within PhoGAD.

Machine Learning,Social and Information Networks

Dianbo Jiang,Yahui Yang,Min Xia

DOI: https://doi.org/10.1109/IAS.2009.247

2009-01-01

Abstract:Neural networks approach is an advanced methodology used for intrusion detection. As a type of neural network, Self-organizing Maps (SOM) is getting more attention in the field of intrusion detection.In this paper, some improvements on SOM algorithm are made in order to increase detection rate and improve the stability of intrusion detection, include: (1) Modify the strategy of “winner-take-all” to decrease underutilized or completely unutilized neurons. (2) Introduce interaction weight which describes the effect between each neuron in the output layer to enhance the relationships between the input pattern and the weights of all the nodes when adjusting weights; The improved SOM is implemented and applied to the intrusion detection. The validities and feasibilities of the improved SOM are confirmed through experiments on KDD Cup 99 datasets. The experiment result shows that the detection rate has been increased by employing the improved SOM.

Paolo Mignone,Roberto Corizzo,Michelangelo Ceci

DOI: https://doi.org/10.1007/s10994-023-06501-y

IF: 5.414

2024-01-24

Machine Learning

Abstract:The identification of anomalous activities is a challenging and crucially important task in sensor networks. This task is becoming increasingly complex with the increasing volume of data generated in real-world domains, and greatly benefits from the use of predictive models to identify anomalies in real time. A key use case for this task is the identification of misbehavior that may be caused by involuntary faults or deliberate actions. However, currently adopted anomaly detection methods are often affected by limitations such as the inability to analyze large-scale data, a reduced effectiveness when data presents multiple densities, a strong dependence on user-defined threshold configurations, and a lack of explainability in the extracted predictions. In this paper, we propose a distributed deep learning method that extends growing hierarchical self-organizing maps, originally designed for clustering tasks, to address anomaly detection tasks. The SOM-based modeling capabilities of the method enable the analysis of data with multiple densities, by exploiting multiple SOMs organized as a hierarchy. Our map-reduce implementation under Apache Spark allows the method to process and analyze large-scale sensor network data. An automatic threshold-tuning strategy reduces user efforts and increases the robustness of the method with respect to noisy instances. Moreover, an explainability component resorting to instance-based feature ranking emphasizes the most salient features influencing the decisions of the anomaly detection model, supporting users in their understanding of raised alerts. Experiments are conducted on five real-world sensor network datasets, including wind and photovoltaic energy production, vehicular traffic, and pedestrian flows. Our results show that the proposed method outperforms state-of-the-art anomaly detection competitors. Furthermore, a scalability analysis reveals that the method is able to scale linearly as the data volume presented increases, leveraging multiple worker nodes in a distributed computing setting. Qualitative analyses on the level of anomalous pollen in the air further emphasize the effectiveness of our proposed method, and its potential in determining the level of danger in raised alerts.

computer science, artificial intelligence

Yong Feng,Jiang Zhong,Zhong-Yang Xiong,Chun-Xiao Ye,Kai-Gui Wu

DOI: https://doi.org/10.1007/978-3-540-72393-6_113

2007-01-01

Abstract:An approach to network anomaly detection is investigated, based on dynamic self-organizing maps (DSOM) and ant colony optimization (ACO) clustering. The basic idea of the method is to produce the cluster by DSOM and ACO. With the classified data instances, anomaly data clusters can be easily identified by normal cluster ratio. And then the identified cluster can be used in real data detection. In the traditional clustering-based intrusion detection algorithms, clustering using a simple distance-based metric and detection based on the centers of clusters, which generally degrade detection accuracy and efficiency. Our approach based on DSOM and ACO clustering can settle these problems effectively. The experiment results show that our approach can detect unknown intrusions efficiently in the real network connections.

Shiyuan Liu,Li Lu,Guanglan Liao,Jianping Xuan

DOI: https://doi.org/10.1007/11893028_115

2006-01-01

Abstract:Pattern discovery from time series is an important task in many applications. The unsupervised self-organizing map (SOM) has been widely used in data mining as well as in time series knowledge discovery. However, the traditional SOM has two main limitations: the static architecture and the lacking ability for the representing of hierarchical relations of the data. To overcome these limitations the growing hierarchical self-organizing map (GHSOM) is used to analyze time series in this paper. The experiments conducted on several data sets confirm that the GHSOM can form an adaptive architecture, which grows in size and depth during its training process, thus to unfold the hierarchical structure of the analyzed time series data. It is expected that this method will be effective and efficient to implement and will provide a useful practical tool for pattern discovery from large time series databases.

Wei Pan,Weihua Li

DOI: https://doi.org/10.1007/11576235_58

2005-01-01

Abstract:Intrusion Detection is an essential and critical component of network security systems. The key ideas are to discover useful patterns or features that describe user behavior on a system, and use the set of relevant features to build classifiers that can recognize anomalies and known intrusions, hopefully in real time. In this paper, a hybrid neural network technique is proposed, which consists of the self-organizing map (SOM) and the radial basis function (RBF) network, aiming at optimizing the performance of the recognition and classification of novel attacks for intrusion detection. The optimal network architecture of the RBF network is determined automatically by the improved SOM algorithm. The intrusion feature vectors are extracted from a benchmark dataset (the KDD-99) designed by DARPA. The experimental results demonstrate that the proposed approach performance especially in terms of both efficient and accuracy.

Xiaoqing Sun,Jiahai Yang,Zhiliang Wang,Heng Liu

DOI: https://doi.org/10.1109/noms47738.2020.9110462

2020-01-01

Abstract:As a fundamental component of the Internet, Domain Name System (DNS) is widely abused by attackers in various cybercrimes, making malicious domain detection an essential task in network defenses. However, some well-crafted attacks with tricky techniques can not only bypass blacklists but also make some machine learning-based detection systems infeasible. In this paper, we design HGDom, an accurate and robust malicious domain detection system based on a heterogeneous graph convolutional network method. First, we jointly analyze domain features as well as the complex relations among domains, clients, and IP addresses. To capture richer information, we introduce a Heterogeneous Information Network (HIN) to model the DNS scene. Then, we propose a novel representation method named MAGCN. With a meta-path-based attention mechanism, it can handle node features and the graph structure in HIN at the same time. To our best knowledge, this is the first work to apply GCN in cyber security analysis. Comprehensive experiments over DNS data from TUNET and CERNET2 are conducted to validate the effectiveness and superiority of our proposed methods. The comparison results show that HGDom outperforms state-of-the-art approaches with promising performance. Besides, the system is decided to be deployed in production to assist with network security management for CERNET2.

Xiaoqing Sun,Zhiliang Wang,Jiahai Yang,Xinran Liu

DOI: https://doi.org/10.1016/j.cose.2020.102057

IF: 5.105

2020-01-01

Computers & Security

Abstract:As an essential network service, the Domain Name System (DNS) is widely abused by attackers, making malicious domain detection a crucial task when combating cybercrimes. The increasing sophistication of attackers calls for new detection methods against novel threats and evasions. In this paper, we analyze the DNS scene and design an intelligent malicious domain detection system, named DeepDom. With joint consideration of both domain’s local features and their global associations, DeepDom is more accurate and is harder for attackers to evade. In DeepDom, we first represent the DNS scene as a Heterogeneous Information Network (HIN) with diverse entities like clients, domains, IP addresses, and accounts to capture richer information. Then, considering the heterogeneous and dynamic nature of DNS, we propose a novel Graph Convolutional Network (GCN) method named SHetGCN to inductively classify domain nodes in the HIN. By guiding the convolution operations with meta-path based short random walks, SHetGCN can jointly handle node features together with structural information and support inductive node embedding. We build a prototype of DeepDom and validate its effectiveness with comprehensive experiments over the DNS data collected from a real-world network, CERNET2. The comparison results demonstrate that our approaches outperform other state-of-the-art techniques.

Yun Xiao,Chongzhao Han

2006-01-01

Abstract:Traditional intrusion detection systems (IDSs) focus on low-level attacks and anomalies, and raise alerts independently, though there may be logical connections between them. In this paper, a method of correlating intrusion alerts into attack scenarios based on the improved evolving self-organizing map (IESOM) was proposed. IESOM gives a rational formula to calculate the initial values of connection strengths instead of assigning some experiential or tentative constants as connection strength values in ESOM. IESOM is an evolving extension of the self-organizing map (SOM) model, which allows for an evolvable network structure and very fast incremental learning. System of correlating intrusion alerts into attack scenarios based on IESOM has four functions of filtering, aggregation, condensing and combination, and the visual attack scenarios are given as the output of the system. The results on LLS DDOS1.0 and real-word dataset B prove that our method is useful and effective.

Yang Shi,Shupei Wang,Qinpei Zhao,Jiangfeng Li

DOI: https://doi.org/10.1007/978-3-319-69781-9_13

2017-01-01

Abstract:Security technology in computer network including anomaly detection is increasingly playing an important role in the government and protection of Internet along with its popularity. Anomaly detection uses data mining techniques to detect the unknown malicious behavior. Various hybrid approaches have been proposed in order to detect outliers more accurately recently. This paper proposes a novel hybrid of clusterings and graph to detect anomaly. We introduce a new holistic approach in a common bipartite scenario of users from intranet accessing to Internet that utilizes different types of clusterings for the individual feature data to find the outliers and then a graph model to take advantage of the relational data naming network to enhance anomaly detection. The framework solution has several advantages: taking consideration of individual feature data and relational data, keeping open to extend different types of clusterings, easily appending more domain knowledge.

Shang-Jung Wen,Jia-Ming Chang,Fang Yu

2024-07-24

Abstract:High-dimensional single-cell data poses significant challenges in identifying underlying biological patterns due to the complexity and heterogeneity of cellular states. We propose a comprehensive gene-cell dependency visualization via unsupervised clustering, Growing Hierarchical Self-Organizing Map (GHSOM), specifically designed for analyzing high-dimensional single-cell data like single-cell sequencing and CRISPR screens. GHSOM is applied to cluster samples in a hierarchical structure such that the self-growth structure of clusters satisfies the required variations between and within. We propose a novel Significant Attributes Identification Algorithm to identify features that distinguish clusters. This algorithm pinpoints attributes with minimal variation within a cluster but substantial variation between clusters. These key attributes can then be used for targeted data retrieval and downstream analysis. Furthermore, we present two innovative visualization tools: Cluster Feature Map and Cluster Distribution Map. The Cluster Feature Map highlights the distribution of specific features across the hierarchical structure of GHSOM clusters. This allows for rapid visual assessment of cluster uniqueness based on chosen features. The Cluster Distribution Map depicts leaf clusters as circles on the GHSOM grid, with circle size reflecting cluster data size and color customizable to visualize features like cell type or other attributes. We apply our analysis to three single-cell datasets and one CRISPR dataset (cell-gene database) and evaluate clustering methods with internal and external CH and ARI scores. GHSOM performs well, being the best performer in internal evaluation (CH=4.2). In external evaluation, GHSOM has the third-best performance of all methods.

Machine Learning,Information Retrieval,Genomics

Yong Feng,Kaigui Wu,Zhongfu Wu,Zhongyang Xiong

DOI: https://doi.org/10.1007/11427469_69

2005-01-01

Abstract:An approach to network intrusion detection is investigated, based on dynamic self-organizing maps (DSOM) neural network clustering. The basic idea of the method is to produce the cluster by DSOM. With the classified data instances, anomaly data clusters can be easily identified by normal cluster ratio. And then the identified cluster can be used in real data detection. In the traditional clustering-based intrusion detection algorithms, clustering using a simple distance-based metric and detection based on the centers of clusters, which generally degrade detection accuracy and efficiency. Our approach based on DSOM clustering can settle these problems effectively. The experiment result shows that our approach can detect unknown intrusions efficiently in the real network connections.

Haipeng Yao,Qiyi Wang,Luyao Wang,Peiying Zhang,Maozhen Li,Yunjie Liu

DOI: https://doi.org/10.1007/s10766-017-0537-7

2017-01-01

International Journal of Parallel Programming

Abstract:With the dramatic opening-up of network, network security becomes a severe social problem with the rapid development of network technology. Intrusion Detection System (IDS) is an innovative and proactive network security technology, which becomes a hot topic in both industry and academia in recent years. There are four main characteristics of intrusion data that affect the performance of IDS including multicomponent, data imbalance, time-varying and unknown attacks. We propose a novel IDS framework called HMLD to address these issues, which is an exquisite designed framework based on Hybrid Multi-Level Data Mining. In this paper, we use KDDCUP99 dataset to evaluate the performance of HMLD. The experimental results show that HMLD can reach 96.70% accuracy which is nearly 1% higher than the recent proposed optimal algorithm SVM+ELM+Modified K-Means. In details, HMLD greatly increased the detection accuracy of DoS attacks and R2L attacks.

Zhendong Wang,Xin Yang,Zhiyuan Zeng,Daojing He,Sammy Chan

DOI: https://doi.org/10.1007/s12083-024-01749-0

2024-01-01

Abstract:With the continual evolution of network technologies, the Internet of Things (IoT) has permeated various sectors of society. However, over the past decade, the annual discovery of cyberattacks has shown an exponential surge, inflicting severe damage to economic development. Aiming at the high false alarm rate, poor classification performance and overfitting problems in current intrusion detection systems, this paper proposes an efficient hierarchical intrusion detection model named ET-DCANET. Initially, the extreme random tree algorithm is employed for feature selection to meticulously curate the optimal feature subset. Subsequently, the dilated convolution and dual attention mechanism (including channel attention and spatial attention) are introduced, and a strategy of gradual transition from coarse-grained learning to fine-grained learning is proposed by gradually narrowing the expansion rate of cavity convolution, and the DCNN and dual attention modules are progressively refined to effectively utilize the synergy of DCNN and Attention to extract spatial and temporal features. This gradual transition from coarse-grained learning to fine-grained learning helps to better balance global and local information when dealing with complex data, and improves the performance and generalization ability of the model. To confront the class imbalance issue within the dataset, a novel loss function, EQLv2, is introduced as a substitute for the conventional cross-entropy (CE) loss. This innovation directs the model's focus toward minority class samples, ultimately enhancing the overall performance of the model. The proposed model shows excellent intrusion detection on the NSL-KDD, UNSW-NB15, and X-IIoTID datasets with accuracy rates of 99.68

Hao Lan Zhang,Roozbeh Zarei,Chaoyi Pang,Xiaohui Hu

DOI: https://doi.org/10.1007/978-3-319-06269-3_24

2014-01-01

Abstract:The rapid growth of online data, which include online transaction data, online multimedia data, online social networking data, and son on, has made huge demand for more efficient data reduction and process. Online clustering to detect/predict anomalies from multiple data streams is valuable to those applications where a credible real-time event prediction system will minimize economic losses (e. g. stock market crash) and save lives (e. g. medical surveillance in the operating theatre). This project discovers and develops effective, efficient and accurate methods for online data processing using the Self-Organizing Map (SOM) method. The SOM method is efficient for solving big data problems. The experimental results are illustrated in this paper to demonstrate the efficiency of using SOM for large data analysis based on large volume medical and online transaction data.