Li Zou,Xuemei Luo,Yan Zhang,Xiao Yang,Xiangwen Wang

DOI: https://doi.org/10.1109/access.2023.3251354

IF: 3.9

2023-01-01

IEEE Access

Abstract:Network intrusion detection is an important technology in national cyberspace security strategy and has become a research hotspot in various cyberspace security issues in recent years. The development of effective and efficient intelligent network intrusion detection methods using advanced machine learning algorithms is of great importance for defending against various network intrusions in complex network environments. In this study, a network intrusion detection method based on decision tree twin support vector machine and hierarchical clustering, named HC-DTTWSVM, is proposed, which can effectively detect different categories of network intrusion. First, the hierarchical clustering algorithm is applied to construct the decision tree for network traffic data, where the bottom-up merging approach is used to maximize the separation of the upper nodes of the decision tree, which reduces the error accumulation in the construction of the decision tree. Then, twin support vector machines are embedded in the constructed decision tree to implement the network intrusion detection model, which can effectively detect the network intrusion category in a top-down manner. The detection performance of the proposed HC-DTTWSVM method is evaluated on NSL-KDD and UNSW-NB15 intrusion detection benchmark datasets. Experimental results show that HC-DTTWSVM can effectively detect different categories of network intrusion and achieves comparable detection performance compared to some of the recently proposed network intrusion detection methods.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yuan Zhang,Qinghai Yang,Sangarapillai Lambotharan,Konstantinos Kyriakopoulos,Ibrahim Ghafir,Basil AsSadhan

DOI: https://doi.org/10.1109/wcsp.2019.8927907

2019-01-01

Abstract:With the rapid development of new technologies and applications of Internet, much attention has been paid to the detection of anomalies in cyberspace traffic. A series of intrusion detection techniques based on machine learning have been developed. Support vector machine (SVM), as an essential approach, has been paid close attention in this filed. Nevertheless, the existing SVM-based techniques with the training features can not efficiently detect short duration intrusions and attacks in the traffic. To tackle this issue, we propose an anomaly-based SVM detection scheme by extracting and optimizing the training features. It trains the SVM with Kullback-Leibler (KL) divergence and cross-correlation calculated by the control and data planes traffic. Following this way, the novel training method can effectively enhance the detection accuracy. And the performance of the presented scheme is validated and evaluated based on a recent realistic Internet traffic dataset. Finally, relevant results indicate that the developed method establishes the relationship between Transmission Control Protocol (TCP) traffic and intrusions. It can efficiently detect short duration intrusions and attacks in the network traffic.

ZHANG Kun,CAO Hong-xin,LIU Feng-yu,LI Qian-mu

DOI: https://doi.org/10.3969/j.issn.1005-9830.2007.04.001

2007-01-01

Abstract:In view of the problems of using traditional machine learning method to detect the network intrusions,this paper proposes a network intrusion detection model based on support vector machine(SVM).Experimental results demonstrate that the proposed model has higher detection accuracy of intrusions and avoids the limitation of the detection methods based on traditional machine learning.In the training,considering the effect of different network data features on the intrusion detection results,a new weighted feature classification method is also brought forward,which improves the accuracy of network intrusion detection.

DAI Tian-hong,WANG Ke-qi,YANG Shao-chun

2008-01-01

Abstract:According to the traits of intrusion detection and support vector machines,an abnormal detection method was presented based on the least-squares Support Vector Machine,and an intrusion detection model was built based on support vector machine,which was used for the network data collection,feature extraction,data classification and distinguishing between normal data and abnormal data.A test was conducted on the intrusion detection data of KDD CUP'99 standards by selecting the subset of data_10_percent;the 41 attributes of this subset were taken as the characteristics,and the final attribute of this subset was labeled as back,ipsweep,neptun,portsweep and normal.200 data of each kind was respectively tested.The result shows that this method can obtain a higher detection rate and a lower false warning rate.

LI Yang,FANG Bin-xing,GUO Li,TIAN Zhi-hong,ZHANG Yong-zheng,JIANG Wei

DOI: https://doi.org/10.1145/1229285.1229292

2007-01-01

Abstract:Intrusion detection is a critical component of secure information systems. Network anomaly detection has been an active and difficult research topic in the field of Intrusion Detection for many years. However, it still has some problems unresolved. They include high false alarm rate, difficulties in obtaining exactly clean data for the modeling of normal patterns and the deterioration of detection rate because of some "noisy" data in the training set. In this paper, we propose a novel network anomaly detection method based on improved TCM-KNN (Transductive Confidence Machines for K-Nearest Neighbors) machine learning algorithm. A series of experimental results on the well-known KDD Cup 1999 dataset demonstrate it can effectively detect anomalies with high true positive rate, low false positive rate and high confidence than the state-of-the-art anomaly detection methods. In addition, even interfered by "noisy" data (unclean data), the proposed method is robust and effective. Moreover, it still retains good detection performance after employing feature selection aiming at avoiding the "curse of dimensionality".

Jun He,Shi-hui Zheng

DOI: https://doi.org/10.1007/s12204-014-1524-4

2014-01-01

Abstract:Intrusion detection system (IDS) is becoming a critical component of network security. However, the performance of many proposed intelligent intrusion detection models is still not competent to be applied to real network security. This paper aims to explore a novel and effective approach to significantly improve the performance of IDS. An intrusion detection model with twin support vector machines (TWSVMs) is proposed. In this model, an efficient algorithm is also proposed to determine the parameter of TWSVMs. The performance of the proposed intrusion detection model is evaluated with KDD’99 dataset and is compared with those of some recent intrusion detection models. The results demonstrate that the proposed intrusion detection model achieves remarkable improvement in intrusion detection rate and more balanced performance on each type of attacks. Moreover, TWSVMs consume much less training time than standard support vector machines (SVMs).

Xin Xu,Xuening Wang

DOI: https://doi.org/10.1007/11527503_82

2005-01-01

Abstract:Network intrusion detection is an important technique in computer security. However, the performance of existing intrusion detection systems (IDSs) is unsatisfactory since new attacks are constantly developed and the speed of network traffic volumes increases fast. To improve the performance of IDSs both in accuracy and speed, this paper proposes a novel adaptive intrusion detection method based on principal component analysis (PCA) and support vector machines (SVMs). By making use of PCA, the dimension of network data patterns is reduced significantly. The multi-class SVMs are employed to construct classification models based on training data processed by PCA. Due to the generalization ability of SVMs, the proposed method has good classification performance without tedious parameter tuning. Dimension reduction using PCA may improve accuracy further. The method is also superior to SVMs without PCA in fast training and detection speed. Experimental results on KDD-Cup99 intrusion detection data illustrate the effectiveness of the proposed method.

LI Yang,FANG Bin-Xing,GUO Li,CHEN You

DOI: https://doi.org/10.1360/jos182595

2007-01-01

Journal of Software

Abstract:Network anomaly detection has been an active and difficult research topic in the field of intrusion detection for many years. Up to now, high false alarm rate, requirement of high quality data for modeling the normal patterns and the deterioration of detection rate because of some noisy data in the training set still make it not perform as well as expected in practice. This paper presents a novel network anomaly detection method based on improved TCM-KNN (transductive confidence machines for K-nearest neighbors) machine learning algorithm, which can effectively detect anomalies using normal data for training. A series of experiments on well known KDD Cup 1999 dataset demonstrate that it has lower false positive rate, especially higher confidence under the condition of ensuring high detection rate than the traditional anomaly detection methods. In addition, even provided with training dataset contaminated by noisy data, the proposed method still holds good detection performance. Furthermore, it can be optimized without obvious loss of detection performance by adopting small dataset for training and employing feature selection aiming at avoiding the curse of dimensionality.

陈光英,张千里,李星

DOI: https://doi.org/10.3321/j.issn:1000-436x.2002.05.010

2002-01-01

Abstract:An intrusion detection system based on SVM classification technique was designed and implemented. It uses the technique of support vector machine to recognize TCP network connections without the reference of the port numbers. If a connection is recognized in a category that is different from the type of service characterized by the port number, then the connection is considered abnormal. This paper also focused on how the trace time, the feature set size and the kernel function of SVM affect the recognition error rate. Results from preliminary experiments show that our system can detect abnormal TCP network connections.

WANG TAO,GONG HUILI

DOI: https://doi.org/10.3969/j.issn.1008-0570.2006.36.031

2006-01-01

Abstract:In order to improve the safety of information system, the method of SVM based on statistics learning theory is used in the intrusion detection system, which ensures that SVM classifier has the higher accuracy in the absence of transcendent knowledge, and achieve the aim that SVM can accurately predict the abnormal state of system. By the use of this method, the limitation of traditional machine learning method is avoided and ensure the stronger extension ability.,which make intrusion detection system to have the bet- ter detecting performance.

ZHANG Kun,CAO Hong-xin,YAN Han,LIU Feng-yu

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.05.034

2006-01-01

Abstract:Apply SVM technique to network intrusion detection,and propose a network abnormal intrusion detection model based on SVM.The experimental results demonstrate that the proposed model has higher detection accuracy of intrusions,especially for some unknown attacks.It proves that SVM can effectively detect intrusion.

Tao Ma,Yang Yu,Fen Wang,Qiang Zhang,Xiaoyun Chen

DOI: https://doi.org/10.1007/978-981-10-3187-8_13

2017-01-01

Abstract:This paper proposes a novel approach called KDSVM, which utilized the k-mean techniques and advantage of feature learning with deep neural network (DNN) model and strong classifier of support vector machines (SVM) , to detection intrusion networks. KDSVM is composed of two stages. In the first step, the dataset is divided into k subset based on every sample distance by the cluster centers of k-means approach, and in the second step, testing dataset is distanced by the same cluster center and fed into the DNN model with SVM model for intrusion detection. The experimental results show that the KDSVM not only performs better than SVM, BPNN, DBN-SVM (Salama et al., Soft computing in industrial applications, 2011 [21]) and Bayes tree models in terms of detection accuracy and abnormal types of attacks found. It also provides an effective tool for the study and analysis of intrusion detection in the large network.

Xiao Yun,Han Chongzhao,Zheng Qinghua,Zhang Junjie

DOI: https://doi.org/10.1007/s11767-005-0078-x

2006-01-01

Abstract:A new method called RS-MSVM (Rough Set and Multi-class Support Vector Machine) is proposed for network intrusion detection. This method is based on rough set followed by MSVM for attribute reduction and classification respectively. The number of attributes of the network data used in this paper is reduced from 41 to 30 using rough set theory. The kernel function of HVDM-RBF (Heterogeneous Value Difference Metric Radial Basis Function), based on the heterogeneous value difference metric of heterogeneous datasets, is constructed for the heterogeneous network data. HVDM-RBF and one-against-one method are applied to build MSVM. DARPA (Defense Advanced Research Projects Agency) intrusion detection evaluating data were used in the experiment. The testing results show that our method outperforms other methods mentioned in this paper on six aspects: detection accuracy, number of support vectors, false positive rate, false negative rate, training time and testing time.

Xuefei Tian,Chenlu Li,Aijuan Qian,Xiaoju Dong

DOI: https://doi.org/10.1109/ispa-bdcloud-socialcom-sustaincom51426.2020.00077

2020-01-01

Abstract:The network environment is increasingly complex, resulting in the explosive growth of network traffic logs. Discovering the patterns of these logs and detecting various cyber-attacks and anomalies have become a widespread concern. However, traditional network analysis techniques and Intrusion Detection System (IDS) have limited ability to identify and respond to the malicious activities hidden in dynamic and long-duration time series. This paper proposes a novel visual analysis system, combining visual analysis and machine learning model, to better reveal the pattern of various traffic logs, detect and classify abnormal network behaviors from enormous traffic logs. The system supports interactive exploration in data space and comparative analysis of the normal and abnormal pattern. It could help users analyze traffic logs conveniently and identify network intrusions efficiently. Besides, a supervised classifier in our system supports the prediction of a single traffic log which facilitates users' analysis of the patterns of traffic logs. A case study conducted on the CICIDS-2017 dataset demonstrates the feasibility of our system.

杨敏,张焕国,傅建明,罗敏

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.03.014

2005-01-01

Abstract:This paper proposes a new anomaly intrusion detection method based on support vector data description(SVDD ). According to this method, intrusion detection is regarded as one-class classification problem. A support vector description model is built for normal data, and then known and unknown attacks can be detected using this model. This method falls into the category of unsupervised anomaly detection techniques as it can train the model with unlabeled and noisy data. Results from preliminary experiments with the KDD CUP'99 network data indicate that the method has satisfying performance.

Qian Huang,Zhen Wang,Tao Wei,Yu Chen

2006-01-01

Abstract:This paper presents an algorithm for intrusion detection, based on one-class support vector machine (SVM) and online training of SVM. The algorithm formulates intrusion detection as a one-class classification problem. The model-building part of the algorithm works even when the training data is noisy, and therefore compared with regular SVM algorithms, it imposes fewer requirements on the training set and has a higher detection rate. For the testing data containing new types of attack, the algorithm can add such data to the training set and update the training result real-time. It tests the algorithm on KDD CUP' 99 benchmark data set for intrusion detection and the result shows that the algorithm is able to shorten the training time, and in the same time, obtain a high detection rate.

Jun Ma,Guanzhong Dai,Zhong Xu

DOI: https://doi.org/10.1109/icppw.2009.6

2009-01-01

Abstract:We present a new network anomaly detection system using dissimilarity-based one-class support vector machine(DSVMC). we transform the raw data into a dissimilarity space using Dissimilarity Representations (DR). DR describe objects by their dissimilarities to a set of target class. DSVMC are constructed on these DR. We propose a framework of anomaly detection using DSVMC. A new strategy of prototype selection has been proposed to obtain better DR. We not only offer a better approach in strategy to describe to distribution of large training dataset but also reduce the computational cost of prototype selection largely. In order to deploy the ADS in real-time detection application, we use Kernel Primary Component Analysis (KPCA) to reduce the dimension of transformed data. Evaluation has been made among traditional one-class classifiers, the dissimilarity-based one class SVM classifier without optimization of DR (WSVMC) and our DSVMC on KDD-CUP'99 dataset. The results show that DSVMC can achieve high detection rate than WSVMC and more robust performance than traditional one-class classifiers.

Xuecheng Yu,Yan Huang,Yu Zhang,Mingyang Song,Zhenhong Jia

DOI: https://doi.org/10.32604/cmc.2023.044999

2024-01-01

Abstract:With the increasing dimensionality of network traffic, extracting effective traffic features and improving the identification accuracy of different intrusion traffic have become critical in intrusion detection systems (IDS). However, both unsupervised and semisupervised anomalous traffic detection methods suffer from the drawback of ignoring potential correlations between features, resulting in an analysis that is not an optimal set. Therefore, in order to extract more representative traffic features as well as to improve the accuracy of traffic identification, this paper proposes a feature dimensionality reduction method combining principal component analysis and Hotelling’s T2 and a multilayer convolutional bidirectional long short-term memory (MSC_BiLSTM) classifier model for network traffic intrusion detection. This method reduces the parameters and redundancy of the model by feature extraction and extracts the dependent features between the data by a bidirectional long short-term memory (BiLSTM) network, which fully considers the influence between the before and after features. The network traffic is first characteristically downscaled by principal component analysis (PCA), and then the downscaled principal components are used as input to Hotelling’s T2 to compare the differences between groups. For datasets with outliers, Hotelling’s T2 can help identify the groups where the outliers are located and quantitatively measure the extent of the outliers. Finally, a multilayer convolutional neural network and a BiLSTM network are used to extract the spatial and temporal features of network traffic data. The empirical consequences exhibit that the suggested approach in this manuscript attains superior outcomes in precision, recall and F1-score juxtaposed with the prevailing techniques. The results show that the intrusion detection accuracy, precision, and F1-score of the proposed MSC_BiLSTM model for the CIC-IDS 2017 dataset are 98.71%, 95.97%, and 90.22%.

computer science, information systems,materials science, multidisciplinary

Wen Jie Tian,Ji Cheng Liu

DOI: https://doi.org/10.1109/CAR.2010.5456628

2010-01-01

Abstract:Intrusion Detection Systems (IDS) are increasingly a key part of systems defense. Various approaches to Intrusion Detection are currently being used, but they are relatively in effective. Recently applying Artificial Intelligence, machine learning and data mining techniques to IDS are increasing. Artificial Intelligence plays a driving role in security services. An intrusion detection method based on neural network and particle swarm optimization algorithm (PSOA) is presented in this paper. The novel structure model has higher accuracy and faster convergence speed. With the ability of strong self-learning and faster convergence, this intrusion detection method can detect various intrusion behaviors rapidly and effectively by learning the typical intrusion characteristic information. Utilizing the character that rough set can keep the discernability of original dataset after reduction, the reduces of the original dataset are calculated and used to train neural network, which increase the detection accuracy. We apply this technique on KDD99 data set and get satisfactory results. The experimental result shows that this intrusion detection method is feasible and effective.

Jingbo Yuan,Haixiao Li,Shunli Ding,Limin Cao

DOI: https://doi.org/10.1109/IITSI.2010.72

2010-01-01

Abstract:With development and popularization of computer network, network security problems increasingly bring into prominence. Intrusion detection technique can effectively enlarge the scope of protection on network and system. An intrusion detection method based on support vector machine (SVM) is studied. Aiming at the shortcoming of SVM on detecting precision, an intrusion detection model based on improved SVM is put forward according to hypothesis test theory. To confirm the effectiveness of this approach, a simulation testing is done. The experiment results show that the improved SVM has stronger learning ability and higher accuracy and lower false positive rate.