Hassan Hadi Al-Maksousy,Michele C. Weigle,Cong Wang

DOI: https://doi.org/10.1109/ths.2018.8574174

2018-01-01

Abstract:Malware detection is an important problem. We propose an efficient real-time system to detect and classify malware based on network behavior using deep neural networks. We show that the splitting of the system into two neural networks, detection and analysis, is the key to increasing accuracy. Therefore, this approach allows for the construction of a real-time monitoring system with very low CPU usage. Finally, we provide a comparison analysis of four machine learning classifiers for this task.

Zhenpeng Liu,Nan Su,Yiwen Qin,Jiahuan Lu,Xiaofei Li

DOI: https://doi.org/10.1155/2020/6633252

2020-12-22

Mobile Information Systems

Abstract:This paper focuses on an important research problem of cyberspace security. As an active defense technology, intrusion detection plays an important role in the field of network security. Traditional intrusion detection technologies have problems such as low accuracy, low detection efficiency, and time consuming. The shallow structure of machine learning has been unable to respond in time. To solve these problems, the deep learning-based method has been studied to improve intrusion detection. The advantage of deep learning is that it has a strong learning ability for features and can handle very complex data. Therefore, we propose a deep random forest-based network intrusion detection model. The first stage uses a slide window to segment original features into many small pieces and then trains a random forest to generate the concatenated class vector as rerepresentation. The vector will be used to train the multilevel cascade parallel random forest in the second stage. Finally, the classification of the original data is determined by voting strategy after the last layer of cascade. Meanwhile, the model is deployed in Spark environment and optimizes cache replacement strategy of RDDs by efficiency sorting and partition integrity check. The experiment results indicate that the proposed method can effectively detect anomaly network behaviors, with high F1-measure scores and high accuracy. The results also show that it can cut down the average execution time on different scaled clusters.

computer science, information systems,telecommunications

An, Lei

DOI: https://doi.org/10.1007/s10586-024-04487-3

2024-05-12

Cluster Computing

Abstract:The commonly used method for network intrusion is based on pattern matching systems, but these systems do not have high detection accuracy when facing large-scale high-speed network traffic environments. In addition, when facing a wide variety of network attacks, relying solely on a certain network security technology is difficult to ensure network security. Therefore, a distributed network intrusion prevention system based on the Spark framework and dynamic information security theory model was innovatively proposed to improve the detection efficiency of network intrusion and solve these issues. The architecture and functional structure of the network intrusion prevention system were constructed by improving the random forest algorithm and Spark. In addition, the dynamic network intrusion prevention system was designed on the basis of the Policy Protection Detection Response (P2DR) model and the Protection Detection Reaction Recovery (PDRR) model to cope with the diverse network attacks and make up for the lack of dynamic defense based on improved forest algorithm and Spark. The test results showed that the network intrusion prevention system based on the improved random forest algorithm and Spark had a maximum detection time of 13,593 ms, a minimum detection time of 13,318 ms, and an average detection time of 13,468 ms when the data were 6000 pieces. The average success rate of the dynamic network intrusion prevention system based on the dynamic information security theory model was 87.72%, the average detection rate was 71.68%, and the average false alarm rate was 17.23%. The F1 values corresponding to the improved random forest algorithm under 7 different attack types of data were 0.985, 0.983, 0.876, 0.843, 0.797, 0.983, and 0.890, respectively, which were significantly better than the comparison algorithm. It can be seen that the dynamic network intrusion prevention system based on the improved random forest algorithm, Spark, and the dynamic information security theoretical model, has good performance and can effectively detect network intrusions, providing technical support for solving network intrusion problems in reality. The contribution of the research is reflected in the improvement of the detection performance of network intrusion detection systems and the reduction of detection time and false alarm rates.

computer science, information systems, theory & methods

胡敏,潘雪增,平玲娣

DOI: https://doi.org/10.3969/j.issn.1001-3695.2004.01.033

2004-01-01

Abstract:This paper focuses on issures related to deploying a data mining-based IDS (Intrusion Detection System) in a real time environment To overcome the limitations of traditional IDS, the corresponding solutions to accurracy, efficiency and usability is presented.These solutions impove efficiency of traditional DOS and maintain a desired accuracy level. This paper also proposed an architecture consisting of sensors, detectors, a data warehouse and model generation components. This architecture facilitates the sharing and storage of audit data and the distribution of new or updated models. Also, it improves the efficiency and scalability of the traditional IDS.

FuCheng Pan,DeZhi Han,Yuping Hu

DOI: https://doi.org/10.1504/IJES.2019.102428

2019-11-25

International Journal of Embedded Systems

Abstract:In order to realise the rapid analysis and identification of abnormal traffic in real-time networks, a distributed real-time network abnormal traffic detection system (DRNATDS) was designed, which could effectively analyse abnormal network traffic. DRNATDS provided effective real-time big data analysis platform and guaranteed network security. The paper proposes K-means algorithm based on relative density and distance, integrated with Spark Streaming and Kafka. It could effectively detect various network attacks under real-time data stream. The experimental results show that DRNATDS has good high availability and stability. Compared to other algorithms, K-means algorithm based on relative density and distance could more effectively identify abnormal network traffic and improve the recognition rate.

English Else

Brunel Elvire Bouya-Moko,Edward Kwadwo Boahen,Changda Wang

DOI: https://doi.org/10.3390/electronics11111675

IF: 2.9

2022-05-25

Electronics

Abstract:Strong network connections make the risk of malicious activities emerge faster while dealing with big data. An intrusion detection system (IDS) can be utilized for alerting suitable entities when hazardous actions are occurring. Most of the techniques used to classify intrusions lack the techniques executed with big data. This paper devised an optimization-driven deep learning technique for detecting the intrusion using the Spark model. The input data is fed to the data partitioning phase wherein the partitioning of data is done using the proposed fuzzy local information and Bhattacharya-based C-means (FLIBCM). The proposed FLIBCM was devised by combining Bhattacharya distance and fuzzy local information C-Means (FLICM). The feature selection was achieved with classwise info gained to select imperative features. The data augmentation was done with oversampling to make it apposite for further processing. The detection of intrusion was done using a deep Maxout network (DMN), which was trained using the proposed student psychology water cycle caviar (SPWCC) obtained by combining the water cycle algorithm (WCA), the conditional autoregressive value at risk by regression quantiles (CAViaR), and the student psychology-based optimization algorithm (SPBO). The proposed SPWCC-based DMN offered enhanced performance with the highest accuracy of 97.6%, sensitivity of 98%, and specificity of 97%.

engineering, electrical & electronic,computer science, information systems,physics, applied

Mohamed Abushwereb,Mouhammd Alkasassbeh,Mohammad Almseidin,Muhannad Mustafa

DOI: https://doi.org/10.48550/arXiv.2203.04347

2022-02-21

Abstract:The internet has caused tremendous changes since its appearance in the 1980s, and now, the Internet of Things (IoT) seems to be doing the same. The potential of IoT has made it the center of attention for many people, but, where some see an opportunity to contribute, others may see IoT networks as a target to be exploited. The high number of IoT devices makes them the perfect setup for staging denial-of-service attacks (DoS) that can have devastating consequences. This renders the need for cybersecurity measures such as intrusion detection systems (IDSs) evident. The aim of this paper is to build an IDS using the big data platform, Apache Spark. Apache Spark was used along with its ML library (MLlib) and the BoT-IoT dataset. The IDS was then tested and evaluated based on F-Measure (f1), as was the standard when evaluating imbalanced data. Two rounds of tests were performed, a partial dataset for minimizing bias, and the full BoT-IoT dataset for exploring big data and ML capabilities in a security setting. For the partial dataset, the Random Forest algorithm had the highest performance for binary classification at an average f1 measure of 99.7%, as well as 99.6% for main category classification, and an 88.5% f1 measure for sub category classification. As for the complete dataset, the Decision Tree algorithm scored the highest f1 measures for all conducted tests; 97.9% for binary classification, 79% for main category classification, and 77% for sub category classification.

Cryptography and Security,Networking and Internet Architecture

Ghulam Mohi-Ud-Din,Jiangbin Zheng,Zhiqiang Liu,Muhammad Asim,Jiajun Chen,Jinjing Liu,Zhijun Lin

DOI: https://doi.org/10.1109/vrhciai57205.2022.00051

2022-01-01

Abstract:Network traffic data has developed into an appealing target for attacks as new network communication services have drawn more attention. Due to the enormous number of data these systems create, conventional intrusion detection systems (IDS) cannot detect intruder behaviors in large-scale network systems. To detect malicious assaults early on, an effective IDS must be able to scan massive volumes of network traffic data quickly. In order to identify various types of intrusion in network systems, this study introduces a unique distributed network IDS (NIDS). The suggested NIDS is built on a distributed random forest that can analyze huge amounts of data quickly. The two steps of the suggested method are the traffic gathering module and the attack detection module. In VANETs, the random forest method was employed for real-time DDoS attack detection. A variety of performance criteria, including accuracy, precision, recall, and F1 score, were tested on the system to confirm the performance of the suggested framework. The proposed method achieves improved classification accuracy, according to the results. The suggested approach is suitable for complicated systems with high speed and low false alarm rates that require real-time intrusion detection.

Valerio Morfino,Salvatore Rampone

DOI: https://doi.org/10.3390/electronics9030444

IF: 2.9

2020-03-06

Electronics

Abstract:In the fields of Internet of Things (IoT) infrastructures, attack and anomaly detection are rising concerns. With the increased use of IoT infrastructure in every domain, threats and attacks in these infrastructures are also growing proportionally. In this paper the performances of several machine learning algorithms in identifying cyber-attacks (namely SYN-DOS attacks) to IoT systems are compared both in terms of application performances, and in training/application times. We use supervised machine learning algorithms included in the MLlib library of Apache Spark, a fast and general engine for big data processing. We show the implementation details and the performance of those algorithms on public datasets using a training set of up to 2 million instances. We adopt a Cloud environment, emphasizing the importance of the scalability and of the elasticity of use. Results show that all the Spark algorithms used result in a very good identification accuracy (>99%). Overall, one of them, Random Forest, achieves an accuracy of 1. We also report a very short training time (23.22 sec for Decision Tree with 2 million rows). The experiments also show a very low application time (0.13 sec for over than 600,000 instances for Random Forest) using Apache Spark in the Cloud. Furthermore, the explicit model generated by Random Forest is very easy-to-implement using high- or low-level programming languages. In light of the results obtained, both in terms of computation times and identification performance, a hybrid approach for the detection of SYN-DOS cyber-attacks on IoT devices is proposed: the application of an explicit Random Forest model, implemented directly on the IoT device, along with a second level analysis (training) performed in the Cloud.

engineering, electrical & electronic,computer science, information systems,physics, applied

Khloud Al Jallad,Mohamad Aljnidi,Mohammad Said Desouki

DOI: https://doi.org/10.48550/arXiv.2209.13961

2022-09-28

Cryptography and Security

Abstract:With the growing use of information technology in all life domains, hacking has become more negatively effective than ever before. Also with developing technologies, attacks numbers are growing exponentially every few months and become more sophisticated so that traditional IDS becomes inefficient detecting them. This paper proposes a solution to detect not only new threats with higher detection rate and lower false positive than already used IDS, but also it could detect collective and contextual security attacks. We achieve those results by using Networking Chatbot, a deep recurrent neural network: Long Short Term Memory (LSTM) on top of Apache Spark Framework that has an input of flow traffic and traffic aggregation and the output is a language of two words, normal or abnormal. We propose merging the concepts of language processing, contextual analysis, distributed deep learning, big data, anomaly detection of flow analysis. We propose a model that describes the network abstract normal behavior from a sequence of millions of packets within their context and analyzes them in near real-time to detect point, collective and contextual anomalies. Experiments are done on MAWI dataset, and it shows better detection rate not only than signature IDS, but also better than traditional anomaly IDS. The experiment shows lower false positive, higher detection rate and better point anomalies detection. As for prove of contextual and collective anomalies detection, we discuss our claim and the reason behind our hypothesis. But the experiment is done on random small subsets of the dataset because of hardware limitations, so we share experiment and our future vision thoughts as we wish that full prove will be done in future by other interested researchers who have better hardware infrastructure than ours.

Zhoukai Wang,Yinliang Zhao,Zhaorong Wang,Yuxiang Li

DOI: https://doi.org/10.1109/ISPA/IUCC.2017.00100

2017-01-01

Abstract:Intrusion prevention system is the most important and popular tool in information security. It has been widely used to identify potential threats and respond to them swiftly. However, the existing IPS based on regular expression matching is time consuming and do not support large data well, since it scans and processes input linearly. To enhance conventional approach's parallelism and improve its efficiency for processing problems with large-scale data, this paper raised a speculative parallel intrusion prevention system based on Apache Spark. In the proposed system, the input packets are speculatively divided into several chunks, and then distributed into Apache Spark for parallel processing. After processing, the results are collected and evaluated to eliminate incorrect speculations. Experiments show that for large-scale data, by comparing with the conventional approach, the proposed system could markedly shorten the execution time for intrusion prevention. It can be proved that by adopting our novel system, the efficiency of intrusion prevention can be significantly enhanced.

Abdulnaser A. Hagar,Bharti W. Gawali

DOI: https://doi.org/10.1155/2022/3131153

IF: 3.12

2022-08-27

Computational Intelligence and Neuroscience

Abstract:Keeping computers secure is becoming challenging as networks grow and new network-based technologies emerge. Cybercriminals' attack surface expands with the release of new internet-enabled products. As many cyberattacks affect businesses' confidentiality, availability, and integrity, network intrusion detection systems (NIDS) show an essential role. Network-based intrusion detection uses datasets like CSE-CIC-IDS2018 to train prediction models. With fourteen types of attacks included, the latest big data set for intrusion detection is available to the public. This work proposes three models, two deep learning convolutional neural networks (CNN), long short-term memory (LSTM), and Apache Spark, to improve the detection of all types of attacks. To reduce the dimensionality, random forests (RF) was employed to select the important features; it gave 19 from 84 features. The dataset is imbalanced; thus, oversampling and undersampling techniques reduce the imbalance ratio. The Apache Spark model produced the best results across all 15 classes, with accuracy as high as 100% for all classes, as seen by the experiments' findings. For the F1-score, Apache Spark showed the highest results with 1.00 for most classes. The findings of the three models showed outstanding results for multiclassification network intrusion detection.

mathematical & computational biology,neurosciences

Zhihao Wang,Dingde Jiang,Liuwei Huo,Wei Yang

DOI: https://doi.org/10.1007/s11276-021-02698-9

IF: 2.701

2021-01-01

Wireless Networks

Abstract:With the rapid development of cloud computing and mobile internet, massive network traffic is generated, with the raging malicious traffic and attacks. Network Intrusion Detection System plays an essential part in defending the malicious attacks. However, based on mathematical-statistical and packet verification methods, traditional network intrusion detection approaches are inadequate in detection capacity. Therefore, in this paper, we present an effective network intrusion detection approach based on sparse auto-encoder (SAE) and random forest (RF), as a mitigation way to this problem. The feature extraction power of SAE and the classification and detection power of random forest are combined to improve the detection efficiency and accuracy. And the SAE-RF (Sparse Auto-Encoder Based Random Forest) detection approach is presented. Besides, to address the irregularities and imbalance of the benchmark dataset, an ANASYN over-sampling technique is employed. Simulation and evaluation results on TensorFlow and Keras demonstrate the proposed SAE-RF model has better performance than existing approaches.

Ying Gao,Hongrui Wu,Binjie Song,Yaqia Jin,Xiongwen Luo,Xing Zeng

DOI: https://doi.org/10.1109/access.2019.2948382

IF: 3.9

2019-01-01

IEEE Access

Abstract:Security assurance in Vehicular Ad hoc Network (VANET) is a crucial and challenging task due to the open-access medium. One great threat to VANETs is Distributed Denial-of-Service (DDoS) attack because the target of this attack is to prevent authorized nodes from accessing the services. To provide high availability of VANETs, a scalable, reliable and robust network intrusion detection system should be developed to efficiently mitigate DDoS. However, big data from VANETs poses serious challenges to DDoS attack detection since the detection system require scalable methods to capture, store and process the big data. To overcome these challenges, this paper proposes a distributed DDoS network intrusion detection system based on big data technology. The proposed detection system consists of two main components: real-time network traffic collection module and network traffic detection module. To build our proposed system, we use Spark to speed up data processing and use HDFS to store massive suspicious attacks. In the network collection module, micro-batch data processing model is used to improve the real-time performance of traffic feature collection. In the traffic detection module, the classification algorithm based on Random Forest (RF) is adopted. In order to evaluate the accuracy of detection, the algorithm was evaluated and compared in the datasets, containing NSL-KDD and UNSW-NB15. The experimental results show that the proposed detection algorithm reached the accuracy rate of 99.95% and 98.75%, and the false alarm rate (FAR) of 0.05% and 1.08%, respectively, in two datasets.

computer science, information systems,telecommunications,engineering, electrical & electronic

Baojun Zhou,Jie Li,Jinsong Wu,Song Guo,Yu Gu,Zhetao Li

DOI: https://doi.org/10.1109/icc.2018.8422327

2018-01-01

Abstract:In order to cope with the increasing number of cyber attacks, network operators must monitor the whole network situations in real time. Traditional network monitoring method that usually works on a single machine, however, is no longer suitable for the huge traffic data nowadays due to its poor processing ability. In this paper, we propose a machine-learning based online Internet traffic monitoring system using Spark Streaming, a stream- processing-based big data framework, to detect DDoS attacks in real time. The system consists of three parts, collector, messaging system and stream processor. We use a correlation-based feature selection method and choose 4 most necessary network features in our machine- learning-based DDoS detection algorithm. We verify the result of feature selection method by a comparative experiment and compare the detection accuracy of 3 machine learning methods - Naïve Bayes, Logistic Regression and Decision Tree. Finally, we conduct experiments in a cluster with the standalone mode, showing that our system can detect 3 typical DDoS attacks - TCP flooding, UDP flooding and ICMP flooding at the accuracy of more than 99.3%. It also shows the system performs well even for large Internet traffic.

Ramin Atefinia,Mahmood Ahmadi

DOI: https://doi.org/10.22108/jcs.2022.131400.1085

2022-12-10

Abstract:The increase in the use of the Internet and web services and the advent of the fifth generation of cellular network technology (5G) along with ever-growing Internet of Things (IoT) data traffic will grow global internet usage. To ensure the security of future networks, machine learning-based intrusion detection and prevention systems (IDPS) must be implemented to detect new attacks, and big data parallel processing tools can be used to handle a huge collection of training data in these systems. In this paper Apache Spark, a general-purpose and fast cluster computing platform is used for processing and training a large volume of network traffic feature data. In this work, the most important features of the CSE-CIC-IDS2018 dataset are used for constructing machine learning models and then the most popular machine learning approaches, namely Logistic Regression, Support Vector Machine (SVM), three different Decision Tree Classifiers, and Naive Bayes algorithm are used to train the model using up to eight number of worker nodes. Our Spark cluster contains seven machines acting as worker nodes and one machine is configured as both a master and a worker. We use the CSE-CIC-IDS2018 dataset to evaluate the overall performance of these algorithms on Botnet attacks and distributed hyperparameter tuning is used to find the best single decision tree parameters. We have achieved up to 100% accuracy using selected features by the learning method in our experiments

Networking and Internet Architecture

Yuansheng Dong,Rong Wang,Juan He

DOI: https://doi.org/10.1109/icsess47205.2019.9040718

2019-01-01

Abstract:Computer network is vulnerable to hackers, computer viruses, and other malicious attacks. As an active defense technology, intrusion detection plays an important role in the field of network security. Traditional intrusion detection technologies face problems such as low accuracy, low detection efficiency, high false positive rate, and inability to cope with new types of intrusions. To solve these problems, we propose a real-time network intrusion detection system based on deep learning, which uses big data technology, natural language processing technology and deep learning technology. Our main contributions are as follows: (1) Use Flume as the agent for log collection to realize real-time massive log collection, using Flink as real-time computation engine. (2) Aiming at the high dimensional problem of traffic data, a self-encoder-based intrusion detection dimension reduction method is proposed, and the intrusion detection data is preprocessed, including data cleaning, coding, extraction and integration, and normalization. (3) Propos a deep learning-based intrusion detection model, AE-AlexNet, which uses Auto-Encoder AlexNet neural network. The experimental results of the intrusion detection data set KDD 99 show that the accuracy of the AE-AlexNet, model is as high as 94.32%.

Ziming Zhao,Zhaoxuan Li,Zhuoxue Song,Fan Zhang

DOI: https://doi.org/10.1109/rtss59052.2023.00045

2023-01-01

Abstract:Existing Deep Learning (DL)-based network Intrusion Detection System (IDS) is able to characterize sequence semantics of traffic and discover malicious behaviors. Yet DL models are often nonlinear and highly non-convex functions that are difficult for in-network real-time deployment, i.e., existing DL solutions are essentially offline analysis. In this paper, we present RIDS, a hardware-friendly Recurrent Neural Network (RNN) model that is co-designed with programmable switches. As its core, RIDS is powered by two tightly-coupled components: (i) rLearner, the RNN learning module with in-network deployability as the first-class requirement; and (ii) rEnforcer, the concrete pipeline design to realize rLearner-generated models inside the network dataplane. We implement a prototype of RIDS and evaluate it on our physical testbed. The experiments show that RIDS could satisfy both detection performance and high-speed bandwidth adaptation simultaneously, when none of the other existing approaches could do so. Inspiringly, RIDS realizes remarkable intrusion/malware detection effect (e.g., ∽99% F1 score) and model deployment (e.g., 100 Gbps per port), while only imposing nanoseconds of latency.

Schuartz, Fábio César

DOI: https://doi.org/10.1007/s12243-024-01046-0

2024-06-09

Annals of Telecommunications

Abstract:With the growth of computer networks worldwide, there has been a greater need to protect local networks from malicious data that travel over the network. The increase in volume, speed, and variety of data requires a more robust, accurate intrusion detection system capable of analyzing a huge amount of data. This work proposes the creation of an intrusion detection system using stream classifiers and three classification layers—with and without a reduction in the number of features of the records and three classifiers in parallel with a voting system. The results obtained by the proposed system are compared against other models proposed in the literature, using two datasets to validate the proposed system. In all cases, gains in accuracy of up to 18.52% and 3.55% were obtained, using the datasets NSL-KDD and CICIDS2017, respectively. Reductions in classification time up to 35.51% and 94.90% were also obtained using the NSL-KDD and CICIDS2017 datasets, respectively.

telecommunications

Jiake Ni,Weitao Weng,Jiayu Chen,Kai Lei

DOI: https://doi.org/10.1109/cyberc.2017.85

2017-01-01

Abstract:With the rapid development of Internet, Internet traffic and end hosts continue to grow in size. Traffic behavior analysis for a large-scale network is becoming more and more difficult. To address these challenges, this paper proposes an Internet traffic analysis approach based on community detection to discover community consisted of end hosts with similar traffic behavior in a large campus network. First, we use only the IP-to-IP information without packet payloads to model the similarity of end hosts in campus network. Then the similarity graph which represent the social behavior similarity of all end hosts is constructed. Finally, we leverage Label Propagation algorithm to discover end hosts community on the similarity graph. To satisfy demands for the scalable analysis of ever-growing Internet traffic data, a Spark-based Internet traffic analysis system is developed, including implementing the above algorithm. The experimental results based on real campus network traffic show the benefits of the proposed approach in analyzing traffic behavior of a large-scale network on host community level and detecting potential anomalous traffic behavior. The proposed approach reduces the complexity of analyzing the traffic behavior of a large network compare with analyzing individual host. In addition, the experimental results also demonstrate the Spark-based Internet traffic analysis system can analyze Internet traffic efficiently.