Zhiyuan Lv,Youjian Zhao,Haibin Li

DOI: https://doi.org/10.1109/ISCC47284.2019.8969587

2019-01-01

Abstract:Nowadays, masquerade attack caused by identity misuse is a kind of severe insider threat and a common security problem for most organizations. Although the anomaly detection based on machine learning has been applied as a common method for this problem, most existing approaches for detecting masquerade attack usually use host-based data to profile user behavior and detect anomaly. However, host-based data are too sensitive to collect, which results in poor universality and makes it difficult for enterprises to deploy. In this paper, we propose a cheap and general masquerade detection method with high accuracy to profile user network behavior and detect anomaly, using network packet sketches (IP, port, protocol, etc.). As network packet headers with standardized format are non-sensitive, our method is suitable for most enterprises and much cheaper to deploy. To validate the method, we collected more than 10 TB normal user data and 5 GB simulated masquerader data in real enterprise environment. The experimental results show that our method achieves good performance with average AUC up to 0.988 and the approach of modeling user network behavior by network packet sketches results in good time efficiency.

Na Xing,Shuai Zhao,Yuehai Wang,Keqing Ning,Xiufeng Liu

DOI: https://doi.org/10.14569/ijacsa.2023.0140743

2023-01-01

Abstract:recent years, deep learning-based network intrusion detection systems (IDS) have shown impressive results in detecting attacks. However, most existing IDS can only recognize known attacks that were included in their training data. When faced with unknown attacks, these systems are often unable to take appropriate actions and incorrectly classify them into known categories, leading to reduced detection performance. Furthermore, as the number and types of network attacks continue to increase, it becomes challenging for these IDS to update their model parameters promptly and adapt to new attack scenarios. To address these issues, this paper introduces a dynamic intrusion detection system, Dynamic Unknown Attack Intrusion Detection System (DUA-IDS). This system aims to learn and detect unknown attacks effectively. DUA-IDS comprises three components: Feature Extractor: This component employs CNN and Transformer models to extract data features from various perspectives. Threshold-Based Classifier: The second part utilizes the nearest mean rule of samples to classify known and unknown attacks, enabling the distinction between them. Dynamic Learning Module: The third part incorporates data playback and knowledge distillation techniques to retain existing category knowledge while continuously learning new attack categories. To assess the effectiveness of DUA-IDS, this paper conducted experiments using the UNSW-NB15 public dataset. The experimental results show that DUA-IDS improves the classification accuracy of flow network data with unknown traffic attacks. Can accurately distinguish unknown traffic and correctly classify known traffic. When dynamically learning unknown traffic, the classification accuracy of previously learned known traffic is less affected. This indicates the advantages of DUA-IDS in detecting unknown attacks and learning new attack categories.

Bin Zhang,Xi Xiao,Weizhe Zhang,Arun Kumar Sangaiah,Ying Zhou,Xinyu Liu

DOI: https://doi.org/10.1002/ett.3858

IF: 3.6

2022-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:In-vehicle network is easy to be attacked by masquerade attackers because of the controller local area network, and there are many intrusion detection systems to solve this problem. However, the traditional methods consider the transition and frequent property, but they lose the information of the cooccurrence. In this article, a novel method based on cooccurrence matrixes is proposed, and it makes use of the cooccurrence property of the command stream, which is often ignored. There are two steps in the training process. First, a relatively large number of distinct shell commands are transformed into a smaller number of unique events by hierarchically merging shell commands. Second, considering the correlation property of audit data, the method constructs a partly normalized cooccurrence matrix to profile the valid user's normal behaviors. Although performing detection, the partly normalized cooccurrence matrixes of the current event sequences are generated. Then the distances between these matrixes and the profile matrix are calculated with sliding windows. Finally, distances are used to determine whether they are normal or not. Our method is evaluated against two standard masquerade detection datasets provided by T. Lane et al and M. Schonlau et al, respectively. The results indicate that the proposed method is promising in terms of detection accuracy, which is at least 10% higher than other four solutions, and the proposed method has fewer memory requirements, which saves at most 90% of the compared methods, and it can be conducted in parallel and is more suitable for real-time masquerade detection.

XIAO Xi,ZHAI Qi-bin,TIAN Xin-guang,CHEN Xiao-juan,YE Run-guo

2011-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:Masquerade attacks are attempts by unauthorized users to gain access to confidential data or greater access privileges,while pretending to be legitimate users.This paper proposes a novel method to distinguish legitimate users from masqueraders.The uncertainty of the user′s behavior and the relevance of the operation of shell commands are thoroughly considered.The method constructs specific highorder homogeneous Markov chain models to represent the normal behavior profiles of valid users.It defines the states by twofold hierarchical merging shell commands.Therefore this method increases the accuracy of describing the normal behavior profiles,improves the generalization of the detection system and sharply reduces the storage space.In the detection period,taking the real-time performance into account,it computes the categorical boolean variables only using the transition probabilities,which has little computation workload,and then smoothes them to get the decision values used to determine whether the monitored user′s behavior is normal or anomalous.Its performance is tested in computer simulation,showing higher detection accuracy and fewer computation costs than related methods′.The proposed method is especially suitable for on-line detection.

Xiao X,Tian X,Zhai Q,Xia S.

DOI: https://doi.org/10.1016/j.jss.2012.05.049

IF: 3.5

2012-01-01

Journal of Systems and Software

Abstract:Masquerade detection is now one of the major concerns of system security research and its difficulty is to model user behavior on the nonstationary audit data. Many previous works represent the user behavior based on fixed-length models. In this paper, we propose a variable-length model to overcome their weakness in the precision and adaptability of user profiling. In the model, the user's normal behavior is profiled by Markov chain with states of variable-length sequences. At first multiple shell command streams of different lengths are generated and different shell command sequences are hierarchically merged into several sets to form the library of general sequences. Then the variable-length behavioral patterns of a valid user are mined and the Markov chain is constructed. While performing detection, the probabilities of short state sequences are calculated, smoothed with sliding windows, and finally used to classify the monitored user's activity as normal or abnormal. Our experiments with standard datasets such as Purdue data and SEA data reveal that the proposed model can achieve higher detection accuracy, require less memory and take shorter time than the other traditional methods and is amenable for real-time intrusion detection.

ZENG Jian-ping,GUO Dong-hui

DOI: https://doi.org/10.3321/j.issn:0372-2112.2008.04.030

2008-01-01

Abstract:User activities are normally in variant forms or may be aberrant in some cases.This kind of uncertainty leads to the difficulty for current intrusion detection algorithm in deciding whether the user is masquerading or not.In the proposed algorithm,the user features are properly selected and the corresponding user trustworthiness computation methods are introduced.Different types of trustworthiness are integrated with interval type-2 fuzzy set,thus user trustworthiness is got and applied to a threshold-based decision.Theory analysis and experiments show that the proposed algorithm can handle the uncertainties that exist in user actirity or user model,so better detection performance can be achieved,compared with the detection algorithm based on ordinal fuzzy set.

Kaiyan Wang,Shaopei Ji,Lei Deng,Yanhong Liu

DOI: https://doi.org/10.1109/icbaie59714.2023.10281313

2023-01-01

Abstract:Aiming at the problems of unbalanced traffic data collected in the real network environment and inaccurate feature representation of traditional machine learning methods, this paper proposes an intrusion detection method based on RBSMOTE and double Attention. Firstly, based on a refined Borderline-SMOTE method (RB-SMOTE), the intrusion data is oversampled to solve the problem of data imbalance, and the advantages of the convolutional network in image feature extraction are used to extract Convert one-dimensional flow data into grayscale images. Then, the low-dimensional features are dimensionally updated from the channel dimension and the spatial dimension through the dual-attention network to obtain a more accurate feature representation. Finally, the softmax classifier is used to classify and predict the traffic data. This method has been verified on the NSL-KDD dataset, and its accuracy rate reaches 99.24%, which is higher than other commonly used methods.

Weiming Hu,Wei Hu,Steve Maybank

DOI: https://doi.org/10.1109/tsmcb.2007.914695

2005-01-01

Abstract:Network intrusion detection aims at distinguishing the attacks on the Internet from normal use of the Internet. It is an indispensable part of the information security system. Due to the variety of network behaviors and the rapid development of attack fashions, it is necessary to develop fast machine-learning-based intrusion detection algorithms with high detection rates and low false-alarm rates. In this correspondence, we propose an intrusion detection algorithm based on the AdaBoost algorithm. In the algorithm, decision stumps are used as weak classifiers. The decision rules are provided for both categorical and continuous features. By combining the weak classifiers for continuous features and the weak classifiers for categorical features into a strong classifier, the relations between these two different types of features are handled naturally, without any forced conversions between continuous and categorical features. Adaptable initial weights and a simple strategy for avoiding overfitting are adopted to improve the performance of the algorithm. Experimental results show that our algorithm has low computational complexity and error rates, as compared with algorithms of higher computational complexity, as tested on the benchmark sample data.

Yanfang Fu,Yishuai Du,Zijian Cao,Qiang Li,Wei Xiang

DOI: https://doi.org/10.3390/electronics11060898

IF: 2.9

2022-03-14

Electronics

Abstract:With an increase in the number and types of network attacks, traditional firewalls and data encryption methods can no longer meet the needs of current network security. As a result, intrusion detection systems have been proposed to deal with network threats. The current mainstream intrusion detection algorithms are aided with machine learning but have problems of low detection rates and the need for extensive feature engineering. To address the issue of low detection accuracy, this paper proposes a model for traffic anomaly detection named a deep learning model for network intrusion detection (DLNID), which combines an attention mechanism and the bidirectional long short-term memory (Bi-LSTM) network, first extracting sequence features of data traffic through a convolutional neural network (CNN) network, then reassigning the weights of each channel through the attention mechanism, and finally using Bi-LSTM to learn the network of sequence features. In intrusion detection public data sets, there are serious imbalance data generally. To address data imbalance issues, this paper employs the method of adaptive synthetic sampling (ADASYN) for sample expansion of minority class samples, to eventually form a relatively symmetric dataset, and uses a modified stacked autoencoder for data dimensionality reduction with the objective of enhancing information fusion. DLNID is an end-to-end model, so it does not need to undergo the process of manual feature extraction. After being tested on the public benchmark dataset on network intrusion detection NSL-KDD, experimental results show that the accuracy and F1 score of this model are better than those of other comparison methods, reaching 90.73% and 89.65%, respectively.

engineering, electrical & electronic,computer science, information systems,physics, applied

Wei Liang,Kuan-Ching Li,Jing Long,Xiaoyan Kui,Albert Y. Zomaya

DOI: https://doi.org/10.1109/tii.2019.2946791

IF: 12.3

2020-03-01

IEEE Transactions on Industrial Informatics

Abstract:Industrial networks are complex and diverse. Among existing intrusion prevention systems available, several of them have problems such as low detection accuracy rate, high false positive (FP) rate, and low real-time performance for impersonation attacks. To address such issues, it is proposed in this article an industrial network intrusion detection algorithm based on multifeature data clustering optimization model, where the weighted distances and security coefficients of data are classified based on the priority threshold of data attribute feature for each node in the network, given that the data modules in the industrial network environment are diverse and easy to diagnose, restore, and rebuild. The proposed algorithm can effectively improve the detection rate and real-time performance of detecting abnormal behavior for the multifeature data in industrial networks. The novel features are twofold, to rapidly select a node with high-security coefficient as the cluster center, and match the multifeature data around the center into a cluster. Experimental results show that the proposed algorithm has good superiority in terms of detection rate and time compared to other algorithms. In the industrial network, the detection accuracy of abnormal data reaches 97.8, and the FP of detection is decreased by 8.8.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Jingqi Zhang,Xin Zhang,Zhaojun Liu,Fa Fu,Yihan Jiao,Fei Xu

DOI: https://doi.org/10.3390/electronics12194170

IF: 2.9

2023-10-09

Electronics

Abstract:A network intrusion detection tool can identify and detect potential malicious activities or attacks by monitoring network traffic and system logs. The data within intrusion detection networks possesses characteristics that include a high degree of feature dimension and an unbalanced distribution across categories. Currently, the actual detection accuracy of some detection models is relatively low. To solve these problems, we propose a network intrusion detection model based on multi-head attention and BiLSTM (Bidirectional Long Short-Term Memory), which can introduce different attention weights for each vector in the feature vector that strengthen the relationship between some vectors and the detection attack type. The model also utilizes the advantage that BiLSTM can capture long-distance dependency relationships to obtain a higher detection accuracy. This model combined the advantages of the two models, adding a dropout layer between the two models to improve the detection accuracy while preventing training overfitting. Through experimental analysis, the network intrusion detection model that utilizes multi-head attention and BilSTM achieved an accuracy of 98.29%, 95.19%, and 99.08% on the KDDCUP99, NSLKDD, and CICIDS2017 datasets, respectively.

engineering, electrical & electronic,computer science, information systems,physics, applied

Zijun Hang,Yi Xie,Yuliang Lu,Yongjie Wang

DOI: https://doi.org/10.1145/3607199.3607206

2023-10-16

Abstract:Malicious traffic classification is crucial for Intrusion Detection Systems (IDS). However, traditional Machine Learning approaches necessitate expert knowledge and a significant amount of well-labeled data. Although recent studies have employed pre-training models from the Natural Language Processing domain, such as ET-BERT, for traffic classification, their effectiveness is impeded by limited input length and fixed Byte Pair Encoding. To address these challenges, this paper presents Flow-MAE, a pre-training model that employs Masked AutoEncoders (MAE) from the Computer Vision domain to achieve accurate, efficient, and robust malicious network traffic classification. Flow-MAE overcomes these challenges by utilizing burst (a generic representation of network traffic) and patch embedding to accommodate extensive traffic length. Moreover, Flow-MAE introduces a self-supervised pre-training task, the Masked Patch Model, which captures unbiased representations from bursts with varying lengths and patterns. Experimental results from six datasets reveal that Flow-MAE achieves new state-of-the-art accuracy (>0.99), efficiency (>900 samples/s), and robustness across diverse network traffic types. In comparison to the state-of-the-art ET-BERT, Flow-MAE exhibits improvements in accuracy and speed by 0.41%-1.93% and 7.8x-10.3x, respectively, while necessitating only 0.2% FLOPs and 44% memory overhead. The efficacy of the core designs is validated through few-shot learning and ablation experiments. The code is publicly available at https://github.com/NLear/Flow-MAE.

Computer Science

Xuecheng Yu,Yan Huang,Yu Zhang,Mingyang Song,Zhenhong Jia

DOI: https://doi.org/10.32604/cmc.2023.044999

2024-01-01

Abstract:With the increasing dimensionality of network traffic, extracting effective traffic features and improving the identification accuracy of different intrusion traffic have become critical in intrusion detection systems (IDS). However, both unsupervised and semisupervised anomalous traffic detection methods suffer from the drawback of ignoring potential correlations between features, resulting in an analysis that is not an optimal set. Therefore, in order to extract more representative traffic features as well as to improve the accuracy of traffic identification, this paper proposes a feature dimensionality reduction method combining principal component analysis and Hotelling’s T2 and a multilayer convolutional bidirectional long short-term memory (MSC_BiLSTM) classifier model for network traffic intrusion detection. This method reduces the parameters and redundancy of the model by feature extraction and extracts the dependent features between the data by a bidirectional long short-term memory (BiLSTM) network, which fully considers the influence between the before and after features. The network traffic is first characteristically downscaled by principal component analysis (PCA), and then the downscaled principal components are used as input to Hotelling’s T2 to compare the differences between groups. For datasets with outliers, Hotelling’s T2 can help identify the groups where the outliers are located and quantitatively measure the extent of the outliers. Finally, a multilayer convolutional neural network and a BiLSTM network are used to extract the spatial and temporal features of network traffic data. The empirical consequences exhibit that the suggested approach in this manuscript attains superior outcomes in precision, recall and F1-score juxtaposed with the prevailing techniques. The results show that the intrusion detection accuracy, precision, and F1-score of the proposed MSC_BiLSTM model for the CIC-IDS 2017 dataset are 98.71%, 95.97%, and 90.22%.

computer science, information systems,materials science, multidisciplinary

Ying-Dar Lin,Ze-Yu Wang,Po-Ching Lin,Van-Linh Nguyen,Ren-Hung Hwang,Yuan-Cheng Lai

DOI: https://doi.org/10.1016/j.jisa.2022.103248

IF: 4.96

2022-08-01

Journal of Information Security and Applications

Abstract:This work compares the performance of different combinations of data sources for intrusion detection in depth. To learn and distinguish between normal and malicious behavior, we use machine learning algorithms and train three typical models on three kinds of datasets: system logs, packet flows and host statistics. Unlike other studies, our study captures and monitors the behavior from multiple data sources in order to catch security attacks. Our aim is to figure out how to build the most effective dataset for machine learning with a combination of multiple sources. However, since there are no such datasets which have been generated from multiple sources for given attacks, we show how to build and generate a dataset with three data sources. We then compare the F1 score of the detection by applying machine learning algorithms for various combinations of the data sources. Our evaluation results show that the dataset of host statistics results in better performance (0.91) than traffic flows (0.63) and system logs (0.44) because it has the highest average F1-score in the three stages of attacks, while the other datasets may have poor F1-scores in some of the stages, particularly in the stage of impact. However, in the initial access stage of attacks, the dataset of logs performs the best (0.94), and the packet flows are suitable for detecting network DoS attacks (0.82). Furthermore, running this detection with all three data sources results in minor overheads of at most 2.1% CPU utilization. Finally, we analyze the important features of each model, such as the number of logs generated by apache-access, in.telnetd and postfix in the dataset of logs, SrcBytes and TotBytes in the dataset of flows, and MINFLT, VSTEXT and RSIZE in the dataset of statistics.

computer science, information systems

Jiang Shan,Chen Changai

DOI: https://doi.org/10.2991/isrme-15.2015.109

2015-01-01

Abstract:The security of software applications, from web-based applications to mobile services, is always at risk because of the open society of internet. With the increase in the number of network throughput and security threats, intrusion detection system has attracted much attention in recent years. In this paper, we undertake the research on the principle techniques for network intrusion detection based on data mining and analysis approach. We adopt the prior knowledge on Bayesian network which is a directed acyclic graph, each node represents a random variable and an edge said direct probabilistic dependencies between two connected nodes. Then, we use the traditional risk assessment model to measure the possibility of being hearted. The numeric analysis and experimental illustration indicates the effectiveness of our method compared with other popular adopted state-of-the-art methodologies. In the future, we plan to introduce the graph and complex network theory into our prototype system to enhance the performance.

Cai Ming Liu,Yan Zhang,Zhihui Hu,Chunming Xie

DOI: https://doi.org/10.32604/cmc.2023.045282

2024-01-01

Abstract:Artificial immune detection can be used to detect network intrusions in an adaptive approach and proper matching methods can improve the accuracy of immune detection methods. This paper proposes an artificial immune detection model for network intrusion data based on a quantitative matching method. The proposed model defines the detection process by using network data and decimal values to express features and artificial immune mechanisms are simulated to define immune elements. Then, to improve the accuracy of similarity calculation, a quantitative matching method is proposed. The model uses mathematical methods to train and evolve immune elements, increasing the diversity of immune recognition and allowing for the successful detection of unknown intrusions. The proposed model’s objective is to accurately identify known intrusions and expand the identification of unknown intrusions through signature detection and immune detection, overcoming the disadvantages of traditional methods. The experiment results show that the proposed model can detect intrusions effectively. It has a detection rate of more than 99.6% on average and a false alarm rate of 0.0264%. It outperforms existing immune intrusion detection methods in terms of comprehensive detection performance.

computer science, information systems,materials science, multidisciplinary

Yiming Wu,Gaoyun Lin,Lisong Liu,Zhen Hong,Yangyang Wang,Xing Yang,Zoe L. Jiang,Shouling Ji,Zhenyu Wen

DOI: https://doi.org/10.1109/jiot.2024.3395629

IF: 10.6

2024-07-10

IEEE Internet of Things Journal

Abstract:The rapid proliferation of Internet of Things (IoT) devices has led to an increased need for robust and efficient intrusion detection systems capable of identifying and mitigating novel threats. Traditional methods often struggle with the scarcity of labeled anomaly data, which is highly consequential, particularly in the context of IoT. In this study, we propose a novel few-shot learning (FSL) approach by leveraging a multistage attention Siamese network (MASiNet) for network traffic intrusion detection based on meta-learning framework. Unlike traditional methods, the proposed MASiNet model is capable of detecting intrusions with minimal labeled samples, addressing the challenge of scarce anomaly data. The model is trained using various attack samples and evaluates unknown samples by comparing similarities with a small set of known attack types. A well-structured cost function design, incorporating two specific losses, is introduced to optimize the effectiveness of the training process. Tested on the NSL_KDD and UNSW-NB15 data sets in a simulated FSL environment, the MASiNet model demonstrates superior performance in terms of accuracy, precision, and false alarm rate (FAR), outperforming existing methods. Furthermore, we have validated our approach through real-world evaluations. The proposed method provides an effective solution for intrusion detection in the context of FSL, offering a proficient solution that aligns with the dynamic nature of IoT networks.

computer science, information systems,telecommunications,engineering, electrical & electronic

Guojun Chu,Jingyu Wang,Qi Qi,Haifeng Sun,Shimin Tao,Hao Yang,Jianxin Liao,Zhu Han

DOI: https://doi.org/10.1109/tdsc.2022.3228797

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Fraud detection in telecom network is a crucial problem that threatens users' privacy and property security. In recent years, fraudsters adopt more advanced camouflage strategies to avoid being detected by traditional algorithms. To deal with these new types of fraud, it is necessary to analyze the integrated spatial-temporal features, which are rarely involved in existing literature. In this paper, we propose a novel fraud detection model based on the intertwined spatial-temporal patterns of user behaviors. Specifically, we first introduce the extension of statistical and interactive features to dynamic call patterns, and build a probabilistic model to simulate users' call behaviors. Then the sequential patterns reflecting users' own behaviors are obtained by the mixture Hidden Markov Models, and the structural patterns reflecting the collaboration between users in the telecom network are obtained by the attention-based Graph-SAGE model. Finally, our model outputs a fraud score for each user to detect potential fraudsters. We conduct extensive experiments on a real-world telecom dataset. The experimental results demonstrate that our intertwined spatial-temporal call patterns can effectively represent user behavior and improve the accuracy of fraud detection compared with state-of-the-art methods. The results also validate the efficiency and the interpretability of our model.

computer science, information systems, software engineering, hardware & architecture

WEI WANG,XIAO-HONG GUAN,XIANG-LIANG ZHANG

DOI: https://doi.org/10.1109/ICMLC.2004.1378514

2004-01-01

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework and a hot topic in computer network security in recent years. In this paper, a new efficient intrusion detection method based on hidden Markov models (HMMs) is presented. HMMs are applied to model the normal program behaviors using traces of system calls issued by processes. The output probability of a sequence of system calls is calculated by the normal model built. If the probability of a sequence in a trace is below a certain threshold, the sequence is flagged as a mismatch. If the ratio between the mismatches and all the sequences in a trace exceeds another threshold, the trace is then considered as a possible intrusion. The method is implemented and tested on the sendmail system call data from the University of New Mexico. Experimental results show that the performance of the proposed method in intrusion detection is better than other methods.