Ying Zhong,Zhiliang Wang,Xingang Shi,Jiahai Yang,Keqin Li

DOI: https://doi.org/10.1109/tifs.2024.3402439

IF: 7.231

2024-06-04

IEEE Transactions on Information Forensics and Security

Abstract:Fine-grained attack detection is an important network security task. A large number of machine learning/deep learning(ML/DL) based algorithms have been proposed. However, attacks not present in the training set pose a challenge to the model (open-set problem). Further, ML/DL based models face the problem of adversarial attacks. Despite the large amount of work attempting to address these problems, there are still some challenges as follows. First, the open-set problem in fine-grained attack detection is difficult to solve because there is no effective representation of the distribution of unknown attacks. Second, in the open set environment, how the fine-grained attack detection model resists the adversarial attack is a more difficult problem. For example, the presence of unknown attacks poses a challenge for adversarial defense. For these reasons, we propose the RFG-HELAD model, which consists of a K classification model based on deep neural network (DNN) with contrastive learning (CL), and a classification model combining a generative adversarial networks (GAN) with two discriminators and deep k-nearest neighbors (Deep kNN). Among them, Deep kNN uses latent features from GAN and contrastive learning as input, which is essentially a distance-based out-of-distribution detection algorithm used to determine unknown attacks. The large category of unknown attacks has been added to the K classification, so it is a classification. To further improve the robustness of the RFG-HELAD model, we perform Fourier transform as well as feature fusion on the features, and also conduct adversarial training on the K classification model. Generative adversarial training of our GAN model can implicitly defend against adversarial attack. Experiments show that our model is superior to other state-of-the-art (SOTA) models in the presence of unknown attacks as well as under adversarial attacks. Especially, our model improves the accuracy by at least 18.7% over the corresponding SOTA model with adversarial defense. Further, we discuss the grounded deployment of the model and demonstrate its feasibility.

computer science, theory & methods,engineering, electrical & electronic

Mukhtar Ahmed,Jinfu Chen,Ernest Akpaku,Rexford Nii Ayitey Sosu,Ajmal Latif

DOI: https://doi.org/10.1145/3690637

IF: 2.717

2024-08-29

ACM Transactions on Privacy and Security

Abstract:With the rapid advancements in internet technology, the complexity and sophistication of network traffic attacks are increasing, making it challenging for traditional anomaly detection systems to analyze and detect malicious network attacks. The increasing advancedness of cyber threats calls for innovative approaches to identify malicious patterns within network traffic precisely. The primary issue lies in the fact that these approaches do not focus on the essential adaptive features of network traffic. We proposed an effective anomaly detection system for malicious network traffic attacks called the Deep Ensemble Learning Model (DELM). We leverage the structure of the Feedforward Deep Neural Network (FDNN), and Deep Belief Network (DBN), incorporating multiple hidden layers with non-linear activation functions. Integrating Adaptive Feature Aggregation (AFA) with the FDNN algorithm dynamically adjusts the feature aggregation process based on incoming traffic characteristics to improve adaptability. The Conditional Generative Network was employed to enhance DELM for generating data for minority classes. To improve the model’s accuracy, we applied batch normalization and data augmentation techniques for preprocessing, utilized n-gram, one-hot encoding, and feature aggregation methods for effective feature extraction. This study significantly contributes to network security by enhancing systems for detecting malicious network traffic. With its interpretability and adaptability, our proposed model shows promise in addressing the evolving cyber threat and fortifying critical network infrastructure. The experimental results demonstrate that our model performs with higher stability than the existing state-of-the-art detection approaches, as reflected by its higher accuracy, precision, recall, f1 score, and AUC-ROC.

computer science, information systems

Hao Zhang,Zude Xiao,Jason Gu,Yanhua Liu

DOI: https://doi.org/10.1007/s11227-023-05474-y

IF: 3.3

2023-06-15

The Journal of Supercomputing

Abstract:With the rapid development of network technology, the Internet has brought significant convenience to various sectors of society, holding a prominent position. Due to the unpredictable and severe consequences resulting from malicious attacks, the detection of anomalous network traffic has garnered considerable attention from researchers over the past few decades. Accurately labeling a sufficient amount of network traffic data as a training dataset within a short period of time is a challenging task, given the rapid and massive generation of network traffic data. Furthermore, the proportion of malicious attack traffic is relatively small compared to the overall traffic data, and the distribution of traffic data across different types of malicious attacks also varies significantly. To address the aforementioned challenges, this paper presents a novel network anomaly detection algorithm based on semi-supervised learning and adaptive multiclass balancing. Building upon the assumption of consistent distribution between labeled and unlabeled data, this paper introduces the multiclass split balancing strategy and the adaptive confidence threshold function. These innovative approaches aim to tackle the issue of the multiclass imbalanced in traffic data. By leveraging the mutually beneficial relationship between semi-supervised learning and ensemble learning, this paper presents the collaborative rotation forest algorithm. This algorithm is specifically designed to enhance performance of anomaly detection in an environment with label inadequacy. Several comparative experiments conducted on the NSL-KDD, UNSW-NB15, and ToN-IoT demonstrate that the proposed algorithm achieves significant improvements in performance. Specifically, it enhances precision by 1.5–5.7%, recall by 1.5−5.7%, and F-Measure by 1.4−4.3% compared to the state-of-the-art algorithms.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Geying Yang,Jinyu Wu,Lina Wang,Qinghao Wang,Xiaowen Liu,Jie Fu

DOI: https://doi.org/10.1007/s10489-024-05673-x

IF: 5.3

2024-07-14

Applied Intelligence

Abstract:As the complexity and quantity of network data continue to increase, accurate and efficient anomaly detection methods become critical. Deep learning-based methods are suitable for real-time detection because they leverage neural networks to efficiently process massive amounts of data. However, for complex network environments and unknown threats, it is difficult to acquire balanced datasets for training, resulting in low model accuracy. Moreover, in a large-scale network environment, the model training process is complicated and resource-consuming, ignoring the important information hidden behind the data and poor scalability. To address these issues, we develop a novel network anomaly detection method that integrates fused feature imageization with an enhanced extreme learning machine, termed GMD-DELM. The network data stream features are transformed into images by an adaptive transformation method, generating a feature representation with highly enhanced data recognition capability. In addition, a ResNeXt network embedded with an attention mechanism is used to extract high-level features from images, enhancing the ability of deep learning networks to extract important features from network streams. Finally, we implement a network anomaly detection method established on an improved adaptive differential evolution kernel extreme learning machine. The experimental results demonstrate that the proposed model achieves notable enhancements achieved by the proposed model in reducing feature redundancy and improving accuracy compared to existing network anomaly detection models. Furthermore, our model exhibits improved stability and robustness in detecting corrupted network data containing noise.

computer science, artificial intelligence

Wanting Hu,Lu Cao,Qunsheng Ruan,Qingfeng Wu

DOI: https://doi.org/10.3390/s23115059

2023-05-25

Abstract:Network traffic anomaly detection is a key step in identifying and preventing network security threats. This study aims to construct a new deep-learning-based traffic anomaly detection model through in-depth research on new feature-engineering methods, significantly improving the efficiency and accuracy of network traffic anomaly detection. The specific research work mainly includes the following two aspects: 1. In order to construct a more comprehensive dataset, this article first starts from the raw data of the classic traffic anomaly detection dataset UNSW-NB15 and combines the feature extraction standards and feature calculation methods of other classic detection datasets to re-extract and design a feature description set for the original traffic data in order to accurately and completely describe the network traffic status. We reconstructed the dataset DNTAD using the feature-processing method designed in this article and conducted evaluation experiments on it. Experiments have shown that by verifying classic machine learning algorithms, such as XGBoost, this method not only does not reduce the training performance of the algorithm but also improves its operational efficiency. 2. This article proposes a detection algorithm model based on LSTM and the recurrent neural network self-attention mechanism for important time-series information contained in the abnormal traffic datasets. With this model, through the memory mechanism of the LSTM, the time dependence of traffic features can be learned. On the basis of LSTM, a self-attention mechanism is introduced, which can weight the features at different positions in the sequence, enabling the model to better learn the direct relationship between traffic features. A series of ablation experiments were also used to demonstrate the effectiveness of each component of the model. The experimental results show that, compared to other comparative models, the model proposed in this article achieves better experimental results on the constructed dataset.

Aiguo Chen,Yang Fu,Xu Zheng,Guoming Lu

DOI: https://doi.org/10.1016/j.cose.2021.102600

2022-03-01

Abstract:The Internet environment is exposed to diverse and increasingly numerous intrusion attacks due to its continuously expanding scale, threatening the information and assets of individuals and companies. The application of machine learning and deep learning methods has significantly improved the performance of network behavior anomaly detection (NBAD). However, existing NBAD methods based on machine learning classify network behaviors with hand-selected feature vectors, which are not flexible enough to adapt to various cyber environments and new categories of attacks, resulting in low accuracy. Moreover, high-dimensional and large-scale data have significantly increased the training, retraining, and detection time, resulting in low scalability. To solve these problems, an efficient NBAD algorithm based on deep belief networks (DBN) and long short-term memory (LSTM) networks is proposed. First, a nonlinear feature extraction method using a DBN is applied to extract features automatically and reduce the dimension of the original data while guaranteeing accuracy. Then, a light-structure LSTM network is used to obtain the classification results. The results of multiple experiments show that the proposed approach performs well in feature learning and has high accuracy while obtaining results in a timely manner and easily updating the model.

computer science, information systems

Wenqi Chen,Zhiliang Wang,Liyuan Chang,Kai Wang,Ying Zhong,Dongqi Han,Chenxin Duan,Xia Yin,Jiahai Yang,Xingang Shi

DOI: https://doi.org/10.1016/j.comnet.2024.110423

IF: 5.493

2024-01-01

Computer Networks

Abstract:The last decade has seen increasing application of machine learning to various tasks, including network anomaly detection. But anomaly detection methods using a single machine learning algorithm often fail to perform well, since network traffic can have complex and changeable patterns. Therefore, many solutions based on ensemble learning have been proposed to address this problem. However, previous studies have a essential drawback that they overlook the similarity between the weak classifiers, which may degrade the detection ability of the model. What's more, prior work use offline and supervised algorithms, which means a large amount of memory and reliable labels are necessary during the training period. In this paper, we propose ADSIM, an online, unsupervised, and similarity-aware network anomaly detection algorithm based on ensemble learning. In the training phase, ADSIM incrementally maintains a distance matrix to record the similarity between the classifiers and uses hierarchy clustering to group similar classifiers. In the detecting phase, each cluster will be assigned a weight based on the consistency of the classifier outputs within it. We evaluate ADSIM on two datasets, MAWILab and CIC-IDS-2017, and the results show that ADSIM can accurately detect various anomalies and outperforms state-of-the-art ensemble learning methods.

Yanfang Fu,Yishuai Du,Zijian Cao,Qiang Li,Wei Xiang

DOI: https://doi.org/10.3390/electronics11060898

IF: 2.9

2022-03-14

Electronics

Abstract:With an increase in the number and types of network attacks, traditional firewalls and data encryption methods can no longer meet the needs of current network security. As a result, intrusion detection systems have been proposed to deal with network threats. The current mainstream intrusion detection algorithms are aided with machine learning but have problems of low detection rates and the need for extensive feature engineering. To address the issue of low detection accuracy, this paper proposes a model for traffic anomaly detection named a deep learning model for network intrusion detection (DLNID), which combines an attention mechanism and the bidirectional long short-term memory (Bi-LSTM) network, first extracting sequence features of data traffic through a convolutional neural network (CNN) network, then reassigning the weights of each channel through the attention mechanism, and finally using Bi-LSTM to learn the network of sequence features. In intrusion detection public data sets, there are serious imbalance data generally. To address data imbalance issues, this paper employs the method of adaptive synthetic sampling (ADASYN) for sample expansion of minority class samples, to eventually form a relatively symmetric dataset, and uses a modified stacked autoencoder for data dimensionality reduction with the objective of enhancing information fusion. DLNID is an end-to-end model, so it does not need to undergo the process of manual feature extraction. After being tested on the public benchmark dataset on network intrusion detection NSL-KDD, experimental results show that the accuracy and F1 score of this model are better than those of other comparison methods, reaching 90.73% and 89.65%, respectively.

engineering, electrical & electronic,computer science, information systems,physics, applied

Vibekananda Dutta,Michał Choraś,Marek Pawlicki,Rafał Kozik

DOI: https://doi.org/10.3390/s20164583

2020-08-15

Abstract:Currently, expert systems and applied machine learning algorithms are widely used to automate network intrusion detection. In critical infrastructure applications of communication technologies, the interaction among various industrial control systems and the Internet environment intrinsic to the IoT technology makes them susceptible to cyber-attacks. Given the existence of the enormous network traffic in critical Cyber-Physical Systems (CPSs), traditional methods of machine learning implemented in network anomaly detection are inefficient. Therefore, recently developed machine learning techniques, with the emphasis on deep learning, are finding their successful implementations in the detection and classification of anomalies at both the network and host levels. This paper presents an ensemble method that leverages deep models such as the Deep Neural Network (DNN) and Long Short-Term Memory (LSTM) and a meta-classifier (i.e., logistic regression) following the principle of stacked generalization. To enhance the capabilities of the proposed approach, the method utilizes a two-step process for the apprehension of network anomalies. In the first stage, data pre-processing, a Deep Sparse AutoEncoder (DSAE) is employed for the feature engineering problem. In the second phase, a stacking ensemble learning approach is utilized for classification. The efficiency of the method disclosed in this work is tested on heterogeneous datasets, including data gathered in the IoT environment, namely IoT-23, LITNET-2020, and NetML-2020. The results of the evaluation of the proposed approach are discussed. Statistical significance is tested and compared to the state-of-the-art approaches in network anomaly detection.

Shiyong Dai,Yufei Zhao,Jinhua Huang,Xuxian Wang,Guifei Zhao,Lei Zhang,Ming Xie,Ziyue Guo

DOI: https://doi.org/10.1109/access.2023.3306243

IF: 3.9

2023-01-01

IEEE Access

Abstract:Network traffic anomaly detection methods can detect traffic that is significantly different from normal traffic by analyzing network traffic, and are seen as an effective means to detect unknown new attacks because they do not rely on static feature codes. However, most of the current network traffic anomaly detection methods have low accuracy and high false alarm rate. In this paper, an OS-ELM (Online Sequential Extreme Learning Machine) network traffic anomaly detection method is proposed. First, we use SMOTE to balance the data samples to improve the classification detection performance. In order to reduce the high dimensionality between data features and eliminate the redundancy, the Stacked Denoising Autoencoder (SDAE) network is adopt to reduce the dimension of the feature vectors. Finally, we test the real network traffic and analyze the effect of model structure and external noise on the detection performance, and the experimental results verify the correctness of our scheme. Compared with other detection methods based on data reconstruction, the proposed method has higher detection accuracy and better detection performance.

computer science, information systems,telecommunications,engineering, electrical & electronic

William Marfo,Deepak K. Tosh,Shirley V. Moore

DOI: https://doi.org/10.48550/arXiv.2303.07452

2023-03-14

Abstract:Due to the veracity and heterogeneity in network traffic, detecting anomalous events is challenging. The computational load on global servers is a significant challenge in terms of efficiency, accuracy, and scalability. Our primary motivation is to introduce a robust and scalable framework that enables efficient network anomaly detection. We address the issue of scalability and efficiency for network anomaly detection by leveraging federated learning, in which multiple participants train a global model jointly. Unlike centralized training architectures, federated learning does not require participants to upload their training data to the server, preventing attackers from exploiting the training data. Moreover, most prior works have focused on traditional centralized machine learning, making federated machine learning under-explored in network anomaly detection. Therefore, we propose a deep neural network framework that could work on low to mid-end devices detecting network anomalies while checking if a request from a specific IP address is malicious or not. Compared to multiple traditional centralized machine learning models, the deep neural federated model reduces training time overhead. The proposed method performs better than baseline machine learning techniques on the UNSW-NB15 data set as measured by experiments conducted with an accuracy of 97.21% and a faster computation time.

Machine Learning,Distributed, Parallel, and Cluster Computing

Emanuele Mengoli,Zhiyuan Yao,Wutao Wei

2024-02-01

Abstract:Anomaly detection plays a crucial role in ensuring network robustness. However, implementing intelligent alerting systems becomes a challenge when considering scenarios in which anomalies can be caused by both malicious and non-malicious events, leading to the difficulty of determining anomaly patterns. The lack of labeled data in the computer networking domain further exacerbates this issue, impeding the development of robust models capable of handling real-world scenarios. To address this challenge, in this paper, we propose an end-to-end anomaly detection model development pipeline. This framework makes it possible to consume user feedback and enable continuous user-centric model performance evaluation and optimization. We demonstrate the efficacy of the framework by way of introducing and bench-marking a new forecasting model -- named \emph{Lachesis} -- on a real-world networking problem. Experiments have demonstrated the robustness and effectiveness of the two proposed versions of \emph{Lachesis} compared with other models proposed in the literature. Our findings underscore the potential for improving the performance of data-driven products over their life cycles through a harmonized integration of user feedback and iterative development.

Networking and Internet Architecture,Machine Learning

Shi Dong,Yuanjun Xia,Tao Peng

DOI: https://doi.org/10.1109/tnsm.2021.3120804

2021-12-01

IEEE Transactions on Network and Service Management

Abstract:The rapid development of Internet technology has brought great convenience to our production life, and the ensuing security problems have become increasingly prominent. These problems threaten users' privacy and pose significant security risks to the normal conduct of many aspects of society, such as politics, economy, culture, and people's livelihood. The growth of the information transmission rate expands the scope of attacks and provides a more attack environment for intruders. Abnormal detection is an effective security protection technology that can monitor network transmission in real-time, effectively sense external attacks, and provide response decisions for relevant managers. The development of machine learning has also led to the development of abnormal traffic detection technology. The goal has been to use powerful and fast learning algorithms to deal with changing threats and respond in real-time. Most of the current abnormal detection research is based on simulation, using public and well-known datasets. On the one hand, the dataset contains high-dimensional massive data, which traditional machine learning methods cannot be processed. On the other hand, the labeled data scale is far behind the application requirements, and the dataset's labels are all manually labeled, so the labeling cost is exceptionally high. This paper proposes a semi-supervised Double Deep Q-Network (SSDDQN)-based optimization method for network abnormal traffic detection, mainly based on Double Deep Q-Network (DDQN), a representative of Deep Reinforcement Learning algorithm. In SSDDQN, the current network first adopts the autoencoder to reconstruct the traffic features and then uses a deep neural network as a classifier. The target network first uses the unsupervised learning algorithm K-Means clustering and then uses deep neural network prediction. The experiment uses NSL-KDD and AWID datasets for training and testing and -erforms a comprehensive comparison with existing machine learning models. The experimental results show that SSDDQN has certain advantages in time complexity and achieved good results in various evaluation metrics.

computer science, information systems

Chang Yang,Lisha Wu,Jing Xu,Yingjie Ren,Bo Tian,Zhenhua Wei

DOI: https://doi.org/10.1109/access.2024.3445533

IF: 3.9

2024-08-28

IEEE Access

Abstract:The anomaly detection in data links aims to identify the state of the link during data transmission, which is a critical task for ensuring information transmission security. Most anomaly detection methods focus solely on individual link characteristics, disregarding the inter-link structural information, thus hindering effective generalization to graph-structured data. In this study, we introduce a Graph Learning-based Data Link Anomaly Detection model (GLDAE) that considers both the link features and the communication network structure. Specifically, GLDAE comprises a graph enhancement module, a link feature autoencoder, a structure autoencoder, and a discriminator, enabling simultaneous learning of edge features and the latent representation of the graph structure. Moreover, to enhance the model's generalization capability, we employ contrastive learning between the original graph and its enhanced version. Additionally, to achieve joint learning of edge features and graph structure, we integrate edge feature embeddings and structure embeddings as inputs to the decoder. Finally, utilizing the well-trained encoder to encode link features and derive a new feature representation, we feed it into an MLP classifier to determine the link's status. Experimental evaluations were conducted on four authentic datasets (NF-UNSW-NB15, NF-UNSW-NB15-v2, NF-ToN-IoT, NF-ToN-IoT-v2), comparing our model against state-of-the-art baseline models, showcasing the substantial potential of our approach.

computer science, information systems,telecommunications,engineering, electrical & electronic

Fuguang Bao,Yongqiang Wu,Zhaogang Li,Yongzhao Li,Lili Liu,Guanyu Chen

DOI: https://doi.org/10.1155/2020/9084704

IF: 2.3

2020-09-17

Complexity

Abstract:High-dimensional and unbalanced data anomaly detection is common. Effective anomaly detection is essential for problem or disaster early warning and maintaining system reliability. A significant research issue related to the data analysis of the sensor is the detection of anomalies. The anomaly detection is essentially an unbalanced sequence binary classification. The data of this type contains characteristics of large scale, high complex computation, unbalanced data distribution, and sequence relationship among data. This paper uses long short-term memory networks (LSTMs) combined with historical sequence data; also, it integrates the synthetic minority oversampling technique (SMOTE) algorithm and K-nearest neighbors (kNN), and it designs and constructs an anomaly detection network model based on kNN-SMOTE-LSTM in accordance with the data characteristic of being unbalanced. This model can continuously filter out and securely generate samples to improve the performance of the model through kNN discriminant classifier and avoid the blindness and limitations of the SMOTE algorithm in generating new samples. The experiments demonstrated that the structured kNN-SMOTE-LSTM model can significantly improve the performance of the unbalanced sequence binary classification.

mathematics, interdisciplinary applications,multidisciplinary sciences

Christopher Nixon,Mohamed Sedky,Justin Champion,Mohamed Hassan

DOI: https://doi.org/10.1016/j.eswa.2024.123439

IF: 8.5

2024-02-12

Expert Systems with Applications

Abstract:Machine learning based intrusion detection systems monitor network data streams for cyber attacks. Challenges in this space include detecting unknown attacks, adapting to changes in the data stream such as changes in underlying behavior, the human cost of labeling data to retrain the machine learning model and the processing and memory constraints of a real-time data stream. Failure to manage the aforementioned factors could result in missed attacks, degraded detection performance, unnecessary expense or delayed detection times. This research proposes a new semi-supervised network data stream anomaly detection method, Split Active Learning Anomaly Detector (SALAD), which combines our novel Adaptive Anomaly Threshold and Stochastic Anomaly Threshold with Fading Factor methods. A novel Reconstruction Error based Distance from Threshold strategy is proposed and evaluated as part of an active stream framework to demonstrate reduction in labeling costs. The proposed methods are evaluated with the KDD Cup 1999, and UNSW-NB15 data sets, using the scikit-multiflow framework. Results demonstrated that the proposed SALAD method offered equivalent performance to full labeled and alternative Naïve Bayes (NB) and Hoeffding Adaptive Tree (HAT) methods, with a labeling budget of just 20%, significantly reducing the required human expertise to annotate the network data. Processing times of the SALAD method were demonstrated to be significantly lower than NB and HAT methods, allowing for greatly improved responsiveness to attacks occurring in real time.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Muhammad Muntazir Khan,Muhammad Zubair Rehman,Abdullah Khan,Eimad Abusham

DOI: https://doi.org/10.1049/ell2.13235

2024-07-17

Electronics Letters

Abstract:The contributions of the paper are as follows: The introduction of an ensemble learning‐based stacking classifier for anomaly detection in communication network traffic. The utilization of base classifiers such as K‐nearest neighbour (KNN), logistic regression (LR), Naive Bayes (NB), and decision tree (DT), with Support Vector Machines (SVM) as a meta‐classifier for anomaly detection. A comprehensive comparison of accuracy, precision, recall, and F‐measure between the proposed model and individual models, including KNN, NB, DT, LDA, LR, and SVM. In recent years, the internet has not only enhanced the quality of our lives but also made us susceptible to high‐frequency cyber‐attacks on communication networks. Detecting such attacks on network traffic is made possible by intrusion detection systems (IDS). IDSs can be broadly divided into two groups based on the type of detection they provide. According to the established rules, the first signature‐based IDS detects threats. Secondly, anomaly‐based IDS detects abnormal conditions in the network. Various machine and deep learning approaches have been used to detect anomalies in network traffic in the past. To improve the detection of anomalies in network traffic, researchers have compared several machine learning models, such as support vector machines (SVM), logistic regressions (LRs), K‐Nearest Neighbour (KNN), Nave Bayes (NBs), and boosting algorithms. The accuracy, precision, and recall of many studies have been satisfactory to an extent. Therefore, this paper proposes an ensemble learning‐based stacking classifier (ELSC) to achieve a better accuracy rate. In the proposed ELSC algorithm, KNN, NB, LR, and Decision Trees (DT) served as the base classifiers, while SVM served as the meta classifier. Based on a Network Intrusion detection dataset provided by Kaggle.com, ELSC is compared to base classifiers such as KNN, NB, LR, DT, SVM, and Linear Discriminate Analysis. As a result of the simulations, the proposed ELBS stacking classifier was found to outperform the other comparative models and converge with an accuracy of 99.4%.

engineering, electrical & electronic

Mingshu He,Xiaojuan Wang,Peng Wei,Liu Yang,Yinglei Teng,Renjian Lyu

DOI: https://doi.org/10.1109/tnsm.2024.3352586

2024-01-01

IEEE Transactions on Network and Service Management

Abstract:Anomaly detection plays an essential role in network security and traffic classification. Many studies have focused on anomaly detection to improve network security, including machine learning and deep learning methods. These methods often require numerous samples and must obtain the results by classifying the entire data set, thereby limiting their inflexibility. Although transfer and multitask learning have achieved some results in the model’s transferability, these methods must manually label or reprocess the test set. These problems limit the application of previous methods in network security management. To solve these problems, we propose a transferable and adaptable network intrusion detection system (TA-NIDS) based on deep reinforcement learning. The interaction process between the agent and the environment varies every time. A small-scale data set can be used to produce many interactive processes. Therefore, robustness is guaranteed when there are few samples. Then, a reasonable reward function allows the agent to learn how to first choose outliers without classifying the entire data set. This makes the TA-NIDS more adaptable to the scene when we prioritize apparent outliers. More importantly, the original features are transformed into the state of the environment, so no requirement exists for the feature dimension. Furthermore, the general rather than the specific state of one data set makes the model transferable to other data sets. The experimental results for IDS2017, IDS2018, NSL-KDD, UNSW-NB15 and CIC-IoT2023 show that the proposed framework maintains good accuracy when prioritizing outliers and transferability are prioritized simultaneously.

computer science, information systems

Dongpo Wang,Chengli Zhao,Xue Zhang,Boyu Liu,Xiang Li,Dongyun Yi

DOI: https://doi.org/10.1088/1742-6596/1693/1/012050

2020-01-01

Journal of Physics Conference Series

Abstract:With the increasing network threat, network anomaly detection has become a very challenging and indispensable task. In this article, we propose an anomaly detection algorithm through modeling computer network as temporal network. The active subnetwork is extracted from the original computer communication network and then projected to an undirected weighted network series, finally the abnormal behavior patterns of network series are detected based on eigenvectors. Data test experiment shows that the proposed algorithm has achieved very good results.

Sumaiya Thaseen Ikram,Aswani Kumar Cherukuri,Babu Poorva,Pamidi Sai Ushasree,Yishuo Zhang,Xiao Liu,Gang Li

DOI: https://doi.org/10.2478/cait-2021-0037

2021-09-01

Cybernetics and Information Technologies

Abstract:Abstract Intrusion Detection Systems (IDSs) utilise deep learning techniques to identify intrusions with maximum accuracy and reduce false alarm rates. The feature extraction is also automated in these techniques. In this paper, an ensemble of different Deep Neural Network (DNN) models like MultiLayer Perceptron (MLP), BackPropagation Network (BPN) and Long Short Term Memory (LSTM) are stacked to build a robust anomaly detection model. The performance of the ensemble model is analysed on different datasets, namely UNSW-NB15 and a campus generated dataset named VIT_SPARC20. Other types of traffic, namely unencrypted normal traffic, normal encrypted traffic, encrypted and unencrypted malicious traffic, are captured in the VIT_SPARC20 dataset. Encrypted normal and malicious traffic of VIT_SPARC20 is categorised by the deep learning models without decrypting its contents, thus preserving the confidentiality and integrity of the data transmitted. XGBoost integrates the results of each deep learning model to achieve higher accuracy. From experimental analysis, it is inferred that UNSW_ NB results in a maximal accuracy of 99.5%. The performance of VIT_SPARC20 in terms of accuracy, precision and recall are 99.4%. 98% and 97%, respectively.