Gang Kou,Yi Peng,Yong Shi,Zhengxin Chen,Xiaojun Chen

DOI: https://doi.org/10.1007/978-3-540-30537-8_16

2004-01-01

Abstract:The early and reliable detection and deterrence of malicious attacks, both from external and internal sources are a crucial issue for today's e-business. There are various methods available today for intrusion detection; however, every method has its limitations and new approaches should still be explored. The objectives of this study are twofold: one is to discuss the formulation of Multiple Criteria Quadratic Programming (MCQP) approach, and to investigate the applicability of the quadratic classification method to the intrusion detection problem. The demonstration of successful Multiple Criteria Quadratic Programming application in intrusion detection can add another option to network security toolbox. The classification results are examined by cross-validation and improved by an ensemble method. The results demonstrated that MCQP is excellent and stable. Furthermore, the outcome of MCQP can be improved by the ensemble method.

Gang Kou,Yi Peng,Yong Shi,Zhengxin Chen

DOI: https://doi.org/10.1109/ICDMW.2006.122

2006-01-01

Abstract:The growing number of computer network attacks or intrusions has caused huge lost to companies, organizations, and governments during the last decade. Intrusion detection, which aims at identifying and predicting network attacks, is a fast developing area that has attracted attention from both industry and academia. Technologies have been developed to detect network intrusions using theories and methods from statistics, machine learning, soft computing, mathematics, and many other fields. We have previously proposed multiple criteria linear programming (MCLP) and multiple criteria nonlinear programming (MCNP) models for two-group intrusion detection. Although these models achieve good results in two-group classification problems, they perform poorly on multi-group situations. In order to solve the problem, we introduce the kernel concept into multiple criteria models in this paper. Experimental results show that the new model provides both high classification accuracies and low false alarm rates in three-group and four-group intrusion detection. Keywords: Network intrusion detection, Security, Multiple criteria mathematical programming, Multi-group classification.

Gang Kou,Nian Yan,Yi Peng,Yong Shi,Zhengxin Chen

DOI: https://doi.org/10.1109/ICSSSM.2005.1500112

2005-01-01

Abstract:The early and reliable detection of malicious attacks is a crucial issue for today's network security and survivability. Different types of attacks may need different responses. Therefore, it is a meaningful task to predict the category of malicious attacks and take appropriate reactions. The goal of this research is to apply multiple-criteria linear programming (MCLP) method to the multi-group intrusion classification problem. Specifically, we first collect a multigroup network intrusion dataset using Tenable NeWT Security Scanner. Five attack types and total of 9061 data records were captured. After that, MCLP five-group model was applied to the NeWT dataset. The classification accuracy of MCLP was compared with sees, a decision-tree-based classification tool. The experimental results of this research indicate that MCLP achieves comparable classification accuracy to sees.

Gang Kou,Yi Peng,Zhengxin Chen,Yong Shi

DOI: https://doi.org/10.1016/j.ins.2008.10.025

IF: 8.1

2009-01-01

Information Sciences

Abstract:Multi-class classification problems are harder to solve and less studied than binary classification problems. The goal of this paper is to present a multi-criteria mathematical programming (MCMP) model for multi-class classification. Furthermore, we introduce the concept of e-support vector to facilitate computation of large-scale applications. Instead of finding the optimal solution for a convex mathematical programming problem, the computation of optimal solution for the model requires only matrix computation. Using two network intrusion datasets, we demonstrate that the proposed model can achieve both high classification accuracies and low false alarm rates for multi-class network intrusion classification.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Lu Lv,Wenhai Wang,Zeyin Zhang,Xinggao Liu

DOI: https://doi.org/10.1016/j.knosys.2020.105648

IF: 8.139

2020-01-01

Knowledge-Based Systems

Abstract:Intrusion detection is a challenging technology in the area of cyberspace security for protecting a system from malicious attacks. A novel accurate and effective misuse intrusion detection system that relies on specific attack signatures to distinguish between normal and malicious activities is therefore presented to detect various attacks based on an extreme learning machine with a hybrid kernel function (HKELM). First, the derivation and proof of the proposed hybrid kernel are given. A combination of the gravitational search algorithm (GSA) and differential evolution (DE) algorithm is employed to optimize the parameters of HKELM, which improves its global and local optimization abilities during prediction attacks. In addition, the kernel principal component analysis (KPCA) algorithm is introduced for dimensionality reduction and feature extraction of the intrusion detection data. Then, a novel intrusion detection approach, KPCA-DEGSA-HKELM, is obtained. The proposed approach is eventually applied to the classic benchmark KDD99 dataset, the real modern UNSW-NB15 dataset and the industrial intrusion detection dataset from the Tennessee Eastman process. The numerical results validate both the high accuracy and the time-saving benefit of the proposed approach.

G Kou,XT Liu,Y Peng,Y Shi,M Wise,WX Xu

DOI: https://doi.org/10.1080/10556780310001600953

2003-01-01

Abstract:It is well known that data mining has been implemented by statistical regressions, induction decision tree, neural networks, rough set, fuzzy set and etc. This paper promotes a multiple criteria linear programming (MCLP) approach to data mining based on linear discriminant analysis. This paper first describes the fundamental connections between MCLP and data mining, including several general models of MCLP approaches. Given the general models, it focuses on a designing architecture of MCLP-data mining algorithms in terms of a process of real-life business intelligence. This architecture consists of finding MCLP solutions, preparing mining scores, and interpreting the knowledge patterns. Secondly, this paper elaborates the software development of the MCLP-data mining algorithms. Based on a pseudo coding, two versions of software (SAS- and Linux-platform) will be discussed. Finally, the software performance analysis over business and experimental databases is reported to show its mining and prediction power. As a part of the performance analysis, a series of data testing comparisons between the MCLP and induction decision tree approaches are demonstrated. These findings suggest that the MCLP-data mining techniques have a great potential in discovering knowledge patterns from a large-scale real-life database or data warehouse.

Yong Shi,Yi Peng,Weixuan Xu,Xiaowo Tang

DOI: https://doi.org/10.1142/s0219622002000038

2002-01-01

International Journal of Information Technology & Decision Making

Abstract:Data mining becomes a cutting-edge information technology tool in today's competitive business world. It helps the company discover previously unknown, valid, and actionable information from various and large databases for crucial business decisions. This paper provides a promising approach of data mining to classify the credit cardholders' behavior through multiple criteria linear programming. After reviewing the history of linear discriminant analyses, we will describe first a model for classifying two-group (e.g. bad or good) credit cardholder behaviors, and then a three-group (e.g. bad, normal, or good) credit model. Besides the discussion of the modeling structure, we will utilize the well-known commercial software package SAS to implement this technology by using a real-life credit card data warehouse. A number of potential business and financial applications will be finally summarized.

Wei Liang,Kuan-Ching Li,Jing Long,Xiaoyan Kui,Albert Y. Zomaya

DOI: https://doi.org/10.1109/tii.2019.2946791

IF: 12.3

2020-03-01

IEEE Transactions on Industrial Informatics

Abstract:Industrial networks are complex and diverse. Among existing intrusion prevention systems available, several of them have problems such as low detection accuracy rate, high false positive (FP) rate, and low real-time performance for impersonation attacks. To address such issues, it is proposed in this article an industrial network intrusion detection algorithm based on multifeature data clustering optimization model, where the weighted distances and security coefficients of data are classified based on the priority threshold of data attribute feature for each node in the network, given that the data modules in the industrial network environment are diverse and easy to diagnose, restore, and rebuild. The proposed algorithm can effectively improve the detection rate and real-time performance of detecting abnormal behavior for the multifeature data in industrial networks. The novel features are twofold, to rapidly select a node with high-security coefficient as the cluster center, and match the multifeature data around the center into a cluster. Experimental results show that the proposed algorithm has good superiority in terms of detection rate and time compared to other algorithms. In the industrial network, the detection accuracy of abnormal data reaches 97.8, and the FP of detection is decreased by 8.8.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Jian Luo,Yiying Zhang,Yannian Wu,Yao Xu,Xiaoyan Guo,Boxiang Shang

DOI: https://doi.org/10.3390/electronics12040949

IF: 2.9

2023-02-16

Electronics

Abstract:Network intrusion data are characterized by high feature dimensionality, extreme category imbalance, and complex nonlinear relationships between features and categories. The actual detection accuracy of existing supervised intrusion-detection models performs poorly. To address this problem, this paper proposes a multi-channel contrastive learning network-based intrusion-detection method (MCLDM), which combines feature learning in the multi-channel supervised contrastive learning stage and feature extraction in the multi-channel unsupervised contrastive learning stage to train an effective intrusion-detection model. The objective is to research whether feature enrichment and the use of contrastive learning for specific classes of network intrusion data can improve the accuracy of the model. The model is based on an autoencoder to achieve feature reconstruction with supervised contrastive learning and for implementing multi-channel data reconstruction. In the next stage of unsupervised contrastive learning, the extraction of features is implemented using triplet convolutional neural networks (TCNN) to achieve the classification of intrusion data. Through experimental analysis, the multichannel contrastive learning network-based intrusion-detection method achieves 98.43% accuracy in dataset CICIDS17 and 93.94% accuracy in dataset KDDCUP99.

engineering, electrical & electronic,computer science, information systems,physics, applied

G Kou,Y Peng,Y Shi,Wx Xu

DOI: https://doi.org/10.1007/3-540-44862-4_7

2003-01-01

Abstract:In this paper, we present a set of classification models by using multiple criteria linear programming (MCLP) to discover the various behaviors of credit cardholders. In credit card portfolio management, predicting the cardholder's spending behavior is a key to reduce the risk of bankruptcy. Given a set of predicting variables (attributes) that describes all possible aspects of credit cardholders, we first present a set of general classification models that can theoretically handle any size of multiple-group cardholders' behavior problems. Then, we implement the algorithm of the classification models by using SAS and Linux. platforms. Finally, we test the models on a special case where the cardholders' behaviors are predefined as five classes: (i) bankrupt charge-off; (ii) non-bankrupt charge-off; (iii) delinquent; (iv) current and (v) outstanding on a real-life credit card data warehouse. As a part of the performance analysis, a data testing comparison between the MCLP and induction decision tree approaches is demonstrated. These findings suggest that the MCLP-data mining techniques have a great potential in discovering knowledge patterns from a large-scale real-life database or data warehouse.

Yuxiang Li,Haiming Wang,Hongkui Yu,Changquan Ren,Qingjia Geng

DOI: https://doi.org/10.4304/jnw.8.6.1322-1328

2013-01-01

Abstract:According to the 31th statistical reports of China Internet network information center (CNNIC), by the end of December 2012, the number of Chinese netizens has reached 564 million, and the scale of mobile Internet users also reached 420 million. But when the network brings great convenience to people's life, it also brings huge threat in the life of people. So through collecting and analyzing the information in the computer system or network we can detect any possible behaviors that can damage the availability, integrity and confidentiality of the computer resource, and make timely treatment to these behaviors which have important research significance to improve the operation environment of network and network service. At present, the Neural Network, Support Vector machine (SVM) and Hidden Markov Model, Fuzzy inference and Genetic Algorithms are introduced into the research of network intrusion detection, trying to build a healthy and secure network operation environment. But most of these algorithms are based on the total sample and it also hypothesizes that the number of the sample is infinity. But in the field of network intrusion the collected data often cannot meet the above requirements. It often shows high latitudes, variability and small sample characteristics. For these data using traditional machine learning methods are hard to get ideal results. In view of this, this paper proposed a Generalized Multi-Kernel Learning method to applied to network intrusion detection. The Generalized Multi-Kernel Learning method can be well applied to large scale sample data, dimension complex, containing a large number of heterogeneous information and so on. The experimental results show that applying GMKL to network attack detection has high classification precision and low abnormal practical precision.

SHI ZHONG,TAGHI M. KHOSHGOFTAAR,NAEEM SELIYA

DOI: https://doi.org/10.1142/s0218539307002568

2007-04-01

International Journal of Reliability, Quality and Safety Engineering

Abstract:Recently data mining methods have gained importance in addressing network security issues, including network intrusion detection — a challenging task in network security. Intrusion detection systems aim to identify attacks with a high detection rate and a low false alarm rate. Classification-based data mining models for intrusion detection are often ineffective in dealing with dynamic changes in intrusion patterns and characteristics. Consequently, unsupervised learning methods have been given a closer look for network intrusion detection. We investigate multiple centroid-based unsupervised clustering algorithms for intrusion detection, and propose a simple yet effective self-labeling heuristic for detecting attack and normal clusters of network traffic audit data. The clustering algorithms investigated include, k-means, Mixture-Of-Spherical Gaussians, Self-Organizing Map, and Neural-Gas. The network traffic datasets provided by the DARPA 1998 offline intrusion detection project are used in our empirical investigation, which demonstrates the feasibility and promise of unsupervised learning methods for network intrusion detection. In addition, a comparative analysis shows the advantage of clustering-based methods over supervised classification techniques in identifying new or unseen attack types.

Haipeng Yao,Qiyi Wang,Luyao Wang,Peiying Zhang,Maozhen Li,Yunjie Liu

DOI: https://doi.org/10.1007/s10766-017-0537-7

2017-01-01

International Journal of Parallel Programming

Abstract:With the dramatic opening-up of network, network security becomes a severe social problem with the rapid development of network technology. Intrusion Detection System (IDS) is an innovative and proactive network security technology, which becomes a hot topic in both industry and academia in recent years. There are four main characteristics of intrusion data that affect the performance of IDS including multicomponent, data imbalance, time-varying and unknown attacks. We propose a novel IDS framework called HMLD to address these issues, which is an exquisite designed framework based on Hybrid Multi-Level Data Mining. In this paper, we use KDDCUP99 dataset to evaluate the performance of HMLD. The experimental results show that HMLD can reach 96.70% accuracy which is nearly 1% higher than the recent proposed optimal algorithm SVM+ELM+Modified K-Means. In details, HMLD greatly increased the detection accuracy of DoS attacks and R2L attacks.

Jakiur Rahman,Jaskaran Singh,Soumen Nayak,Biswajit Jena,Lopamudra Mohanty,Narpinder Singh,John R. Laird,Rajesh Singh,Deepak Garg,Narendra N. Khanna,Mostafa M. Fouda,Luca Saba,Jasjit S. Suri

DOI: https://doi.org/10.1080/08839514.2024.2376983

IF: 2.777

2024-07-13

Applied Artificial Intelligence

Abstract:Intrusion detection systems (IDS) play a critical role in ensuring the security and integrity of computer networks. There is a constant demand for the development of powerful, novel, and generalized methods for IDS that can accurately detect and classify intrusions. In this study, we aim to evaluate the benefits of linear classifiers (LC) and nonlinear classifiers (NLC) in IDS. We employed ten machine learning (ML) classifiers, consisting of five LC and five NLC. These classifiers underwent cross-validation for performance evaluation, unseen analysis, statistical tests, and power analysis on measuring the minimum sample size. Four hypotheses were formulated and validated on five processed intrusion attack datasets. NLC outperformed LC, with a mean accuracy (ACC)/area-under-the-curve (AUC) increase of 22.26%/20.3% on the WUSTL-EHMS dataset, with improvements of ACC/AUC by 5.5%/2.3% on the UNSW-NB15 dataset. In the unseen analysis, NLC achieved an ACC/AUC increase of 21.9%/21.8% when trained on WUSTL-EHMS and tested on UNSW-NB15. Lastly, when using a mixed dataset of WUSTL-EHMS and UNSW-NB15, NLC demonstrated an ACC/AUC increase of 11.67%/5.5%. The model performed well in cross-validation protocols, and the statistical tests yielded significant p-values. NLC provides generalized and robust solutions to detect intrusion attacks, ensuring the integrity and security of computer networks.

computer science, artificial intelligence,engineering, electrical & electronic

Celestine Iwendi,Suleman Khan,Joseph Henry Anajemba,Mohit Mittal,Mamdouh Alenezi,Mamoun Alazab

DOI: https://doi.org/10.3390/s20092559

IF: 3.9

2020-04-30

Sensors

Abstract:The pursuit to spot abnormal behaviors in and out of a network system is what led to a system known as intrusion detection systems for soft computing besides many researchers have applied machine learning around this area. Obviously, a single classifier alone in the classifications seems impossible to control network intruders. This limitation is what led us to perform dimensionality reduction by means of correlation-based feature selection approach (CFS approach) in addition to a refined ensemble model. The paper aims to improve the Intrusion Detection System (IDS) by proposing a CFS + Ensemble Classifiers (Bagging and Adaboost) which has high accuracy, high packet detection rate, and low false alarm rate. Machine Learning Ensemble Models with base classifiers (J48, Random Forest, and Reptree) were built. Binary classification, as well as Multiclass classification for KDD99 and NSLKDD datasets, was done while all the attacks were named as an anomaly and normal traffic. Class labels consisted of five major attacks, namely Denial of Service (DoS), Probe, User-to-Root (U2R), Root to Local attacks (R2L), and Normal class attacks. Results from the experiment showed that our proposed model produces 0 false alarm rate (FAR) and 99.90% detection rate (DR) for the KDD99 dataset, and 0.5% FAR and 98.60% DR for NSLKDD dataset when working with 6 and 13 selected features.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Die Zhang,Zhen Zhang

DOI: https://doi.org/10.1109/EIECC60864.2023.10456717

2023-12-22

Abstract:Network abnormal traffic intrusion detection technology is an important research field of network security today. Hybrid intrusion detection technology overcomes the shortcomings of single detection and retains their advantages, achieving high detection rate and high accuracy, so it is widely used in existing network abnormal traffic detection. However, the optimization of the high false alarm rate of anomaly detection in existing hybrid intrusion detection is imperfect, resulting in a large room for improvement in the detection accuracy of hybrid intrusion detection. In response to the above problems, this paper proposes a hybrid intrusion detection method based on Cluster Marking-k-means. By adding a classifier to the anomaly-based detection module, the detection results are secondary classified to reduce False alarm rate, thus improving the overall detection accuracy of the method. The experiment uses NSL-KDD and CICIDS2017 datasets to verify the effectiveness of the method. The results show that the method proposed in this article improves the average F1 score by 1.19% compared to the comparative method.

Computer Science

Guanghui Song,Xiaogang Jin,Genlang Chen,Yan Nie

DOI: https://doi.org/10.1109/ISKE.2010.5680860

2010-01-01

Abstract:The source data of intrusion detection system (IDS) are characteristic of heavy-flow, high-dimension and nonlinearity. A frequent problem in IDS is the choice of the right features that give rise to compact and concise representations of the network data; the other is how to improve the detection efficiency and accuracy of IDS under the small sample conditions. In order to delete the redundant and noisy features, improve the performance of IDS, we present an efficient IDS based on multiple kernel learning (MKL) method. Kernel methods are the effective approaches to intrusion detection problems. MKL methods combined with support vector machines (SVMs) can overcome some practice difficulties of IDS such as irregular data, non-flat distribution of the samples, etc. Experiments on the KDD Cup (1999) intrusion detection data set show that MKL methods have a higher detection rate and a lower false alarm rate compared to single kernel methods.

Sudhanshu Sekhar Tripathy,Bichitrananda Behera

2023-10-01

Abstract:The escalation of hazards to safety and hijacking of digital networks are among the strongest perilous difficulties that must be addressed in the present day. Numerous safety procedures were set up to track and recognize any illicit activity on the network's infrastructure. IDS are the best way to resist and recognize intrusions on internet connections and digital technologies. To classify network traffic as normal or anomalous, Machine Learning (ML) classifiers are increasingly utilized. An IDS with machine learning increases the accuracy with which security attacks are detected. This paper focuses on intrusion detection systems (IDSs) analysis using ML techniques. IDSs utilizing ML techniques are efficient and precise at identifying network assaults. In data with large dimensional spaces, however, the efficacy of these systems degrades. correspondingly, the case is essential to execute a feasible feature removal technique capable of getting rid of characteristics that have little effect on the classification process. In this paper, we analyze the KDD CUP-'99' intrusion detection dataset used for training and validating ML models. Then, we implement ML classifiers such as Logistic Regression, Decision Tree, K-Nearest Neighbour, Naive Bayes, Bernoulli Naive Bayes, Multinomial Naive Bayes, XG-Boost Classifier, Ada-Boost, Random Forest, SVM, Rocchio classifier, Ridge, Passive-Aggressive classifier, ANN besides Perceptron (PPN), the optimal classifiers are determined by comparing the results of Stochastic Gradient Descent and back-propagation neural networks for IDS, Conventional categorization indicators, such as "accuracy, precision, recall, and the f1-measure, have been used to evaluate the performance of the ML classification algorithms.

Cryptography and Security

Zhen-wei HU,Yong SHI,Zhi XUE

DOI: https://doi.org/10.3969/j.issn.1002-0802.2017.12.027

2017-01-01

Abstract:Traditional intrusion detection method is unable to meet the needs of big-data era in accuracy and effectiveness, while the machine-learning algorithm is becoming main-stream. Now the main research focuses on machine-learning algorithm in support vector machines, and however it also has its own defects. Therefore, other excellent classification algorithms in machine learning are introduced. In addition, the classical NSL-KDD data set is used to compare the accuracy of the algorithm, and the applicable environment analyzed, thus to provide a basis for intrusion detection analysis in different scenarios in the future. After using the data set to complete the model training, the ROC curve, accuracy and other indicators are used to evaluate the model, and fairly good results are acquired.