Haifeng Lv,Xiaoyu Ji,Yong Ding

DOI: https://doi.org/10.1088/1742-6596/2517/1/012016

2023-01-01

Journal of Physics Conference Series

Abstract:The intrusion detection system (IDS) plays an important part because it offers an efficient way to prevent and mitigate cyber attacks. Numerous deep learning methods for intrusion anomaly detection have been developed as a result of recent advances in artificial intelligence (AI) in order to strengthen internet security. The balance among the high detection rate (DR), the low false alarm rate (FAR) and disaster of dimensionality is the crucial apprehension while devising an effective IDS. For the binary classification of intrusion detection systems, we present in this study a mixed model called K-means-XGBoost consisting of K-means and (Extreme Gradient Boosting, XGBoost) algorithms. The distributed computation of our method is achieved in Spark platform to rapidly separate normal events and anomaly events. In phrases of accuracy, DR, F1-score, recall, precision, and error indices FAR, the proposed model’s performance is measured via the well-known dataset of NSL-KDD. The experimental outcomes indicate that our method is outstandingly better among accuracy, DR, F1-score, training time, and processing speed, compared to other models which are recently created. In particular, the accuracy, F1-score, and DR of the proposed model can achieve as high as 93.28%, 94.39%, and 99.22% in the NSL-KDD dataset, respectively.

Ming Liu,Zhi Xue,Xiangjian He,Jinjun Chen

DOI: https://doi.org/10.48550/arxiv.2109.11821

2021-01-01

Abstract: Following the current big data trend, the scale of real-time system call traces generated by Linux applications in a contemporary data center may increase excessively. Due to the deficiency of scalability, it is challenging for traditional host-based intrusion detection systems deployed on every single host to collect, maintain, and manipulate those large-scale accumulated system call traces. It is inflexible to build data mining models on one physical host that has static computing capability and limited storage capacity. To address this issue, we propose SCADS, a corresponding solution using Apache Spark in the Google cloud environment. A set of Spark algorithms are developed to achieve the computational scalability. The experiment results demonstrate that the efficiency of intrusion detection can be enhanced, which indicates that the proposed method can apply to the design of next-generation host-based intrusion detection systems with system calls.

Junchi Xing,Haifeng Zhou,Jinfan Shen,Kai Zhu,Yansong Wang,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/ICT.2018.8464855

2018-01-01

Abstract:Distributed Denial-of-Service (DDoS) attack has been a "nightmare" for cloud. A countermeasure is to establish an Intrusion Detection and Prevention System (IDPS) for cloud. Nevertheless, current IDPSes fail to achieve the detection and prevention in a flexible and lightweight way. In this paper, we propose a novel scheme of IDPS for overcoming the above problem, termed as Auto-scaling IDPS (AsIDPS). AsIDPS is based on Software-Defined Networking (SDN) and Docker container technologies. It first detects abnormal traffic based on the flow statistics collected in SDN switches in real-time. By the SDN controller, the abnormal traffic will be directed to the created Docker containers with Snort running on them for further detection and clean-up. Particularly, the Docker containers can be automatically scaled out or scaled down on demand. The Snort will also deliver an alert to the SDN controller if it detects attack traffic so as to perform a countermeasure if necessary. Benefitting from the flexible network management offered by SDN and the lightweight Docker container, AsIDPS is able to build a flexible and lightweight defense against DDoS attack in cloud. Based on our prototype implementation, we validate the effectiveness of AsIDPS in defending DDoS attack, and also verify its flexibility and lightweight.

Hao Zhang,Shumin Dai,Yongdan Li,Wenjun Zhang

DOI: https://doi.org/10.1109/pccc.2018.8711068

2018-01-01

Abstract:With the rapid increase in Internet services, network traffic data has become very large and complex, increasing the possibility of intrusions. The traditional intrusion detection system (IDS) cannot detect intrusion behaviors among such high-speed traffic data. A real-time network IDS should be able to process large amounts of network traffic data as quickly as possible to detect malicious traffic as early as possible. Therefore, in this paper, we propose a network intrusion detection framework based on a distributed random forest capable of handling high-speed traffic data. This framework consists of three parts: a data capturing part based on NetFlow, a preprocessing data part and a classification-based intrusion detection part. In this paper, we apply the random forest classification algorithm and adapt it to the Apache Spark distributed processing system to realize real-time detection. To verify the effectiveness of the framework, we implement the system and perform several comparison experiments. The results show that the system has satisfactory efficiency and accuracy compared to existing systems and thus is very suitable for the real-time detection of network intrusion, with a large capacity and high speed.

Ming Liu,Zhi Xue,Xiangjian He

DOI: https://doi.org/10.1109/mce.2020.3048314

2020-01-01

IEEE Consumer Electronics Magazine

Abstract:The embedded system is an essential component of the Internet of Everything. Recently, host-based intrusion detection techniques have been widely applied to embedded systems effectively. However, the traditional standalone intrusion detection system has several shortcomings in terms of efficiency and scalability. In this article, a two-tier scalable intrusion detection framework is designed for embedded systems to address these shortcomings. The framework is based on Spark and is deployed in the cloud environment. The experiments show that the proposed framework can effectively improve the detection efficiency and scalability.

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

Mohd. Rehan Ghazi,N. S. Raghava

DOI: https://doi.org/10.3934/era.2024060

2024-01-01

Electronic Research Archive

Abstract:With the use of cloud computing, which provides the infrastructure necessary for the efficient delivery of smart city services to every citizen over the internet, intelligent systems may be readily integrated into smart cities and communicate with one another. Any smart system at home, in a car, or in the workplace can be remotely controlled and directed by the individual at any time. Continuous cloud service availability is becoming a critical subscriber requirement within smart cities. However, these cost-cutting measures and service improvements will make smart city cloud networks more vulnerable and at risk. The primary function of Intrusion Detection Systems (IDS) has gotten increasingly challenging due to the enormous proliferation of data created in cloud networks of smart cities. To alleviate these concerns, we provide a framework for automatic, reliable, and uninterrupted cloud availability of services for the network data security of intelligent connected devices. This framework enables IDS to defend against security threats and to provide services that meet the users' Quality of Service (QoS) expectations. This study's intrusion detection solution for cloud network data from smart cities employed Spark and Waikato Environment for Knowledge Analysis (WEKA). WEKA and Spark are linked and made scalable and distributed. The Hadoop Distributed File System (HDFS) storage advantages are combined with WEKA's Knowledge flow for processing cloud network data for smart cities. Utilizing HDFS components, WEKA's machine learning algorithms receive cloud network data from smart cities. This research utilizes the wrapper-based Feature Selection (FS) approach for IDS, employing both the Pigeon Inspired Optimizer (PIO) and the Particle Swarm Optimization (PSO). For classifying the cloud network traffic of smart cities, the tree-based Stacking Ensemble Method (SEM) of J48, Random Forest (RF), and eXtreme Gradient Boosting (XGBoost) are applied. Performance evaluations of our system were conducted using the UNSW-NB15 and NSL-KDD datasets. Our technique is superior to previous works in terms of sensitivity, specificity, precision, false positive rate (FPR), accuracy, F1 Score, and Matthews correlation coefficient (MCC).

mathematics

Brunel Elvire Bouya-Moko,Edward Kwadwo Boahen,Changda Wang

DOI: https://doi.org/10.3390/electronics11111675

IF: 2.9

2022-05-25

Electronics

Abstract:Strong network connections make the risk of malicious activities emerge faster while dealing with big data. An intrusion detection system (IDS) can be utilized for alerting suitable entities when hazardous actions are occurring. Most of the techniques used to classify intrusions lack the techniques executed with big data. This paper devised an optimization-driven deep learning technique for detecting the intrusion using the Spark model. The input data is fed to the data partitioning phase wherein the partitioning of data is done using the proposed fuzzy local information and Bhattacharya-based C-means (FLIBCM). The proposed FLIBCM was devised by combining Bhattacharya distance and fuzzy local information C-Means (FLICM). The feature selection was achieved with classwise info gained to select imperative features. The data augmentation was done with oversampling to make it apposite for further processing. The detection of intrusion was done using a deep Maxout network (DMN), which was trained using the proposed student psychology water cycle caviar (SPWCC) obtained by combining the water cycle algorithm (WCA), the conditional autoregressive value at risk by regression quantiles (CAViaR), and the student psychology-based optimization algorithm (SPBO). The proposed SPWCC-based DMN offered enhanced performance with the highest accuracy of 97.6%, sensitivity of 98%, and specificity of 97%.

engineering, electrical & electronic,computer science, information systems,physics, applied

Junjiang He,Cong Tang,Wenshan Li,Tao Li,Li Chen,Xiaolong Lan

DOI: https://doi.org/10.1109/tifs.2023.3324388

IF: 7.231

2023-11-25

IEEE Transactions on Information Forensics and Security

Abstract:Host-based intrusion detection systems (HIDS) have been widely acknowledged as an effective approach for detecting and mitigating malicious activities. Among various data sources utilized in HIDS, system call traces have gained significant popularity due to their inherent advantage of providing fine-grained information. Nevertheless, conventional feature extraction techniques relying on system calls tend to overlook the issue of high-dimensional sparse feature space. In this paper, we conduct a theoretical analysis to investigate the underlying causes of the sparsity problem. Subsequently, we propose an anti-sparse theory (anti-ST) as a solution to address this issue. Then, we design a multi-granularity feature extraction method (MGFE), which also meets the prerequisite mathematical conditions of the anti-ST. By applying this method, we effectively reduce the size of the feature space and minimize the number of generated features, thus mitigating sparsity. Furthermore, leveraging this approach, we propose a robust and anti-sparsity host intrusion detection framework, known as the MGFE-based Host Intrusion Detection Framework (BR-HIDF). A series of experiments were conducted to evaluate the proposed framework and compare it with the state-of-the-art method. The results demonstrate that our framework achieves impressive accuracy (97.26%), precision (97.62%), recall (96.85%), and F1 score (97.23%) in the intrusion detection task, surpassing existing frameworks. Moreover, the proposed framework significantly reduces the time overhead by 38.80%, exhibiting the highest AUC value of 0.992. Furthermore, we enhance the robustness of the detection system by integrating host-based and network-based detection, which provides greater flexibility in identifying various types of attacks.

computer science, theory & methods,engineering, electrical & electronic

Zhenpeng Liu,Nan Su,Yiwen Qin,Jiahuan Lu,Xiaofei Li

DOI: https://doi.org/10.1155/2020/6633252

2020-12-22

Mobile Information Systems

Abstract:This paper focuses on an important research problem of cyberspace security. As an active defense technology, intrusion detection plays an important role in the field of network security. Traditional intrusion detection technologies have problems such as low accuracy, low detection efficiency, and time consuming. The shallow structure of machine learning has been unable to respond in time. To solve these problems, the deep learning-based method has been studied to improve intrusion detection. The advantage of deep learning is that it has a strong learning ability for features and can handle very complex data. Therefore, we propose a deep random forest-based network intrusion detection model. The first stage uses a slide window to segment original features into many small pieces and then trains a random forest to generate the concatenated class vector as rerepresentation. The vector will be used to train the multilevel cascade parallel random forest in the second stage. Finally, the classification of the original data is determined by voting strategy after the last layer of cascade. Meanwhile, the model is deployed in Spark environment and optimizes cache replacement strategy of RDDs by efficiency sorting and partition integrity check. The experiment results indicate that the proposed method can effectively detect anomaly network behaviors, with high F1-measure scores and high accuracy. The results also show that it can cut down the average execution time on different scaled clusters.

computer science, information systems,telecommunications

Len Wirz,Asipan Ketphet,Rinrada Tanthanathewin,S. Fugkeaw

DOI: https://doi.org/10.1109/jcsse54890.2022.9836264

2022-06-22

Abstract:Owing to the efficient resource management, accessibility, and high service availability, cloud computing has been leveraged by several intensive-data processing applications such as big data analytics, social media applications. These applications are typically based on the development of web service and web application. Even though web-based technology offers effective communication and implementation, it has been susceptible to various kinds of attack. In this paper, we investigate possible attacks on REST which is a commonly used protocol for the web service implementation. In REST, HTTP requests are mapped to GET, POST, PUT, and DELETE that have been proven to be prone to common attacks including Automated Brute Forcing on web-based login, HTTP flood attacks, SQL injections (SQLi), and Cross-Site Scripting (XSS). To this end, we propose a design and implementation of the cloud-based IDS to detect such attacks by employing Apache Kafka and Spark streaming to classify and process the high volume of user inputs in REST HTTP communication. To detect the anomalous inputs, we apply the signature-based approach to construct an IDS engine based on a set of known attack patterns that will be leveraged by the Spark Streaming. Specifically, we introduce a new string comparison collection that improves the False Positive (FP) rate in SQL injection detection, which has been a major issue in most proposed IDS currently available. In our experiment, the system is able to determine malicious patterns with high performance as well as to generate SMS alerts and log the event in a Google Cloud Storage Bucket in an efficient manner.

Engineering,Computer Science

Mohamed Abushwereb,Mouhammd Alkasassbeh,Mohammad Almseidin,Muhannad Mustafa

DOI: https://doi.org/10.48550/arXiv.2203.04347

2022-02-21

Abstract:The internet has caused tremendous changes since its appearance in the 1980s, and now, the Internet of Things (IoT) seems to be doing the same. The potential of IoT has made it the center of attention for many people, but, where some see an opportunity to contribute, others may see IoT networks as a target to be exploited. The high number of IoT devices makes them the perfect setup for staging denial-of-service attacks (DoS) that can have devastating consequences. This renders the need for cybersecurity measures such as intrusion detection systems (IDSs) evident. The aim of this paper is to build an IDS using the big data platform, Apache Spark. Apache Spark was used along with its ML library (MLlib) and the BoT-IoT dataset. The IDS was then tested and evaluated based on F-Measure (f1), as was the standard when evaluating imbalanced data. Two rounds of tests were performed, a partial dataset for minimizing bias, and the full BoT-IoT dataset for exploring big data and ML capabilities in a security setting. For the partial dataset, the Random Forest algorithm had the highest performance for binary classification at an average f1 measure of 99.7%, as well as 99.6% for main category classification, and an 88.5% f1 measure for sub category classification. As for the complete dataset, the Decision Tree algorithm scored the highest f1 measures for all conducted tests; 97.9% for binary classification, 79% for main category classification, and 77% for sub category classification.

Cryptography and Security,Networking and Internet Architecture

Qingtang Xia,Tianjia Chen,Wei Xu

DOI: https://doi.org/10.1109/cit.2016.31

2016-01-01

Abstract:Many attacks originate from inside, and security problems within cloud-computing platforms are becoming more and more severe. Although many Intrusion Detection System (IDS) help monitor and protect the inbound and outbound traffic of data centers, it is still challenging to deploy IDS inside a cloudcomputing platform due to extremely high bandwidth within, and the lack of a single ingress point to deploy the IDS. This paper presents two ideas allowing traditional IDS to be adopted to the cloud environment: software-defined-networking (SDN) based packet collection and a hybrid sampling algorithm to significantly reduce workload on the IDS. We integrate our data collector in the Open vSwitch of every physical server, making packets capturing highly efficient. Our hybrid sampling algorithm combines both flow statistics and IDS feedback to intelligently choose which packets to sample. The sampling rate is determined by the current workload in the cloud, and thus minimizing the effects to normal workload. We evaluate our prototype CIDS on a 125-server production OpenStack cloud using real world attack traces, and demonstrate the effectiveness of our approach.

Zayed alhaddad, Mostafa Hanoune, Abdelaziz Mamouni

DOI: https://doi.org/10.17762/ijcnis.v8i3.1950

2022-04-17

International Journal of Communication Networks and Information Security (IJCNIS)

Abstract:In recent years, Cloud computing has emerged as a new paradigm for delivering highly scalable and on-demand shared pool IT resources such as networks, servers, storage, applications and services through internet. It enables IT managers to provision services to users faster and in a cost-effective way. As a result, this technology is used by an increasing number of end users. On the other hand, existing security deficiencies and vulnerabilities of underlying technologies can leave an open door for intruders. Indeed, one of the major security issues in Cloud is to protect against distributed attacks and other malicious activities on the network that can affect confidentiality, availability and integrity of Cloud resources. In order to solve these problems, we propose a Collaborative Network Intrusion Detection System (C-NIDS) to detect network attacks in Cloud by monitoring network traffic, while offering high accuracy by addressing newer challenges, namely, intrusion detection in virtual network, monitoring high traffic, scalability and resistance capability. In our NIDS framework, we use Snort as a signature based detection to detect known attacks, while for detecting network anomaly, we use Support Vector Machine (SVM). Moreover, in this framework, the NIDS sensors deployed in Cloud operate in collaborative way to oppose the coordinated attacks against cloud infrastructure and knowledge base remains up-to-date.

Zhoukai Wang,Yinliang Zhao,Zhaorong Wang,Yuxiang Li

DOI: https://doi.org/10.1109/ISPA/IUCC.2017.00100

2017-01-01

Abstract:Intrusion prevention system is the most important and popular tool in information security. It has been widely used to identify potential threats and respond to them swiftly. However, the existing IPS based on regular expression matching is time consuming and do not support large data well, since it scans and processes input linearly. To enhance conventional approach's parallelism and improve its efficiency for processing problems with large-scale data, this paper raised a speculative parallel intrusion prevention system based on Apache Spark. In the proposed system, the input packets are speculatively divided into several chunks, and then distributed into Apache Spark for parallel processing. After processing, the results are collected and evaluated to eliminate incorrect speculations. Experiments show that for large-scale data, by comparing with the conventional approach, the proposed system could markedly shorten the execution time for intrusion prevention. It can be proved that by adopting our novel system, the efficiency of intrusion prevention can be significantly enhanced.

Ming Liu,Zhi Xue,Xianghua Xu,Changmin Zhong,Jinjun Chen

DOI: https://doi.org/10.1145/3214304

IF: 16.6

2019-01-01

ACM Computing Surveys

Abstract:In a contemporary data center, Linux applications often generate a large quantity of real-time system call traces, which are not suitable for traditional host-based intrusion detection systems deployed on every single host. Training data mining models with system calls on a single host that has static computing and storage capacity is time-consuming, and intermediate datasets are not capable of being efficiently handled. It is cumbersome for the maintenance and updating of host-based intrusion detection systems (HIDS) installed on every physical or virtual host, and comprehensive system call analysis can hardly be performed to detect complex and distributed attacks among multiple hosts. Considering these limitations of current system-call-based HIDS, in this article, we provide a review of the development of system-call-based HIDS and future research trends. Algorithms and techniques relevant to system-call-based HIDS are investigated, including feature extraction methods and various data mining algorithms. The HIDS dataset issues are discussed, including currently available datasets with system calls and approaches for researchers to generate new datasets. The application of system-call-based HIDS on current embedded systems is studied, and related works are investigated. Finally, future research trends are forecast regarding three aspects, namely, the reduction of the false-positive rate, the improvement of detection efficiency, and the enhancement of collaborative security.

Ming Liu,Zhi Xue,Xianghua Xu,Changmin Zhong,Jinjun Chen

DOI: https://doi.org/10.1145/3214304

2019-01-01

Abstract:In a contemporary data center, Linux applications often generate a large quantity of real-time system call traces, which are not suitable for traditional host-based intrusion detection systems deployed on every single host. Training data mining models with system calls on a single host that has static computing and storage capacity is time-consuming, and intermediate datasets are not capable of being efficiently handled. It is cumbersome for the maintenance and updating of host-based intrusion detection systems (HIDS) installed on every physical or virtual host, and comprehensive system call analysis can hardly be performed to detect complex and distributed attacks among multiple hosts. Considering these limitations of current system-call-based HIDS, in this article, we provide a review of the development of system-call-based HIDS and future research trends. Algorithms and techniques relevant to system-call-based HIDS are investigated, including feature extraction methods and various data mining algorithms. The HIDS dataset issues are discussed, including currently available datasets with system calls and approaches for researchers to generate new datasets. The application of system-call-based HIDS on current embedded systems is studied, and related works are investigated. Finally, future research trends are forecast regarding three aspects, namely, the reduction of the false-positive rate, the improvement of detection efficiency, and the enhancement of collaborative security.

Syed Mohamed Thameem Nizamudeen

DOI: https://doi.org/10.1186/s13677-023-00509-4

2023-09-23

Journal of Cloud Computing

Abstract:In the current era, a tremendous volume of data has been generated by using web technologies. The association between different devices and services have also been explored to wisely and widely use recent technologies. Due to the restriction in the available resources, the chance of security violation is increasing highly on the constrained devices. IoT backend with the multi-cloud infrastructure to extend the public services in terms of better scalability and reliability. Several users might access the multi-cloud resources that lead to data threats while handling user requests for IoT services. It poses a new challenge in proposing new functional elements and security schemes. This paper introduces an intelligent Intrusion Detection Framework (IDF) to detect network and application-based attacks. The proposed framework has three phases: data pre-processing, feature selection and classification. Initially, the collected datasets are pre-processed using Integer- Grading Normalization (I-GN) technique that ensures a fair-scaled data transformation process. Secondly, Opposition-based Learning- Rat Inspired Optimizer (OBL-RIO) is designed for the feature selection phase. The progressive nature of rats chooses the significant features. The fittest value ensures the stability of the features from OBL-RIO. Finally, a 2D-Array-based Convolutional Neural Network (2D-ACNN) is proposed as the binary class classifier. The input features are preserved in a 2D-array model to perform on the complex layers. It detects normal (or) abnormal traffic. The proposed framework is trained and tested on the Netflow-based datasets. The proposed framework yields 95.20% accuracy, 2.5% false positive rate and 97.24% detection rate.

Valerio Morfino,Salvatore Rampone

DOI: https://doi.org/10.3390/electronics9030444

IF: 2.9

2020-03-06

Electronics

Abstract:In the fields of Internet of Things (IoT) infrastructures, attack and anomaly detection are rising concerns. With the increased use of IoT infrastructure in every domain, threats and attacks in these infrastructures are also growing proportionally. In this paper the performances of several machine learning algorithms in identifying cyber-attacks (namely SYN-DOS attacks) to IoT systems are compared both in terms of application performances, and in training/application times. We use supervised machine learning algorithms included in the MLlib library of Apache Spark, a fast and general engine for big data processing. We show the implementation details and the performance of those algorithms on public datasets using a training set of up to 2 million instances. We adopt a Cloud environment, emphasizing the importance of the scalability and of the elasticity of use. Results show that all the Spark algorithms used result in a very good identification accuracy (>99%). Overall, one of them, Random Forest, achieves an accuracy of 1. We also report a very short training time (23.22 sec for Decision Tree with 2 million rows). The experiments also show a very low application time (0.13 sec for over than 600,000 instances for Random Forest) using Apache Spark in the Cloud. Furthermore, the explicit model generated by Random Forest is very easy-to-implement using high- or low-level programming languages. In light of the results obtained, both in terms of computation times and identification performance, a hybrid approach for the detection of SYN-DOS cyber-attacks on IoT devices is proposed: the application of an explicit Random Forest model, implemented directly on the IoT device, along with a second level analysis (training) performed in the Cloud.

engineering, electrical & electronic,computer science, information systems,physics, applied

Haipeng Yao,Qiyi Wang,Luyao Wang,Peiying Zhang,Maozhen Li,Yunjie Liu

DOI: https://doi.org/10.1007/s10766-017-0537-7

2017-01-01

International Journal of Parallel Programming

Abstract:With the dramatic opening-up of network, network security becomes a severe social problem with the rapid development of network technology. Intrusion Detection System (IDS) is an innovative and proactive network security technology, which becomes a hot topic in both industry and academia in recent years. There are four main characteristics of intrusion data that affect the performance of IDS including multicomponent, data imbalance, time-varying and unknown attacks. We propose a novel IDS framework called HMLD to address these issues, which is an exquisite designed framework based on Hybrid Multi-Level Data Mining. In this paper, we use KDDCUP99 dataset to evaluate the performance of HMLD. The experimental results show that HMLD can reach 96.70% accuracy which is nearly 1% higher than the recent proposed optimal algorithm SVM+ELM+Modified K-Means. In details, HMLD greatly increased the detection accuracy of DoS attacks and R2L attacks.