Wu Heyi,Hu Aiqun,Song Yubo,Bu Ning,Jia Xuefei

DOI: https://doi.org/10.1109/mines.2012.38

2012-01-01

Abstract:Whether the most important features can be extracted to reduce the dimension of the features or not is crucial to improving the efficiency and performance of the Intrusion Detection System (IDS). In this paper, an intrusion detection feature extraction method based on the complex network theory and the MST algorithm is proposed. The method takes the features of the network connections as nodes of a scale-free model, then detects the clusters of the network and extracts the key nodes of the model. The extracted nodes can be used in the IDS to detect the existence of intrusions. The result shows that the detection rate of the method is almost 1 percent lower than that of the Principal Component Analysis (PCA) algorithm, but the efficiency is improved by 13 percent. At last, how to apply the method to the intrusion detection pattern match is discussed.

Xue Li,Jin-long Fei,Jue Wang,Zan Qi

DOI: https://doi.org/10.1109/ITNEC56291.2023.10082305

2023-02-24

Abstract:Feature selection methods for classification are crucial for intrusion detection techniques using machine learning. High-dimensional features in intrusion detection data affect computational complexity, consume more used resources and more time for data analysis, and the irrelevant and redundant features among them often hinder the performance of classifiers and mislead the classification task. Therefore, it is challenging to select more relevant features from intrusion detection data containing many such features. In this paper, we propose an efficient feature selection algorithm that first considers the correlation between features and the redundancy of pairs of features with respect to class labels based on an improved Pearson correlation coefficient, and later improves the evaluation function based on conditional mutual information to obtain a final subset of features with the goal of improving the classification rate and accuracy. The proposed feature selection method based on improved conditional mutual information is compared with three existing feature selection methods on the frequently studied public benchmark intrusion detection dataset NSL-KDD. The experimental results show that the features selected by the proposed method in this paper lead to a significant reduction in execution time while resulting in higher classification accuracy.

Computer Science

Ting Huang,Wenbo Chen,Ruisheng Zhang

DOI: https://doi.org/10.2991/amcce-17.2017.11

2017-01-01

Abstract:The rapid development of information technology generates high dimension and large scale data, which puts severer challenges to network security. Feature selection is proposed for the reduction of data dimension so that features of original data are utmostly retained and improving the effectiveness of data processing. This paper proposes a new method of feature extraction by combining two algorithms. Firstly, removes some noise and irrelevant features after researching for correlation between features and categories; Secondly, furtherly optimize subsets to select key features through feature selection algorithm, whose Evaluate Function is based on clustering algorithm. KDDCUP9910% datasets is used to testify the experiment, whose result shows the method guarantees effective detection rate and reducing the data dimension effectively at the same time , the effectiveness of data detection is improved.

Swapnil Mane,Vaibhav Khatavkar,Niranjan Gijare,Pranav Bhendawade

2023-04-04

Abstract:An Intrusion detection system (IDS) is essential for avoiding malicious activity. Mostly, IDS will be improved by machine learning approaches, but the model efficiency is degrading because of more headers (or features) present in the packet (each record). The proposed model extracts practical features using Non-negative matrix factorization and chi-square analysis. The more number of features increases the exponential time and risk of overfitting the model. Using both techniques, the proposed model makes a hierarchical approach that will reduce the features quadratic error and noise. The proposed model is implemented on three publicly available datasets, which gives significant improvement. According to recent research, the proposed model has improved performance by 4.66% and 0.39% with respective NSL-KDD and CICD 2017.

Cryptography and Security

Zhang Xue-qin,Gu Chun-hua

DOI: https://doi.org/10.3969/j.issn.1000-565X.2010.01.016

2010-01-01

Abstract:In order to eliminate redundant features,reduce the system burden of storage and computation,and improve the performance of the classifier for network intrusion detection,a method to extract network intrusion detection feature is proposed based on the Fisher score and the support vector machine(SVM).Then,in accordance with KDD′99 network intrusion detection dataset,the feature significance rankings for the mixed attack and four single attacks are respectively obtained by using the proposed method.By extracting important features,a SVM classifier is thus constructed.Experimental results show that,as compared with the classifier constructed based on all features,the new classifier is of approximately equivalent accuracy and dramatically low training and testing time cost.

彭小金,武小年

DOI: https://doi.org/10.3969/j.issn.1008-1151.2014.03.002

2014-01-01

Abstract:In order to remove the redundancy and noise characteristics in network intrusion detection data set, reduce the data processing difficulty and improve the detection performance, a intrusion detection method based on feature selection and support vector machine is proposed. The method using the proposed feature selection algorithm base on the model of support vector machine classifier to select the best combination of features is applied to intrusion detection systems. Simulation results show that this method can not only reduce the number of features, thereby decreasing the training and testing time, but also improve the classification accuracy of intrusion detection.

Xuecheng Yu,Yan Huang,Yu Zhang,Mingyang Song,Zhenhong Jia

DOI: https://doi.org/10.32604/cmc.2023.044999

2024-01-01

Abstract:With the increasing dimensionality of network traffic, extracting effective traffic features and improving the identification accuracy of different intrusion traffic have become critical in intrusion detection systems (IDS). However, both unsupervised and semisupervised anomalous traffic detection methods suffer from the drawback of ignoring potential correlations between features, resulting in an analysis that is not an optimal set. Therefore, in order to extract more representative traffic features as well as to improve the accuracy of traffic identification, this paper proposes a feature dimensionality reduction method combining principal component analysis and Hotelling’s T2 and a multilayer convolutional bidirectional long short-term memory (MSC_BiLSTM) classifier model for network traffic intrusion detection. This method reduces the parameters and redundancy of the model by feature extraction and extracts the dependent features between the data by a bidirectional long short-term memory (BiLSTM) network, which fully considers the influence between the before and after features. The network traffic is first characteristically downscaled by principal component analysis (PCA), and then the downscaled principal components are used as input to Hotelling’s T2 to compare the differences between groups. For datasets with outliers, Hotelling’s T2 can help identify the groups where the outliers are located and quantitatively measure the extent of the outliers. Finally, a multilayer convolutional neural network and a BiLSTM network are used to extract the spatial and temporal features of network traffic data. The empirical consequences exhibit that the suggested approach in this manuscript attains superior outcomes in precision, recall and F1-score juxtaposed with the prevailing techniques. The results show that the intrusion detection accuracy, precision, and F1-score of the proposed MSC_BiLSTM model for the CIC-IDS 2017 dataset are 98.71%, 95.97%, and 90.22%.

computer science, information systems,materials science, multidisciplinary

ZHU Wen-jie,WANG Qiang

DOI: https://doi.org/10.3969/j.issn.1007-130X.2013.06.008

2013-01-01

Abstract:In traditional SVM based intrusion detection approaches, both core function construction and feature selection use prior knowdege. Due to this, they are not only inefficient but also inaccurate. It is observed that integrating information entropy theory into SVM-based intrusion detection can enhance both the precision and the speed. Concludely speaking, SVM-based entropy intrusion detection algorithms are made up of two aspects: on one hand, setting sample confidence vector as core function's constructor of SVM algorithm can guarantee the mapping relationship between training sample and optimization classification plane. Also, the intrusion detection’s maximum interval can be acquired. On the other hand, simplifying feature subset with samples's entropy as metric standard can not only shrink the computing scale but also improve the speed. Experiments prove that the SVM based entropy intrusion detection algoritm outperfomrs other tradional algorithms.

Anbang Wang,Xinyu Gong,Jialiang Lu

DOI: https://doi.org/10.1109/smartcloud.2019.00028

2019-01-01

Abstract:With the development of network technology and the updating of intelligent networking devices, the variety of cyber attacks and the number of users being attacked are increasing. Intrusion Detection Systems (IDS) are commonly used in the field of network security to detect anomalous activity and behavior. Many previous works have achieved high detection accuracy on standard testing data sets by implementing mature Machine Learning (ML) algorithms. Inspired by the network ontology researches,, we propose two Long Short-Term Memory (LSTM) based IDSs with deep feature extraction: multi-class feature extraction IDS and dual-class feature extraction IDS. Through our experiments on the CICIDS2017 data set, we have found that multi-class feature extraction IDS can better identify the types of cyber attacks while the dual-class feature extraction IDS can better recall new attacks. We conclude that when the structure and characteristics of the classifier are limited, a reasonable selection of the feature extraction space can help improve the characteristics of the classifier and better achieve the downstream tasks in the security field.

Zhang Xue-qin,Gu Chun-hua,Lin Jia-jin

DOI: https://doi.org/10.1109/chinacom.2006.344739

2006-01-01

Abstract:Support vector machine (SVM) has been applied to intrusion detection system (IDS) for its abilities to perform classification and regression. But for large-scale network intrusion detection problem, since solving a support vector machine is a typical quadratic optimization problem, which is influenced by the dimension and quantity of examples, many problems arise. KDDCUP'99 was used as the experiment dataset in this paper. A feature selection technology based on Fisher score was presented and used to construct a reduced feature subset of KDDCUP'99 dataset. SVM was used as a classifier. Experiment was run. The experiment results show, using Fisher score combined with SVM to select the important features is an effective method to reduce the dimension of the example feature space, and the classification accuracy has not dramatically decreased comparing to the original feature space.

Yong SONG,Zhiping CAI

DOI: https://doi.org/10.14188/j.1671-8836.2018.02.004

2018-01-01

Abstract:In the era of big data,intrusion detection is widely used as an important means of network security.Different characteristics of network intrusion detection data have different dimension and dimension units.In order to eliminate the influence of dimension between feature attributes,normalization is usually done before data analysis.Most of the normalized processing only considers the distribution of the attribute value itself without objectively evaluating its influence on the category information or other characteristic attributes.Aiming at this problem,this paper proposes a method of normalizing network intrusion detection data based on information theory.For the continuous feature attributes,the joint information gain is taken as an evaluation method of interval segmentation,and normalization is done according to the proportion of the interval category.For the discrete feature attributes,normalization is done according to the proportion of the conditional entropy.Simulation results using NSL-KDD dataset show that the method can not only improve the convergence of learning algorithms,but also improve the detection rate of classification model and reduce the false alarm rate of classification model.

Jingping Song,Zhiliang Zhu,Peter Scully,Chris Price

DOI: https://doi.org/10.4304/jcp.9.7.1542-1546

2014-01-01

Journal of Computers

Abstract:As network-based technologies become omnipresent, intrusion detection and prevention for these systems become increasingly important. This paper proposed a modified mutual information-based feature selection algorithm (MMIFS) for intrusion detection on the KDD Cup 99 dataset. The C4.5 classification method was used with this feature selection method. In comparison with dynamic mutual information feature selection algorithm (DMIFS), we can see that most performance aspects are improved. Furthermore, this paper shows the relationship between performance, efficiency and the number of features selected.

LIU Yong,SUN Dong-hong,CHEN You,WANG Wan-shan

DOI: https://doi.org/10.3969/j.issn.1005-3026.2010.07.006

2010-01-01

Abstract:A feature selection algorithm can improve efficiently the detection speed and result, with irrelevant and redundant data eliminated and denoised in an intrusion detection system. Taking advantage of the algorithm, a new hybrid feature selection algorithm based on the principal component analysis (PCA) in combination with decision tree algorithm (C4.5) was proposed to develop a lightweight intrusion detection system. Verifying the proposed algorithm in detail via tests with the KDD 1999 dataset, the algorithm was proved that it is available to not only ensure the high detection rate and low false alarm rate but also improve obviously the training/testing time of the intrusion detection system. Furthermore, as a result of comparative tests, the algorithm is superior to GA-SVM algorithm in training/testing time, detection rate and false alarm rate.

XIE Yu-xin,LIU Yan-heng,ZHU Jian-qi,SUN Xin,FU Feng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2011.13.033

2011-01-01

Abstract:A hybrid intrusion detection model is presented against the high false positive and false negative rate in Intrusion Detection System(IDS).This model constructs two feature extractors based on Kernel Principle Component Analysis(KPCA) and Kernel Independent Component Analysis(KICA),and uses a novel ensemble approach to learn the results produced by the extractors.It has capacity of processing large-scale data by using distributed neural network to learn the ensemble results,and obtains the optimal detection result by means of feedback regulating to change the ensemble learning weight.KDD CUP'99 is adopted in experiment and the result shows the model gets the lower false negative rate and false positive rate besides the higher accuracy.

Huiwen Wang,Jie Gu,Shanshan Wang

DOI: https://doi.org/10.1016/j.knosys.2017.09.014

IF: 8.139

2017-01-01

Knowledge-Based Systems

Abstract:Network security is becoming increasingly important in our daily lives—not only for organizations but also for individuals. Intrusion detection systems have been widely used to prevent information from being compromised, and various machine-learning techniques have been proposed to enhance the performance of intrusion detection systems. However, higher-quality training data is an essential determinant that could improve detection performance. It is well known that the marginal density ratio is the most powerful univariate classifier. In this paper, we propose an effective intrusion detection framework based on a support vector machine (SVM) with augmented features. More specifically, we implement the logarithm marginal density ratios transformation to form the original features with the goal of obtaining new and better-quality transformed features that can greatly improve the detection capability of an SVM-based detection model. The NSL-KDD dataset is used to evaluate the proposed method, and the empirical results show that it achieves a better and more robust performance than existing methods in terms of accuracy, detection rate, false alarm rate and training speed.

Vu-Duc Ngo,Tuan-Cuong Vuong,Thien Van Luong,Hung Tran

2023-07-04

Abstract:Internet of things (IoT) has been playing an important role in many sectors, such as smart cities, smart agriculture, smart healthcare, and smart manufacturing. However, IoT devices are highly vulnerable to cyber-attacks, which may result in security breaches and data leakages. To effectively prevent these attacks, a variety of machine learning-based network intrusion detection methods for IoT networks have been developed, which often rely on either feature extraction or feature selection techniques for reducing the dimension of input data before being fed into machine learning models. This aims to make the detection complexity low enough for real-time operations, which is particularly vital in any intrusion detection systems. This paper provides a comprehensive comparison between these two feature reduction methods of intrusion detection in terms of various performance metrics, namely, precision rate, recall rate, detection accuracy, as well as runtime complexity, in the presence of the modern UNSW-NB15 dataset as well as both binary and multiclass classification. For example, in general, the feature selection method not only provides better detection performance but also lower training and inference time compared to its feature extraction counterpart, especially when the number of reduced features K increases. However, the feature extraction method is much more reliable than its selection counterpart, particularly when K is very small, such as K = 4. Additionally, feature extraction is less sensitive to changing the number of reduced features K than feature selection, and this holds true for both binary and multiclass classifications. Based on this comparison, we provide a useful guideline for selecting a suitable intrusion detection type for each specific scenario, as detailed in Tab. 14 at the end of Section IV.

Cryptography and Security,Artificial Intelligence

Xiangrong Yang,Junyi Shen,杨向荣,沈钧毅

DOI: https://doi.org/10.3969/j.issn.1671-8267.2003.02.006

2003-01-01

Abstract:Objective: Present a new features selection algorithm. Methods: based on rule induction and field knowledge. Results: This algorithm can be applied in catching dataflow when detecting network intrusions, only the sub-dataset including discriminating features is catched. Then the time spend in following behavior patterns mining is reduced and the patterns mined are more precise. Conclusion: The experiment results show that the feature subset catched by this algorithm is more informative and the dataset's quantity is reduced significantly.

Ayman I. Madbouly,Amr M. Gody,Tamer M. Barakat

DOI: https://doi.org/10.14445/22315381/IJETT-V9P296

2014-03-30

Abstract:Network intrusions have become a significant threat in recent years as a result of the increased demand of computer networks for critical systems. Intrusion detection system (IDS) has been widely deployed as a defense measure for computer networks. Features extracted from network traffic can be used as sign to detect anomalies. However with the huge amount of network traffic, collected data contains irrelevant and redundant features that affect the detection rate of the IDS, consumes high amount of system resources, and slowdown the training and testing process of the IDS. In this paper, a new feature selection model is proposed; this model can effectively select the most relevant features for intrusion detection. Our goal is to build a lightweight intrusion detection system by using a reduced features set. Deleting irrelevant and redundant features helps to build a faster training and testing process, to have less resource consumption as well as to maintain high detection rates. The effectiveness and the feasibility of our feature selection model were verified by several experiments on KDD intrusion detection dataset. The experimental results strongly showed that our model is not only able to yield high detection rates but also to speed up the detection process.

Cryptography and Security,Machine Learning

Dongliang Xuan,Huaping Hu,Bidong Wang,Xingkong Ma

DOI: https://doi.org/10.1109/cecit53797.2021.00205

2021-01-01

Abstract:The development of network has brought great convenience to our lives, but the number of network intrusions has also increased sharply at the same time. Intrusion detection system(IDS) is one of the most effective ways to solve this problem. IDS based on machine learning is an important issue of current research. Feature selection is a commonly used method in IDS to improve model accuracy and timeliness. In this paper, we propose a heuristic algorithm SSA-CFS based on SSA and CFS, and build a two-layer classification model based on this algorithm. We conduct experiments on the data set named NSL-KDD to evaluate the performance of the algorithm and IDS, and compare them with other traditional algorithms and models. The experimental results show that the feature selection algorithm and IDS model we proposed have significantly improved the time and detection accuracy.

Xin Xu,Xuening Wang

DOI: https://doi.org/10.1007/11527503_82

2005-01-01

Abstract:Network intrusion detection is an important technique in computer security. However, the performance of existing intrusion detection systems (IDSs) is unsatisfactory since new attacks are constantly developed and the speed of network traffic volumes increases fast. To improve the performance of IDSs both in accuracy and speed, this paper proposes a novel adaptive intrusion detection method based on principal component analysis (PCA) and support vector machines (SVMs). By making use of PCA, the dimension of network data patterns is reduced significantly. The multi-class SVMs are employed to construct classification models based on training data processed by PCA. Due to the generalization ability of SVMs, the proposed method has good classification performance without tedious parameter tuning. Dimension reduction using PCA may improve accuracy further. The method is also superior to SVMs without PCA in fast training and detection speed. Experimental results on KDD-Cup99 intrusion detection data illustrate the effectiveness of the proposed method.