Na Xing,Shuai Zhao,Yuehai Wang,Keqing Ning,Xiufeng Liu

DOI: https://doi.org/10.14569/ijacsa.2023.0140743

2023-01-01

Abstract:recent years, deep learning-based network intrusion detection systems (IDS) have shown impressive results in detecting attacks. However, most existing IDS can only recognize known attacks that were included in their training data. When faced with unknown attacks, these systems are often unable to take appropriate actions and incorrectly classify them into known categories, leading to reduced detection performance. Furthermore, as the number and types of network attacks continue to increase, it becomes challenging for these IDS to update their model parameters promptly and adapt to new attack scenarios. To address these issues, this paper introduces a dynamic intrusion detection system, Dynamic Unknown Attack Intrusion Detection System (DUA-IDS). This system aims to learn and detect unknown attacks effectively. DUA-IDS comprises three components: Feature Extractor: This component employs CNN and Transformer models to extract data features from various perspectives. Threshold-Based Classifier: The second part utilizes the nearest mean rule of samples to classify known and unknown attacks, enabling the distinction between them. Dynamic Learning Module: The third part incorporates data playback and knowledge distillation techniques to retain existing category knowledge while continuously learning new attack categories. To assess the effectiveness of DUA-IDS, this paper conducted experiments using the UNSW-NB15 public dataset. The experimental results show that DUA-IDS improves the classification accuracy of flow network data with unknown traffic attacks. Can accurately distinguish unknown traffic and correctly classify known traffic. When dynamically learning unknown traffic, the classification accuracy of previously learned known traffic is less affected. This indicates the advantages of DUA-IDS in detecting unknown attacks and learning new attack categories.

Laisen Nie,Zhaolong Ning,Xiaojie Wang,Xiping Hu,Jun Cheng,Yongkang Li

DOI: https://doi.org/10.1109/tnse.2020.2990984

IF: 6.6

2020-01-01

IEEE Transactions on Network Science and Engineering

Abstract:As an industrial application of Internet of Things (IoT), Internet of Vehicles (IoV) is one of the most crucial techniques for Intelligent Transportation System (ITS), which is a basic element of smart cities. The primary issue for the deployment of ITS based on IoV is the security for both users and infrastructures. The Intrusion Detection System (IDS) is important for IoV users to keep them away from various attacks via the malware and ensure the security of users and infrastructures. In this paper, we design a data-driven IDS by analyzing the link load behaviors of the Road Side Unit (RSU) in the IoV against various attacks leading to the irregular fluctuations of traffic flows. A deep learning architecture based on the Convolutional Neural Network (CNN) is designed to extract the features of link loads, and detect the intrusion aiming at RSUs. The proposed architecture is composed of a traditional CNN and a fundamental error term in view of the convergence of the backpropagation algorithm. Meanwhile, a theoretical analysis of the convergence is provided by the probabilistic representation for the proposed CNN-based deep architecture. We finally evaluate the accuracy of our method by way of implementing it over the testbed.

Chunyuan Wu,Aijuan Qian,Xiaoju Dong,Yanling Zhang

DOI: https://doi.org/10.1109/tase49443.2020.00019

2020-01-01

Abstract:Deep Learning models have demonstrated significant performance on different tasks such as computer vision, natural language processing, etc. In recent years, these models have also achieved remarkable progress in Intrusion Detection Systems. However, the mechanism of these models is often hard to understand, especially for researchers in the domain of network security. In this paper, we propose a visual analytics system for interpretable deep learning based intrusion detection. During the design of this visual analytics system, we follow the requirements and features of explainable artificial intelligence for users in the domain of network security. The system allows users to select the best parameters to construct the model, to better understand the role of neurons in a deep learning model, to select instances and explore the detection mechanism of the model on these instances. We present multiple use cases to demonstrate the effectiveness of our system.

Xuefei Tian,Zhiyuan Wu,JunXiang Cao,Shengtao Chen,Xiaoju Dong

DOI: https://doi.org/10.1016/j.vrih.2023.06.009

2023-01-01

Virtual Reality & Intelligent Hardware

Abstract:Background With the development of information technology, there is a significant increase in the number of network traffic logs mixed with various types of cyberattacks. Traditional intrusion detection systems（IDSs） are limited in detecting new inconstant patterns and identifying malicious traffic traces in real time.Therefore, there is an urgent need to implement more effective intrusion detection technologies to protect computer security. Methods In this study, we designed a hybrid IDS by combining our incremental learning model（KANSOINN） and active learning to learn new log patterns and detect various network anomalies in real time. Conclusions Experimental results on the NSLKDD dataset showed that KAN-SOINN can be continuously improved and effectively detect malicious logs. Meanwhile, comparative experiments proved that using a hybrid query strategy in active learning can improve the model learning efficiency.

Chenyang Qiu,Yingsheng Geng,Junrui Lu,Kaida Chen,Shitong Zhu,Ya Su,Guoshun Nan,Can Zhang,Junsong Fu,Qimei Cui,Xiaofeng Tao

DOI: https://doi.org/10.1145/3580305.3599238

2023-07-02

Abstract:Network-based intrusion detection system (NIDS) monitors network traffic for malicious activities, forming the frontline defense against increasing attacks over information infrastructures. Although promising, our quantitative analysis shows that existing methods perform inconsistently in declaring various unknown attacks (e.g., 9% and 35% F1 respectively for two distinct unknown threats for an SVM-based method) or detecting diverse known attacks (e.g., 31% F1 for the Backdoor and 93% F1 for DDoS by a GCN-based state-of-the-art method), and reveals that the underlying cause is entangled distributions of flow features. This motivates us to propose 3D-IDS, a novel method that aims to tackle the above issues through two-step feature disentanglements and a dynamic graph diffusion scheme. Specifically, we first disentangle traffic features by a non-parameterized optimization based on mutual information, automatically differentiating tens and hundreds of complex features of various attacks. Such differentiated features will be fed into a memory model to generate representations, which are further disentangled to highlight the attack-specific features. Finally, we use a novel graph diffusion method that dynamically fuses the network topology for spatial-temporal aggregation in evolving data streams. By doing so, we can effectively identify various attacks in encrypted traffics, including unknown threats and known ones that are not easily detected. Experiments show the superiority of our 3D-IDS. We also demonstrate that our two-step feature disentanglements benefit the explainability of NIDS.

Cryptography and Security,Artificial Intelligence,Machine Learning,Social and Information Networks

Han Dongming,Pan Jiacheng,Pan Rusheng,Zhou Dawei,Cao Nan,He Jingrui,Xu Mingliang,Chen Wei

DOI: https://doi.org/10.1007/s11704-020-0013-1

IF: 2.6688

2021-01-01

Frontiers of Computer Science

Abstract:Multivariate dynamic networks indicate networks whose topology structure and vertex attributes are evolving along time. They are common in multimedia applications. Anomaly detection is one of the essential tasks in analyzing these networks though it is not well addressed. In this paper, we combine a rare category detection method and visualization techniques to help users to identify and analyze anomalies in multivariate dynamic networks. We conclude features of rare categories and two types of anomalies of rare categories. Then we present a novel rare category detection method, called DIRAD, to detect rare category candidates with anomalies. We develop a prototype system called iNet, which integrates two major visualization components, including a glyph-based rare category identifier, which helps users to identify rare categories among detected substructures, a major view, which assists users to analyze and interpret the anomalies of rare categories in network topology and vertex attributes. Evaluations, including an algorithm performance evaluation, a case study, and a user study, are conducted to test the effectiveness of proposed methods.

Ying Zhao,FangFang Zhou,XiaoPing Fan,Xing Liang,YongGang Liu

DOI: https://doi.org/10.1007/s11432-013-4891-9

2013-01-01

Science China Information Sciences

Abstract:Intrusion Detection Systems(IDS) is an automated cyber security monitoring system to sense malicious activities.Unfortunately,IDS often generates both a considerable number of alerts and false positives in IDS logs.Information visualization allows users to discover and analyze large amounts of information through visual exploration and interaction efficiently.Even with the aid of visualization,identifying the attack patterns and recognizing the false positives from a great number of alerts are still challenges.In this paper,a novel visualization framework,IDSRadar,is proposed for IDS alerts,which can monitor the network and perceive the overall view of the security situation by using radial graph in real-time.IDSRadar utilizes five categories of entropy functions to quantitatively analyze the irregular behavioral patterns,and synthesizes interactions,filtering and drill-down to detect the potential intrusions.In conclusion,IDSRadar is used to analyze the mini-challenges of the VAST challenge 2011 and 2012.

Jia Liu,Wang Yinchai,Teh Chee Siong,Xinjin Li,Liping Zhao,Fengrui Wei

DOI: https://doi.org/10.21203/rs.3.rs-1770107/v1

2022-01-01

Abstract:Abstract Intrusion detection is a fuzzy classification problem. Intrusion detection can detect the attack behaviors of hackers in advance. For generating a visualizing architecture for identifying intrusions, this study proposes an approach that combines ANFIS (Adaptive Network-based Fuzzy Inference System), DT (Decision Tree), and K-means clustering algorithm for visualizing the deep pattern of intrusion detection. The ANFIS generates complex and fuzzy combinations of selected attributes. To reduce the rules generation of ANFIS, Pearson Correlation analysis is used to select attributes that highly relate to the target. Meanwhile, standard deviation analysis and a proposed adaptive K-means algorithm are used for determining the interval division of selected attributes. Then, the CART (classification and regression tree) is used to identify the deep mode in generated rules and selected attributes. The architecture of the proposed algorithm is a hybrid visualizing approach. The architecture can identify deep and hybrid features in intrusion detection. The proposed algorithm was trained, validated, and tested on the NSL-KDD dataset. Using 22 attributes that highly relate to the target, the performance of the proposed method achieved a 99.86% detection rate and 0.14% false alarm rate, which is better than many classifiers. Besides, the visualizing model can help us visually identify the complex pattern of intrusions and analyze the pattern of various intrusions.

Zachary Tauscher,Yushan Jiang,Kai Zhang,Jian Wang,Houbing Song

DOI: https://doi.org/10.48550/arXiv.2108.08394

2021-08-19

Abstract:With massive data being generated daily and the ever-increasing interconnectivity of the world's Internet infrastructures, a machine learning based intrusion detection system (IDS) has become a vital component to protect our economic and national security. In this paper, we perform a comprehensive study on NSL-KDD, a network traffic dataset, by visualizing patterns and employing different learning-based models to detect cyber attacks. Unlike previous shallow learning and deep learning models that use the single learning model approach for intrusion detection, we adopt a hierarchy strategy, in which the intrusion and normal behavior are classified firstly, and then the specific types of attacks are classified. We demonstrate the advantage of the unsupervised representation learning model in binary intrusion detection tasks. Besides, we alleviate the data imbalance problem with SVM-SMOTE oversampling technique in 4-class classification and further demonstrate the effectiveness and the drawback of the oversampling mechanism with a deep neural network as a base model.

Cryptography and Security,Machine Learning

Kaixing Huang,Qi Zhang,Chunjie Zhou,Naixue Xiong,Yuanqing Qin

DOI: https://doi.org/10.1109/tsmc.2017.2698457

2017-01-01

IEEE Transactions on Systems Man and Cybernetics Systems

Abstract:Visual sensor networks (VSNs) are highly vulnerable to attacks due to their open deployment in possibly unattended environments. To improve the network security of VSNs, an intrusion detection system (IDS) is an effective countermeasure. However, as visual sensors can produce big and dynamic video data, it is a tough task to rapidly and effectively detect attacks in VSNs. Moreover, attack samples in VSNs are generally too rare for IDSs to fully understand the behaviors of attacks. Facing these difficulties, in this paper, we propose an efficient intrusion detection approach for VSNs, which is based on traffic pattern learning. In the proposed approach, a traffic model is developed to describe the dynamic characteristics of network traffic in VSNs. Based on this model, the optimal feature set for traffic pattern learning can be extracted. Then a hierarchical self-organizing map (HSOM) is employed to learn traffic patterns and detect intrusions. Furthermore, an active learning strategy is devised to accelerate the training process of the HSOM and better learn the patterns of attacks. Experimental results show that the proposed approach has high detection accuracy and good real-time performance.

Jian Huang,Xiushan Zhang

DOI: https://doi.org/10.1109/ccet.2018.8542190

2018-01-01

Abstract:In recent years, with the rapid development of computer science and information technology, the world is filled and propelled of time-varying and multivariate data. The enormous growth of data in the last decades led to big data challenge in the network security field. Traditional visual analysis method for the time-varying network is inadequate. Efficient methods for visual clutter reduction, network structure exploration and network behavior detection are needed. In this paper, we propose two methods: A triangular-based algorithm for time-varying behavior presentation and an improved brush PCP aims to assist the visual analysis task in time-varying network pattern detection. A synthetic visual analysis system is designed and implemented on the basis of these two novel methods. Our system is capable of visually analyzing vast amounts of network data. To better describe and demonstrate the usefulness and performance of our system, we utilize the ChinaVis2015 Challenge dataset as a case study.

Jie Fu,Lina Wang,Jianpeng Ke,Kang Yang,Rongwei Yu

DOI: https://doi.org/10.1016/j.eswa.2024.125687

IF: 8.5

2025-01-01

Expert Systems with Applications

Abstract:Due to the heterogeneous and dynamic nature of networks, modeling spatiotemporal correlations has become a trend. Although spatiotemporal-based network intrusion detection systems (NIDSs) enhance the performance of intrusion classification, they still suffer from inadequacies in the multi-classification of intrusions and model generalization ability. First, the static attack topologies of network traffic always ignore some important information; Second, the interaction between spatial and temporal dimensions is rarely considered. To mitigate these issues, this paper proposes TSIDS, a spatiotemporal analysis-based approach that extracts the interaction of network behaviors for intrusion detection. TSIDS combines the spatial analysis module to extract spatial information between different events, and the temporal analysis module to learn the temporal dependencies from historical traffic data. To model spatial correlations of temporal features, we propose a feature fusion module based on our customized gating Multilayer Perceptron (cgMLP). The experimental results on four datasets show that our work is effective in intrusion detection, especially multi-classification, and outperforms other baseline methods.

Siming Chen,Xiaoru Yuan

2015-01-01

Abstract:Monitoring the behavior of hosts and identifying anomaly situation in the streaming network is critical but challenging. There lacks of efficient methods to quickly identify and classified the different behavior for IPs and ports in a dynamic scenario. In this work, we propose a visual analytics approach for quickly identifying anomaly situation and tracking the behavior of interested IP/ports from the streaming network flow data. We build up an interactive visual classification and analysis system, providing filtering and sorting methods, as well as correlation exploration. Features can be classified through interactive brushing and be monitored in other analysis stage. Our case study turns our method can efficiently identify anomaly events from the complex global network flow data.

XU Wenlong,YAO Lihong,PAN Li,NI Yousheng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.18.050

2006-01-01

Abstract:Transductive support vector machines (TSVM) classifies the new data vector based on the information only related to this data vector. This paper proposes an anomaly network traffic detection method based on TSVM. The KDD-99 intrusion detection competition data set is used to illustrate the performances of the TSVM. The performance-comparisons of TSVM and traditional inductive SVM are presented. The results show that TSVM can be used in intrusion detection practically.

Zhang, Yanling,Liu, Haolin,Dong, Xiaoju,Li, Chenlu,Zhang, Zexi

DOI: https://doi.org/10.1007/s12650-021-00789-5

IF: 1.7

2021-01-01

Journal of Visualization

Abstract:Cyber security issues are always worthy of attention. Intrusion detection system (IDS) is one of approaches used to protect computer system and identify potential attack. However, existing methods are limited by high-dimensional computational complexity in rare or unknown attack detection task. To improve the ability of detecting anomaly intrusions, a hybrid intrusion detection framework is proposed in this paper. The proposed RuleRCD algorithm first uses fuzzy association rules based on Apriori and K -Means algorithm for normal pattern and major attack detection. The other data are then fed to an active learning-based rare category detection algorithm to identify its attack pattern. This paper also introduces an interactive visualization system, which integrates experts’ decision into intrusion detection workflow. The method improves the effectiveness and interpretability of detection process. KDD-99 dataset is used to evaluate the proposed framework. The result shows that the approach outperforms some methods, especially in terms of the rare attack.

Shuai Jiang,Xiaolong Xu

DOI: https://doi.org/10.1007/978-3-030-34637-9_12

2019-01-01

Abstract:In the era of network and big data, network information security has become a major issue. Intrusion Detection System (IDS) is an essential component of network security facilities, which utilizes network traffic data to detect attacks. IDS can adopt data analysis and data mining technologies to detect attacks to network systems. However, the computational overhead of IDS is too large to serve for real-time detection due to the redundancy and irrelevant features in the network traffic dataset. We hence analyze seven classification algorithms for intrusion detection, where we separately perform data preprocessing with two kinds of dimensionality reduction techniques, Principal Component Analysis (PCA) and Singular Value Decomposition (SVD), to improve the performance of IDS. The experimental results on the NSL-KDD dataset indicate that the classification algorithms with dimensionality reduction outstands in detection rate and detection speed. Meanwhile, SVD demonstrate its superiority to PCA in boosting these algorithms.

Xi He,Li Zhang,Tao Liu,Wei Wang

DOI: https://doi.org/10.1109/compcomm.2018.8780699

2018-01-01

Abstract:Intrusion detection based on network traffic has been widely studied in traditional network systems. At the same time, the security threats faced by Industrial Control Systems (ICS) are becoming increasingly severe. The network communication environments of ICSs are very different from the traditional Internet in in terms of protocols, interaction modes and security considerations. How to detect anomalies effectively in power production control system is an important issue. In this work, we use a representative Distributed Control System (DCS) working in thermal power generation scenarios and conduct various attacks on this DCS to generate an original network traffic. We then consider the time correlation and interaction stability of the DCS and propose a dual window scheme (Dual-Win) to get more effective features based on basic features. We use several machine learning methods for the detection of anomalies based on the traffic data. The experimental results show that our method achieves the detection accuracy as 99.41% with only basic traffic features, and the detection accuracy can be as 99.77% with the basic and Dual-Win features.

Xin Xu

2006-01-01

Abstract:In recent years, intrusion detection has emerged as an important technique for network security. Due to the large volumes of security audit data as well as complex and dynamic properties of intrusion behaviors, to optimize the performance of intrusion detection systems (IDSs) becomes an important open problem. In this paper, a general framework of adaptive intrusion detection based on machine learning is presented. In the framework, three perspectives of challenging problems are explored, which include feature extraction, classifier construction and pattern prediction for sequential data. It is illustrated that the three perspectives of research challenges are mainly suitable for machine learning methods using unsupervised, supervised and reinforcement learning algorithms, respectively. Several recently developed machine learning algorithms, including a multi-class support vector machine with principal component analysis (PCA) for feature reduction and a reinforcement learning algorithm for sequential prediction, are applied and evaluated both on network-based traffic data and on host-based program behaviors. Experiments on the KDD99 intrusion detection data set and the system call data from University of New Mexico show very promising results for the machine learning approaches to adaptive intrusion detection. Some directions for future research works are also discussed.

Peixin Liao,Xvxin Huang,Qiangbo Huang,Yanming Liang,Zhongxiao Wang,Denghui Zhang

DOI: https://doi.org/10.1109/cloudnet59005.2023.10490021

2023-01-01

Abstract:The rapid expansion of the Internet has boosted the widespread adoption of cloud technology across data-center fabrics and generated massive traffic. The emerging intrusion traffic brings new challenges to network security. Despite the remarkable advancements made by deep learning (DL) in fields including computer vision (CV) and natural language processing (NLP), its effectiveness in handling discrete time-series data, particularly in anomaly traffic, remains poor. It also fails to offer interpretability for prediction results, impeding its practicability to guide subsequent steps such as intrusion detection and prevention. This paper presents an interpretable intrusion detection system (IDS) based on feature importance. The approach first extracts significant features by methods including the Principal Component Analysis (PCA) and decision tree (DT). Then it converts important features into 2D feature images so that integrating with existing convolutional neural networks (CNNs) for predictions. Comparative experiments with more than 10 existing methods demonstrate this proposed method enhances detection capabilities and enable the intuitive interpretability of the analysis procedure.

Yuansheng Dong,Rong Wang,Juan He

DOI: https://doi.org/10.1109/icsess47205.2019.9040718

2019-01-01

Abstract:Computer network is vulnerable to hackers, computer viruses, and other malicious attacks. As an active defense technology, intrusion detection plays an important role in the field of network security. Traditional intrusion detection technologies face problems such as low accuracy, low detection efficiency, high false positive rate, and inability to cope with new types of intrusions. To solve these problems, we propose a real-time network intrusion detection system based on deep learning, which uses big data technology, natural language processing technology and deep learning technology. Our main contributions are as follows: (1) Use Flume as the agent for log collection to realize real-time massive log collection, using Flink as real-time computation engine. (2) Aiming at the high dimensional problem of traffic data, a self-encoder-based intrusion detection dimension reduction method is proposed, and the intrusion detection data is preprocessed, including data cleaning, coding, extraction and integration, and normalization. (3) Propos a deep learning-based intrusion detection model, AE-AlexNet, which uses Auto-Encoder AlexNet neural network. The experimental results of the intrusion detection data set KDD 99 show that the accuracy of the AE-AlexNet, model is as high as 94.32%.