Haifeng Lv,Xiaoyu Ji,Yong Ding

DOI: https://doi.org/10.1088/1742-6596/2517/1/012016

2023-01-01

Journal of Physics Conference Series

Abstract:The intrusion detection system (IDS) plays an important part because it offers an efficient way to prevent and mitigate cyber attacks. Numerous deep learning methods for intrusion anomaly detection have been developed as a result of recent advances in artificial intelligence (AI) in order to strengthen internet security. The balance among the high detection rate (DR), the low false alarm rate (FAR) and disaster of dimensionality is the crucial apprehension while devising an effective IDS. For the binary classification of intrusion detection systems, we present in this study a mixed model called K-means-XGBoost consisting of K-means and (Extreme Gradient Boosting, XGBoost) algorithms. The distributed computation of our method is achieved in Spark platform to rapidly separate normal events and anomaly events. In phrases of accuracy, DR, F1-score, recall, precision, and error indices FAR, the proposed model’s performance is measured via the well-known dataset of NSL-KDD. The experimental outcomes indicate that our method is outstandingly better among accuracy, DR, F1-score, training time, and processing speed, compared to other models which are recently created. In particular, the accuracy, F1-score, and DR of the proposed model can achieve as high as 93.28%, 94.39%, and 99.22% in the NSL-KDD dataset, respectively.

Jia Liu,Wang Yinchai,Teh Chee Siong,Xinjin Li,Liping Zhao,Fengrui Wei

DOI: https://doi.org/10.21203/rs.3.rs-1770107/v1

2022-01-01

Abstract:Abstract Intrusion detection is a fuzzy classification problem. Intrusion detection can detect the attack behaviors of hackers in advance. For generating a visualizing architecture for identifying intrusions, this study proposes an approach that combines ANFIS (Adaptive Network-based Fuzzy Inference System), DT (Decision Tree), and K-means clustering algorithm for visualizing the deep pattern of intrusion detection. The ANFIS generates complex and fuzzy combinations of selected attributes. To reduce the rules generation of ANFIS, Pearson Correlation analysis is used to select attributes that highly relate to the target. Meanwhile, standard deviation analysis and a proposed adaptive K-means algorithm are used for determining the interval division of selected attributes. Then, the CART (classification and regression tree) is used to identify the deep mode in generated rules and selected attributes. The architecture of the proposed algorithm is a hybrid visualizing approach. The architecture can identify deep and hybrid features in intrusion detection. The proposed algorithm was trained, validated, and tested on the NSL-KDD dataset. Using 22 attributes that highly relate to the target, the performance of the proposed method achieved a 99.86% detection rate and 0.14% false alarm rate, which is better than many classifiers. Besides, the visualizing model can help us visually identify the complex pattern of intrusions and analyze the pattern of various intrusions.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Na Xing,Shuai Zhao,Yuehai Wang,Keqing Ning,Xiufeng Liu

DOI: https://doi.org/10.14569/ijacsa.2023.0140743

2023-01-01

Abstract:recent years, deep learning-based network intrusion detection systems (IDS) have shown impressive results in detecting attacks. However, most existing IDS can only recognize known attacks that were included in their training data. When faced with unknown attacks, these systems are often unable to take appropriate actions and incorrectly classify them into known categories, leading to reduced detection performance. Furthermore, as the number and types of network attacks continue to increase, it becomes challenging for these IDS to update their model parameters promptly and adapt to new attack scenarios. To address these issues, this paper introduces a dynamic intrusion detection system, Dynamic Unknown Attack Intrusion Detection System (DUA-IDS). This system aims to learn and detect unknown attacks effectively. DUA-IDS comprises three components: Feature Extractor: This component employs CNN and Transformer models to extract data features from various perspectives. Threshold-Based Classifier: The second part utilizes the nearest mean rule of samples to classify known and unknown attacks, enabling the distinction between them. Dynamic Learning Module: The third part incorporates data playback and knowledge distillation techniques to retain existing category knowledge while continuously learning new attack categories. To assess the effectiveness of DUA-IDS, this paper conducted experiments using the UNSW-NB15 public dataset. The experimental results show that DUA-IDS improves the classification accuracy of flow network data with unknown traffic attacks. Can accurately distinguish unknown traffic and correctly classify known traffic. When dynamically learning unknown traffic, the classification accuracy of previously learned known traffic is less affected. This indicates the advantages of DUA-IDS in detecting unknown attacks and learning new attack categories.

Lu Lv,Wenhai Wang,Zeyin Zhang,Xinggao Liu

DOI: https://doi.org/10.1016/j.knosys.2020.105648

IF: 8.139

2020-01-01

Knowledge-Based Systems

Abstract:Intrusion detection is a challenging technology in the area of cyberspace security for protecting a system from malicious attacks. A novel accurate and effective misuse intrusion detection system that relies on specific attack signatures to distinguish between normal and malicious activities is therefore presented to detect various attacks based on an extreme learning machine with a hybrid kernel function (HKELM). First, the derivation and proof of the proposed hybrid kernel are given. A combination of the gravitational search algorithm (GSA) and differential evolution (DE) algorithm is employed to optimize the parameters of HKELM, which improves its global and local optimization abilities during prediction attacks. In addition, the kernel principal component analysis (KPCA) algorithm is introduced for dimensionality reduction and feature extraction of the intrusion detection data. Then, a novel intrusion detection approach, KPCA-DEGSA-HKELM, is obtained. The proposed approach is eventually applied to the classic benchmark KDD99 dataset, the real modern UNSW-NB15 dataset and the industrial intrusion detection dataset from the Tennessee Eastman process. The numerical results validate both the high accuracy and the time-saving benefit of the proposed approach.

Chao Liu,Zhaojun Gu,Jialiang Wang

DOI: https://doi.org/10.1109/access.2021.3082147

IF: 3.9

2021-01-01

IEEE Access

Abstract:Digital assets have come under various network security threats in the digital age. As a kind of security equipment to protect digital assets, intrusion detection system (IDS) is less efficient if the alert is not timely and IDS is useless if the accuracy cannot meet the requirements. Therefore, an intrusion detection model that combines machine learning with deep learning is proposed in this paper. The model uses the k-means and the random forest (RF) algorithms for the binary classification, and distributed computing of these algorithms is implemented on the Spark platform to quickly classify normal events and attack events. Then, by using the convolutional neural network (CNN), long short-term memory (LSTM), and other deep learning algorithms, the events judged as abnormal are further classified into different attack types finally. At this stage, adaptive synthetic sampling (ADASYN) is adopted to solve the unbalanced dataset. The NSL-KDD and CIS-IDS2017 datasets are used to evaluate the performance of the proposed model. The experimental results show that the proposed model has better TPR for most of attack events, faster data preprocessing speed, and potentially less training time. In particular, the accuracy of multi-target classification can reach as high as 85.24% in the NSL-KDD dataset and 99.91% in the CIC-IDS2017 dataset.

computer science, information systems,telecommunications,engineering, electrical & electronic

Haipeng Yao,Qiyi Wang,Luyao Wang,Peiying Zhang,Maozhen Li,Yunjie Liu

DOI: https://doi.org/10.1007/s10766-017-0537-7

2017-01-01

International Journal of Parallel Programming

Abstract:With the dramatic opening-up of network, network security becomes a severe social problem with the rapid development of network technology. Intrusion Detection System (IDS) is an innovative and proactive network security technology, which becomes a hot topic in both industry and academia in recent years. There are four main characteristics of intrusion data that affect the performance of IDS including multicomponent, data imbalance, time-varying and unknown attacks. We propose a novel IDS framework called HMLD to address these issues, which is an exquisite designed framework based on Hybrid Multi-Level Data Mining. In this paper, we use KDDCUP99 dataset to evaluate the performance of HMLD. The experimental results show that HMLD can reach 96.70% accuracy which is nearly 1% higher than the recent proposed optimal algorithm SVM+ELM+Modified K-Means. In details, HMLD greatly increased the detection accuracy of DoS attacks and R2L attacks.

Jia Liu,Wang Yinchai,Teh Chee Siong,Xinjin Li,Liping Zhao,Fengrui Wei

DOI: https://doi.org/10.1038/s41598-022-23765-x

2022-12-01

Abstract:For generating an interpretable deep architecture for identifying deep intrusion patterns, this study proposes an approach that combines ANFIS (Adaptive Network-based Fuzzy Inference System) and DT (Decision Tree) for interpreting the deep pattern of intrusion detection. Meanwhile, for improving the efficiency of training and predicting, Pearson Correlation analysis, standard deviation, and a new adaptive K-means are used to select attributes and make fuzzy interval decisions. The proposed algorithm was trained, validated, and tested on the NSL-KDD (National security lab-knowledge discovery and data mining) dataset. Using 22 attributes that highly related to the target, the performance of the proposed method achieves a 99.86% detection rate and 0.14% false alarm rate on the KDDTrain+ dataset, a 77.46% detection rate on the KDDTest+ dataset, which is better than many classifiers. Besides, the interpretable model can help us demonstrate the complex and overlapped pattern of intrusions and analyze the pattern of various intrusions.

Yawen Xue,Jie Pan,Yangyang Geng,Zeyu Yang,Mengxiang Liu,Ruilong Deng

DOI: https://doi.org/10.1109/ticps.2024.3406505

2024-01-01

Abstract:Industrial control systems (ICSs) are becoming increasingly interconnected as the rapid convergence of information technology (IT) and operation technology (OT) networks, and meanwhile massive attack surfaces have been exposed. However, traditional intrusion detection systems (IDSs) are difficult to be directly deployed in ICSs due to the hard real-time requirement and rare patching chance. Besides, the design of effective and practical IDSs is hampered by the lack of benchmarking ICS cybersecurity datasets. To bridge the gaps, this paper makes the first attempt by open-sourcing the developed ICS cybersecurity datasets and proposing a decision fusion based real-time IDS. Firstly, we design a customized cybersecurity dataset in a full-hardware and high-fidelity platform, including 7 types of cyber threats tailored for ICSs. The collected dataset includes network traffic, sensor readings, actuator status, and system parameters, providing the state-of-the-art benchmark dataset for ICSs consisting of cross-layer characteristics. Furthermore, we design an online decision fusion-based IDS by strategically integrating 4 widely-used machine learning models. The proposed IDS is deployed on a real-time running ethanol distillation, surpassing the performance of single detection models in terms of precision and F1-score, which substantially enhances intrusion detection accuracy and cybersecurity of ICS.

Xuefei Tian,Chenlu Li,Aijuan Qian,Xiaoju Dong

DOI: https://doi.org/10.1109/ispa-bdcloud-socialcom-sustaincom51426.2020.00077

2020-01-01

Abstract:The network environment is increasingly complex, resulting in the explosive growth of network traffic logs. Discovering the patterns of these logs and detecting various cyber-attacks and anomalies have become a widespread concern. However, traditional network analysis techniques and Intrusion Detection System (IDS) have limited ability to identify and respond to the malicious activities hidden in dynamic and long-duration time series. This paper proposes a novel visual analysis system, combining visual analysis and machine learning model, to better reveal the pattern of various traffic logs, detect and classify abnormal network behaviors from enormous traffic logs. The system supports interactive exploration in data space and comparative analysis of the normal and abnormal pattern. It could help users analyze traffic logs conveniently and identify network intrusions efficiently. Besides, a supervised classifier in our system supports the prediction of a single traffic log which facilitates users' analysis of the patterns of traffic logs. A case study conducted on the CICIDS-2017 dataset demonstrates the feasibility of our system.

Weicheng Qiu,Yinghua Ma,Xiuzhen Chen,Haiyang Yu,Lixing Chen

DOI: https://doi.org/10.1016/j.cose.2022.102709

IF: 5.105

2022-01-01

Computers & Security

Abstract:Cyber-attacks are becoming increasingly sophisticated, posing greater challenges in accurately detecting intrusions. Failure to prevent intrusions could degrade the credibility of security services. Intrusion Detection System (IDS) is one of the most effective paradigms to identify attack behaviors. This paper proposes a novel hybrid intrusion detection system called DST-IDS. The proposed method employs both packet-based and flow-based intrusion detection techniques and combines them with Dempster-Shafer Theory (DST). DST-IDS has an ensemble-like framework. It takes both traffic flows and their first N packets as inputs; flow-based IDS aims to predict traffic flows and packet-based IDS detects attacks in the corresponding packets; DST is then applied to fuse predictions of flow-based IDS and packet-based IDS to a final detection result. We also design a novel data collection/processing tool in DST-IDS to reduce the data volume required to perform intrusion detection and enable early detection. In addition, DST-IDS is designed to work with heterogeneous data distribution where the distribution of the training dataset can differ from the data distribution during implementation. This property drastically improves the practicality of DST-IDS. We run experiments on public datasets and real networks to evaluate the proposed method. The experimental results show that DST-IDS outperforms state-of-the-art benchmarks in terms of intrusion detection accuracy and detection speed. Particularly, DST-IDS provides real-time detection in real networks and handles well heterogeneous data distribution.

Hyeok Kong,Cholyong Jong,Unhyok Ryang

DOI: https://doi.org/10.48550/arXiv.1610.04306

2016-10-14

Abstract:In this paper, we propose a new practical association rule mining algorithm for anomaly detection in Intrusion Detection System (IDS). First, with a view of anomaly cases being relatively rarely occurred in network packet database, we define a rare association rule among infrequent itemsets rather than the traditional association rule mining method. And then, we discuss an interest measure to catch differences between interesting relations and uninteresting ones, and what interest there is, and develop a hash based rare association rule mining algorithm for finding rare, but useful anomaly patterns to user. Finally, we define a quantitative association rule in relational database, propose a practical algorithm to mine rare association rules from network packet database, and show advantages of it giving a concrete example. Our algorithm can be applied to fields need to mine hidden patterns which are rare, but valuable, like IDS, and it is based on hashing method among infrequent itemsets, so that it has obvious advantages of speed and memory space limitation problems over the traditional association rule mining algorithms. Keywords: rare association mining algorithm, infrequent itemsets, quantitative association rule, network intrusion detection system, anomaly detection

Cryptography and Security

Jiadong Ren,Jiawei Guo,Wang Qian,Huang Yuan,Xiaobing Hao,Hu Jingjing

DOI: https://doi.org/10.1155/2019/7130868

IF: 1.968

2019-06-16

Security and Communication Networks

Abstract:Intrusion detection system (IDS) can effectively identify anomaly behaviors in the network; however, it still has low detection rate and high false alarm rate especially for anomalies with fewer records. In this paper, we propose an effective IDS by using hybrid data optimization which consists of two parts: data sampling and feature selection, called DO_IDS. In data sampling, the Isolation Forest (iForest) is used to eliminate outliers, genetic algorithm (GA) to optimize the sampling ratio, and the Random Forest (RF) classifier as the evaluation criteria to obtain the optimal training dataset. In feature selection, GA and RF are used again to obtain the optimal feature subset. Finally, an intrusion detection system based on RF is built using the optimal training dataset obtained by data sampling and the features selected by feature selection. The experiment will be carried out on the UNSW-NB15 dataset. Compared with other algorithms, the model has obvious advantages in detecting rare anomaly behaviors.

computer science, information systems,telecommunications

Die Zhang,Zhen Zhang

DOI: https://doi.org/10.1109/EIECC60864.2023.10456717

2023-12-22

Abstract:Network abnormal traffic intrusion detection technology is an important research field of network security today. Hybrid intrusion detection technology overcomes the shortcomings of single detection and retains their advantages, achieving high detection rate and high accuracy, so it is widely used in existing network abnormal traffic detection. However, the optimization of the high false alarm rate of anomaly detection in existing hybrid intrusion detection is imperfect, resulting in a large room for improvement in the detection accuracy of hybrid intrusion detection. In response to the above problems, this paper proposes a hybrid intrusion detection method based on Cluster Marking-k-means. By adding a classifier to the anomaly-based detection module, the detection results are secondary classified to reduce False alarm rate, thus improving the overall detection accuracy of the method. The experiment uses NSL-KDD and CICIDS2017 datasets to verify the effectiveness of the method. The results show that the method proposed in this article improves the average F1 score by 1.19% compared to the comparative method.

Computer Science

Jie Yang,Xin Chen,Xudong Xiang,Jianxiong Wan

DOI: https://doi.org/10.1109/cmc.2010.73

2010-01-01

Abstract:A hybrid intrusion detection approach combing both misuse detection and anomaly detection can detect newly discovered attacks while maintaining a relatively high detection rate. This paper presents a novel hybrid intrusion detection system based on protocol analysis and decision tree algorithms. Performance evaluation of the proposed system is conducted using Generalized Stochastic Petri Nets (GSPN). Simulation results show that this hybrid system can reach a high detection rate.

Zachary Tauscher,Yushan Jiang,Kai Zhang,Jian Wang,Houbing Song

DOI: https://doi.org/10.48550/arXiv.2108.08394

2021-08-19

Abstract:With massive data being generated daily and the ever-increasing interconnectivity of the world's Internet infrastructures, a machine learning based intrusion detection system (IDS) has become a vital component to protect our economic and national security. In this paper, we perform a comprehensive study on NSL-KDD, a network traffic dataset, by visualizing patterns and employing different learning-based models to detect cyber attacks. Unlike previous shallow learning and deep learning models that use the single learning model approach for intrusion detection, we adopt a hierarchy strategy, in which the intrusion and normal behavior are classified firstly, and then the specific types of attacks are classified. We demonstrate the advantage of the unsupervised representation learning model in binary intrusion detection tasks. Besides, we alleviate the data imbalance problem with SVM-SMOTE oversampling technique in 4-class classification and further demonstrate the effectiveness and the drawback of the oversampling mechanism with a deep neural network as a base model.

Cryptography and Security,Machine Learning

Jeyavim Sherin R. C.,Parkavi K.

DOI: https://doi.org/10.1049/cmu2.12831

IF: 1.345

2024-09-14

IET Communications

Abstract:Intrusion detection systems (IDS) monitor network activity to detect unusual patterns indicative of security breaches. However, many existing IDS solutions struggle with accurately identifying attacks within packet capture (PCAP) files. To address this limitation, a deep learning‐based dual IDS model is proposed. Utilizing the Cyber Intelligence Centre‐Distributed Denial of Service Attack 2019 dataset, this model begins by extracting features and attributes from PCAP files. Experimental results demonstrate that this model achieves 98.18% accuracy and 98.73% precision in classification tasks, significantly outperforming existing approaches. These findings highlight the effectiveness of the proposed system in enhancing intrusion detection capabilities. The rise of suspicious activities in network communication, driven by increased internet accessibility, necessitates the development of advanced intrusion detection systems (IDS). Existing IDS solutions often exhibit poor performance in detecting suspicious activity and fail to identify various attack types within packet capture (PCAP) files, which monitor network traffic. This paper proposes a deep learning‐based dual IDS model designed to address these issues. The process begins with utilizing the CSE‐CIC‐IDS2019 dataset to extract features from PCAP files. Suspicious activities are detected using the Exponential Geometric‐Gaussian Error Linear Units‐Gated Recurrent Unit (EG‐GELU‐GRU) method. Normal data undergoes further feature extraction and preprocessing through Log ZScore‐Jacosine Density‐Based Spatial Clustering of Applications with Noise (LZ‐JC‐DBSCAN). Feature selection is optimized using the Entropy Pearson R Correlation‐Red Panda optimization algorithm. Suspicious files are flagged, while load balancing is performed on normal data. Attack detection is achieved through word embedding with the Glorot Kaufman‐bidirectional encoder representations from transformers technique and classification via the EG‐GELU‐GRU model. Attacked packets are blocked, and the method is reapplied for attack‐type classification. Experimental results using Python demonstrate the model's superior performance, achieving 98.18% accuracy and 98.73% precision, surpassing existing approaches and significantly enhancing intrusion detection capabilities.

engineering, electrical & electronic

Ansam Khraisat,Iqbal Gondal,Peter Vamplew,Joarder Kamruzzaman,Ammar Alazab

DOI: https://doi.org/10.3390/electronics9010173

IF: 2.9

2020-01-17

Electronics

Abstract:Cyberttacks are becoming increasingly sophisticated, necessitating the efficient intrusion detection mechanisms to monitor computer resources and generate reports on anomalous or suspicious activities. Many Intrusion Detection Systems (IDSs) use a single classifier for identifying intrusions. Single classifier IDSs are unable to achieve high accuracy and low false alarm rates due to polymorphic, metamorphic, and zero-day behaviors of malware. In this paper, a Hybrid IDS (HIDS) is proposed by combining the C5 decision tree classifier and One Class Support Vector Machine (OC-SVM). HIDS combines the strengths of SIDS) and Anomaly-based Intrusion Detection System (AIDS). The SIDS was developed based on the C5.0 Decision tree classifier and AIDS was developed based on the one-class Support Vector Machine (SVM). This framework aims to identify both the well-known intrusions and zero-day attacks with high detection accuracy and low false-alarm rates. The proposed HIDS is evaluated using the benchmark datasets, namely, Network Security Laboratory-Knowledge Discovery in Databases (NSL-KDD) and Australian Defence Force Academy (ADFA) datasets. Studies show that the performance of HIDS is enhanced, compared to SIDS and AIDS in terms of detection rate and low false-alarm rates.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yuzhao Xu,Yanjing Sun,Zhanguo Ma,Hongjie Zhao,Yanfen Wang,Nannan Lu,,,

DOI: https://doi.org/10.20965/jaciii.2022.p0671

2022-09-20

Journal of Advanced Computational Intelligence and Intelligent Informatics

Abstract:Intrusion detection, as a technology used to monitor abnormal behavior and maintain network security, has attracted many researchers’ attention in recent years. Thereinto, association rule mining is one of the mainstream methods to construct intrusion detection systems (IDS). However, the existing association rule algorithms face the challenges of high false positive rate and low detection rate. Meanwhile, too many rules might lead to the uncertainty increase that affects the performance of IDS. In order to tackle the above problems, a modified genetic network programming (GNP) is proposed for class association rule mining. Specifically, based on the property that node connections in the directed graph structure of GNP can be used to construct attribute associations, we propose to introduce information gain into GNP node selection. The most important attributes are thus selected, and the irrelevant attributes are removed before the rule is extracted. Moreover, not only the uncertainty among the class association rules is alleviated and also time consumption is reduced. The extracted rules can be applied to any classifier without affecting the detection performance. Experiment results based on NSL-KDD and KDDCup99 verify the performance of our proposed algorithm.

Shih-Wei Lin,Kuo-Ching Ying,Chou-Yuan Lee,Zne-Jung Lee

DOI: https://doi.org/10.1016/j.asoc.2012.05.004

IF: 8.7

2012-10-01

Applied Soft Computing

Abstract:Intrusion detection system (IDS) is to monitor the attacks occurring in the computer or networks. Anomaly intrusion detection plays an important role in IDS to detect new attacks by detecting any deviation from the normal profile. In this paper, an intelligent algorithm with feature selection and decision rules applied to anomaly intrusion detection is proposed. The key idea is to take the advantage of support vector machine (SVM), decision tree (DT), and simulated annealing (SA). In the proposed algorithm, SVM and SA can find the best selected features to elevate the accuracy of anomaly intrusion detection. By analyzing the information from using KDD’99 dataset, DT and SA can obtain decision rules for new attacks and can improve accuracy of classification. In addition, the best parameter settings for the DT and SVM are automatically adjusted by SA. The proposed algorithm outperforms other existing approaches. Simulation results demonstrate that the proposed algorithm is successful in detecting anomaly intrusion detection.

computer science, artificial intelligence, interdisciplinary applications