Ahmed S. Alzahrani,Reehan Ali Shah,Yuntao Qian,Munwar Ali

DOI: https://doi.org/10.1016/j.aej.2020.01.021

IF: 6.626

2020-01-01

Alexandria Engineering Journal

Abstract:With the rapid advancement in technology, network systems are becoming prone to more sophisticated types of intrusions. However, machine learning (ML) based strategies are among the most efficient and popular methods to identify the network intrusions or attacks. In this study, we examined the important and discriminative features, in order to recognize the various attacks by applying the Structural Sparse Logistic Regression (SSPLR) and Support Vector Machine (SVMs) methods. The SVMs are standard ML-based techniques, which provide the reasonable performance, however, they have few shortcomings, such as, interpretability and huge computational cost. On the other hand, the sparse modeling (SSPLR) is considered as the advanced method for the data examination and processing through regularization. The structural sparse modeling can be used to simultaneously select the distinct features or the group of discriminative features from the repository of the data set to determine the coefficient of the linear classifier, where, prior information of the feature’s structure can be mapped on various sparsity-inducing regularizations. In this way, the particular group of features yielded by the most significant network attacks are selected and potentially identified. The experiments and discussion, show that the proposed techniques have improved performance compared to the most state-of-the-art techniques, used for the Intrusion Detection System (IDS).

Chongzhen Zhang,Yanli Chen,Yang Meng,Fangming Ruan,Runze Chen,Yidan Li,Yaru Yang

DOI: https://doi.org/10.1155/2021/6610675

IF: 1.968

2021-01-25

Security and Communication Networks

Abstract:Traditional machine learning-based intrusion detection often only considers a single algorithm to identify intrusion data, lack of the flexibility method, low detection rate, no handing high-dimensional data, and cannot solve these problems well. In order to improve the performance of intrusion detection system, a novel general intrusion detection framework was proposed in this paper, which consists of five parts: preprocessing module, autoencoder module, database module, classification module, and feedback module. The data processed by the preprocessing module are compressed by the autoencoder module to obtain a lower-dimensional reconstruction feature, and the classification result is obtained through the classification module. Compressed features of each traffic are stored in the database module which can both provide retraining and testing for the classification module and restore these features to the original traffic for postevent analysis and forensics. For evaluation of the framework performance proposed, simulation was conducted with the CICIDS2017 dataset to the real traffic of the network. As the experimental results, the accuracy of binary classification and multiclass classification is better than previous work, and high-level accuracy was reached for the restored traffic. At the last, the possibility was discussed on applying the proposed framework to edge/fog networks.

computer science, information systems,telecommunications

Zachary Tauscher,Yushan Jiang,Kai Zhang,Jian Wang,Houbing Song

DOI: https://doi.org/10.48550/arXiv.2108.08394

2021-08-19

Abstract:With massive data being generated daily and the ever-increasing interconnectivity of the world's Internet infrastructures, a machine learning based intrusion detection system (IDS) has become a vital component to protect our economic and national security. In this paper, we perform a comprehensive study on NSL-KDD, a network traffic dataset, by visualizing patterns and employing different learning-based models to detect cyber attacks. Unlike previous shallow learning and deep learning models that use the single learning model approach for intrusion detection, we adopt a hierarchy strategy, in which the intrusion and normal behavior are classified firstly, and then the specific types of attacks are classified. We demonstrate the advantage of the unsupervised representation learning model in binary intrusion detection tasks. Besides, we alleviate the data imbalance problem with SVM-SMOTE oversampling technique in 4-class classification and further demonstrate the effectiveness and the drawback of the oversampling mechanism with a deep neural network as a base model.

Cryptography and Security,Machine Learning

Yung-Chung Wang,Yi-Chun Houng,Han-Xuan Chen,Shu-Ming Tseng

DOI: https://doi.org/10.3390/s23042171

IF: 3.9

2023-02-16

Sensors

Abstract:The prevalence of internet usage leads to diverse internet traffic, which may contain information about various types of internet attacks. In recent years, many researchers have applied deep learning technology to intrusion detection systems and obtained fairly strong recognition results. However, most experiments have used old datasets, so they could not reflect the latest attack information. In this paper, a current state of the CSE-CIC-IDS2018 dataset and standard evaluation metrics has been employed to evaluate the proposed mechanism. After preprocessing the dataset, six models—deep neural network (DNN), convolutional neural network (CNN), recurrent neural network (RNN), long short-term memory (LSTM), CNN + RNN and CNN + LSTM—were constructed to judge whether network traffic comprised a malicious attack. In addition, multi-classification experiments were conducted to sort traffic into benign traffic and six categories of malicious attacks: BruteForce, Denial-of-service (DoS), Web Attacks, Infiltration, Botnet, and Distributed denial-of-service (DDoS). Each model showed a high accuracy in various experiments, and their multi-class classification accuracy were above 98%. Compared with the intrusion detection system (IDS) of other papers, the proposed model effectively improves the detection performance. Moreover, the inference time for the combinations of CNN + RNN and CNN + LSTM is longer than that of the individual DNN, RNN and CNN. Therefore, the DNN, RNN and CNN are better than CNN + RNN and CNN + LSTM for considering the implementation of the algorithm in the IDS device.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Fengqin Zuo,Damin Zhang,Lun Li,Qing He,Jiaxin Deng

DOI: https://doi.org/10.1016/j.heliyon.2024.e32087

IF: 3.776

2024-05-29

Heliyon

Abstract:One of the critical technologies to ensure cyberspace security is network traffic anomaly detection, which detects malicious attacks by analyzing and identifying network traffic behavior. The rapid development of the network has led to explosive growth in network traffic, which seriously impacts the user's information security. Researchers have delved into intrusion detection as an active defense technology to address this challenge. However, traditional machine learning methods struggle to capture complex threats and attack patterns when dealing with large-scale network data. In contrast, deep learning methods have the advantages of automatically extracting features from network traffic data and strong generalization capabilities. Aiming to enhance the ability of network anomaly traffic detection, this paper proposes a network traffic anomaly detection based on Deep Residual Shrinkage Network (DRSN), namely "GSOOA-1DDRSN". This method uses an improved Osprey optimization algorithm to select the most relevant and essential features in network traffic, reducing the features' dimensionality. For better detection performance of network traffic anomalies, a one-dimensional deep residual shrinkage network (1DDRSN) is designed as a classifier. Validation is performed using the NSL-KDD and UNSW-NB15 datasets and compared with other methods. The experimental results show that GSOOA-1DDRSN has improved multi-classification accuracy, precision, recall, and F1 Score by approximately 2 % and 3 %, respectively, compared to the 1DDRSN model on two datasets. Additionally, it reduces the time computation costs by 20 % and 30 % on these datasets. Furthermore, compared to other models, GSOOA-1DDRSN offers superior classification accuracy and effectively reduces the number of features.

Kai Jin,Lei Zhang,Yujie Zhang,Duo Sun,Xiaoyuan Zheng

DOI: https://doi.org/10.3390/electronics12204329

IF: 2.9

2023-10-19

Electronics

Abstract:The current mainstream intrusion detection models often have a high false negative rate, significantly affecting intrusion detection systems' (IDSs) practicability. To address this issue, we propose an intrusion detection model based on a multi-scale one-dimensional convolutional neural network module (MS1DCNN), an efficient channel attention module (ECA), and two bidirectional long short-term memory modules (BiLSTMs). The proposed hybrid MS1DCNN-ECA-BiLSTM model uses the MS1DCNN module to extract features with a different granularity from the input data and uses the ECA module to enhance the weight of important features. Finally, the model carries out sequence learning through two BiLSTM layers. We use the dung beetle optimizer (DBO) to optimize the hyperparameters in the model to obtain better classification results. Additionally, we use the synthetic minority oversampling technique (SMOTE) to fill several samples to reduce the local false negative rate. In this paper, we train and test the model using accurate network data from a water storage industrial control system. In the multi-classification experiment, the model's accuracy was 97.04%, the precision was 97.17%, and the false negative rate was 2.95%; in the binary classification experiment, the accuracy and false negative rate were 99.30% and 0.7%. Compared with other mainstream methods, our model has a higher score. This study provides a new algorithm for the intrusion detection of industrial control systems.

engineering, electrical & electronic,computer science, information systems,physics, applied

Bayi Xu,Lei Sun,Xiuqing Mao,Chengwei Liu,Zhiyi Ding

DOI: https://doi.org/10.32604/cmc.2023.046478

2024-01-01

Abstract:In recent years, frequent network attacks have highlighted the importance of efficient detection methods for ensuring cyberspace security. This paper presents a novel intrusion detection system consisting of a data preprocessing stage and a deep learning model for accurately identifying network attacks. We have proposed four deep neural network models, which are constructed using architectures such as Convolutional Neural Networks (CNN), Bi-directional Long Short-Term Memory (BiLSTM), Bidirectional Gate Recurrent Unit (BiGRU), and Attention mechanism. These models have been evaluated for their detection performance on the NSL-KDD dataset.To enhance the compatibility between the data and the models, we apply various preprocessing techniques and employ the particle swarm optimization algorithm to perform feature selection on the NSL-KDD dataset, resulting in an optimized feature subset. Moreover, we address class imbalance in the dataset using focal loss. Finally, we employ the BO-TPE algorithm to optimize the hyperparameters of the four models, maximizing their detection performance. The test results demonstrate that the proposed model is capable of extracting the spatiotemporal features of network traffic data effectively. In binary and multiclass experiments, it achieved accuracy rates of 0.999158 and 0.999091, respectively, surpassing other state-of-the-art methods.

computer science, information systems,materials science, multidisciplinary

Aiguo Chen,Yang Fu,Xu Zheng,Guoming Lu

DOI: https://doi.org/10.1016/j.cose.2021.102600

2022-03-01

Abstract:The Internet environment is exposed to diverse and increasingly numerous intrusion attacks due to its continuously expanding scale, threatening the information and assets of individuals and companies. The application of machine learning and deep learning methods has significantly improved the performance of network behavior anomaly detection (NBAD). However, existing NBAD methods based on machine learning classify network behaviors with hand-selected feature vectors, which are not flexible enough to adapt to various cyber environments and new categories of attacks, resulting in low accuracy. Moreover, high-dimensional and large-scale data have significantly increased the training, retraining, and detection time, resulting in low scalability. To solve these problems, an efficient NBAD algorithm based on deep belief networks (DBN) and long short-term memory (LSTM) networks is proposed. First, a nonlinear feature extraction method using a DBN is applied to extract features automatically and reduce the dimension of the original data while guaranteeing accuracy. Then, a light-structure LSTM network is used to obtain the classification results. The results of multiple experiments show that the proposed approach performs well in feature learning and has high accuracy while obtaining results in a timely manner and easily updating the model.

computer science, information systems

Yanfang Fu,Yishuai Du,Zijian Cao,Qiang Li,Wei Xiang

DOI: https://doi.org/10.3390/electronics11060898

IF: 2.9

2022-03-14

Electronics

Abstract:With an increase in the number and types of network attacks, traditional firewalls and data encryption methods can no longer meet the needs of current network security. As a result, intrusion detection systems have been proposed to deal with network threats. The current mainstream intrusion detection algorithms are aided with machine learning but have problems of low detection rates and the need for extensive feature engineering. To address the issue of low detection accuracy, this paper proposes a model for traffic anomaly detection named a deep learning model for network intrusion detection (DLNID), which combines an attention mechanism and the bidirectional long short-term memory (Bi-LSTM) network, first extracting sequence features of data traffic through a convolutional neural network (CNN) network, then reassigning the weights of each channel through the attention mechanism, and finally using Bi-LSTM to learn the network of sequence features. In intrusion detection public data sets, there are serious imbalance data generally. To address data imbalance issues, this paper employs the method of adaptive synthetic sampling (ADASYN) for sample expansion of minority class samples, to eventually form a relatively symmetric dataset, and uses a modified stacked autoencoder for data dimensionality reduction with the objective of enhancing information fusion. DLNID is an end-to-end model, so it does not need to undergo the process of manual feature extraction. After being tested on the public benchmark dataset on network intrusion detection NSL-KDD, experimental results show that the accuracy and F1 score of this model are better than those of other comparison methods, reaching 90.73% and 89.65%, respectively.

engineering, electrical & electronic,computer science, information systems,physics, applied

Christian Callegari,Stefano Giordano,Michele Pagano

DOI: https://doi.org/10.1016/j.bdr.2024.100446

IF: 3.3

2024-02-29

Big Data Research

Abstract:Anomaly-based Intrusion Detection is a key research topic in network security due to its ability to face unknown attacks and new security threats. For this reason, many works on the topic have been proposed in the last decade. Nonetheless, an ultimate solution, able to provide a high detection rate with an acceptable false alarm rate, has still to be identified. In the last years big research efforts have focused on the application of Deep Learning techniques to the field, but no work has been able, so far, to propose a system achieving good detection performance, while processing raw network traffic in real time. For this reason in the paper we propose an Intrusion Detection System that, leveraging on probabilistic data structures and Deep Learning techniques, is able to process in real time the traffic collected in a backbone network, offering excellent detection performance and low false alarm rate. Indeed, the extensive experimental tests, run to validate our system and compare different Deep Learning techniques, confirm that, with a proper parameter setting, we can achieve about 92% of detection rate, with an accuracy of 0.899. Finally, with minimal changes, the proposed system can provide some information about the kind of anomaly, although in the multi-class scenario the detection rate is slightly lower (around 86%).

computer science, information systems, artificial intelligence, theory & methods

Zhendong Wu,Jingjing Wang,Liqin Hu,Zhang Zhang,Han Wu

DOI: https://doi.org/10.1016/j.jnca.2020.102688

IF: 7.574

2020-08-01

Journal of Network and Computer Applications

Abstract:<p>In recent years, with the increase of human activities in cyberspace, intrusion events, such as network penetration, detection and attack, tend to be frequent and hidden. The traditional intrusion detection methods which prefer rules are not enough to deal with the increasingly complex network intrusion flow. However, the generalization ability of intrusion detection system based on classical machine learning method is still insufficient, and the false alarm rate is high. Aiming at this problem, we consider that normal network traffic and intrusion network traffic are obviously different in several semantic dimensions, though the intrusion traffic is more and more covert. Then we propose a new intrusion detection method, named SRDLM, based on semantic re-encoding and deep learning. The SRDLM method re-encodes the semantics of network traffic, increases the distinguish ability of traffic, and enhances the generalization ability of the algorithm by using deep learning technology, thus effectively improving the accuracy and robustness of the algorithm. The accuracy of the SRDLC algorithm for Web character injection network attack detection is over 99%. When detecting the NSL-KDD data set, the average performance is improved by more than 8% compared with the traditional machine learning method.</p>

computer science, interdisciplinary applications, software engineering, hardware & architecture

Yali Wu,Yanghu Hu,Junhu Wang,Mengqi Feng,Ang Dong,Yanxi Yang

DOI: https://doi.org/10.1016/j.cose.2024.103713

IF: 5.105

2024-02-01

Computers & Security

Abstract:Zero-day attacks from highly dynamic and complex cyberspace make severe threats to the existing network intrusion detection systems. Robust and intelligent solutions are required to handle the rapidly evolving threats from internet environment. In this paper, a novel active learning framework based on Deep Q-Network (DQN) is proposed for zero-day attacks detection. The framework is composed of network intrusion detection systems classifier, sample selection strategy and annotator. Deep Q-Network model serves as an intelligent control component to select the zero-day samples for labeling with the probability distribution. Moreover, the Bi-directional Long Short-Term Memory (BiLSTM) network is integrated into DQN model to form the selecting policy to analyze the temporal correlation within the static classification context. Meanwhile, Euclidean distance function is adopted for labeling the selected samples to achieve an accurate labeling result. Two famous datasets named NSL_KDD and UNSW_NB15 in intrusion detection field are tested for evaluate the performance of our proposed framework. Compared to other machine learning methods, the approach proposed in this paper demonstrates better universality and generalizability . This indicates that the method is more capable of reliably identifying and detecting network intrusion behaviors, which holds significant importance for further security research and practical applications.

computer science, information systems

Zhun Zhang,Qihe Liu,Shilin Qiu,Shijie Zhou,Cheng Zhang

DOI: https://doi.org/10.1109/access.2020.3033494

IF: 3.9

2020-01-01

IEEE Access

Abstract:In recent years, due to the frequent occurrence of network intrusions, more and more researchers have begun to focus on network intrusion detection. However, it is still a challenge to detect unknown attacks. Currently, there are two main methods of unknown attack detection: clustering and honeypot. But they still have unsolved problems such as difficulty in collecting unknown attack samples and failure to detect on time. Zero-Shot learning is proposed to deal with the problem in this article, which can recognize unknown attacks by learning the mapping relations between feature space and semantic space (such as attribute space). When the semantic descriptions of all attacks (including known and unknown attacks) are provided, the classifier built by Zero-Shot learning can extract common semantic information among all attacks and construct connections between known and unknown attacks. The classifier then utilizes the connections to classify unknown attacks although there are no samples for unknown attacks. In this article, we first propose to use Zero-Shot learning to overcome the challenge of unknown attack detection and illustrate the feasibility of this method. Secondly, we then propose a novel method of Zero-Shot learning based on sparse autoencoder for unknown attack detection. This method maps the feature of known attacks to the semantic space, and restores the semantic space to the feature space by constrains of reconstruction error, and establishes the feature to semantic mapping, which is used to detect unknown attacks. Verification tests have been carried out by using the public dataset NSL-KDD. From the experiments conducted in this work, the results show that the average accuracy reaches 88.3% which performs better than other methods.

Zhongjun Yang,Qi Wang,Xuejun Zong,Guogang Wang

DOI: https://doi.org/10.1016/j.cose.2024.103781

IF: 5.105

2024-02-23

Computers & Security

Abstract:The network security problem in today's world is becoming more and more prominent, and intrusion detection as a branch in the field of network security has been developed tremendously. At present, back propagation (BP) neural network is widely used in intrusion detection. However, its weights and thresholds are randomly initialized, so that fall into local optimal after training. To solve this problem, an intrusion detection model based on improved social network search (ISNS) algorithm to optimize BP neural network is proposed. The model first uses chaotic mapping and elite mechanism to improve the original Social Network Search (SNS) algorithm, and then uses the ISNS algorithm to filter the initial weights and thresholds of the BP neural network, and constructs the neural network with the optimal values to avoid falling into local optimum. The experimental results show that the proposed method solves the problem that the traditional BP neural network is easy to fall into local optimum. At the same time, the ISNS_BP model achieves better classification performance than other models, and the accuracy on the NSL-KDD and UNSW-NB15 datasets reaches 98.62 % and 93.97 %, respectively.

computer science, information systems

Shi Dong,Yuanjun Xia,Tao Peng

DOI: https://doi.org/10.1109/tnsm.2021.3120804

2021-12-01

IEEE Transactions on Network and Service Management

Abstract:The rapid development of Internet technology has brought great convenience to our production life, and the ensuing security problems have become increasingly prominent. These problems threaten users' privacy and pose significant security risks to the normal conduct of many aspects of society, such as politics, economy, culture, and people's livelihood. The growth of the information transmission rate expands the scope of attacks and provides a more attack environment for intruders. Abnormal detection is an effective security protection technology that can monitor network transmission in real-time, effectively sense external attacks, and provide response decisions for relevant managers. The development of machine learning has also led to the development of abnormal traffic detection technology. The goal has been to use powerful and fast learning algorithms to deal with changing threats and respond in real-time. Most of the current abnormal detection research is based on simulation, using public and well-known datasets. On the one hand, the dataset contains high-dimensional massive data, which traditional machine learning methods cannot be processed. On the other hand, the labeled data scale is far behind the application requirements, and the dataset's labels are all manually labeled, so the labeling cost is exceptionally high. This paper proposes a semi-supervised Double Deep Q-Network (SSDDQN)-based optimization method for network abnormal traffic detection, mainly based on Double Deep Q-Network (DDQN), a representative of Deep Reinforcement Learning algorithm. In SSDDQN, the current network first adopts the autoencoder to reconstruct the traffic features and then uses a deep neural network as a classifier. The target network first uses the unsupervised learning algorithm K-Means clustering and then uses deep neural network prediction. The experiment uses NSL-KDD and AWID datasets for training and testing and -erforms a comprehensive comparison with existing machine learning models. The experimental results show that SSDDQN has certain advantages in time complexity and achieved good results in various evaluation metrics.

computer science, information systems

Hao Zhang,Zude Xiao,Jason Gu,Yanhua Liu

DOI: https://doi.org/10.1007/s11227-023-05474-y

IF: 3.3

2023-06-15

The Journal of Supercomputing

Abstract:With the rapid development of network technology, the Internet has brought significant convenience to various sectors of society, holding a prominent position. Due to the unpredictable and severe consequences resulting from malicious attacks, the detection of anomalous network traffic has garnered considerable attention from researchers over the past few decades. Accurately labeling a sufficient amount of network traffic data as a training dataset within a short period of time is a challenging task, given the rapid and massive generation of network traffic data. Furthermore, the proportion of malicious attack traffic is relatively small compared to the overall traffic data, and the distribution of traffic data across different types of malicious attacks also varies significantly. To address the aforementioned challenges, this paper presents a novel network anomaly detection algorithm based on semi-supervised learning and adaptive multiclass balancing. Building upon the assumption of consistent distribution between labeled and unlabeled data, this paper introduces the multiclass split balancing strategy and the adaptive confidence threshold function. These innovative approaches aim to tackle the issue of the multiclass imbalanced in traffic data. By leveraging the mutually beneficial relationship between semi-supervised learning and ensemble learning, this paper presents the collaborative rotation forest algorithm. This algorithm is specifically designed to enhance performance of anomaly detection in an environment with label inadequacy. Several comparative experiments conducted on the NSL-KDD, UNSW-NB15, and ToN-IoT demonstrate that the proposed algorithm achieves significant improvements in performance. Specifically, it enhances precision by 1.5–5.7%, recall by 1.5−5.7%, and F-Measure by 1.4−4.3% compared to the state-of-the-art algorithms.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Ying Zhong,Yiran Zhu,Zhiliang Wang,Xia Yin,Xingang Shi,Keqin Li

DOI: https://doi.org/10.1007/978-3-030-59016-1_65

2020-01-01

Abstract:Network intrusion detection plays an important role in network security. With the deepening of machine learning research, especially the generative adversarial networks (GAN) proposal, the stability of the anomaly detector is put forward for higher requirements. The main focus of this paper is on the security of machine learning based anomaly detectors. In order to detect the robustness of the existing advanced anomaly detection algorithm, we propose an anomaly detector attack framework MACGAN (maintain attack features based on the generative adversarial networks). The MACGAN framework consists of two parts. The first part is used to analyze the attack fields manually. Then, the learning function of GAN in the second part is used to bypass the anomaly detection. Our framework is tested on the latest Kitsune2018 and CICIDS2017 data sets. Experimental results demonstrate the ability to bypass the state-of-the-art machine learning algorithms. This greatly helps the network security researchers to improve the stability of the detector.

Zhida Li,Ana Laura Gonzalez Rios,Ljiljana Trajkovic

DOI: https://doi.org/10.1109/jsac.2021.3078497

IF: 16.4

2021-07-01

IEEE Journal on Selected Areas in Communications

Abstract:Cyber attacks are becoming more sophisticated and, hence, more difficult to detect. Using efficient and effective machine learning techniques to detect network anomalies and intrusions is an important aspect of cyber security. A variety of machine learning models have been employed to help detect malicious intentions of network users. In this paper, we evaluate performance of recurrent neural networks (Long Short-Term Memory and Gated Recurrent Unit) and Broad Learning System with its extensions to classify known network intrusions. We propose two BLS-based algorithms with and without incremental learning. The algorithms may be used to develop generalized models by using various subsets of input data and expanding the network structure. The models are trained and tested using Border Gateway Protocol routing records as well as network connection records from the NSL-KDD and Canadian Institute of Cybersecurity datasets. Performance of the models is evaluated based on selected features, accuracy, F-Score, and training time.

telecommunications,engineering, electrical & electronic

Zhipeng Li,Zheng Qin,Pengbo Shen,Liu Jiang

DOI: https://doi.org/10.1007/978-3-030-36708-4_29

2019-01-01

Abstract:Network intrusion detection is an important network security infrastructure. Although numerous studies based on machine learning have explored how to enable intrusion detection to detect unknown novel attack types, so called anomaly detection, little work focuses on using attribute learning methods. An important application of attribute learning is zero-shot learning, which can be used to solve the anomaly detection problem. In this paper, we propose an attribute learning method. A pipeline framework using random forest feature selection and DBSCAN clustering attribute conversion is introduced to convert raw network data into attributes. A comprehensive empirical evaluation demonstrates that our proposed framework sustains the data information effectively and outperforms the state-of-the-art approaches. An extra zero-shot learning experiment show that our attribute approach works well in zero-shot learning scenario.

Wei Liang,Kuan-Ching Li,Jing Long,Xiaoyan Kui,Albert Y. Zomaya

DOI: https://doi.org/10.1109/tii.2019.2946791

IF: 12.3

2020-03-01

IEEE Transactions on Industrial Informatics

Abstract:Industrial networks are complex and diverse. Among existing intrusion prevention systems available, several of them have problems such as low detection accuracy rate, high false positive (FP) rate, and low real-time performance for impersonation attacks. To address such issues, it is proposed in this article an industrial network intrusion detection algorithm based on multifeature data clustering optimization model, where the weighted distances and security coefficients of data are classified based on the priority threshold of data attribute feature for each node in the network, given that the data modules in the industrial network environment are diverse and easy to diagnose, restore, and rebuild. The proposed algorithm can effectively improve the detection rate and real-time performance of detecting abnormal behavior for the multifeature data in industrial networks. The novel features are twofold, to rapidly select a node with high-security coefficient as the cluster center, and match the multifeature data around the center into a cluster. Experimental results show that the proposed algorithm has good superiority in terms of detection rate and time compared to other algorithms. In the industrial network, the detection accuracy of abnormal data reaches 97.8, and the FP of detection is decreased by 8.8.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial