Haifeng Lv,Xiaoyu Ji,Yong Ding

DOI: https://doi.org/10.1088/1742-6596/2517/1/012016

2023-01-01

Journal of Physics Conference Series

Abstract:The intrusion detection system (IDS) plays an important part because it offers an efficient way to prevent and mitigate cyber attacks. Numerous deep learning methods for intrusion anomaly detection have been developed as a result of recent advances in artificial intelligence (AI) in order to strengthen internet security. The balance among the high detection rate (DR), the low false alarm rate (FAR) and disaster of dimensionality is the crucial apprehension while devising an effective IDS. For the binary classification of intrusion detection systems, we present in this study a mixed model called K-means-XGBoost consisting of K-means and (Extreme Gradient Boosting, XGBoost) algorithms. The distributed computation of our method is achieved in Spark platform to rapidly separate normal events and anomaly events. In phrases of accuracy, DR, F1-score, recall, precision, and error indices FAR, the proposed model’s performance is measured via the well-known dataset of NSL-KDD. The experimental outcomes indicate that our method is outstandingly better among accuracy, DR, F1-score, training time, and processing speed, compared to other models which are recently created. In particular, the accuracy, F1-score, and DR of the proposed model can achieve as high as 93.28%, 94.39%, and 99.22% in the NSL-KDD dataset, respectively.

Na Xing,Shuai Zhao,Yuehai Wang,Keqing Ning,Xiufeng Liu

DOI: https://doi.org/10.14569/ijacsa.2023.0140743

2023-01-01

Abstract:recent years, deep learning-based network intrusion detection systems (IDS) have shown impressive results in detecting attacks. However, most existing IDS can only recognize known attacks that were included in their training data. When faced with unknown attacks, these systems are often unable to take appropriate actions and incorrectly classify them into known categories, leading to reduced detection performance. Furthermore, as the number and types of network attacks continue to increase, it becomes challenging for these IDS to update their model parameters promptly and adapt to new attack scenarios. To address these issues, this paper introduces a dynamic intrusion detection system, Dynamic Unknown Attack Intrusion Detection System (DUA-IDS). This system aims to learn and detect unknown attacks effectively. DUA-IDS comprises three components: Feature Extractor: This component employs CNN and Transformer models to extract data features from various perspectives. Threshold-Based Classifier: The second part utilizes the nearest mean rule of samples to classify known and unknown attacks, enabling the distinction between them. Dynamic Learning Module: The third part incorporates data playback and knowledge distillation techniques to retain existing category knowledge while continuously learning new attack categories. To assess the effectiveness of DUA-IDS, this paper conducted experiments using the UNSW-NB15 public dataset. The experimental results show that DUA-IDS improves the classification accuracy of flow network data with unknown traffic attacks. Can accurately distinguish unknown traffic and correctly classify known traffic. When dynamically learning unknown traffic, the classification accuracy of previously learned known traffic is less affected. This indicates the advantages of DUA-IDS in detecting unknown attacks and learning new attack categories.

Zhiyin Qiu,Ding Zhou,Yahui Zhai,Bo Liu,Lei He,Jiuxin Cao

2024-03-07

Abstract:Promptly discovering unknown network attacks is critical for reducing the risk of major loss imposed on system or equipment. This paper aims to develop an open-set intrusion detection model to classify known attacks as well as inferring unknown ones. To achieve this, we employ OpenMax and variational autoencoder to propose a dual detection model, VAEMax. First, we extract flow payload feature based on one-dimensional convolutional neural network. Then, the OpenMax is used to classify flows, during which some unknown attacks can be detected, while the rest are misclassified into a certain class of known flows. Finally, use VAE to perform secondary detection on each class of flows, and determine whether the flow is an unknown attack based on the reconstruction loss. Experiments performed on dataset CIC-IDS2017 and CSE-CIC-IDS2018 show our approach is better than baseline models and can be effectively applied to realistic network environments.

Cryptography and Security

Lu Lv,Wenhai Wang,Zeyin Zhang,Xinggao Liu

DOI: https://doi.org/10.1016/j.knosys.2020.105648

IF: 8.139

2020-01-01

Knowledge-Based Systems

Abstract:Intrusion detection is a challenging technology in the area of cyberspace security for protecting a system from malicious attacks. A novel accurate and effective misuse intrusion detection system that relies on specific attack signatures to distinguish between normal and malicious activities is therefore presented to detect various attacks based on an extreme learning machine with a hybrid kernel function (HKELM). First, the derivation and proof of the proposed hybrid kernel are given. A combination of the gravitational search algorithm (GSA) and differential evolution (DE) algorithm is employed to optimize the parameters of HKELM, which improves its global and local optimization abilities during prediction attacks. In addition, the kernel principal component analysis (KPCA) algorithm is introduced for dimensionality reduction and feature extraction of the intrusion detection data. Then, a novel intrusion detection approach, KPCA-DEGSA-HKELM, is obtained. The proposed approach is eventually applied to the classic benchmark KDD99 dataset, the real modern UNSW-NB15 dataset and the industrial intrusion detection dataset from the Tennessee Eastman process. The numerical results validate both the high accuracy and the time-saving benefit of the proposed approach.

Ziming Zhao,Zhaoxuan Li,Xiaofei Xie,Jiongchi Yu,Fan Zhang,Rui Zhang,Binbin Chen,Xiangyang Luo,Ming Hu,Wenrui Ma

DOI: https://doi.org/10.1109/tnet.2024.3413789

2024-01-01

Abstract:Anomaly-based network intrusion detection systems (NIDSs) are essential for ensuring cybersecurity. However, the security communities realize some limitations when they put most existing proposals into practice. The challenges are mainly concerned with fine-grained unknown attack detection and ever-changing legitimate traffic adaptation. To tackle these problem, we present three key design norms. The core idea is to construct a model to split the data distribution hyperplane and leverage the concept of isolation, as well as advance the incremental model update. We utilize the isolation tree as the backbone to design our model, named, to echo back three norms. By analyzing the popular dataset of network intrusion traces, we show that significantly outperforms the state-of-the-art methods. Further, we perform an initial deployment of by working with the Internet Service Provider (ISP) to detect distributed denial of service (DDoS) attacks. With real-world tests and manual analysis, we demonstrate the effectiveness of to identify previously-unseen attacks in a fine-grained manner.

Jian Yang,Xiang Chen,Shuangwu Chen,Xiaofeng Jiang,Xiaobin Tan

DOI: https://doi.org/10.1109/tifs.2021.3083422

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Promptly discovering unknown network attacks is critical for reducing the risk of major loss imposed on organizations and information infrastructure. This paper aims at developing an intelligent intrusion detection system capable of classifying known attacks as well as inferring unknown ones. To achieve this, we formulate the problem of fine-grained known/unknown intrusion detection as a two-stage minimization problem, where the first stage is to seek a score measure for minimizing the empirical risk of misclassifying the known attacks, while the second stage is to find another score measure for minimizing the identification risk of inferring unknown attacks. The hierarchical nature of problem formulation allows us to employ the class conditioned auto-encoders to construct a hierarchical intrusion detection framework. Since the reconstruction errors of unknown attacks are generally higher than that of the known attacks, we further employ extreme value theory in the second stage to model the distribution of reconstruction errors for differentiating known/unknown attack. To further reduce the false positive rate, we add a benign clustering module for learning the multimodal distribution of benign traffic. We conduct an experiment on two widely used datasets for assessing intrusion detection. The results show that the proposed method improves the detection rate of unknown attacks while keeping a low false positive rate.

computer science, theory & methods,engineering, electrical & electronic

Sheikh Abdul Hameed Ayubkhan,Wun-She Yap,Ezra Morris,Mumtaj Begam Kasim Rawthar

DOI: https://doi.org/10.1007/s12652-022-04449-w

IF: 3.662

2022-11-08

Journal of Ambient Intelligence and Humanized Computing

Abstract:Autoencoder and conventional machine learning classifiers are widely used to design an intrusion detection system (IDS). However, noise and corruption in the high-dimensional network traffic samples will still affect the stability and performance of an autoencoder and other conventional machine learning based IDS models. The distortions in the input datasets cause deviations in the learnt patterns and always resulted in a low detection rate. Besides, the IDS classifiers use every single feature to train the samples, which makes the model consumes longer training time, computational resources and memory usage. The main aim of this proposal is to remove the distortions from the network traffic and train the IDS model in a faster manner to detect any category of intruders in the network traffic by achieving a higher detection rate in a short training time. To achieve this, we propose an intrusion detection system that combines a denoising autoencoder and LightGBM classifier. The denoising autoencoder removes the noise and corruptions in the network traffic, thereby possibly avoiding the deviations which can enhance the features learning capacity required for classification. Subsequently, to classify the samples, the LightGBM classifier is used. The classifier uses the feature histogram bins with larger gradients, thus avoiding using each feature at every iteration to accelerate the training speed and boost the predictive capacity of the model. The proposed model shows better detection performance improvement over nine benchmark datasets including CIDDS-001, CIDDS-002, ISCX-URL2016, UNSW-NB15, CIC-IDS-2017, ISCX-Tor2016, BoT-IoT, IoTID20 and Kyoto 2006+ for both binary classification and multi-classification tasks as compared to other existing IDS. The model achieves the maximum detection rate of over 99.60% for CIDDS-001, 99.90% for CIDDS-002, 97.00% for ISCX-Tor2016, 96.11% for UNSW-NB15, 99.86% for CIC-IDS17, 97.76% for ISCX-URL16, 99.91% for BoT-IoT, 97.43% for both IoTID2020 and Kyoto 2006+ datasets respectively, while the training time ranges from 1.10 to 21.78 s only. More importantly, the proposed model has higher learning and predictivity capacity which boosts the generalization capacity. The model also shows good performance in detecting all classes including the minority classes for all aforementioned datasets without any oversampling techniques. The efficiency of the model emphasizes that it can be deployed as a real-time model in any industrial network traffic that includes IoT based smart environment and fog-cloud computing network.

computer science, information systems,telecommunications, artificial intelligence

Adel Binbusayyis,Thavavel Vaiyapuri

DOI: https://doi.org/10.1007/s10489-021-02205-9

IF: 5.3

2021-02-24

Applied Intelligence

Abstract:With the rapid advancement in network technologies, the need for cybersecurity has gained increasing momentum in recent years. As a primary defense mechanism, an intrusion detection system (IDS) is expected to adapt and secure the computing infrastructures from the ever-changing sophisticated threat landscape. Many deep learning approaches have recently been proposed; however, these techniques face significant challenges in identifying all types of attacks, especially rare attacks due to network traffic imbalances and the lack of a sufficient number of abnormal traffic samples for model training. To overcome these shortcomings and improve detection performance, this paper presents an unsupervised deep learning approach for intrusion detection. Unlike the existing IDS model that extracts features and trains a classifier in two separate stages, a single-stage IDS approach that integrates a one-dimensional convolutional autoencoder (1D CAE) and a one-class support vector machine (OCSVM) as a classifier into a joint optimization framework is introduced in this paper for the first time. Using only the normal traffic samples, the approach simultaneously optimizes the 1D CAE for compact feature representation and the OCSVM for classification by defining a unified objective function combining reconstruction error with classification error. Thus, the generated compact feature representation has not only reconstruction ability but also discriminative ability for classification. An in-depth ablation analysis validates the design decisions and provides further insight of the proposed approach. An extensive set of experiments on two benchmark intrusion datasets, NSL-KDD and UNSW-NB15, demonstrates the generalization ability of the proposed model for unseen attacks and confirms it as a competitive approach over the recent state-of-the-art intrusion detection baselines. Overall, the obtained results emphasize that the proposed approach has potential to serve as a baseline for building an effective IDS.

computer science, artificial intelligence

Jie Wang,Pengfei Li,Weiqiang Kong,Ran An

DOI: https://doi.org/10.3390/math10162872

IF: 2.4

2022-08-12

Mathematics

Abstract:With the rapid development of network technologies, the network security of industrial control systems has aroused widespread concern. As a defense mechanism, an ideal intrusion detection system (IDS) can effectively detect abnormal behaviors in a system without affecting the performance of the industrial control system (ICS). Many deep learning methods are used to build an IDS, which rely on massive numbers of variously labeled samples for model training. However, network traffic is imbalanced, and it is difficult for researchers to obtain sufficient attack samples. In addition, the attack variants are rich, and constructing all possible attack types in advance is impossible. In order to overcome these challenges and improve the performance of an IDS, this paper presents a novel intrusion detection approach which integrates a one-dimensional convolutional autoencoder (1DCAE) and support vector data description (SVDD) for the first time. For the two-stage training process, 1DCAE fails to retain the key features of intrusion detection and SVDD has to add restrictions, so a joint optimization solution is introduced. A three-stage optimization process is proposed to obtain better performance. Experiments on the benchmark intrusion detection dataset NSL-KDD show that the proposed method can effectively detect various unknown attacks, learning with only normal traffic. Compared with the recent state-of-art intrusion detection baselines, the proposed method is improved in most metrics.

mathematics

Congyuan Xu,Jizhong Shen,Xin Du,Fan Zhang

DOI: https://doi.org/10.1109/access.2018.2867564

IF: 3.9

2018-01-01

IEEE Access

Abstract:To improve the performance of network intrusion detection systems (IDS), we applied deep learning theory to intrusion detection and developed a deep network model with automatic feature extraction. In this paper, we consider the characteristics of the time-related intrusion and propose a novel IDS that consists of a recurrent neural network with gated recurrent units (GRU), multilayer perceptron (MLP), and softmax module. Experiments on the well-known KDD 99 and NSL-KDD data sets show that the system has leading performance. The overall detection rate was 99.42% using KDD 99 and 99.31% using NSL-KDD with false positive rates as low as 0.05% and 0.84%, respectively. In particular, for detecting the denial of service attacks, the system achieved detection rates of 99.98% and 99.55%, respectively. Comparative experiments showed that the GRU is more suitable as a memory unit for IDS than LSTM, and proved that it is an effective simplification and improvement of LSTM. Moreover, the bidirectional GRU can reach the best performance compared with the recently published methods.

Li,Fei,Xie,Li,Jiang,Wang,Qi

DOI: https://doi.org/10.3390/electronics12020323

IF: 2.9

2023-01-09

Electronics

Abstract:Existing machine learning-based malware traffic recognition techniques can effectively detect abnormal behaviors in the network. However, almost all of them focus on a closed-set scenario in which the data used for training and testing come from the same label space. Since sophisticated malware and advanced persistent threats are evolving, it is impossible to exhaust all attacks to train a complete recognition model under the existing technical conditions. Therefore, recognition in the real network is an open-set problem, i.e., the recognition system should identify unknown and unseen attacks at test time. In this paper, we propose an uncertainty-aware method to identify known malicious traffic accurately and handle unknown traffic effectively. This method employs predictive uncertainty in deep learning as an indicator for unknown class detection. The predictive uncertainty represents the confidence in neural network predictions. In particular, the Deep Evidence Malware Traffic Recognition (DEMTR) model is presented to provide the multi-classification probability and predictive uncertainty in open-set scenarios using evidential deep learning. We demonstrate the performance of DEMTR on the MCFP dataset. Experimental results indicate that the proposed model outperforms the baseline methods in accuracy and F1-score.

engineering, electrical & electronic,computer science, information systems,physics, applied

Chao Wang,Yunxiao Sun,Sicai Lv,Chonghua Wang,Hongri Liu,Bailing Wang

DOI: https://doi.org/10.3390/electronics12040930

IF: 2.9

2023-02-13

Electronics

Abstract:Intrusion detection systems (IDSs) play a significant role in the field of network security, dealing with the ever-increasing number of network threats. Machine learning-based IDSs have attracted a lot of interest owing to their powerful data-driven learning capabilities. However, it is challenging to train the supervised learning algorithms when there are no attack data at hand. Semi-supervised anomaly detection algorithms, which train the model with only normal data, are more suitable. In this study, we propose a novel semi-supervised anomaly detection-based IDS that leverages the capabilities of representation learning and two anomaly detectors. In detail, the autoencoder (AE) is applied to extract representative features of normal data in the first step, and then two semi-supervised detectors, the one-class support vector machine (OCSVM) and Gaussian mixture model (GMM), are trained on the derived features. The two detectors collaborate to detect anomalous samples. The OCSVM predicts the abnormal samples initially, and after that, the GMM is applied to recheck the misclassified samples further. The experiments demonstrate that the AE improves the detection rate, and two detectors are more promising than a single one.

engineering, electrical & electronic,computer science, information systems,physics, applied

Guolou Ping

DOI: https://doi.org/10.1109/smc53992.2023.10393991

2023-01-01

Abstract:Open-set recognition has gained significant attention in intrusion detection due to its ability to classify known attacks and identify novel attacks. However, current approaches based solely on discriminative features may fail to identify new data with non-discriminative feature differences and are prone to adversarial attacks. To overcome these limitations, this paper proposes an open-set intrusion detection framework that incorporates a cluster anomaly detection plugin to identify non-discriminative unknown classes by introducing primitive features and detecting adversarial examples through cluster design. Specifically, 1) we use the anomaly detection plugin trained with primitive features from the raw data to discover unseen data. Samples rejected by either deep discriminative classifiers or detection plugins are considered unknown. 2) We design the plugin as a cluster of one-class anomaly detectors. This approach effectively isolates adversarial examples carefully crafted to deceive the deep classifier. 3) We provide theoretical evidence of the proposed framework's ability to detect non-discriminative unknown classes and adversarial examples. Extensive experiments demonstrate the effectiveness of our approach when applied to open-set intrusion detection.

Haiyan Xuan,Mohith Manohar

2023-12-04

Abstract:As Artificial Intelligence (AI) technologies continue to gain traction in the modern-day world, they ultimately pose an immediate threat to current cybersecurity systems via exploitative methods. Prompt engineering is a relatively new field that explores various prompt designs that can hijack large language models (LLMs). If used by an unethical attacker, it can enable an AI system to offer malicious insights and code to them. In this paper, an enhanced intrusion detection system (IDS) that utilizes machine learning (ML) and hyperparameter tuning is explored, which can improve a model's performance in terms of accuracy and efficacy. Ultimately, this improved system can be used to combat the attacks made by unethical hackers. A standard IDS is solely configured with pre-configured rules and patterns; however, with the utilization of machine learning, implicit and different patterns can be generated through the models' hyperparameter settings and parameters. In addition, the IDS will be equipped with multiple datasets so that the accuracy of the models improves. We evaluate the performance of multiple ML models and their respective hyperparameter settings through various metrics to compare their results to other models and past research work. The results of the proposed multi-dataset integration method yielded an accuracy score of 99.9% when equipped with the XGBoost and random forest classifiers and RandomizedSearchCV hyperparameter technique.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Jianlei Gao,Senchun Chai,Baihai Zhang,Yuanqing Xia

DOI: https://doi.org/10.3390/en12071223

IF: 3.2

2019-03-29

Energies

Abstract:Recently, network attacks launched by malicious attackers have seriously affected modern life and enterprise production, and these network attack samples have the characteristic of type imbalance, which undoubtedly increases the difficulty of intrusion detection. In response to this problem, it would naturally be very meaningful to design an intrusion detection system (IDS) to effectively and quickly identify and detect malicious behaviors. In our work, we have proposed a method for an IDS-combined incremental extreme learning machine (I-ELM) with an adaptive principal component (A-PCA). In this method, the relevant features of network traffic are adaptively selected, where the best detection accuracy can then be obtained by I-ELM. We have used the NSL-KDD standard dataset and UNSW-NB15 standard dataset to evaluate the performance of our proposed method. Through analysis of the experimental results, we can see that our proposed method has better computation capacity, stronger generalization ability, and higher accuracy.

energy & fuels

Omar Al-Harbi,Ahmed Hamed

DOI: https://doi.org/10.1504/ijsnet.2024.138918

2024-06-04

International Journal of Sensor Networks

Abstract:In cybersecurity, intrusion detection systems (IDSs) play a crucial role in identifying potential vulnerability exploits, thus reinforcing the network's defense infrastructure. Integrating machine learning models into IDS development has improved detection of complex and evolving intrusion patterns. However, imbalanced training data hampers model effectiveness, leading to classification inaccuracies and false alarms. This study proposes an IDS model using a dual-stage deep learning approach to address class imbalance. Initially, a sparse autoencoder (SAE) detects anomalies and extracts features. The subsequent stage employs a layered deep learning model combining convolutional neural network (CNN) and bidirectional long short-term memory (Bi-LSTM) architectures for multiclass classification. The model uses a cross-entropy loss function with proportional class weights. Evaluation on the NSL-KDD dataset demonstrates significant enhancements in overall accuracy, recall rate, and false positive rate, particularly for minority classes, showcasing its competitiveness against baseline models and other approaches.

computer science, information systems,telecommunications

Xiangtong Du,Yongzhong Li,Zunlei Feng

DOI: https://doi.org/10.1007/978-3-030-68851-6_13

2020-01-01

Abstract:In network intrusion detection, the recognition and detection rate of intrusion detection may be reduced due to the lack of sample attributes or insufficient labels. In order to overcome this problem, this paper proposes a semi-supervised intrusion detection algorithm based on auto-encoder. The auto-encoder is adopted to extract features from all samples. For the labeled samples, cross-entropy is adopted for classification. For the unlabeled samples, first, initialize K (number of categories) category centers in the feature space based on the characteristics of partially labeled samples. Constrain the representation of unlabeled samples at the center of a certain category, and then place the restricted representation into the classifier for classification. By combining data from labeled samples and unlabeled samples, and simultaneously updating network parameters and category centers, semi-supervised intrusion detection is achieved. The proposed algorithm is verified on NSL-KDD and KDD CUP99 datasets. Experimental results show that the method can not only effectively reduce the dependence on labeled samples, but also improve the accuracy of intrusion detection to a certain extent.

Wenbin Yao,Longcan Hu,Yingying Hou,Xiaoyong Li

DOI: https://doi.org/10.3390/s23084141

IF: 3.9

2023-04-21

Sensors

Abstract:Network intrusion detection technology is key to cybersecurity regarding the Internet of Things (IoT). The traditional intrusion detection system targeting Binary or Multi-Classification can detect known attacks, but it is difficult to resist unknown attacks (such as zero-day attacks). Unknown attacks require security experts to confirm and retrain the model, but new models do not keep up to date. This paper proposes a Lightweight Intelligent NIDS using a One-Class Bidirectional GRU Autoencoder and Ensemble Learning. It can not only accurately identify normal and abnormal data, but also identify unknown attacks as the type most similar to known attacks. First, a One-Class Classification model based on a Bidirectional GRU Autoencoder is introduced. This model is trained with normal data, and has high prediction accuracy in the case of abnormal data and unknown attack data. Second, a multi-classification recognition method based on ensemble learning is proposed. It uses Soft Voting to evaluate the results of various base classifiers, and identify unknown attacks (novelty data) as the type most similar to known attacks, so that exception classification becomes more accurate. Experiments are conducted on WSN-DS, UNSW-NB15, and KDD CUP99 datasets, and the recognition rates of the proposed models in the three datasets are raised to 97.91%, 98.92%, and 98.23% respectively. The results verify the feasibility, efficiency, and portability of the algorithm proposed in the paper.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Zachary Tauscher,Yushan Jiang,Kai Zhang,Jian Wang,Houbing Song

DOI: https://doi.org/10.48550/arXiv.2108.08394

2021-08-19

Abstract:With massive data being generated daily and the ever-increasing interconnectivity of the world's Internet infrastructures, a machine learning based intrusion detection system (IDS) has become a vital component to protect our economic and national security. In this paper, we perform a comprehensive study on NSL-KDD, a network traffic dataset, by visualizing patterns and employing different learning-based models to detect cyber attacks. Unlike previous shallow learning and deep learning models that use the single learning model approach for intrusion detection, we adopt a hierarchy strategy, in which the intrusion and normal behavior are classified firstly, and then the specific types of attacks are classified. We demonstrate the advantage of the unsupervised representation learning model in binary intrusion detection tasks. Besides, we alleviate the data imbalance problem with SVM-SMOTE oversampling technique in 4-class classification and further demonstrate the effectiveness and the drawback of the oversampling mechanism with a deep neural network as a base model.

Cryptography and Security,Machine Learning