Muhammad Zawad Mahmud,Shahran Rahman Alve,Samiha Islam,Mohammad Monirujjaman Khan

2024-11-08

Abstract:Software-defined network (SDN) is a new approach that allows network control to become directly programmable, and the underlying infrastructure can be abstracted from applications and network services. Control plane). When it comes to security, the centralization that this demands is ripe for a variety of cyber threats that are not typically seen in other network architectures. The authors in this research developed a novel machine-learning method to capture infections in networks. We applied the classifier to the UNSW-NB 15 intrusion detection benchmark and trained a model with this data. Random Forest and Decision Tree are classifiers used to assess with Gradient Boosting and AdaBoost. Out of these best-performing models was Gradient Boosting with an accuracy, recall, and F1 score of 99.87%,100%, and 99.85%, respectively, which makes it reliable in the detection of intrusions for SDN networks. The second best-performing classifier was also a Random Forest with 99.38% of accuracy, followed by Ada Boost and Decision Tree. The research shows that the reason that Gradient Boosting is so effective in this task is that it combines weak learners and creates a strong ensemble model that can predict if traffic belongs to a normal or malicious one with high accuracy. This paper indicates that the GBDT-IDS model is able to improve network security significantly and has better features in terms of both real-time detection accuracy and low false positive rates. In future work, we will integrate this model into live SDN space to observe its application and scalability. This research serves as an initial base on which one can make further strides forward to enhance security in SDN using ML techniques and have more secure, resilient networks.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

DOI: https://doi.org/10.52866/ijcsm.2022.02.01.008

2022-03-18

Iraqi Journal for Computer Science and Mathematics

Abstract:The need for network intrusion detection systems (NIDS) to protect against different attacks grows as the scale of cyber attacks increases. The main areas of cyber attack research are its detection and prevention. Traditional machine learning (ML) algorithms with low accuracy are used by the current NIDS, but it is not suitable for newer anonymous cyber attacks. In this paper, an NIDS model with ensemble ML methods, which can detect and prevent different types of attacks compared with traditional ML methods, is proposed. Our specific system detects known attacks and blocks unknown attacks. The selected system uses four different machine learning methods, including data processing techniques for data preprocessing and data labeling. The entire NSL-KDD database is used to evaluate the performance of various ML classifiers based on different parameters. The simulation analysis shows that the developed NIDS system is better than the existing single ML methods. The detection accuracy rate of intrusion detection system (IDS) is increased by the model, which is essential for NIDS.

Abdulsalam O. Alzahrani,Mohammed J. F. Alenazi

DOI: https://doi.org/10.1002/cpe.7438

2022-11-13

Concurrency and Computation: Practice and Experience

Abstract:Summary Software‐defined networking (SDN) has been developed to separate network control plane from forwarding plane which can decrease operational costs and the time it takes to deploy new services compared to traditional networks. Despite these advantages, this technology brings threats and vulnerabilities. Consequently, developing high‐performance real‐time intrusion detection systems (IDSs) to classify malicious activities is a vital part of SDN architecture. This article introduces two created datasets generated from SDN using Mininet and Ryu controller with different feature extraction tools that contain normal traffic and different types of attacks (Fin flood, UDP flood, ICMP flood, OS probe scan, port probe scan, TCP bandwidth flood, and TCP syn flood) that is used for training a number of supervised binary classification machine learning algorithms such as k‐nearest neighbor, AdaBoost, decision tree (DT), random forest, naive Bayes, multilayer perceptron, support vector machine, and XGBoost. The DT algorithm has achieved high scores to fit a real‐time application achieving F1 score on attack class of 0.9995, F1 score on normal class of 0.9983, and throughput score of 6,737,147.275 samples per second with a total number of three features. In addition, using data preprocessing to reduce the model complexity, thereby increasing the overall throughput to fit a real‐time system.

Abdussalam Ahmed Alashhab,Mohd Soperi Zahid,Babangida Isyaku,Asma Abbas Elnour,Wamda Nagmeldin,Abdelzahir Abdelmaboud,Talal Ali Ahmed Abdullah,Umar Danjuma Maiwada

DOI: https://doi.org/10.1109/access.2024.3384398

IF: 3.9

2024-05-07

IEEE Access

Abstract:Software Defined Networks (SDN) offer dynamic reconfigurability and scalability, revolutionizing traditional networking. However, countering Distributed Denial of Service (DDoS) attacks remains a formidable challenge for both traditional and SDN-based networks. The integration of Machine Learning (ML) into SDN holds promise for addressing these threats. While recent research demonstrates ML's accuracy in distinguishing legitimate from malicious traffic, it faces difficulties in handling emerging, low-rate, and zero-day DDoS attacks due to limited feature scope for training. The ever-evolving DDoS landscape, driven by new protocols, necessitates continuous ML model retraining. In response to these challenges, we propose an ensemble online machine-learning model designed to enhance DDoS detection and mitigation. This approach utilizes online learning to adapt the model with expected attack patterns. The model is trained and evaluated using SDN simulation (Mininet and Ryu). Its dynamic feature selection capability overcomes conventional limitations, resulting in improved accuracy across diverse DDoS attack types. Experimental results demonstrate a remarkable 99.2% detection rate, outperforming comparable models on our custom dataset as well as various benchmark datasets, including CICDDoS2019, InSDN, and slow-read-DDoS. Moreover, the proposed model undergoes comparison with industry-standard commercial solutions. This work establishes a strong foundation for proactive DDoS threat identification and mitigation in SDN environments, reinforcing network security against evolving cyber risks.

computer science, information systems,telecommunications,engineering, electrical & electronic

Nasrin Sultana,Naveen Chilamkurti,Wei Peng,Rabei Alhadad

DOI: https://doi.org/10.1007/s12083-017-0630-0

2018-01-12

Abstract:Software Defined Networking Technology (SDN) provides a prospect to effectively detect and monitor network security problems ascribing to the emergence of the programmable features. Recently, Machine Learning (ML) approaches have been implemented in the SDN-based Network Intrusion Detection Systems (NIDS) to protect computer networks and to overcome network security issues. A stream of advanced machine learning approaches – the deep learning technology (DL) commences to emerge in the SDN context. In this survey, we reviewed various recent works on machine learning (ML) methods that leverage SDN to implement NIDS. More specifically, we evaluated the techniques of deep learning in developing SDN-based NIDS. In the meantime, in this survey, we covered tools that can be used to develop NIDS models in SDN environment. This survey is concluded with a discussion of ongoing challenges in implementing NIDS using ML/DL and future works.

computer science, information systems,telecommunications

Mahmoud Said ElSayed,Nhien-An Le-Khac,Marwan Ali Albahar,Anca Jurcut

DOI: https://doi.org/10.1016/j.jnca.2021.103160

IF: 7.574

2021-01-01

Journal of Network and Computer Applications

Abstract:Software-defined networking (SDN) is a new networking paradigm that separates the controller from the network devices i.e. routers and switches. The centralized architecture of the SDN facilitates the overall network management and addresses the requirement of current data centers. While there are high benefits offered by the SDN architecture, the risk of new attacks is a critical problem and can prevent the wide adoption of SDNs. The SDN controller is a crucial element, and it is an attractive target for the intruders. In case the attacker successfully accessed the SDN controller, it can route the traffic based on its own requirements, causing severe damage to the entire network. The network intrusion detection systems (NIDSs) are important tools to detect and secure the network environment from malicious activities and anomalous attacks. Deep Learning (DL) has recently shown desirable results in a variety of problems, such as text, speech, and image applications, etc.While several related works deployed DL for NIDSs, most of these approaches ignore the influence of the overfitting problem during the implementation of DL algorithms. As a result, it can impact the robustness of the anomaly detection system and lead to poor model performance for zero-day attacks. In this work, we propose a new hybrid DL approach based on the convolutional neural network (CNN) to classify the flow traffic into normal or attack classes. A new regularizer method, namely SD-Reg, which is based on the standard deviation of the weight matrix, has been used to address the problem of overfitting and to improve the capability of NIDSs in detection of unseen intrusion events. The evaluation results indicate that the SD-Reg outperforms the previous regularizer methods. In addition, the proposed hybrid technique gives a higher performance in all the evaluation metrics compared to the single DL models. Several datasets, including the InSDN – the most recent dataset for SDN – are used to train and evaluate the performance of all techniques. Furthermore, we suggest a lightweight NIDS by training the CNN-based models using a less number of features without causing a significant drop in the model performance.

Zaid Mustafa,Rashid Amin,Hamza Aldabbas,Naeem Ahmed

DOI: https://doi.org/10.1007/s10586-024-04430-6

2024-04-27

Cluster Computing

Abstract:There has been a discernible rise in the growth and progress of the Internet, networking, and mobile communication. The complexity of networking systems has increased due to the advancements in devices, resources, and infrastructure. A novel and developing network technology called software-defined networking (SDN), gets beyond the drawbacks of conventional networks and gives networking systems intelligent control. While SDN is the most adaptable and promising network management control solution, its implementation also introduces a number of new security risks. There is a need to deploy networking systems intelligently to manage, optimize, and organize these complex systems. Machine learning (ML) approaches have been extensively utilized to detect many attacks, and an ML technique may assist the network administrator in taking the necessary precautions to avoid intrusions. In SDN, ML techniques are used to manage the network and make Network Intrusion Detection Systems (NIDS) detect network attacks like Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks. This paper comprehensively surveys ML and Deep Learning (DL) algorithms and techniques used for intrusion detection in SDN. Different studies are categorized accordingly, such as supervised, unsupervised, and deep learning models. Research studies are compared in the form of a table, and learned lessons are also leveraged for each category. Finally, this survey presents the key challenges faced in implementing different intrusion detection techniques in SDN before comprehensively highlighting future research directions.

computer science, information systems, theory & methods

Abdulsalam O. Alzahrani,Mohammed J. F. Alenazi

DOI: https://doi.org/10.3390/fi13050111

2021-04-28

Future Internet

Abstract:Software-defined Networking (SDN) has recently developed and been put forward as a promising and encouraging solution for future internet architecture. Managed, the centralized and controlled network has become more flexible and visible using SDN. On the other hand, these advantages bring us a more vulnerable environment and dangerous threats, causing network breakdowns, systems paralysis, online banking frauds and robberies. These issues have a significantly destructive impact on organizations, companies or even economies. Accuracy, high performance and real-time systems are essential to achieve this goal successfully. Extending intelligent machine learning algorithms in a network intrusion detection system (NIDS) through a software-defined network (SDN) has attracted considerable attention in the last decade. Big data availability, the diversity of data analysis techniques, and the massive improvement in the machine learning algorithms enable the building of an effective, reliable and dependable system for detecting different types of attacks that frequently target networks. This study demonstrates the use of machine learning algorithms for traffic monitoring to detect malicious behavior in the network as part of NIDS in the SDN controller. Different classical and advanced tree-based machine learning techniques, Decision Tree, Random Forest and XGBoost are chosen to demonstrate attack detection. The NSL-KDD dataset is used for training and testing the proposed methods; it is considered a benchmarking dataset for several state-of-the-art approaches in NIDS. Several advanced preprocessing techniques are performed on the dataset in order to extract the best form of the data, which produces outstanding results compared to other systems. Using just five out of 41 features of NSL-KDD, a multi-class classification task is conducted by detecting whether there is an attack and classifying the type of attack (DDoS, PROBE, R2L, and U2R), accomplishing an accuracy of 95.95%.

Uakomba Mbasuva,Guy-Alain Lusilao Zodi

DOI: https://doi.org/10.1109/imcom53663.2022.9721785

2022-01-03

Abstract:Software Defined Networks (SDN) is gaining popularity in academia and the industry. This is due to SDNs ease of programmability, flexibility and centralized management. These networking features allow network administrators and programmers to easily monitor and control the entire network, at a limited cost. However, because of its centralized architecture, the controller becomes a single point of failure. This vulnerability makes it a target to cyber-attacks, but more specifically to Distributed Denial of Service (DDoS) attacks. The DDoS attack may target the SDN network controller in order to disrupt the entire network, causing network resources unavailable to legitimate users. Hence, in this work, we propose an ensemble Deep Learning (DL) Intrusion Detection System (IDS) to detect DDoS attack traffic in SDNs. Our proposed approach build an ensemble of Convolutional Neural Network (CNN), Deep Neural Network (DNN) and Recurrent Neural Network (RNN) model. To train the model, we use feature selection techniques from the literature and utilized the Canadian Institute for Cybersecurity Intrusion Detection System (CIC-IDS2017) as the evaluation dataset. The performance of the proposed model is compared with existing models, and from the results, it is observed that our proposed ensemble deep learning model performs better than ensemble CNN, ensemble RNN and ensemble voting.

Kunal Vermani,Amandeep Noliya,Sunil Kumar,Kamlesh Dutta

DOI: https://doi.org/10.20473/jisebi.9.2.136-146

2023-11-01

Journal of Information Systems Engineering and Business Intelligence

Abstract:Background: The architecture of Software Defined Networking (SDN) integrated with Vehicular Ad-hoc Networks (VANETs) is considered a practical method for handling large-scale, dynamic, heterogeneous vehicular networks, since it offers flexibility, programmability, scalability, and a global understanding. However, the integration with VANETs introduces additional security vulnerabilities due to the deployment of a logically centralized control mechanism. These security attacks are classified as internal and external based on the nature of the attacker. The method adopted in this work facilitated the detection of internal position falsification attacks. Objective: This study aimed to investigate the performance of k-NN, SVM, Naïve Bayes, Logistic Regression, and Random Forest machine learning (ML) algorithms in detecting position falsification attacks using the Vehicular Reference Misbehavior (VeReMi) dataset. It also aimed to conduct a comparative analysis of two ensemble classification models, namely voting and stacking for final decision-making. These ensemble classification methods used the ML algorithms cooperatively to achieve improved classification. Methods: The simulations and evaluations were conducted using the Python programming language. VeReMi dataset was selected since it was an application-specific dataset for VANETs environment. Performance evaluation metrics, such as accuracy, precision, recall, F-measure, and prediction time were also used in the comparative studies. Results: This experimental study showed that Random Forest ML algorithm provided the best performance in detecting attacks among the ML algorithms. Voting and stacking were both used to enhance classification accuracy and reduce time required to identify an attack through predictions generated by k-NN, SVM, Naïve Bayes, Logistic Regression, and Random Forest classifiers. Conclusion: In terms of attack detection accuracy, both methods (voting and stacking) achieved the same level of accuracy as Random Forest. However, the detection of attack using stacking could be achieved in roughly less than half the time required by voting ensemble. Keywords: Machine learning methods, Majority voting ensemble, SDN-based VANETs, Security attacks, Stacking ensemble classifiers, VANETs,

Zhulian Chen,Aiqin Hou,Chase Q. Wu,Xinji Qu,Yukun Wang,Le Ru

DOI: https://doi.org/10.1109/hpcc-dss-smartcity-dependsys60770.2023.00040

2023-01-01

Abstract:Software-Defined Networking (SDN) is a promising technology for the future Internet. However, the SDN paradigm opens the door to new attack vectors that do not exist in traditional networks, such as flow table overflow attacks and flow rule injection attacks, which traditional intrusion detection systems are no longer sufficient to identify. To address this problem, we propose a new method that uses deep learning for attack detection in an SDN environment. In this method, we first utilize fisher score to remove insignificant features, then design a network model combining bi-directional long short-term memory network (BiLSTM) and gated convolutional neural network (GCNN) to capture the spatio-temporal features of network traffic, and finally use a fully connected layer to perform seven classifications of data. We choose focal loss as the loss function due to the imbalance of samples. The proposed model is evaluated based on the InSDN dataset, which is the latest IDS dataset developed specifically for SDN environments, and the CIC-IDS2017 dataset. The results show that the proposed model improves the performance for anomaly detection and achieves an accuracy of 99.80% and 98.85% on the InSDN and CIC-IDS2017 datasets, respectively. This level of detection accuracy provides great confidence in protecting SDN networks from anomalous traffic.

Hsiu-Min Chuang,Li-Jyun Ye

DOI: https://doi.org/10.3390/su15129395

IF: 3.9

2023-06-12

Sustainability

Abstract:In traditional network management, the configuration of routing policies and associated settings on individual routers and switches was performed manually, incurring a considerable cost. By centralizing network management, software-defined networking (SDN) technology has reduced hardware construction costs and increased flexibility. However, this centralized architecture renders information security vulnerable to network attacks, making intrusion detection in the SDN environment crucial. Machine-learning approaches have been widely used for intrusion detection recently. However, critical issues such as unknown attacks, insufficient data, and class imbalance may significantly affect the performance of typical machine learning. We addressed these problems and proposed a transfer-learning method based on the SDN environment. The following experimental results showed that our method outperforms typical machine learning methods. (1) our model achieved a F1-score of 0.71 for anomaly detection for unknown attacks; (2) for small samples, our model achieved a F1-score of 0.98 for anomaly detection and a F1-score of 0.51 for attack types identification; (3) for class imbalance, our model achieved an F1-score of 1.00 for anomaly detection and 0.91 for attack type identification. In addition, our model required 15,230 seconds (4 h 13 m 50 s) for training, ranking second among the six models when considering both performance and efficiency. In future studies, we plan to combine sampling techniques with few-shot learning to improve the performance of minority classes in class imbalance scenarios.

environmental sciences,environmental studies,green & sustainable science & technology

Mahmoud Said Abdallah,Nhien-An-Le-Khac,Hamed Z. Jahromi,Anca Delia Jurcut

DOI: https://doi.org/10.1145/3465481.3469190

2021-01-01

Abstract:Software-Defined Networking (SDN) is a promising technology for the future Internet. However, the SDN paradigm introduces new attack vectors that do not exist in the conventional distributed networks. This paper develops a hybrid Intrusion Detection System (IDS) by combining the Convolutional Neural Network (CNN) and Long Short-Term Memory Network (LSTM). The proposed model is capable of capturing the spatial and temporal features of the network traffic. Two regularization techniques i.e., L2 Regularization () and dropout method are used to overcome with the overfitting problem. The proposed method improves the intrusion detection performance of zero-day attacks. The InSDN dataset — the most recent dataset for SDN networks is used to test and evaluate the performance of the proposed model. The results indicate that integrating the CNN with LSTM improves the intrusion detection performance and achieves an accuracy of 96.32%. The estimated accuracy is higher than the accuracy of each individual model. In addition, it is established that the regularization techniques improves the performance of the CNN algorithms in detecting new intrusions when compared to the standard CNN. The findings of this study facilitates the development of robust IDS systems for SDN environment.

Mahmoud Said Elsayed,Nhien-An Le-Khac,Soumyabrata Dev,Anca Delia Jurcut

DOI: https://doi.org/10.1109/iccsnt47585.2019.8962519

2019-01-01

Abstract:With the advent of Software Defined Networks (SDNs), there has been a rapid advancement in the area of cloud computing. It is now scalable, cheaper, and easier to manage. However, SDNs are more prone to security vulnerabilities as compared to legacy systems. Therefore, machine-learning techniques are now deployed in the SDN infrastructure for the detection of malicious traffic. In this paper, we provide a systematic benchmarking analysis of the existing machine-learning techniques for the detection of malicious traffic in SDNs. We identify the limitations in these classical machine-learning based methods, and lay the foundation for a more robust framework. Our experiments are performed on a publicly available dataset of Intrusion Detection Systems (IDSs).

Saikat Das,Sajal Saha,Annita Tahsin Priyoti,Etee Kawna Roy,Frederick T. Sheldon,Anwar Haque,Sajjan Shiva

DOI: https://doi.org/10.1109/tnsm.2021.3138457

2021-01-01

IEEE Transactions on Network and Service Management

Abstract:Proper security solutions in the cyber world are crucial for enforcing network security by providing real-time network protection against network vulnerabilities and data exploitation. An effective intrusion detection strategy is capable of taking a holistic approach for protecting critical systems against unauthorized access or attack. In this paper, we describe a machine learning (ML) based comprehensive security solution for network intrusion detection using ensemble supervised ML framework and ensemble feature selection methods. In addition, we provide a comparative analysis of several ML models and feature selection methods. The goal of this research is to design a generic detection mechanism and achieve higher accuracy with minimal false positive rates (FPR). NSL-KDD, UNSW-NB15, and CICIDS2017 datasets are used in the experiment, and results show that our detection model can identify 99.3% of intrusions successfully with the lowest 0.5% of false alarms, which depicts better performance metrics compared to existing solutions.

computer science, information systems

G. Logeswari,S. Bose,T. Anitha

DOI: https://doi.org/10.32604/iasc.2023.026769

2023-01-01

Intelligent Automation & Soft Computing

Abstract:Software Defined Networking (SDN) has emerged as a promising and exciting option for the future growth of the internet. SDN has increased the flexibility and transparency of the managed, centralized, and controlled network. On the other hand, these advantages create a more vulnerable environment with substantial risks, culminating in network difficulties, system paralysis, online banking frauds, and robberies. These issues have a significant detrimental impact on organizations, enterprises, and even economies. Accuracy, high performance, and real-time systems are necessary to achieve this goal. Using a SDN to extend intelligent machine learning methodologies in an Intrusion Detection System (IDS) has stimulated the interest of numerous research investigators over the last decade. In this paper, a novel HFS-LGBM IDS is proposed for SDN. First, the Hybrid Feature Selection algorithm consisting of two phases is applied to reduce the data dimension and to obtain an optimal feature subset. In the first phase, the Correlation based Feature Selection (CFS) algorithm is used to obtain the feature subset. The optimal feature set is obtained by applying the Random Forest Recursive Feature Elimination (RF-RFE) in the second phase. A LightGBM algorithm is then used to detect and classify different types of attacks. The experimental results based on NSL-KDD dataset show that the proposed system produces outstanding results compared to the existing methods in terms of accuracy, precision, recall and f-measure.

automation & control systems,computer science, artificial intelligence

Naveed Ahmed,Asri Bin Ngadi,Johan Mohamad Sharif,Saddam Hussain,Mueen Uddin,Muhammad Siraj Rathore,Jawaid Iqbal,Maha Abdelhaq,Raed Alsaqour,Syed Sajid Ullah,Fatima Tul Zuhra

DOI: https://doi.org/10.3390/s22207896

2022-10-17

Abstract:A revolution in network technology has been ushered in by software defined networking (SDN), which makes it possible to control the network from a central location and provides an overview of the network's security. Despite this, SDN has a single point of failure that increases the risk of potential threats. Network intrusion detection systems (NIDS) prevent intrusions into a network and preserve the network's integrity, availability, and confidentiality. Much work has been done on NIDS but there are still improvements needed in reducing false alarms and increasing threat detection accuracy. Recently advanced approaches such as deep learning (DL) and machine learning (ML) have been implemented in SDN-based NIDS to overcome the security issues within a network. In the first part of this survey paper, we offer an introduction to the NIDS theory, as well as recent research that has been conducted on the topic. After that, we conduct a thorough analysis of the most recent ML- and DL-based NIDS approaches to ensure reliable identification of potential security risks. Finally, we focus on the opportunities and difficulties that lie ahead for future research on SDN-based ML and DL for NIDS.

A. E. M. Eljialy,Mohammed Yousuf Uddin,Sultan Ahmad

DOI: https://doi.org/10.26599/tst.2023.9010032

2024-02-13

Tsinghua Science & Technology

Abstract:Intrusion detection systems (IDSs) are deployed to detect anomalies in real time. They classify a network's incoming traffic as benign or anomalous (attack). An efficient and robust IDS in software-defined networks is an inevitable component of network security. The main challenges of such an IDS are achieving zero or extremely low false positive rates and high detection rates. Internet of Things (IoT) networks run by using devices with minimal resources. This situation makes deploying traditional IDSs in IoT networks unfeasible. Machine learning (ML) techniques are extensively applied to build robust IDSs. Many researchers have utilized different ML methods and techniques to address the above challenges. The development of an efficient IDS starts with a good feature selection process to avoid overfitting the ML model. This work proposes a multiple feature selection process followed by classification. In this study, the Software-defined networking (SDN) dataset is used to train and test the proposed model. This model applies multiple feature selection techniques to select high-scoring features from a set of features. Highly relevant features for anomaly detection are selected on the basis of their scores to generate the candidate dataset. Multiple classification algorithms are applied to the candidate dataset to build models. The proposed model exhibits considerable improvement in the detection of attacks with high accuracy and low false positive rates, even with a few features selected.

computer science, information systems,engineering, electrical & electronic, software engineering

Arindam Sarkar,Hanjabam Saratchandra Sharma,Moirangthem Marjit Singh

DOI: https://doi.org/10.1007/s41870-022-01115-4

2022-10-10

International Journal of Information Technology

Abstract:An efficient machine learning (ML) ensemble technique for categorizing Intrusion Detection (ID) is proposed in this study. The tuning of the ML model’s parameters is a critical topic since it can improve detection quality. Another area where quality might be enhanced is pre-processing. Corrections to the training dataset can help with class identification, especially for unusual attacks like R2L (Root to Local attacks), U2R (User to Root attack). When compared to existing methodologies, the proposed methodology has a number of advantages, such as (1) it proposes two methods for classifying intrusions on the two most widely used datasets using ML models. (2) The KDD Cup99 and NSL-KDD datasets are rebalanced through data augmentation. (3) Provides a 3 steps approach for improving detection of intrusion utilizing Multi Layer Perceptron (MLP) in a cascaded structure. (4) To classify each class using a specialized one, a cascaded meta-specialized classifier architecture has been developed. (5) All meta-specialists assess the dataset’s non-flagged connections. With a classification accuracy of 89.32% and an FPR of 1.95%, this approach has been shown to considerably increase detection quality. (6) Finally, to enhance detection capability, the best algorithms’ predictions are integrated by increasing their weights. On the NSL-KDD dataset, this approach has a high accuracy of 87.63% and a low FPR of 1.68%.

Zong-Zhi Lin,Thomas D. Pike,Mark M. Bailey,Nathaniel D. Bastian

DOI: https://doi.org/10.1109/TSMC.2024.3446635

2024-09-06

Abstract:Network intrusion detection systems (NIDS) to detect malicious attacks continue to meet challenges. NIDS are often developed offline while they face auto-generated port scan infiltration attempts, resulting in a significant time lag from adversarial adaption to NIDS response. To address these challenges, we use hypergraphs focused on internet protocol addresses and destination ports to capture evolving patterns of port scan attacks. The derived set of hypergraph-based metrics are then used to train an ensemble machine learning (ML) based NIDS that allows for real-time adaption in monitoring and detecting port scanning activities, other types of attacks, and adversarial intrusions at high accuracy, precision and recall performances. This ML adapting NIDS was developed through the combination of (1) intrusion examples, (2) NIDS update rules, (3) attack threshold choices to trigger NIDS retraining requests, and (4) a production environment with no prior knowledge of the nature of network traffic. 40 scenarios were auto-generated to evaluate the ML ensemble NIDS comprising three tree-based models. The resulting ML Ensemble NIDS was extended and evaluated with the CIC-IDS2017 dataset. Results show that under the model settings of an Update-ALL-NIDS rule (specifically retrain and update all the three models upon the same NIDS retraining request) the proposed ML ensemble NIDS evolved intelligently and produced the best results with nearly 100% detection performance throughout the simulation.

Cryptography and Security,Artificial Intelligence,Systems and Control,Methodology,Machine Learning