Chiming Xi,Hui Wang,Xubin Wang

DOI: https://doi.org/10.1038/s41598-024-74214-w

IF: 4.6

2024-10-07

Scientific Reports

Abstract:Network is an essential tool today, and the Intrusion Detection System (IDS) can ensure the safe operation. However, with the explosive growth of data, current methods are increasingly struggling as they often detect based on a single scale, leading to the oversight of potential features in the extensive traffic data, which may result in degraded performance. In this work, we propose a novel detection model utilizing multi-scale transformer namely IDS-MTran. In essence, the collaboration of multi-scale traffic features broads the pattern coverage of intrusion detection. Firstly, we employ convolution operators with various kernels to generate multi-scale features. Secondly, to enhance the representation of features and the interaction between branches, we propose Patching with Pooling (PwP) to serve as a bridge. Next, we design multi-scale transformer-based backbone to model the features at diverse scales, extracting potential intrusion trails. Finally, to fully capitalize these multi-scale branches, we propose the Cross Feature Enrichment (CFE) to integrate and enrich features, and then output the results. Sufficient experiments show that compared with other models, the proposed method can distinguish different attack types more effectively. Specifically, the accuracy on three common datasets NSL-KDD, CIC-DDoS 2019 and UNSW-NB15 has all exceeded 99%, which is more accurate and stable.

multidisciplinary sciences

Wei Zhang,Yueqin Li,Xiaofeng Li,Minggang Shao,Yajie Mi,Hongli Zhang,Guoqing Zhi

DOI: https://doi.org/10.1155/2022/4836289

IF: 1.968

2022-03-24

Security and Communication Networks

Abstract:Among the network security problems, SQL injection is a common and challenging network attack means, which can cause inestimable loop-breaking and loss to the database, and how to detect SQL injection statements is one of the current research hotspots. Based on the data characteristics of SQL statements, a deep neural network-based SQL injection detection model and algorithm are built. The core method is to convert the data into word vector form by word pause method, then form a sparse matrix and pass it into the model for training, build a multihidden layer deep neural network model containing ReLU function, optimize the traditional loss function, and introduce Dropout method to improve the generalization ability of this model. The accuracy of the final model is maintained at over 96%. By comparing the experimental results with traditional machine learning algorithms and LSTM algorithms, the proposed algorithm effectively solves the problems of overfitting in machine learning and the need for manual screening to extract features, which greatly improves the accuracy of SQL injection detection.

computer science, information systems,telecommunications

Kasim Tasdemir,Rafiullah Khan,Fahad Siddiqui,Sakir Sezer,Fatih Kurugollu,Sena Busra Yengec-Tasdemir,Alperen Bolat

2023-12-20

Abstract:Detecting SQL Injection (SQLi) attacks is crucial for web-based data center security, but it is challenging to balance accuracy and computational efficiency, especially in high-speed networks. Traditional methods struggle with this balance, while NLP-based approaches, although accurate, are computationally intensive. We introduce a novel cascade SQLi detection method, blending classical and transformer-based NLP models, achieving a 99.86% detection accuracy with significantly lower computational demands-20 times faster than using transformer-based models alone. Our approach is tested in a realistic setting and compared with 35 other methods, including Machine Learning-based and transformer models like BERT, on a dataset of over 30,000 SQL sentences. Our results show that this hybrid method effectively detects SQLi in high-traffic environments, offering efficient and accurate protection against SQLi vulnerabilities with computational efficiency. The code is available at <a class="link-external link-https" href="https://github.com/gdrlab/cascaded-sqli-detection" rel="external noopener nofollow">this https URL</a> .

Cryptography and Security

Yixian Liu,Yupeng Dai

DOI: https://doi.org/10.1049/2024/5565950

2024-04-05

IET Information Security

Abstract:In the past decade, cybersecurity has become increasingly significant, driven largely by the increase in cybersecurity threats. Among these threats, SQL injection attacks stand out as a particularly common method of cyber attack. Traditional methods for detecting these attacks mainly rely on manually defined features, making these detection outcomes highly dependent on the precision of feature extraction. Unfortunately, these approaches struggle to adapt to the increasingly sophisticated nature of these attack techniques, thereby necessitating the development of more robust detection strategies. This paper presents a novel deep learning framework that integrates Bidirectional Encoder Representations from Transformers (BERT) and Long Short-Term Memory (LSTM) networks, enhancing the detection of SQL injection attacks. Leveraging the advanced contextual encoding capabilities of BERT and the sequential data processing ability of LSTM networks, the proposed model dynamically extracts word and sentence-level features, subsequently generating embedding vectors that effectively identify malicious SQL query patterns. Experimental results indicate that our method achieves accuracy, precision, recall, and F1 scores of 0.973, 0.963, 0.962, and 0.958, respectively, while ensuring high computational efficiency.

computer science, information systems, theory & methods

Ding Chen,Qiseng Yan,Chunwang Wu,Jun Zhao

DOI: https://doi.org/10.1088/1742-6596/1757/1/012055

2021-01-01

Journal of Physics: Conference Series

Abstract:Abstract Web application brings us convenience but also has some potential security problems. SQL injection attacks topped the list of Top 10 Network Security Problems released by OWASP, and the detection technology of SQL injection attacks has been one of the hotspots of network security research. In this paper, we propose a SQL injection detection method that does not rely on background rule base by using a natural language processing model and deep learning framework on the basis of comprehensive domestic and international research. The method can improve the accuracy and reduce the false alarm rate while allowing the machine to automatically learn the language model features of SQL injection attacks, greatly reducing human intervention and providing some defense against 0day attacks that never occur.

Chunlai Du,Yanhui Guo,Yuhang Zhang

DOI: https://doi.org/10.3390/electronics13142685

IF: 2.9

2024-07-10

Electronics

Abstract:With the rapid expansion and ubiquitous presence of the Internet of Things (IoT), the proliferation of IoT devices has reached unprecedented levels, heightening concerns about IoT security. Intrusion detection based on deep learning has become a crucial approach for safeguarding IoT ecosystems. However, challenges remain in IoT intrusion detection research, including inadequate feature representation at the classifier level and poor correlation among extracted traffic features, leading to diminished classification accuracy. To address these issues, we propose a novel transformer-based IoT intrusion detection model, MBConv-ViT (MobileNet Convolution and Vision Transformer), which enhances the correlation of extracted features by fusing local and global features. By leveraging the high correlation of traffic flow, our model can identify subtle differences in IoT traffic flow, thereby achieving precise classification of attack traffic. Experiments based on the open datasets TON-IoT and Bot-IoT demonstrate that the accuracy of the MBConv-ViT model, respectively, 97.14% and 99.99%, is more effective than several existing typical models.

engineering, electrical & electronic,computer science, information systems,physics, applied

Qi Zhou,Zhoupu Wang

DOI: https://doi.org/10.4018/ijswis.334845

2023-12-15

International Journal on Semantic Web and Information Systems

Abstract:A network intrusion detection method for information systems using federated learning and improved transformer is proposed to address the problems of long detection time and low security and accuracy when analyzing massive data in most existing intrusion detection methods. Firstly, a network intrusion detection system is constructed based on a federated learning framework, and the transformer model is used as its universal detection model. Then, the dataset is divided and an improved generative adversarial network is used for data augmentation to generate a new sample set to overcome the influence of minority class samples. At the same time, the new samples are input into the transformer local model for network attack type detection and analysis. Finally, the authors aggregate the detection results of each local model and input them into the Softmax classifier to obtain the final classification prediction results.

computer science, information systems, artificial intelligence

Alex Zhu,Wei Qi Yan

DOI: https://doi.org/10.4018/ijdcf.2017100106

2017-01-01

International Journal of Digital Crime and Forensics

Abstract:SQLIA is adopted to attack websites with and without confidential information. Hackers utilized the compromised website as intermediate proxy to attack others for avoiding being committed of cyber-criminal and also enlarging the scale of Distributed Denial of Service Attack DDoS. The DDoS is that hackers maliciously turn down a website and make network resources unavailable to web users. It is extremely difficult to effectively detect and prevent SQLIA because hackers adopt various evading SQLIA Intrusion Detection System techniques. Victims may not be even aware of that their confidential data has been compromised for a long time. In this paper, our contribution is that we evaluate several most popular open source SQLIA tools and SQLIA prevention tools with both qualitative and quantitative assessments.

Zelin Xiang,Xuwei Li

DOI: https://doi.org/10.1186/s13638-023-02279-8

2023-07-27

EURASIP Journal on Wireless Communications and Networking

Abstract:Network intrusion detection system (NIDS) can effectively sense network attacks, which is of great significance for maintaining the security of cyberspace. To meet the requirements of efficient and accurate network status monitoring, a NIDS model using Transformer-based fusion deep learning architecture is proposed. Firstly, GAN-Cross is used to expand minority class sample data, thereby alleviating the issues of imbalanced minority class about the original dataset. Then, the Transformer module is used to adjust the ML-CNN-BiLSTM model to enhance the feature encoding ability of the intrusion model. Finally, the data enhancement model and feature enhancement model are integrated into the NIDS model, the detection model is optimized, the features of network state data are extracted at a deeper level, and the generalization ability of the detection model is enhanced. Some simulation experiments using UNSW-NB15 datasets show that the proposed fusion architecture can achieve efficient analysis of complex network traffic datasets, with an accuracy of 0.903, effectively improving the detection accuracy of NIDS and its ability to detect unknown attacks. The proposed model has good application value in ensuring the stable operation of network systems.

telecommunications,engineering, electrical & electronic

Congqi Shen,Geyang Xiao,Shaofeng Yao,Boyang Zhou,Zhongxia Pan,Hong Zhang

DOI: https://doi.org/10.1109/spac53836.2021.9539933

2021-01-01

Abstract:Current Industrial Internet faces serious threats where attackers propagate malicious flows, resulting in communication failures in the Industrial Internet. In this work, we propose a practical and novel method to detect malicious traffic attack in real time with high accuracy. Our primary idea is to capture network flow, extract adequate network flow features, construct a long short-term memory (LSTM) based deep learning model, and identify the property of the corresponding network flow. Whether the network suffers attack or not is then determined according to the detection results. The corresponding prototype is also implemented in the Industrial Internet which is equipped with Software Defined Networking (SDN). Experimental results validate that the proposed method is effective in defending against malicious traffic attack in real-world network.

Svitlana Gavrylenko,Vadym Poltoratskyi,Alina Nechyporenko

DOI: https://doi.org/10.20998/2522-9052.2024.1.12

2024-02-26

Advanced Information Systems

Abstract:The object of the study is the process of identifying the state of a computer network. The subject of the study are the methods of identifying the state of computer networks. The purpose of the paper is to improve the efficacy of intrusion detection in computer networks by developing a method based on transformer models. The results obtained. The work analyzes traditional machine learning algorithms, deep learning methods and considers the advantages of using transformer models. A method for detecting intrusions in computer networks is proposed. This method differs from known approaches by utilizing the Vision Transformer for Small-size Datasets (ViTSD) deep learning algorithm. The method incorporates procedures to reduce the correlation of input data and transform data into a specific format required for model operations. The developed methods are implemented using Python and the GOOGLE COLAB cloud service with Jupyter Notebook. Conclusions. Experiments confirmed the efficiency of the proposed method. The use of the developed method based on the ViTSD algorithm and the data preprocessing procedure increases the model's accuracy to 98.7%. This makes it possible to recommend it for practical use, in order to improve the accuracy of identifying the state of a computer system.

Shiyu Wang,Wenxiang Xu,Yiwen Liu

DOI: https://doi.org/10.1016/j.comnet.2023.109982

IF: 5.493

2023-08-14

Computer Networks

Abstract:The Internet of Things (IoT), as the information carrier of the Internet and telecommunications networks, is a new network technology comprising physical entities embedded with electronic components, software and sensors, and characterized by strong complexity and openness. With the massive amount of data, the occurrence of network intrusion is also increasingly frequent, involving industrial control systems, IoT devices, mobile security, cloud services, and telecommunications services. With the diversification and intelligence of cyberattack behaviors, traditional intrusion detection systems (IDSs) face problems—such as insufficient feature extraction and inaccurate model classification—when faced with high-dimensional features and nonlinear massive data. Due to their powerful data representation learning ability, deep learning methods save substantial time in processing high-dimensional and complex intrusion data. On this basis, we propose an intrusion detection model using ResNet, Transformer and BiLSTM (Res-TranBiLSTM) that takes into account both the spatial and temporal features of network traffic. We use the Synthetic Minor Overriding Technique (SMOTE) – Edited Nearest Neighbor (ENN) method to alleviate the degree of data imbalance. In addition, we respectively establish a spatial feature extraction model based on ResNet and a temporal feature extraction model based on Transformer and BiLSTM to extract spatial features and temporal features parallelly. Finally, spatiotemporal features are included to achieve attack detection and classification. Further, simulation experiments are conducted using the public data sets NSL-KDD and CIC-IDS2017. The experiments are implemented using Python programming language and Pytorch framework. The results reveal that the performance of our proposed model is better than that of other models, with accuracy reaching 90.99%, 99.15% and 99.56%, on NSL-KDD dataset, CIC-IDS2017 dataset and MQTTset dataset, respectively. It increased the detection accuracy by about 1%-10% on NSL-KDD dataset and about 0.2%-10% on CIC-IDS2017 dataset, and about 1%-10% on MQTTset dataset. These results demonstrate that this method is effective in constructing and optimizing large-scale IDS in the IoT environment.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Qi Liu,Yanchen Liu,Ruifeng Li,Chenhong Cao,Yufeng Li,Xingyu Li,Peng Wang,Runhan Feng

2024-11-15

Abstract:The integration of intelligent and connected technologies in modern vehicles, while offering enhanced functionalities through Electronic Control Unit and interfaces like OBD-II and telematics, also exposes the vehicle's in-vehicle network (IVN) to potential cyberattacks. In this paper, we consider a specific type of cyberattack known as the injection attack. As demonstrated by empirical data from real-world cybersecurity adversarial competitions(available at <a class="link-external link-https" href="https://mimic2024.xctf.org.cn/race/qwmimic2024" rel="external noopener nofollow">this https URL</a> ), these injection attacks have excitation effect over time, gradually manipulating network traffic and disrupting the vehicle's normal functioning, ultimately compromising both its stability and safety. To profile the abnormal behavior of attackers, we propose a novel injection attack detector to extract long-term features of attack behavior. Specifically, we first provide a theoretical analysis of modeling the time-excitation effects of the attack using Multi-Dimensional Hawkes Process (MDHP). A gradient descent solver specifically tailored for MDHP, MDHP-GDS, is developed to accurately estimate optimal MDHP parameters. We then propose an injection attack detector, MDHP-Net, which integrates optimal MDHP parameters with MDHP-LSTM blocks to enhance temporal feature extraction. By introducing MDHP parameters, MDHP-Net captures complex temporal features that standard Long Short-Term Memory (LSTM) cannot, enriching temporal dependencies within our customized structure. Extensive evaluations demonstrate the effectiveness of our proposed detection approach.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Xueying Han,Susu Cui,Song Liu,Chen Zhang,Bo Jiang,Zhigang Lu

DOI: https://doi.org/10.1016/j.cose.2023.103171

2023-03-07

Abstract:Network intrusion detection system plays a critical role in protecting the target network from attacks. However, most existing detection methods cannot fully utilize the information contained in raw network traffic, such as information loss in the feature extraction process and incomplete feature dimensions, which lead to performance bottlenecks. In this paper, we propose a novel intrusion detection model based on n-gram frequency and time-aware transformer called GTID. GTID can learn traffic features from packet-level and session-level hierarchically and can minimize information as much as possible. To extract packet-level features effectively, GTID considers the different roles of packet header and payload, and processes them in different ways, where n-gram frequency is used to represent payload contextual information because of its conciseness. Then, GTID uses the proposed time-aware transformer to learn session-level features for intrusion detection. The time-aware transformer considers the time intervals between packets, and learns the temporal features of a session for classification. For evaluation, several solid experiments are conducted on the ISCX2012 dataset and the CICIDS2017 dataset, and the results show the effectiveness and robustness of GTID.

computer science, information systems

Haomin Wang,Wei Li

DOI: https://doi.org/10.3390/s21155047

IF: 3.9

2021-07-26

Sensors

Abstract:Software-defined networking (SDN) has emerged in recent years as a form of Internet architecture. Its scalability, dynamics, and programmability simplify the traditional Internet structure. This architecture realizes centralized management by separating the control plane and the data-forwarding plane of the network. However, due to this feature, SDN is more vulnerable to attacks than traditional networks and can cause the entire network to collapse. DDoS attacks, also known as distributed denial-of-service attacks, are the most aggressive of all attacks. These attacks generate many packets (or requests) and ultimately overwhelm the target system, causing it to crash. In this article, we designed a hybrid neural network DDosTC structure, combining efficient and scalable transformers and a convolutional neural network (CNN) to detect distributed denial-of-service (DDoS) attacks on SDN, tested on the latest dataset, CICDDoS2019. For better verification, several experiments were conducted by dividing the dataset and comparisons were made with the latest deep learning detection algorithm applied in the field of DDoS intrusion detection. The experimental results show that the average AUC of DDosTC is 2.52% higher than the current optimal model and that DDosTC is more successful than the current optimal model in terms of average accuracy, average recall, and F1 score.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Hui Cao

DOI: https://doi.org/10.1109/ACCESS.2024.3436541

IF: 3.9

IEEE Access

Abstract:With the continuous evolution of network attack methods, traditional rule-based and signature-based security strategies are becoming increasingly hard to deal with increasingly complex network threats. The research focuses on the problem of network traffic anomaly detection in network security, and proposes an improved Transformer and Generative Adversarial Networks network traffic anomaly detection model. The innovation lies in utilizing the Patch segmentation in the Transformer module to reduce information loss, while introducing random masked data blocks to enhance the anti-interference ability of Generative Adversarial Networks, and proposing a class balance model. Therefore, a Transformer Multi Receive Field Fusion (Trans-M) model for network traffic anomaly detection is constructed. The performance test results showed that after category balancing, the accuracy, recall, and F1-score of each model were been significantly improved. The accuracy of the Trans-M model on the balanced dataset arrived 98.12%, an improvement of 8.59% compared to before balancing. The recall rate of the Trans-M model was improved by 8.62% to 97.86%. On Balanced F Score (F1-score), the highest score of the Trans-M model was 98.46%, which was 8.18% higher than before balancing. The experiment outcomes demonstrate that the raised network traffic anomaly detection system is superior to common anomaly traffic detection models and can meet the actual network security protection needs.

Computer Science,Engineering

Anastasiya Arkhipova,Pavel Polyakov,,

DOI: https://doi.org/10.17212/2782-2230-2021-3-57-67

2021-09-30

Digital Technology Security

Abstract:This article presents the results of testing to create a specialized system that helps prevent cyberattacks, thus popularizing the construction of intelligent applications. Based on the results obtained, it can be argued that the tests carried out are satisfactory. The mathematical basis for building a neural network model is the HESADM model (Hybrid Artificial Intelligence Framework). The presented system allows you to form a set of rules using fuzzy logical neurons. This paper presents an approach to the formation of a fuzzy neural network used for detecting SQL injection attacks. The methodology used in this paper is an impulse artificial neural network (SANN), which uses an evolving neural network system (eCOS) and a multi-layer approach of an impulse artificial neural network to classify the exact type of intrusion or network anomaly with minimal computational potential. The impulse artificial neural system forms itself continuously, adapting to the input data, being in a functioning or not state, being under the supervision of an administrator. This system finds application to several other complex problems of the real world, proving its efficiency, including in the field of information security. The considered model is a hybrid evolving pulse anomaly detection model (HESADM), which works on impulses that occur in the system, while neurons are used to monitor the algorithm using a single training pass. In the system, traffic-oriented data is used by importing classes that use variable encoding. The data used is obtained by converting the real characteristics of network traffic into certain time stamps.

Song Xia,Meikang Qiu,Meiqin Liu,Ming Zhong,Hui Zhao

DOI: https://doi.org/10.1007/978-3-030-34139-8_22

2019-01-01

Abstract:Network threats are malicious attacks that endanger network security. With terabits of information stored in the network and much of this information being confidential, cyber security turns to be very important. Most network protection mechanisms are based on firewall and Intrusion Detection System ( IDS ). However, with the diversification of cyber-attacks, traditional defense mechanisms cannot fully guarantee the security of the network. In this paper, we propose an automatic network threat response system based on machine learning and deep learning. It comprises three sub-modules: threat detection module, threat identification module and threat mitigation module. The experimental results show that the proposed system can handle 22 types of network threats in the KDD99 dataset and the rate of successful response is over 97%, which is much better than the traditional ways.

Yu‐Guang Yang,Hong‐Mei Fu,Shang Gao,Yi‐Hua Zhou,Wei‐Min Shi

DOI: https://doi.org/10.1002/ett.4522

IF: 3.6

2022-04-29

Transactions on Emerging Telecommunications Technologies

Abstract:Abstract We propose an intrusion detection model based on an improved vision transformer (ViT). More specifically, the model uses an attention mechanism to process data, which overcomes the flaw of the short‐term memory in recurrent neural network (RNN) and the difficulty of learning remote dependency in convolutional neural network. It supports parallelization and has a faster computing speed than RNN. A sliding window mechanism is presented to improve the capability of modeling local features for ViT. The hierarchical focal loss function is used to improve the classification effect, and solve the issue of the data imbalance. The public intrusion detection dataset NSL‐KDD is used for experimental simulations. By experimental simulations, the accuracy is up to 99.68%, the false‐positive rate is 0.22%, and the recall rate is 99.57%, which show that the improved ViT has better accuracy, false positive rate, and recall rate than existing intrusion detection models.

telecommunications

Wenbo Wang,Peng Yi,Junfang Jiang,Peng Zhang,Xiang Chen

DOI: https://doi.org/10.1016/j.cose.2023.103533

IF: 5.105

2023-10-09

Computers & Security

Abstract:In recent years, the growing threat of cyber attacks has made more researchers focus on the study of alert correlation and attack prediction. While numerous solutions have been proposed, the existing works still have some shortcomings. Without aggregation, previous approaches directly put the excessive and duplicate alerts into models, ignoring the internal logic between adjacent payloads, which we believe is a significant clue to distinguish different types of attacks. In this paper, we propose a similarity based aggregation algorithm to correlate and aggregate alerts, then train a Transformer based model to handle input with variable length and complete the attack prediction. Additionally, a threat estimation method as well as its practical application has been proposed to assess the predicted output. Experimental results demonstrate that our proposed framework has the capability to effectively aggregate alerts, predict different attack intelligence in good mode as well as assess how much threat the administrator would face in the near future.

computer science, information systems