Ziming Zhao,Zhaoxuan Li,Xiaofei Xie,Jiongchi Yu,Fan Zhang,Rui Zhang,Binbin Chen,Xiangyang Luo,Ming Hu,Wenrui Ma

DOI: https://doi.org/10.1109/tnet.2024.3413789

2024-01-01

Abstract:Anomaly-based network intrusion detection systems (NIDSs) are essential for ensuring cybersecurity. However, the security communities realize some limitations when they put most existing proposals into practice. The challenges are mainly concerned with fine-grained unknown attack detection and ever-changing legitimate traffic adaptation. To tackle these problem, we present three key design norms. The core idea is to construct a model to split the data distribution hyperplane and leverage the concept of isolation, as well as advance the incremental model update. We utilize the isolation tree as the backbone to design our model, named, to echo back three norms. By analyzing the popular dataset of network intrusion traces, we show that significantly outperforms the state-of-the-art methods. Further, we perform an initial deployment of by working with the Internet Service Provider (ISP) to detect distributed denial of service (DDoS) attacks. With real-world tests and manual analysis, we demonstrate the effectiveness of to identify previously-unseen attacks in a fine-grained manner.

Na Xing,Shuai Zhao,Yuehai Wang,Keqing Ning,Xiufeng Liu

DOI: https://doi.org/10.14569/ijacsa.2023.0140743

2023-01-01

Abstract:recent years, deep learning-based network intrusion detection systems (IDS) have shown impressive results in detecting attacks. However, most existing IDS can only recognize known attacks that were included in their training data. When faced with unknown attacks, these systems are often unable to take appropriate actions and incorrectly classify them into known categories, leading to reduced detection performance. Furthermore, as the number and types of network attacks continue to increase, it becomes challenging for these IDS to update their model parameters promptly and adapt to new attack scenarios. To address these issues, this paper introduces a dynamic intrusion detection system, Dynamic Unknown Attack Intrusion Detection System (DUA-IDS). This system aims to learn and detect unknown attacks effectively. DUA-IDS comprises three components: Feature Extractor: This component employs CNN and Transformer models to extract data features from various perspectives. Threshold-Based Classifier: The second part utilizes the nearest mean rule of samples to classify known and unknown attacks, enabling the distinction between them. Dynamic Learning Module: The third part incorporates data playback and knowledge distillation techniques to retain existing category knowledge while continuously learning new attack categories. To assess the effectiveness of DUA-IDS, this paper conducted experiments using the UNSW-NB15 public dataset. The experimental results show that DUA-IDS improves the classification accuracy of flow network data with unknown traffic attacks. Can accurately distinguish unknown traffic and correctly classify known traffic. When dynamically learning unknown traffic, the classification accuracy of previously learned known traffic is less affected. This indicates the advantages of DUA-IDS in detecting unknown attacks and learning new attack categories.

Xiaohe Hu,Yang Xiang,Yifan Li,Buyi Qiu,Kai Wang,Jun Li

DOI: https://doi.org/10.26599/tst.2020.9010018

2021-01-01

Abstract:Network monitoring is receiving more attention than ever with the need for a self-driving network to tackle increasingly severe network management challenges. Advanced management applications rely on traffic data analyses, which require network monitoring to flexibly provide comprehensive traffic characteristics. Moreover, in virtualized environments, software network monitoring is constrained by available resources and requirements of cloud operators. In this paper, Trident, a policy-based network monitoring system at the host, is proposed. Trident is a novel monitoring approach, off-path configurable streaming, which offers remote analyzers a fine-grained holistic view of the network traffic. A novel fast path packet classification algorithm and a corresponding cached flow form are also proposed to improve monitoring efficiency. Evaluated in a practical deployment, Trident demonstrates negligible interference with forwarding and requires no additional software dependencies. Trident has been deployed in production networks of several Tier-IV datacenters.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Chenyang Qiu,Yingsheng Geng,Junrui Lu,Kaida Chen,Shitong Zhu,Ya Su,Guoshun Nan,Can Zhang,Junsong Fu,Qimei Cui,Xiaofeng Tao

DOI: https://doi.org/10.1145/3580305.3599238

2023-07-02

Abstract:Network-based intrusion detection system (NIDS) monitors network traffic for malicious activities, forming the frontline defense against increasing attacks over information infrastructures. Although promising, our quantitative analysis shows that existing methods perform inconsistently in declaring various unknown attacks (e.g., 9% and 35% F1 respectively for two distinct unknown threats for an SVM-based method) or detecting diverse known attacks (e.g., 31% F1 for the Backdoor and 93% F1 for DDoS by a GCN-based state-of-the-art method), and reveals that the underlying cause is entangled distributions of flow features. This motivates us to propose 3D-IDS, a novel method that aims to tackle the above issues through two-step feature disentanglements and a dynamic graph diffusion scheme. Specifically, we first disentangle traffic features by a non-parameterized optimization based on mutual information, automatically differentiating tens and hundreds of complex features of various attacks. Such differentiated features will be fed into a memory model to generate representations, which are further disentangled to highlight the attack-specific features. Finally, we use a novel graph diffusion method that dynamically fuses the network topology for spatial-temporal aggregation in evolving data streams. By doing so, we can effectively identify various attacks in encrypted traffics, including unknown threats and known ones that are not easily detected. Experiments show the superiority of our 3D-IDS. We also demonstrate that our two-step feature disentanglements benefit the explainability of NIDS.

Cryptography and Security,Artificial Intelligence,Machine Learning,Social and Information Networks

Yue Li,Yingjian Liu,Haoyu Yin,Zhongwen Guo,Yu Wang

DOI: https://doi.org/10.1109/jiot.2023.3297334

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Internet of Underwater Things (IoUT) needs to maintain effective communication even under the circumstances of severe environments and limited energy. Named Data Networking (NDN), a future network architecture, is starting to be used for IoUT as an effective architecture implementation. Despite having a good performance of data transmission, Underwater Named Data Networking (UNDN) nevertheless faces some security risks, such as Denial-of-Service (DoS) brought by Interest Flooding Attacks (IFAs). This paper proposes a novel DoS attack, Synergetic Denial-of-Service (SDoS), which can cause hiding damages to router’s Content Store (CS), Pending Interest Table (PIT), and Forwarding Information Base (FIB). We not only study the basic synergetic attack model of SDoS but also analyze some possible attack variants. Simulation results illustrate that SDoS entirely invalidates the only IFA detection algorithm in UNDN. Compared to ordinary IFAs, SDoS attacks increase network traffic fourfold. Furthermore, we discover a unique infection problem in UNDN and propose a countermeasure named Trident, which has meticulously designed adaptive threshold, Double Trial for attacker identification, and a self-proving mechanism based on leaky bucket. Experiment results demonstrate that Trident can detect and resist not only IFAs but also SDoS attacks effectively. Meanwhile, Trident also achieves good defense performance on the variants of SDoS and can take on burst traffic and network congestion robustly.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xi Ling,Jiongchi Yu,Ziming Zhao,Zhihao Zhou,Haitao Xu,Binbin Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-031-54773-7_12

2024-01-01

Abstract:With the proliferation of Internet development, Distributed Denial of Service (DDoS) attacks are on the rise. As rule-based traffic analysis frameworks and Deep Packet Inspection (DPI) defense measures can effectively thwart many DDoS attacks, attackers keep exploring various attack surfaces and traffic amplification strategies to nullify the defense. In this paper, we propose DDoSMiner, an automated framework for DDoS attack characterization and vulnerability mining. DDoSMiner analyzes system call patterns of the TCP-based DDoS attack family, then generates Attack Call Flow Graph (ACFG) by discerning the differences between DDoS attack traffic and benign traffic. Furthermore, DDoSMiner identifies and extracts drop nodes and pivotal TCP states from the distinctive characteristics of attack traffic, then passes to the symbolic execution framework for exploring variants of the DDoS attack. We collectively analyze six types of TCP-based DDoS attacks, construct the corresponding ACFG, and identify a set of attack traffic variants. The attack traffic variants are evaluated on the widely used Network Intrusion Detection System (NIDS) Snort with three popular rule sets. The result shows that DDoSMiner indeed discovers the new DDoS attack trace, and the corresponding attack traffic can bypass all three defense toolkits.

Yan Chen,Zhichun Li

2009-01-01

Abstract:In this thesis, I propose and develop a network-based attack defense system, RAIDM. I focus on network based defense because of the following reasons: (i) network gateways/routers are the vantage points for detecting large scale attacks; (ii) only host based detection/prevention is not enough for modern networks. RAIDM has four components: sketch-based monitoring and detection, polymorphic worm signature generation, signature matching engines and network situational awareness.The first module is sketch-based monitoring and detection. In this thesis, leveraging data streaming techniques such as reversible sketch, we design HiFIND [1], a High-speed Flow-level Intrusion Detection system. We also propose a two-dimensional sketch for attack differentiation. HiFIND (i) is scalable to flow-level detection on high-speed networks; (ii) is DoS resilient; (iii) can distinguish SYN flooding and various port scans (mostly for worm propagation) for effective mitigation; (iv) enables aggregate detection over multiple routers/gateways; and (v) separates anomalies to limit false positives in detection. Both theoretical analysis and evaluation with several router traces show that HiFIND achieves these properties. To the best of our knowledge, HiFIND is the first online DoS resilient flow-level intrusion detection system for high-speed networks (e.g. OC192), even for the worst case traffic of 40-byte-packet streams with each packet forming a flow.The second module is polymorphic worm signature generation. Recently, worms and remote exploits sent by botnets have become the major tools for launching Internet attacks. It is critical to quickly generate signatures in response to those fast propagating threats. To this end, I have developed two types of automated worm signature generation approaches (token-based signature generator and length based signature generator) with different information availability requirement and underlying assumptions. Beside token based signature generator, we design a network-based Length-based Signature Generator (LESG) for worms exploiting buffer overflow vulnerabilities. We further prove the attack resilience bounds even under the worst case attacks with deliberate noise injection. Moreover, LESG is fast and noise-tolerant and has efficient signature matching.The third module is signature matching engines. In this thesis, we design NetShield, a vulnerability signature based NIDS/NIPS which achieves high throughput comparable to that of the state-of-the-art regex-based systems while offering much better accuracy. This is accomplished because of the following contributions: (i) we propose a candidate selection algorithm that efficiently matches thousands of vulnerability signatures simultaneously using a small amount of memory; (ii) we propose a parsing transition state machine that achieves fast protocol parsing; (iii) we implement the NetShield prototype, including rewriting the ruleset of Snort to vulnerability signatures. Experimental results show that the core engine of NetShield achieves 1.9Gbps signature matching throughput for 794 HTTP vulnerability signatures on a 3.8GHz PC.Finally, the fourth module is network situational awareness for botnet probings. Botnets dominate today's attack landscape. In this thesis, we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale "botnet probes". In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer—using purely local observation—information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminant attack? Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. (Abstract shortened by UMI.)

Changbin Xiao,Lei Xie,Huifang Chen

DOI: https://doi.org/10.1109/eit63098.2024.10762098

2024-01-01

Abstract:In the complicated modern network, an effective intrusive traffic detection (ITD) scheme is paramount for enhancing the cybersecurity. Due to the continuous dynamics of data and the introduction of new classes, the existing ITD methods based on deep learning primarily reliant on joint training face challenges. And the frequent retraining is in the price of real-time responsiveness and computational resource. Moreover, the incremental learning strategy is dependent on exemplar sets heavily, which results in a significant storage cost for retaining old-class exemplars. Hence, the ITD problem under evolving network threats should be resolved. In this paper, we propose an adaptive and lightweight ITD method within a class incremental learning (ALCIL) framework. In the proposed ALCIL framework, the attention mechanism and prototype extraction technique are combined to guarantee precise and efficient feature extraction from new threats, as well as reducing the storagerequirement significantly. The design of our framework aims to mitigate catastrophic forgetting, thereby ensuring that the system retains knowledge of earlier classes as it integrates new ones.

Xibin Zhao,Yuanlin Li,Min Zhou,Zhiwei Xu,Hai Wan

DOI: https://doi.org/10.1145/3691620.3695289

2024-10-27

Abstract:SQL injection attacks have posed a significant threat to web applications for decades. They obfuscate malicious codes into natural SQL statements so as to steal sensitive data, making them difficult to detect. Generally, malicious signals can be identified by using the contextual information of SQL statements. Such contextual information, however, is not always easily captured. Due to the fact that SQL as a formal language is highly structured, two tokens that are spatially far away may be semantically very close. An effective approach thus should take the structural feature of SQL statements into account when modeling their contextual information.In this paper, we present a novel abstract syntax tree-based neural network approach named Trident for effectively detecting SQL injection attacks. Benefiting from the structural feature delivered by ASTs, Trident realizes superior modeling of contextual information via tree-based positional embedding and well-designed neural networks. Trident is widely evaluated on a public SQL injection dataset and an adversarial sample dataset. The results demonstrate that Trident can significantly outperform the baselines.CCS CONCEPTS• Software and its engineering → Language features; • Security and privacy → Intrusion detection systems.

Computer Science

Jingyi Zhu,Xiufeng Liu

DOI: https://doi.org/10.1016/j.compeleceng.2024.109113

IF: 4.152

2024-02-12

Computers & Electrical Engineering

Abstract:In the rapidly evolving landscape of the Internet of Things (IoT), ensuring robust intrusion detection is paramount for device and data security. This paper proposes a novel method for intrusion detection in IoT networks that leverages a unique blend of subspace clustering and ensemble learning. Our framework integrates three innovative strategies: Clustering Results as Features (CRF), Two-Level Decision Making (TDM), and Iterative Feedback Loop (IFL). These strategies synergize to enhance detection performance and model robustness. We employ mutual information for feature selection and utilize four subspace clustering algorithms – CLIQUE, PROCLUS, SUBCLU, and LOF – to create additional feature sets. Three base learners – NB, LGBM, and XGB – are used in conjunction with a Logistic Regression (LR) meta-learner. To fine-tune our model, we apply Particle Swarm Optimization (PSO) for hyperparameter optimization. We evaluate our framework on the UNSW-NB15 dataset, which contains realistic and diverse IoT network traffic data. The results show that our framework outperforms the state-of-the-art methods in terms of accuracy (97.05%), precision (96.33%), recall (96.55%), F1-score (96.45%), and false positive rate (0.029). Our framework can effectively detect both known and unknown attacks in IoT networks and achieve high accuracy and low false positive rate. The paper contributes both practical implications for network security and theoretical advancements in intrusion detection research.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Chiming Xi,Hui Wang,Xubin Wang

DOI: https://doi.org/10.1038/s41598-024-74214-w

IF: 4.6

2024-10-07

Scientific Reports

Abstract:Network is an essential tool today, and the Intrusion Detection System (IDS) can ensure the safe operation. However, with the explosive growth of data, current methods are increasingly struggling as they often detect based on a single scale, leading to the oversight of potential features in the extensive traffic data, which may result in degraded performance. In this work, we propose a novel detection model utilizing multi-scale transformer namely IDS-MTran. In essence, the collaboration of multi-scale traffic features broads the pattern coverage of intrusion detection. Firstly, we employ convolution operators with various kernels to generate multi-scale features. Secondly, to enhance the representation of features and the interaction between branches, we propose Patching with Pooling (PwP) to serve as a bridge. Next, we design multi-scale transformer-based backbone to model the features at diverse scales, extracting potential intrusion trails. Finally, to fully capitalize these multi-scale branches, we propose the Cross Feature Enrichment (CFE) to integrate and enrich features, and then output the results. Sufficient experiments show that compared with other models, the proposed method can distinguish different attack types more effectively. Specifically, the accuracy on three common datasets NSL-KDD, CIC-DDoS 2019 and UNSW-NB15 has all exceeded 99%, which is more accurate and stable.

multidisciplinary sciences

Jinghong Lan,Xudong Liu,Bo Li,Jun Zhao

DOI: https://doi.org/10.1007/s10489-022-04076-0

IF: 5.3

2022-09-10

Applied Intelligence

Abstract:Network Intrusion Detection Systems(NIDSs) are crucial for resisting cyber threats. However, NIDSs equipped with supervised learning models do not generalize well to unknown attacks because the training samples for previously unseen new intrusions are usually not available in advance. Thus, a new framework based on a H ierarchical A ttention-based T riplet network with U nsupervised D omain A daptation(HAT-UDA) is proposed for this purpose. Concretely, a joint loss is introduced to force HAT-UDA to learn compact and discriminative embeddings for benign network traffic while being far from the representations of known attacks. Then, a One-class Support Vector Machine(OCSVM) model is trained on top of the benign embeddings for the unknown attack detection task. Furthermore, we propose an unsupervised domain adaptation module in an adversarial manner to reduce the false positives of HAT-UDA when applied to new network scenarios. HAT-UDA provides a novel approach for building a robust NIDS from benign traffic and available (known) attacks. This is particularly meaningful since collecting samples for benign traffic and known attacks is much easier than obtaining instances for unseen new attacks. Extensive experiments show that HAT-UDA outperforms other state-of-the-art methods and significantly improves the detection rate of unknown attacks.

computer science, artificial intelligence

Zhichun Li,Yan Gao,Yan Chen

2005-01-01

Abstract:Traffic anomalies and attacks are commonplace in to- day's networks, and identifying them rapidly and ac- curately is critical for large networks. With the rapid growth of network bandwidth and fast emergence of new attacks/worms, existing network intrusion detection sys- tems (IDS) are insufficient for the following two reasons. First, they are mostly host-based or located on low-end routers, and not scalable to high-speed networks. How- ever, it is crucial to identify fast propagation of worms in their early phases, which can only possibly be achieved by detection at high speed edge/backbone routers instead of at end hosts. Unfortunately, the existing schemes are not scalable to the link speeds and number of flows for high-speed networks. According to a recent research agenda (7) by DARPA, detection on edge networks is par- ticularly critical, powerful and efficient (without deploy- ing IDSs on all the edge hosts). Second, most of the existing approaches are signature based, which cannot detect unknown attacks. Statistical IDSs are therefore proposed to detect anomalies. Cur- rent systems are mostly designed to detect based on the overall traffic, thus they tend to be inaccurate or can- not find real attack flows for mitigation even when spot- ting anomalies. For instance, the state-of-the-art stateless router-based SYN flooding detection techniques, Change Point Monitoring (CPM), use the statistical behavior of SYN-FIN, or SYN-SYN/ACK packet pairs based on over- all traffic for detection (5). It detects well with pure SYN

Yangzong Zhang,Wenjian Liu,Kaiian Kuok,Ngai Cheong

DOI: https://doi.org/10.1109/access.2024.3349943

IF: 3.9

2024-01-01

IEEE Access

Abstract:Recent stealth attacks cleverly disguise malicious activities, masquerading as ordinary connections to popular online services through seemingly innocuous applications. These methods often evade detection by traditional network monitoring or signature-based techniques, as attackers frequently hide Command and Control (C&C) servers within well-known cloud service providers, making the traffic anomalies appear normal. In this paper, we introduce an application-level monitoring system, Anteater. Anteater constructs a detailed profile for each legitimate software’s network traffic behavior, outlining the expected traffic patterns. By scrutinizing a program’s network traffic configuration, Anteater efficiently pinpoints and intercepts the IP addresses associated with abnormal program access. Implemented in a real-world enterprise environment, Anteater was tested on a dataset containing over 400 million real-world network traffic sessions. The evaluation results demonstrate that Anteater achieves a high detection rate for malware injections, boasting a true positive rate of 94.5% and a false positive rate of less than 0.1%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Chenxin Duan,Sainan Li,Hai Lin,Wenqi Chen,Guanglei Song,Chenglong Li,Jiahai Yang,Zhiliang Wang

DOI: https://doi.org/10.1109/tdsc.2023.3340563

2024-01-01

Abstract:With Internet-of-Things (IoT) devices gaining popularity, dedicated monitoring systems which accurately detect intrusion traffic for them are in high demand. Existing methods mainly use statistical spatial-temporal traffic features and machine learning models. Their practicality has been limited due to the lack of detection ability for stealthy and tricky attacks, diagnostic utility and long-term performance. To address these problems and motivated by the simplicity of mini IoT devices, we propose to construct fully packet-level models to profile traffic patterns for IoT devices by constructing automaton for short flow and long flow, where the length and direction of each packet are the representative features. We apply these fine-grained models to design and develop a traffic monitoring system, namely IoTa , to detect intrusion traffic for IoT devices. IoTa matches the ongoing traffic with patterns extracted from normal traffic traces. With visible and interactive traffic profiles, IoTa can generate interpretable alerts and is available for long-term use under reasonable human efforts. Evaluations on dozens of common IoT devices show that IoTa can achieve excellent detection accuracy (nearly perfect recalls and always over 0.999 precisions) for various intrusion traffic covering the complete kill chains. Incorrect detection results can be compensated for by error recovery mechanisms and the understandable alert context can be used by the operator to enhance the system. The diagnostic utility and little alert weariness are recognized by the experienced operators.

Fei Wang,Hailong Wang,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2011.02.025

2011-01-01

Mathematical and Computer Modelling

Abstract:Detection of distributed denial of service (DDoS) attacks has been a challenging problem for network security. Most of the existing works take into account the anomaly features of the traffic caused by DDoS. However, these detection methods suffer from either less generality or high computational and memory costs in detecting subtle DDoS attacks. In this paper, we first present a model for DDoS attacks with quantitative measurements. Based on this model, we find that there are two factors that have a severe influence on the deviation of traffic features. In view of these two factors, the DDoS attack traffic observed by monitors can be trivial, leading to the subtle DDoS attacks which are difficult to detect. To detect the subtle DDoS anomalies at monitors close to the attack sources, we propose a novel multistage DDoS detection framework that consists of a NTS (Network Traffic State) prediction, a fine-grained singularity detection and a malicious address extraction engine. We also briefly introduced how to distribute our detection framework to enhance the performance of detecting world-wide DDoS attacks. Moreover, the prototype system is implemented and evaluated with real network traces from our campus network and testbed. The results show that our method can detect various DDoS attacks efficiently even though the attack rate is low. Our method can extract malicious IPs for attack reaction with records for a short period, and multiple monitors distributed in the network can fuse the results of extraction seamlessly to improve the accuracy of detection

Hoang Nguyen,Rasha Kashef

DOI: https://doi.org/10.1016/j.knosys.2023.110966

IF: 8.139

2023-09-15

Knowledge-Based Systems

Abstract:With recent advances in the Internet of Things (IoT) technology, more people can have instant and easy access to the IoT network of vast and diverse interconnected devices (e.g., surveillance cameras, motion sensors, or smart watches). This trend leads to a significant increase in the frequency and complexity of cyber attacks in the IoT network. Further, these attacks inflict severe financial and privacy damages to individuals and evince the need to develop a more effective and robust network intrusion detection system (NIDS). Network Intrusion Detection (NID) aims to identify the attacks in the networked devices, which is an essential task to protect and maintain Cyber Security. Although recent Machine Learning-based methods have developed and provided more efficient non-human intervention solutions to this problem, these methods still have some unsolved issues. One of the main limitations of existing solutions is that most focus on extracting the features at the flow level independently and ignore their interactions in the network, which impacts the detection performance. To address this problem, in this paper, we propose a T raffic-aware S elf-supervised learning for IoT Network I ntrusion D etection S ystem, namely TS-IDS , which aims to capture the flow relationships between the network entities. Our approach leverages both node and edge features for improved performance. Additionally, we incorporate auxiliary property-based self-supervised learning (SSL) to enhance the graph representation , even in the absence of labelled data. We conducted experiments on two real-world datasets, NF-ToN-IoT and NF-BoT-IoT. We compared the proposed model with state-of-the-art baseline models to demonstrate the potential of our proposed framework.

computer science, artificial intelligence

Cristiano Antonio de Souza,Carlos Becker Westphall,Jean Douglas Valencio,Renato Bobsin Machado,Wesley dos R. Bezerra

DOI: https://doi.org/10.1016/j.adhoc.2024.103541

IF: 4.816

2024-05-11

Ad Hoc Networks

Abstract:Special security techniques, such as intrusion detection mechanisms, are indispensable in modern computer systems. With the emergence of the Internet of Things they have become even more important. It is important to detect and identify the attack in a category so that countermeasures specific to the threat category can be resolved. However, most existing multiclass detection approaches have some weaknesses, mainly related to detecting specific categories of attacks and problems with false positives. This article addresses this research problem and advances state-of-the-art, bringing contributions to a two-stage detection architecture called DNNET-Ensemble, combining binary and multiclass detection. While the benign traffic can be quickly released on the first detection, the intrusive traffic can be subjected to a robust analysis approach without causing delay issues. Additionally, we propose the DNNET binary approach for the binary detection level, which can provide more accurate and faster binary detection. We present the proposal of a federated strategy to train the neural model of the DNNET method without sending data to the cloud, thus preserving the privacy of local data. The proposed Hybrid Attribute Selection strategy can find an optimal subset of attributes through a wrapper method with a lower training cost due to pre-selection using a filter method. Furthermore, the proposed Soft-SMOTE improvement allows operating with a balanced dataset with a minor training time increase, even in scenarios where there are a large number of classes with a large imbalance among them. Results obtained from experiments on renowned intrusion datasets and laboratory experiments demonstrate that the approach can achieve superior detection rates and false positive performance compared to other state-of-the-art approaches.

computer science, information systems,telecommunications

Chongzhen Zhang,Yanli Chen,Yang Meng,Fangming Ruan,Runze Chen,Yidan Li,Yaru Yang

DOI: https://doi.org/10.1155/2021/6610675

IF: 1.968

2021-01-25

Security and Communication Networks

Abstract:Traditional machine learning-based intrusion detection often only considers a single algorithm to identify intrusion data, lack of the flexibility method, low detection rate, no handing high-dimensional data, and cannot solve these problems well. In order to improve the performance of intrusion detection system, a novel general intrusion detection framework was proposed in this paper, which consists of five parts: preprocessing module, autoencoder module, database module, classification module, and feedback module. The data processed by the preprocessing module are compressed by the autoencoder module to obtain a lower-dimensional reconstruction feature, and the classification result is obtained through the classification module. Compressed features of each traffic are stored in the database module which can both provide retraining and testing for the classification module and restore these features to the original traffic for postevent analysis and forensics. For evaluation of the framework performance proposed, simulation was conducted with the CICIDS2017 dataset to the real traffic of the network. As the experimental results, the accuracy of binary classification and multiclass classification is better than previous work, and high-level accuracy was reached for the restored traffic. At the last, the possibility was discussed on applying the proposed framework to edge/fog networks.

computer science, information systems,telecommunications