Haifeng Lv,Xiaoyu Ji,Yong Ding

DOI: https://doi.org/10.1088/1742-6596/2517/1/012016

2023-01-01

Journal of Physics Conference Series

Abstract:The intrusion detection system (IDS) plays an important part because it offers an efficient way to prevent and mitigate cyber attacks. Numerous deep learning methods for intrusion anomaly detection have been developed as a result of recent advances in artificial intelligence (AI) in order to strengthen internet security. The balance among the high detection rate (DR), the low false alarm rate (FAR) and disaster of dimensionality is the crucial apprehension while devising an effective IDS. For the binary classification of intrusion detection systems, we present in this study a mixed model called K-means-XGBoost consisting of K-means and (Extreme Gradient Boosting, XGBoost) algorithms. The distributed computation of our method is achieved in Spark platform to rapidly separate normal events and anomaly events. In phrases of accuracy, DR, F1-score, recall, precision, and error indices FAR, the proposed model’s performance is measured via the well-known dataset of NSL-KDD. The experimental outcomes indicate that our method is outstandingly better among accuracy, DR, F1-score, training time, and processing speed, compared to other models which are recently created. In particular, the accuracy, F1-score, and DR of the proposed model can achieve as high as 93.28%, 94.39%, and 99.22% in the NSL-KDD dataset, respectively.

Celestine Iwendi,Suleman Khan,Joseph Henry Anajemba,Mohit Mittal,Mamdouh Alenezi,Mamoun Alazab

DOI: https://doi.org/10.3390/s20092559

IF: 3.9

2020-04-30

Sensors

Abstract:The pursuit to spot abnormal behaviors in and out of a network system is what led to a system known as intrusion detection systems for soft computing besides many researchers have applied machine learning around this area. Obviously, a single classifier alone in the classifications seems impossible to control network intruders. This limitation is what led us to perform dimensionality reduction by means of correlation-based feature selection approach (CFS approach) in addition to a refined ensemble model. The paper aims to improve the Intrusion Detection System (IDS) by proposing a CFS + Ensemble Classifiers (Bagging and Adaboost) which has high accuracy, high packet detection rate, and low false alarm rate. Machine Learning Ensemble Models with base classifiers (J48, Random Forest, and Reptree) were built. Binary classification, as well as Multiclass classification for KDD99 and NSLKDD datasets, was done while all the attacks were named as an anomaly and normal traffic. Class labels consisted of five major attacks, namely Denial of Service (DoS), Probe, User-to-Root (U2R), Root to Local attacks (R2L), and Normal class attacks. Results from the experiment showed that our proposed model produces 0 false alarm rate (FAR) and 99.90% detection rate (DR) for the KDD99 dataset, and 0.5% FAR and 98.60% DR for NSLKDD dataset when working with 6 and 13 selected features.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Limin Lu,Shaohua Teng,Wei Zhang,Zhenhua Zhang,Dongning Liu,Xiaozhao Fang

DOI: https://doi.org/10.1109/cscwd.2019.8791854

2019-01-01

Abstract:Ensemble classifier, by combining multiple classifiers, can often achieve better performance than single classifiers in intrusion detection. Although some ensemble methods have been used for intrusion detection, most of them directly fuse detection outputs after multiple classifiers a re generated. It potentially reduce the overall performance and flexibility. Aiming at achieving a high-precision intrusion detection model with good generalization performance and robustness, an error-correcting ability based collaborative multi-layer selective classifier ensemble model is proposed in this paper, named ML-SCEM. In the ML-SCEM, a novel multi-layer structure consisting of 5 continuous layers is designed, each layer of which is equivalent to a binary classification. In each layer, an error-correcting based selective classifier ensemble method(SCEM) is used to select the main classifier and error-correcting components from M pre-selected base classifiers to generate an ensemble classifier suitable for this layer classification category. Furthermore to improve time efficiency and detection performance, the original dataset is divided into 3 parts of TCP, UDP and ICMP according to the network protocol, so that the three parts are collaboratively detected. The performance of the proposed ML-SCEM is evaluated and compared on the NSL-KDD dataset. It achieves accuracy of 97.07%, false positive rate of 1.58% and efficiently detects various types of attacks.

Lu Lv,Wenhai Wang,Zeyin Zhang,Xinggao Liu

DOI: https://doi.org/10.1016/j.knosys.2020.105648

IF: 8.139

2020-01-01

Knowledge-Based Systems

Abstract:Intrusion detection is a challenging technology in the area of cyberspace security for protecting a system from malicious attacks. A novel accurate and effective misuse intrusion detection system that relies on specific attack signatures to distinguish between normal and malicious activities is therefore presented to detect various attacks based on an extreme learning machine with a hybrid kernel function (HKELM). First, the derivation and proof of the proposed hybrid kernel are given. A combination of the gravitational search algorithm (GSA) and differential evolution (DE) algorithm is employed to optimize the parameters of HKELM, which improves its global and local optimization abilities during prediction attacks. In addition, the kernel principal component analysis (KPCA) algorithm is introduced for dimensionality reduction and feature extraction of the intrusion detection data. Then, a novel intrusion detection approach, KPCA-DEGSA-HKELM, is obtained. The proposed approach is eventually applied to the classic benchmark KDD99 dataset, the real modern UNSW-NB15 dataset and the industrial intrusion detection dataset from the Tennessee Eastman process. The numerical results validate both the high accuracy and the time-saving benefit of the proposed approach.

Maryam Yousefnezhad,Javad Hamidzadeh,Mohammad Aliannejadi

DOI: https://doi.org/10.1007/s00500-021-06067-8

IF: 3.732

2021-08-10

Soft Computing

Abstract:An intrusion detection system is a security system that aims to detect sabotage and intrusions on networks to inform experts of the attack and abuse of the network. Different classification methods have been used in the intrusion detection systems such as fuzzy, genetic algorithms, decision trees, artificial neural networks, and support vector machines. Moreover, ensemble classifiers have shown more robust and effective performance for various tasks in the field. In this paper, we adopt ensemble models in order to improve the performance of intrusion detection and, at the same time, decrease the false alarm rate. We use kNN for multi-class classification, as well as SVM to approach the classification problem in normal-based detection. In order to combine multiple outputs, we use the Dempster–Shafer method in which there is the possibility of explicit retrieval of uncertainty. Moreover, we utilize deep learning for extracting features to train the samples, selected by the sample selection algorithm based on ensemble margin. We compare our results with state-of-the-art methods on benchmarking datasets such as UNSW-NB15, CICIDS2017, and NSL-KDD. Our proposed method indicates the superiority in terms of prominent metrics Accuracy, Precision, Recall, and F-measure.

computer science, artificial intelligence, interdisciplinary applications

Perumal Pitchandi,M. Nivaashini,R. Kingsy Grace

DOI: https://doi.org/10.1080/03772063.2024.2367042

IF: 1.8768

2024-06-25

IETE Journal of Research

Abstract:Machine learning (ML) and deep learning (DL) are used in numerous fields, particularly to develop effective intrusion detection systems (IDS). Existing wireless network IDS, which rely on a single ML algorithm and have limitations. These include a high rate of false positives, difficulties in recognizing distinct attack patterns, and a high acquisition cost for annotated training datasets. However, hostile threats are always evolving, networks need a smart security solution. In comparison to other ML approaches, DL algorithms are more successful in intrusion detection. This paper presents a DL based ensemble model that combines Multi-verse through Chaotic Atom Search Optimization (MCA) for preprocessing, which eliminates unsolicited/recurrent information in the dataset. The process of optimized feature selection uses Principal Component Analysis (PCA), Chaotic Manta-ray Foraging Optimizations (CMFO), and a grounded grouping method to partition the optimized feature dataset into k-diverse clusters. The recommended model then stacks Support Vector Machine (SVM) as the ensemble model's meta-learner classifier, pre-training the hybrid DL prototypes using the optimized feature dataset cluster. The CNN-LSTM and CNN-GRU models, which integrate Convolutional Neural Networks (CNN), Long Short-Term Memory (LSTM), and Gated Recurrent Unit (GRU), are the hybrid DL prototype's key components. The suggested model's performance has been enhanced and compared to six ML techniques: NB, SVM, J48, RF, MLP, and kNN models, utilizing measures such as accuracy, precision, recall, and F-measure. The public can access the Aegean Wi-Fi Intrusion Dataset (AWID) which is used for evaluating the recommended model and is outperformed the contemporary models in the literature.

telecommunications,engineering, electrical & electronic

Arindam Sarkar,Hanjabam Saratchandra Sharma,Moirangthem Marjit Singh

DOI: https://doi.org/10.1007/s41870-022-01115-4

2022-10-10

International Journal of Information Technology

Abstract:An efficient machine learning (ML) ensemble technique for categorizing Intrusion Detection (ID) is proposed in this study. The tuning of the ML model’s parameters is a critical topic since it can improve detection quality. Another area where quality might be enhanced is pre-processing. Corrections to the training dataset can help with class identification, especially for unusual attacks like R2L (Root to Local attacks), U2R (User to Root attack). When compared to existing methodologies, the proposed methodology has a number of advantages, such as (1) it proposes two methods for classifying intrusions on the two most widely used datasets using ML models. (2) The KDD Cup99 and NSL-KDD datasets are rebalanced through data augmentation. (3) Provides a 3 steps approach for improving detection of intrusion utilizing Multi Layer Perceptron (MLP) in a cascaded structure. (4) To classify each class using a specialized one, a cascaded meta-specialized classifier architecture has been developed. (5) All meta-specialists assess the dataset’s non-flagged connections. With a classification accuracy of 89.32% and an FPR of 1.95%, this approach has been shown to considerably increase detection quality. (6) Finally, to enhance detection capability, the best algorithms’ predictions are integrated by increasing their weights. On the NSL-KDD dataset, this approach has a high accuracy of 87.63% and a low FPR of 1.68%.

Jinming Wang,Tao Yang,Bingjing Yan,Pengchao Yao,Wenhai Wang,Qiang Yang

DOI: https://doi.org/10.1109/EI256261.2022.10117041

2022-01-01

Abstract:With the development and advances of information and networking technologies in Cyber-physical Power systems (CPPS), the frequency of information exchange between CPPS and the external networks is significantly increasing, leading to an ever-growing risk of cyberspace threats and attacks, e.g., malware injection to the CPPS. The existing detectors against malware are mainly based on static analysis, which deals well with known malware, but cannot cope with unknown or obfuscated malware. To this end, this paper proposed a novel multi-classifier ensemble system (MCES) for malware detection based on behavioral analysis. The developed detection model of MCES is a hierarchical learning model with kernel components consisting of base classifiers and one meta classifier. The proposed solution is assessed through experiments based on in total 14800 malware and 14800 benign samples. The numerical results demonstrated that MCES outperformed existing machine learning-based classifiers in identifying malware through application program interface (API) call sequences. The proposed model achieved the highest accuracy of 97.54%, and the highest recall of 97.85% in comparison with the state-of-the-art deep learning based malware detectors.

Li Yang,Abdallah Shami,Gary Stevens,Stephen De Rusett

DOI: https://doi.org/10.48550/arXiv.2208.03399

2022-09-01

Abstract:Modern vehicles, including autonomous vehicles and connected vehicles, have adopted an increasing variety of functionalities through connections and communications with other vehicles, smart devices, and infrastructures. However, the growing connectivity of the Internet of Vehicles (IoV) also increases the vulnerabilities to network attacks. To protect IoV systems against cyber threats, Intrusion Detection Systems (IDSs) that can identify malicious cyber-attacks have been developed using Machine Learning (ML) approaches. To accurately detect various types of attacks in IoV networks, we propose a novel ensemble IDS framework named Leader Class and Confidence Decision Ensemble (LCCDE). It is constructed by determining the best-performing ML model among three advanced ML algorithms (XGBoost, LightGBM, and CatBoost) for every class or type of attack. The class leader models with their prediction confidence values are then utilized to make accurate decisions regarding the detection of various types of cyber-attacks. Experiments on two public IoV security datasets (Car-Hacking and CICIDS2017 datasets) demonstrate the effectiveness of the proposed LCCDE for intrusion detection on both intra-vehicle and external networks.

Cryptography and Security,Artificial Intelligence,Machine Learning,Networking and Internet Architecture

G Kou,Y Peng,N Yan,Y Shi,ZX Chen,QM Zhu,J Huff,S McCartney

2004-01-01

Abstract:The early and reliable detection and deterrence of malicious attacks, both from external and internal sources is a crucial issue for today's e-business. There are various approaches available for intrusion detection; however, every method has its strengths and weaknesses. As a novel and promising data mining approach, multiple criteria linear programming (MCLP) has been successfully applied to credit card portfolio management for classifying two or multiple groups. The goal of this research is to determine the applicability of the MCLP algorithm to the intrusion detection problem. The demonstration of successful MCLP application in intrusion detection can add another option to network security toolbox. There are two objectives of this paper: first, apply MCLP to network intrusion detection system to identifying attacks; second, employ ensemble method to improve detection results. An overview of the two-group MCLP model formulation, the network intrusion, and the dataset used (KDD-99) in this paper are introduced first. Then MCLP is employed to KDD-99 and results are cross-validated. After that, the ensemble method is tested. As the results indicate, the ensemble method is better than cross-validated MCLP though the magnitude of the increase seems slight due the nature of the dataset.

Tao Ma,Fen Wang,Jianjun Cheng,Yang Yu,Xiaoyun Chen

DOI: https://doi.org/10.3390/s16101701

IF: 3.9

2016-10-13

Sensors

Abstract:The development of intrusion detection systems (IDS) that are adapted to allow routers and network defence systems to detect malicious network traffic disguised as network protocols or normal access is a critical challenge. This paper proposes a novel approach called SCDNN, which combines spectral clustering (SC) and deep neural network (DNN) algorithms. First, the dataset is divided into k subsets based on sample similarity using cluster centres, as in SC. Next, the distance between data points in a testing set and the training set is measured based on similarity features and is fed into the deep neural network algorithm for intrusion detection. Six KDD-Cup99 and NSL-KDD datasets and a sensor network dataset were employed to test the performance of the model. These experimental results indicate that the SCDNN classifier not only performs better than backpropagation neural network (BPNN), support vector machine (SVM), random forest (RF) and Bayes tree models in detection accuracy and the types of abnormal attacks found. It also provides an effective tool of study and analysis of intrusion detection in large networks.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Jinghong Lan,Xudong Liu,Bo Li,Jie Sun,Beibei Li,Jun Zhao

DOI: https://doi.org/10.1016/j.cose.2022.102919

2022-09-14

Abstract:With the continuous occurrence of cybersecurity incidents, network intrusion detection has become one of the most critical issues in cyber ecosystems. Although previous machine learning-based approaches have made significant progress, their generalization ability is limited due to the following critical challenges. First, intrusion detection is severely affected by the class imbalance problem in many network scenarios, with some attack types representing only a very small subset of the entire training set. Second, cyberattacks are becoming increasingly sophisticated, and hence, it is becoming more challenging for existing methods to extract robust representations. Third, most existing methods generally leverage only a particular aspect of the network traffic features and treat model training as a single-task learning problem, thus ignoring the discriminative ability of different feature types and the performance enhancement of integrating multiple machine learning tasks. In this paper, we propose a Multi-task lEarning Model with hyBrid dEep featuRes (MEMBER) to address the aforementioned challenges. Based on a Convolutional Neural Network (CNN) with embedded spatial and channel attention mechanisms, MEMBER innovatively introduces two auxiliary tasks (i.e., an auto-encoder (AE) enhanced with a memory module and a distance-based prototype network) to boost the model generalization ability and alleviate the performance degradation suffered in imbalanced network environments. Extensive experiments on several benchmark datasets demonstrate the superiority and robustness of our proposed MEMBER in terms of both F1 score and stability.

computer science, information systems

Ewa Rak,Jaromir Sarzyński,Rafał Rak

DOI: https://doi.org/10.1016/j.fss.2024.109015

IF: 4.462

2024-05-22

Fuzzy Sets and Systems

Abstract:With the growing complexity and frequency of cyber threats, there is a pressing need for more effective defense mechanisms. Machine learning offers the potential to analyze vast amounts of data and identify patterns indicative of malicious activity, enabling faster and more accurate threat detection. Ensemble methods, by incorporating diverse models with varying vulnerabilities, can increase resilience against adversarial attacks. This study covers the usage and evaluation of the relevance of an innovative approach of ensemble classification for identifying intrusion threats on a large CICIDS2017 dataset. The approach is based on the distributivity equation that appropriately aggregates the underlying classifiers. It combines various standard supervised classification algorithms, including Multilayer Perceptron Network, k-Nearest Neighbors, and Naive Bayes, to create an ensemble. Experiments were conducted to evaluate the effectiveness of the proposed hybrid ensemble method. The performance of the ensemble approach was compared with individual classifiers using measures such as accuracy, precision, recall, F -score, and area under the ROC curve. Additionally, comparisons were made with widely used state-of-the-art ensemble models, including the soft voting method (Weighted Average Probabilities), Adaptive Boosting (AdaBoost), and Histogram-based Gradient Boosting Classification Tree (HGBC) and with existing methods in the literature using the same dataset, such as Deep Belief Networks (DBN), Deep Feature Learning via Graph (Deep GFL). Based on these experiments, it was found that some ensemble methods, such as AdaBoost and Histogram-based Gradient Classification Tree, do not perform reliably for the specific task of identifying network attacks. This highlights the importance of understanding the context and requirements of the data and problem domain. The results indicate that the proposed hybrid ensemble method outperforms traditional algorithms in terms of classification precision and accuracy, and offers insights for improving the effectiveness of intrusion detection systems.

mathematics, applied,statistics & probability,computer science, theory & methods

Anbang Wang,Xinyu Gong,Jialiang Lu

DOI: https://doi.org/10.1109/smartcloud.2019.00028

2019-01-01

Abstract:With the development of network technology and the updating of intelligent networking devices, the variety of cyber attacks and the number of users being attacked are increasing. Intrusion Detection Systems (IDS) are commonly used in the field of network security to detect anomalous activity and behavior. Many previous works have achieved high detection accuracy on standard testing data sets by implementing mature Machine Learning (ML) algorithms. Inspired by the network ontology researches,, we propose two Long Short-Term Memory (LSTM) based IDSs with deep feature extraction: multi-class feature extraction IDS and dual-class feature extraction IDS. Through our experiments on the CICIDS2017 data set, we have found that multi-class feature extraction IDS can better identify the types of cyber attacks while the dual-class feature extraction IDS can better recall new attacks. We conclude that when the structure and characteristics of the classifier are limited, a reasonable selection of the feature extraction space can help improve the characteristics of the classifier and better achieve the downstream tasks in the security field.

Jian Luo,Yiying Zhang,Yannian Wu,Yao Xu,Xiaoyan Guo,Boxiang Shang

DOI: https://doi.org/10.3390/electronics12040949

IF: 2.9

2023-02-16

Electronics

Abstract:Network intrusion data are characterized by high feature dimensionality, extreme category imbalance, and complex nonlinear relationships between features and categories. The actual detection accuracy of existing supervised intrusion-detection models performs poorly. To address this problem, this paper proposes a multi-channel contrastive learning network-based intrusion-detection method (MCLDM), which combines feature learning in the multi-channel supervised contrastive learning stage and feature extraction in the multi-channel unsupervised contrastive learning stage to train an effective intrusion-detection model. The objective is to research whether feature enrichment and the use of contrastive learning for specific classes of network intrusion data can improve the accuracy of the model. The model is based on an autoencoder to achieve feature reconstruction with supervised contrastive learning and for implementing multi-channel data reconstruction. In the next stage of unsupervised contrastive learning, the extraction of features is implemented using triplet convolutional neural networks (TCNN) to achieve the classification of intrusion data. Through experimental analysis, the multichannel contrastive learning network-based intrusion-detection method achieves 98.43% accuracy in dataset CICIDS17 and 93.94% accuracy in dataset KDDCUP99.

engineering, electrical & electronic,computer science, information systems,physics, applied

Zhi Wang,Leshi Shao,Kai Cheng,Yuanzhao Liu,Jianan Jiang,Yuanping Nie,Xiang Li,Xiaohui Kuang

DOI: https://doi.org/10.1002/int.22877

IF: 8.993

2022-03-27

International Journal of Intelligent Systems

Abstract:Many machine‐learning‐based intrusion detection methods have been proposed, however there is a lack of collaboration among these methods. Faced with a cascade of malicious behaviors and various running environments, coupled with the endless emergence of new malicious activities, it is difficult for us to choose an algorithm manually that is suitable for all scenarios. In addition, usually the binary detection models are applied that only “normal” or “abnormal” decision is made, and it is difficult for us to know how much confidence we have in the prediction model. In this study, we propose an intrusion collaborative detection framework (ICDF), an ICDF that allows heterogeneous detection models to effectively work together which have complementary expertise. A multialgorithm model ensemble learning method with confidence interval is adopted. In this process, each algorithm model only makes prediction judgments on its own credible probability interval and refuses to predict outside the interval. The final result is generated by voting based on the confidence of multiple models. Ten detection algorithms were tested on three different data sets. Compared with different single algorithms, ICDF could achieve high precision and recall rate, and the best F1 scores.

computer science, artificial intelligence

Ismail Bibers,Osvaldo Arreche,Mustafa Abdallah

2024-10-21

Abstract:The escalating frequency of intrusions in networked systems has spurred the exploration of new research avenues in devising artificial intelligence (AI) techniques for intrusion detection systems (IDS). Various AI techniques have been used to automate network intrusion detection tasks, yet each model possesses distinct strengths and weaknesses. Selecting the optimal model for a given dataset can pose a challenge, necessitating the exploration of ensemble methods to enhance generalization and applicability in network intrusion detection. This paper addresses this gap by conducting a comprehensive evaluation of diverse individual models and both simple and advanced ensemble methods for network IDS. We introduce an ensemble learning framework tailored for assessing individual models and ensemble methods in network intrusion detection tasks. Our framework encompasses the loading of input datasets, training of individual models and ensemble methods, and the generation of evaluation metrics. Furthermore, we incorporate all features across individual models and ensemble techniques. The study presents results for our framework, encompassing 14 methods, including various bagging, stacking, blending, and boosting techniques applied to multiple base learners such as decision trees, neural networks, and among others. We evaluate the framework using two distinct network intrusion datasets, RoEduNet-SIMARGL2021 and CICIDS-2017, each possessing unique characteristics. Additionally, we categorize AI models based on their performances on our evaluation metrics and via their confusion matrices. Our assessment demonstrates the efficacy of learning across most setups explored in this study. Furthermore, we contribute to the community by releasing our source codes, providing a foundational ensemble learning framework for network intrusion detection.

Cryptography and Security,Artificial Intelligence,Machine Learning

Adel Binbusayyis,Thavavel Vaiyapuri

DOI: https://doi.org/10.1007/s10489-021-02205-9

IF: 5.3

2021-02-24

Applied Intelligence

Abstract:With the rapid advancement in network technologies, the need for cybersecurity has gained increasing momentum in recent years. As a primary defense mechanism, an intrusion detection system (IDS) is expected to adapt and secure the computing infrastructures from the ever-changing sophisticated threat landscape. Many deep learning approaches have recently been proposed; however, these techniques face significant challenges in identifying all types of attacks, especially rare attacks due to network traffic imbalances and the lack of a sufficient number of abnormal traffic samples for model training. To overcome these shortcomings and improve detection performance, this paper presents an unsupervised deep learning approach for intrusion detection. Unlike the existing IDS model that extracts features and trains a classifier in two separate stages, a single-stage IDS approach that integrates a one-dimensional convolutional autoencoder (1D CAE) and a one-class support vector machine (OCSVM) as a classifier into a joint optimization framework is introduced in this paper for the first time. Using only the normal traffic samples, the approach simultaneously optimizes the 1D CAE for compact feature representation and the OCSVM for classification by defining a unified objective function combining reconstruction error with classification error. Thus, the generated compact feature representation has not only reconstruction ability but also discriminative ability for classification. An in-depth ablation analysis validates the design decisions and provides further insight of the proposed approach. An extensive set of experiments on two benchmark intrusion datasets, NSL-KDD and UNSW-NB15, demonstrates the generalization ability of the proposed model for unseen attacks and confirms it as a competitive approach over the recent state-of-the-art intrusion detection baselines. Overall, the obtained results emphasize that the proposed approach has potential to serve as a baseline for building an effective IDS.

computer science, artificial intelligence

Zong-Zhi Lin,Thomas D. Pike,Mark M. Bailey,Nathaniel D. Bastian

DOI: https://doi.org/10.1109/TSMC.2024.3446635

2024-09-06

Abstract:Network intrusion detection systems (NIDS) to detect malicious attacks continue to meet challenges. NIDS are often developed offline while they face auto-generated port scan infiltration attempts, resulting in a significant time lag from adversarial adaption to NIDS response. To address these challenges, we use hypergraphs focused on internet protocol addresses and destination ports to capture evolving patterns of port scan attacks. The derived set of hypergraph-based metrics are then used to train an ensemble machine learning (ML) based NIDS that allows for real-time adaption in monitoring and detecting port scanning activities, other types of attacks, and adversarial intrusions at high accuracy, precision and recall performances. This ML adapting NIDS was developed through the combination of (1) intrusion examples, (2) NIDS update rules, (3) attack threshold choices to trigger NIDS retraining requests, and (4) a production environment with no prior knowledge of the nature of network traffic. 40 scenarios were auto-generated to evaluate the ML ensemble NIDS comprising three tree-based models. The resulting ML Ensemble NIDS was extended and evaluated with the CIC-IDS2017 dataset. Results show that under the model settings of an Update-ALL-NIDS rule (specifically retrain and update all the three models upon the same NIDS retraining request) the proposed ML ensemble NIDS evolved intelligently and produced the best results with nearly 100% detection performance throughout the simulation.

Cryptography and Security,Artificial Intelligence,Systems and Control,Methodology,Machine Learning

Nana Kankam Gyimah,Judith Mwakalonge,Gurcan Comert,Saidi Siuhi,Robert Akinie,Methusela Sulle,Denis Ruganuza,Benibo Izison,Arthur Mukwaya

2024-11-25

Abstract:In this paper, we present an automated machine learning (AutoML) approach for network intrusion detection, leveraging a stacked ensemble model developed using the MLJAR AutoML framework. Our methodology combines multiple machine learning algorithms, including LightGBM, CatBoost, and XGBoost, to enhance detection accuracy and robustness. By automating model selection, feature engineering, and hyperparameter tuning, our approach reduces the manual overhead typically associated with traditional machine learning methods. Extensive experimentation on the NSL-KDD dataset demonstrates that the stacked ensemble model outperforms individual models, achieving high accuracy and minimizing false positives. Our findings underscore the benefits of using AutoML for network intrusion detection, as the AutoML-driven stacked ensemble achieved the highest performance with 90\% accuracy and an 89\% F1 score, outperforming individual models like Random Forest (78\% accuracy, 78\% F1 score), XGBoost and CatBoost (both 80\% accuracy, 80\% F1 score), and LightGBM (78\% accuracy, 78\% F1 score), providing a more adaptable and efficient solution for network security applications.

Machine Learning