Haifeng Lv,Xiaoyu Ji,Yong Ding

DOI: https://doi.org/10.1088/1742-6596/2517/1/012016

2023-01-01

Journal of Physics Conference Series

Abstract:The intrusion detection system (IDS) plays an important part because it offers an efficient way to prevent and mitigate cyber attacks. Numerous deep learning methods for intrusion anomaly detection have been developed as a result of recent advances in artificial intelligence (AI) in order to strengthen internet security. The balance among the high detection rate (DR), the low false alarm rate (FAR) and disaster of dimensionality is the crucial apprehension while devising an effective IDS. For the binary classification of intrusion detection systems, we present in this study a mixed model called K-means-XGBoost consisting of K-means and (Extreme Gradient Boosting, XGBoost) algorithms. The distributed computation of our method is achieved in Spark platform to rapidly separate normal events and anomaly events. In phrases of accuracy, DR, F1-score, recall, precision, and error indices FAR, the proposed model’s performance is measured via the well-known dataset of NSL-KDD. The experimental outcomes indicate that our method is outstandingly better among accuracy, DR, F1-score, training time, and processing speed, compared to other models which are recently created. In particular, the accuracy, F1-score, and DR of the proposed model can achieve as high as 93.28%, 94.39%, and 99.22% in the NSL-KDD dataset, respectively.

Minh Hieu Nguyen,Viet Hung Nguyen,Huu Phong Pham,Ngoc Anh Tran

DOI: https://doi.org/10.1145/3628797.3628943

2023-12-07

Abstract:System logs play a vital role in upholding information security by capturing events to address potential risks. Numerous research initiatives have harnessed log data to create machine learning models geared towards spotting unusual activities within systems. In this pragmatic study, we introduce an innovative approach to detecting anomalies in log data, employing a three-step process encompassing preprocessing, advanced natural language processing (NLP) utilizing BERT, and a custom 1D-CNN classification model. During the preprocessing phase, we tokenize the data and eliminate non-essential elements, while BERT enriches log message representations. Our Sliding Window and Overlapping Mechanism ensures consistent input dimensions. The 1D-CNN model extracts temporal features for robust anomaly detection. Empirical findings on HFDS, BGL, Spirit, and Thunderbird datasets illustrate that our method outperforms prior approaches in identifying network attacks.

Computer Science

Dongxue Zhang,Yang Zheng,Yu Wen,Yujue Xu,Jingchuo Wang,Yang Yu,Dan Meng

DOI: https://doi.org/10.1145/3267494.3267495

2018-01-01

Abstract:Insider threats have shown their great destructive power in information security and financial stability and have received widespread attention from governments and organizations. Traditional intrusion detection systems fail to be effective in insider attacks due to the lack of extensive knowledge for insider behavior patterns. Instead, a more sophisticated method is required to have a deeper understanding for activities that insiders communicate with the information system. In this paper, we design a classifier, a neural network model utilizing Long Short Term Memory (LSTM) to model user log as a natural language sequence and achieve role-based classification. LSTM Model can learn behavior patterns of different users by automatically extracting feature and detect anomalies when log patterns deviate from the trained model. To illustrate the effective of classification model, we design two experiments based on cmu dataset. Experimental evaluations have shown that our model can successfully distinguish different behavior pattern and detect malicious behavior.

Congyuan Xu,Jizhong Shen,Xin Du,Fan Zhang

DOI: https://doi.org/10.1109/access.2018.2867564

IF: 3.9

2018-01-01

IEEE Access

Abstract:To improve the performance of network intrusion detection systems (IDS), we applied deep learning theory to intrusion detection and developed a deep network model with automatic feature extraction. In this paper, we consider the characteristics of the time-related intrusion and propose a novel IDS that consists of a recurrent neural network with gated recurrent units (GRU), multilayer perceptron (MLP), and softmax module. Experiments on the well-known KDD 99 and NSL-KDD data sets show that the system has leading performance. The overall detection rate was 99.42% using KDD 99 and 99.31% using NSL-KDD with false positive rates as low as 0.05% and 0.84%, respectively. In particular, for detecting the denial of service attacks, the system achieved detection rates of 99.98% and 99.55%, respectively. Comparative experiments showed that the GRU is more suitable as a memory unit for IDS than LSTM, and proved that it is an effective simplification and improvement of LSTM. Moreover, the bidirectional GRU can reach the best performance compared with the recently published methods.

Yung-Chung Wang,Yi-Chun Houng,Han-Xuan Chen,Shu-Ming Tseng

DOI: https://doi.org/10.3390/s23042171

IF: 3.9

2023-02-16

Sensors

Abstract:The prevalence of internet usage leads to diverse internet traffic, which may contain information about various types of internet attacks. In recent years, many researchers have applied deep learning technology to intrusion detection systems and obtained fairly strong recognition results. However, most experiments have used old datasets, so they could not reflect the latest attack information. In this paper, a current state of the CSE-CIC-IDS2018 dataset and standard evaluation metrics has been employed to evaluate the proposed mechanism. After preprocessing the dataset, six models—deep neural network (DNN), convolutional neural network (CNN), recurrent neural network (RNN), long short-term memory (LSTM), CNN + RNN and CNN + LSTM—were constructed to judge whether network traffic comprised a malicious attack. In addition, multi-classification experiments were conducted to sort traffic into benign traffic and six categories of malicious attacks: BruteForce, Denial-of-service (DoS), Web Attacks, Infiltration, Botnet, and Distributed denial-of-service (DDoS). Each model showed a high accuracy in various experiments, and their multi-class classification accuracy were above 98%. Compared with the intrusion detection system (IDS) of other papers, the proposed model effectively improves the detection performance. Moreover, the inference time for the combinations of CNN + RNN and CNN + LSTM is longer than that of the individual DNN, RNN and CNN. Therefore, the DNN, RNN and CNN are better than CNN + RNN and CNN + LSTM for considering the implementation of the algorithm in the IDS device.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Jia Zhanpei,Shen Chao,Yi Xiao,Chen Yufei,Yu Tianwen,Guan Xiaohong

DOI: https://doi.org/10.1109/coase.2017.8256257

2017-01-01

CASE

Abstract:Log data are important audit basis to record routine events occurring on computer or network system, which are also critical data source for detecting system anomalies. By analyzing the data from multi-source logs, it is helpful to detect abnormal system behaviors and discover intruder attacks in real time. In this paper, a Spark-based log data security platform is designed and built to analyze the large-scale log data and detect abnormal network behaviors. By integrating data mining, machine learning, and statistical analysis technologies, our proposed framework can quickly analyze large-scale multi-source log data and accurately discriminate the abnormal behaviors. Furthermore, the association analysis is applied to detect abnormal behaviors or potential threats in the system. Under a real-world network environment, extensive experiments are conducted to evaluate the system performance, which can achieve a fast and accurate detection for abnormal network behaviors, and significantly improve the accuracies under various types of network attack scenarios.

Jung-Chun Liu,Chao-Tung Yang,Yu-Wei Chan,Endah Kristiani,Wei-Je Jiang

DOI: https://doi.org/10.1007/s11227-021-03715-6

IF: 3.3

2021-03-16

The Journal of Supercomputing

Abstract:Network log data is significant for network administrators, since it contains information on every event that occurs in a network, including system errors, alerts, and packets sending statuses. Effectively analyzing large volumes of diverse log data brings opportunities to identify issues before they become problems and to prevent future cyberattacks; however, processing of the diverse NetFlow data poses challenges such as volume, velocity, and veracity of log data. In this study, by means of Elasticsearch, Logstash, and Kibana, i.e., the ELK Stack, we construct an analysis and management system for network log data, which provides functions to filter, analyze, and display network log data for further applications and creates data visualization on a Web browser. In addition, an advanced cyberattack detection model is facilitated using deep neural network (DNN), recurrent neural networks (RNN), and long short-term memory (LSTM) approaches. By knowing cyberattack behaviors and cross-validating with the log analysis system, one can learn from this model the characteristics of a variety of cyberattacks. Finally, we also implement Grafana to perform metrics monitoring.

Khloud Al Jallad,Mohamad Aljnidi,Mohammad Said Desouki

DOI: https://doi.org/10.48550/arXiv.2209.13961

2022-09-28

Cryptography and Security

Abstract:With the growing use of information technology in all life domains, hacking has become more negatively effective than ever before. Also with developing technologies, attacks numbers are growing exponentially every few months and become more sophisticated so that traditional IDS becomes inefficient detecting them. This paper proposes a solution to detect not only new threats with higher detection rate and lower false positive than already used IDS, but also it could detect collective and contextual security attacks. We achieve those results by using Networking Chatbot, a deep recurrent neural network: Long Short Term Memory (LSTM) on top of Apache Spark Framework that has an input of flow traffic and traffic aggregation and the output is a language of two words, normal or abnormal. We propose merging the concepts of language processing, contextual analysis, distributed deep learning, big data, anomaly detection of flow analysis. We propose a model that describes the network abstract normal behavior from a sequence of millions of packets within their context and analyzes them in near real-time to detect point, collective and contextual anomalies. Experiments are done on MAWI dataset, and it shows better detection rate not only than signature IDS, but also better than traditional anomaly IDS. The experiment shows lower false positive, higher detection rate and better point anomalies detection. As for prove of contextual and collective anomalies detection, we discuss our claim and the reason behind our hypothesis. But the experiment is done on random small subsets of the dataset because of hardware limitations, so we share experiment and our future vision thoughts as we wish that full prove will be done in future by other interested researchers who have better hardware infrastructure than ours.

Shuzhan Wang,Ruxue Jiang,Zhaoqi Wang,Yan Zhou

2024-09-14

Abstract:Computer network anomaly detection and log analysis, as an important topic in the field of network security, has been a key task to ensure network security and system reliability. First, existing network anomaly detection and log analysis methods are often challenged by high-dimensional data and complex network topologies, resulting in unstable performance and high false-positive rates. In addition, traditional methods are usually difficult to handle time-series data, which is crucial for anomaly detection and log analysis. Therefore, we need a more efficient and accurate method to cope with these problems. To compensate for the shortcomings of current methods, we propose an innovative fusion model that integrates Isolation Forest, GAN (Generative Adversarial Network), and Transformer with each other, and each of them plays a unique role. Isolation Forest is used to quickly identify anomalous data points, and GAN is used to generate synthetic data with the real data distribution characteristics to augment the training dataset, while the Transformer is used for modeling and context extraction on time series data. The synergy of these three components makes our model more accurate and robust in anomaly detection and log analysis tasks. We validate the effectiveness of this fusion model in an extensive experimental evaluation. Experimental results show that our model significantly improves the accuracy of anomaly detection while reducing the false alarm rate, which helps to detect potential network problems in advance. The model also performs well in the log analysis task and is able to quickly identify anomalous behaviors, which helps to improve the stability of the system. The significance of this study is that it introduces advanced deep learning techniques, which work anomaly detection and log analysis.

Machine Learning,Cryptography and Security

Kexiong Fei,Jiang Zhou,Lin Su,Weiping Wang,Yong Chen

DOI: https://doi.org/10.3233/jcs-230092

2024-04-24

Journal of Computer Security

Abstract:With the advancement of network security equipment, insider threats gradually replace external threats and become a critical contributing factor for cluster security threats. When detecting and combating insider threats, existing methods often concentrate on users’ behavior and analyze logs recording their operations in an information system. Traditional sequence-based method considers temporal relationships for user actions, but cannot represent complex logical relationships well between various entities and different behaviors. Current machine learning-based approaches, such as graph-based methods, can establish connections among log entries but have limitations in terms of complexity and identifying malicious behavior of user’s inherent intention. In this paper, we propose Log2Graph, a novel insider threat detection method based on graph convolution neural network. To achieve efficient anomaly detection, Log2Graph first retrieves logs and corresponding features from log files through feature extraction. Specifically, we use an auxiliary feature of anomaly index to describe the relationship between entities, such as users and hosts, instead of establishing complex connections between them. Second, these logs and features are augmented through a combination of oversampling and downsampling, to prepare for the next-stage supervised learning process. Third, we use three elaborated rules to construct the graph of each user by connecting the logs according to chronological and logical relationships. At last, the dedicated built graph convolution neural network is used to detect insider threats. Our validation and extensive evaluation results confirm that Log2Graph can greatly improve the performance of insider threat detection compared to existing state-of-the-art methods.

Pengfei Han,Huakang Li,Gang Xue,Chao Zhang

DOI: https://doi.org/10.1111/coin.12573

2023-04-23

Computational Intelligence

Abstract:Anomaly detection is a key step in ensuring the security and reliability of large‐scale distributed systems. Analyzing system logs through artificial intelligence methods can quickly detect anomalies and thus help maintenance personnel to maintain system security. Most of the current works only focus on the temporal or spatial features of distributed system logs, and they cannot sufficiently extract the global features of distributed system logs to achieve a good correct rate of anomaly detection. To further address the shortcomings of existing methods, this paper proposes a deep learning model with global spatiotemporal features to detect the presence of anomalies in distributed system logs. First, we extract semi‐structured log events from log templates and model them as natural language. In addition, we focus on the temporal characteristics of logs using the bidirectional long short‐term memory network and the spatial invocation characteristics of logs using the Transformer. Extensive experimental evaluations show the advantages of our proposed model for distributed system log anomaly detection tasks. The optimal F1‐Score on three open‐source datasets and our own collected distributed system datasets reach 98.04%, 94.34%, 88.16%, and 97.40%, respectively.

computer science, artificial intelligence

Zhuangbin Chen,Jinyang Liu,Wenwei Gu,Yuxin Su,Michael R. Lyu

DOI: https://doi.org/10.48550/arXiv.2107.05908

2021-07-13

Software Engineering

Abstract:Logs have been an imperative resource to ensure the reliability and continuity of many software systems, especially large-scale distributed systems. They faithfully record runtime information to facilitate system troubleshooting and behavior understanding. Due to the large scale and complexity of modern software systems, the volume of logs has reached an unprecedented level. Consequently, for log-based anomaly detection, conventional manual inspection methods or even traditional machine learning-based methods become impractical, which serve as a catalyst for the rapid development of deep learning-based solutions. However, there is currently a lack of rigorous comparison among the representative log-based anomaly detectors that resort to neural networks. Moreover, the re-implementation process demands non-trivial efforts, and bias can be easily introduced. To better understand the characteristics of different anomaly detectors, in this paper, we provide a comprehensive review and evaluation of five popular neural networks used by six state-of-the-art methods. Particularly, four of the selected methods are unsupervised, and the remaining two are supervised. These methods are evaluated with two publicly available log datasets, which contain nearly 16 million log messages and 0.4 million anomaly instances in total. We believe our work can serve as a basis in this field and contribute to future academic research and industrial applications.

Zachary Tauscher,Yushan Jiang,Kai Zhang,Jian Wang,Houbing Song

DOI: https://doi.org/10.48550/arXiv.2108.08394

2021-08-19

Abstract:With massive data being generated daily and the ever-increasing interconnectivity of the world's Internet infrastructures, a machine learning based intrusion detection system (IDS) has become a vital component to protect our economic and national security. In this paper, we perform a comprehensive study on NSL-KDD, a network traffic dataset, by visualizing patterns and employing different learning-based models to detect cyber attacks. Unlike previous shallow learning and deep learning models that use the single learning model approach for intrusion detection, we adopt a hierarchy strategy, in which the intrusion and normal behavior are classified firstly, and then the specific types of attacks are classified. We demonstrate the advantage of the unsupervised representation learning model in binary intrusion detection tasks. Besides, we alleviate the data imbalance problem with SVM-SMOTE oversampling technique in 4-class classification and further demonstrate the effectiveness and the drawback of the oversampling mechanism with a deep neural network as a base model.

Cryptography and Security,Machine Learning

Qingyuan Gong,Yang Chen,Xinlei He,Zhou Zhuang,Tianyi Wang,Hong Huang,Xin Wang,Xiaoming Fu

DOI: https://doi.org/10.1109/mcom.2018.1700575

IF: 9.03

2018-11-01

IEEE Communications Magazine

Abstract:Our daily lives have been immersed in widespread location-based social networks (LBSNs). As an open platform, LBSNs typically allow all kinds of users to register accounts. Malicious attackers can easily join and post misleading information, often with the intention of influencing users' decisions in urban computing environments. To provide reliable information and improve the experience for legitimate users, we design and implement DeepScan, a malicious account detection system for LBSNs. Different from existing approaches, DeepScan leverages emerging deep learning technologies to learn users' dynamic behavior. In particular, we introduce the long short-term memory (LSTM) neural network to conduct time series analysis of user activities. DeepScan combines newly introduced time series features and a set of conventional features extracted from user activities, and exploits a supervised machine-learning-based model for detection. Using real traces collected from Dianping, a representative LBSN, we demonstrate that DeepScan can achieve excellent prediction performance with an F1-score of 0.964. We also find that the time series features play a critical role in the detection system.

telecommunications,engineering, electrical & electronic

Ming Zhong,Yajin Zhou,Gang Chen

DOI: https://doi.org/10.3390/s21041113

IF: 3.9

2021-01-01

Sensors

Abstract:IoT plays an important role in daily life; commands and data transfer rapidly between the servers and objects to provide services. However, cyber threats have become a critical factor, especially for IoT servers. There should be a vigorous way to protect the network infrastructures from various attacks. IDS (Intrusion Detection System) is the invisible guardian for IoT servers. Many machine learning methods have been applied in IDS. However, there is a need to improve the IDS system for both accuracy and performance. Deep learning is a promising technique that has been used in many areas, including pattern recognition, natural language processing, etc. The deep learning reveals more potential than traditional machine learning methods. In this paper, sequential model is the key point, and new methods are proposed by the features of the model. The model can collect features from the network layer via tcpdump packets and application layer via system routines. Text-CNN and GRU methods are chosen because the can treat sequential data as a language model. The advantage compared with the traditional methods is that they can extract more features from the data and the experiments show that the deep learning methods have higher F1-score. We conclude that the sequential model-based intrusion detection system using deep learning method can contribute to the security of the IoT servers.

Zhe Chen

DOI: https://doi.org/10.13052/jcsm2245-1439.1349

2024-06-14

Journal of Cyber Security and Mobility

Abstract:At present, the secure campus network strategy adopts technical means such as distinguishing applications and limiting them separately, but they have triggered other new problems, greatly affecting the unity of network resources and data. The relatively dispersed network architecture will inevitably limit the further development and expansion of the campus network. Therefore, when universities plan their networks, they must consider whether the network is safe, complete, smooth, and sustainable for smooth upgrading and development. In order to improve the effect of campus network security intrusion detection, this paper combines feature segmentation and deep learning technology to construct a campus network security intrusion detection model. To reduce the transmission time of query requirements in the grid, this paper improves the replica management mechanism and requires the information server to cache the Bloom Filter structure of nodes in its successor node list. Moreover, this paper uses the Compressed Bloom Filter algorithm to compress the Bloom Filter structure that needs to be transmitted, therefore reducing the network traffic generated during the update process of the Bloom Filter structure copy and avoiding network congestion. It also constructs a campus network security intrusion detection model based on feature segmentation and deep learning. Through experimental verification, the effectiveness of the system in intrusion detection, user evaluation, information processing, and other aspects is verified, and it has certain advantages compared to traditional algorithms. Through experimental research, it can be seen that the campus network security intrusion detection model based on feature segmentation and deep learning proposed in the paper can effectively improve the effect of campus network security monitoring. The method proposed in this article can not only be applied to campus network security, but also to the network security management of enterprises and other units, with certain scalability

Yinxing Li

DOI: https://doi.org/10.1088/1742-6596/1648/4/042071

2020-10-01

Journal of Physics: Conference Series

Abstract:Abstract With the continuous development of human civilization and the continuous progress of computer technology, computer network has been widely used in our life, which has brought great convenience to people’s production and life. As the computer network plays an increasingly important role in daily life, the security of computer network has been paid more and more attention. Therefore, this paper studies the modeling of computer network security analysis based on deep learning algorithm. Starting from the types, levels and main problems of security needs, this paper analyzes the threats faced by the system equipment, access rights, and the main connection relationship, and makes a visual description of the network threats from the perspective of the purpose of the attack is to enhance higher permissions. The security analysis and modeling work is applied to the security fault tree method of computer system and the attack method of network information system. Through research and analysis, starting from the current state of computer network security, this paper deeply studies the analysis and modeling of computer network security, and realizes the evaluation of current computer network security. The accuracy rate of the proposed method for intrusion detection reaches 91.6%.

Xiuzhang Yang,Guojun Peng,Dongni Zhang,Yangqi Lv

DOI: https://doi.org/10.1155/2022/4748528

IF: 1.968

2022-04-26

Security and Communication Networks

Abstract:Nowadays, the intrusion detection system (IDS) plays a crucial role in the Internet of Things (IoT) networks, which could effectively protect sensitive data from various attacks. However, the existing works have not considered multiview features fusion and failed to capture the semantic relationships among the anomalous requests. They are not robust and cannot detect the attack types in real-time. This paper proposes a lightweight intrusion detection system based on deep learning and knowledge graph. First, our system extracts semantic relationships and key features by knowledge graph and statistical analysis. Then, IoT network requests are converted into word vectors through multiview feature fusion and feature alignment. Finally, an attention-based CNN-BiLSTM model is designed to identify malicious request attacks, which can capture long-distance dependence and contextual semantic information. Experiment results show that the proposed model significantly outperforms the existing solution in the robustness of the model. Moreover, it can select more critical features for IDS to achieve better accuracy and lower the false alarm rate. Compared with the state-of-the-art systems, the proposed IDS achieves a higher detection accuracy of 90.01%. In addition, our system can detect various stealthy attack types (including DoS, Probe, R2L, and U2L) and extract semantic relationships among features.

computer science, information systems,telecommunications

Chao Liu,Zhaojun Gu,Jialiang Wang

DOI: https://doi.org/10.1109/access.2021.3082147

IF: 3.9

2021-01-01

IEEE Access

Abstract:Digital assets have come under various network security threats in the digital age. As a kind of security equipment to protect digital assets, intrusion detection system (IDS) is less efficient if the alert is not timely and IDS is useless if the accuracy cannot meet the requirements. Therefore, an intrusion detection model that combines machine learning with deep learning is proposed in this paper. The model uses the k-means and the random forest (RF) algorithms for the binary classification, and distributed computing of these algorithms is implemented on the Spark platform to quickly classify normal events and attack events. Then, by using the convolutional neural network (CNN), long short-term memory (LSTM), and other deep learning algorithms, the events judged as abnormal are further classified into different attack types finally. At this stage, adaptive synthetic sampling (ADASYN) is adopted to solve the unbalanced dataset. The NSL-KDD and CIS-IDS2017 datasets are used to evaluate the performance of the proposed model. The experimental results show that the proposed model has better TPR for most of attack events, faster data preprocessing speed, and potentially less training time. In particular, the accuracy of multi-target classification can reach as high as 85.24% in the NSL-KDD dataset and 99.91% in the CIC-IDS2017 dataset.

computer science, information systems,telecommunications,engineering, electrical & electronic

Muhammad Basit Umair,Zeshan Iqbal,Muhammad Ahmad Faraz,Muhammad Attique Khan,Yu-Dong Zhang,Navid Razmjooy,Sefedine Kadry

DOI: https://doi.org/10.1089/big.2021.0268

IF: 4.426

2022-06-16

Big Data

Abstract:An intrusion detection system (IDS) is designed to detect and analyze network traffic for suspicious activity. Several methods have been introduced in the literature for IDSs; however, due to a large amount of data, these models have failed to achieve high accuracy. A statistical approach is proposed in this research due to the unsatisfactory results of traditional intrusion detection methods. The features are extracted and selected using a multilayer convolutional neural network, and a softmax classifier is employed to classify the network intrusions. To perform further analysis, a multilayer deep neural network is also applied to classify network intrusions. Furthermore, the experiments are performed using two commonly used benchmark intrusion detection datasets: NSL-KDD and KDDCUP'99. The performance of the proposed model is evaluated using four performance metrics: accuracy, recall, F1-score, and precision. The experimental results show that the proposed approach achieved better accuracy (99%) compared with other IDSs.

computer science, theory & methods, interdisciplinary applications