Yanpei Hua

DOI: https://doi.org/10.1109/ictc49638.2020.9123302

2020-05-01

Abstract:Machine Learning (ML) techniques have been widely used in anomaly-based Intrusion Detection System (IDS) in the big data era. Although many advanced approaches are proposed recently, there are still several key limitations that should not be ignored. Firstly, data pre-processing methods have not gained sufficient attention, and they are vital to efficiency of model training especially with massive volume of collected samples. Secondly, in spite that deep learning is able to acquire more hidden interrelations from input data, it usually suffers from high complexity with numerous parameters tuned and much training time consumed. Thirdly, KDD99 data sets and their variants are leveraged by most of the literature for traffic classification, but they are proved to be outdated and inadequate for IDS evaluation. Therefore, to cope with these challenges, in this paper, we firstly propose a data pre-processing approach with under-sampling and embedded feature selection, in order to relieve the imbalance of traffic samples and extract dominant features of incoming flows. Then, we utilize LightGBM to build an traffic classification approach for IDS with better accuracy and efficiency. Finally, we evaluate our proposed approaches based on CIC-IDS2018, the data set issued in 2018 that contains comprehensive real network traffic. Extensive experiments are performed, and related results have confirmed the advantages of our proposed approaches over several other comparisons.

Muhammad Shafiq,Xiangzhan Yu,Ali Kashif Bashir,Hassan Nazeer Chaudhry,Dawei Wang

DOI: https://doi.org/10.1007/s11227-018-2263-3

IF: 3.3

2018-01-01

The Journal of Supercomputing

Abstract:Class imbalance has become a big problem that leads to inaccurate traffic classification. Accurate traffic classification of traffic flows helps us in security monitoring, IP management, intrusion detection, etc. To address the traffic classification problem, in literature, machine learning (ML) approaches are widely used. Therefore, in this paper, we also proposed an ML-based hybrid feature selection algorithm named WMI_AUC that make use of two metrics: weighted mutual information (WMI) metric and area under ROC curve (AUC). These metrics select effective features from a traffic flow. However, in order to select robust features from the selected features, we proposed robust features selection algorithm. The proposed approach increases the accuracy of ML classifiers and helps in detecting malicious traffic. We evaluate our work using 11 well-known ML classifiers on the different network environment traces datasets. Experimental results showed that our algorithms achieve more than 95% flow accuracy results.

Muhammad Imtiaz Shafiq,Xiangzhan Yu,A. Bashir,Hassan Nazeer Chaudhry,Dawei Wang

2020-01-01

Abstract:Class imbalance has become a big problem that leads to inaccurate traffic classification. Accurate traffic classification of traffic flows helps us in security monitoring, IP management, intrusion detection, etc. To address the traffic classification problem, in literature, machine learning (ML) approaches are widely used. Therefore, in this paper, we also proposed anML-based hybrid feature selection algorithm named WMI_AUC that make use of two metrics: weighted mutual information (WMI) metric and area under ROC curve (AUC). These metrics select effective features from a traffic flow. However, in order to select robust features from the selected features, we proposed robust features selection algorithm. The proposed approach increases the accuracy of ML classifiers and helps in detecting malicious traffic. We evaluate B Muhammad Shafiq muhammadshafiq@hit.edu.cn Xiangzhan Yu yuxiangzhan@hit.edu.cn Ali Kashif Bashir dr.alikashif.b@ieee.org Hassan Nazeer Chaudhry hassannazeer.chaudhary@polimi.it Dawei Wang stonetools@yeah.net 1 School of Computer Science and Technology, Harbin Institute of Technology, Harbin 150001, China 2 Faculty of Science and Technology, University of Faroe Islands, Faroe Islands, Denmark 3 Department of Electronics, Information and Bioengineering, Politecnico di Milano, Milan, Italy 4 National Computer Network Emergency Response Technical Team/Coordination Center, Beijing, China

Yu Wang,Shun-Zheng Yu

DOI: https://doi.org/10.1109/iita.2008.536

2008-01-01

Abstract:Network traffic classification plays an important role in various network activities. Due to the ineffectiveness of traditional port-based and payload-based methods, recent works proposed using machine learning methods to classify flows based on statistical characteristics. In this study, we evaluate the effectiveness of machine learning techniques on the real-time traffic classification problem. We identify the most suitable ML, classifier for network traffic classification by comparing various ML schemes, including both supervised and unsupervised methods. We also apply feature selection to identify significant features. Finally, we simulate real-time classification by using features derived from the first few packets of each flow. The results show that classifiers based on decision tree outperform others on both accuracy and performance; and that classifiers based on early flow properties can achieve high accuracy while reducing the computational complexity.

Shijun Huang,Kai Chen,Chao Liu,Alei Liang,Haibing Guan

DOI: https://doi.org/10.1109/icumt.2009.5345539

2009-01-01

Abstract:This Internet traffic classification using Machine Learning is an emerging research field since 1990's, and now it is widely used in numerous network activities. The classification technique focuses on modeling attributes and features of data flows to accomplish the identification of applications. In the paper we design and implement the classification model based on header-derived flow statistical features. Compared with the traditional methods, the model designed here, which is totally insensitive to port numbers and contents of payload on application level, overcomes difficulty in operation caused by unreliable port numbers and complexity of payload interpretation. Rather than relatively complex ML algorithms or even in mixture, supervised k-Nearest Neighbor estimator is adopted for the sake of computational efficiency, along with the effective and easy-to-calculate statistical features selected according to the operational background. Our results indicate that about 90% accuracy on per-flow classification can be achieved, which is a vast improvement over traditional techniques that achieve 50-70%.

Xuecheng Yu,Yan Huang,Yu Zhang,Mingyang Song,Zhenhong Jia

DOI: https://doi.org/10.32604/cmc.2023.044999

2024-01-01

Abstract:With the increasing dimensionality of network traffic, extracting effective traffic features and improving the identification accuracy of different intrusion traffic have become critical in intrusion detection systems (IDS). However, both unsupervised and semisupervised anomalous traffic detection methods suffer from the drawback of ignoring potential correlations between features, resulting in an analysis that is not an optimal set. Therefore, in order to extract more representative traffic features as well as to improve the accuracy of traffic identification, this paper proposes a feature dimensionality reduction method combining principal component analysis and Hotelling’s T2 and a multilayer convolutional bidirectional long short-term memory (MSC_BiLSTM) classifier model for network traffic intrusion detection. This method reduces the parameters and redundancy of the model by feature extraction and extracts the dependent features between the data by a bidirectional long short-term memory (BiLSTM) network, which fully considers the influence between the before and after features. The network traffic is first characteristically downscaled by principal component analysis (PCA), and then the downscaled principal components are used as input to Hotelling’s T2 to compare the differences between groups. For datasets with outliers, Hotelling’s T2 can help identify the groups where the outliers are located and quantitatively measure the extent of the outliers. Finally, a multilayer convolutional neural network and a BiLSTM network are used to extract the spatial and temporal features of network traffic data. The empirical consequences exhibit that the suggested approach in this manuscript attains superior outcomes in precision, recall and F1-score juxtaposed with the prevailing techniques. The results show that the intrusion detection accuracy, precision, and F1-score of the proposed MSC_BiLSTM model for the CIC-IDS 2017 dataset are 98.71%, 95.97%, and 90.22%.

computer science, information systems,materials science, multidisciplinary

Niandong Liao,Xiaoxuan Li,Li, Xiaoxuan

DOI: https://doi.org/10.1007/s40815-022-01269-0

IF: 4.085

2022-03-23

International Journal of Fuzzy Systems

Abstract:As the digital world becomes the main complement to the physical world, establishing a solid line of defense against cyber attacks becomes critical and arduous. The intrusion detection systems (IDSs) based on the supervised learning method have achieved excellent performance, which requires a large amount of labeled data in the training phase. However, attacks occur much less frequently than normal behaviors, and it is difficult to obtain accurate labels. In addition, IDSs based on supervised learning cannot identify unknown attacks. At the same time, the problem that detection accuracy varies greatly with different applications is very significant in traditional unsupervised learning methods. Therefore, it is necessary to perform high-precision anomaly detection on unlabeled samples. This paper proposes a traffic anomaly detection model using K-means and Active Learning Method (ALM), which is mainly composed of a feature extraction module and an anomaly detection module. Firstly, the Pearson correlation coefficient and Light Gradient Boosting Machine (LightGBM) are used in the feature extraction module to select important features. Secondly, K-means divides the characteristic-processed traffic into normal or abnormal categories. Finally, the results of K-means are diffused through ALM, and new classification results are obtained after defuzzification, thereby improving the accuracy of anomaly detection. The latest CICDDoS2019 data set is used in the experiment. Experimental results show that the detection accuracy of the proposed model is above 90%, and the F1 score is above 95%, regardless of whether it is a binary classification of a single attack or a mixed classification of multiple attacks. Compared with three unsupervised learning methods K-means, Auto-encoder and short-term memory (LSTM) and three supervised learning methods Naive Bayes (NB), Support Vector Machine (SVM), Decision Tree (DT), the proposed model has higher classification accuracy and better generalization effect. This article is very helpful for exploring the application of unsupervised learning methods in network intrusion detection systems based on the characteristics of the data itself.

computer science, information systems,automation & control systems, artificial intelligence

Gulab Sah,Sweety Singh,Subhasish Banerjee

DOI: https://doi.org/10.23919/jcc.fa.2022-0076.202409

2024-10-01

China Communications

Abstract:The key objective of intrusion detection systems (IDS) is to protect the particular host or network by investigating and predicting the network traffic as an attack or normal. These IDS uses many methods of machine learning (ML) to learn from past-experience attack i.e. signatures based and identify the new ones. Even though these methods are effective, but they have to suffer from large computational costs due to considering all the traffic features, together. Moreover, emerging technologies like the Internet of Things (IoT), big data, etc. are getting advanced day by day; as a result, network traffics are also increasing rapidly. Therefore, the issue of computational cost needs to be addressed properly. Thus, in this research, firstly, the ML methods have been used with the feature selection technique (FST) to reduce the number of features by picking out only the important ones from NSL-KDD, CICIDS2017, and CIC-DDoS2019 datasets later that helped to build IDSs with lower cost but with the higher performance which would be appropriate for vast scale network. The experimental result demonstrated that the proposed model i.e. Decision tree (DT) with Recursive feature elimination (RFE) performs better than other classifiers with RFE in terms of accuracy, specificity, precision, sensitivity, F1-score, and G-means on the investigated datasets.

telecommunications

María Rodríguez,Álvaro Alesanco,Lorena Mehavilla,José García

DOI: https://doi.org/10.3390/s22239326

IF: 3.9

2022-12-01

Sensors

Abstract:Cybersecurity is one of the great challenges of today's world. Rapid technological development has allowed society to prosper and improve the quality of life and the world is more dependent on new technologies. Managing security risks quickly and effectively, preventing, identifying, or mitigating them is a great challenge. The appearance of new attacks, and with more frequency, requires a constant update of threat detection methods. Traditional signature-based techniques are effective for known attacks, but they are not able to detect a new attack. For this reason, intrusion detection systems (IDS) that apply machine learning (ML) techniques represent an alternative that is gaining importance today. In this work, we have analyzed different machine learning techniques to determine which ones permit to obtain the best traffic classification results based on classification performance measurements and execution times, which is decisive for further real-time deployments. The CICIDS2017 dataset was selected in this work since it contains bidirectional traffic flows (derived from traffic captures) that include benign traffic and different types of up-to-date attacks. Each traffic flow is characterized by a set of connection-related attributes that can be used to model the traffic and distinguish between attacks and normal flows. The CICIDS2017 also contains the raw network traffic captures collected during the dataset creation in a packet-based format, thus permitting to extract the traffic flows from them. Various classification techniques have been evaluated using the Weka software: naive Bayes, logistic, multilayer perceptron, sequential minimal optimization, k-nearest neighbors, adaptive boosting, OneR, J48, PART, and random forest. As a general result, methods based on decision trees (PART, J48, and random forest) have turned out to be the most efficient with F1 values above 0.999 (average obtained in the complete dataset). Moreover, multiclass classification (distinguishing between different types of attack) and binary classification (distinguishing only between normal traffic and attack) have been compared, and the effect of reducing the number of attributes using the correlation-based feature selection (CFS) technique has been evaluated. By reducing the complexity in binary classification, better results can be obtained, and by selecting a reduced set of the most relevant attributes, less time is required (above 30% of decrease in the time required to test the model) at the cost of a small performance loss. The tree-based techniques with CFS attribute selection (six attributes selected) reached F1 values above 0.990 in the complete dataset. Finally, a conventional tool like Zeek has been used to process the raw traffic captures to identify the traffic flows and to obtain a reduced set of attributes from these flows. The classification results obtained using tree-based techniques (with 14 Zeek-based attributes) were also very high, with F1 above 0.997 (average obtained in the complete dataset) and low execution times (allowing several hundred thousand flows/s to be processed). These classification results obtained on the CICIDS2017 dataset allow us to affirm that the tree-based machine learning techniques may be appropriate in the flow-based intrusion detection problem and that algorithms, such as PART or J48, may offer a faster alternative solution to the RF technique.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Yu Wang,Shun-Zheng Yu

DOI: https://doi.org/10.4304/jnw.4.7.622-629

2009-01-01

Journal of Networks

Abstract:Network traffic classification plays an important role in various network activities. Due to the ineffectiveness of traditional port-based and payload-based methods, recent works proposed using machine learning methods to classify flows based on statistical characteristics. In this study, we present a comprehensive evaluation of the effectiveness of these statistical methods for real-time traffic classification problem. We evaluate three different flow feature sets that are used to capture distinct properties of each application, two of them consist of features generated from full flows and the third is made up of early sub-flow statistics derived from the first few packets of each flow. We compare various supervised machine learning schemes to identify the one most suitable for traffic classification. We also apply feature selection to identify the most significant features. The results indicate that statistical characteristics of traffic flows are capable to distinguish applications; in particular it’s feasible to use the features derived from early sub-flows for realtime traffic classification. The results also indicate that classifiers based on decision tree outperform others, as they obtain highest accuracy and fastest classifying speed.

Gulab Sah,Subhasish Banerjee,Sweety Singh

DOI: https://doi.org/10.1007/s10207-022-00616-4

2022-10-08

International Journal of Information Security

Abstract:The intrusion detection system (IDS) plays an important role in extracting and analysing the network traffics to detect aberrant activity. However, emerging technologies, like cloud computing, Internet of Things, etc., generate a large volume of traffics, which may carry the irrelevant attributes that do not have any impact on classification or in detection of assaults. Hence, it's became an open challenge for the researchers to extract the meaningful data from huge amounts of traffic and also to examine whether the selected features could increase IDS performance or not. To solve these issues, features selection approaches (FSA) have been used in this research to remove non-relevant features and find the important ones. Later, the various classifiers have been used to investigate the best classifier which could increase the performance of IDS's detection-engine on the NSL-KDD datasets. However, to validate, the investigated best-performing classifier with the suitable features selection technique (FST) has also been implemented on a real-time dataset, i.e. combined CICIDS2017. The experiment results in this research suggest that the acquired subset of relevant features under the proposed model's (Decision Tree + Recursive Feature Elimination) could increase the IDS performance with average accuracy of 99.21% and 99.94% on the well-known NSL-KDD and CICIDS2017 datasets, respectively, and could also minimize the computation cost, in parallel.

computer science, information systems, theory & methods, software engineering

Hongli Zhang,Gang Lu,Mahmoud T. Qassrawi,Yu Zhang,Xiangzhan Yu

DOI: https://doi.org/10.1016/j.comcom.2012.04.012

IF: 5.047

2012-01-01

Computer Communications

Abstract:Machine learning (ML) algorithms have been widely applied in recent traffic classification. However, due to the imbalance in the number of traffic flows, ML based classifiers are prone to misclassify flows as the traffic type that occupies the majority of flows on the Internet. To address the problem, a novel feature selection metric named Weighted Symmetrical Uncertainty (WSU) is proposed. We design a hybrid feature selection algorithm named WSU_AUC, which prefilters most of features with WSU metric and further uses a wrapper method to select features for a specific classifier with Area Under roc Curve (AUC) metric. Additionally, to overcome the impacts of dynamic traffic flows on feature selection, we propose an algorithm named SRSF that Selects the Robust and Stable Features from the results achieved by WSU_AUC. We evaluate our approaches using three classifiers on the traces captured from entirely different networks. Experimental results obtained by our algorithms are promising in terms of true positive rate (TPR) and false positive rate (FPR). Moreover, our algorithms can achieve 94% flow accuracy and 80% byte accuracy on average.

Wenting Wei,Huaxi Gu,Wenshuai Deng,Zhe Xiao,Xinming Ren

DOI: https://doi.org/10.1016/j.neucom.2022.03.007

IF: 6

2022-01-01

Neurocomputing

Abstract:Network traffic classification is an increasingly significant prerequisite for network management. An accurate traffic classifier can contribute to traffic engineering, traffic intrusion detection and user behavior analysis. Recently, deep learning (DL) has attracted considerable attention for traffic classification due to its excellent learning ability without the need for handcrafted feature engineering or privacy invasion. However, most DL-based traffic classification solutions mainly focus on improving the identification performance, with no regard for the computational and memory burden caused by a large model size or data redundancy. Motivated by the above gaps, we elaborate on the preprocessing of raw traffic data and investigate a lightweight traffic classifier. Specifically, we design a preprocessing approach to convert raw traffic data into available datasets for deep learning based traffic classifiers, which tailors raw traffic data as training datasets by resolving its structure and content and pruning redundant information. Thanks to its ability to focus on key information, attention mechanism is introduced to design an attention-based long short-term memory (LSTM) model for traffic classification, termed the ABL-TC. ABL-TC can effectively identify global dependencies between the input and the output with a limited number of important raw features, which can contribute to learning key information to identify various traffic types. Extensive experiments on real-world public datasets show that the ABL-TC outperforms state-of-the-art approaches in terms of various metrics for recognizing traffic categories while remaining competitive in terms of time and memory efficiency.

Hongtao Shi,Hongping Li,Dan Zhang,Chaqiu Cheng,Wei Wu

DOI: https://doi.org/10.1016/j.comnet.2017.03.011

IF: 5.493

2017-01-01

Computer Networks

Abstract:Given the limitations of traditional classification methods based on port number and payload inspection, a large number of studies have focused on developing classification approaches that use Transport Layer Statistics (TLS) features and Machine Learning (ML) techniques. However, classifying Internet traffic data using these approaches is still a difficult task because (1) TLS features are not very robust for traffic classification because they cannot capture the complex non-linear characteristics of Internet traffic, and (2) the existing Feature Selection (FS) techniques cannot reliably provide optimal and stable features for ML algorithms. With the aim of addressing these problems, this paper presents a novel feature extraction and selection approach. First, multifractal features are extracted from traffic flows using a Wavelet Leaders Multifractal Formalism(WLMF) to depict the traffic flows; next, a Principal Component Analysis (PCA)-based FS method is applied on these multifractal features to remove the irrelevant and redundant features. Based on real traffic traces, the experimental results demonstrate significant improvement in accuracy of Support Vector Machines (SVMs) comparing to the TLS features studied in existing ML-based approaches. Furthermore, the proposed approach is suitable for real time traffic classification because of the ability of classifying traffic at the early stage of traffic transmission.

Dai Lei,Yun Xiaochun,Xiao Jun

DOI: https://doi.org/10.1109/WAIM.2008.30

2008-01-01

Abstract:The identification of network applications is of fundamental important to numerous network activities. Unfortunately, traditional port-based classification and packet payload-based analysis exhibit a number of shortfalls. A promising alternative is to use Machine Learning (ML) techniques and identify network applications based on per-flow features. Since a lot of flow features can be used for flow classification, the flow classifier may deal with huge amount of data, which contains irrelevant and redundant features causing slower training and testing process, higher resource consumption as well as poor classification accuracy. Therefore, feature selection plays a vital role in performance optimizing. In this paper, we propose a hybrid feature selection method for flow classification using Chi-Squared and C4.5 algorithm (ChiSquared-C4.5). The experiments demonstrate our approach can greatly improve computational performance without negative impact on classification accuracy.

Shuai Liu,Yong Zhang,Lei Jin,Xiaojuan Wang,Mei Song,Da Guo

DOI: https://doi.org/10.1007/978-3-030-15127-0_60

2018-01-01

Abstract:Machine learning becomes an effective method to detect malicious traffic. With the proliferation of network traffic, malicious traffic categories are greatly increased, which puts forward higher requirements for the computation time and detection accuracy of machine learning. A feature selection framework is proposed to balance the computation time and detection accuracy. First, we construct a feature repository of traffic information with high dimensions. In order to reduce the computation time and minimize the loss of accuracy, we investigate the feature selection algorithms. The algorithm based on chi-square test and xgboost algorithm are adopted to evaluate the proposal. The experiments on CTU dataset show that the proposal can reduce the computation time while ensuring the accuracy.

Qiuhong Wang,Lei Wang,Ji Xiang

DOI: https://doi.org/10.4028/www.scientific.net/AMR.756-759.3506

2013-09-01

Abstract:Traffic classification is a critical technology in the areas of network management and security monitoring. Traditional port-based and payload-based classification are no longer effective due to the fact that many applications utilize unpredictable port numbers and packet encryption. Researchers tend to apply machine learning (ML) techniques to identify the traffic flows by recognizing statistical features. Unfortunately, looking back upon the related work, most of the ML-based classification algorithms have similar performance, and what really matters now is how to optimize these techniques. In this paper, we analyzed two critical issues (Feature Selection, Configuration of Parameters) of ML classification, and presented the corresponding viable methods to optimize the classification model. This paper also reported the experimental evaluation to assess the performance improvements introduced by our optimized methods; experimental results on real-life datasets and network traffic show that the classification model successfully achieves significant accuracy improvement.

Computer Science

Liu Zhen,Liu Qiong

DOI: https://doi.org/10.1016/j.phpro.2012.05.220

2012-01-01

Abstract:If 248 statistical features are used to characterize network traffic flows, the computation cost of classifier will be overlarge. The feature selection methods referenced here improve the accuracy of majority classes and meanwhile decrease the accuracy in minority classes as the cost. As a result, it brings about the multi-class imbalance problem. In this paper, main contributions include two aspects below. 1) An evaluation criterion based on information theory was proposed to assess how much do one feature bias towards one class. 2) A new feature selection method named BFS was proposed to reduce features and alleviate multi-class imbalance. BFS was compared with fast correlation-based filter (FCBF) and full feature set using Naive Bayes and ten skewed datasets. The results show that 1) BFS is more advantage to maintain the balance of multi-class classification results than FCBF, such as the reduction of g-mean is just about 8% using BFS, 2) classification accuracy of Naive Bayes using BFS can achieve to 90%. (C) 2012 Published by Elsevier B.V. Selection and/or peer review under responsibility of ICMPBE International Committee.

Shuai Jiang,Xiaolong Xu

DOI: https://doi.org/10.1109/cyberc.2019.00039

2019-01-01

Abstract:The rapid increase of data has led to many security issues. Various new technologies and other sub-disciplines have been introduced into the research of intrusion detection system (IDS), which has become a hot topic in the current field of security. However, IDS utilizing traditional machine learning technology suffers from relatively low detection rate, large computational overhead, and high false positive rate, due to the large amount of redundancy and high correlation of network traffic data. Therefore, we select random forest (RF) to handle the classification of the network traffic data, and try the classic feature selection algorithms Extra-Trees (ET) and Chi-square (CHI) to reduce the detection time and improve the efficiency of IDS. The experimental results based on the NSL-KDD dataset indicate that ET-RF and CHI-RF outstand in accuracy and computational overhead. Meanwhile, RF with ET outperforms that with CHI.

Muhammad Shafiq,Xiangzhan Yu,Dawei Wang

DOI: https://doi.org/10.1109/hpcc-smartcity-dss.2017.31

2017-01-01

Abstract:Identification of network traffic accurately at its early stage is very important for network traffic management and application traffic classification. In recent years, this becomes very hot topic to identify traffic at its early stage. Unidirectional and bidirectional statistical features are effective features and widely used in Internet traffic classification. However, it is important to evaluate and select effective features for Instant Messaging (IM) application traffic classification at early stage. In this paper we are interested to find out robust and effective features at early stage. We firstly extract 22 statistical features of the first flow on two different network environment traffic datasets include on HIT and NIMS datasets. Then mutual information is conducted between the extract statistical features to select the effective features. Additionally to select robust features, we execute attribute selection cfsSubsetEval with Best search evaluator that select the robust and stable features from the result achieved by mutual information. And then, we execute 10 well-known machine learning classifiers. Our experimental results show that max_fpktl, std_bpktl, max_biat, mean_fpktl, mean_bpktl and min_biat feature are robust features at early stage traffic classification.