Ghazi Al-Naymat,Mouhammd Al-kasassbeh,Eshraq Al-Hawari

DOI: https://doi.org/10.48550/arXiv.1809.02611

2018-09-04

Abstract:The exponential increase in the number of malicious threats on computer networks and Internet services due to a large number of attacks makes the network security at continuous risk. One of the most prevalent network attacks that threaten networks is Denial of Service (DoS) flooding attack. DoS attacks have recently become the most attractive type of attacks to attackers and these have posed devastating threats to network services. So, there is a need for effective approaches, which can efficiently detect any intrusion in the network. This paper presents an efficient mechanism for network attacks detection and types of attack classification using the Management Information Base (MIB) database associated with the Simple Network Management Protocol (SNMP) through machine learning techniques. This paper also investigates the impact of SNMP-MIB data on network anomalies detection. Three classifiers, namely, Random Forest, AdaboostM1 and MLP are used to build the detection model. The use of different classifiers presents a comprehensive study on the effectiveness of SNMP-MIB data in detecting different types of attack. Empirical results show that the machine learning techniques were quite successful in detecting and classifying the attacks with a high detection rate.

Networking and Internet Architecture

Abdelrahman Manna,Mouhammd Alkasassbeh

2019-05-15

Abstract:SNMP-MIB is a widely used approach that uses machine learning to classify data and obtain results, but using SNMP-MIB huge dataset is not efficient and it is also time and resources consuming. In this paper, a REP Tree, J48(Decision Tree) and Random Forest classifiers were used to train a model that can detect the anomalies and predict the network attacks that my affect the Internet Protocol(IP) group. This trained model can be used in the devices that are used to detect the anomalies such as intrusion detection systems.

Computer Science

Samir Ifzarne,Hiba Tabbaa,Imad Hafidi,Nidal Lamghari

DOI: https://doi.org/10.1088/1742-6596/1743/1/012021

2021-01-01

Journal of Physics: Conference Series

Abstract:Abstract The number of Wireless sensor network (WSN) deployments have been growing so exponentially over the recent years. Due to their small size and cost-effective, WSN are attracting many industries to use them in various applications. Environmental monitoring, security of buildings and precision agriculture are few example among several other fields. However, WSN faces high security threats considering most of them are deployed in unattended nature and hostile environment. In the aim of providing secure data processing in the WSN, many techniques are proposed to protect the data privacy while being transferred from the sensors to the base station. This work is focusing on attack detection which is an essential task to secure the network and the data. Anomaly detection is a key challenge in order to ensure the security and prevent malicious attacks in wireless sensor networks. Various machine learning techniques have been used by researchers these days to detect anomalies using offline learning algorithms. On the other hand online learning classifiers have not been thoroughly addressed in the literature. Our aim is to provide an intrusion detection model compatible with the characteristics of WSN. This model is built based on information gain ratio and the online Passive aggressive classifier. Firstly, the information gain ratio is used to select the relevant features of the sensor data. Secondly, the online Passive aggressive algorithm is trained to detect and classify different type of Deny of Service attacks. The experiment was conducted on a wireless sensor network-detection system (WSN-DS) dataset. The proposed model ID-GOPA results detection rate of 96% determining whether the network is in its normal mode or exposed to any type of attack. The detection accuracy is 86%, 68%, 63%, and 46% for scheduling, grayhole, flooding and blackhole attacks, respectively, in addition to 99% for normal traffic. These results shows that our model based on offline learning can be providing good anomaly detection to the WSN and replace online learning in some cases.

Mohamed Abushwereb,Muhannad Mustafa,Mouhammd Al-kasassbeh,Malik Qasaimeh

DOI: https://doi.org/10.48550/arXiv.2001.05707

2020-01-16

Abstract:One of the most common internet attacks causing significant economic losses in recent years is the Denial of Service (DoS) flooding attack. As a countermeasure, intrusion detection systems equipped with machine learning classification algorithms were developed to detect anomalies in network traffic. These classification algorithms had varying degrees of success, depending on the type of DoS attack used. In this paper, we use an SNMP-MIB dataset from real testbed to explore the most prominent DoS attacks and the chances of their detection based on the classification algorithm used. The results show that most DOS attacks used nowadays can be detected with high accuracy using machine learning classification techniques based on features provided by SNMP-MIB. We also conclude that of all the attacks we studied, the Slowloris attack had the highest detection rate, on the other hand TCP-SYN had the lowest detection rate throughout all classification techniques, despite being one of the most used DoS attacks.

Networking and Internet Architecture,Cryptography and Security

Anselme R. Affane M.,Hassan Satori,Youssef Boutazart,Abderahim Ezzine,Khalid Satori

DOI: https://doi.org/10.1007/s11277-024-10999-3

IF: 2.017

2024-05-18

Wireless Personal Communications

Abstract:The progress of Wireless Sensor Networks (WSNs) technologies has introduced a greater susceptibility of sensors and networks to being victims of distributed attacks. These attacks include various malicious activities such as intrusions during routing processes, data intercepting and other disruptive actions. In response to this increasing security challenge, numerous models for attack identification have been proposed. These models typically involve the deployment of detection systems that collect sensor data and employ machine learning and artificial intelligence techniques to categorize them. This research introduces a novel method for the analysis and classification of WSN datasets. The primary objective is to develop an anomaly identification approach that enhances sensor network security and operational efficiency with a good degree of accuracy. To achieve this goal, artificial intelligence method based-on stochastic models are used to create a detection system that learns from existing routing data to identify potential malicious network entries. The proposed approach relies on the principles of the Hidden Markov Model (HMM) and the Gaussian Mixture Model (GMM), a part of artificial intelligence stochastic functions, which incorporate predictive assumptions. In addition, dimensionality reduction is used to select the most pertinent routing features for the training of the system. To assess the effectiveness of our proposed approach, we performed experiments using a custom dataset that represents various network scenarios, including both normal and attacked states. The results demonstrate the performance of the model, achieving a classification score of 92. 18% when using a combination of two HMM and three GMM in the classifier. The proposed method attains a 98% precision value and 95% accuracy, better than performances of SVM, NB, DT and RF methods. This highlights the efficacy of our proposed approach compared to existing research.

telecommunications

Hafiza Anisa Ahmed,Anum Hameed,Narmeen Zakaria Bawany

DOI: https://doi.org/10.7717/peerj-cs.820

2022-01-07

PeerJ Computer Science

Abstract:The expeditious growth of the World Wide Web and the rampant flow of network traffic have resulted in a continuous increase of network security threats. Cyber attackers seek to exploit vulnerabilities in network architecture to steal valuable information or disrupt computer resources. Network Intrusion Detection System (NIDS) is used to effectively detect various attacks, thus providing timely protection to network resources from these attacks. To implement NIDS, a stream of supervised and unsupervised machine learning approaches is applied to detect irregularities in network traffic and to address network security issues. Such NIDSs are trained using various datasets that include attack traces. However, due to the advancement in modern-day attacks, these systems are unable to detect the emerging threats. Therefore, NIDS needs to be trained and developed with a modern comprehensive dataset which contains contemporary common and attack activities. This paper presents a framework in which different machine learning classification schemes are employed to detect various types of network attack categories. Five machine learning algorithms: Random Forest, Decision Tree, Logistic Regression, K-Nearest Neighbors and Artificial Neural Networks, are used for attack detection. This study uses a dataset published by the University of New South Wales (UNSW-NB15), a relatively new dataset that contains a large amount of network traffic data with nine categories of network attacks. The results show that the classification models achieved the highest accuracy of 89.29% by applying the Random Forest algorithm. Further improvement in the accuracy of classification models is observed when Synthetic Minority Oversampling Technique (SMOTE) is applied to address the class imbalance problem. After applying the SMOTE, the Random Forest classifier showed an accuracy of 95.1% with 24 selected features from the Principal Component Analysis method.

computer science, information systems, artificial intelligence, theory & methods

Gauri Kalnoor,S. Gowrishankar

DOI: https://doi.org/10.1007/s41870-021-00748-1

2021-09-24

International Journal of Information Technology

Abstract:Significant growth of smart home devices is adopted, which provides security, convenience, and energy efficiency for users, in recent years. As an instance, consider a secured smart camera that detects movements of unauthorized objects, whereas the fire accidents can be detected by smoke sensors. Though, a surface for new cyber threats is some of the most recent examples that are open up in this field. Furthermore, recent examples also show that the distributed denial of service (DDoS) attacks are performed by misusing the smart devices which are hacked violating the privacy rules. In this proposed work, the application of machine learning in an environment of smart homes is explored so that the anomalous activities that occur can be identified. The sensor data at the network level is trained using a model based on the Markov chain known as hidden Markov model (HMM) and is created using smart devices and multiple sensors from a testbed. The model generated using HMM achieves 97% accuracy while detecting potential anomalies where attacks are indicated. In this approach, we construct the model and differentiate the analysed results with existing techniques. The starting step for securing IoT networks is intrusion detection and the next step is the intruders prediction which provides an active defence against the incoming attacks. The model employs an algorithm that does not depend on specific domain knowledge. The work has achieved an improvement in prediction accuracy of 5% for an alert category over the current variable length methods of Markov chain intrusion prediction, as they provided information more for a possible defence. The DDoS attack is considered as a coordinated attack mainly carried out based on a large scale depending on whether the target system’s resources or services are available. Thus, the novel approach also describes a novel machine learning-based technique using an algorithm known as variational dynamic Bayesian algorithm which helps to obtain a HMM with the number of parameters and model states which are optimized for the prediction of a DDoS attack. This procedure conquers the speed of a moderate combination HMM approach.

Mina Eshak Magdy,Ahmed M. Matter,Saleh Hussin,Doaa Hassan,Shaimaa Ahmed Elsaid

DOI: https://doi.org/10.11591/ijeecs.v30.i3.pp1699-1706

2023-06-01

Indonesian Journal of Electrical Engineering and Computer Science

Abstract:Recently, cyberattacks have been more complex than in the past, as a new cyber-attack is initiated almost every day. Therefore, researchers should develop efficient intrusion detection systems (IDS) to detect cyber-attacks. In order to improve the detection and prevention of the aforementioned cyber-attacks, several articles developed IDSs exploiting machine learning and deep learning. In this paper, a way to find network intrusions using a combination of feature selection and adoptive voting is investigated. NSL-KDD dataset, a high-dimensional dataset that has been widely used for network intrusion detection, is applied in this approach. Feature selection plays an important role for improving accuracy and testing time as it eliminates the less significant attributes from the data set, thus saving computational power and effort. The experimental results show that the proposed approach achieves an accuracy of 86.5% on the NSL-KDD test dataset using an adoptive voting algorithm trained with the selected features. In addition, the time to process each record is 97.5 microseconds, which reflects the proposed model's superior performance. Comparing the proposed model with the existing models in the literature shows that the proposed adaptive voting approach significantly improves intrusion detection accuracy, enhances computational efficiency, and reduces false positives.

Serenje Macdonald,Mkandawire Mtende

DOI: https://doi.org/10.26634/jcom.11.4.20650

2024-01-01

Abstract:The rapid growth of network infrastructures and the increasing volume of data transmitted through them have led to a critical need for efficient and accurate anomaly detection systems in network transport. This paper proposes a novel anomaly detection system that utilizes machine learning techniques to identify abnormal patterns and deviations in network traffic. The proposed system follows a multi-layered approach, starting with the collection of network traffic data from various sources, including routers, switches, and gateways. The data is then preprocessed to extract relevant features and eliminate noise. Feature extraction is carried out using statistical, time-series, and flow-based analysis to capture the inherent characteristics of network communication. Machine learning algorithms, such as neural networks, or in this case, auto-encoders, will be trained to learn the patterns of normal network behavior and subsequently detect deviations from these patterns as anomalies. The system provides alerts and notifications to network administrators, allowing prompt investigation and response to potential security threats or network performance issues. It effectively differentiates between benign and malicious network activities, enabling network administrators to take proactive measures to secure their infrastructure and ensure uninterrupted communication.

Mohammed Maithem,Ghadaa A. Al-sultany

DOI: https://doi.org/10.1088/1742-6596/1804/1/012138

2021-02-01

Journal of Physics: Conference Series

Abstract:Abstract In recent decades, rapid development in the world of technology and networks has been achieved, also there is a spread of Internet services in all fields over the world. Piracy numbers have increased, also a lot of modern systems were penetrated, so the developing information security technologies to detect the new attack become an important requirement. One of the most important information security technologies is an Intrusion Detection System (IDS) that uses machine learning and deep learning techniques to detect anomalies in the network. The main idea of this paper is to use an advanced intrusion detection system with high network performance to detect the unknown attack package, by using a deep neural network algorithm, also in this model, the attack detection is done by two ways (binary classification and multiclass classification). The proposed system has shown encouraging results in terms of the high accuracy (99.98% with multiclass classification and with binary classification).

J Li,C Manikopoulos

DOI: https://doi.org/10.1109/smcsia.2003.1232401

2003-01-01

Abstract:We investigate the statistical anomaly detection of DOS computer network attacks using only MIB II supplied traffic parameters of the SNMP, as carried out by MAID. MAID is a hierarchical, multitier, multiobservation-window, anomaly based network intrusion detection system, prototyped in our laboratory for the US Army's tactical Internet. MAID monitors several MIB II supplied network traffic parameters simultaneously, constructs a probability density function (PDF) for each, statistically compares it to a reference PDF of normal behavior using a similarity metric, then combines the results into an anomaly status vector that is classified by a neural network classifier. The data used here derive from many experiments that have been carried out in our network testbed facility that monitor 27 MIB traffic parameters simultaneously, focusing on the Denial of Service (DOS) class of attacks, including UDP, ICMP and TCP type flooding attacks. We further focused on the anomaly detector and specifically two issues: (a) the effectiveness of some alternative similarity metrics and (b) early detection, i.e., detection at low values of the ratio of attack to background traffic. Thus, we studied the effectiveness of five prominent and/or promising similarity metrics: a /spl chi//sup 2/ test (CST), a Kolmogorov-Smyrnov (KS) test (KST), Kupier's KS type statistic (KKS), a combined area-KS type test (AKS), and a simpler fractional deviation from the mean statistic (FDM). We present the performance of these metrics using 9 traffic intensity scenarios, as the attack traffic decreased from 10% to 0.5% of the background. It was found that the KST metric performed slightly better overall while the FDM performed surprisingly well at low traffic intensities. It was also found that an attack/background ratio as small as 1% can be detected by MAID with corresponding misclassification rates in the range of 0.5-1.0 %. These results show promise for the use of MAID in early DOS detection using MIB traffic parameters.

Ashraf Abdelhamid,Mahmoud Said Elsayed,Anca D. Jurcut,Marianne A. Azer

DOI: https://doi.org/10.3390/electronics12061294

IF: 2.9

2023-03-09

Electronics

Abstract:Mobile ad hoc networks (MANETs) are now key in today's new world. They are critically needed in many situations when it is crucial to form a network on the fly while not having the luxury of time or resources to configure devices, build infrastructure, or even have human interventions. Ad hoc networks have many applications. For instance, they can be used in battlefields, education, rescue missions, and many other applications. Such networks are characterized by high mobility, low resources of power, storage, and processing. They are infrastructure-less; this means that they don't use infrastructure equipment for communication. These networks rely instead on each other for routing and communication. MANETs use a hopping mechanism where each node in a network finds another node within its communication range and use it as a hop for delivering the message through another node and so on. In standard networks, there is dedicated equipment for specific functions such as routers, servers, firewalls, etc., while in ad hoc networks, every node performs multiple functions. For example, the routing function is performed by nodes. Hence, they are more vulnerable to attacks than standard networks. The main goal of this paper is to propose a solution for detecting black hole attacks using anomaly detection based on a support vector machine (SVM). This detection system aims at analyzing the traffic of the network and identifying anomalies by checking node behaviors. In the case of black hole attacks, the attacking nodes have some behavioral characteristics that are different from normal nodes. These characteristics can be effectively detected using our lightweight detection system. To experiment with the effectiveness of this solution, an OMNET++ simulator is used to generate traffic under a black hole attack. The traffic is then classified into malicious and non-malicious based on which the malicious node is identified. The results of the proposed solution showed very high accuracy in detecting black hole attacks.

engineering, electrical & electronic,computer science, information systems,physics, applied

Abdulsalam O. Alzahrani,Mohammed J. F. Alenazi

DOI: https://doi.org/10.3390/fi13050111

2021-04-28

Future Internet

Abstract:Software-defined Networking (SDN) has recently developed and been put forward as a promising and encouraging solution for future internet architecture. Managed, the centralized and controlled network has become more flexible and visible using SDN. On the other hand, these advantages bring us a more vulnerable environment and dangerous threats, causing network breakdowns, systems paralysis, online banking frauds and robberies. These issues have a significantly destructive impact on organizations, companies or even economies. Accuracy, high performance and real-time systems are essential to achieve this goal successfully. Extending intelligent machine learning algorithms in a network intrusion detection system (NIDS) through a software-defined network (SDN) has attracted considerable attention in the last decade. Big data availability, the diversity of data analysis techniques, and the massive improvement in the machine learning algorithms enable the building of an effective, reliable and dependable system for detecting different types of attacks that frequently target networks. This study demonstrates the use of machine learning algorithms for traffic monitoring to detect malicious behavior in the network as part of NIDS in the SDN controller. Different classical and advanced tree-based machine learning techniques, Decision Tree, Random Forest and XGBoost are chosen to demonstrate attack detection. The NSL-KDD dataset is used for training and testing the proposed methods; it is considered a benchmarking dataset for several state-of-the-art approaches in NIDS. Several advanced preprocessing techniques are performed on the dataset in order to extract the best form of the data, which produces outstanding results compared to other systems. Using just five out of 41 features of NSL-KDD, a multi-class classification task is conducted by detecting whether there is an attack and classifying the type of attack (DDoS, PROBE, R2L, and U2R), accomplishing an accuracy of 95.95%.

Sumedha Seniaray,Rajni Jindal

DOI: https://doi.org/10.1007/s11277-024-11602-5

IF: 2.017

2024-10-05

Wireless Personal Communications

Abstract:Data and information, being a critical part of the Internet, are vital to network security. Intrusion Detection System (IDS) is required to preserve confidentiality, data integrity, and system availability from attacks. IDS collects network data from various places that may contain features that are redundant and irrelevant, leading to an increase in processing time and low detection rate. This study proposes a three-phase network-based IDS to counter this issue. Initially, network data is captured and preprocessed. In the second phase, we perform feature extraction, selection, and ranking to obtain the optimal feature set. A novel Dynamic Mutual Information-based Genetic Algorithm for feature selection (DMI-GA), aiming to enhance the performance of machine learning (ML) techniques by identifying an optimal set of features, is also proposed in this work. Finally, well-known ML models are employed to detect intrusions within this refined set of network traffic features. Experimental results demonstrate a significant improvement in detection accuracy when the ML models are trained and tested on an optimal set of features. It is also observed that DMI-GA combined with the Random Forest classifier, achieves the highest detection accuracy of 99.94%, surpassing the performance of existing state-of-the-art anomaly-based network intrusion detection systems. A comprehensive statistical analysis of these ML methods is also conducted using 10-fold and Leave-One-Out cross-validation strategies, as it mitigates overfitting and offers a thorough evaluation of the model's performance, resulting in an average accuracy of 99.91%.

telecommunications

Yating Liu,Yuantao Gu,Xinyue Shen,Qingmin Liao,Quan Yu

DOI: https://doi.org/10.1109/tnse.2022.3206353

IF: 6.6

2023-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Anomaly detection is a crucial topic in network security which refers to automatically mining known and unknown attacks or threats. Many detectors have been proposed in the last decade. Nonetheless, a practical solution, which is able to provide a high True Positive Rate (TPR) with an acceptable False Positive Rate (FPR) without any prior information, is still challenging due to the complexity and variability of anomaly pattern. In this article, we propose a novel unsupervised detection system called MSCA which applies multiple sketches, K-means++ unsupervised clustering, and association rule mining to detect traffic anomalies and analyze anomalous features and correlations. It can blindly identify known and unknown traffic anomalies without any labeled traffic or prior signatures about data distribution. Rich traffic data is first aggregated and compacted to traffic flows by sketches, and further detected by the combination of clustering algorithm and voting strategy. Then association rule mining is finally utilized to find the anomalous frequent item-sets and association rules. Numerical experiments on MAWILAB datasets demonstrate that the proposed detection method outperforms other reference unsupervised detection methods. It achieves an accuracy of 99.86%, 99.97%, 97.08%, and 95.19% in overall four detection types including IP and port of source and destination.

Mouhammad Alkasassbeh,Mohammad Almseidin

DOI: https://doi.org/10.48550/arXiv.1809.02610

2018-09-02

Abstract:Network security engineers work to keep services available all the time by handling intruder attacks. Intrusion Detection System (IDS) is one of the obtainable mechanisms that is used to sense and classify any abnormal actions. Therefore, the IDS must be always up to date with the latest intruder attacks signatures to preserve confidentiality, integrity, and availability of the services. The speed of the IDS is a very important issue as well learning the new attacks. This research work illustrates how the Knowledge Discovery and Data Mining (or Knowledge Discovery in Databases) KDD dataset is very handy for testing and evaluating different Machine Learning Techniques. It mainly focuses on the KDD preprocess part in order to prepare a decent and fair experimental data set. The J48, MLP, and Bayes Network classifiers have been chosen for this study. It has been proven that the J48 classifier has achieved the highest accuracy rate for detecting and classifying all KDD dataset attacks, which are of type DOS, R2L, U2R, and PROBE.

Networking and Internet Architecture,Cryptography and Security

Esra Altulaihan,Mohammed Amin Almaiah,Ahmed Aljughaiman

DOI: https://doi.org/10.3390/s24020713

IF: 3.9

2024-01-23

Sensors

Abstract:Widespread and ever-increasing cybersecurity attacks against Internet of Things (IoT) systems are causing a wide range of problems for individuals and organizations. The IoT is self-configuring and open, making it vulnerable to insider and outsider attacks. In the IoT, devices are designed to self-configure, enabling them to connect to networks autonomously without extensive manual configuration. By using various protocols, technologies, and automated processes, self-configuring IoT devices are able to seamlessly connect to networks, discover services, and adapt their configurations without requiring manual intervention or setup. Users' security and privacy may be compromised by attackers seeking to obtain access to their personal information, create monetary losses, and spy on them. A Denial of Service (DoS) attack is one of the most devastating attacks against IoT systems because it prevents legitimate users from accessing services. A cyberattack of this type can significantly damage IoT services and smart environment applications in an IoT network. As a result, securing IoT systems has become an increasingly significant concern. Therefore, in this study, we propose an IDS defense mechanism to improve the security of IoT networks against DoS attacks using anomaly detection and machine learning (ML). Anomaly detection is used in the proposed IDS to continuously monitor network traffic for deviations from normal profiles. For that purpose, we used four types of supervised classifier algorithms, namely, Decision Tree (DT), Random Forest (RF), K Nearest Neighbor (kNN), and Support Vector Machine (SVM). In addition, we utilized two types of feature selection algorithms, the Correlation-based Feature Selection (CFS) algorithm and the Genetic Algorithm (GA) and compared their performances. We also utilized the IoTID20 dataset, one of the most recent for detecting anomalous activity in IoT networks, to train our model. The best performances were obtained with DT and RF classifiers when they were trained with features selected by GA. However, other metrics, such as training and testing times, showed that DT was superior.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Redhwan M. A. Saad,Mohammed Anbar,Selvakumar Manickam,Samir I. Shaheen,Iznan H. Hasbullah

DOI: https://doi.org/10.1007/s10207-024-00815-1

2024-02-12

International Journal of Information Security

Abstract:The exponential increase in Internet-facing devices in the last decade has resulted in IP address exhaustion due to the limitations of the existing IPv4 address space. Therefore, the Internet Engineering Task Force engineered a new version of the Internet protocol known as Internet Protocol Version 6 (IPv6) to resolve the issue. However, IPv6 is highly dependent on the neighbor discovery protocol (NDP), which, unfortunately, has well-known vulnerabilities in its underlying messaging protocol, the Internet Control Message Protocol version 6. So, the NDP flaws leave the IPv6 network open to many security threats and attacks, including man-in-the-middle, spoofing, and denial-of-service attacks, which are the most annoying attack at the network layer. Unfortunately, one of the critical issues plaguing the existing anomaly-based detection system is the effectiveness of detecting NDP-based DDoS attacks, which requires urgent attention. This paper suggests a system to find network traffic patterns that are not normal that are caused by NDP-based attacks. It does this by teaching neural networks how to recognize network attack patterns using the backpropagation algorithm. The proposed system is a big step forward from where the field is now because it uses a complex neural network algorithm to create an NDP anomaly-based detection system. Using a real dataset to test the proposed system's performance shows that it can find NDP anomalies with a 99.95% success rate, a 99.92% precision rate, a 99.98% recall rate, an F1-Score of 99.98%, and a 0.040% false positive rate. Also, the proposed approach shows better results compared to other existing approaches.

computer science, information systems, theory & methods, software engineering

Omar Alghushairy,Raed Alsini,Zakhriya Alhassan,Abdulrahman A. Alshdadi,Ameen Banjar,Ayman Yafoz,Xiaogang Ma

DOI: https://doi.org/10.1109/access.2024.3364400

IF: 3.9

2024-02-20

IEEE Access

Abstract:With the increase of cyber-attacks and security threats in the recent decade, it is necessary to safeguard sensitive data and provide robust protection to information systems and computer networks. In this paper, an anomaly-based network outlier detection system (NODS) is proposed and optimized to check and classify the incoming network traffic stream's behaviours that affect the computer networks. The proposed NODS has high classification efficiency. Network connection events classified as outliers are reported to the network admin to drop and block its packets. The NSL-KDD and CICIDS2017 intrusion datasets were employed to build the proposed system and test its detection capabilities. Sequential scenarios were implemented to optimize the system's effectiveness. Network features were normalized by min-max and Z-Score approaches, while the relevant features were selected individually by the principal component analysis (PCA) and correlated features selection (CFS) techniques. Support vector machine (SVM) and Gaussian Naive Bayes (GNB) algorithms are used to build the detection model, while the Genetic algorithm (GA) was employed to tune their control parameters. The obtained evaluation results proved that the proposed SVM based NODS is characterized by low false alarms and detection time as well as high classification accuracy. Furthermore, a comparative analysis was conducted with other existing techniques, and the results obtained demonstrate the effectiveness of the proposed SVM-IDS

computer science, information systems,telecommunications,engineering, electrical & electronic

Benjamin J. Radford,Leonardo M. Apolonio,Antonio J. Trias,Jim A. Simpson

DOI: https://doi.org/10.48550/arXiv.1803.10769

2018-03-28

Abstract:We show that a recurrent neural network is able to learn a model to represent sequences of communications between computers on a network and can be used to identify outlier network traffic. Defending computer networks is a challenging problem and is typically addressed by manually identifying known malicious actor behavior and then specifying rules to recognize such behavior in network communications. However, these rule-based approaches often generalize poorly and identify only those patterns that are already known to researchers. An alternative approach that does not rely on known malicious behavior patterns can potentially also detect previously unseen patterns. We tokenize and compress netflow into sequences of "words" that form "sentences" representative of a conversation between computers. These sentences are then used to generate a model that learns the semantic and syntactic grammar of the newly generated language. We use Long-Short-Term Memory (LSTM) cell Recurrent Neural Networks (RNN) to capture the complex relationships and nuances of this language. The language model is then used predict the communications between two IPs and the prediction error is used as a measurement of how typical or atyptical the observed communication are. By learning a model that is specific to each network, yet generalized to typical computer-to-computer traffic within and outside the network, a language model is able to identify sequences of network activity that are outliers with respect to the model. We demonstrate positive unsupervised attack identification performance (AUC 0.84) on the ISCX IDS dataset which contains seven days of network activity with normal traffic and four distinct attack patterns.

Computers and Society,Human-Computer Interaction,Machine Learning