Kaiyuan Jiang,Wenya Wang,Aili Wang,Haibin Wu

DOI: https://doi.org/10.1109/access.2020.2973730

IF: 3.9

2020-01-01

IEEE Access

Abstract:Intrusion detection system (IDS) plays an important role in network security by discovering and preventing malicious activities. Due to the complex and time-varying network environment, the network intrusion samples are submerged into a large number of normal samples, which leads to insufficient samples for model training and detection results with a high false detection rate. According to the problem of data imbalance, we propose a network intrusion detection algorithm combined hybrid sampling with deep hierarchical network. Firstly, we use the one-side selection (OSS) to reduce the noise samples in majority category, and then increase the minority samples by Synthetic Minority Over-sampling Technique (SMOTE). In this way, a balanced dataset can be established to make the model fully learn the features of minority samples and greatly reduce the model training time. Secondly, we use convolution neural network (CNN) to extract spatial features and Bi-directional long short-term memory (BiLSTM) to extract temporal features, which forms a deep hierarchical network model. The proposed network intrusion detection algorithm was verified by experiments on the NSL-KDD and UNSW-NB15 dataset, and the classification accuracy can achieve 83.58% and 77.16%, respectively.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xue-qin Zhang,Chun-hua Gu,Ji-yi Wu

DOI: https://doi.org/10.3969/j.issn.1000-565X.2011.02.018

2011-01-01

Abstract:Owing to the constraints of time and space complexity, the standard SVM (Support Vector Machine) algorithm cannot effectively deal with large-scale network intrusion detection. In order to solve this problem and in view of the geometric interpretation of SVM, an intrusion detection classification algorithm named PCH-SVM is proposed based on the parallel convex hull decomposition and the SVM. With the help of convex hull decomposition and parallel computing, this algorithm can fast extract the vertices of convex hull of the original training samples to build a reduced SVM training set. Experimental results show that the proposed algorithm can effectively reduce the time and space complexity during SVM training, and speeds up the modeling and detection of intrusion detection classifier without any accuracy loss.

Zhang Xue-qin,Gu Chun-hua,Lin Jia-jin

DOI: https://doi.org/10.1109/chinacom.2006.344739

2006-01-01

Abstract:Support vector machine (SVM) has been applied to intrusion detection system (IDS) for its abilities to perform classification and regression. But for large-scale network intrusion detection problem, since solving a support vector machine is a typical quadratic optimization problem, which is influenced by the dimension and quantity of examples, many problems arise. KDDCUP'99 was used as the experiment dataset in this paper. A feature selection technology based on Fisher score was presented and used to construct a reduced feature subset of KDDCUP'99 dataset. SVM was used as a classifier. Experiment was run. The experiment results show, using Fisher score combined with SVM to select the important features is an effective method to reduce the dimension of the example feature space, and the classification accuracy has not dramatically decreased comparing to the original feature space.

Wu Yang,Xiao-Chun Yun,Jian-Hua Li

DOI: https://doi.org/10.1007/11610496_114

2006-01-01

Abstract:In recent years, with the rapid development of network technique and network bandwidth, the network attacking events for web servers such as DOS/PROBE are becoming more and more frequent. In order to detect these types of intrusions in the new network environment more efficiently, this paper applies new machine learning methods to intrusion detection and proposes an efficient algorithm based on vector quantization and support vector machine for intrusion detection (VQ-SVM). The algorithm firstly reduces the network auditing dataset by using VQ techniques, produces a codebook as the training example set, and then adopts fast training algorithm for SVM to build intrusion detection model on the codebook. The experiment results indicate that the combined algorithm of VQ-SVM can greatly improve the learning and detecting efficiency of the traditional SVM-based intrusion detection model.

XU Wenlong,YAO Lihong,PAN Li,NI Yousheng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.18.050

2006-01-01

Abstract:Transductive support vector machines (TSVM) classifies the new data vector based on the information only related to this data vector. This paper proposes an anomaly network traffic detection method based on TSVM. The KDD-99 intrusion detection competition data set is used to illustrate the performances of the TSVM. The performance-comparisons of TSVM and traditional inductive SVM are presented. The results show that TSVM can be used in intrusion detection practically.

Chong Di,Yu Su,Zhuoran Han,Shenghong Li

DOI: https://doi.org/10.1007/978-981-10-6571-2_252

2018-01-01

Abstract:As an indispensable defensive measure of network security, the intrusion detection is a process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents. It is a classifier to judge the event is normal or malicious. The information used for intrusion detection contains some redundant features which would increase the difficulty of training the classifier for intrusion detection and increase the time of making predictions. To simplify the training process and improve the efficiency of the classifier, it is necessary to remove these dispensable features. in this paper, we propose a novel LA-SVM scheme to automatically remove redundant features focusing on intrusion detection. This is the first application of learning automata for solving dimension reduction problems. The simulation results indicate that the LA-SVM scheme achieves a higher accuracy and is more efficient in making predictions compared with traditional SVM.

Chengyuan Zhu,Yanyun Pu,Kaixiang Yang,Qinmin Yang,C. L. Philip Chen

DOI: https://doi.org/10.1109/tim.2023.3277937

IF: 5.6

2023-01-01

IEEE Transactions on Instrumentation and Measurement

Abstract:External intrusion incidents pose a severe threat to pipeline security in energy transportation. In response to this, distributed optical fiber sensing technology has been widely studied in the field of safety monitoring in recent years. However, the diversity of the environment along the long-distance pipeline makes the vibration signal complex and changeable, which significantly limits the recognition accuracy in practical applications, resulting in numerous false positives. To address the above issues, we transform intrusion detection into a multiclass classification problem to identify intrusion events. In this study, a scheme of image encoding combined with shifted windows transformer (SwinT) model in computer vision is proposed for pattern recognition. Specifically, the timing signals collected by the distributed vibration sensing (DVS) system are transformed into 2-D images. The correlation and time dependence between sampling points are strengthened in image encoding, and the window and shifted window design of SwinT are used for multiscale feature extraction. Moreover, the focus loss function is introduced to attenuate the impact of the class imbalance issue in the actual scene. Extensive experiments verify the superiority of our proposed method in terms of various evaluation indicators, demonstrating that the model can be deployed online for energy pipeline safety.

LIN Yang,LIU Guiquan,YANG Lishen

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.14.053

2007-01-01

Abstract:In the application of intrusion detection,SVM maintains fine detection status on the condition of small-scale dataset.This paper proposes an improved SVM method.Through cutting non-effective records from training set under the guidance of specific probabilities,it gains better classification results and greatly ameliorates the situation of high resources occupation and time cosumption in traditional SVM training and classification.The tests on DARPA dataset show that this method performs well in intrusion detection.

Zhang Xue-qin,Gu Chun-hua

DOI: https://doi.org/10.3969/j.issn.1000-565X.2010.01.016

2010-01-01

Abstract:In order to eliminate redundant features,reduce the system burden of storage and computation,and improve the performance of the classifier for network intrusion detection,a method to extract network intrusion detection feature is proposed based on the Fisher score and the support vector machine(SVM).Then,in accordance with KDD′99 network intrusion detection dataset,the feature significance rankings for the mixed attack and four single attacks are respectively obtained by using the proposed method.By extracting important features,a SVM classifier is thus constructed.Experimental results show that,as compared with the classifier constructed based on all features,the new classifier is of approximately equivalent accuracy and dramatically low training and testing time cost.

Hao Zhang,Lina Ge,Zhe Wang

DOI: https://doi.org/10.1007/978-3-031-13870-6_53

2022-01-01

Abstract:Intrusion detection system plays an important role in network security, however, the problem with data imbalance limits the detection ability of intrusion detection system. In order to improve the performance of intrusion detection system, this paper proposes to use the adaptive synthetic sampling technique (ADASYN) and random under sampling technique to alleviate the problem of data imbalance in intrusion detection. Firstly, the majority class samples in the dataset are removed by undersampling technology and the minority class samples are oversampled, so the samples can reach a balanced state. Subsequently, a sparse autoencoder (SAE) extracts features from the resampled data to fit the original sample as closely as possible. Finally, LightGBM is applied on the processed dataset for the classification process. Multi-classification experiments were conducted on KDD99 and UNSWNB15 datasets. We compare six models' performance and find LightGBM is superior to other models. Furthermore, we also compare existing methods and the results show that our proposed method outperforms current methods.

Zongwen Fan,Shaleeza Sohail,Fariza Sabrina,Xin Gu

DOI: https://doi.org/10.3390/electronics13101878

IF: 2.9

2024-05-11

Electronics

Abstract:Cybersecurity is one of the important considerations when adopting IoT devices in smart applications. Even though a huge volume of data is available, data related to attacks are generally in a significantly smaller proportion. Although machine learning models have been successfully applied for detecting security attacks on smart applications, their performance is affected by the problem of such data imbalance. In this case, the prediction model is preferable to the majority class, while the performance for predicting the minority class is poor. To address such problems, we apply two oversampling techniques and two undersampling techniques to balance the data in different categories. To verify their performance, five machine learning models, namely the decision tree, multi-layer perception, random forest, XGBoost, and CatBoost, are used in the experiments based on the grid search with 10-fold cross-validation for parameter tuning. The results show that both the oversampling and undersampling techniques can improve the performance of the prediction models used. Based on the results, the XGBoost model based on the SMOTE has the best performance in terms of accuracy at 75%, weighted average precision at 82%, weighted average recall at 75%, weighted average F1 score at 78%, and Matthews correlation coefficient at 72%. This indicates that this oversampling technique is effective for multi-attack prediction under a data imbalance scenario.

engineering, electrical & electronic,computer science, information systems,physics, applied

Wang Yue,Jiang Yiming,Lan Julong

DOI: https://doi.org/10.1088/1742-6596/1738/1/012127

2021-01-01

Journal of Physics: Conference Series

Abstract:Abstract Many deep learning models have been used in network intrusion detection to improve the accuracy of intrusion detection. In the existing deep learning methods, the input sample is either the feature vector extracted from the raw traffic data in advance, or directly the raw traffic data. These two categories of methods have their own limitations. In order to overcome the limitations, this paper proposes a preprocessing method based on multi-packets input unit and the raw traffic data is significantly compressed to improve the computational efficiency. To improve the computational efficiency and the detection accuracy, a deep learning model called F-CNN is designed. Experimental results on the benchmark dataset show that the proposed method has significantly improved detection accuracy and training efficiency compared with existing models with good performance.

GU Yu,ZHENG Jin-hui,DAI Ming-wei,HE Lei

DOI: https://doi.org/10.3969/j.issn.1000-7180.2005.05.005

2005-01-01

Abstract:For large data sets, the performance of Support Vector Machine (SVM) is not satisfied, because of its high complexity of time and space. In order to reduce the complexities, we propose a new method that uses the SVM ensembles with bagging (bootstrap aggregating) in this paper. We train each individual SVM independently using the randomly chosen training samples via a bootstrap technique. After that, they are collected to make a decision according to the majority voting. The experiment results for the intrusion detection data classification show that our proposed SVM ensemble with bagging outperforms any single SVM in terms of classification accuracy.

Weijun li,Zhenyu Liu

DOI: https://doi.org/10.1016/j.proenv.2011.12.040

2011-01-01

Procedia Environmental Sciences

Abstract:Network intrusion is always hidden in a mass of routine data and the differences between these data are very large. Normalization can help to speed up the learning phase and avoiding numerical problems such as precision loss from arithmetic overflows. Some normalization methods are analyzed and simulated. Experiments results show that the method using SVM with normalization has much better performance compared to the method using SVM without normalization in classing intrusion data of KDD99 and Min-Max Normalization has better performance in speed, accuracy of cross validation and quantity of support vectors than other normalization methods.

English Else

Zachary Tauscher,Yushan Jiang,Kai Zhang,Jian Wang,Houbing Song

DOI: https://doi.org/10.48550/arXiv.2108.08394

2021-08-19

Abstract:With massive data being generated daily and the ever-increasing interconnectivity of the world's Internet infrastructures, a machine learning based intrusion detection system (IDS) has become a vital component to protect our economic and national security. In this paper, we perform a comprehensive study on NSL-KDD, a network traffic dataset, by visualizing patterns and employing different learning-based models to detect cyber attacks. Unlike previous shallow learning and deep learning models that use the single learning model approach for intrusion detection, we adopt a hierarchy strategy, in which the intrusion and normal behavior are classified firstly, and then the specific types of attacks are classified. We demonstrate the advantage of the unsupervised representation learning model in binary intrusion detection tasks. Besides, we alleviate the data imbalance problem with SVM-SMOTE oversampling technique in 4-class classification and further demonstrate the effectiveness and the drawback of the oversampling mechanism with a deep neural network as a base model.

Cryptography and Security,Machine Learning

Wei Wu,Haipeng Peng,Haotian Zhu,Derun Zhang

DOI: https://doi.org/10.3390/s24134253

2024-06-30

Abstract:With the rapid development of the Internet of Things (IoT), the sophistication and intelligence of sensors are continually evolving, playing increasingly important roles in smart homes, industrial automation, and remote healthcare. However, these intelligent sensors face many security threats, particularly from malware attacks. Identifying and classifying malware is crucial for preventing such attacks. As the number of sensors and their applications grow, malware targeting sensors proliferates. Processing massive malware samples is challenging due to limited bandwidth and resources in IoT environments. Therefore, compressing malware samples before transmission and classification can improve efficiency. Additionally, sharing malware samples between classification participants poses security risks, necessitating methods that prevent sample exploitation. Moreover, the complex network environments also necessitate robust classification methods. To address these challenges, this paper proposes CSMC (Compressed Sensing Malware Classification), an efficient malware classification method based on compressed sensing. This method compresses malware samples before sharing and classification, thus facilitating more effective sharing and processing. By introducing deep learning, the method can extract malware family features during compression, which classical methods cannot achieve. Furthermore, the irreversibility of the method enhances security by preventing classification participants from exploiting malware samples. Experimental results demonstrate that for malware targeting Windows and Android operating systems, CSMC outperforms many existing methods based on compressed sensing and machine or deep learning. Additionally, experiments on sample reconstruction and noise demonstrate CSMC's capabilities in terms of security and robustness.

陈光英,张千里,李星

DOI: https://doi.org/10.3321/j.issn:1000-436x.2002.05.010

2002-01-01

Abstract:An intrusion detection system based on SVM classification technique was designed and implemented. It uses the technique of support vector machine to recognize TCP network connections without the reference of the port numbers. If a connection is recognized in a category that is different from the type of service characterized by the port number, then the connection is considered abnormal. This paper also focused on how the trace time, the feature set size and the kernel function of SVM affect the recognition error rate. Results from preliminary experiments show that our system can detect abnormal TCP network connections.

Yanmeng Mo,Huige Li,Dongsheng Wang,Gaqiong Liu

DOI: https://doi.org/10.7717/peerj-cs.2152

2024-06-28

PeerJ Computer Science

Abstract:With the rapid extensive development of the Internet, users not only enjoy great convenience but also face numerous serious security problems. The increasing frequency of data breaches has made it clear that the network security situation is becoming increasingly urgent. In the realm of cybersecurity, intrusion detection plays a pivotal role in monitoring network attacks. However, the efficacy of existing solutions in detecting such intrusions remains suboptimal, perpetuating the security crisis. To address this challenge, we propose a sparse autoencoder-Bayesian optimization-convolutional neural network (SA-BO-CNN) system based on convolutional neural network (CNN). Firstly, to tackle the issue of data imbalance, we employ the SMOTE resampling function during system construction. Secondly, we enhance the system’s feature extraction capabilities by incorporating SA. Finally, we leverage BO in conjunction with CNN to enhance system accuracy. Additionally, a multi-round iteration approach is adopted to further refine detection accuracy. Experimental findings demonstrate an impressive system accuracy of 98.36%. Comparative analyses underscore the superior detection rate of the SA-BO-CNN system.

computer science, information systems, artificial intelligence, theory & methods

Taining Zhang,Yihan Xiao,C. Xing,Zhongkai Zhao

DOI: https://doi.org/10.1109/ACCESS.2019.2904620

IF: 3.9

2019-03-12

IEEE Access

Abstract:With the popularity and development of network technology and the Internet, intrusion detection systems (IDSs), which can identify attacks, have been developed. Traditional intrusion detection algorithms typically employ mining association rules to identify intrusion behaviors. However, they fail to fully extract the characteristic information of user behaviors and encounter various problems, such as high false alarm rate (FAR), poor generalization capability, and poor timeliness. In this paper, we propose a network intrusion detection model based on a convolutional neural network–IDS (CNN–IDS). Redundant and irrelevant features in the network traffic data are first removed using different dimensionality reduction methods. Features of the dimensionality reduction data are automatically extracted using the CNN, and more effective information for identifying intrusion is extracted by supervised learning. To reduce the computational cost, we convert the original traffic vector format into an image format and use a standard KDD-CUP99 dataset to evaluate the performance of the proposed CNN model. The experimental results indicate that the AC, FAR, and timeliness of the CNN–IDS model are higher than those of traditional algorithms. Therefore, the model we propose has not only research significance but also practical value.

Engineering,Computer Science