Haifeng Lv,Xiaoyu Ji,Yong Ding

DOI: https://doi.org/10.1088/1742-6596/2517/1/012016

2023-01-01

Journal of Physics Conference Series

Abstract:The intrusion detection system (IDS) plays an important part because it offers an efficient way to prevent and mitigate cyber attacks. Numerous deep learning methods for intrusion anomaly detection have been developed as a result of recent advances in artificial intelligence (AI) in order to strengthen internet security. The balance among the high detection rate (DR), the low false alarm rate (FAR) and disaster of dimensionality is the crucial apprehension while devising an effective IDS. For the binary classification of intrusion detection systems, we present in this study a mixed model called K-means-XGBoost consisting of K-means and (Extreme Gradient Boosting, XGBoost) algorithms. The distributed computation of our method is achieved in Spark platform to rapidly separate normal events and anomaly events. In phrases of accuracy, DR, F1-score, recall, precision, and error indices FAR, the proposed model’s performance is measured via the well-known dataset of NSL-KDD. The experimental outcomes indicate that our method is outstandingly better among accuracy, DR, F1-score, training time, and processing speed, compared to other models which are recently created. In particular, the accuracy, F1-score, and DR of the proposed model can achieve as high as 93.28%, 94.39%, and 99.22% in the NSL-KDD dataset, respectively.

Xuedan Miao,Ying Liu,Haiquan Zhao,Chunguang Li

DOI: https://doi.org/10.1109/tcyb.2018.2804940

IF: 11.8

2019-01-01

IEEE Transactions on Cybernetics

Abstract:Anomaly detection has attracted much attention in recent years since it plays a crucial role in many domains. Various anomaly detection approaches have been proposed, among which one-class support vector machine (OCSVM) is a popular one. In practice, data used for anomaly detection can be distributively collected via wireless sensor networks. Besides, as the data usually arrive at the nodes sequentially, online detection method that can process streaming data is preferred. In this paper, we formulate a distributed online OCSVM for anomaly detection over networks and get a decentralized cost function. To get the decentralized implementation without transmitting the original data, we use a random approximate function to replace the kernel function. Furthermore, to find an appropriate approximate dimension, we add a sparse constraint into the decentralized cost function to get another one. Then we minimize these two cost functions by stochastic gradient descent and derive two distributed algorithms. Some theoretical analysis and experiments are performed to show the effectiveness of the proposed algorithms. Experimental results on both synthetic and real datasets reveal that both of the proposed algorithms achieve low mis-detection rates and high true positive rates. Compared with other state-of-the-art anomaly detection methods, the proposed distributed algorithms not only show good anomaly detection performance, but also require relatively short running time and low CPU memory consumption.

Jingxuan Pang,Xiaokun Pu,Chunguang Li

DOI: https://doi.org/10.1109/tii.2022.3145834

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:Anomaly detection plays an important role in industry, especially in ensuring system safety and product quality. Due to the unavailability of anomalous data in many practical cases, anomaly detection is usually solved by one-class classification (OCC) methods using only normal data. As a classical OCC method, one-class support vector machine (OCSVM) is a popular discriminative approach for anomaly detection, which detects abnormal data points by establishing a decision boundary in the kernel space. However, the performance of OCSVM heavily relies on kernel parameters, whose selection is not trivial for anomaly detection problems. Moreover, for some uneven and complex data distributions, different data regions may have quite different densities and shapes, making it difficult for OCSVM to obtain good boundaries in all regions using a global kernel parameter. To address the above two issues, in this article, we propose a hybrid algorithm incorporating vector quantization and OCSVM (VQ-OCSVM). Specifically, vector quantization is used to extract distribution information of normal data, and the results are used to construct an explicit mapping function to map data into a high-dimensional feature space. Then, OCSVM is performed in the feature space to build a classifier. By introducing the explicit mapping into OCSVM, the proposed method can effectively bypass the kernel parameter selection problem of the classical OCSVM method. Furthermore, the constructed mapping carries the data distribution information, and the VQ-OCSVM model can be regarded as an integration of generative learning and discriminative learning. The complementary properties of these two paradigms make the proposed VQ-OCSVM algorithm have better generalization capacity for complex data distribution. Both qualitative and quantitative experimental results demonstrate the effectiveness and advantages of the proposed method.

Adel Binbusayyis,Thavavel Vaiyapuri

DOI: https://doi.org/10.1007/s10489-021-02205-9

IF: 5.3

2021-02-24

Applied Intelligence

Abstract:With the rapid advancement in network technologies, the need for cybersecurity has gained increasing momentum in recent years. As a primary defense mechanism, an intrusion detection system (IDS) is expected to adapt and secure the computing infrastructures from the ever-changing sophisticated threat landscape. Many deep learning approaches have recently been proposed; however, these techniques face significant challenges in identifying all types of attacks, especially rare attacks due to network traffic imbalances and the lack of a sufficient number of abnormal traffic samples for model training. To overcome these shortcomings and improve detection performance, this paper presents an unsupervised deep learning approach for intrusion detection. Unlike the existing IDS model that extracts features and trains a classifier in two separate stages, a single-stage IDS approach that integrates a one-dimensional convolutional autoencoder (1D CAE) and a one-class support vector machine (OCSVM) as a classifier into a joint optimization framework is introduced in this paper for the first time. Using only the normal traffic samples, the approach simultaneously optimizes the 1D CAE for compact feature representation and the OCSVM for classification by defining a unified objective function combining reconstruction error with classification error. Thus, the generated compact feature representation has not only reconstruction ability but also discriminative ability for classification. An in-depth ablation analysis validates the design decisions and provides further insight of the proposed approach. An extensive set of experiments on two benchmark intrusion datasets, NSL-KDD and UNSW-NB15, demonstrates the generalization ability of the proposed model for unseen attacks and confirms it as a competitive approach over the recent state-of-the-art intrusion detection baselines. Overall, the obtained results emphasize that the proposed approach has potential to serve as a baseline for building an effective IDS.

computer science, artificial intelligence

Qian Huang,Zhen Wang,Tao Wei,Yu Chen

2006-01-01

Abstract:This paper presents an algorithm for intrusion detection, based on one-class support vector machine (SVM) and online training of SVM. The algorithm formulates intrusion detection as a one-class classification problem. The model-building part of the algorithm works even when the training data is noisy, and therefore compared with regular SVM algorithms, it imposes fewer requirements on the training set and has a higher detection rate. For the testing data containing new types of attack, the algorithm can add such data to the training set and update the training result real-time. It tests the algorithm on KDD CUP' 99 benchmark data set for intrusion detection and the result shows that the algorithm is able to shorten the training time, and in the same time, obtain a high detection rate.

Caihong Wang,Run Huang,Weihang Zhang,Jian Sun

DOI: https://doi.org/10.1109/iccwamtip47768.2019.9067642

2019-01-01

Abstract:The main purpose of the intrusion detection system (IDS) is to detect a network attack and respond to the network intrusion. Existing supervised IDSs require a large amount of tag data as the training data, and there is almost no effect on the unknown attacks. Traditional unsupervised intrusion systems have problems including low accuracy and the inability to provide specific information regarding the detected attacks. To solve the above problems, we propose a multilayer IDS based on semi-supervised clustering. This system solves the problem of insufficient training data by using tag extension technology and genetic algorithm, and solves the problem of unsupervised clustering unable to provide specific information of attack by using the idea of semi-supervised clustering. We use the NSL-KDD dataset to conduct the experiments. The simulation results show that the proposed IDS only needs a small amount of training data to obtain better performance, especially for lower frequency attacks.

Tianyue Zhang,Wei Chen,Yuxiao Liu,Lifa Wu

DOI: https://doi.org/10.1016/j.cose.2023.103144

2023-02-24

Abstract:The analysis of a substantial portion of network data is a requirement for almost any machine learning-based network intrusion detection method. High dimension features, a lack of labelled datasets, and inflexible feature selection are some of the difficulties it encounters. This paper proposes an intrusion detection method based on stacked sparse autoencoder and improved Gaussian mixture model (SIGMOD). The method utilizes the stacked sparse autoencoder to produce non-linear dimensionality reduction after first using the Pearson correlation coefficient to achieve linear dimensionality reduction. It can lessen redundant data, obtain low-dimensional features and generate reconstruction errors of the samples, which are subsequently fed into the improved Gaussian mixture model. The method finally judges whether it is abnormal according to the output sample energy threshold of the improved Gaussian mixture model. Unlike the traditional anomaly detection technology that performs dimensionality reduction and clustering in two separate steps, SIGMOD jointly optimizes the parameters of the stacked sparse autoencoder and the Gaussian mixture model in an end-to-end manner, avoiding the key feature loss of cluster analysis in dimensionality reduction by the two-step method. The experiment results on the UNSW-NB15 dataset demonstrate that SIGMOD performs significantly better than the conventional anomaly detection approach.

computer science, information systems

Fei Wang,Hongliang Zhu,Bin Tian,Yang Xin,Xinxin Niu,Yu Yang

DOI: https://doi.org/10.1109/icbnmt.2011.6155940

2011-01-01

Abstract:Intrusion-detection systems (IDSs) are essential tools for the security of computer systems. Anomaly detection, which uses knowledge about normal behaviors and attempts to detect intrusions by noting significant deviations, has been paid more and more attention. In this paper, we introduce a HMM-based method for anomaly detection. The proposed method is composed of two important stages: off-line training stage and on-line testing stage. In the off-line training stage, we train the normal behaviors by hidden Markov models (HMMs). In the on-line testing stage, we make the final decision based on the minimum risk Bayesian decision theory. We deploy the method on an IDS system to evaluate its performance, and the experimental results demonstrate that our method can achieve satisfying results.

Fei Wang,Yuwen Qian,Yuewei Dai,Zhiquan Wang

DOI: https://doi.org/10.1109/CMC.2010.9

2010-01-01

Abstract:For solving the problem of less information getting about unknown intrusions in anomaly detection, a model based on hybrid SVM/SOM is proposed. Firstly, C-SVM is used to find out the anomalous connections, and then, a packet filtering scheme is used to remove the known intrusions, which is performed by one-class SVM, after that, the identified unknown intrusions are projected onto the output grid by SOM. Finally, the experimental results, which use kddcup99 dataset, show high detection rate with low false rate and can get more information about the unknown intrusion.

YX Wang,J Wong,A Miner

DOI: https://doi.org/10.1109/iaw.2004.1437839

2004-01-01

Abstract:Kernel methods are widely used in statistical learning for many fields, such as protein classification and image processing. We recently extend kernel methods to intrusion detection domain by introducing a new family of kernels suitable for intrusion detection. These kernels, combined with an unsupervised learning method - one-class Support Vector Machine, are used for anomaly detection. Our experiments show that the new anomaly detection methods are able to achieve better accuracy rates than the conventional anomaly detectors.

Yuyang Zhou,Guang Cheng,Shanqing Jiang,Mian Dai

DOI: https://doi.org/10.1016/j.comnet.2020.107247

IF: 5.493

2020-01-01

Computer Networks

Abstract:Intrusion detection system (IDS) is one of extensively used techniques in a network topology to safeguard the integrity and availability of sensitive assets in the protected systems. Although many supervised and unsupervised learning approaches from the field of machine learning have been used to increase the efficacy of IDSs, it is still a problem for existing intrusion detection algorithms to achieve good performance. First, lots of redundant and irrelevant data in high-dimensional datasets interfere with the classification process of an IDS. Second, an individual classifier may not perform well in the detection of each type of attacks. Third, many models are built for stale datasets, making them less adaptable for novel attacks. Thus, we propose a new intrusion detection framework in this paper, and this framework is based on the feature selection and ensemble learning techniques. In the first step, a heuristic algorithm called CFS-BA is proposed for dimensionality reduction, which selects the optimal subset based on the correlation between features. Then, we introduce an ensemble approach that combines C4.5, Random Forest (RF), and Forest by Penalizing Attributes (Forest PA) algorithms. Finally, voting technique is used to combine the probability distributions of the base learners for attack recognition. The experimental results, using NSL-KDD, AWID, and CIC-IDS2017 datasets, reveal that the proposed CFS-BA-Ensemble method is able to exhibit better performance than other related and state of the art approaches under several metrics.

Yang Chen,Nami Ashizawa,Seanglidet Yean,Chai Kiat Yeo,Naoto Yanai

DOI: https://doi.org/10.48550/arXiv.2008.12686

2020-08-28

Abstract:In the information age, a secure and stable network environment is essential and hence intrusion detection is critical for any networks. In this paper, we propose a self-organizing map assisted deep autoencoding Gaussian mixture model (SOMDAGMM) supplemented with well-preserved input space topology for more accurate network intrusion detection. The deep autoencoding Gaussian mixture model comprises a compression network and an estimation network which is able to perform unsupervised joint training. However, the code generated by the autoencoder is inept at preserving the topology of the input space, which is rooted in the bottleneck of the adopted deep structure. A self-organizing map has been introduced to construct SOMDAGMM for addressing this issue. The superiority of the proposed SOM-DAGMM is empirically demonstrated with extensive experiments conducted upon two datasets. Experimental results show that SOM-DAGMM outperforms state-of-the-art DAGMM on all tests, and achieves up to 15.58% improvement in F1 score and with better stability.

Machine Learning,Cryptography and Security,Social and Information Networks

Yuyang Zhou,Guang Cheng

2019-01-01

Abstract:Intrusion detection system (IDS) is one of extensively used techniques in a network topology to safeguard the integrity and availability of sensitive assets in the protected systems. Although many supervised and unsupervised learning approaches from the field of machine learning have been used to increase the efficacy of IDSs, it is still a problem for existing intrusion detection algorithms to achieve good performance. First, lots of redundant and irrelevant data in high-dimensional datasets interfere with the classification process of an IDS. Second, an individual classifier may not perform well in the detection of each type of attacks. Third, many models are built for stale datasets, making them less adaptable for novel attacks. Thus, we propose a new intrusion detection framework in this paper, and this framework is based on the feature selection and ensemble learning techniques. In the first step, a heuristic algorithm called CFS-BA is proposed for dimensionality reduction, which selects the optimal subset based on the correlation between features. Then, we introduce an ensemble approach that combines C4.5, Random Forest (RF), and Forest by Penalizing Attributes (Forest PA) algorithms. Finally, voting technique is used to combine the probability distributions of the base learners for attack recognition. The experimental results, using NSL-KDD, AWID, and CIC-IDS2017 datasets, reveal that the proposed CFS-BA-Ensemble method is able to exhibit better performance than other related and state of the art approaches under several metrics.

Li Jieling,Zhang Hao,Liu Yanhua,Liu Zhihuang

DOI: https://doi.org/10.1007/s11227-022-04390-x

2022-01-01

Abstract:Network intrusion detection plays an important role as tools for managing and identifying potential threats, which presents various challenges. Redundant features and difficult marking in data cause a long-term problem in network traffic detection. In this paper, we propose a semi-supervised machine learning framework based on multi-strategy feature filtering, principal component analysis (PCA), and an improved Tri-Light Gradient Boosting Machine (Tri-LightGBM) based on stratified sampling. This multi-strategy feature filtering method employing Fisher score and Information gain can select features that have good category discrimination and are more relevant to category labels. After that, we combine PCA to convert multiple features into comprehensive features, which are used as the input of the Tri-LightGBM model. Tri-LightGBM can exploit unlabeled data cooperatively and maintain a large disagreement among the base learners. Moreover, we propose a stratified sampling based on labeled categories to reduce the probability of being selected as the same category during the model update process. Thus, the Tri-LightGBM based on stratified sampling can compensate for the classification error rate caused by the imbalance of the dataset. The semi-supervised machine learning framework is evaluated on two intrusion detection evaluation datasets, namely UNSW-NB15 and CIC-IDS-2017. The evaluation results show that the multi-strategy feature filtering method can increase the accuracy, recall, precision, and F-measure by up to 0.5%, and reduce the false-positive rate by up to 0.5%. Furthermore, the precision rate of minority categories can be increased by about 1–2%.

Hongliang Zhu,Yang Xin,Fei Wang

DOI: https://doi.org/10.1109/ICBNMT.2011.6156020

2011-01-01

Abstract:Intrusion-detection systems (IDSs) are essential tools for the security of computer systems. Anomaly detection, which uses knowledge about normal behaviors and attempts to detect intrusions by noting significant deviations, has been paid more and more attention. In this paper, we introduce a novel framework for anomaly detection. In the proposed method, two widely used statistical learning method, Hidden Markov Model and Support Vector. Machine, are introduced to detect the abnormal events. Then, we fuse the detection results by some special rules. We deploy the method on an IDS system to evaluate its performance, and the experimental results demonstrate that. our method can achieve satisfying results.

Alimov Abdulboriy,Ji Sun Shin

DOI: https://doi.org/10.1109/access.2024.3361041

IF: 3.9

2024-02-10

IEEE Access

Abstract:With the rapid growth of digitalization and the increasing volume of data, the cybersecurity threat landscape is expanding at an alarming rate. Intrusion Detection Systems (IDS) have been widely employed in conjunction with firewalls to safeguard networks. However, traditional IDS systems operate in a static manner, rendering them vulnerable to obsolescence and necessitating costly retraining efforts. As a result, the demand for dynamic models capable of handling continuous streams of network traffic has surged as they can learn from the incoming traffic without the need to old data and costly retraining. In response to this challenge, we have implemented an enhanced approach: an incremental majority voting IDS system, which utilizes existing tools and techniques to improve the robustness and adaptability of intrusion detection By leveraging the collective decision-making power of multiple machine learning models such as: KNN classifier, Softmax Regressor and Adaptive Random Forest classifier, our system aims to improve the accuracy, especially reducing false alarm rates, and effectiveness of intrusion detection in real-time scenarios. Through this research, we have managed to obtain a model which scores 96.43% of accuracy as well as giving 100% precision for majority type of attacks. By successfully handling the imbalanced nature of streaming data, our adopted model shows promising potential as a high-performing solution for IDS and can be considered one of the robust IDS models capable of dealing with real-world imbalanced datasets.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xiao Haijun,Peng Fang,Wang Ling,Ll Hongwei

DOI: https://doi.org/10.1109/gsis.2007.4443446

2007-01-01

Abstract:In order to gain the result of identifying a good detection mechanism in intrusion detection, several intelligent techniques such as ANNs, SVMs, and data mining techniques are being used to build IDSs. Instead examining all data features to detect intrusion or misuse patterns, the approach of Adhoc-based feature selection and support vector machine classifier for detect intrusion is performed. In this performance of IDS, Ad hoc technology is used to optimize the feature subset for raw data and 10-fold cross validation is used to optimize the parameters of SVM for intrusion detection. The result of our experiments shows that the FS & SVM is not only superior to the famous data mining strategy, but also superior to other intelligent paradigms.

Wanjun LIU,Jitao QIN,Haicheng QU

DOI: https://doi.org/10.11772/j.issn.1001-9081.2017102502

2018-01-01

Abstract:Since the intrusion detection method based on One-Class Support Vector Machine (OCSVM) can not detect internal abnormal points and outliers,which leads to the deviation of decision function from training samples.A new OCSVM anomaly detection function combining DBSCAN (Density-Based Spatial Clustering of Applications with Noise) and K-means was proposed.Firstly,the outliers in the training data were removed by DBSCAN algorithm to eliminate the influence of outliers.Then,K-means clustering method was used to classify normal data clusters,so that the internal abnormal points could be selected.Finally,a one-class classifier for each data cluster was created to detect exception data by OCSVM algorithm.The experimental results on industrial control networks show that the combined classifier can detect the intrusion attacks of the industrial control network by using normal data,and it can improve the detection effect of OCSVM algorithm.In intrusion detection experiment of gas pipeline,the overall detection rate of the proposed method is 91.81％,while the overall detection rate of OCSVM algorithm is 80.77％.

WANG Jialin,LIU Jiqiang,ZHAO Di,WANG Yingdi,XIANG Yingxiao,CHEN Tong,TONG Endong,NIU Wenjia

DOI: https://doi.org/10.11959/j.issn.2096-109x.2018086

2018-01-01

Abstract:Network intrusion detection system plays an important role in protecting network security.With the continuous development of science and technology,the current intrusion technology cannot cope with the modern complex and volatile network abnormal traffic,without taking into account the scalability,sustainability and training time of the detection technology.Aiming at these problems,a new deep learning method was proposed,which used unsupervised non-symmetric convolutional auto-encoder to learn the characteristics of the data.In addition,a new method based on the combination of non-symmetric convolutional auto-encoder and multi-class support vector machine was proposed.Experiments on the data set of KDD99 show that the method achieves good results,significantly reduces training time compared with other methods,and further improves the network intrusion detection technology.

张琨,许满武,刘凤玉,张宏

DOI: https://doi.org/10.3969/j.issn.1000-3428.2004.18.017

2004-01-01

Abstract:An intrusion detection system based on support vector machine is designed and implemented. The generalizing ability of intrusion detection system is still good when the priori knowledge is less (namely, the sample size is small). Comparison of detection ability between the above detection method and BP neural network shows that the intrusion detection system based on support vector machine can effectively detect intrusion and can dramatically shorten the training time under the same detection performance condition.