Zhongyang Xiong,Yufang Zhang,Daijie Cheng,Daoqun Liu

2006-01-01

Abstract:Intrusion Detection System (IDS), a kind of dynamic security technique, is an important means for network security. Aimed at overcoming drawbacks such as the higher false alarms rate, the higher missing alarms rate and the lower efficiency existed in most current IDS, an improved intrusion detection model based on genetic algorithm and neural network is presented. The more advanced nonlinear mode of neural network is adopted other than the general intrusion detection mode based on intrusion actions. This intrusion detection model integrates misusing detection and anomaly detection, takes the data from host and network as data sources and combines genetic algorithm and neural network in order to improve adaptability and intelligence of IDS. The new fitness function is redesigned, and cross operator and mutation operator are modified in improved genetic algorithm. These meet the intrusion detection requirement and have better adaptability. The experiments on the KDD CUP 1999 data records of network connections verified that the model put forward is better and achieved the objection.

Congyuan Xu,Jizhong Shen,Xin Du,Fan Zhang

DOI: https://doi.org/10.1109/access.2018.2867564

IF: 3.9

2018-01-01

IEEE Access

Abstract:To improve the performance of network intrusion detection systems (IDS), we applied deep learning theory to intrusion detection and developed a deep network model with automatic feature extraction. In this paper, we consider the characteristics of the time-related intrusion and propose a novel IDS that consists of a recurrent neural network with gated recurrent units (GRU), multilayer perceptron (MLP), and softmax module. Experiments on the well-known KDD 99 and NSL-KDD data sets show that the system has leading performance. The overall detection rate was 99.42% using KDD 99 and 99.31% using NSL-KDD with false positive rates as low as 0.05% and 0.84%, respectively. In particular, for detecting the denial of service attacks, the system achieved detection rates of 99.98% and 99.55%, respectively. Comparative experiments showed that the GRU is more suitable as a memory unit for IDS than LSTM, and proved that it is an effective simplification and improvement of LSTM. Moreover, the bidirectional GRU can reach the best performance compared with the recently published methods.

Jinping Liu,Wuxia Zhang,Zhaohui Tang,Yongfang Xie,Tianyu Ma,Jingjing Zhang,Guoyong Zhang,Jean Paul Niyoyita

DOI: https://doi.org/10.1016/j.eswa.2019.112845

IF: 8.5

2019-01-01

Expert Systems with Applications

Abstract:In this paper, an adaptive network intrusion detection method using fuzzy rough set-based feature selection and GA-GOGMM-based pattern learning is presented. Based on the fuzzy rough set theory, the optimal attribute subset of network connection records is achieved by the information gain ratio criterion in advance. A greedy algorithm-based global optimal Gaussian mixture model (GMM) clustering method, termed GA-GOGMM, is introduced, to extract the intrinsic structure of network instances to achieve highly-discernable and stable normal and intrusion pattern libraries for the subsequent network intrusion detection (NID). GA-GOGMM-based pattern learning can achieve the optimal GMM of network traffic instances for the pattern clustering while avoiding the negative effect of the empirical initialization of clustering numbers and random initialization of clustering centers with a low computational complexity. An adaptive model updating mechanism is further introduced for the online updating of normal and intrusion pattern libraries to ensure the adaptability of the NID model. Extensive validation and comparative experiments, conducted on a benchmark dataset NSL-KDD and a self-built Nidsbench-based network simulation platform, show that the proposed ANID approach leads to a significant improvement in detection accuracies with low false alarms and missing reports on both known and unknown attacks. It can effectively adapt to the dynamic changing network environments with high detection accuracy and low false alarm rate as well as low missing reporting rate, which has significant application prospects. (C) 2019 Elsevier Ltd. All rights reserved.

Nour Moustafa,Jill Slay

DOI: https://doi.org/10.4225/75/57a84d4fbefbb

2017-07-18

Abstract:Network intrusion detection systems are an active area of research to identify threats that face computer networks. Network packets comprise of high dimensions which require huge effort to be examined effectively. As these dimensions contain some irrelevant features, they cause a high False Alarm Rate (FAR). In this paper, we propose a hybrid method as a feature selection, based on the central points of attribute values and an Association Rule Mining algorithm to decrease the FAR. This algorithm is designed to be implemented in a short processing time, due to its dependency on the central points of feature values with partitioning data records into equal parts. This algorithm is applied on the UNSW-NB15 and the NSLKDD data sets to adopt the highest ranked features. Some existing techniques are used to measure the accuracy and FAR. The experimental results show the proposed model is able to improve the accuracy and decrease the FAR. Furthermore, its processing time is extremely short.

Cryptography and Security

I. Sumaiya Thaseen,J. Saira Banu,K. Lavanya,Muhammad Rukunuddin Ghalib,Kumar Abhishek

DOI: https://doi.org/10.1002/ett.4014

IF: 3.6

2020-06-08

Transactions on Emerging Telecommunications Technologies

Abstract:<p>Serious concerns regarding vulnerability and security have been raised as a result of the constant growth of computer networks. Intrusion detection systems (IDS) have been adopted by network administrators to provide essential network security. Commercial IDS in the market do not have the capability to identify novel attacks but generate false alarms for legitimate user activities. Neural networks can be applied for the solution of these issues and for providing improved accuracy. Correlation‐based attribute selection ranks the features according to the highest correlation between the attributes and class label. In this article, the authors propose a correlation‐based feature selection integrated with neural network for identifying anomalies. Experimental analysis performed on NSL‐KDD and UNSW‐NB datasets, which are benchmark datasets of intrusion detection with current attacks. The results show that the proposed model is superior in terms of accuracy, sensitivity, and specificity in comparison with some of the state‐of‐the‐art techniques. With the emergence of the Internet of Things Technology, such IDS can be deployed for securing the IoT servers in future. Wireless payment systems can be secured by building and deploying IDS. A secure integrated network management can be achieved which is error‐free and thereby improving performance.</p>

telecommunications

Yuteng Guo,Beizhan Wang,Xinxing Zhao,Xiaobiao Xie

DOI: https://doi.org/10.1109/iccse.2010.5593765

2010-01-01

Abstract:In the Network Intrusion Detection, the large number of features increases the time and space cost, besides the irrelative redundant characteristics make the detection accuracy dropped. In order to improve detection accuracy and efficiency, a new Feature Selection method based on Rough Sets and improved Genetic Algorithms is proposed for Network Intrusion Detection. Firstly, the features are filtered by virtue of the Rough Sets theory; then in the remaining feature subset, the Optimal subset will be found out through the Genetic Algorithm improved with Population Clustering approach for the best ultimate optimized results. Finally, the effectiveness of the algorithm is tested on the classical KDD CUP 99 data sets, using the SVM classifier for performance evaluation. The experiment shows that the new method improves the accuracy and efficiency in Network Intrusion Detection compared with the related researches of the intrusion detection system.

Hua Jiang,Junhu Ruan

DOI: https://doi.org/10.4304/jcp.4.12.1223-1230

2009-01-01

Journal of Computers

Abstract:Traditional network security models have not meet the development of network technologies, so PPDR model emerged, as the times require. Instruction detection technology is an important composed part in PPDR model and it make up for the shortages of firewall and data security protection. This technology has not only distinguished from computer and network resources, but also has given important information in instruction; it has not only detected instructing action from out word, but also has controlled user's actions. Instruction detection technology is the core in instruction detection system, it include abnormity instruction and abused instruction detection. However, how to detect whether there are intrusions is a problem to need solving first. According to the high missing report rate and high false report rate of existing intrusion detection systems, the paper proposed an anomaly intrusion detection model based on genetic neural network, which combined the good global searching ability of genetic algorithm with the accurate local searching feature of BP networks to optimize the initial weights of neural networks. The practice overcame the shortcomings in BP algorithm such as slow convergence, easily dropping into local minimum and weakness in global searching. Simulation results showed that the practice worked well, fast learning speed and high-accuracy categories.

Ying Zhang,Peisong Li,Xinheng Wang

DOI: https://doi.org/10.1109/access.2019.2903723

IF: 3.9

2019-01-01

IEEE Access

Abstract:With the advent of the Internet of Things (IoT), the security of the network layer in the IoT is getting more and more attention. The traditional intrusion detection technologies cannot be well adapted in the complex Internet environment of IoT. For the deep learning algorithm of intrusion detection, a neural network structure may have fine detection accuracy for one kind of attack, but it may not have a good detection effect when facing other attacks. Therefore, it is urgent to design a self-adaptive model to change the network structure for different attack types. This paper presents an intrusion detection model based on improved genetic algorithm (GA) and deep belief network (DBN). Facing different types of attacks, through multiple iterations of the GA, the optimal number of hidden layers and number of neurons in each layer are generated adaptively, so that the intrusion detection model based on the DBN achieves a high detection rate with a compact structure. Finally, the NSL-KDD dataset was used to simulate and evaluate the model and algorithms. The experimental results show that the improved intrusion detection model combined with DBN can effectively improve the recognition rate of intrusion attacks and reduce the complexity of the neural network structure.

GUO Shan-Qing,XIE Li,ZENG Ying-Pei

DOI: https://doi.org/10.3321/j.issn:0254-4164.2006.09.003

2006-01-01

Abstract:Progress has been made in using machine learning techniques such as SVM and neural networks for intrusion detection,but the non-understandable detection results have prevented those algorithms from being thoroughly utilized.In this paper,the authors put forward a novel huge-data oriented method,which was based on the popular association rules extraction algorithm and targeted at the result of intrusion detection,to build real-time rules for enhancing the understanding of detection results and therefore decrease possible loss.The algorithm,by introducing local support,global confidence,CI-Tree and IX-Tree structure,employed these tree structures to build online rules for currently active intrusion.This algorithm solved a number of problems that exist in applying association rules algorithm to intrusion detection:(1)multi-scan(twice at least);(2)mass useless rules due to unbalanced distribution of attacking data;(3)unwanted frequent set produced in the old two-phase rule-building method.Experimental results have demonstrated the method's good performance in both rule building efficacy and time efficiency.

Mousa Alizadeh,Sadegh E Mousavi,Mohammad T H Beheshti,Ali Ostadi

DOI: https://doi.org/10.1109/icspis54653.2021.9729365

2021-12-29

Abstract:In terms of network topology, one of the extensively utilized technologies is the intrusion detection system (IDS). Despite applying numerous machine learning approaches (supervised and unsupervised) to enhance efficacy, reaching high-grade performance is still a challenging problem for existing intrusion detection algorithms. This study presents a new technique for IDS that focuses on various deep neural networks (DNNs) and their combination for data classification. The proposed model consists of three parts: (1) the feature selection is composed of an intersection of mutual information based on the transductive model (MIT-MIT), Anova F-value, and Genetic Algorithm (GA) methods, (2) the second section is a classifier network using a hybrid CNN-LSTM algorithm, and (3) the hyperparameter optimization module that puts to use Firefly, BAT, and Gray Wolf algorithms. In order to validate and verify the suggested model via accuracy, F1 score, recall, and precision criteria, a benchmark dataset, namely, NSL-KDD, is employed, which compares the proposed method with the highly developed classifiers. The comparison outcomes confirmed the surpassing of the presented strategy over contrast algorithms.

Wan Tang,Ximin Yang,Xia Xie,Yang Cao

2008-01-01

Abstract:The large time and memory space requirement during training data preprocessing and evolution, and high false alarm rate are major drawbacks of network intrusion detection techniques based on evolutionary computation. The intrusion detection rules were representated using gene expression programming (GEP). A formal definition of rule constraint grammar for intrusion detection GEP-based rule was proposed. In order to generate constraint-satisfied rules, the rule constraint judgement and processing was added into GEP basic evolution processes. Finally, the KDD CUP'99 DATA was used for evaluation. In the test set, the probability of detection is 89.79% and false alarm rate is 0.41%. The results indicate that the rules can be generated in small populations and less evolution generation through the proposed constraint and evolution strategy. The rules are effective, simple, and capable of detecting unknown intrusions. The false alarm rate is low remaining the high probability of detection.

ZHU Hong-ping,GONG Qing-ge,LEI Zhan-bo

2012-01-01

Abstract:This paper designed a feature selection algorithm to solve the problem that there are many redundant and irrelevant features in the intrusion detection data sets,which leads to the high feature dimension and low efficiency of detection.First,deleted the redundant and irrelevant features in the ID data set,so as to build the effective feature set L.Then,used a partial checkout to make a deeper choice of the feature to build another feature set L′.Finally,used an improved genetic algorithm to optimize L′,and by this way,all features that could best show the state of the current system would be selected.The result of the stimulant experiment shows that it can improve the efficiency of intrusion detection apparently on condition of guarantee to classification accuracy and lower missing detection and wrong detection.

Jia Liu,Wang Yinchai,Teh Chee Siong,Xinjin Li,Liping Zhao,Fengrui Wei

DOI: https://doi.org/10.21203/rs.3.rs-1770107/v1

2022-01-01

Abstract:Abstract Intrusion detection is a fuzzy classification problem. Intrusion detection can detect the attack behaviors of hackers in advance. For generating a visualizing architecture for identifying intrusions, this study proposes an approach that combines ANFIS (Adaptive Network-based Fuzzy Inference System), DT (Decision Tree), and K-means clustering algorithm for visualizing the deep pattern of intrusion detection. The ANFIS generates complex and fuzzy combinations of selected attributes. To reduce the rules generation of ANFIS, Pearson Correlation analysis is used to select attributes that highly relate to the target. Meanwhile, standard deviation analysis and a proposed adaptive K-means algorithm are used for determining the interval division of selected attributes. Then, the CART (classification and regression tree) is used to identify the deep mode in generated rules and selected attributes. The architecture of the proposed algorithm is a hybrid visualizing approach. The architecture can identify deep and hybrid features in intrusion detection. The proposed algorithm was trained, validated, and tested on the NSL-KDD dataset. Using 22 attributes that highly relate to the target, the performance of the proposed method achieved a 99.86% detection rate and 0.14% false alarm rate, which is better than many classifiers. Besides, the visualizing model can help us visually identify the complex pattern of intrusions and analyze the pattern of various intrusions.

Xianwei Gao,Chun Shan,Changzhen Hu,Zequn Niu,Zhen Liu

DOI: https://doi.org/10.1109/access.2019.2923640

IF: 3.9

2019-01-01

IEEE Access

Abstract:In recent years, advanced threat attacks are increasing, but the traditional network intrusion detection system based on feature filtering has some drawbacks which make it difficult to find new attacks in time. This paper takes NSL-KDD data set as the research object, analyses the latest progress and existing problems in the field of intrusion detection technology, and proposes an adaptive ensemble learning model. By adjusting the proportion of training data and setting up multiple decision trees, we construct a MultiTree algorithm. In order to improve the overall detection effect, we choose several base classifiers, including decision tree, random forest, kNN, DNN, and design an ensemble adaptive voting algorithm. We use NSL-KDD Test+ to verify our approach, the accuracy of the MultiTree algorithm is 84.2%, while the final accuracy of the adaptive voting algorithm reaches 85.2%. Compared with other research papers, it is proved that our ensemble model effectively improves detection accuracy. In addition, through the analysis of data, it is found that the quality of data features is an important factor to determine the detection effect. In the future, we should optimize the feature selection and preprocessing of intrusion detection data to achieve better results.

Chi-Ho Tsang,Sam Kwong,Hanli Wang

DOI: https://doi.org/10.1016/j.patcog.2006.12.009

IF: 8

2007-01-01

Pattern Recognition

Abstract:Classification of intrusion attacks and normal network traffic is a challenging and critical problem in pattern recognition and network security. In this paper, we present a novel intrusion detection approach to extract both accurate and interpretable fuzzy IF-THEN rules from network traffic data for classification. The proposed fuzzy rule-based system is evolved from an agent-based evolutionary framework and multi-objective optimization. In addition, the proposed system can also act as a genetic feature selection wrapper to search for an optimal feature subset for dimensionality reduction. To evaluate the classification and feature selection performance of our approach, it is compared with some well-known classifiers as well as feature selection filters and wrappers. The extensive experimental results on the KDD-Cup99 intrusion detection benchmark data set demonstrate that the proposed approach produces interpretable fuzzy systems, and outperforms other classifiers and wrappers by providing the highest detection accuracy for intrusion attacks and low false alarm rate for normal network traffic with minimized number of features.

Yuyang Zhou,Guang Cheng

2019-01-01

Abstract:Intrusion detection system (IDS) is one of extensively used techniques in a network topology to safeguard the integrity and availability of sensitive assets in the protected systems. Although many supervised and unsupervised learning approaches from the field of machine learning have been used to increase the efficacy of IDSs, it is still a problem for existing intrusion detection algorithms to achieve good performance. First, lots of redundant and irrelevant data in high-dimensional datasets interfere with the classification process of an IDS. Second, an individual classifier may not perform well in the detection of each type of attacks. Third, many models are built for stale datasets, making them less adaptable for novel attacks. Thus, we propose a new intrusion detection framework in this paper, and this framework is based on the feature selection and ensemble learning techniques. In the first step, a heuristic algorithm called CFS-BA is proposed for dimensionality reduction, which selects the optimal subset based on the correlation between features. Then, we introduce an ensemble approach that combines C4.5, Random Forest (RF), and Forest by Penalizing Attributes (Forest PA) algorithms. Finally, voting technique is used to combine the probability distributions of the base learners for attack recognition. The experimental results, using NSL-KDD, AWID, and CIC-IDS2017 datasets, reveal that the proposed CFS-BA-Ensemble method is able to exhibit better performance than other related and state of the art approaches under several metrics.

Weiwu Ren,Liang Hu,Kuo Zhao,Jianfeng Chu,Bing Jia

DOI: https://doi.org/10.4304/jcp.8.10.2536-2543

2013-01-01

Journal of Computers

Abstract:with the rapid growth of attack patterns, the number of attributes for detecting attacks gradually increased. Moreover, an automatic attack classification method, as the next thing of intrusion detection, is needed. For solving the above problems, an intrusion classifier based on multiple attribute selection algorithms has been proposed. The classifier includes various combinations with different representative attributes selection algorithms and classification algorithms. A series of experimental results on well-known KDD Cup 1999 data sets indicate real time performance and classification performances of different combinations.

Hao-Ting Pai,Yu-Hsuan Kang,Wen-Cheng Chung

2024-03-12

Abstract:Recent advancements in Intrusion Detection Systems (IDS), integrating Explainable AI (XAI) methodologies, have led to notable improvements in system performance via precise feature selection. However, a thorough understanding of cyber-attacks requires inherently explainable decision-making processes within IDS. In this paper, we present the Interpretable Generalization Mechanism (IG), poised to revolutionize IDS capabilities. IG discerns coherent patterns, making it interpretable in distinguishing between normal and anomalous network traffic. Further, the synthesis of coherent patterns sheds light on intricate intrusion pathways, providing essential insights for cybersecurity forensics. By experiments with real-world datasets NSL-KDD, UNSW-NB15, and UKM-IDS20, IG is accurate even at a low ratio of training-to-test. With 10%-to-90%, IG achieves Precision (PRE)=0.93, Recall (REC)=0.94, and Area Under Curve (AUC)=0.94 in NSL-KDD; PRE=0.98, REC=0.99, and AUC=0.99 in UNSW-NB15; and PRE=0.98, REC=0.98, and AUC=0.99 in UKM-IDS20. Notably, in UNSW-NB15, IG achieves REC=1.0 and at least PRE=0.98 since 40%-to-60%; in UKM-IDS20, IG achieves REC=1.0 and at least PRE=0.88 since 20%-to-80%. Importantly, in UKM-IDS20, IG successfully identifies all three anomalous instances without prior exposure, demonstrating its generalization capabilities. These results and inferences are reproducible. In sum, IG showcases superior generalization by consistently performing well across diverse datasets and training-to-test ratios (from 10%-to-90% to 90%-to-10%), and excels in identifying novel anomalies without prior exposure. Its interpretability is enhanced by coherent evidence that accurately distinguishes both normal and anomalous activities, significantly improving detection accuracy and reducing false alarms, thereby strengthening IDS reliability and trustworthiness.

Cryptography and Security,Artificial Intelligence

Jia Liu,Wang Yinchai,Teh Chee Siong,Xinjin Li,Liping Zhao,Fengrui Wei

DOI: https://doi.org/10.1038/s41598-022-23765-x

2022-12-01

Abstract:For generating an interpretable deep architecture for identifying deep intrusion patterns, this study proposes an approach that combines ANFIS (Adaptive Network-based Fuzzy Inference System) and DT (Decision Tree) for interpreting the deep pattern of intrusion detection. Meanwhile, for improving the efficiency of training and predicting, Pearson Correlation analysis, standard deviation, and a new adaptive K-means are used to select attributes and make fuzzy interval decisions. The proposed algorithm was trained, validated, and tested on the NSL-KDD (National security lab-knowledge discovery and data mining) dataset. Using 22 attributes that highly related to the target, the performance of the proposed method achieves a 99.86% detection rate and 0.14% false alarm rate on the KDDTrain+ dataset, a 77.46% detection rate on the KDDTest+ dataset, which is better than many classifiers. Besides, the interpretable model can help us demonstrate the complex and overlapped pattern of intrusions and analyze the pattern of various intrusions.

ZHUANG hui,ZHANG Xin-dong,QI Wen-bin

DOI: https://doi.org/10.3969/j.issn.1006-4052.2012.20.050

2012-01-01

Abstract:Intrusion detection using ensemble learning,in the process,feature selection is an important part.The best feature combination,not only can reduce the classification error rate,but also can improve the classification efficiency.Improved genetic algorithm and using feature selection of intrusion detection data sets,and the experiment proved that this method can get a better integration of results.