Cheolhee Park,Jonghoon Lee,Youngsoo Kim,Jong-Geun Park,Hyunjin Kim,Dowon Hong

DOI: https://doi.org/10.1109/jiot.2022.3211346

IF: 10.6

2023-01-24

IEEE Internet of Things Journal

Abstract:As communication technology advances, various and heterogeneous data are communicated in distributed environments through network systems. Meanwhile, along with the development of communication technology, the attack surface has expanded, and concerns regarding network security have increased. Accordingly, to deal with potential threats, research on network intrusion detection systems (NIDSs) has been actively conducted. Among the various NIDS technologies, recent interest is focused on artificial intelligence (AI)-based anomaly detection systems, and various models have been proposed to improve the performance of NIDS. However, there still exists the problem of data imbalance, in which AI models cannot sufficiently learn malicious behavior and thus fail to detect network threats accurately. In this study, we propose a novel AI-based NIDS that can efficiently resolve the data imbalance problem and improve the performance of the previous systems. To address the aforementioned problem, we leveraged a state-of-the-art generative model that could generate plausible synthetic data for minor attack traffic. In particular, we focused on the reconstruction error and Wasserstein distance-based generative adversarial networks, and autoencoder-driven deep learning models. To demonstrate the effectiveness of our system, we performed comprehensive evaluations over various data sets and demonstrated that the proposed systems significantly outperformed the previous AI-based NIDS.

Sidahmed Benabderrahmane,Ngoc Hoang,Petko Valtchev,James Cheney,Talal Rahwan

2024-06-27

Abstract:Advanced Persistent Threats (APTs) are sophisticated, targeted cyberattacks designed to gain unauthorized access to systems and remain undetected for extended periods. To evade detection, APT cyberattacks deceive defense layers with breaches and exploits, thereby complicating exposure by traditional anomaly detection-based security methods. The challenge of detecting APTs with machine learning is compounded by the rarity of relevant datasets and the significant imbalance in the data, which makes the detection process highly burdensome. We present AE-APT, a deep learning-based tool for APT detection that features a family of AutoEncoder methods ranging from a basic one to a Transformer-based one. We evaluated our tool on a suite of provenance trace databases produced by the DARPA Transparent Computing program, where APT-like attacks constitute as little as 0.004% of the data. The datasets span multiple operating systems, including Android, Linux, BSD, and Windows, and cover two attack scenarios. The outcomes showed that AE-APT has significantly higher detection rates compared to its competitors, indicating superior performance in detecting and ranking anomalies.

Cryptography and Security,Artificial Intelligence

Xinxing Zhao,Kar Wai Fok,Vrizlynn L. L. Thing

2024-04-11

Abstract:Network intrusion detection systems (NIDS) play a pivotal role in safeguarding critical digital infrastructures against cyber threats. Machine learning-based detection models applied in NIDS are prevalent today. However, the effectiveness of these machine learning-based models is often limited by the evolving and sophisticated nature of intrusion techniques as well as the lack of diverse and updated training samples. In this research, a novel approach for enhancing the performance of an NIDS through the integration of Generative Adversarial Networks (GANs) is proposed. By harnessing the power of GANs in generating synthetic network traffic data that closely mimics real-world network behavior, we address a key challenge associated with NIDS training datasets, which is the data scarcity. Three distinct GAN models (Vanilla GAN, Wasserstein GAN and Conditional Tabular GAN) are implemented in this work to generate authentic network traffic patterns specifically tailored to represent the anomalous activity. We demonstrate how this synthetic data resampling technique can significantly improve the performance of the NIDS model for detecting such activity. By conducting comprehensive experiments using the CIC-IDS2017 benchmark dataset, augmented with GAN-generated data, we offer empirical evidence that shows the effectiveness of our proposed approach. Our findings show that the integration of GANs into NIDS can lead to enhancements in intrusion detection performance for attacks with limited training data, making it a promising avenue for bolstering the cybersecurity posture of organizations in an increasingly interconnected and vulnerable digital landscape.

Cryptography and Security

Congyuan Xu,Jizhong Shen,Xin Du,Fan Zhang

DOI: https://doi.org/10.1109/access.2018.2867564

IF: 3.9

2018-01-01

IEEE Access

Abstract:To improve the performance of network intrusion detection systems (IDS), we applied deep learning theory to intrusion detection and developed a deep network model with automatic feature extraction. In this paper, we consider the characteristics of the time-related intrusion and propose a novel IDS that consists of a recurrent neural network with gated recurrent units (GRU), multilayer perceptron (MLP), and softmax module. Experiments on the well-known KDD 99 and NSL-KDD data sets show that the system has leading performance. The overall detection rate was 99.42% using KDD 99 and 99.31% using NSL-KDD with false positive rates as low as 0.05% and 0.84%, respectively. In particular, for detecting the denial of service attacks, the system achieved detection rates of 99.98% and 99.55%, respectively. Comparative experiments showed that the GRU is more suitable as a memory unit for IDS than LSTM, and proved that it is an effective simplification and improvement of LSTM. Moreover, the bidirectional GRU can reach the best performance compared with the recently published methods.

Naibo Zhu,Guangyu Zhao,Yang Yang,Han Yang,Zhi Liu

DOI: https://doi.org/10.1109/access.2023.3280421

IF: 3.9

2023-01-01

IEEE Access

Abstract:Using deep learning and machine learning techniques for network intrusion detection is of great significance for enhancing the defense capability of network security systems. Given the characteristics of generative adversarial networks, such as the approximate consistency of generated samples with the input data distribution but with a random distribution within a certain bounded interval, and in response to the problem of insufficient classification performance and detection omission caused by the imbalance of different degrees of data categories and quantities in network intrusion traffic, and in light of the fact that the effectiveness of existing classification algorithms based on unbalanced traffic data still has some room for improvement, this paper proposes a network intrusion detection strategy based on auxiliary classifier generative adversarial networks. The data expansion experiments are conducted with the intrusion detection dataset NSL-KDD. The data are classified into twenty-three categories before and after the expansion by binary classification validation. The results show that the expansion of the generated samples for unbalanced network traffic data improve the subsequent recognition effect significantly. Finally, five classification performance index verification experiments are conducted. The results prove that the strategy of this paper performs better in accuracy, precision, recall rate and F-value indexes, and is capable of obtaining a large number of features from limited samples and inferring complete data distribution based on fewer features. The model as a whole has stronger generalization ability and defense effect.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yanqing Yang,Kangfeng Zheng,Bin Wu,Yixian Yang,Xiujuan Wang

DOI: https://doi.org/10.1109/access.2020.2977007

IF: 3.9

2020-01-01

IEEE Access

Abstract:To explore the advantages of adversarial learning and deep learning, we propose a novel network intrusion detection model called SAVAER-DNN, which can not only detect known and unknown attacks but also improve the detection rate of low-frequent attacks. SAVAER is a supervised variational auto-encoder with regularization, which uses WGAN-GP instead of the vanilla GAN to learn the latent distribution of the original data. SAVAER's decoder is used to synthesize samples of low-frequent and unknown attacks, thereby increasing the diversity of training samples and balancing the training data set. SAVAER's encoder is used to initialize the weights of the hidden layers of the DNN and explore high-level feature representations of the original samples. The benchmark NSL-KDD (KDDTest+), NSL-KDD (KDDTest-21) and UNSW-NB15 datasets are used to evaluate the performance of the proposed model. The experimental results show that the proposed SAVAER-DNN is more suitable for data augmentation than the other three well-known data oversampling methods. Moreover, the proposed SAVAER-DNN outperforms eight well-known classification models in detection performance and is more effective in detecting low-frequent and unknown attacks. Furthermore, compared with other state-of-the-art intrusion detection models reported in the IDS literature, the proposed SAVAER-DNN offers better performance in terms of overall accuracy, detection rate, F1 score, and false positive rate.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shuokang Huang,Kai Lei

DOI: https://doi.org/10.1016/j.adhoc.2020.102177

IF: 4.816

2020-01-01

Ad Hoc Networks

Abstract:With the emergence of ever-advancing network threats, the guarantee of system security becomes increasingly crucial, especially in the dynamic and decentralized ad-hoc networks. One essential part of cybersecurity is intrusion detection, which identifies anomalous activities according to traffic patterns. However, the class-imbalanced data have caused a challenging problem where the number of abnormal samples is significantly lower than that of the normal ones. This class imbalance problem confines the performance of intrusion classifiers and results in low robustness to unknown anomalies. In this paper, we propose a novel Imbalanced Generative Adversarial Network (IGAN) to tackle the class imbalance problem. In the primary novelty of our model, we introduce an imbalanced data filter and convolutional layers to the typical GAN, generating new representative instances for minority classes. Further, an IGAN-based Intrusion Detection System, namely IGAN-IDS, is established to cope with class-imbalanced intrusion detection, using the instances generated by IGAN. Concretely, IGAN-IDS consists of three modules: feature extraction, IGAN, and deep neural network. First, we utilize a feed-forward neural network (FNN) to transform raw network attributes into feature vectors. Then, the IGAN generates new samples expressed in the latent space. Finally, the deep neural network, composed of convolutional layers and fully-connected layers, executes the final intrusion detection. We conduct experiments on three benchmark datasets to evaluate the performance of IGAN-IDS, comparing against 15 other methods. The experimental results demonstrate that our proposed IGAN-IDS outperforms the state-of-the-art approaches.

Wuxin Tian,Yanping Shen,Na Guo,Jing Yuan,Yanqing Yang

DOI: https://doi.org/10.3390/s24186035

IF: 3.9

2024-09-19

Sensors

Abstract:To address the class imbalance issue in network intrusion detection, which degrades performance of intrusion detection models, this paper proposes a novel generative model called VAE-WACGAN to generate minority class samples and balance the dataset. This model extends the Variational Autoencoder Generative Adversarial Network (VAEGAN) by integrating key features from the Auxiliary Classifier Generative Adversarial Network (ACGAN) and the Wasserstein Generative Adversarial Network with Gradient Penalty (WGAN-GP). These enhancements significantly improve both the quality of generated samples and the stability of the training process. By utilizing the VAE-WACGAN model to oversample anomalous data, more realistic synthetic anomalies that closely mirror the actual network traffic distribution can be generated. This approach effectively balances the network traffic dataset and enhances the overall performance of the intrusion detection model. Experimental validation was conducted using two widely utilized intrusion detection datasets, UNSW-NB15 and CIC-IDS2017. The results demonstrate that the VAE-WACGAN method effectively enhances the performance metrics of the intrusion detection model. Furthermore, the VAE-WACGAN-based intrusion detection approach surpasses several other advanced methods, underscoring its effectiveness in tackling network security challenges.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Khloud Al Jallad,Mohamad Aljnidi,Mohammad Said Desouki

DOI: https://doi.org/10.48550/arXiv.2209.13961

2022-09-28

Cryptography and Security

Abstract:With the growing use of information technology in all life domains, hacking has become more negatively effective than ever before. Also with developing technologies, attacks numbers are growing exponentially every few months and become more sophisticated so that traditional IDS becomes inefficient detecting them. This paper proposes a solution to detect not only new threats with higher detection rate and lower false positive than already used IDS, but also it could detect collective and contextual security attacks. We achieve those results by using Networking Chatbot, a deep recurrent neural network: Long Short Term Memory (LSTM) on top of Apache Spark Framework that has an input of flow traffic and traffic aggregation and the output is a language of two words, normal or abnormal. We propose merging the concepts of language processing, contextual analysis, distributed deep learning, big data, anomaly detection of flow analysis. We propose a model that describes the network abstract normal behavior from a sequence of millions of packets within their context and analyzes them in near real-time to detect point, collective and contextual anomalies. Experiments are done on MAWI dataset, and it shows better detection rate not only than signature IDS, but also better than traditional anomaly IDS. The experiment shows lower false positive, higher detection rate and better point anomalies detection. As for prove of contextual and collective anomalies detection, we discuss our claim and the reason behind our hypothesis. But the experiment is done on random small subsets of the dataset because of hardware limitations, so we share experiment and our future vision thoughts as we wish that full prove will be done in future by other interested researchers who have better hardware infrastructure than ours.

Hongwei Ding,Yu Sun,Nana Huang,Xiaohui Cui,Zhidong Shen

DOI: https://doi.org/10.1109/tifs.2023.3331240

IF: 7.231

2023-12-05

IEEE Transactions on Information Forensics and Security

Abstract:Internet of Things (IoT) devices are large in number, widely distributed, weak in protection ability, and vulnerable to various malicious attacks. Intrusion detection technology can provide good protection for network equipment. However, the normal traffic and abnormal traffic in the network are usually imbalanced. Imbalanced samples will seriously affect the performance of machine learning detection algorithm. Therefore, this paper proposes an intrusion detection method based on data augmentation, namely TMG-IDS. We name the proposed data augmentation model TMG-GAN, which is a data augmentation method based on generative adversarial networks (GAN). First, TMG-GAN has a multi-generator structure, which can be used to generate different types of attack data simultaneously. Second, we increase the classifier structure, which can optimize the generator and discriminator more efficiently based on the classification loss. Third, we calculate the cosine similarity between the generated samples and the original samples and other types of generated samples as a generator loss, which can further improve the quality of generated samples and reduce the class overlap area between the distributions of various generated samples. We conduct extensive experiments on two intrusion detection datasets, CICIDS2017 and UNSW-NB15. The experimental results show that compared with the advanced oversampling algorithm and the latest intrusion detection algorithm, the proposed TMG-IDS method has a good detection effect under the three indicators of Precision, Recall and F1-score.

computer science, theory & methods,engineering, electrical & electronic

Vanlalruata Hnamte,Hong Nhung-Nguyen,Jamal Hussain,Yong Hwa-Kim

DOI: https://doi.org/10.1109/access.2023.3266979

IF: 3.9

2023-01-01

IEEE Access

Abstract:Machine learning and deep learning techniques are widely used to evaluate intrusion detection systems (IDS) capable of rapidly and automatically recognizing and classifying cyber-attacks on networks and hosts. However, when destructive attacks are becoming more extensive, more challenges develop, needing a comprehensive response. Numerous intrusion detection datasets are publicly accessible for further analysis by the cybersecurity research community. However, no previous research has examined the performance of the proposed model on a variety of publicly accessible datasets in detail. Due to the dynamic nature of the attack and its rapidly changing attack techniques, the publicly accessible intrusion datasets must be updated and benchmarked regularly. The deep neural network (DNN) and convolutional neural network (CNN) are examined in this article as types of deep learning models for developing a flexible and effective IDS capable of detecting and comparing them with the proposed model in detecting cyber-attacks. The constant development of network behavior and the fast growth of attacks need the development of IDS and the evaluation of many datasets produced over time through static and dynamic methods. This kind of research enables the identification of the most efficient algorithm for identifying future cyber-attacks. We proposed a novel two-stage deep learning technique hybridizing Long-Short Term Memory (LSTM) and Auto-Encoders (AE) for detecting attacks. The CICIDS2017 and CSE-CICDIS2018 datasets are used to determine the optimum network parameters for the proposed LSTM-AE. The experimental results show that the proposed hybrid model works well and is applicable for detecting attacks in modern scenarios.

computer science, information systems,telecommunications,engineering, electrical & electronic

Junpeng He,Lingfeng Yao,Xiong Li,Muhammad Khurram Khan,Weina Niu,Xiaosong Zhang,Fagen Li

DOI: https://doi.org/10.1007/s10489-024-05290-8

IF: 5.3

2024-02-27

Applied Intelligence

Abstract:Malicious traffic on the Internet has become an increasingly serious problem, and several artificial intelligence (AI)-based malicious traffic detection methods have been proposed. Generally, AI-based methods need numerous benign and specific types of malicious traffic training instances to achieve better detection results. However, for attacks with only a few instances, known as the few-shot attacks, these methods often perform poorly, and how to train a model for detecting few-shot attacks is a huge challenge. For this problem, we propose a novel intrusion detection system based on generative adversarial networks and model-agnostic meta-learning. The system adopts a hybrid detection mechanism where an anomaly-based classifier determines whether incoming traffic is malicious and a signature-based classifier identifies the class of malicious traffic. In the system, the samples of few-shot attacks are augmented by maximizing the use of meta-knowledge and then applied to assist the detection of few-shot attacks to obtain better detection results. The experiments show that for CSE-CIC-IDS2018 and Bot-IoT datasets, this system can detect malicious traffic with 94.3%/1.8% TPR/FPR and 99.8%/0.1% TPR/FPR, respectively, and also can identify the class of the few-shot attacks with 95.2% and 91.9% accuracy, respectively. Compared with other related methods, the system improves the accuracy of identifying few-shot attacks on these two datasets by at least 2.2% and 1.5%, respectively. Additionally, a parameter visualization process is designed, which shows the fast-adaptive property and better generalization capability of the system.

computer science, artificial intelligence

Mukhtar Ahmed,Jinfu Chen,Ernest Akpaku,Rexford Nii Ayitey Sosu,Ajmal Latif

DOI: https://doi.org/10.1145/3690637

IF: 2.717

2024-08-29

ACM Transactions on Privacy and Security

Abstract:With the rapid advancements in internet technology, the complexity and sophistication of network traffic attacks are increasing, making it challenging for traditional anomaly detection systems to analyze and detect malicious network attacks. The increasing advancedness of cyber threats calls for innovative approaches to identify malicious patterns within network traffic precisely. The primary issue lies in the fact that these approaches do not focus on the essential adaptive features of network traffic. We proposed an effective anomaly detection system for malicious network traffic attacks called the Deep Ensemble Learning Model (DELM). We leverage the structure of the Feedforward Deep Neural Network (FDNN), and Deep Belief Network (DBN), incorporating multiple hidden layers with non-linear activation functions. Integrating Adaptive Feature Aggregation (AFA) with the FDNN algorithm dynamically adjusts the feature aggregation process based on incoming traffic characteristics to improve adaptability. The Conditional Generative Network was employed to enhance DELM for generating data for minority classes. To improve the model’s accuracy, we applied batch normalization and data augmentation techniques for preprocessing, utilized n-gram, one-hot encoding, and feature aggregation methods for effective feature extraction. This study significantly contributes to network security by enhancing systems for detecting malicious network traffic. With its interpretability and adaptability, our proposed model shows promise in addressing the evolving cyber threat and fortifying critical network infrastructure. The experimental results demonstrate that our model performs with higher stability than the existing state-of-the-art detection approaches, as reflected by its higher accuracy, precision, recall, f1 score, and AUC-ROC.

computer science, information systems

Zian Jia,Xiaosu Wang,Yun Xiong,Yao Zhang,JinJing Zhao

DOI: https://doi.org/10.1109/dsc55868.2022.00056

2022-01-01

Abstract:Advanced Persistent Threats (APT) are difficult to detect and defend due to their high variability and concealment. Current APT detection and investigation approaches suffer from two major problems. First, most recent models heavily rely on heuristic rules derived from a large amount of expensive prior knowledge, which in turn prevents the models from generalizing to new types of APT attacks. Second, the development of existing fully supervised models is limited by the scarcity of APT attack data. In this paper, we first construct the provenance graph by introducing logical entities to reduce the dependency on prior knowledge. Then we propose a novel self-supervised representation-learning based model, AISLE, for the investigation of the APT attack, which consists of a graph structure encoder (GSE) and an entity interaction pattern encoder (IPE). The GSE employs a graph attention auto-encoder to effectively compress the structural information of the graph; and the IPE employs a LSTM auto-encoder to extract the interaction patterns of entities from their interaction history. The two entity embeddings calculated respectively by the two auto-encoders are concatenated to form the final representation of the entity, which is evaluated by the attack investigation module to identify attack entities. Our model is evaluated on ten real-world APT attacks in a realistic virtual environment. The results show that our model can achieve superior generalization ability and consistently outperform the latest state-of-the-art APT attack investigation approaches.

Willian T. Lunardi,Martin Andreoni Lopez,Jean-Pierre Giacalone

DOI: https://doi.org/10.48550/arXiv.2205.01432

IF: 5.414

2022-05-03

Machine Learning

Abstract:As the number of heterogenous IP-connected devices and traffic volume increase, so does the potential for security breaches. The undetected exploitation of these breaches can bring severe cybersecurity and privacy risks. Anomaly-based \acp{IDS} play an essential role in network security. In this paper, we present a practical unsupervised anomaly-based deep learning detection system called ARCADE (Adversarially Regularized Convolutional Autoencoder for unsupervised network anomaly DEtection). With a convolutional \ac{AE}, ARCADE automatically builds a profile of the normal traffic using a subset of raw bytes of a few initial packets of network flows so that potential network anomalies and intrusions can be efficiently detected before they cause more damage to the network. ARCADE is trained exclusively on normal traffic. An adversarial training strategy is proposed to regularize and decrease the \ac{AE}'s capabilities to reconstruct network flows that are out-of-the-normal distribution, thereby improving its anomaly detection capabilities. The proposed approach is more effective than state-of-the-art deep learning approaches for network anomaly detection. Even when examining only two initial packets of a network flow, ARCADE can effectively detect malware infection and network attacks. ARCADE presents 20 times fewer parameters than baselines, achieving significantly faster detection speed and reaction time.

Aulia Arif Wardana,Grzegorz Kołaczek,Arkadiusz Warzyński,Parman Sukarno

DOI: https://doi.org/10.1007/s10207-024-00891-3

2024-07-23

International Journal of Information Security

Abstract:Abstract Detecting coordinated attacks in cybersecurity is challenging due to their sophisticated and distributed nature, making traditional Intrusion Detection Systems often ineffective, especially in heterogeneous networks with diverse devices and systems. This research introduces a novel Collaborative Intrusion Detection System (CIDS) using a Weighted Ensemble Averaging Deep Neural Network (WEA-DNN) designed to detect such attacks. The WEA-DNN combines deep learning techniques and ensemble methods to enhance detection capabilities by integrating multiple Deep Neural Network (DNN) models, each trained on different data subsets with varying architectures. Differential Evolution optimizes the model’s contributions by calculating optimal weights, allowing the system to collaboratively analyze network traffic data from diverse sources. Extensive experiments on real-world datasets like CICIDS2017, CSE-CICIDS2018, CICToNIoT, and CICBotIoT show that the CIDS framework achieves an average accuracy of 93.8%, precision of 78.6%, recall of 60.4%, and an F1-score of 62.4%, surpassing traditional ensemble models and matching the performance of local DNN models. This demonstrates the practical benefits of WEA-DNN in improving detection capabilities in real-world heterogeneous network environments, offering superior adaptability and robustness in handling complex attack patterns.

computer science, information systems, theory & methods, software engineering

He Zhang,Xingrui Yu,Peng Ren,Chunbo Luo,Geyong Min

DOI: https://doi.org/10.48550/arXiv.1901.07949

2019-01-23

Cryptography and Security

Abstract:Intrusion detection systems (IDSs) play an important role in identifying malicious attacks and threats in networking systems. As fundamental tools of IDSs, learning based classification methods have been widely employed. When it comes to detecting network intrusions in small sample sizes (e.g., emerging intrusions), the limited number and imbalanced proportion of training samples usually cause significant challenges in training supervised and semi-supervised classifiers. In this paper, we propose a general network intrusion detection framework to address the challenges of both \emph{data scarcity} and \emph{data imbalance}. The novelty of the proposed framework focuses on incorporating deep adversarial learning with statistical learning and exploiting learning based data augmentation. Given a small set of network intrusion samples, it first derives a Poisson-Gamma joint probabilistic generative model to generate synthesised intrusion data using Monte Carlo methods. Those synthesised data are then augmented by deep generative neural networks through adversarial learning. Finally, it adopts the augmented intrusion data to train supervised models for detecting network intrusions. Comprehensive experimental validations on KDD Cup 99 dataset show that the proposed framework outperforms the existing learning based IDSs in terms of improved accuracy, precision, recall, and F1-score.

Yanfang Ye,Shifu Hou,Lingwei Chen,Jingwei Lei,Wenqiang Wan,Jiabin Wang,Qi Xiong,Fudong Shao

DOI: https://doi.org/10.48550/arXiv.1811.01027

2019-05-21

Abstract:The explosive growth and increasing sophistication of Android malware call for new defensive techniques that are capable of protecting mobile users against novel threats. In this paper, we first extract the runtime Application Programming Interface (API) call sequences from Android apps, and then analyze higher-level semantic relations within the ecosystem to comprehensively characterize the apps. To model different types of entities (i.e., app, API, IMEI, signature, affiliation) and the rich semantic relations among them, we then construct a structural heterogeneous information network (HIN) and present meta-path based approach to depict the relatedness over apps. To efficiently classify nodes (e.g., apps) in the constructed HIN, we propose the HinLearning method to first obtain in-sample node embeddings and then learn representations of out-of-sample nodes without rerunning/adjusting HIN embeddings at the first attempt. Afterwards, we design a deep neural network (DNN) classifier taking the learned HIN representations as inputs for Android malware detection. A comprehensive experimental study on the large-scale real sample collections from Tencent Security Lab is performed to compare various baselines. Promising experimental results demonstrate that our developed system AiDroid which integrates our proposed method outperforms others in real-time Android malware detection. AiDroid has already been incorporated into Tencent Mobile Security product that serves millions of users worldwide.

Cryptography and Security,Machine Learning

Francisco S. Melícias,Tiago F. R. Ribeiro,Carlos Rabadão,Leonel Santos,Rogério Luís De C. Costa

DOI: https://doi.org/10.1109/access.2024.3360879

IF: 3.9

2024-02-10

IEEE Access

Abstract:The absence of essential security protocols in Industrial Internet of Things (IIoT) networks introduces cybersecurity vulnerabilities and turns them into potential targets for various attack types. Although machine learning has been used for intrusion detection in the IIoT, datasets with representative data of common attacks of IIoT network traffic are limited and often imbalanced. Data augmentation techniques address these problems by creating artificial data in classes with fewer samples. In this work, we evaluate the use of data augmentation when training intrusion detection models based on IIoT traffic data. We compare Generative Pre-trained Transformers (GPT) and variations on the Synthetic Minority Over-sampling TEchnique (SMOTE) and evaluate their capability to enhance intrusion detection performance. We examine the performance of five intrusion detection algorithms when trained with augmented datasets to models trained with the original non-augmented dataset. To ensure a fair comparison, we evaluated the algorithms' performance in the different scenarios using the same test dataset, which does not contain synthetic data. The results show the need for a systematic evaluation before employing data augmentation, as its impact on classification performance depends on the algorithm, data, and used technique. While deep neural networks benefit from data augmentation, the eXtreme Gradient Boosting (XGBoost), which achieved superior performance in intrusion detection between all evaluated classifiers (with F1-Score over 91%), didn't have any performance improvement when trained with augmented data. The evaluation of data generated by GPT-based methods shows such methods (especially GReaT) generate invalid data for both numerical and categorical features in a way that leads to performance degradation in multiclass classification.

computer science, information systems,telecommunications,engineering, electrical & electronic

Sheikh Abdul Hameed Ayubkhan,Wun-She Yap,Ezra Morris,Mumtaj Begam Kasim Rawthar

DOI: https://doi.org/10.1007/s12652-022-04449-w

IF: 3.662

2022-11-08

Journal of Ambient Intelligence and Humanized Computing

Abstract:Autoencoder and conventional machine learning classifiers are widely used to design an intrusion detection system (IDS). However, noise and corruption in the high-dimensional network traffic samples will still affect the stability and performance of an autoencoder and other conventional machine learning based IDS models. The distortions in the input datasets cause deviations in the learnt patterns and always resulted in a low detection rate. Besides, the IDS classifiers use every single feature to train the samples, which makes the model consumes longer training time, computational resources and memory usage. The main aim of this proposal is to remove the distortions from the network traffic and train the IDS model in a faster manner to detect any category of intruders in the network traffic by achieving a higher detection rate in a short training time. To achieve this, we propose an intrusion detection system that combines a denoising autoencoder and LightGBM classifier. The denoising autoencoder removes the noise and corruptions in the network traffic, thereby possibly avoiding the deviations which can enhance the features learning capacity required for classification. Subsequently, to classify the samples, the LightGBM classifier is used. The classifier uses the feature histogram bins with larger gradients, thus avoiding using each feature at every iteration to accelerate the training speed and boost the predictive capacity of the model. The proposed model shows better detection performance improvement over nine benchmark datasets including CIDDS-001, CIDDS-002, ISCX-URL2016, UNSW-NB15, CIC-IDS-2017, ISCX-Tor2016, BoT-IoT, IoTID20 and Kyoto 2006+ for both binary classification and multi-classification tasks as compared to other existing IDS. The model achieves the maximum detection rate of over 99.60% for CIDDS-001, 99.90% for CIDDS-002, 97.00% for ISCX-Tor2016, 96.11% for UNSW-NB15, 99.86% for CIC-IDS17, 97.76% for ISCX-URL16, 99.91% for BoT-IoT, 97.43% for both IoTID2020 and Kyoto 2006+ datasets respectively, while the training time ranges from 1.10 to 21.78 s only. More importantly, the proposed model has higher learning and predictivity capacity which boosts the generalization capacity. The model also shows good performance in detecting all classes including the minority classes for all aforementioned datasets without any oversampling techniques. The efficiency of the model emphasizes that it can be deployed as a real-time model in any industrial network traffic that includes IoT based smart environment and fog-cloud computing network.

computer science, information systems,telecommunications, artificial intelligence