Jiang Xie,Shuhao Li,Yongzheng Zhanga,Peishuai Sun,Hongbo Xu

DOI: https://doi.org/10.1016/j.cose.2022.102867

2023-09-13

Abstract:The proliferation of network attacks poses a significant threat. Researchers propose datasets for network attacks to support research in related fields. Then, many attack detection methods based on these datasets are proposed. These detection methods, whether two-classification or multi-classification, belong to single-label learning, i.e., only one label is given to each sample. However, we discover that there is a noteworthy phenomenon of behavior attribute overlap between attacks, The presentation of this phenomenon in a dataset is that there are multiple samples with the same features but different labels. In this paper, we verify the phenomenon in well-known datasets(UNSW-NB15, CCCS-CIC-AndMal-2020) and re-label these data. In addition, detecting network attacks in a multi-label manner can obtain more information, providing support for tracing the attack source and building IDS. Therefore, we propose a multi-label detection model based on deep learning, MLD-Model, in which Wasserstein-Generative-Adversarial- Network-with-Gradient-Penalty (WGAN-GP) with improved loss performs data enhancement to alleviate the class imbalance problem, and Auto-Encoder (AE) performs classifier parameter pre-training. Experimental results demonstrate that MLD-Model can achieve excellent classification performance. It can achieve F1=80.06% in UNSW-NB15 and F1=83.63% in CCCS-CIC-AndMal-2020. Especially, MLD-Model is 5.99%-7.97% higher in F1 compared with the related single-label methods.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1109/tifs.2020.2991876

IF: 7.231

2020-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Conventional intrusion detection systems based on supervised learning techniques require a large number of samples for training, while in some scenarios, such as zero-day attacks, security agencies can only intercept a limited number of shots of malicious samples. Therefore, there is a need for few-shot detection. In this paper, a detection method based on a meta-learning framework is proposed for this purpose. The proposed method can be used to distinguish and compare a pair of network traffic samples as a basic task of learning, including a normal unaffected sample and a malicious one. To accomplish this task, we design a deep neural network (DNN) named FC-Net, which mainly comprises two parts: feature extraction network and comparison network. FC-Net learns a pair of feature maps for classification from a pair of network traffic samples, then compares the obtained feature maps, and finally determines whether the pair of samples belongs to the same type. To evaluate the proposed detection method, we construct two datasets for few-shot network intrusion detection based on real network traffic data sources, using a specifically developed approach. The experimental results indicate that the proposed detection method is universal and is not limited to specific datasets or attack types. Training and testing on the same datasets demonstrate that the proposed method can achieve the average detection rate up to 98.88%. The outcome of training on one dataset and testing on the other one confirms that the proposed method can achieve better performance. In a few-shot scenario, malicious samples in an untrained dataset can be detected successfully, and the average detection rate is up to 99.62%.

Chunrui Zhang,Gang Wang,Shen Wang,Dechen Zhan,Mingyong Yin

DOI: https://doi.org/10.1016/j.comnet.2023.109692

IF: 5.493

2023-03-11

Computer Networks

Abstract:In recent years, cybersecurity has been endlessly challenged by more and more sophisticated network attacks, due to lacking the ability to detect unknown attacks in time. Recent researches show that machine learning helps to improve the efficacy of network attack detection, by training network attack classification models with huge amount labeled data. However in internal networks, due to the scarcity of attack instances and lacking expert labor force to label the data, it is always difficult to obtain sufficient labeled data to train such models. To uncover unknown attacks with machine learning techniques in internal networks, we propose to exploit transfer learning to utilize public datasets that contains attack instances to train a prediction model that will be used for un-labeled internal datasets. The main problem is to address the heterogeneity between datasets. Specifically, we project two heterogeneous datasets into a common latent space and formulate an optimization problem to minimize the distance of two distributions in the common space. Then we apply SVM classifier to the projected data to identify attack instances in internal networks. We conduct experiments that perform transfer learning between the NSLKDD to UNSW-NB15 datasets. The results validate that the proposed method notably improves the cross-domain attack detection accuracy in learning scenarios, such as "DoS to DoS" and "R2L to Exploits".

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Kuljeet Singh,Amit Mahajan,Vibhakar Mansotra

DOI: https://doi.org/10.1504/ijsnet.2023.135851

2024-01-10

International Journal of Sensor Networks

Abstract:Due to the continued and unabated increase in the number of cyber-attacks, the need for improved network security architecture is more apparent. The deep learning approach plays a pivotal role by classifying network traffic and identifying malicious records. However, this approach is often met with twin challenges of the high dimensionality of data and imbalanced ratio of attack labels within the data. To mitigate these issues and achieve a better detection rate, this research has proposed a new intrusion detection framework based on three main components; feature selection, oversampling, and hybrid CNN-LSTM classifier. This study deployed information gain, chi-square, basic methods, L1 regularisation, and random forest classifier as five feature selection methods and SMOTE for handling class imbalance. The experimental results, conducted using the CICIDS2017 dataset, have shown that the proposed model has demonstrated better performance in the detection of network attacks with more than 99% detection rate. Results established that number of features can be significantly reduced without altering the accuracy and oversampling has helped in improving the detection rate of minority attack labels.

computer science, information systems,telecommunications

Jian Luo,Yiying Zhang,Yannian Wu,Yao Xu,Xiaoyan Guo,Boxiang Shang

DOI: https://doi.org/10.3390/electronics12040949

IF: 2.9

2023-02-16

Electronics

Abstract:Network intrusion data are characterized by high feature dimensionality, extreme category imbalance, and complex nonlinear relationships between features and categories. The actual detection accuracy of existing supervised intrusion-detection models performs poorly. To address this problem, this paper proposes a multi-channel contrastive learning network-based intrusion-detection method (MCLDM), which combines feature learning in the multi-channel supervised contrastive learning stage and feature extraction in the multi-channel unsupervised contrastive learning stage to train an effective intrusion-detection model. The objective is to research whether feature enrichment and the use of contrastive learning for specific classes of network intrusion data can improve the accuracy of the model. The model is based on an autoencoder to achieve feature reconstruction with supervised contrastive learning and for implementing multi-channel data reconstruction. In the next stage of unsupervised contrastive learning, the extraction of features is implemented using triplet convolutional neural networks (TCNN) to achieve the classification of intrusion data. Through experimental analysis, the multichannel contrastive learning network-based intrusion-detection method achieves 98.43% accuracy in dataset CICIDS17 and 93.94% accuracy in dataset KDDCUP99.

engineering, electrical & electronic,computer science, information systems,physics, applied

Zhiyan Chen,Murat Simsek,Burak Kantarci,Mehran Bagheri,Petar Djukic

2023-06-16

Abstract:Network Intrusion Detection Systems (NIDS) have been extensively investigated by monitoring real network traffic and analyzing suspicious activities. However, there are limitations in detecting specific types of attacks with NIDS, such as Advanced Persistent Threats (APT). Additionally, NIDS is restricted in observing complete traffic information due to encrypted traffic or a lack of authority. To address these limitations, a Host-based Intrusion Detection system (HIDS) evaluates resources in the host, including logs, files, and folders, to identify APT attacks that routinely inject malicious files into victimized nodes. In this study, a hybrid network intrusion detection system that combines NIDS and HIDS is proposed to improve intrusion detection performance. The feature flattening technique is applied to flatten two-dimensional host-based features into one-dimensional vectors, which can be directly used by traditional Machine Learning (ML) models. A two-stage collaborative classifier is introduced that deploys two levels of ML algorithms to identify network intrusions. In the first stage, a binary classifier is used to detect benign samples. All detected attack types undergo a multi-class classifier to reduce the complexity of the original problem and improve the overall detection performance. The proposed method is shown to generalize across two well-known datasets, CICIDS 2018 and NDSec-1. Performance of XGBoost, which represents conventional ML, is evaluated. Combining host and network features enhances attack detection performance (macro average F1 score) by 8.1% under the CICIDS 2018 dataset and 3.7% under the NDSec-1 dataset. Meanwhile, the two-stage collaborative classifier improves detection performance for most single classes, especially for DoS-LOIC-UDP and DoS-SlowHTTPTest, with improvements of 30.7% and 84.3%, respectively, when compared with the traditional ML XGBoost.

Cryptography and Security,Artificial Intelligence,Networking and Internet Architecture

Wei Ma,Yunyun Hou,Mingyu Jin,Pengpeng Jian

DOI: https://doi.org/10.1371/journal.pone.0300821

IF: 3.7

2024-03-26

PLoS ONE

Abstract:Multi-stage attacks are one of the most critical security threats in the current cyberspace. To accurately identify multi-stage attacks, this paper proposes an anomaly-based multi-stage attack detection method. It constructs a Multi-Stage Profile (MSP) by modeling the stable system's normal state to detect attack behaviors. Initially, the method employs Doc2Vec to vectorize alert messages generated by the intrusion detection systems (IDS), extracting profound inter-message correlations. Subsequently, Hidden Markov Models (HMM) are employed to model the normal system state, constructing an MSP, with relevant HMM parameters dynamically acquired via clustering algorithms. Finally, the detection of attacks is achieved by determining the anomaly threshold through the generation probability (GP). To evaluate the performance of the proposed method, experiments were conducted using three public datasets and compared with three advanced multi-stage attack detection methods. The experimental results demonstrate that our method achieves an accuracy of over 99% and precision of 100% in multi-stage attack detection. This confirms the effectiveness of our method in adapting to different attack scenarios and ultimately completing attack detection.

multidisciplinary sciences

Jinghong Lan,Xudong Liu,Bo Li,Jie Sun,Beibei Li,Jun Zhao

DOI: https://doi.org/10.1016/j.cose.2022.102919

2022-09-14

Abstract:With the continuous occurrence of cybersecurity incidents, network intrusion detection has become one of the most critical issues in cyber ecosystems. Although previous machine learning-based approaches have made significant progress, their generalization ability is limited due to the following critical challenges. First, intrusion detection is severely affected by the class imbalance problem in many network scenarios, with some attack types representing only a very small subset of the entire training set. Second, cyberattacks are becoming increasingly sophisticated, and hence, it is becoming more challenging for existing methods to extract robust representations. Third, most existing methods generally leverage only a particular aspect of the network traffic features and treat model training as a single-task learning problem, thus ignoring the discriminative ability of different feature types and the performance enhancement of integrating multiple machine learning tasks. In this paper, we propose a Multi-task lEarning Model with hyBrid dEep featuRes (MEMBER) to address the aforementioned challenges. Based on a Convolutional Neural Network (CNN) with embedded spatial and channel attention mechanisms, MEMBER innovatively introduces two auxiliary tasks (i.e., an auto-encoder (AE) enhanced with a memory module and a distance-based prototype network) to boost the model generalization ability and alleviate the performance degradation suffered in imbalanced network environments. Extensive experiments on several benchmark datasets demonstrate the superiority and robustness of our proposed MEMBER in terms of both F1 score and stability.

computer science, information systems

Shuxin Shi,Dezhi Han,Mingming Cui

DOI: https://doi.org/10.1080/09540091.2023.2227780

2023-08-18

Connection Science

Abstract:With the rapid growth of Internet data traffic, the means of malicious attack become more diversified. The single modal intrusion detection model cannot fully exploit the rich feature information in the massive network traffic data, resulting in unsatisfactory detection results. To address this issue, this paper proposes a multimodal hybrid parallel network intrusion detection model (MHPN). The proposed model extracts network traffic features from two modalities: the statistical information of network traffic and the original load of traffic, and constructs appropriate neural network models for each modal information. Firstly, a two-branch convolutional neural network is combined with Long Short-Term Memory (LSTM) network to extract the spatio-temporal feature information of network traffic from the original load mode of traffic, and a convolutional neural network is used to extract the feature information of traffic statistics. Then, the feature information extracted from the two modalities is fused and fed to the CosMargin classifier for network traffic classification. The experimental results on the ISCX-IDS 2012 and CIC-IDS-2017 datasets show that the MHPN model outperforms the single-modal models and achieves an average accuracy of 99.98 % . The model also demonstrates strong robustness and a positive sample recognition rate.

computer science, artificial intelligence, theory & methods

Junyi Liu,Yifu Tang,Haimeng Zhao,Xieheng Wang,Fangyu Li,Jingyi Zhang

DOI: https://doi.org/10.1145/3585520

2024-01-01

ACM Transactions on Sensor Networks

Abstract:Cybersecurity breaches are common anomalies for distributed cyber-physical systems (CPS). However, the cyber security breach classification is still a difficult problem, even using cutting-edge artificial intelligence (AI) approaches. In this article, we study a multi-class classification problem in cyber security for attack detection. A challenging multi-node data-censoring case is considered. In such a case, data within each data center/node cannot be shared while the local data is incomplete. Particularly, local nodes contain only a part of the multiple classes. In order to train a global multi-class classifier without sharing the raw data across all nodes, we design a multi-node multi-class classification ensemble approach which is the main result of our study. By gathering the estimated parameters of the binary classifiers and data densities from each local node, the missing information for each local node is completed to build the global multi-class classifier. Numerical experiments are given to validate the effectiveness of the proposed approach under the multi-node data-censoring case. Under such a case, we even show the out-performance of the proposed approach over the full-data approach.

Feilu Hang,Linjiang Xie,Zhenhong Zhang,Jian Hu

DOI: https://doi.org/10.12694/scpe.v25i4.2862

2024-06-16

Abstract:This paper proposes an adaptive Wedman intrusion detection algorithm (AID-DFS) for data fusion. Firstly, feature extraction of abnormal text detection is carried out using a BI-gated loop (Bi-GRU). Multi-branch convolutional recurrent neural network (CNN-RNN) extracts hierarchical features from abnormal images. The multi-mode dynamic fusion uses the intermodal and intramodal attention mechanisms. In this way, a joint representation of multiple modes is obtained. The visual perception mechanism is used to realize multichannel integration and strengthen the function of original information in multichannel. The experimental results show that the proposed method has 99.6% accuracy and 94.9% accuracy. Compared with other algorithms, the proposed method can improve the performance of the intrusion system by about 10.2%.

Yan Feng,Zhihai Yang,Qindong Sun,Yanxiao Liu

DOI: https://doi.org/10.3390/electronics13152953

IF: 2.9

2024-07-27

Electronics

Abstract:Anomaly detection for network traffic aims to analyze the characteristics of network traffic in order to discover unknown attacks. Currently, existing detection methods have achieved promising results against high-intensity attacks that aim to interrupt the operation of the target system. In reality, attack behaviors that are commonly exhibited are highly concealed and disruptive. In addition, the attack scales are flexible and variable. In this paper, we construct a multiscale network intrusion behavior dataset, which includes three attack scales and two multiscale attack patterns based on probability distribution. Specifically, we propose a stacked ensemble learning-based detection model for anomalous traffic (or SEDAT for short) to defend against highly concealed multiscale attacks. The model employs a random forest (RF)-based method to select features and introduces multiple base learning autoencoders (AEs) to enhance the representation of multiscale attack behaviors. In addressing the challenge of a single model's inability to capture the regularities of multiscale attack behaviors, SEDAT is capable of adapting to the complex multiscale characteristics in network traffic, enabling the prediction of network access behavior. Comparative experiments demonstrate that SEDAT exhibits superior detection capabilities in multiscale network attacks. In particular, SEDAT achieves an improvement of at least 5% accuracy over baseline methods for detecting multiscale attacks.

engineering, electrical & electronic,physics, applied,computer science, information systems

Ehsan Hallaji,Roozbeh Razavi-Far,Mehrdad Saif

DOI: https://doi.org/10.1016/j.cose.2024.103730

IF: 5.105

2024-01-21

Computers & Security

Abstract:Intrusion detection systems are primarily designed to flag security breaches upon their occurrence. These systems operate under the assumption of single-label data, where each instance is assigned to a single category. However, when dealing with complex data, such as malware triage, the information provided by the IDS is limited. Consequently, additional analysis becomes necessary, leading to delays and incurring additional computational costs. Existing solutions to this problem typically merge these steps by considering a unified, but large, label set encompassing both intrusion and analytical labels, which adversely affects efficiency and performance. To address these challenges, this paper presents a novel framework for multi-label classification by employing an ensemble of sequential models that preserve the original label sets during training. Each model focuses on learning the distribution specifically related to its assigned set of labels, independent of the other label sets. To capture the relationship between different sets of labels, the parameters of each trained model initialize the subsequent model, ensuring that information from unrelated label sets does not interfere with the learning objective. Consequently, the proposed method enhances prediction performance without increasing computational complexity. To evaluate the effectiveness of our approach, we conduct experiments on a real-world dataset related to intrusion detection. The results clearly demonstrate the effectiveness of our proposed method in handling multi-label classification tasks.

computer science, information systems

Jian Zhang,Shengquan Liu,Zhihua Liu

DOI: https://doi.org/10.1371/journal.pone.0304066

IF: 3.7

2024-06-27

PLoS ONE

Abstract:In recent years, with the development of the Internet, the attribution classification of APT malware remains an important issue in society. Existing methods have yet to consider the DLL link library and hidden file address during the execution process, and there are shortcomings in capturing the local and global correlation of event behaviors. Compared to the structural features of binary code, opcode features reflect the runtime instructions and do not consider the issue of multiple reuse of local operation behaviors within the same APT organization. Obfuscation techniques more easily influence attribution classification based on single features. To address the above issues, (1) an event behavior graph based on API instructions and related operations is constructed to capture the execution traces on the host using the GNNs model. (2) ImageCNTM captures the local spatial correlation and continuous long-term dependency of opcode images. (3) The word frequency and behavior features are concatenated and fused, proposing a multi-feature, multi-input deep learning model. We collected a publicly available dataset of APT malware to evaluate our method. The attribution classification results of the model based on a single feature reached 89.24% and 91.91%. Finally, compared to single-feature classifiers, the multi-feature fusion model achieves better classification performance.

Xiaoyu Wang,Xiaorui Gong,Lei Yu,Jian Liu

DOI: https://doi.org/10.1109/trustcom53373.2021.00106

2021-10-01

Abstract:With the continuous improvement of attack methods, there are more and more distributed, complex, targeted attacks in which the attackers use combined attack methods to achieve the purpose. Advanced cyber attacks include multiple stages to achieve the ultimate goal. Traditional intrusion detection systems such as endpoint security management tools, firewalls, and other monitoring tools generate a large number of alerts during the attack. These alerts include attack clues, as well as many false positives unrelated to attacks. Security analysts need to analyze a large number of alerts and find useful clues from them and reconstruct attack scenarios. However, most traditional security monitoring tools cannot correlate alerts from different sources, so many multi-step attacks are still completely unnoticed, requiring manual analysis by security analysts like finding a needle in a haystack. We propose MAAC, a multi-step attack alert correlation system, which reduces repeated alerts and combines multi-step attack paths based on alert semantics and attack stages. The evaluation results of the real-world datasets show that MAAC can effectively reduce the alerts by 90% and find attack paths from a large number of alerts.

Sen-Lei Zhang,Bin Zhang,Yi-Tao Zhou,Yue-Xuan Guo,Jing-Lei Tan

DOI: https://doi.org/10.3390/app13106217

2023-05-19

Applied Sciences

Abstract:Rapid and accurate anomaly traffic detection is one of the most important research problems in cyberspace situational awareness. In order to improve the accuracy and efficiency of the detection, a two-stage anomaly detection method based on user preference features and a deep fusion model is proposed. First, a user-preference list of attack detection tasks is constructed based on the resilient distributed dataset. Following that, the detection tasks are divided into multiple stages according to the detection framework, which allows multiple worker hosts to work in parallel. Finally, a deep fusion classifier is trained using the features extracted from the input traffic data. Experimental results indicate that the proposed method achieves better detection accuracy compared to the existing typical methods. Furthermore, compared with stand-alone detection, the proposed method can effectively improve the time efficiencies of the model’s training and testing to a large extent. The ablation experiment justifies the use of the machine learning method.

materials science, multidisciplinary,engineering,chemistry,physics, applied

Mingzhi Ma,Weijie Zheng,Wanli Lv,Lu Ren,Hang Su,Zhaoxia Yin

DOI: https://doi.org/10.1109/icip49359.2023.10222512

2023-01-01

Abstract:The vulnerabilities of multi-label models concerning adversarial attacks have been paid much attention. In the multi-label model, the labels are not independent of each other. However, the existing multi-label adversarial attack works do not adequately consider label correlations, thus unable to cost the most minor disturbance while ensuring the attack success rate. To address this issue, we develop a method that uses the label correlation. For targeted attacks, we build a label correlation matrix using cosine distance and select the label with the highest correlation score with the attacked label as the target label. For untargeted attacks, we choose the attacked label with the lowest confidence because of the label correlation. The proposed method can achieve low attack costs with high success rates, as demonstrated in experimental results.

Su Wang,Zhiliang Wang,Xia Yin,Xingang Shi

DOI: https://doi.org/10.1109/infocomwkshps50562.2020.9163041

2020-01-01

Abstract:Nowadays, attackers tend to perform several steps to complete a cyber attack named multi-step network attack which is different from the traditional network attack. Plenty of studies carried on multi-step attack detection use rule-based intrusion detection system (IDS) alerts as source while rule-based IDS relies heavily on its rule set. It is hard for IDS rule set to detect every anomaly behavior and once some attack steps do not cause alert, the subsequent multi-step attack detection will be affected. In this poster, we present a novel unsupervised two layer multi-step attack detector. In the first layer, we propose Dynamic Threshold Time Decay Frequent Item Mining to detect those steps IDS cannot generate alert and in the second layer, we utilize Heuristic Alarm Clustering method to detect the mult-istep attack scenario. The results of evaluation on IDS2012 dataset show that our detector can significantly reduce the false negative rate (FNR) of Suricata IDS.

Yujiang Liu,Wenjian Luo,Zhijian Chen,Muhammad Luqman Naseem

2024-09-26

Abstract:With the rapid development of Deep Neural Networks (DNNs), they have been applied in numerous fields. However, research indicates that DNNs are susceptible to adversarial examples, and this is equally true in the multi-label domain. To further investigate multi-label adversarial examples, we introduce a novel type of attacks, termed "Showing Many Labels". The objective of this attack is to maximize the number of labels included in the classifier's prediction results. In our experiments, we select nine attack algorithms and evaluate their performance under "Showing Many Labels". Eight of the attack algorithms were adapted from the multi-class environment to the multi-label environment, while the remaining one was specifically designed for the multi-label environment. We choose ML-LIW and ML-GCN as target models and train them on four popular multi-label datasets: VOC2007, VOC2012, NUS-WIDE, and COCO. We record the success rate of each algorithm when it shows the expected number of labels in eight different scenarios. Experimental results indicate that under the "Showing Many Labels", iterative attacks perform significantly better than one-step attacks. Moreover, it is possible to show all labels in the dataset.

Artificial Intelligence

Xueying Han,Song Liu,Junrong Liu,Bo Jiang,Zhigang Lu,Baoxu Liu

DOI: https://doi.org/10.1109/tifs.2024.3426304

IF: 7.231

2024-07-20

IEEE Transactions on Information Forensics and Security

Abstract:Malicious traffic detection in the real world faces the challenge of dealing with a diverse mix of known, unknown, and variant malicious traffic, requiring methods that are accurate, generalizable, and reliable for identifying both known and emerging threats. However, existing methods are unable to fully meet these requirements. Supervised methods can accurately detect known malicious traffic, but their performance declines significantly when encountering unknown attacks. Additionally, the misclassification is usually silent, leading to doubts about the reliability and practicality. Unsupervised methods can deal with unknown attacks, but their high false positive rate and inability to utilize the knowledge of existing attack data constitute obvious shortcomings. To overcome these limitations, we propose ECNet, an end-to-end robust malicious network traffic detection method. Particularly, ECNet incorporates multi-view features, including content and pattern features, and employs a gated-based feature fusion approach, providing an efficient and robust representation. Moreover, ECNet introduces a confidence mechanism and combines category probability and confidence values during training and detection; therefore, it can accurately detect both known and unknown malicious traffic while ensuring the credibility of results. To validate the performance of ECNet, we conduct comprehensive experiments on six reorganized datasets and compare ECNet with seven state-of-the-art methods. The results demonstrate that ECNet outperforms others, particularly showing significant improvements in detecting unknown attacks, with up to a 14.15% increase in F1 compared to the best-performing method.

computer science, theory & methods,engineering, electrical & electronic