Evolving optimised decision rules for intrusion detection using particle swarm paradigm

The aim of this article is to construct a practical intrusion detection system (IDS) that properly analyses the statistics of network traffic pattern and classify them as normal or anomalous class. The objective of this article is to prove that the choice of effective network traffic features and a proficient machine-learning paradigm enhances the detection accuracy of IDS. In this article, a rule-based approach with a family of six decision tree classifiers, namely Decision Stump, C4.5, Naive Baye's Tree, Random Forest, Random Tree and Representative Tree model to perform the detection of anomalous network pattern is introduced. In particular, the proposed swarm optimisation-based approach selects instances that compose training set and optimised decision tree operate over this trained set producing classification rules with improved coverage, classification capability and generalisation ability. Experiment with the Knowledge Discovery and Data mining (KDD) data set which have information on traffic pattern, during normal and intrusive behaviour shows that the proposed algorithm produces optimised decision rules and outperforms other machine-learning algorithm.     

A hybrid network intrusion detection system using simplified swarm optimization (SSO)

The network intrusion detection techniques are important to prevent our systems and networks from malicious behaviors. However, traditional network intrusion prevention such as firewalls, user authentication and data encryption have failed to completely protect networks and systems from the increasing and sophisticated attacks and malwares. In this paper, we propose a new hybrid intrusion detection system by using intelligent dynamic swarm based rough set (IDS-RS) for feature selection and simplified swarm optimization for intrusion data classification. IDS-RS is proposed to select the most relevant features that can represent the pattern of the network traffic. In order to improve the performance of SSO classifier, a new weighted local search (WLS) strategy incorporated in SSO is proposed. The purpose of this new local search strategy is to discover the better solution from the neighborhood of the current solution produced by SSO. The performance of the proposed hybrid system on KDDCup 99 dataset has been evaluated by comparing it with the standard particle swarm optimization (PSO) and two other most popular benchmark classifiers. The testing results showed that the proposed hybrid system can achieve higher classification accuracy than others with 93.3% and it can be one of the competitive classifier for the intrusion detection system.     

Intelligent Intrusion Detection for Industrial Internet of Things Using Clustering Techniques

The rapid growth of the Internet of Things (IoT) in the industrial sector has given rise to a new term: the Industrial Internet of Things (IIoT). The IIoT is a collection of devices, apps, and services that connect physical and virtual worlds to create smart, cost-effective, and scalable systems. Although the IIoT has been implemented and incorporated into a wide range of industrial control systems, maintaining its security and privacy remains a significant concern. In the IIoT contexts, an intrusion detection system (IDS) can be an effective security solution for ensuring data confidentiality, integrity, and availability. In this paper, we propose an intelligent intrusion detection technique that uses principal components analysis (PCA) as a feature engineering method to choose the most significant features, minimize data dimensionality, and enhance detection performance. In the classification phase, we use clustering algorithms such as K-medoids and K-means to determine whether a given flow of IIoT traffic is normal or attack for binary classification and identify the group of cyberattacks according to its specific type for multi-class classification. To validate the effectiveness and robustness of our proposed model, we validate the detection method on a new driven IIoT dataset called X-IIoTID. The performance results showed our proposed detection model obtained a higher accuracy rate of 99.79% and reduced error rate of 0.21% when compared to existing techniques.     

SLA-based complementary approach for network intrusion detection

Enhancing the intrusion detection system is essential to maintain user confidence in network services security. However, the threat of intruders on Internet services is prevalent. This paper proposes a distributed edge-to-edge complementary approach for intrusion detection in a DiffServ/MPLS domain. The QoS metrics are inspected at the edges routers to determine anomalous behavior in the network traffic. Consumed ratios of one-way delay variation (OWDV) and packet loss are computed to monitor service level agreement (SLA) violations. The bandwidth ratio is measured to differentiate abnormal from normal traffic as well as to detect multiple intrusions launched simultaneously. We employed SLA as a comparison scale to infer the deviation between the users consumed ratios and the predefined ratios in the SLA. Service violation occurs and intrusion may be launched when the predefined ratios are exceeded. The complementary services of DiffServ and MPLS techniques guarantee accurate measurements, whereas the complementary measurements of active and passive techniques immunize network performance against scalability limitation. Simulation results indicate that the proposed approach is capable of monitoring SLA violations and can filter out traffic of intruders who breach SLA without disturbing the normal traffic of legitimate users.     

Evaluation of an adaptive genetic-based signature extraction system for network intrusion detection

Machine learning techniques are frequently applied to intrusion detection problems in various ways such as to classify normal and intrusive activities or to mine interesting intrusion patterns. Self-learning rule-based systems can relieve domain experts from the difficult task of hand crafting signatures, in addition to providing intrusion classification capabilities. To this end, a genetic-based signature learning system has been developed that can adaptively and dynamically learn signatures of both normal and intrusive activities from the network traffic. In this paper, we extend the evaluation of our systems to real time network traffic which is captured from a university departmental server. A methodology is developed to build fully labelled intrusion detection data set by mixing real background traffic with attacks simulated in a controlled environment. Tools are developed to pre-process the raw network data into feature vector format suitable for a supervised learning classifier system and other related machine learning systems. The signature extraction system is then applied to this data set and the results are discussed. We show that even simple feature sets can help detecting payload-based attacks.     

网络入侵智能识别技术研究

文章研究了SVM和SOM方法在网络入侵检测中的应用,深入探讨了其中的关键技术问题和解决方法,对于SVM核参数优化方法及SOM可视化技术进行了应用研究,用KDD’99CUP数据集进行了仿真实验,结果表明这两种方法对于网络入侵数据的识别是有效的,并利用两种方法的各自优势构造了一种基于SOM-SVM复合结构的网络入侵智能识别模型。     

Intrusion Detection System for Big Data Analytics in IoT Environment

In the digital area, Internet of Things (IoT) and connected objects generate a huge quantity of data traffic which feeds big data analytic models to discover hidden patterns and detect abnormal traffic. Though IoT networks are popular and widely employed in real world applications, security in IoT networks remains a challenging problem. Conventional intrusion detection systems (IDS) cannot be employed in IoT networks owing to the limitations in resources and complexity. Therefore, this paper concentrates on the design of intelligent metaheuristic optimization based feature selection with deep learning (IMFSDL) based classification model, called IMFSDL-IDS for IoT networks. The proposed IMFSDL-IDS model involves data collection as the primary process utilizing the IoT devices and is preprocessed in two stages: data transformation and data normalization. To manage big data, Hadoop ecosystem is employed. Besides, the IMFSDL-IDS model includes a hill climbing with moth flame optimization (HCMFO) for feature subset selection to reduce the complexity and increase the overall detection efficiency. Moreover, the beetle antenna search (BAS) with variational autoencoder (VAE), called BAS-VAE technique is applied for the detection of intrusions in the feature reduced data. The BAS algorithm is integrated into the VAE to properly tune the parameters involved in it and thereby raises the classification performance. To validate the intrusion detection performance of the IMFSDL-IDS system, a set of experimentations were carried out on the standard IDS dataset and the results are investigated under distinct aspects. The resultant experimental values pointed out the betterment of the IMFSDL-IDS model over the compared models with the maximum accuracy 95.25% and 97.39% on the applied NSL-KDD and UNSW-NB15 dataset correspondingly.     

Effective network intrusion detection using stacking-based ensemble approach

The increasing demand for communication between networked devices connected either through an intranet or the internet increases the need for a reliable and accurate network defense mechanism. Network intrusion detection systems (NIDSs), which are used to detect malicious or anomalous network traffic, are an integral part of network defense. This research aims to address some of the issues faced by anomaly-based network intrusion detection systems. In this research, we first identify some limitations of the legacy NIDS datasets, including a recent CICIDS2017 dataset, which lead us to develop our novel dataset, CIPMAIDS2023-1. Then, we propose a stacking-based ensemble approach that outperforms the overall state of the art for NIDS. Various attack scenarios were implemented along with benign user traffic on the network topology created using graphical network simulator-3 (GNS-3). Key flow features are extracted using cicflowmeter for each attack and are evaluated to analyze their behavior. Several different machine learning approaches are applied to the features extracted from the traffic data, and their performance is compared. The results show that the stacking-based ensemble approach is the most promising and achieves the highest weighted F1-score of 98.24%.

     

粒子群选择特征和信息增益确定特征权值的入侵检测

为了提高网络入侵检测正确率,提出一种粒子群算法(PSO)选择特征和信息增益(IG)法确定特征权值的网络入侵检测模型(PSO-IG)。首先采用PSO选择网络入侵特征子集,消除冗余特征;然后采用IG法确定特征子集中的特征权重,并采用支持向量机(SVM)建立分类模型;最后采用KDD CUP 99 数据集对PSO-IG的性能进行测试。测试结果表明:PSO-IG消除了冗余特征,降低了输入维数,提高了网络入侵检测速度;通过合理确定特征权值,提高了入侵检测正确率。     

基于模糊数据挖掘和遗传算法的网络入侵检测技术

文章通过开发一套新的网络入侵检测系统来证实应用模糊逻辑和遗传算法的数据挖掘技术的有效性;这个系统联合了基于模糊数据挖掘技术的异常检测和基于专家系统的滥用检测,在开发异常检测的部分时,利用模糊数据挖掘技术来从正常的行为存储模式中寻找差异,遗传算法用来调整模糊隶属函数和选择一个合适的特征集合,滥用检测部分用于寻找先前行为描述模式,这种模式很可能预示着入侵,网络的通信量和系统的审计数据被用做两个元件的输入;此系统的系统结构既支持异常检测又支持滥用检测、既适用于个人工作站又可以适用于复杂网络。     

A Novel Approach for Network Vulnerability Analysis in IIoT

Industrial Internet of Things (IIoT) offers efficient communication among business partners and customers. With an enlargement of IoT tools connected through the internet, the ability of web traffic gets increased. Due to the raise in the size of network traffic, discovery of attacks in IIoT and malicious traffic in the early stages is a very demanding issues. A novel technique called Maximum Posterior Dichotomous Quadratic Discriminant Jaccardized Rocchio Emphasis Boost Classification (MPDQDJREBC) is introduced for accurate attack detection with minimum time consumption in IIoT. The proposed MPDQDJREBC technique includes feature selection and categorization. First, the network traffic features are collected from the dataset. Then applying the Maximum Posterior Dichotomous Quadratic Discriminant analysis to find the significant features for accurate classification and minimize the time consumption. After the significant features selection, classification is performed using the Jaccardized Rocchio Emphasis Boost technique. Jaccardized Rocchio Emphasis Boost Classification technique combines the weak learner result into strong output. Jaccardized Rocchio classification technique is considered as the weak learners to identify the normal and attack. Thus, proposed MPDQDJREBC technique gives strong classification results through lessening the quadratic error. This assists for proposed MPDQDJREBC technique to get better the accuracy for attack detection with reduced time usage. Experimental assessment is carried out with UNSW_NB15 Dataset using different factors such as accuracy, precision, recall, F-measure and attack detection time. The observed results exhibit the MPDQDJREBC technique provides higher accuracy and lesser time consumption than the conventional techniques.     

Intrusion Detection Systems in Internet of Things and Mobile Ad-Hoc Networks

Internet of Things (IoT) devices work mainly in wireless mediums; requiring different Intrusion Detection System (IDS) kind of solutions to leverage 802.11 header information for intrusion detection. Wireless-specific traffic features with high information gain are primarily found in data link layers rather than application layers in wired networks. This survey investigates some of the complexities and challenges in deploying wireless IDS in terms of data collection methods, IDS techniques, IDS placement strategies, and traffic data analysis techniques. This paper’s main finding highlights the lack of available network traces for training modern machine-learning models against IoT specific intrusions. Specifically, the Knowledge Discovery in Databases (KDD) Cup dataset is reviewed to highlight the design challenges of wireless intrusion detection based on current data attributes and proposed several guidelines to future-proof following traffic capture methods in the wireless network (WN). The paper starts with a review of various intrusion detection techniques, data collection methods and placement methods. The main goal of this paper is to study the design challenges of deploying intrusion detection system in a wireless environment. Intrusion detection system deployment in a wireless environment is not as straightforward as in the wired network environment due to the architectural complexities. So this paper reviews the traditional wired intrusion detection deployment methods and discusses how these techniques could be adopted into the wireless environment and also highlights the design challenges in the wireless environment. The main wireless environments to look into would be Wireless Sensor Networks (WSN), Mobile Ad Hoc Networks (MANET) and IoT as this are the future trends and a lot of attacks have been targeted into these networks. So it is very crucial to design an IDS specifically to target on the wireless networks.     

A hybrid artificial immune system and Self Organising Map for network intrusion detection

Network intrusion detection is the problem of detecting unauthorised use of, or access to, computer systems over a network. Two broad approaches exist to tackle this problem: anomaly detection and misuse detection. An anomaly detection system is trained only on examples of normal connections, and thus has the potential to detect novel attacks. However, many anomaly detection systems simply report the anomalous activity, rather than analysing it further in order to report higher-level information that is of more use to a security officer. On the other hand, misuse detection systems recognise known attack patterns, thereby allowing them to provide more detailed information about an intrusion. However, such systems cannot detect novel attacks.A hybrid system is presented in this paper with the aim of combining the advantages of both approaches. Specifically, anomalous network connections are initially detected using an artificial immune system. Connections that are flagged as anomalous are then categorised using a Kohonen Self Organising Map, allowing higher-level information, in the form of cluster membership, to be extracted. Experimental results on the KDD 1999 Cup dataset show a low false positive rate and a detection and classification rate for Denial-of-Service and User-to-Root attacks that is higher than those in a sample of other works.     

Automatically building datasets of labeled IP traffic traces: A self-training approach

Many approaches have been proposed so far to tackle computer network security. Among them, several systems exploit Machine Learning and Pattern Recognition techniques, by regarding malicious behavior detection as a classification problem. Supervised and unsupervised algorithms have been used in this context, each one with its own benefits and shortcomings. When using supervised techniques, a representative training set is required, which reliably indicates what a human expert wants the system to learn and recognize, by means of suitably labeled samples. In real environments there is a significant difficulty in collecting a representative dataset of correctly labeled traffic traces. In adversarial environments such a task is made even harder by malicious attackers, trying to make their actions’ evidences stealthy.In order to overcome this problem, a self-training system is presented in this paper, building a dataset of labeled network traffic based on raw tcpdump traces and no prior knowledge on data. Results on both emulated and real traffic traces have shown that intrusion detection systems trained on such a dataset perform as well as the same systems trained on correctly hand-labeled data.     

基于智能流量预测的入侵检测方法

为了提高入侵检测系统检测的实时性,提出了一种基于智能流量预测的入侵检测方法。该方法拟合了智能Agent的智能性、自主性和自适应性的优点以及灰色预测对不确定资源的科学预测的优点,用流量预测智能Agent预测得到的流量序列来代替未来一段时间段内的实际流量,并把这个预测序列作为检测对象集的一部分。然后用人工方法模拟了流量处理Agent与预测智能Agent的活动,并通过对实际的采集数据进行仿真,实验证明了预测智能Agent的预测活动的科学性。     

Computer-aided diagnosis of human brain tumor through MRI: A survey and a new algorithm

Computer-aided detection/diagnosis (CAD) systems can enhance the diagnostic capabilities of physicians and reduce the time required for accurate diagnosis. The objective of this paper is to review the recent published segmentation and classification techniques and their state-of-the-art for the human brain magnetic resonance images (MRI). The review reveals the CAD systems of human brain MRI images are still an open problem. In the light of this review we proposed a hybrid intelligent machine learning technique for computer-aided detection system for automatic detection of brain tumor through magnetic resonance images. The proposed technique is based on the following computational methods; the feedback pulse-coupled neural network for image segmentation, the discrete wavelet transform for features extraction, the principal component analysis for reducing the dimensionality of the wavelet coefficients, and the feed forward back-propagation neural network to classify inputs into normal or abnormal. The experiments were carried out on 101 images consisting of 14 normal and 87 abnormal (malignant and benign tumors) from a real human brain MRI dataset. The classification accuracy on both training and test images is 99% which was significantly good. Moreover, the proposed technique demonstrates its effectiveness compared with the other machine learning recently published techniques. The results revealed that the proposed hybrid approach is accurate and fast and robust. Finally, possible future directions are suggested.     

Genetic-fuzzy rule mining approach and evaluation of feature selection techniques for anomaly intrusion detection

Classification of intrusion attacks and normal network traffic is a challenging and critical problem in pattern recognition and network security. In this paper, we present a novel intrusion detection approach to extract both accurate and interpretable fuzzy IF-THEN rules from network traffic data for classification. The proposed fuzzy rule-based system is evolved from an agent-based evolutionary framework and multi-objective optimization. In addition, the proposed system can also act as a genetic feature selection wrapper to search for an optimal feature subset for dimensionality reduction. To evaluate the classification and feature selection performance of our approach, it is compared with some well-known classifiers as well as feature selection filters and wrappers. The extensive experimental results on the KDD-Cup99 intrusion detection benchmark data set demonstrate that the proposed approach produces interpretable fuzzy systems, and outperforms other classifiers and wrappers by providing the highest detection accuracy for intrusion attacks and low false alarm rate for normal network traffic with minimized number of features.     

An autonomous labeling approach to support vector machines algorithms for network traffic anomaly detection

In the past years, several support vector machines (SVM) novelty detection approaches have been applied on the network intrusion detection field. The main advantage of these approaches is that they can characterize normal traffic even when trained with datasets containing not only normal traffic but also a number of attacks. Unfortunately, these algorithms seem to be accurate only when the normal traffic vastly outnumbers the number of attacks present in the dataset. A situation which can not be always hold.This work presents an approach for autonomous labeling of normal traffic as a way of dealing with situations where class distribution does not present the imbalance required for SVM algorithms. In this case, the autonomous labeling process is made by SNORT, a misuse-based intrusion detection system. Experiments conducted on the 1998 DARPA dataset show that the use of the proposed autonomous labeling approach not only outperforms existing SVM alternatives but also, under some attack distributions, obtains improvements over SNORT itself.     

融合随机森林和梯度提升树的入侵检测研究

网络入侵检测系统作为一种保护网络免受攻击的安全防御技术,在保障计算机系统和网络安全领域起着非常重要的作用.针对网络入侵检测中数据不平衡的多分类问题,机器学习已被广泛用于入侵检测,比传统方法更智能、更准确.对现有的网络入侵检测多分类方法进行了改进研究,提出了一种融合随机森林模型进行特征转换、使用梯度提升决策树模型进行分类的入侵检测模型RF-GBDT,该模型主要分为特征选择、特征转换和分类器这3个部分.采用UNSW-NB15数据集对RF-GBDT模型进行了实验测试,与其他3种同领域的算法相比,RF-GBDT既缩短了训练时间,又具有较高的检测率和较低的误报率,在测试数据集上受试者工作特征曲线下的面积可达98.57%.RF-GBDT对于解决网络入侵检测数据不平衡的多分类问题具有较显著的优势,是一种切实可行的入侵检测方法.     

Neural projection techniques for the visual inspection of network traffic

A crucial aspect in network monitoring for security purposes is the visual inspection of the traffic pattern, mainly aimed to provide the network manager with a synthetic and intuitive representation of the current situation. Towards that end, neural projection techniques can map high-dimensional data into a low-dimensional space adaptively, for the user-friendly visualization of monitored network traffic. This work proposes two projection methods, namely, cooperative maximum likelihood Hebbian learning and auto-associative back-propagation networks, for the visual inspection of network traffic. This set of methods may be seen as a complementary tool in network security as it allows the visual inspection and comprehension of the traffic data internal structure. The proposed methods have been evaluated in two complementary and practical network-security scenarios: the on-line processing of network traffic at packet level, and the off-line processing of connection records, e.g. for post-mortem analysis or batch investigation. The empirical verification of the projection methods involved two experimental domains derived from the standard corpora for evaluation of computer network intrusion detection: the MIT Lincoln Laboratory DARPA dataset.