Similar literature
20 similar records found (search time 296 ms)
1.
张全龙  王怀彬 《计算机应用》2021,41(5):1372-1377
Machine-learning-based intrusion detection models play a critical role in protecting the security of network environments. To address the problem that existing network intrusion detection models cannot fully learn the features of network intrusion data, deep learning theory is applied to intrusion detection and a deep network model with automatic feature extraction is proposed. In this model, dilated convolution is used to enlarge the receptive field over the input and extract high-level features from it, a gated recurrent unit (GRU) model is used to extract and retain the long-term dependencies between features, and a deep neural network (DNN) is then used to fully learn the data features. Compared with classical machine learning classifiers, the model achieves a higher detection rate. Experiments on the well-known KDD CUP99, NSL-KDD and UNSW-NB15 datasets show that the model outperforms other classifiers. Specifically, the model achieves an accuracy of 99.78% on the KDD CUP99 dataset, 99.53% on the NSL-KDD dataset and 93.12% on the UNSW-NB15 dataset.

2.
Traffic anomaly detection can effectively identify attack behaviour in network traffic data and is an important means of network security protection. In recent years deep learning has been widely applied to traffic anomaly detection, but existing deep learning models for this task have two problems: first, noise in the data leads to poor detection robustness and low accuracy; second, the high dimensionality of the data features and the large number of model parameters make training and detection slow. To improve detection speed and accuracy while reducing the influence of noise in traffic data, this paper proposes a traffic anomaly detection method that combines a Denoising Auto Encoder (DAE) with a Gated Recurrent Unit (GRU). First, a DAE-based traffic feature extraction algorithm is designed: the DAE is trained with mini-batch gradient descent, and by minimising the difference between the reconstruction of the noisy input and the original input vector it extracts robust traffic features and reduces the feature dimension. Then, a GRU-based anomaly detection algorithm is designed: the GRU is trained on the extracted low-dimensional traffic features to build an anomalous-traffic classifier that accurately detects attack traffic. Finally, experimental results on the NSL-KDD, UNSW-NB15 and CICIDS2017 datasets show that, compared with other machine learning and deep learning methods, the proposed method improves detection accuracy by up to 18.71%. The method also achieves high precision, recall and detection efficiency together with a low false alarm rate, and remains robust when the data is corrupted by noise.

3.
Service availability plays a vital role on computer networks, against which Distributed Denial of Service (DDoS) attacks are an increasingly growing threat each year. Machine learning (ML) is a promising approach widely used for DDoS detection, which obtains satisfactory results for known attacks. However, such approaches are almost incapable of detecting unknown malicious traffic. This paper proposes a novel method combining both supervised and unsupervised algorithms. First, a clustering algorithm separates the anomalous traffic from the normal data using several flow-based features. Then, using certain statistical measures, a classification algorithm is used to label the clusters. Employing a big data processing framework, we evaluate the proposed method by training on the CICIDS2017 dataset and testing on a different set of attacks provided in the more up-to-date CICDDoS2019. The results demonstrate that the Positive Likelihood Ratio (LR+) of our method is approximately 198% higher than that of the ML classification algorithms.

4.
To maintain the security and reliability of operating systems, a generalisable network intrusion detection system framework based on artificial intelligence models is proposed. Its main function is to inspect network traffic of various forms arriving from the Internet, sniff out possible intrusion attacks and malicious network connections, and classify them. The framework first preprocesses network traffic instances with sampling, one-hot encoding, feature selection and normalisation to obtain basic information and filter out important features; it then builds a scoring mechanism from the distribution of feature values of network connection instances to re-extract information from the data; finally, for different forms of network traffic, it uses different machine learning or deep learning models to determine the result. The experiments use three public benchmark datasets, KDDCup99, UNSW-NB15 and CICIDS2017, for training and testing. Comparison with related literature shows that the proposed method performs well in both accuracy and F1 score on all three datasets.

5.
Traditional network anomaly detection is constrained by data storage and processing capacity, and suffers from low accuracy, a high false alarm rate and an inability to detect unknown attacks. Combining an improved support vector machine with the random forest algorithm under the Spark framework, a network anomaly behaviour detection model based on big data technology is proposed. The method was validated on the NSL-KDD dataset and is clearly superior to traditional detection algorithms in accuracy and false alarm rate: the overall detection accuracy and false alarm rate are 96.61% and 2.92% respectively, and the accuracies for the four attack types DOS, Probe, R2L and U2R reach 98.01%, 88.29%, 94.03% and 66.67% respectively, confirming the effectiveness of the method.

6.
Distributed Denial of Service (DDoS) attacks have been increasing with the growth of computer and network infrastructures in ubiquitous computing. DDoS attacks generating mass traffic deplete network bandwidth and/or system resources. It is therefore important to detect DDoS attacks in their early stage. Our previous approach used a traffic matrix to detect DDoS attacks quickly and accurately. However, it provided no way to tune the parameters of the traffic matrix, namely (i) the size of the traffic matrix, (ii) the time-based window size, and (iii) the threshold on the variance computed from packet information, for the various monitored environments and DDoS attacks. Moreover, the time-based window size led to computational overheads when no DDoS attack was occurring. To cope with this, we propose an enhanced DDoS attack detection approach that optimizes the parameters of the traffic matrix using a Genetic Algorithm (GA) to maximize the detection rate. Furthermore, we improve the traffic matrix building operation by (i) reforming the hash function to decrease hash collisions and (ii) replacing the time-based window size with a packet-based window size to reduce the computational overheads. We perform experiments with DARPA 2000 LLDOS 1.0, LBL-PKT-4 of Lawrence Berkeley Laboratory and generated attack datasets. The experimental results show the feasibility of our approach in terms of detection accuracy and speed.

7.
Distributed Denial of Service (DDoS) attacks are among the most destructive attacks in network environments. Existing machine-learning-based detection methods usually feed the feature values of a single moment directly into a classifier without considering the relationship between features at adjacent moments, which leads to high false positive and false negative rates. A DDoS attack detection method based on Hidden Markov Model (HMM) time-series prediction and a chaos model is proposed. To capture the burstiness of large-scale attack traffic, a two-tuple of Network Traffic Weighted Feature (NTWF) and Network Flow Average Rate (NFAR) is defined to describe the characteristics of network traffic. A hierarchical clustering algorithm then classifies the training set to obtain the hidden-layer state (HLS) sequence; the NTWF and HLS sequences are used for supervised learning of the HMM to obtain the state transition matrix and the confusion matrix, which are then used to predict the NTWF sequence. Finally, a chaos model analyses the prediction error of the NTWF sequence and, combined with NFAR-based rules, identifies attack behaviour. Experimental results show that the proposed method has lower false positive and false negative rates than comparable methods.

8.
DDoS attacks are one of the most serious threats to today's networks, including the next-generation IPv6 network. A real-time IPv6 detection method based on traffic self-similarity is proposed. An improved WinPcap is used for real-time capture and monitoring of flow data, and the Whittle ML method is applied to DDoS attack detection for the first time. Comparative simulation experiments on the choice of Hurst estimator and on a network with injected DDoS attack flows show that the relative error of the Hurst estimate with the Whittle ML method is 0.07% lower than with the wavelet transform; the attack detection error is only 0.042%, with an accuracy of 99.6%; and the success rate and sensitivity of DDoS attack detection are improved.

9.
The rapid advancement and growth of technology have rendered cloud computing services indispensable to our activities. Threats and intrusions have since multiplied exponentially across a range of industries. In such a scenario, the intrusion detection system, or simply the IDS, is deployed on the network to monitor and detect any attacks. The paper proposes a feed-forward deep neural network (FFDNN) method based on deep learning methodology using a filter-based feature selection model. The feature selection strategy aims to determine and select the most highly relevant subset of attributes from the feature importance scores for training the deep learning model. Three benchmark data sets were used to assess the experiment: CIC-IDS 2017, UNSW-NB15, and NSL-KDD. In order to justify the proposed technique, a comparison was done using other learning algorithms ranging from classical machine learning to ensemble learning methods that can detect various attacks. The experiments showed that the FFDNN model with reduced feature subsets gave the highest accuracy of 99.53% and 94.45% on the NSL-KDD and UNSW-NB15 data sets, while the ensemble-based XGBoost model performed better on the CIC-IDS 2017 data set. In addition, the results show that the overall accuracy, recall, and F1 score of the deep learning algorithm are generally better for all the data sets.

10.
High-bandwidth DDoS attacks consume more resources and have a direct impact at the ISP level, in contrast to low-rate DDoS attacks, which lead to graceful degradation of the network and are mostly undetectable. Although an array of detection schemes has been proposed, the current requirement is a real-time DDoS detection mechanism that adapts itself to varying network conditions to give minimum false alarms. DDoS attacks that disturb the distribution of traffic features in the ISP domain are reflected by entropic variations in in-stream samples. We propose honeypot detection for attack traffic having statistically similar distribution features to legitimate traffic. Next we propose to calibrate the detection mechanism for a minimum false alarm rate by varying the tolerance factor in real time. Simulations are carried out in ns-2 at different attack strengths. We also report our experimental results over the MIT Lincoln Lab dataset and its subset, the KDD 99 dataset. Results show that the proposed approach is comparable to previously reported approaches, with the advantage of variable-rate attack detection with minimum false positives and negatives.

11.
Intrusion detection systems have become a fundamental and essential part of network security because of the growth in attacks, which is in turn driven by the broad expansion of the Internet and of access to data systems around the world. An intrusion detection system (IDS) is used to detect abnormalities present in a network or system. With large data volumes, the false alarm rate of intrusion detection rises and detection accuracy falls; this is a significant problem when the network experiences unknown attacks. The principal objective is to increase accuracy and reduce the false alarm rate (FAR). To address these difficulties, a Crow Search Optimization algorithm combined with an Adaptive Neuro-Fuzzy Inference System (CSO-ANFIS) is proposed. ANFIS combines a fuzzy inference system with an artificial neural network, and the crow search optimization algorithm is used to optimize the ANFIS model and enhance its performance. The NSL-KDD data set was used to validate the intrusion detection performance of the proposed model, and the experimental results are compared with other existing techniques for overall performance validation. On the NSL-KDD dataset the proposed model's intrusion detection was better and more efficient than those models, with a detection rate of 95.80% and a FAR of 3.45%.

12.
In traditional software-defined networking (SDN), Distributed Denial of Service (DDoS) attack detection methods require frequent communication between the control plane and the data plane, which introduces significant overhead and latency, while current programmable data planes cannot implement complex detection algorithms because of language limitations, making high detection efficiency hard to guarantee. To address these problems, a DDoS attack detection method based on a Programming Protocol-independent Packet Processors (P4) programmable data plane is proposed. First, an improved P4-based information entropy is used for a preliminary check to determine whether suspicious traffic is present; then, exploiting the fact that feature extraction in P4 takes only microseconds, a six-tuple of features of the suspicious traffic is extracted and fed into a data standardization-deep neural network (DS-DNN) re-check module that determines whether it is DDoS attack traffic; finally, the evaluation metrics of the method are tested in a simulated real-world environment. Experimental results show that the method detects DDoS attacks well in an SDN environment, effectively lowering the false alarm rate while maintaining a high detection rate and accuracy, and shortening the detection time to the millisecond level.

13.
曹卫东  许志香 《计算机应用》2019,39(7):1979-1984
Supervised intrusion detection algorithms require large amounts of labelled data that are hard to collect, while unsupervised algorithms have low accuracy and in particular low detection rates for the R2L and U2R attack classes. To address these problems, an efficient semi-supervised multi-level intrusion detection algorithm is proposed. First, using the index structure of a Kd-tree and weighted density, the initial cluster centres of the K-means algorithm are chosen in high-density sample regions; then the clustered data are divided into three kinds of cluster, and the unlabelled and mixed clusters are used to expand the labelled dataset through Tri-training with a weighted voting rule; finally, a hierarchical classification model with a binary-tree structure is designed and validated experimentally on the NSL-KDD dataset. The results show that, using only a small amount of labelled data, the semi-supervised multi-level intrusion detection model reaches detection rates of 49.38% and 81.14% for R2L and U2R respectively, effectively raising the detection rate for these two attack classes and thereby lowering the system's false negative rate.

14.
This paper presents a new spectral template-matching approach to countering shrew distributed denial-of-service (DDoS) attacks. These attacks are stealthy, periodic, pulsing, and low-rate in attack volume, very different from flooding attacks. They are launched as high, narrow spikes at a very low frequency, periodically. Thus, shrew attacks may endanger the victim systems for a long time without being detected. In other words, such attacks may reduce the quality of services unnoticeably. Our defense method calls for collaborative detection and filtering (CDF) of shrew DDoS attacks. We detect shrew attack flows hidden in legitimate TCP/UDP streams by spectral analysis against a pre-stored template of average attack spectral characteristics. This novel scheme is suitable for either software or hardware implementation. The CDF scheme is implemented with the NS-2 network simulator using real-life Internet background traffic mixed with attack datasets used by established research groups. Our simulated results show high detection accuracy by merging alerts from cooperative routers. Both theoretical modeling and simulation experimental results are reported here. The experiments achieved up to 95% successful detection of network anomalies along with a low 10% false positive alarm rate. The scheme cuts off malicious flows containing shrew attacks using a newly developed packet-filtering scheme. Our filtering scheme retained 99% of legitimate TCP flows, compared with only 20% of TCP flows retained by using the Drop Tail algorithm. The paper also considers DSP, FPGA, and network processor implementation issues and discusses limitations and further research challenges.

15.
Class imbalance has become a big problem that leads to inaccurate traffic classification. Accurate classification of traffic flows helps us in security monitoring, IP management, intrusion detection, etc. To address the traffic classification problem, machine learning (ML) approaches are widely used in the literature. Therefore, in this paper, we also propose an ML-based hybrid feature selection algorithm named WMI_AUC that makes use of two metrics: the weighted mutual information (WMI) metric and the area under the ROC curve (AUC). These metrics select effective features from a traffic flow. Then, in order to select robust features from the selected features, we propose a robust feature selection algorithm. The proposed approach increases the accuracy of ML classifiers and helps in detecting malicious traffic. We evaluate our work using 11 well-known ML classifiers on trace datasets from different network environments. Experimental results show that our algorithms achieve more than 95% flow accuracy.

16.
The Cloud system shows its growing functionalities in various industrial applications. The security of data transfer remains under threat, and a Network Intrusion Detection System (NIDS) is regarded as an essential element in providing that security. Recently, Machine Learning (ML) approaches have been used for the construction of intelligent IDS. Most ML-based IDS are either unsupervised or supervised. In supervised learning, the NIDS depends on labeled data, which reduces the efficiency of the resulting model in identifying attack patterns. Similarly, the unsupervised model fails to provide a satisfactory outcome. Hence, to boost the functionality of unsupervised learning, an effective auto-encoder is applied for feature selection to select good features. Finally, the Naïve Bayes classifier is used for classification. This approach exhibits the finest generalization ability on the training data. Unlabelled data is also used for adaptation towards data analysis. Here, redundant and noisy samples in the dataset are eliminated. To validate the robustness and efficiency of the NIDS, the proposed model is tested on the NSL-KDD dataset. The experimental outcomes demonstrate that the proposed approach attains a superior accuracy of 93%, which is higher compared to J48, AB tree, Random Forest (RF), Regression Tree (RT), Multi-Layer Perceptrons (MLP), Support Vector Machine (SVM), and Fuzzy. Similarly, the False Alarm Rate (FAR) and True Positive Rate (TPR) of Naive Bayes (NB) are 0.3 and 0.99, respectively. When compared to prevailing techniques, the proposed approach also delivers promising outcomes.

17.
The algorithm selection problem is defined as identifying the best-performing machine learning (ML) algorithm for a given combination of dataset, task, and evaluation measure. The human expertise required to evaluate the increasing number of ML algorithms available has resulted in the need to automate the algorithm selection task. Various approaches have emerged to handle the automatic algorithm selection challenge, including meta-learning. Meta-learning is a popular approach that leverages accumulated experience for future learning and typically involves dataset characterization. Existing meta-learning methods often represent a dataset using predefined features and thus cannot be generalized across different ML tasks, or alternatively learn a dataset's representation in a supervised manner and are therefore unable to deal with unsupervised tasks. In this study, we propose a novel learning-based task-agnostic method for producing dataset representations. Then, we introduce TRIO, a meta-learning approach that utilizes the proposed dataset representations to accurately recommend top-performing algorithms for previously unseen datasets. TRIO first learns graphical representations for the datasets, using four tools to learn the latent interactions among dataset instances, and then utilizes a graph convolutional neural network technique to extract embedding representations from the graphs obtained. We extensively evaluate the effectiveness of our approach on 337 datasets and 195 ML algorithms, demonstrating that TRIO significantly outperforms state-of-the-art methods for algorithm selection for both supervised (classification and regression) and unsupervised (clustering) tasks.

18.
Low-rate Distributed Denial of Service attacks exploit vulnerabilities in the adaptive mechanisms of network protocols and pose a serious threat to network quality of service; they are highly stealthy, low in attack rate and periodic. Existing detection methods detect only a single attack type and have low identification accuracy, so a multi-type low-rate DDoS attack detection method based on hybrid deep learning is proposed. Different types of low-rate DDoS attacks and normal traffic from different 5G scenarios are simulated, traffic is collected at the network entry point and its flow features are extracted to build a multi-type low-rate DDoS attack dataset; the features of the different low-rate DDoS attack types are analysed from the perspectives of statistical thresholds and feature engineering, yielding a 40-dimensional effective feature set for low-rate DDoS attacks; the CNN-RF hybrid deep learning algorithm is trained offline on this feature set and its performance is compared with the LSTM-LightGBM and LSTM-RF algorithms; the CNN-RF detection model is deployed at the gateway to achieve online detection of multiple low-rate DDoS attack types, and its performance is evaluated with the newly defined false interception rate and malicious traffic detection rate metrics. The results show that, with a 120 s time window, the proposed method can detect four types of low-rate DDoS attack online, namely Slow Headers, Slow Body, Slow Read and Shrew attacks, with a false interception rate of 11.03% and a malicious...

19.
To address the vulnerability of software-defined networks to DDoS attacks and their heavy monitoring load, a staged, multi-level DDoS attack identification model based on cross-entropy is proposed. A preliminary check that monitors the CPU utilisation of SDN switches predicts the anomalous state; cross-entropy theory is introduced to jointly examine the destination-IP cross-entropy and the PACKET IN packets of the anomalous switch, quantitatively analysing the similarity of the feature distributions of normal and anomalous traffic; through the selected cross-entropy-based features, the flow...

20.
An improved entropy-based DDoS attack detection method   Cited by: 1 (self-citations: 0, citations by others: 1)
张洁  秦拯 《计算机应用》2010,30(7):1778-1781
Compared with other traffic-based or feature-based detection methods, entropy-based Distributed Denial of Service (DDoS) attack detection methods are computationally simple, highly sensitive, have a low false alarm rate, add no extra network traffic and require no extra hardware. To further improve the accuracy of DDoS attack detection and reduce the false alarm rate, an improved entropy-based DDoS attack detection method is proposed. The method divides DDoS attacks into different threat levels and performs a different number of detection rounds for attacks at each threat level. NS-2 simulation results confirm its effectiveness.
