Evolving optimised decision rules for intrusion detection using particle swarm paradigm

The aim of this article is to construct a practical intrusion detection system (IDS) that properly analyses the statistics of network traffic pattern and classify them as normal or anomalous class. The objective of this article is to prove that the choice of effective network traffic features and a proficient machine-learning paradigm enhances the detection accuracy of IDS. In this article, a rule-based approach with a family of six decision tree classifiers, namely Decision Stump, C4.5, Naive Baye's Tree, Random Forest, Random Tree and Representative Tree model to perform the detection of anomalous network pattern is introduced. In particular, the proposed swarm optimisation-based approach selects instances that compose training set and optimised decision tree operate over this trained set producing classification rules with improved coverage, classification capability and generalisation ability. Experiment with the Knowledge Discovery and Data mining (KDD) data set which have information on traffic pattern, during normal and intrusive behaviour shows that the proposed algorithm produces optimised decision rules and outperforms other machine-learning algorithm.     

Building lightweight intrusion detection system using wrapper-based feature selection mechanisms

Intrusion Detection System (IDS) is an important and necessary component in ensuring network security and protecting network resources and network infrastructures. How to build a lightweight IDS is a hot topic in network security. Moreover, feature selection is a classic research topic in data mining and it has attracted much interest from researchers in many fields such as network security, pattern recognition and data mining. In this paper, we effectively introduced feature selection methods to intrusion detection domain. We propose a wrapper-based feature selection algorithm aiming at building lightweight intrusion detection system by using modified random mutation hill climbing (RMHC) as search strategy to specify a candidate subset for evaluation, as well as using modified linear Support Vector Machines (SVMs) iterative procedure as wrapper approach to obtain the optimum feature subset. We verify the effectiveness and the feasibility of our feature selection algorithm by several experiments on KDD Cup 1999 intrusion detection dataset. The experimental results strongly show that our approach is not only able to speed up the process of selecting important features but also to yield high detection rates. Furthermore, our experimental results indicate that intrusion detection system with feature selection algorithm has better performance than that without feature selection algorithm both in detection performance and computational cost.     

一种高效的面向轻量级入侵检测系统的特征选择算法

特征选择是网络安全、模式识别、数据挖掘等领域的重要问题之一.针对高维数据对象,特征选择一方面可以提高分类精度和效率,另一方面可以找出富含信息的特征子集.文中提出一种wrapper型的特征选择算法来构建轻量级入侵检测系统.该算法采用遗传算法和禁忌搜索相混合的搜索策略对特征子集空间进行随机搜索,然后利用提供的数据在无约束优化线性支持向量机上的平均分类正确率作为特征子集的评价标准来获取最优特征子集.文中按照DOS,PROBE,R2L,U2R 4个类别对KDD1999数据集进行分类,并且在每一类上进行了大量的实验.实验结果表明,对每一类攻击文中提出的特征选择算法不仅可以加快特征选择的速度,而且基于该算法构建的入侵检测系统在建模时间、检测时间、检测已知攻击、检测未知攻击上,与没有运用特征选择的入侵检测系统相比具有更好的性能.     

基于GAIG特征选择算法的轻量化DDoS攻击检测方法

为了提高基于分类的DDoS攻击检测方法的实时性,通过结合轻量级入侵检测提出了以遗传算法为搜索策略、信息增益为子集评估标准的filter型特征选择算法GAIG（Feature Selection based on Genetic Algorithm and Information Gain）,提取具有高区分度的相对最小特征子集。在此基础上对比了Na?ve Bayes、C4.5、SVM、RBF Network、Random Forest和Random Tree这六种常用分类器的性能,并选取Random Tree构建了一种轻量化的DDoS攻击检测系统。实验结果表明,GAIG算法使分类器在尽可能不降低分类精度的同时,提高分类速度,从而提高分类检测的实时性;该轻量化攻击检测系统比一般的分类模型具有更好的检测未知攻击的能力。     

Comparative study for feature selection algorithms in intrusion detection system

The Intrusion Detection System (IDS) deals with the huge amount of network data that includes redundant and irrelevant features causing slow training and testing procedure, higher resource usage and poor detection ratio. Feature selection is a vital preprocessing step in intrusion detection. Hence, feature selec-tion is an essential issue in intrusion detection and need to be addressed by selec-ting the appropriate feature selection algorithm. A major challenge to select the optimal feature selection methods can precisely calculate the relevance of fea-tures to the detection process and the redundancy among features. In this paper, we study the concepts and algorithms used for feature selection algorithms in the IDS. We conclude this paper by identifying the best feature selection algorithm to select the important and useful features from the network dataset.     

基于GATS—C4．5的IP流分类

流分类技术在网络安全监控、QoS、入侵检测等应用领域起着重要的作用,是当前研究的热点.提出一种新的特征选择算法GATS-C4.5来构建轻量级的IP流分类器.该算法采用遗传算法与禁忌搜索相混合的搜索策略对特征子集空间进行随机搜索,然后利用提供的数据在CA.5上的分类正确率作为特征子集的评价标准来获取最优特征子集.在IP流数据集上进行了大量的实验,实验结果表明基于GATS-C4.5的流分类器在不影响检测准确度的情况下能够提高检测速度,并且基于GATS-CA.5的IP流分类器与NBK-FCBF(Naive Bayes method with Kereel density estimation after Correlation-Based Filter)相比具有更小的计算复杂性与更高的检测率.     

An intelligent algorithm with feature selection and decision rules applied to anomaly intrusion detection

Intrusion detection system (IDS) is to monitor the attacks occurring in the computer or networks. Anomaly intrusion detection plays an important role in IDS to detect new attacks by detecting any deviation from the normal profile. In this paper, an intelligent algorithm with feature selection and decision rules applied to anomaly intrusion detection is proposed. The key idea is to take the advantage of support vector machine (SVM), decision tree (DT), and simulated annealing (SA). In the proposed algorithm, SVM and SA can find the best selected features to elevate the accuracy of anomaly intrusion detection. By analyzing the information from using KDD’99 dataset, DT and SA can obtain decision rules for new attacks and can improve accuracy of classification. In addition, the best parameter settings for the DT and SVM are automatically adjusted by SA. The proposed algorithm outperforms other existing approaches. Simulation results demonstrate that the proposed algorithm is successful in detecting anomaly intrusion detection.     

A P2P Botnet detection scheme based on decision tree and adaptive multilayer neural networks

In recent years, Botnets have been adopted as a popular method to carry and spread many malicious codes on the Internet. These malicious codes pave the way to execute many fraudulent activities including spam mail, distributed denial-of-service attacks and click fraud. While many Botnets are set up using centralized communication architecture, the peer-to-peer (P2P) Botnets can adopt a decentralized architecture using an overlay network for exchanging command and control data making their detection even more difficult. This work presents a method of P2P Bot detection based on an adaptive multilayer feed-forward neural network in cooperation with decision trees. A classification and regression tree is applied as a feature selection technique to select relevant features. With these features, a multilayer feed-forward neural network training model is created using a resilient back-propagation learning algorithm. A comparison of feature set selection based on the decision tree, principal component analysis and the ReliefF algorithm indicated that the neural network model with features selection based on decision tree has a better identification accuracy along with lower rates of false positives. The usefulness of the proposed approach is demonstrated by conducting experiments on real network traffic datasets. In these experiments, an average detection rate of 99.08 % with false positive rate of 0.75 % was observed.

     

融合异常检测与随机森林的微博转发行为预测方法

针对目前微博转发行为预测具有的特征选择任意性、准确率不高的问题,提出了融合异常检测与随机森林的微博转发行为预测方法。首先,提取用户基本特征、博文基本特征、博文内容主题特征,并基于相对熵计算用户活跃度、博文影响力;其次,通过结合过滤式与封装式特征选择方法筛选出关键特征组;最后,融合异常检测与随机森林算法,依据筛选后的关键特征组进行微博转发行为预测,并利用袋外数据误差估计设置随机森林中的决策树和特征数。在真实新浪微博数据集上与基于逻辑回归、决策树、朴素贝叶斯、随机森林等算法的微博转发行为预测方法进行实验对比,结果表明所提方法的预测准确率(90.5％) 高于基准方法中最优的随机森林方法的预测准确率,同时验证了特征筛选方法的有效性。     

Practical real-time intrusion detection using machine learning approaches

The growing prevalence of network attacks is a well-known problem which can impact the availability, confidentiality, and integrity of critical information for both individuals and enterprises. In this paper, we propose a real-time intrusion detection approach using a supervised machine learning technique. Our approach is simple and efficient, and can be used with many machine learning techniques. We applied different well-known machine learning techniques to evaluate the performance of our IDS approach. Our experimental results show that the Decision Tree technique can outperform the other techniques. Therefore, we further developed a real-time intrusion detection system (RT-IDS) using the Decision Tree technique to classify on-line network data as normal or attack data. We also identified 12 essential features of network data which are relevant to detecting network attacks using the information gain as our feature selection criterions. Our RT-IDS can distinguish normal network activities from main attack types (Probe and Denial of Service (DoS)) with a detection rate higher than 98% within 2 s. We also developed a new post-processing procedure to reduce the false-alarm rate as well as increase the reliability and detection accuracy of the intrusion detection system.     

基于智能进化算法的DDoS攻击检测防御研究

为了减少分布式拒绝服务攻击(DDoS),将蚂蚱优化算法(GOA)与机器学习算法结合使用,通过创建入侵检测系统(IDS)来满足监控环境的要求,并能够区分正常和攻击流量.所设计的基于GOA的IDS技术(GOIDS)能够从原始IDS数据集中选择最相关的特征来帮助区分典型的低速DDoS攻击,然后将选择的特征传递给支持向量机(SVM)、决策树(DT)、朴素贝叶斯(NB)和多层感知器(MLP)等分类器来识别攻击类型.利用KDD Cup 99和CIC-IDS 2017公开数据集作为实验数据,仿真结果表明,基于决策树的GOIDS具有较高的检测率和较低的假阳性率.     

基于特征选择的轻量级入侵检测系统

基于特征选择的入侵检测系统处理的数据含有大量的冗余与噪音特征,使得系统耗用的计算资源很大,导致系统训练时间长、实时性差,检测效果不好.特征选择算法能够很好地消除冗余和噪音特征,为了提高入侵检测系统的检测速度和效果,对基于特征选择的入侵检测系统进行研究是必要的.综述了这一领域的研究进展,从过滤器、封装器、混合器3种模式对基于特征选择的轻量级入侵检测系统进行分类比较,分析和总结各种系统的优缺点以及它们各自适用的条件,最后指出入侵检测领域特征选择的发展趋势.特征选择不仅可以提升入侵检测系统的性能,而且使得对入侵检测的研究向特征提取算法的方向转移.     

Feature subset selection Filter–Wrapper based on low quality data

Today, feature selection is an active research in machine learning. The main idea of feature selection is to choose a subset of available features, by eliminating features with little or no predictive information, as well as redundant features that are strongly correlated. There are a lot of approaches for feature selection, but most of them can only work with crisp data. Until now there have not been many different approaches which can directly work with both crisp and low quality (imprecise and uncertain) data. That is why, we propose a new method of feature selection which can handle both crisp and low quality data. The proposed approach is based on a Fuzzy Random Forest and it integrates filter and wrapper methods into a sequential search procedure with improved classification accuracy of the features selected. This approach consists of the following main steps: (1) scaling and discretization process of the feature set; and feature pre-selection using the discretization process (filter); (2) ranking process of the feature pre-selection using the Fuzzy Decision Trees of a Fuzzy Random Forest ensemble; and (3) wrapper feature selection using a Fuzzy Random Forest ensemble based on cross-validation. The efficiency and effectiveness of this approach is proved through several experiments using both high dimensional and low quality datasets. The approach shows a good performance (not only classification accuracy, but also with respect to the number of features selected) and good behavior both with high dimensional datasets (microarray datasets) and with low quality datasets.     

粒子群优化支持向量机的入侵检测算法

为了提高网络入侵的检测正确率,针对网络入侵检测中特征选择问题,将二值粒子群优化算法(BPSO)用于网络入侵特征选择,结合支持向量机(SVM)提出了一种基于BPSO-SVM的网络入侵检测算法。该算法将网络入侵检测转化为多分类问题,采用wrapper特征选择模型,以SVM为分类器,通过样本训练分类器,根据分类结果,利用BPSO算法在特征空间中进行全局搜索,选择最优特征集进行分类。实验结果表明,BPSO-SVM有效降低了特征维数,显著提高了网络入侵的检测正确率,还大大缩短了检测时间。     

基于平均特征重要性和集成学习的异常检测

异常检测系统在网络空间安全中起着至关重要的作用,为网络安全提供有效的保障.对于复杂的网络流量信息,传统的单一的分类器往往无法同时具备较高检测精确度和较强的泛化能力.此外,基于全特征的异常检测模型往往会受到冗余特征的干扰,影响检测的效率和精度.针对这些问题,本文提出了一种基于平均特征重要性的特征选择和集成学习的模型,选取决策树(DT)、随机森林(RF)、额外树(ET)作为基分类器,建立投票集成模型,并基于基尼系数计算基分类器的平均特征重要性进行特征选择.在多个数据集上的实验评估结果表明,本文提出的集成模型优于经典集成学习模型及其他著名异常检测集成模型.且提出的基于平均特征重要性的特征选择方法可以使集成模型准确率平均进一步提升约0.13%,训练时间平均节省约30%.     

机器学习在工业网络入侵检测中的研究应用

在工业化和信息化两化深度融合的背景下,工业控制网络面临着高强度、持续性的恶意渗透和网络攻击,对国家安全和工业生产构成了巨大威胁.检测工业控制网络遭受恶意攻击,高效区分正常数据和攻击数据的研究已成为热点问题.以密西西比州立大学SCADA实验室的能源系统攻击数据集作为工业控制网络入侵检测的主要研究对象,对比不同机器学习算法的准确率、漏警率、虚警率等重要指标,得出综合性能最优的XGBoost算法.为进一步提高入侵检测效率,提出了一种针对XGBoost算法的包裹式特征选择方法,在简化数据集的同时突出不同特征在入侵检测中的重要性.研究结果表明,结合包裹式特征选择的XGBoost算法能有效解决入侵检测问题并提高入侵检测效率,验证了此方法的有效性和科学性.     

基于连接数据分析和OSELM分类器的网络入侵检测系统

针对网络入侵的实时高效检测问题,提出一种基于网络连接数据分析和在线贯序极限学习机(OSELM)分类器的网络入侵检测系统(IDS)。首先,对入侵数据库中的网络连接数据进行分析,通过特征选择算法选择出最优特征子集。然后,迭代执行交叉验证,并通过Alpha剖析来缩减样本尺寸,以此减低后续分类器的计算复杂度。最后,利用优化后的样本特征集来训练OSELM分类器,以此构建一个网络实时入侵检测系统。在NSL-KDD数据库上的实验结果表明,提出的IDS具有较高的检测率和较低的误报率,同时检测时间较短,符合实时入侵检测的要求。     

基于主成分分析禁忌搜索和决策树分类的异常流量检测方法

真实网络流量包括大量特征属性,现有基于特征分析的异常流量检测方法无法满足高维特征分析要求。提出一种基于主成分分析和禁忌搜索(PCA-TS)的流量特征选择算法结合决策树分类的异常流量检测方法,通过PCA-TS对高维特征进行特征约减和近优特征子集选择,为决策树分类方法提供有效的低维特征属性,结合决策树分类精度和处理效率高的优点,采用半监督学习方式进行异常流量实时检测。实验表明,与传统异常检测方法相比,此方法具有更高的检测精度和更低的误检率,其检测性能受样本规模影响较小,且对未知异常可以进行有效检测     

粗糙集和决策树方法在IDS中的应用研究

入侵检测系统（IDS）是数据挖掘的一个热门应用领域。为了解决当前建立的入侵检测系统缺少有效性的问题，文中首先介绍入侵检测系统产生的背景和入侵检测系统的特点，分析决策树归纳学习的过程，从数据挖掘的角度，首先使用粗糙集进行属性约简，运用决策树学习方法对入侵检测数据进行归纳学习。从结果看出粗糙集和决策树学习方法在建立入侵检测系统上的有效性和实用性。     

D-SCIDS: Distributed soft computing intrusion detection system

An Intrusion Detection System (IDS) is a program that analyzes what happens or has happened during an execution and tries to find indications that the computer has been misused. A Distributed IDS (DIDS) consists of several IDS over a large network (s), all of which communicate with each other, or with a central server that facilitates advanced network monitoring. In a distributed environment, DIDS are implemented using co-operative intelligent agents distributed across the network(s). This paper evaluates three fuzzy rule-based classifiers to detect intrusions in a network. Results are then compared with other machine learning techniques like decision trees, support vector machines and linear genetic programming. Further, we modeled Distributed Soft Computing-based IDS (D-SCIDS) as a combination of different classifiers to model lightweight and more accurate (heavy weight) IDS. Empirical results clearly show that soft computing approach could play a major role for intrusion detection.