Genetic-based Fuzzy IDS for Feature Set Reduction and Worm Hole Attack Detection

The wireless ad-hoc networks are decentralized networks with a dynamic topology that allows for end-to-end communications via multi-hop routing operations with several nodes collaborating themselves, when the destination and source nodes are not in range of coverage. Because of its wireless type, it has lot of security concerns than an infrastructure networks. Wormhole attacks are one of the most serious security vulnerabilities in the network layers. It is simple to launch, even if there is no prior network experience. Signatures are the sole thing that preventive measures rely on. Intrusion detection systems (IDS) and other reactive measures detect all types of threats. The majority of IDS employ features from various network layers. One issue is calculating a huge layered features set from an ad-hoc network. This research implements genetic algorithm (GA)-based feature reduction intrusion detection approaches to minimize the quantity of wireless feature sets required to identify worm hole attacks. For attack detection, the reduced feature set was put to a fuzzy logic system (FLS). The performance of proposed model was compared with principal component analysis (PCA) and statistical parametric mapping (SPM). Network performance analysis like delay, packet dropping ratio, normalized overhead, packet delivery ratio, average energy consumption, throughput, and control overhead are evaluated and the IDS performance parameters like detection ratio, accuracy, and false alarm rate are evaluated for validation of the proposed model. The proposed model achieves 95.5% in detection ratio with 96.8% accuracy and produces very less false alarm rate (FAR) of 14% when compared with existing techniques.     

基于连接数据分析和OSELM分类器的网络入侵检测系统

针对网络入侵的实时高效检测问题,提出一种基于网络连接数据分析和在线贯序极限学习机(OSELM)分类器的网络入侵检测系统(IDS)。首先,对入侵数据库中的网络连接数据进行分析,通过特征选择算法选择出最优特征子集。然后,迭代执行交叉验证,并通过Alpha剖析来缩减样本尺寸,以此减低后续分类器的计算复杂度。最后,利用优化后的样本特征集来训练OSELM分类器,以此构建一个网络实时入侵检测系统。在NSL-KDD数据库上的实验结果表明,提出的IDS具有较高的检测率和较低的误报率,同时检测时间较短,符合实时入侵检测的要求。     

基于Adam-BNDNN的网络入侵检测模型

针对传统入侵检测算法检测精度低、误报率高等问题,提出了一种融合批量规范化和深度神经网络的网络入侵检测模型。该模型首先在深度神经网络隐藏层添加批量规范化层,优化隐藏层的输出结果,然后采用Adam自适应梯度下降优化算法对BNDNN参数进行自动优化,提高模型检测能力。并使用NSL-KDD数据集进行仿真实验,结果表明该模型的检测效果优于SNN、KNN、DNN等检测方法;整体检测率可达99.41%,整体误报率为0.59%,证明了模型的可行性。     

融合随机森林和梯度提升树的入侵检测研究

网络入侵检测系统作为一种保护网络免受攻击的安全防御技术,在保障计算机系统和网络安全领域起着非常重要的作用.针对网络入侵检测中数据不平衡的多分类问题,机器学习已被广泛用于入侵检测,比传统方法更智能、更准确.对现有的网络入侵检测多分类方法进行了改进研究,提出了一种融合随机森林模型进行特征转换、使用梯度提升决策树模型进行分类的入侵检测模型RF-GBDT,该模型主要分为特征选择、特征转换和分类器这3个部分.采用UNSW-NB15数据集对RF-GBDT模型进行了实验测试,与其他3种同领域的算法相比,RF-GBDT既缩短了训练时间,又具有较高的检测率和较低的误报率,在测试数据集上受试者工作特征曲线下的面积可达98.57%.RF-GBDT对于解决网络入侵检测数据不平衡的多分类问题具有较显著的优势,是一种切实可行的入侵检测方法.     

基于DBN-XGBDT的入侵检测模型研究

在分布均匀的海量数据情况下,现有的入侵检测模型均具备良好的检测性能。但网络中产生的海量入侵数据的分布通常具有不均衡特点,而大多数检测模型针对罕见攻击类型的检测率低。针对上述问题,提出了一种深度信念网络（Deep Belief Networks,DBN）融合极限梯度提升（eXtreme Gradient Boosting,XGBoost）基于决策树算法（Decision Tree,DT）的入侵检测模型（DBN-XGBDT）。该模型将预处理后的数据集输入深度信念网络中,实现对入侵检测数据的降维处理,将得到的特征数据根据攻击类别任两类为一组,通过XGBoost算法逐一构建梯度提升树并细化为二分类;最后运用控制变量法和XGBoost内置的交叉验证进行调参,择优调整模型参数,对未知网络攻击实现有效检测。基于NSL-KDD数据集对DBN-XGBDT模型与XGBoost、DBN-BP、DBN-MSVM等优越模型进行了检测实验。实验结果表明,DBN-XGBDT模型较上述3个单一、混合分类模型的正确率分别提升2.07个百分点、1.14个百分点,对U2R的检测率提升至75.37%,平均误报率降至56.23%,为入侵检测处理不均衡数据且提高对罕见攻击的检测性能提供了新方法。     

Genetic-fuzzy rule mining approach and evaluation of feature selection techniques for anomaly intrusion detection

Classification of intrusion attacks and normal network traffic is a challenging and critical problem in pattern recognition and network security. In this paper, we present a novel intrusion detection approach to extract both accurate and interpretable fuzzy IF-THEN rules from network traffic data for classification. The proposed fuzzy rule-based system is evolved from an agent-based evolutionary framework and multi-objective optimization. In addition, the proposed system can also act as a genetic feature selection wrapper to search for an optimal feature subset for dimensionality reduction. To evaluate the classification and feature selection performance of our approach, it is compared with some well-known classifiers as well as feature selection filters and wrappers. The extensive experimental results on the KDD-Cup99 intrusion detection benchmark data set demonstrate that the proposed approach produces interpretable fuzzy systems, and outperforms other classifiers and wrappers by providing the highest detection accuracy for intrusion attacks and low false alarm rate for normal network traffic with minimized number of features.     

一种粗糙集-决策树结合的入侵检测方法

针对入侵检测系统收集数据海量、高维、检测模型复杂和检测准确率低等问题,采用粗糙集属性约简的优势寻找与判断入侵与否相关的属性,利用决策树分类算法生成模型并对网络连接进行入侵预测分类检测,从而提出了一种粗糙集属性约简和决策树预测分类相结合的网络入侵检测方法.实验结果表明,该方法在入侵检测准确率上有很大的提高,对DoS攻击、Probe攻击和R2L攻击的检测效果均有所提高,同时大大降低了检测的误报率.     

SDN环境下基于DBN的DDoS攻击检测

软件定义网络(SDN)作为新型网络架构模式,其安全威胁主要来自DDoS攻击,建立高效的DDoS攻击检测系统是网络安全管理的重要内容.在SDN环境下,针对DDoS的入侵检测算法具有支持协议少、实用性差等缺陷,为此,提出一种基于深度信念网络(DBN)的DDoS攻击检测算法.分析SDN环境下DDoS攻击的机制,通过Mininet模拟SDN的网络拓扑结构,并使用Wireshark完成DDoS流量数据包的收集和检测.实验结果表明,与XGBoost、随机森林、支持向量机算法相比,该算法具有攻击检测准确性高、误报率低、检测速率快和易于扩展等优势,综合性能较好.     

机器学习在网络入侵检测中的应用

随着网络的快速发展,网络安全成为计算机网络中一个重要的研究方向。网络攻击日益频繁,传统的安全防护产品存在漏洞, 入侵检测作为信息安全的重要防护手段弥补了防火墙的不足,提供了有效的网络入侵检测措施,保护网络安全。然而传统的入侵检测系统存在许多问题,基于机器学习的入侵检测方法实现了对网络攻击的智能检测,提高了入侵检测的效率,降低了漏报率和误报率。本文首先简要介绍机器学习的部分算法,然后对机器学习算法在网络入侵检测中的应用进行深入的分析,比较各个算法在入侵检测应用中的优势和缺点,最后总结了机器学习的应用前景,为获得性能良好的网络入侵检测和防御系统奠定基础。     

基于大数据技术的网络异常行为检测模型

针对传统的网络异常检测受数据存储、处理能力的限制,存在准确率较低、误报率较高以及无法检测未知攻击的问题。在Spark框架下结合改进的支持向量机和随机森林算法,提出了一种基于大数据技术的网络异常行为检测模型。使用NSL-KDD数据集进行了方法验证,表明该方法在准确率和误报率方面明显优于传统的检测算法,整体检测的准确率和误报率分别为96.61%和2.92%,DOS、Probe、R2L和U2R四种攻击类型的准确率分别达到98.01%、88.29%、94.03%和66.67%,验证了方法的有效性。     

A random-forests-based classifier using class association rules and its application to an intrusion detection system

With the rapid developments of network technology, devices connected to the network in a variety of fields have increased, and then, network security has become more important. Rule-based classification for intrusion detection is useful, because it is not only easily understood by humans, but also accurate for the classification of new patterns. Genetic network programming (GNP) is one of the rule-mining techniques as well as the evolutionary-optimization techniques. It can extract rules efficiently even from an enormous database, but still needs more accuracy and stability for practical use. This paper describes a classification system with random forests, employing weighted majority vote in the classification to enhance its performance. For the performance evaluation, NSL-KDD (Network Security Laboratory-Knowledge Discovery and Data Mining) data set is used and the proposed method is compared with the conventional methods, including other machine-learning techniques (Random forests, SVM, J4.8) in terms of the accuracy and false positive rate.     

基于SSA-SVM的网络入侵检测研究

互联网快速发展使得网络空间越来越复杂,网络入侵导致网络安全问题备受关注。为提升网络入侵的检测效率和精度,构建了基于支持向量机的网络入侵检测模型。支持向量机模型的惩罚系数和核函数参数直接影响入侵模型的检测精度,采用麻雀搜索算法对惩罚系数和核函数参数进行优化,提出了基于麻雀搜索算法和支持向量机的网络入侵检测模型。将提出的网络入侵检测模型应用于实际的网络入侵检测中,并与PSO-SVM和SVM模型进行对比。结果表明,所提出的网络入侵检测模型能够有效降低网络入侵的误报率,这对确保网络安全具有一定的现实意义。     

基于序列模型的无线传感网入侵检测系统

随着物联网(IoT)的快速发展，越来越多的IoT节点设备被部署，但伴随而来的安全问题也不可忽视。IoT的网络层节点设备主要通过无线传感网进行通信，其相较于互联网更开放也更容易受到拒绝服务等网络攻击。针对无线传感网面临的网络层安全问题，提出了一种基于序列模型的网络入侵检测系统，对网络层入侵进行检测和报警，具有较高的识别率以及较低的误报率。另外，针对无线传感网节点设备面临的节点主机设备的安全问题，在考虑节点开销的基础上，提出了一种基于简单序列模型的主机入侵检测系统。实验结果表明，针对无线传感网的网络层以及主机层的两个入侵检测系统的准确率都达到了99%以上，误报率在1%左右，达到了工业需求，这两个系统可以全面有效地保护无线传感网安全。     

Blockchain: Secured Solution for Signature Transfer in Distributed Intrusion Detection System

Exchange of data in networks necessitates provision of security and confidentiality. Most networks compromised by intruders are those where the exchange of data is at high risk. The main objective of this paper is to present a solution for secure exchange of attack signatures between the nodes of a distributed network. Malicious activities are monitored and detected by the Intrusion Detection System (IDS) that operates with nodes connected to a distributed network. The IDS operates in two phases, where the first phase consists of detection of anomaly attacks using an ensemble of classifiers such as Random forest, Convolutional neural network, and XGBoost along with genetic algorithm to improve the performance of IDS. The novel attacks detected in this phase are converted into signatures and exchanged further through the network using the blockchain framework in the second phase. This phase uses the cryptosystem as part of the blockchain to store data and secure it at a higher level. The blockchain is implemented using the Hyperledger Fabric v1.0 and v2.0, to create a prototype for secure signature transfer. It exchanges signatures in a much more secured manner using the blockchain architecture when implemented with version 2.0 of Hyperledger Fabric. The performance of the proposed blockchain system is evaluated on UNSW NB15 dataset. Blockchain performance has been evaluated in terms of execution time, average latency, throughput and transaction processing time. Experimental evidence of the proposed IDS system demonstrates improved performance with accuracy, detection rate and false alarm rate (FAR) as key parameters used. Accuracy and detection rate increase by 2% and 3% respectively whereas FAR reduces by 1.7%.     

机器学习在工业网络入侵检测中的研究应用

在工业化和信息化两化深度融合的背景下,工业控制网络面临着高强度、持续性的恶意渗透和网络攻击,对国家安全和工业生产构成了巨大威胁.检测工业控制网络遭受恶意攻击,高效区分正常数据和攻击数据的研究已成为热点问题.以密西西比州立大学SCADA实验室的能源系统攻击数据集作为工业控制网络入侵检测的主要研究对象,对比不同机器学习算法的准确率、漏警率、虚警率等重要指标,得出综合性能最优的XGBoost算法.为进一步提高入侵检测效率,提出了一种针对XGBoost算法的包裹式特征选择方法,在简化数据集的同时突出不同特征在入侵检测中的重要性.研究结果表明,结合包裹式特征选择的XGBoost算法能有效解决入侵检测问题并提高入侵检测效率,验证了此方法的有效性和科学性.     

基于膨胀卷积和门控循环单元组合的入侵检测模型

基于机器学习的入侵检测模型在网络环境的安全保护中起着至关重要的作用。针对现有的网络入侵检测模型不能够对网络入侵数据特征进行充分学习的问题,将深度学习理论应用于入侵检测,提出了一种具有自动特征提取功能的深度网络模型。在该模型中,使用膨胀卷积来增大对信息的感受野并从中提取高级特征,使用门控循环单元（GRU）模型提取保留特征之间的长期依赖关系,再利用深层神经网络（DNN）对数据特征进行充分学习。与经典的机器学习分类器相比,该模型具有较高的检测率。在著名的KDD CUP99、NSL-KDD和UNSW-NB15数据集上进行的实验表明,该模型具有由于其他分类器的性能。具体来说,该模型在KDD CUP99数据集上的准确率为99.78%,在NSL-KDD数据集上的准确率为99.53%,在UNSW-NB15数据集上的准确率为93.12%。     

改进粒子群算法和支持向量机的网络入侵检测

网络入侵检测一直是网络安全领域中的研究热点,针对分类器参数优化难题,为了提高网络入侵检测准确性,提出一种改进粒子群算法和支持向量机相融合的网络入侵检测模型(IPSO-SVM).首先将网络入侵检测率作为目标函数,支持向量机参数作为约束条件建立数学模型,然后采用改进粒子群算法找到支持向量机参数,最后采用支持向量机作为分类器建立入侵检测模型,并在Matlab 2012平台上采用KDD 999数据进行验证性实验.结果表明,IPSO-SVM解决了分类器参数优化难题,获得更优的网络入侵分类器,提高网络入侵检测率,虚警率和漏报率大幅度下降.     

Association Rule Mining Frequent-Pattern-Based Intrusion Detection in Network

In the network security system, intrusion detection plays a significant role. The network security system detects the malicious actions in the network and also conforms the availability, integrity and confidentiality of data information resources. Intrusion identification system can easily detect the false positive alerts. If large number of false positive alerts are created then it makes intrusion detection system as difficult to differentiate the false positive alerts from genuine attacks. Many research works have been done. The issues in the existing algorithms are more memory space and need more time to execute the transactions of records. This paper proposes a novel framework of network security Intrusion Detection System (IDS) using Modified Frequent Pattern (MFP-Tree) via K-means algorithm. The accuracy rate of Modified Frequent Pattern Tree (MFPT)-K means method in finding the various attacks are Normal 94.89%, for DoS based attack 98.34%, for User to Root (U2R) attacks got 96.73%, Remote to Local (R2L) got 95.89% and Probe attack got 92.67% and is optimal when it is compared with other existing algorithms of K-Means and APRIORI.     

基于可变网络结构自组织映射的入侵检测模型

针对网络入侵检测在数据不均衡下检测性能较差的问题，提出了一种对比主成分分析（cPCA）结合可改变网络结构的自组织映射（AMSOM）的入侵检测模型。通过把少数类设置为背景数据，cPCA在降维的同时提高模型对少数类攻击的识别能力。AMSOM在输出层构建一个更加灵活的动态神经元网络，保持两个空间的对应关系，解决了SOM在训练过程中产生畸形的问题，提高输出神经元的聚类结果识别率。使用NSL-KDD数据集，实验结果表明提出的模型对少数的网络攻击表现出良好的性能，具有更高的准确率、召回率和[F1]值。     

基于环境信息降低入侵检测误报率

采用单包分析技术的网络入侵检测系统常具有较高的误报率,影响其实用性。本文针对误用网络型入侵检测系统建立一个警报过滤机制,该机制找出攻击成功时所需具备的环境条件。当入侵检测系统发现可疑入侵时,依据环境条件加以实时确认查核,从而减少误报。