Similar literature
1.
Network intrusion detection techniques are important for protecting systems and networks from malicious behaviour. However, traditional network intrusion prevention measures such as firewalls, user authentication and data encryption have failed to completely protect networks and systems from increasingly sophisticated attacks and malware. In this paper, we propose a new hybrid intrusion detection system that uses an intelligent dynamic swarm based rough set (IDS-RS) for feature selection and simplified swarm optimization (SSO) for intrusion data classification. IDS-RS is proposed to select the most relevant features that can represent the pattern of the network traffic. To improve the performance of the SSO classifier, a new weighted local search (WLS) strategy incorporated into SSO is proposed. The purpose of this new local search strategy is to discover a better solution in the neighbourhood of the current solution produced by SSO. The performance of the proposed hybrid system on the KDDCup 99 dataset has been evaluated by comparing it with standard particle swarm optimization (PSO) and two other popular benchmark classifiers. The test results showed that the proposed hybrid system achieves higher classification accuracy than the others, at 93.3%, and that it can be a competitive classifier for intrusion detection systems.

2.
Machine learning techniques are frequently applied to intrusion detection problems in various ways, such as to classify normal and intrusive activities or to mine interesting intrusion patterns. Self-learning rule-based systems can relieve domain experts from the difficult task of hand-crafting signatures, in addition to providing intrusion classification capabilities. To this end, a genetic-based signature learning system has been developed that can adaptively and dynamically learn signatures of both normal and intrusive activities from network traffic. In this paper, we extend the evaluation of our system to real-time network traffic captured from a university departmental server. A methodology is developed to build a fully labelled intrusion detection data set by mixing real background traffic with attacks simulated in a controlled environment. Tools are developed to pre-process the raw network data into a feature vector format suitable for a supervised learning classifier system and other related machine learning systems. The signature extraction system is then applied to this data set and the results are discussed. We show that even simple feature sets can help detect payload-based attacks.

3.
Intrusion detection using a linguistic hedged fuzzy-XCS classifier system
Intrusion detection systems (IDS) are a fundamental defence component in the architecture of current telecommunication systems. Misuse detection is one of several approaches to building an IDS. It is based on the automatic generation of detection rules from labelled examples, each of which is either an attack or a normal situation. From this perspective the problem can be viewed as a supervised classification problem. In this sense, this paper proposes the use of XCS as a classification technique to aid in the tasks of misuse detection in IDS. The final proposed XCS variant includes the use of hedged linguistic fuzzy classifiers to allow for interpretability. This linguistic fuzzy approach provides both the possibility of testing human-designed detectors and a posteriori human fine-tuning of the models obtained. To evaluate performance, not only several classic classification problems such as the Wine and Breast Cancer datasets are considered, but also a problem based on real data, KDD-99, which is a classic in the intrusion detection literature. The evaluation shows that with simple configurations the proposed variant obtains competitive results compared with other techniques in the recent literature. It also generates human-interpretable knowledge, something highly valued by security experts. In fact, this effort is integrated into a global detection architecture in which the security administrator guides part of the intrusion detection (and prevention) process.

4.
To improve the real-time performance of classification-based DDoS attack detection, a filter-type feature selection algorithm, GAIG (Feature Selection based on Genetic Algorithm and Information Gain), is proposed in combination with lightweight intrusion detection; it uses a genetic algorithm as the search strategy and information gain as the subset evaluation criterion to extract a relatively minimal feature subset with high discriminative power. On this basis, the performance of six commonly used classifiers, Naïve Bayes, C4.5, SVM, RBF Network, Random Forest and Random Tree, is compared, and Random Tree is selected to build a lightweight DDoS attack detection system. Experimental results show that the GAIG algorithm raises classification speed while keeping classification accuracy as close to unchanged as possible, thereby improving the real-time performance of classification-based detection; the lightweight attack detection system is also better at detecting unknown attacks than a general classification model.

5.
周杰英, 贺鹏飞, 邱荣发, 陈国, 吴维刚. 《软件学报》 2021, 32(10): 3254-3265
As a security defence technique that protects networks from attack, the network intrusion detection system plays a very important role in safeguarding computer systems and networks. For the imbalanced multi-class problem in network intrusion detection, machine learning has been widely applied and is more intelligent and more accurate than traditional methods. This paper improves existing multi-class network intrusion detection methods and proposes RF-GBDT, an intrusion detection model that uses a random forest model for feature transformation and a gradient boosting decision tree model for classification; the model consists of three parts: feature selection, feature transformation and the classifier. RF-GBDT was tested on the UNSW-NB15 dataset. Compared with three other algorithms in the same field, RF-GBDT shortens training time while achieving a higher detection rate and a lower false alarm rate, with an area under the receiver operating characteristic curve of up to 98.57% on the test set. RF-GBDT has significant advantages in solving the imbalanced multi-class problem of network intrusion detection and is a practical intrusion detection method.

6.
Class imbalance has become a major problem that leads to inaccurate traffic classification. Accurate classification of traffic flows helps in security monitoring, IP management, intrusion detection, and so on. To address the traffic classification problem, machine learning (ML) approaches are widely used in the literature. In this paper, we therefore propose an ML-based hybrid feature selection algorithm named WMI_AUC that makes use of two metrics: the weighted mutual information (WMI) metric and the area under the ROC curve (AUC). These metrics select effective features from a traffic flow. To select robust features from among the selected features, we further propose a robust feature selection algorithm. The proposed approach increases the accuracy of ML classifiers and helps in detecting malicious traffic. We evaluate our work using 11 well-known ML classifiers on trace datasets from different network environments. Experimental results show that our algorithms achieve more than 95% flow accuracy.

7.
Anomaly intrusion detection based on genetic optimization and fuzzy rule mining
An anomaly intrusion detection method based on an agent-based evolutionary computation framework and genetic fuzzy rule mining is proposed. By applying a fuzzy set distribution strategy, an interpretability control strategy and a fuzzy rule generation strategy, fuzzy set information is exchanged between agents, so that correct and interpretable fuzzy IF-THEN classification rules are effectively extracted from network data; this optimizes the interpretability of the fuzzy system and improves its compactness. The method was tested on the KDD-Cup99 dataset and compared with existing methods. The results show that its detection performance for R2L attacks is slightly weaker, while for DoS, Probe and U2R attacks it achieves high classification accuracy and a low false alarm rate.

8.
牟琦, 毕孝儒, 厍向阳. 《计算机工程》 2011, 37(14): 103-105
Irrelevant and redundant attributes in high-dimensional network data tend to slow down classification-based network intrusion detection and lower its detection rate. To address this, a network intrusion feature selection method based on a genetic quantum particle swarm optimization (GQPSO) algorithm is proposed. The method combines the selection and mutation strategies of the genetic algorithm with QPSO to form the GQPSO algorithm, and uses the normalized mutual information between attributes of the network data as the algorithm's fitness function to guide attribute reduction of the network data, thereby achieving optimized selection of the network intrusion feature subset. Simulation experiments on the KDDCUP1999 dataset show that, compared with the QPSO and PSO algorithms, the method reduces network data features more effectively and improves the speed and detection rate of classification-based network intrusion detection.

9.
To improve the overall performance of intrusion detection systems, this paper proposes a new algorithm. First, an outlier filtering algorithm is used for data preprocessing, and a feature selection algorithm filters out the best feature space for each classifier to strengthen each classification algorithm's training model. Ten-fold cross-validation is then applied to evaluate the performance of the classification models, and the classification model with the best capture rate is used as the weighted classification model when predicting the class of test samples, finally yielding the overall inference result. Simulation experiments show that the algorithm raises overall classification accuracy to 96% and lowers the cost value to 0.1983, successfully improving the classification performance of network anomaly intrusion detection.

10.
The aim of this article is to construct a practical intrusion detection system (IDS) that properly analyses the statistics of network traffic patterns and classifies them as normal or anomalous. The objective is to show that the choice of effective network traffic features and a proficient machine-learning paradigm enhances the detection accuracy of an IDS. A rule-based approach with a family of six decision tree classifiers, namely Decision Stump, C4.5, Naive Bayes Tree, Random Forest, Random Tree and the Representative Tree model, is introduced to detect anomalous network patterns. In particular, the proposed swarm optimisation-based approach selects the instances that compose the training set, and the optimised decision tree operates over this training set, producing classification rules with improved coverage, classification capability and generalisation ability. Experiments with the Knowledge Discovery and Data mining (KDD) data set, which contains information on traffic patterns during normal and intrusive behaviour, show that the proposed algorithm produces optimised decision rules and outperforms other machine-learning algorithms.

11.
The growing prevalence of network attacks is a well-known problem which can impact the availability, confidentiality, and integrity of critical information for both individuals and enterprises. In this paper, we propose a real-time intrusion detection approach using a supervised machine learning technique. Our approach is simple and efficient, and can be used with many machine learning techniques. We applied different well-known machine learning techniques to evaluate the performance of our IDS approach. Our experimental results show that the Decision Tree technique can outperform the other techniques. Therefore, we further developed a real-time intrusion detection system (RT-IDS) using the Decision Tree technique to classify on-line network data as normal or attack data. We also identified 12 essential features of network data which are relevant to detecting network attacks, using information gain as our feature selection criterion. Our RT-IDS can distinguish normal network activities from the main attack types (Probe and Denial of Service (DoS)) with a detection rate higher than 98% within 2 s. We also developed a new post-processing procedure to reduce the false-alarm rate and increase the reliability and detection accuracy of the intrusion detection system.

12.
A Network Intrusion Detection System (NIDS) is often used to classify network traffic in an attempt to protect computer systems from various network attacks. A major component of building an efficient intrusion detection system is the preprocessing of network traffic and the identification of the essential features needed to build a robust classifier. In this study, a NIDS based on a deep learning model optimized with rule-based hybrid feature selection is proposed. The architecture is divided into three phases, namely hybrid feature selection, rule evaluation and detection. Several search methods and attribute evaluators were combined for feature selection to enhance experimentation and comparison. The results showed that the number of selected features does not affect the detection accuracy of the feature selection algorithms but is directly proportional to the performance of the base classifier. The performance comparison showed that the proposed method outperforms other related methods, with a false alarm rate of 1.2%, an accuracy of 98.8%, and reduced training and testing times of 7.17 s and 3.11 s, respectively. Finally, the simulation experiments on standard evaluation metrics showed that the proposed method is suitable for attack classification in a NIDS.

13.
To quickly and accurately identify network attacks in an environment of diversified attack forms and massive, high-dimensional intrusion data, an intrusion detection algorithm combining Fisher-PCA feature extraction with deep learning is proposed. The Fisher feature selection algorithm selects important features to form a feature subset, and then principal component analysis (PCA) reduces the dimensionality of the subset, extracting a feature set with strong classification ability. A new DNN (Deep Neural Networks) model is constructed to identify and classify network attack data and normal data. Experiments on the KDD99 dataset show that, compared with the traditional ANN and SVM algorithms, this intrusion detection algorithm improves accuracy by 12.63% and 6.77% respectively and lowers the false alarm rate from 2.31% and 1.96% to 0.28%; compared with the DBN4 and PCA-CNN algorithms, it has a lower false alarm rate while keeping accuracy and detection rate essentially the same.

14.
Network intrusion detection has been an area of rapid advancement in recent times. Similar advances in the field of intelligent computing have led to the introduction of several classification techniques for accurately identifying network traffic as normal or anomalous. Group Method for Data Handling (GMDH) is one such supervised inductive learning approach for the synthesis of neural network models. In this paper, we propose a GMDH-based technique for classifying network traffic into normal and anomalous. Two variants of the technique, namely Monolithic and Ensemble-based, were tested on the KDD-99 dataset. The dataset was preprocessed and all features were ranked using three feature ranking techniques, namely Information Gain, Gain Ratio, and GMDH itself. The results obtained show that the proposed intrusion detection scheme yields high attack detection rates, nearly 98%, when compared with other intelligent classification techniques for network intrusion detection.

15.
Feature selection is one of the most important techniques for data preprocessing in classification problems. In this paper, fuzzy grids-based association rule mining, an effective data mining technique, is used for feature selection in a misuse detection application in computer networks. The main idea of this algorithm is to find the relationships between items in large datasets so that it detects correlations between inputs of the system and then eliminates the redundant inputs. To classify the attacks, a fuzzy ARTMAP neural network is employed whose training parameters are optimized by a gravitational search algorithm. The performance of the proposed system is compared with some other machine learning methods in the same application. Experimental results show that the proposed system, when the optimum "feature subset size-adjustment" parameter is chosen, performs better in terms of detection rate, false alarm rate, and cost per example. In addition, employing the reduced-size feature set results in a more than 8.4 percent reduction in computational complexity.

16.
In past years, several support vector machine (SVM) novelty detection approaches have been applied in the network intrusion detection field. The main advantage of these approaches is that they can characterize normal traffic even when trained with datasets containing not only normal traffic but also a number of attacks. Unfortunately, these algorithms seem to be accurate only when normal traffic vastly outnumbers the attacks present in the dataset, a situation that does not always hold. This work presents an approach for autonomous labeling of normal traffic as a way of dealing with situations where the class distribution does not present the imbalance required by SVM algorithms. In this case, the autonomous labeling is performed by SNORT, a misuse-based intrusion detection system. Experiments conducted on the 1998 DARPA dataset show that the proposed autonomous labeling approach not only outperforms existing SVM alternatives but also, under some attack distributions, improves over SNORT itself.

17.
Against the background of the deep integration of industrialization and informatization, industrial control networks face intense and persistent malicious penetration and network attacks, which pose a huge threat to national security and industrial production. Detecting malicious attacks on industrial control networks and efficiently distinguishing normal data from attack data has become a hot research topic. Taking the power system attack dataset from the SCADA laboratory at Mississippi State University as the main research object for industrial control network intrusion detection, this work compares important metrics such as accuracy, missed alarm rate and false alarm rate across different machine learning algorithms and finds XGBoost to have the best overall performance. To further improve intrusion detection efficiency, a wrapper feature selection method for the XGBoost algorithm is proposed, which simplifies the dataset while highlighting the importance of different features in intrusion detection. The results show that XGBoost combined with wrapper feature selection can effectively solve the intrusion detection problem and improve intrusion detection efficiency, verifying the effectiveness and soundness of the method.

18.
This study proposes an SVM-based intrusion detection system that combines a hierarchical clustering algorithm, a simple feature selection procedure, and the SVM technique. The hierarchical clustering algorithm provides the SVM with fewer, abstracted, higher-quality training instances derived from the KDD Cup 1999 training set. It not only greatly shortens the training time but also improves the performance of the resulting SVM. The simple feature selection procedure is applied to eliminate unimportant features from the training set so that the obtained SVM model can classify network traffic data more accurately. The well-known KDD Cup 1999 dataset was used to evaluate the proposed system. Compared with other intrusion detection systems based on the same dataset, this system showed better performance in the detection of DoS and Probe attacks, and the best performance in overall accuracy.

19.
The study of intrusion detection techniques has been one of the hot topics in the field of network security in recent years. To address high-dimensional intrusion detection data sets and a single classifier's weak classification ability on data sets with many classes, a novel intrusion detection approach, termed intrusion detection based on multiple rough classifier integration, is proposed. First, several training data sets are generated from the intrusion detection data by random sampling. By combining rough sets and a quantum genetic algorithm, a subset of attributes is selected. Then, each simplified data set is used for training, which establishes a group of rough classifiers. Finally, the intrusion data classification result is obtained by an absolute majority voting strategy. The experimental results illustrate the effectiveness of our method.

20.
An ensemble method for intrusion detection based on an improved multi-objective genetic algorithm
俞研, 黄皓. 《软件学报》 2007, 18(6): 1369-1378
To address the imbalance in detecting different attack types in existing intrusion detection algorithms, and the complex detection models and reduced detection accuracy caused by redundant or useless features, an ensemble method for intrusion detection based on an improved multi-objective genetic algorithm is proposed. The improved multi-objective genetic algorithm generates a set of optimal feature subsets that balance detection rate against false alarm rate, and a selective ensemble method picks accurate and diverse base classifiers to construct the ensemble intrusion detection model. Experimental results show that the algorithm effectively solves the feature selection problem in intrusion detection and, while maintaining high detection accuracy, detects different attack types with good balance.
