scholarly journals CBAM: A Contextual Model for Network Anomaly Detection

Computers ◽  
2021 ◽  
Vol 10 (6) ◽  
pp. 79
Author(s):  
Henry Clausen ◽  
Gudmund Grov ◽  
David Aspinall
Keyword(s):  
Intrusion Detection ◽  
Network Flows ◽  
Concept Drift ◽  
False Positive Rate ◽  
Real Life ◽  
Remote Access ◽  
Detection Methods ◽  
Short Term ◽  
Deep Model ◽  
Network Intrusion

Anomaly-based intrusion detection methods aim to combat the increasing rate of zero-day attacks, however, their success is currently restricted to the detection of high-volume attacks using aggregated traffic features. Recent evaluations show that the current anomaly-based network intrusion detection methods fail to reliably detect remote access attacks. These are smaller in volume and often only stand out when compared to their surroundings. Currently, anomaly methods try to detect access attack events mainly as point anomalies and neglect the context they appear in. We present and examine a contextual bidirectional anomaly model (CBAM) based on deep LSTM-networks that is specifically designed to detect such attacks as contextual network anomalies. The model efficiently learns short-term sequential patterns in network flows as conditional event probabilities. Access attacks frequently break these patterns when exploiting vulnerabilities, and can thus be detected as contextual anomalies. We evaluated CBAM on an assembly of three datasets that provide both representative network access attacks, real-life traffic over a long timespan, and traffic from a real-world red-team attack. We contend that this assembly is closer to a potential deployment environment than current NIDS benchmark datasets. We show that, by building a deep model, we are able to reduce the false positive rate to 0.16% while effectively detecting six out of seven access attacks, which is significantly lower than the operational range of other methods. We further demonstrate that short-term flow structures remain stable over long periods of time, making the CBAM robust against concept drift.

scholarly journals The Proposition and Evaluation of the RoEduNet-SIMARGL2021 Network Intrusion Detection Dataset

Sensors ◽  
2021 ◽  
Vol 21 (13) ◽  
pp. 4319
Author(s):  
Maria-Elena Mihailescu ◽  
Darius Mihai ◽  
Mihai Carabas ◽  
Mikołaj Komisarek ◽  
Marek Pawlicki ◽  
...  
Keyword(s):  
Machine Learning ◽  
Intrusion Detection ◽  
Cross Validation ◽  
Real Life ◽  
Arms Race ◽  
Detection Methods ◽  
Network Intrusion Detection ◽  
Network Intrusion ◽  
Academic Network ◽  
The Stability

Cybersecurity is an arms race, with both the security and the adversaries attempting to outsmart one another, coming up with new attacks, new ways to defend against those attacks, and again with new ways to circumvent those defences. This situation creates a constant need for novel, realistic cybersecurity datasets. This paper introduces the effects of using machine-learning-based intrusion detection methods in network traffic coming from a real-life architecture. The main contribution of this work is a dataset coming from a real-world, academic network. Real-life traffic was collected and, after performing a series of attacks, a dataset was assembled. The dataset contains 44 network features and an unbalanced distribution of classes. In this work, the capability of the dataset for formulating machine-learning-based models was experimentally evaluated. To investigate the stability of the obtained models, cross-validation was performed, and an array of detection metrics were reported. The gathered dataset is part of an effort to bring security against novel cyberthreats and was completed in the SIMARGL project.

Network Intrusion Detection Methods Based on Deep Learning

2020 ◽  
Vol 14 ◽  
Author(s):  
Xiangwen Li ◽  
Shuang Zhang
Keyword(s):  
Deep Learning ◽  
Intrusion Detection ◽  
False Positive Rate ◽  
Detection Algorithm ◽  
Detection Methods ◽  
Network Intrusion Detection ◽  
Test Time ◽  
Data Set ◽  
Network Intrusion ◽  
Kdd Cup 99

: To detect network attacks more effectively, this study uses Honeypot techniques to collect the latest network attack data and proposes network intrusion detection classification models based on deep learning combined with DNN and LSTM models. Experiments showed that the data set training models gave better results than the KDD CUP 99 training model’s detection rate and false positive rate. The DNN-LSTM intrusion detection algorithm proposed in this study gives better results than KDD CUP 99 training model. Compared to other algorithms such as LeNet, DNN-LSTM intrusion detection algorithm exhibits shorter classification test time along with better accuracy and recall rate of intrusion detection.

A Hybrid NIDS Model Using Artificial Neural Network and D-S Evidence

2016 ◽  
Vol 8 (1) ◽  
pp. 37-50 ◽  
Author(s):  
Chunlin Lu ◽  
Yue Li ◽  
Mingjie Ma ◽  
Na Li
Keyword(s):  
Neural Network ◽  
Intrusion Detection ◽  
Bp Neural Network ◽  
False Positive Rate ◽  
Experimental Simulation ◽  
Detection Methods ◽  
General Process ◽  
Training Time ◽  
Network Intrusion ◽  
Artificial Neural

Artificial Neural Networks (ANNs), especially back-propagation (BP) neural network, can improve the performance of intrusion detection systems. However, for the current network intrusion detection methods, the detection precision, especially for low-frequent attacks, detection stability and training time are still needed to be enhanced. In this paper, a new model which based on optimized BP neural network and Dempster-Shafer theory to solve the above problems and help NIDS to achieve higher detection rate, less false positive rate and stronger stability. The general process of the authors' model is as follows: firstly dividing the main extracted feature into several different feature subsets. Then, based on different feature subsets, different ANN models are trained to build the detection engine. Finally, the D-S evidence theory is employed to integration these results, and obtain the final result. The effectiveness of this method is verified by experimental simulation utilizing KDD Cup1999 dataset.

scholarly journals PRATD: A Phased Remote Access Trojan Detection Method with Double-Sided Features

Electronics ◽  
2020 ◽  
Vol 9 (11) ◽  
pp. 1894
Author(s):  
Chun Guo ◽  
Zihua Song ◽  
Yuan Ping ◽  
Guowei Shen ◽  
Yuhei Cui ◽  
...  
Keyword(s):  
False Positive ◽  
Detection Method ◽  
False Positive Rate ◽  
True Positive Rate ◽  
Remote Access ◽  
Detection Methods ◽  
Security Threats ◽  
True Positive ◽  
Trojan Detection ◽  
Positive Rate

Remote Access Trojan (RAT) is one of the most terrible security threats that organizations face today. At present, two major RAT detection methods are host-based and network-based detection methods. To complement one another’s strengths, this article proposes a phased RATs detection method by combining double-side features (PRATD). In PRATD, both host-side and network-side features are combined to build detection models, which is conducive to distinguishing the RATs from benign programs because that the RATs not only generate traffic on the network but also leave traces on the host at run time. Besides, PRATD trains two different detection models for the two runtime states of RATs for improving the True Positive Rate (TPR). The experiments on the network and host records collected from five kinds of benign programs and 20 famous RATs show that PRATD can effectively detect RATs, it can achieve a TPR as high as 93.609% with a False Positive Rate (FPR) as low as 0.407% for the known RATs, a TPR 81.928% and FPR 0.185% for the unknown RATs, which suggests it is a competitive candidate for RAT detection.

PAIRWISE CLUSTERS OPTIMIZATION AND CLUSTER MOST SIGNIFICANT FEATURE METHODS FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEM (POC2MSF)

2018 ◽  
Vol 3 (2) ◽  
pp. 93
Author(s):  
Gervais Hatungimana
Keyword(s):  
Intrusion Detection ◽  
Network Traffic ◽  
False Positive ◽  
Intrusion Detection System ◽  
Detection System ◽  
False Positive Rate ◽  
Significant Feature ◽  
Features Selection ◽  
Number Of Clusters ◽  
Network Intrusion

 Anomaly-based Intrusion Detection System (IDS) uses known baseline to detect patterns which have deviated from normal behavior. If the baseline is faulty, the IDS performance degrades. Most of researches in IDS which use k-centroids-based clustering methods like K-means, K-medoids, Fuzzy, Hierarchical and agglomerative algorithms to baseline network traffic suffer from high false positive rate compared to signature-based IDS, simply because the nature of these algorithms risk to force some network traffic into wrong profiles depending on K number of clusters needed. In this paper we propose alternate method which instead of defining K number of clusters, defines t distance threshold. The unrecognizable IDS; IDS which is neither HIDS nor NIDS is the consequence of using statistical methods for features selection. The speed, memory and accuracy of IDS are affected by inappropriate features reduction method or ignorance of irrelevant features. In this paper we use two-step features selection and Quality Threshold with Optimization methods to design anomaly-based HIDS and NIDS separately. The performance of our system is 0% ,99.9974%, 1,1 false positive rates, accuracy , precision and recall respectively for NIDS and  0%,99.61%, 0.991,0.978 false positive rates, accuracy, precision and recall respectively for HIDS.

scholarly journals Anomaly-based Network Intrusion Detection Methods

2013 ◽  
Vol 11 (6) ◽  
Author(s):  
Pavel Nevlud ◽  
Miroslav Bures ◽  
Lukas Kapicak ◽  
Jaroslav Zdralek
Keyword(s):  
Intrusion Detection ◽  
Detection Methods ◽  
Network Intrusion Detection ◽  
Network Intrusion

scholarly journals Design of Optimal Acceptance Sampling Plan for Network Intrusion Detection

2019 ◽  
Vol 9 (1) ◽  
pp. 4379-4383
Keyword(s):  
Intrusion Detection ◽  
Network Flow ◽  
Network Flows ◽  
Monitoring Network ◽  
Computational Effort ◽  
Network Intrusion Detection ◽  
Acceptance Sampling ◽  
Network Intrusion ◽  
Acceptance Sampling Plan ◽  
The Cost

Network Intrusion Detection Systems (NIDS) protects networks connected to the internet from malicious attacks by monitoring network flows predominantly at fragment level in network layer. Inspecting every fragment of a network flow is computationally prohibitive. The Acceptance Sampling for Network Intrusion Detection (ASNID) method avoids hundred percent inspections of fragments to detect anomalous flows. This study proposes a model to determine optimal acceptance sample size. Further, this study also proposes a model for estimating the cost of computational effort.

scholarly journals Detection of Cyberattacks Traces in IoT Data

2020 ◽  
Vol 26 (11) ◽  
pp. 1422-1434
Author(s):  
Vibekananda Dutta ◽  
Michał Choraś ◽  
Marek Pawlicki ◽  
Rafał Kozik
Keyword(s):  
Machine Learning ◽  
Intrusion Detection ◽  
Short Term Memory ◽  
Research Network ◽  
Network Intrusion Detection ◽  
Learning Approaches ◽  
Short Term ◽  
Term Memory ◽  
Network Intrusion ◽  
Long Short Term Memory

Artificial Intelligence plays a significant role in building effective cybersecurity tools. Security has a crucial role in the modern digital world and has become an essential area of research. Network Intrusion Detection Systems (NIDS) are among the first security systems that encounter network attacks and facilitate attack detection to protect a network. Contemporary machine learning approaches, like novel neural network architectures, are succeeding in network intrusion detection. This paper tests modern machine learning approaches on a novel cybersecurity benchmark IoT dataset. Among other algorithms, Deep AutoEncoder (DAE) and modified Long Short Term Memory (mLSTM) are employed to detect network anomalies in the IoT-23 dataset. The DAE is employed for dimensionality reduction and a host of ML methods, including Deep Neural Networks and Long Short-Term Memory to classify the outputs of into normal/malicious. The applied method is validated on the IoT-23 dataset. Furthermore, the results of the analysis in terms of evaluation matrices are discussed.

Sign in / Sign up

Export Citation Format

Share Document