An Efficient Hyperparameter Control Method for a Network Intrusion Detection System Based on Proximal Policy Optimization

Symmetry ◽  
2022 ◽  
Vol 14 (1) ◽  
pp. 161
Author(s):  
Hyojoon Han ◽  
Hyukho Kim ◽  
Yangwoo Kim

The complexity of network intrusion detection systems (IDSs) is increasing due to the continuous increases in network traffic, various attacks and the ever-changing network environment. In addition, network traffic is asymmetric with few attack data, but the attack data are so complex that it is difficult to detect one. Many studies on improving intrusion detection performance using feature engineering have been conducted. These studies work well in the dataset environment; however, it is challenging to cope with a changing network environment. This paper proposes an intrusion detection hyperparameter control system (IDHCS) that controls and trains a deep neural network (DNN) feature extractor and k-means clustering module as a reinforcement learning model based on proximal policy optimization (PPO). An IDHCS controls the DNN feature extractor to extract the most valuable features in the network environment, and identifies intrusion through k-means clustering. Through iterative learning using the PPO-based reinforcement learning model, the system is optimized to improve performance automatically according to the network environment, where the IDHCS is used. Experiments were conducted to evaluate the system performance using the CICIDS2017 and UNSW-NB15 datasets. In CICIDS2017, an F1-score of 0.96552 was achieved and UNSW-NB15 achieved an F1-score of 0.94268. An experiment was conducted by merging the two datasets to build a more extensive and complex test environment. By merging datasets, the attack types in the experiment became more diverse and their patterns became more complex. An F1-score of 0.93567 was achieved in the merged dataset, indicating 97% to 99% performance compared with CICIDS2017 and UNSW-NB15. The results reveal that the proposed IDHCS improved the performance of the IDS by automating learning new types of attacks by managing intrusion detection features regardless of the network environment changes through continuous learning.

Author(s):  
SHI ZHONG ◽  
TAGHI M. KHOSHGOFTAAR ◽  
NAEEM SELIYA

Recently, data mining methods have gained importance in addressing network security issues, including network intrusion detection, a challenging task in network security. Intrusion detection systems aim to identify attacks with a high detection rate and a low false alarm rate. Classification-based data mining models for intrusion detection are often ineffective in dealing with dynamic changes in intrusion patterns and characteristics. Consequently, unsupervised learning methods have been given a closer look for network intrusion detection. We investigate multiple centroid-based unsupervised clustering algorithms for intrusion detection, and propose a simple yet effective self-labeling heuristic for detecting attack and normal clusters of network traffic audit data. The clustering algorithms investigated include k-means, Mixture-Of-Spherical Gaussians, Self-Organizing Map, and Neural-Gas. The network traffic datasets provided by the DARPA 1998 offline intrusion detection project are used in our empirical investigation, which demonstrates the feasibility and promise of unsupervised learning methods for network intrusion detection. In addition, a comparative analysis shows the advantage of clustering-based methods over supervised classification techniques in identifying new or unseen attack types.


2021 ◽  
Author(s):  
Ming Li ◽  
Dezhi Han ◽  
Dun Li ◽  
Han Liu ◽  
Chin-Chen Chang

Network intrusion detection, which takes the extraction and analysis of network traffic features as the main method, plays a vital role in network security protection. The current network traffic feature extraction and analysis for network intrusion detection mostly uses deep learning algorithms. Currently, deep learning requires a lot of training resources, and has weak processing capabilities for imbalanced data sets. In this paper, a deep learning model (MFVT) based on feature fusion network and Vision Transformer architecture is proposed, which improves the processing ability of imbalanced data sets and reduces the sample data resources needed for training. Besides, to improve the traditional raw traffic features extraction methods, a new raw traffic features extraction method (CRP) is proposed; the CRP uses the PCA algorithm to reduce all the processed digital traffic features to the specified dimension. On the IDS 2017 dataset and the IDS 2012 dataset, the ablation experiments show that the performance of the proposed MFVT model is significantly better than other network intrusion detection models, and the detection accuracy can reach the state-of-the-art level. And when the MFVT model is combined with the CRP algorithm, the detection accuracy is further improved to 99.99%.


Author(s):  
Alexander Ivanov ◽  
Alexander Kutischev ◽  
Elena Nikitina ◽  
...  

This paper demonstrated the use of neural networks in the development of network intrusion detection systems, described the structure of the developed software application for network traffic analysis and network attacks detection, and presented the software application results.


Symmetry ◽  
2021 ◽  
Vol 13 (8) ◽  
pp. 1453
Author(s):  
Renjian Lyu ◽  
Mingshu He ◽  
Yu Zhang ◽  
Lei Jin ◽  
Xinlei Wang

Deep learning has been applied in the field of network intrusion detection and has yielded good results. In malicious network traffic classification tasks, many studies have achieved good performance with respect to the accuracy and recall rate of classification through self-designed models. In deep learning, the design of the model architecture greatly influences the results. However, the design of the network model architecture usually requires substantial professional knowledge. At present, the focus of research in the field of traffic monitoring is often directed elsewhere. Therefore, in the classification task of the network intrusion detection field, there is much room for improvement in the design and optimization of the model architecture. A neural architecture search (NAS) can automatically search the architecture of the model under the premise of a given optimization goal. For this reason, we propose a model that can perform NAS in the field of network traffic classification and search for the optimal architecture suitable for traffic detection based on the network traffic dataset. Each layer of our depth model is constructed according to the principle of maximum coding rate attenuation, which has strong consistency and symmetry in structure. Compared with some manually designed network architectures, classification indicators, such as Top-1 accuracy and F1 score, are also greatly improved while ensuring the lightweight nature of the model. In addition, we introduce a surrogate model in the search task. Compared to using the traditional NAS model to search the network traffic classification model, our NAS model greatly improves the search efficiency under the premise of ensuring that the results are not substantially different. We also manually adjust some operations in the search space of the architecture search to find a set of model operations that are more suitable for traffic classification. 
Finally, we apply the searched model to other traffic datasets to verify the universality of the model. Compared with several common network models in the traffic field, the searched model (NAS-Net) performs better, and the classification effect is more accurate.


2022 ◽  
Vol 8 ◽  
pp. e820
Author(s):  
Hafiza Anisa Ahmed ◽  
Anum Hameed ◽  
Narmeen Zakaria Bawany

The expeditious growth of the World Wide Web and the rampant flow of network traffic have resulted in a continuous increase of network security threats. Cyber attackers seek to exploit vulnerabilities in network architecture to steal valuable information or disrupt computer resources. Network Intrusion Detection System (NIDS) is used to effectively detect various attacks, thus providing timely protection to network resources from these attacks. To implement NIDS, a stream of supervised and unsupervised machine learning approaches is applied to detect irregularities in network traffic and to address network security issues. Such NIDSs are trained using various datasets that include attack traces. However, due to the advancement in modern-day attacks, these systems are unable to detect the emerging threats. Therefore, NIDS needs to be trained and developed with a modern comprehensive dataset which contains contemporary common and attack activities. This paper presents a framework in which different machine learning classification schemes are employed to detect various types of network attack categories. Five machine learning algorithms: Random Forest, Decision Tree, Logistic Regression, K-Nearest Neighbors and Artificial Neural Networks, are used for attack detection. This study uses a dataset published by the University of New South Wales (UNSW-NB15), a relatively new dataset that contains a large amount of network traffic data with nine categories of network attacks. The results show that the classification models achieved the highest accuracy of 89.29% by applying the Random Forest algorithm. Further improvement in the accuracy of classification models is observed when Synthetic Minority Oversampling Technique (SMOTE) is applied to address the class imbalance problem. After applying the SMOTE, the Random Forest classifier showed an accuracy of 95.1% with 24 selected features from the Principal Component Analysis method.


2020 ◽  
Vol 2020 ◽  
pp. 1-9
Author(s):  
Smitha Rajagopal ◽  
Poornima Panduranga Kundapur ◽  
Katiganere Siddaramappa Hareesha

The problem of network intrusion detection poses innumerable challenges to the research community, industry, and commercial sectors. Moreover, the persistent attacks occurring on the cyber-threat landscape compel researchers to devise robust approaches in order to address the recurring problem. Given the presence of massive network traffic, conventional machine learning algorithms when applied in the field of network intrusion detection are quite ineffective. Instead, a hybrid multimodel solution when sought improves performance thereby producing reliable predictions. Therefore, this article presents an ensemble model using metaclassification approach enabled by stacked generalization. Two contemporary as well as heterogeneous datasets, namely, UNSW NB-15, a packet-based dataset, and UGR’16, a flow-based dataset, that were captured in emulated as well as real network traffic environment, respectively, were used for experimentation. Empirical results indicate that the proposed stacking ensemble is capable of generating superior predictions with respect to a real-time dataset (97% accuracy) than an emulated one (94% accuracy).


Author(s):  
Maryam M. Najafabadi ◽  
Taghi M. Khoshgoftaar ◽  
Naeem Seliya

Considering the large quantity of the data flowing through the network routers, there is a very high demand to detect malicious and unhealthy network traffic to provide network users with reliable network operation and security of their information. Predictive models should be built to identify whether a network traffic record is healthy or malicious. To build such models, machine learning methods have started to be used for the task of network intrusion detection. Such predictive models must monitor and analyze a large amount of network data in a reasonable amount of time (usually real time). To do so, they cannot always process the whole data and there is a need for data reduction methods, which reduce the amount of data that needs to be processed. Feature selection is one of the data reduction methods that can be used to decrease the process time. It is important to understand which features are most relevant to determining if a network traffic record is malicious and avoid using the whole feature set to make the processing time more efficient. Also it is important that the simple model built from the reduced feature set be as effective as a model which uses all the features. Considering these facts, feature selection is a very important pre-processing step in the detection of network attacks. The goal is to remove irrelevant and redundant features in order to increase the overall effectiveness of an intrusion detection system without negatively affecting the classification performance. Most of the previous feature selection studies in the area of intrusion detection have been applied on the KDD 99 dataset. As KDD 99 is an outdated dataset, in this paper, we compare different feature selection methods on a relatively new dataset, called Kyoto 2006+. There is no comprehensive comparison of different feature selection approaches for this dataset. 
In the present work, we study four filter-based feature selection methods which are chosen from two categories for the application of network intrusion detection. Three filter-based feature rankers and one filter-based subset evaluation technique are compared together along with the null case which applies no feature selection. We also apply statistical analysis to determine whether performance differences between these feature selection methods are significant or not. We find that among all the feature selection methods, Signal-to-Noise (S2N) gives the best performance results. It also outperforms no feature selection approach in all the experiments.


2021 ◽  
Vol 2089 (1) ◽  
pp. 012006
Author(s):  
B Padmaja ◽  
K Sai Sravan ◽  
E Krishna Rao Patro ◽  
G Chandra Sekhar

Cyber security is the major concern in today’s world. Over the past couple of decades, the internet has grown to such an extent that almost every individual living on this planet has access to the internet today. This can be viewed as one of the major achievements in the human race, but on the flip side of the coin, this gave rise to a lot of security issues for every individual or the company that is accessing the web through the internet. Hackers have become active and are always monitoring the networks to grab every possible opportunity to attack a system and make the best fortune out of its vulnerabilities. To safeguard people’s and organization’s privacy in this cyberspace, different network intrusion detection systems have been developed to detect the hacker’s presence in the networks. These systems fall under signature-based and anomaly-based intrusion detection systems. This paper deals with using an anomaly-based intrusion detection technique to develop an automation system to both train and test supervised machine learning models, which is developed to classify real-time network traffic as to whether it is malicious or not. Currently the best models by considering both detection success rate and the false positives rate are Artificial Neural Networks (ANN) followed by Support Vector Machines (SVM). In this paper, it is verified that Artificial Neural Network (ANN) based machine learning with wrapper feature selection outperforms the support vector machine (SVM) technique while classifying network traffic as harmful or harmless. Initially, to evaluate the performance of the system, the NSL-KDD dataset is used to train and test the SVM and ANN models and finally classify real-time network traffic using these models. This system can be used to carry out model building automatically on the new datasets and also for classifying the behaviour of the provided dataset without having to code.

