scholarly journals Application of deep autoencoder as an one-class classifier for unsupervised network intrusion detection: a comparative evaluation

2020 ◽  
Vol 6 ◽  
pp. e327
Author(s):  
Thavavel Vaiyapuri ◽  
Adel Binbusayyis
Keyword(s):  
Deep Learning ◽  
Network Security ◽  
Intrusion Detection ◽  
Network Traffic ◽  
Comparative Evaluation ◽  
Feature Representation ◽  
Valuable Insight ◽  
Learning Approaches ◽  
Network Intrusion ◽  
One Class Classifier

The ever-increasing use of internet has opened a new avenue for cybercriminals, alarming the online businesses and organization to stay ahead of evolving thread landscape. To this end, intrusion detection system (IDS) is deemed as a promising defensive mechanism to ensure network security. Recently, deep learning has gained ground in the field of intrusion detection but majority of progress has been witnessed on supervised learning which requires adequate labeled data for training. In real practice, labeling the high volume of network traffic is laborious and error prone. Intuitively, unsupervised deep learning approaches has received gaining momentum. Specifically, the advances in deep learning has endowed autoencoder (AE) with greater ability for data reconstruction to learn the robust feature representation from massive amount of data. Notwithstanding, there is no study that evaluates the potential of different AE variants as one-class classifier for intrusion detection. This study fills this gap of knowledge presenting a comparative evaluation of different AE variants for one-class unsupervised intrusion detection. For this research, the evaluation includes five different variants of AE such as Stacked AE, Sparse AE, Denoising AE, Contractive AE and Convolutional AE. Further, the study intents to conduct a fair comparison establishing a unified network configuration and training scheme for all variants over the common benchmark datasets, NSL-KDD and UNSW-NB15. The comparative evaluation study provides a valuable insight on how different AE variants can be used as one-class classifier to build an effective unsupervised IDS. The outcome of this study will be of great interest to the network security community as it provides a promising path for building effective IDS based on deep learning approaches alleviating the need for adequate and diverse intrusion network traffic behavior.

CLUSTERING-BASED NETWORK INTRUSION DETECTION

2007 ◽  
Vol 14 (02) ◽  
pp. 169-187 ◽  
Author(s):  
SHI ZHONG ◽  
TAGHI M. KHOSHGOFTAAR ◽  
NAEEM SELIYA
Keyword(s):  
Data Mining ◽  
Network Security ◽  
Intrusion Detection ◽  
Unsupervised Learning ◽  
Network Traffic ◽  
Clustering Algorithms ◽  
Network Intrusion Detection ◽  
Learning Methods ◽  
High Detection Rate ◽  
Network Intrusion

Recently data mining methods have gained importance in addressing network security issues, including network intrusion detection — a challenging task in network security. Intrusion detection systems aim to identify attacks with a high detection rate and a low false alarm rate. Classification-based data mining models for intrusion detection are often ineffective in dealing with dynamic changes in intrusion patterns and characteristics. Consequently, unsupervised learning methods have been given a closer look for network intrusion detection. We investigate multiple centroid-based unsupervised clustering algorithms for intrusion detection, and propose a simple yet effective self-labeling heuristic for detecting attack and normal clusters of network traffic audit data. The clustering algorithms investigated include, k-means, Mixture-Of-Spherical Gaussians, Self-Organizing Map, and Neural-Gas. The network traffic datasets provided by the DARPA 1998 offline intrusion detection project are used in our empirical investigation, which demonstrates the feasibility and promise of unsupervised learning methods for network intrusion detection. In addition, a comparative analysis shows the advantage of clustering-based methods over supervised classification techniques in identifying new or unseen attack types.

scholarly journals Deep Learning Approaches for Intrusion Detection

2021 ◽  
pp. 50-64
Author(s):  
Azar Abid Salih ◽  
Siddeeq Y. Ameen ◽  
Subhi R. M. Zeebaree ◽  
Mohammed A. M. Sadeeq ◽  
Shakir Fattah Kak ◽  
...  
Keyword(s):  
Deep Learning ◽  
Intrusion Detection ◽  
Computer Security ◽  
Intrusion Detection System ◽  
Detection System ◽  
Feature Learning ◽  
Detailed Comparison ◽  
Learning Approaches ◽  
Network Intrusion ◽  
Research Problems

Recently, computer networks faced a big challenge, which is that various malicious attacks are growing daily. Intrusion detection is one of the leading research problems in network and computer security. This paper investigates and presents Deep Learning (DL) techniques for improving the Intrusion Detection System (IDS). Moreover, it provides a detailed comparison with evaluating performance, deep learning algorithms for detecting attacks, feature learning, and datasets used to identify the advantages of employing in enhancing network intrusion detection.

scholarly journals MFVT:An Anomaly Traffic Detection Method Merging Feature Fusion Network and Vision Transformer Architecture

2021 ◽  
Author(s):  
Ming Li ◽  
Dezhi Han ◽  
Dun Li ◽  
Han Liu ◽  
Chin- Chen Chang
Keyword(s):  
Deep Learning ◽  
Intrusion Detection ◽  
Network Traffic ◽  
Feature Fusion ◽  
Imbalanced Data ◽  
Network Intrusion Detection ◽  
Detection Accuracy ◽  
Data Sets ◽  
Imbalanced Data Sets ◽  
Network Intrusion

Abstract Network intrusion detection, which takes the extraction and analysis of network traffic features as the main method, plays a vital role in network security protection. The current network traffic feature extraction and analysis for network intrusion detection mostly uses deep learning algorithms. Currently, deep learning requires a lot of training resources, and have weak processing capabilities for imbalanced data sets. In this paper, a deep learning model (MFVT) based on feature fusion network and Vision Transformer architecture is proposed, to which improves the processing ability of imbalanced data sets and reduces the sample data resources needed for training. Besides, to improve the traditional raw traffic features extraction methods, a new raw traffic features extraction method (CRP) is proposed, the CPR uses PCA algorithm to reduce all the processed digital traffic features to the specified dimension. On the IDS 2017 dataset and the IDS 2012 dataset, the ablation experiments show that the performance of the proposed MFVT model is significantly better than other network intrusion detection models, and the detection accuracy can reach the state-of-the-art level. And, When MFVT model is combined with CRP algorithm, the detection accuracy is further improved to 99.99%.

scholarly journals Network Intrusion Detection Based on an Efficient Neural Architecture Search

Symmetry ◽  
2021 ◽  
Vol 13 (8) ◽  
pp. 1453
Author(s):  
Renjian Lyu ◽  
Mingshu He ◽  
Yu Zhang ◽  
Lei Jin ◽  
Xinlei Wang
Keyword(s):  
Deep Learning ◽  
Intrusion Detection ◽  
Network Traffic ◽  
Traffic Monitoring ◽  
Classification Model ◽  
Network Intrusion Detection ◽  
Traffic Classification ◽  
Neural Architecture ◽  
Network Intrusion ◽  
Network Traffic Classification

Deep learning has been applied in the field of network intrusion detection and has yielded good results. In malicious network traffic classification tasks, many studies have achieved good performance with respect to the accuracy and recall rate of classification through self-designed models. In deep learning, the design of the model architecture greatly influences the results. However, the design of the network model architecture usually requires substantial professional knowledge. At present, the focus of research in the field of traffic monitoring is often directed elsewhere. Therefore, in the classification task of the network intrusion detection field, there is much room for improvement in the design and optimization of the model architecture. A neural architecture search (NAS) can automatically search the architecture of the model under the premise of a given optimization goal. For this reason, we propose a model that can perform NAS in the field of network traffic classification and search for the optimal architecture suitable for traffic detection based on the network traffic dataset. Each layer of our depth model is constructed according to the principle of maximum coding rate attenuation, which has strong consistency and symmetry in structure. Compared with some manually designed network architectures, classification indicators, such as Top-1 accuracy and F1 score, are also greatly improved while ensuring the lightweight nature of the model. In addition, we introduce a surrogate model in the search task. Compared to using the traditional NAS model to search the network traffic classification model, our NAS model greatly improves the search efficiency under the premise of ensuring that the results are not substantially different. We also manually adjust some operations in the search space of the architecture search to find a set of model operations that are more suitable for traffic classification. Finally, we apply the searched model to other traffic datasets to verify the universality of the model. Compared with several common network models in the traffic field, the searched model (NAS-Net) performs better, and the classification effect is more accurate.

scholarly journals VPN Traffic Detection in SSL-Protected Channel

2019 ◽  
Vol 2019 ◽  
pp. 1-17
Author(s):  
Muhammad Zain ul Abideen ◽  
Shahzad Saleem ◽  
Madiha Ejaz
Keyword(s):  
Network Security ◽  
Intrusion Detection ◽  
Network Traffic ◽  
Communication Protocols ◽  
Virtual Private Network ◽  
Domain Name ◽  
Network Intrusion ◽  
Hypertext Transfer Protocol ◽  
Private Network ◽  
Transfer Protocol

In recent times, secure communication protocols over web such as HTTPS (Hypertext Transfer Protocol Secure) are being widely used instead of plain web communication protocols like HTTP (Hypertext Transfer Protocol). HTTPS provides end-to-end encryption between the user and service. Nowadays, organizations use network firewalls and/or intrusion detection and prevention systems (IDPS) to analyze the network traffic to detect and protect against attacks and vulnerabilities. Depending on the size of organization, these devices may differ in their capabilities. Simple network intrusion detection system (NIDS) and firewalls generally have no feature to inspect HTTPS or encrypted traffic, so they rely on unencrypted traffic to manage the encrypted payload of the network. Recent and powerful next-generation firewalls have Secure Sockets Layer (SSL) inspection feature which are expensive and may not be suitable for every organizations. A virtual private network (VPN) is a service which hides real traffic by creating SSL-protected channel between the user and server. Every Internet activity is then performed under the established SSL tunnel. The user inside the network with malicious intent or to hide his activity from the network security administration of the organization may use VPN services. Any VPN service may be used by users to bypass the filters or signatures applied on network security devices. These services may be the source of new virus or worm injected inside the network or a gateway to facilitate information leakage. In this paper, we have proposed a novel approach to detect VPN activity inside the network. The proposed system analyzes the communication between user and the server to analyze and extract features from network, transport, and application layer which are not encrypted and classify the incoming traffic as malicious, i.e., VPN traffic or standard traffic. Network traffic is analyzed and classified using DNS (Domain Name System) packets and HTTPS- (Hypertext Transfer Protocol Secure-) based traffic. Once traffic is classified, the connection based on the server’s IP, TCP port connected, domain name, and server name inside the HTTPS connection is analyzed. This helps in verifying legitimate connection and flags the VPN-based traffic. We worked on top five freely available VPN services and analyzed their traffic patterns; the results show successful detection of the VPN activity performed by the user. We analyzed the activity of five users, using some sort of VPN service in their Internet activity, inside the network. Out of total 729 connections made by different users, 329 connections were classified as legitimate activity, marking 400 remaining connections as VPN-based connections. The proposed system is lightweight enough to keep minimal overhead, both in network and resource utilization and requires no specialized hardware.

scholarly journals Network intrusion detection using oversampling technique and machine learning algorithms

2022 ◽  
Vol 8 ◽  
pp. e820
Author(s):  
Hafiza Anisa Ahmed ◽  
Anum Hameed ◽  
Narmeen Zakaria Bawany
Keyword(s):  
Machine Learning ◽  
Random Forest ◽  
Network Security ◽  
Intrusion Detection ◽  
Network Traffic ◽  
Learning Algorithms ◽  
Machine Learning Algorithms ◽  
Network Intrusion Detection ◽  
Classification Models ◽  
Network Intrusion

The expeditious growth of the World Wide Web and the rampant flow of network traffic have resulted in a continuous increase of network security threats. Cyber attackers seek to exploit vulnerabilities in network architecture to steal valuable information or disrupt computer resources. Network Intrusion Detection System (NIDS) is used to effectively detect various attacks, thus providing timely protection to network resources from these attacks. To implement NIDS, a stream of supervised and unsupervised machine learning approaches is applied to detect irregularities in network traffic and to address network security issues. Such NIDSs are trained using various datasets that include attack traces. However, due to the advancement in modern-day attacks, these systems are unable to detect the emerging threats. Therefore, NIDS needs to be trained and developed with a modern comprehensive dataset which contains contemporary common and attack activities. This paper presents a framework in which different machine learning classification schemes are employed to detect various types of network attack categories. Five machine learning algorithms: Random Forest, Decision Tree, Logistic Regression, K-Nearest Neighbors and Artificial Neural Networks, are used for attack detection. This study uses a dataset published by the University of New South Wales (UNSW-NB15), a relatively new dataset that contains a large amount of network traffic data with nine categories of network attacks. The results show that the classification models achieved the highest accuracy of 89.29% by applying the Random Forest algorithm. Further improvement in the accuracy of classification models is observed when Synthetic Minority Oversampling Technique (SMOTE) is applied to address the class imbalance problem. After applying the SMOTE, the Random Forest classifier showed an accuracy of 95.1% with 24 selected features from the Principal Component Analysis method.

scholarly journals Network Intrusion Detection with Threat Agent Profiling

2018 ◽  
Vol 2018 ◽  
pp. 1-17 ◽  
Author(s):  
Tomáš Bajtoš ◽  
Andrej Gajdoš ◽  
Lenka Kleinová ◽  
Katarína Lučivjanská ◽  
Pavol Sokol
Keyword(s):  
Network Security ◽  
Intrusion Detection ◽  
Network Traffic ◽  
Clustering Algorithms ◽  
Computer Systems ◽  
Network Intrusion Detection ◽  
Clustering Methods ◽  
Security Incident ◽  
Network Intrusion ◽  
Fine Classification

With the increase in usage of computer systems and computer networks, the problem of intrusion detection in network security has become an important issue. In this paper, we discuss approaches that simplify network administrator’s work. We applied clustering methods for security incident profiling. We considerK-means, PAM, and CLARA clustering algorithms. For this purpose, we used data collected in Warden system from various security tools. We do not aim to differentiate between normal and abnormal network traffic, but we focus on grouping similar threat agents based on attributes of security events. We suggest a case of a fine classification and a case of a coarse classification and discuss advantages of both cases.

Sign in / Sign up

Export Citation Format

Share Document