An intrusion detection (ID) model is proposed based on the fuzzy data mining method. A major difficulty of anomaly ID is that the patterns of normal behavior change with time. In addition, an actual intrusion with only a small deviation may match normal patterns, so the intrusion cannot be detected by the detection system. To solve this problem, a fuzzy data mining technique is used to extract patterns representing the normal behavior of a network. A set of fuzzy association rules mined from the network data serves as a model of "normal behaviors". To detect anomalous behaviors, fuzzy association rules are generated from new audit data and their similarity with the rule sets mined from "normal" data is computed. If the similarity values are lower than a threshold value, an alarm is raised. Furthermore, genetic algorithms are used to tune the fuzzy membership functions and to select an appropriate set of features.
With economic development and the widespread use of computers, electronic commerce has developed rapidly. More and more commerce and key business is carried out on the Internet because the Internet has the features of interactivity, openness, sharing and so on. However, in daily commerce, people worry about the security of the network system, so a new technology that can detect unusual behavior in time has been devised to protect the security of network systems. Intrusion detection systems need a lot of new technology to protect the data of the network system. The application of data mining technology in intrusion detection systems can better assist users in analyzing the data and improve the accuracy of the detection system.
Aiming at the shortcomings of intrusion detection systems (IDSs) used in commercial and research fields, we propose the MA-IDS system, a distributed intrusion detection system based on data mining. In this model, a misuse intrusion detection system (MIDS) and an anomaly intrusion detection system (AIDS) are combined. Data mining is applied to raise detection performance, and a distributed mechanism is employed to increase scalability and efficiency. Host- and network-based mining algorithms employ an improved Bayesian decision theorem suited to real security environments to minimize the risks incurred by false decisions. We describe the overall architecture of the MA-IDS system and discuss specific design and implementation issues.
Intrusion detection is regarded as a classification problem in the data mining field. However, instead of directly mining classification rules, class association rules, which are then used to construct a classifier, are mined from audit logs. Some attributes in audit logs are important for detecting intrusions, but their values have a skewed distribution. A relative support concept is proposed to deal with this situation. To mine class association rules effectively, an algorithm based on the FP-tree is exploited. Experimental results show that this method performs better.
Funding: The work is supported by Chinese NSF (Project No. 60073034).
Anomaly detection has been an active research topic in the field of network intrusion detection for many years. A novel method is presented for anomaly detection based on system calls into the kernels of Unix or Linux systems. The method uses a data mining technique to model the normal behavior of a privileged program and uses a variable-length pattern matching algorithm to compare the current behavior with historic normal behavior, which is more suitable for this problem than the fixed-length pattern matching algorithm proposed by Forrest et al. At the detection stage, the particularity of the audit data is taken into account, and two alternative schemes can be used to distinguish between normal behavior and intrusions. The method gives attention to both computational efficiency and detection accuracy and is especially applicable to on-line detection. The performance of the method is evaluated using the typical testing data set, and the results show that it is significantly better than the anomaly detection method based on hidden Markov models proposed by Yan et al. and the method based on fixed-length patterns proposed by Forrest and Hofmeyr. The novel method has been applied to practical host-based intrusion detection systems and achieved high detection performance.
Funding: Supported by the National Grand Fundamental Research "973" Program of China (2004CB318109), the National High-Technology Research and Development Plan of China (2006AA01Z452) and the National Information Security "242" Program of China (2005C39).
In recent years, significant research has been devoted to the development of Intrusion Detection Systems (IDS) able to detect anomalous computer network traffic indicative of malicious activity. While signature-based IDS have proven effective in discovering known attacks, anomaly-based IDS hold the even greater promise of being able to automatically detect previously undocumented threats. Traditional IDS are generally trained in batch mode, and therefore cannot adapt to evolving network data streams in real time. To resolve this limitation, data stream mining techniques can be utilized to create a new type of IDS able to dynamically model a stream of network traffic. In this paper, we present two methods for anomalous network packet detection based on the data stream mining paradigm. The first of these is an adapted version of the DenStream algorithm for stream clustering, specifically tailored to evaluate network traffic. In this algorithm, individual packets are treated as points and are flagged as normal or abnormal based on whether they belong to normal or outlier clusters. The second algorithm utilizes a histogram to create a model of the evolving network traffic, to which incoming traffic can be compared using Pearson correlation. Both of these algorithms were tested using the first week of data from the DARPA '99 dataset with Generic HTTP, Shellcode and Polymorphic attacks inserted. We were able to achieve reasonably high detection rates with moderately low false positive percentages for different types of attacks, though detection rates varied between the two algorithms. Overall, the histogram-based detection algorithm achieved slightly superior results, but required more parameters than the clustering-based algorithm. As a result of its fewer parameter requirements, the clustering approach can be more easily generalized to different types of network traffic streams.
This paper studies the clustering problem for intrusion detection using the theory of information entropy. It is shown that the clustering problem for exact intrusion detection based on information entropy is NP-complete; therefore, a heuristic algorithm for the intrusion detection clustering problem is designed. This algorithm is incremental, so it can handle databases with large numbers of connection records from the Internet.
Due to the widespread use of the Internet and smart devices, various attacks like intrusions, zero-days, malware, and security breaches are a constant threat to any organization's network infrastructure. Thus, a Network Intrusion Detection System (NIDS) is required to detect attacks in network traffic. This paper proposes a new hybrid method for intrusion detection and attack categorization. The proposed approach comprises three steps to address high false and low false-negative rates for intrusion detection and attack categorization. In the first step, the dataset is preprocessed through a data transformation technique and the min-max method. Secondly, the random forest recursive feature elimination method is applied to identify optimal features that positively impact the model's performance. Next, we use various Support Vector Machine (SVM) types to detect intrusions and the Adaptive Neuro-Fuzzy System (ANFIS) to categorize probe, U2R, R2U, and DDOS attacks. The validation of the proposed method is calculated through Fine Gaussian SVM (FGSVM), which is 99.3% for the binary class. Mean Square Error (MSE) is reported as 0.084964 for training data, 0.0855203 for testing, and 0.084964 to validate multiclass categorization.
Funding: The authors would like to thank the Deanship of Scientific Research at Prince Sattam bin Abdul-Aziz University, Saudi Arabia.
As the Internet offers increased connectivity between human beings, it has fallen prey to malicious users who exploit its resources to gain illegal access to critical information. In an effort to protect computer networks from external attacks, two common types of Intrusion Detection Systems (IDSs) are often deployed. The first type is signature-based IDSs, which can detect intrusions efficiently by scanning network packets and comparing them with human-generated signatures describing previously observed attacks. The second type is anomaly-based IDSs, able to detect new attacks by modeling normal network traffic without the need for a human expert. Despite this advantage, anomaly-based IDSs are limited by a high false-alarm rate and difficulty detecting network attacks that attempt to blend in with normal traffic. In this study, we propose a StreamPreDeCon anomaly-based IDS. StreamPreDeCon is an extension of the preference subspace clustering algorithm PreDeCon designed to resolve some of the challenges associated with anomalous packet detection. Using network packets extracted from the first week of the DARPA '99 intrusion detection evaluation dataset combined with Generic HTTP, Shellcode and CLET attacks, our IDS achieved 94.4% sensitivity and 0.726% false positives in a best-case scenario. To measure the overall effectiveness of the IDS, the average sensitivity and false positive rates were calculated for both the maximum sensitivity and the minimum false positive rate. With the maximum sensitivity, the IDS had 80% sensitivity and 9% false positives on average. The IDS also averaged 63% sensitivity with a 0.4% false positive rate when the minimal number of false positives is needed. These rates are an improvement on results found in a previous study, as the sensitivity rate in general increased while the false positive rate decreased.
An unsupervised clustering-based intrusion detection algorithm is discussed in this paper. The basic idea of the algorithm is to produce clusters by comparing the distances within unlabeled training data sets. With the classified data instances, anomalous data clusters can be easily identified by the normal cluster ratio, and the identified clusters can be used in real data detection. The benefit of the algorithm is that it does not need labeled training data sets. The experiment concludes that this approach can detect unknown intrusions efficiently in real network connections using the KDD99 data sets.
Because the amount of data that an IDS needs to examine is very large, it is necessary to reduce the audit features and discard redundant features. Therefore, we investigated the performance of reducing TCP/IP features with a decision tree rule-based statistical method (DTRS). Its main idea is to create n decision trees on n data subsets, extract the rules, work out the relatively important features according to the frequency of use of the different features, and demonstrate by experimental results that the reduced features perform better than the primary features.
Funding: Supported by the Natural Science Foundation of Hebei Province (F2004000133).
After the digital revolution, large quantities of data have been generated over time through various networks. The networks have made the process of data analysis very difficult when detecting attacks using suitable techniques. While Intrusion Detection Systems (IDSs) secure resources against threats, they still face challenges in improving detection accuracy, reducing false alarm rates, and detecting unknown attacks. This paper presents a framework that integrates data mining classification algorithms and association rules to implement network intrusion detection. Several experiments have been performed and evaluated to assess various machine learning classifiers on the KDD99 intrusion dataset. Our study focuses on several data mining algorithms: naïve Bayes, decision trees, support vector machines, decision tables, k-nearest neighbor algorithms, and artificial neural networks. Moreover, this paper is concerned with the association process in creating attack rules to identify attacks in the network audit data, using the KDD99 dataset for anomaly detection. The focus is on the false negative and false positive performance metrics to enhance the detection rate of the intrusion detection system. The implemented experiments compare the results of each algorithm and demonstrate that the decision tree is the most powerful algorithm, as it has the highest accuracy (0.992) and the lowest false positive rate (0.009).
In this paper, we introduce an adaptive clustering algorithm for intrusion detection based on wavecluster, which was introduced by Gholamhosein in 1999 and used with success in image processing. Because of the non-stationary characteristic of network traffic, we extend and develop an adaptive wavecluster algorithm for intrusion detection. Using the multiresolution property of wavelet transforms, we can effectively identify arbitrarily shaped clusters at different scales and degrees of detail; moreover, applying the wavelet transform removes the noise from the original feature space and makes the clusters found more accurate. Experimental results on the KDD-99 intrusion detection dataset show the efficiency and accuracy of this algorithm. A detection rate above 96% and a false alarm rate below 3% are achieved.
There are inherent vulnerabilities in mobile Ad-Hoc networks that are not easily preventable. To build a highly secure wireless Ad-Hoc network, intrusion detection and response techniques need to be deployed. Intrusion detection and cluster-based Ad-Hoc networks are introduced; then, an architecture for better cluster-based intrusion detection using data mining in wireless Ad-Hoc networks is presented. A statistical anomaly detection approach is used. Anomaly detection and trace analysis are done locally in each node and, where possible, through cooperation with clusterhead detection in the network.
Intrusion detection is critical to guaranteeing the safety of the data in a network. However, since Internet commerce has grown at a breakneck pace, the kinds of network traffic are increasing daily and network behavior characteristics are becoming increasingly complicated, posing significant hurdles to intrusion detection. Challenges in terms of false positives, false negatives, low detection accuracy, high running time, adversarial attacks, uncertain attacks, etc. lead to an insecure Intrusion Detection System (IDS). To offset these challenges, this work develops a secure Data Mining Intrusion Detection System (DataMIDS) framework using Functional Perturbation (FP) feature selection and a Bengio Nesterov Momentum-based Tuned Generative Adversarial Network (BNM-tGAN) attack detection technique. The data mining-based framework provides shallow learning of features and emphasizes feature engineering as well as selection. Initially, the IDS data are analyzed for missing values using the Marginal Likelihood Fisher Information Matrix technique (MLFIMT), which identifies the relationship between the missing values and the attack classes. Based on this analysis, the missing values are classified as Missing Completely at Random (MCAR), Missing at Random (MAR) or Missing Not at Random (MNAR), and handled according to their type. Thereafter, categorical features are handled, followed by feature scaling using the Absolute Median Division based Robust Scalar (AMDRS) and handling of the imbalanced dataset. The selection of relevant features is performed using FP, which uses three Feature Selection (FS) techniques: the Inverse Chi Square based Flamingo Search (ICS-FSO) wrapper method, the Hyperparameter Tuned Threshold based Decision Tree (HpTT-DT) embedded method, and the Xavier Normal Distribution based Relief (XavND-Relief) filter method. Finally, the selected features are trained and tested for detecting attacks using BNM-tGAN. The experimental analysis demonstrates that the introduced DataMIDS framework produces an accurate diagnosis of the attack with low computation time. The work avoids false alarms and remains relatively robust against malicious attacks compared to existing methods.
Unsupervised anomaly detection can detect attacks without the need for clean or labeled training data. This paper studies the application of clustering to unsupervised anomaly detection (ACUAD). Data records are mapped to a feature space, and anomalies are detected by determining which points lie in the sparse regions of that space. A critical element for this method to be effective is the definition of the distance function between data records. We propose a unified normalization distance framework for mixed data records with numeric and nominal features. A heuristic method that computes the distance for nominal features is proposed, taking advantage of an important characteristic of nominal features: their probability distribution. Then, robust methods are proposed for mapping numeric features and computing their distance; these are able to tolerate the impact of differences in scale and diversification among feature values, as well as outliers introduced by intrusions. Empirical experiments with the KDD 1999 dataset showed that ACUAD can detect intrusions with relatively low false alarm rates compared with other approaches.
文摘An intrusion detection (ID) model is proposed based on the fuzzy data mining method. A major difficulty of anomaly ID is that patterns of the normal behavior change with time. In addition, an actual intrusion with a small deviation may match normal patterns. So the intrusion behavior cannot be detected by the detection system.To solve the problem, fuzzy data mining technique is utilized to extract patterns representing the normal behavior of a network. A set of fuzzy association rules mined from the network data are shown as a model of “normal behaviors”. To detect anomalous behaviors, fuzzy association rules are generated from new audit data and the similarity with sets mined from “normal” data is computed. If the similarity values are lower than a threshold value,an alarm is given. Furthermore, genetic algorithms are used to adjust the fuzzy membership functions and to select an appropriate set of features.
文摘With the economic development and the popularity of application of electronic computer, electronic commerce has rapid development. More and more commerce and key business has been carried on the lnternet because Internet has the features of interaction, openness, sharing and so on. However, during the daily commerce, people worry about the security of the network system. So a new technology which can detect the unusual behavior in time has been invented in order to protect the security of network system. The system of intrusion detection needs a lot of new technology to protect the data of the network system. The application of data mining technology in the system of intrusion detection can provide a better assistant to the users to analyze the data and improve the accuracy of the checking system.
文摘Aiming at the shortcomings in intrusion detection systems (IDSs) used incommercial and research fields, we propose the MA-IDS system, a distributed intrusion detectionsystem based on data mining. In this model, misuse intrusion detection system CM1DS) and anomalyintrusion de-lection system (AIDS) are combined. Data mining is applied to raise detectionperformance, and distributed mechanism is employed to increase the scalability and efficiency. Host-and network-based mining algorithms employ an improved. Bayes-ian decision theorem that suits forreal security environment to minimize the risks incurred by false decisions. We describe the overallarchitecture of the MA-IDS system, and discuss specific design and implementation issue.
基金The work is supported by Chinese NSF(Project No.60073034)
文摘Intrusion detection is regarded as classification in data mining field. However instead of directly mining the classification rules, class association rules, which are then used to construct a classifier, are mined from audit logs. Some attributes in audit logs are important for detecting intrusion but their values are distributed skewedly. A relative support concept is proposed to deal with such situation. To mine class association rules effectively, an algorithms based on FP-tree is exploited. Experiment result proves that this method has better performance.
基金supported by the National Grand Fundamental Research "973" Program of China (2004CB318109)the National High-Technology Research and Development Plan of China (2006AA01Z452)the National Information Security "242"Program of China (2005C39).
文摘Anomaly detection has been an active research topic in the field of network intrusion detection for many years. A novel method is presented for anomaly detection based on system calls into the kernels of Unix or Linux systems. The method uses the data mining technique to model the normal behavior of a privileged program and uses a variable-length pattern matching algorithm to perform the comparison of the current behavior and historic normal behavior, which is more suitable for this problem than the fixed-length pattern matching algorithm proposed by Forrest et al. At the detection stage, the particularity of the audit data is taken into account, and two alternative schemes could be used to distinguish between normalities and intrusions. The method gives attention to both computational efficiency and detection accuracy and is especially applicable for on-line detection. The performance of the method is evaluated using the typical testing data set, and the results show that it is significantly better than the anomaly detection method based on hidden Markov models proposed by Yan et al. and the method based on fixed-length patterns proposed by Forrest and Hofmeyr. The novel method has been applied to practical hosted-based intrusion detection systems and achieved high detection performance.
文摘In recent years, significant research has been devoted to the development of Intrusion Detection Systems (IDS) able to detect anomalous computer network traffic indicative of malicious activity. While signature-based IDS have proven effective in discovering known attacks, anomaly-based IDS hold the even greater promise of being able to automatically detect previously undocumented threats. Traditional IDS are generally trained in batch mode, and therefore cannot adapt to evolving network data streams in real time. To resolve this limitation, data stream mining techniques can be utilized to create a new type of IDS able to dynamically model a stream of network traffic. In this paper, we present two methods for anomalous network packet detection based on the data stream mining paradigm. The first of these is an adapted version of the DenStream algorithm for stream clustering specifically tailored to evaluate network traffic. In this algorithm, individual packets are treated as points and are flagged as normal or abnormal based on their belonging to either normal or outlier clusters. The second algorithm utilizes a histogram to create a model of the evolving network traffic to which incoming traffic can be compared using Pearson correlation. Both of these algorithms were tested using the first week of data from the DARPA ’99 dataset with Generic HTTP, Shell-code and Polymorphic attacks inserted. We were able to achieve reasonably high detection rates with moderately low false positive percentages for different types of attacks, though detection rates varied between the two algorithms. Overall, the histogram-based detection algorithm achieved slightly superior results, but required more parameters than the clustering-based algorithm. As a result of its fewer parameter requirements, the clustering approach can be more easily generalized to different types of network traffic streams.
文摘This paper studied on the clustering problem for intrusion detection with the theory of information entropy, it was put forward that the clustering problem for exact intrusion detection based on information entropy is NP complete, therefore, the heuristic algorithm to solve the clustering problem for intrusion detection was designed, this algorithm has the characteristic of incremental development, it can deal with the database with large connection records from the internet.
基金The authors would like to thank the Deanship of Scientific Research at Prince Sattam bin Abdul-Aziz University,Saudi Arabia.
文摘Due to the widespread use of the internet and smart devices,various attacks like intrusion,zero-day,Malware,and security breaches are a constant threat to any organization’s network infrastructure.Thus,a Network Intrusion Detection System(NIDS)is required to detect attacks in network traffic.This paper proposes a new hybrid method for intrusion detection and attack categorization.The proposed approach comprises three steps to address high false and low false-negative rates for intrusion detection and attack categorization.In the first step,the dataset is preprocessed through the data transformation technique and min-max method.Secondly,the random forest recursive feature elimination method is applied to identify optimal features that positively impact the model’s performance.Next,we use various Support Vector Machine(SVM)types to detect intrusion and the Adaptive Neuro-Fuzzy System(ANFIS)to categorize probe,U2R,R2U,and DDOS attacks.The validation of the proposed method is calculated through Fine Gaussian SVM(FGSVM),which is 99.3%for the binary class.Mean Square Error(MSE)is reported as 0.084964 for training data,0.0855203 for testing,and 0.084964 to validate multiclass categorization.
文摘As the Internet offers increased connectivity between human beings, it has fallen prey to malicious users who exploit its resources to gain illegal access to critical information. In an effort to protect computer networks from external attacks, two common types of Intrusion Detection Systems (IDSs) are often deployed. The first type is signature-based IDSs which can detect intrusions efficiently by scanning network packets and comparing them with human-generated signatures describing previously-observed attacks. The second type is anomaly-based IDSs able to detect new attacks through modeling normal network traffic without the need for a human expert. Despite this advantage, anomaly-based IDSs are limited by a high false-alarm rate and difficulty detecting network attacks attempting to blend in with normal traffic. In this study, we propose a StreamPreDeCon anomaly-based IDS. StreamPreDeCon is an extension of the preference subspace clustering algorithm PreDeCon designed to resolve some of the challenges associated with anomalous packet detection. Using network packets extracted from the first week of the DARPA '99 intrusion detection evaluation dataset combined with Generic Http, Shellcode and CLET attacks, our IDS achieved 94.4% sensitivity and 0.726% false positives in a best case scenario. To measure the overall effectiveness of the IDS, the average sensitivity and false positive rates were calculated for both the maximum sensitivity and the minimum false positive rate. With the maximum sensitivity, the IDS had 80% sensitivity and 9% false positives on average. The IDS also averaged 63% sensitivity with a 0.4% false positive rate when the minimal number of false positives is needed. These rates are an improvement on results found in a previous study as the sensitivity rate in general increased while the false positive rate decreased.
文摘An unsupervised clustering\|based intrusion detection algorithm is discussed in this paper. The basic idea of the algorithm is to produce the cluster by comparing the distances of unlabeled training data sets. With the classified data instances, anomaly data clusters can be easily identified by normal cluster ratio and the identified cluster can be used in real data detection. The benefit of the algorithm is that it doesn't need labeled training data sets. The experiment concludes that this approach can detect unknown intrusions efficiently in the real network connections via using the data sets of KDD99.
基金Supported by Natural Science Foundation of Hebei Prov-ince (F2004000133)
文摘Due to the amount of data that an IDS needs to examine is very large, it is necessary to reduce the audit features and neglect the redundant features. Therefore, we investigated the performance to reduce TCP/IP features based on the decision tree rule-based statistical method(DTRS). Its main idea is to create n decision trees in n data subsets, extract the rules, work out the relatively important features in accordance with the frequency of use of different features and demonstrate the performance of reduced features better than primary features by experimental resuits.
Abstract: After the digital revolution, large quantities of data have been generated over time through various networks. These networks have made data analysis very difficult, and attacks must be detected using suitable techniques. While Intrusion Detection Systems (IDSs) secure resources against threats, they still face challenges in improving detection accuracy, reducing false alarm rates, and detecting unknown attacks. This paper presents a framework that integrates data mining classification algorithms and association rules to implement network intrusion detection. Several experiments have been performed and evaluated to assess various machine learning classifiers on the KDD99 intrusion dataset. Our study focuses on several data mining algorithms, namely naïve Bayes, decision trees, support vector machines, decision tables, k-nearest neighbor algorithms, and artificial neural networks. Moreover, this paper is concerned with the association process for creating attack rules that identify attacks in the network audit data, using the KDD99 dataset for anomaly detection. The focus is on the false negative and false positive performance metrics, in order to enhance the detection rate of the intrusion detection system. The implemented experiments compare the results of each algorithm and demonstrate that the decision tree is the most powerful algorithm, as it has the highest accuracy (0.992) and the lowest false positive rate (0.009).
Abstract: In this paper, we introduce an adaptive clustering algorithm for intrusion detection based on WaveCluster, which was introduced by Gholamhosein in 1999 and has been used with success in image processing. Because of the non-stationary characteristic of network traffic, we extend WaveCluster into an adaptive algorithm for intrusion detection. Using the multiresolution property of wavelet transforms, we can effectively identify arbitrarily shaped clusters at different scales and degrees of detail; moreover, applying the wavelet transform removes noise from the original feature space and allows more accurate clusters to be found. Experimental results on the KDD-99 intrusion detection dataset show the efficiency and accuracy of this algorithm. A detection rate above 96% and a false alarm rate below 3% are achieved.
Abstract: There are inherent vulnerabilities in mobile Ad-Hoc networks that are not easily preventable. To build a highly secure wireless Ad-Hoc network, intrusion detection and response techniques need to be deployed. Intrusion detection and cluster-based Ad-Hoc networks are introduced; then an architecture for improved cluster-based intrusion detection using data mining in wireless Ad-Hoc networks is presented. A statistical anomaly detection approach is used. Anomaly detection and trace analysis are performed locally in each node, and possibly through cooperation with clusterhead detection in the network.
Abstract: Intrusion detection is critical to guaranteeing the safety of the data in the network. However, since Internet commerce has grown at a breakneck pace, the kinds of network traffic are rising daily and network behavior characteristics are becoming increasingly complicated, posing significant hurdles to intrusion detection. Challenges in terms of false positives, false negatives, low detection accuracy, high running time, adversarial attacks, uncertain attacks, etc. lead to an insecure Intrusion Detection System (IDS). To offset the existing challenges, this work develops a secure Data Mining Intrusion Detection System (DataMIDS) framework using Functional Perturbation (FP) feature selection and a Bengio Nesterov Momentum-based Tuned Generative Adversarial Network (BNM-tGAN) attack detection technique. The data mining-based framework provides shallow learning of features and emphasizes feature engineering as well as selection. Initially, the IDS data are analyzed for missing values based on the Marginal Likelihood Fisher Information Matrix technique (MLFIMT), which identifies the relationship among the missing values and attack classes. Based on the analysis, the missing values are classified as Missing Completely at Random (MCAR), Missing at Random (MAR) or Missing Not at Random (MNAR), and handled according to their type. Thereafter, categorical features are handled, followed by feature scaling using Absolute Median Division based Robust Scalar (AMDRS) and handling of the imbalanced dataset. The selection of relevant features is initiated using FP, which uses three Feature Selection (FS) techniques, i.e., the Inverse Chi Square based Flamingo Search (ICS-FSO) wrapper method, the Hyperparameter Tuned Threshold based Decision Tree (HpTT-DT) embedded method, and the Xavier Normal Distribution based Relief (XavND-Relief) filter method. Finally, the selected features are trained and tested for detecting attacks using BNM-tGAN. Experimental analysis demonstrates that the introduced DataMIDS framework produces an accurate diagnosis of the attack with low computation time. The work avoids false alarms and remains relatively robust against malicious attacks compared with existing methods.
Fund: Supported by the PhD Foundation of Engineering and Commerce College, South-Central University for Nationalities, China
Abstract: Unsupervised anomaly detection can detect attacks without the need for clean or labeled training data. This paper studies the application of clustering to unsupervised anomaly detection (ACUAD). Data records are mapped to a feature space. Anomalies are detected by determining which points lie in the sparse regions of the feature space. A critical element for this method to be effective is the definition of the distance function between data records. We propose a unified normalization distance framework for records with mixed numeric and nominal features. A heuristic method that computes the distance for nominal features is proposed, taking advantage of an important characteristic of nominal features: their probability distribution. Then, robust methods are proposed for mapping numeric features and computing their distance; these tolerate differences in scale and spread among features, as well as outliers introduced by intrusions. Empirical experiments with the KDD 1999 dataset showed that ACUAD can detect intrusions with relatively low false alarm rates compared with other approaches.