Anomaly Classification Using Genetic Algorithm-Based Random Forest Modelfor Network Attack Detection

Anomaly classification based on network traffic features is an important task to monitor and detect network intrusion attacks.Network-based intrusion detection systems(NIDSs)using machine learning(ML)methods are effective tools for protecting network infrastructures and services from unpredictable and unseen attacks.Among several ML methods,random forest(RF)is a robust method that can be used in ML-based network intrusion detection solutions.However,the minimum number of instances for each split and the number of trees in the forest are two key parameters of RF that can affect classification accuracy.Therefore,optimal parameter selection is a real problem in RF-based anomaly classification of intrusion detection systems.In this paper,we propose to use the genetic algorithm(GA)for selecting the appropriate values of these two parameters,optimizing the RF classifier and improving the classification accuracy of normal and abnormal network traffics.To validate the proposed GA-based RF model,a number of experiments is conducted on two public datasets and evaluated using a set of performance evaluation measures.In these experiments,the accuracy result is compared with the accuracies of baseline ML classifiers in the recent works.Experimental results reveal that the proposed model can avert the uncertainty in selection the values of RF’s parameters,improving the accuracy of anomaly classification in NIDSs without incurring excessive time.

The Use of Multi-Objective Genetic Algorithm Based Approach to Create Ensemble of ANN for Intrusion Detection

Due to our increased dependence on Internet and growing number of intrusion incidents, building effective intrusion detection systems are essential for protecting Internet resources and yet it is a great challenge. In literature, many researchers utilized Artificial Neural Networks (ANN) in supervised learning based intrusion detection successfully. Here, ANN maps the network traffic into predefined classes i.e. normal or specific attack type based upon training from label dataset. However, for ANN-based IDS, detection rate (DR) and false positive rate (FPR) are still needed to be improved. In this study, we propose an ensemble approach, called MANNE, for ANN-based IDS that evolves ANNs by Multi Objective Genetic algorithm to solve the problem. It helps IDS to achieve high DR, less FPR and in turn high intrusion detection capability. The procedure of MANNE is as follows: firstly, a Pareto front consisting of a set of non-dominated ANN solutions is created using MOGA, which formulates the base classifiers. Subsequently, based upon this pool of non-dominated ANN solutions as base classifiers, another Pareto front consisting of a set of non-dominated ensembles is created which exhibits classification tradeoffs. Finally, prediction aggregation is done to get final ensemble prediction from predictions of base classifiers. Experimental results on the KDD CUP 1999 dataset show that our proposed ensemble approach, MANNE, outperforms ANN trained by Back Propagation and its ensembles using bagging & boosting methods in terms of defined performance metrics. We also compared our approach with other well-known methods such as decision tree and its ensembles using bagging & boosting methods.

Genetic-based Fuzzy IDS for Feature Set Reduction and Worm Hole Attack Detection

The wireless ad-hoc networks are decentralized networks with a dynamic topology that allows for end-to-end communications via multi-hop routing operations with several nodes collaborating themselves,when the destination and source nodes are not in range of coverage.Because of its wireless type,it has lot of security concerns than an infrastructure networks.Wormhole attacks are one of the most serious security vulnerabilities in the network layers.It is simple to launch,even if there is no prior network experience.Signatures are the sole thing that preventive measures rely on.Intrusion detection systems(IDS)and other reactive measures detect all types of threats.The majority of IDS employ features from various network layers.One issue is calculating a huge layered features set from an ad-hoc network.This research implements genetic algorithm(GA)-based feature reduction intrusion detection approaches to minimize the quantity of wireless feature sets required to identify worm hole attacks.For attack detection,the reduced feature set was put to a fuzzy logic system(FLS).The performance of proposed model was compared with principal component analysis(PCA)and statistical parametric mapping(SPM).Network performance analysis like delay,packet dropping ratio,normalized overhead,packet delivery ratio,average energy consumption,throughput,and control overhead are evaluated and the IDS performance parameters like detection ratio,accuracy,and false alarm rate are evaluated for validation of the proposed model.The proposed model achieves 95.5%in detection ratio with 96.8%accuracy and produces very less false alarm rate(FAR)of 14%when compared with existing techniques.

INTERNET INTRUSION DETECTION MODEL BASED ON FUZZY DATA MINING

An intrusion detection （ID） model is proposed based on the fuzzy data mining method. A major difficulty of anomaly ID is that patterns of the normal behavior change with time. In addition, an actual intrusion with a small deviation may match normal patterns. So the intrusion behavior cannot be detected by the detection system.To solve the problem, fuzzy data mining technique is utilized to extract patterns representing the normal behavior of a network. A set of fuzzy association rules mined from the network data are shown as a model of “normal behaviors”. To detect anomalous behaviors, fuzzy association rules are generated from new audit data and the similarity with sets mined from “normal” data is computed. If the similarity values are lower than a threshold value,an alarm is given. Furthermore, genetic algorithms are used to adjust the fuzzy membership functions and to select an appropriate set of features.

Intrusion detection using rough set classification

Recently machine learning-based intrusion detection approaches have been subjected to extensive researches because they can detect both misuse and anomaly. In this paper, rough set classification (RSC), a modern learning algorithm, is used to rank the features extracted for detecting intrusions and generate intrusion detection models. Feature ranking is a very critical step when building the model. RSC performs feature ranking before generating rules, and converts the feature ranking to minimal hitting set problem addressed by using genetic algorithm (GA). This is done in classical approaches using Support Vector Machine (SVM) by executing many iterations, each of which removes one useless feature. Compared with those methods, our method can avoid many iterations. In addition, a hybrid genetic algorithm is proposed to increase the convergence speed and decrease the training time of RSC. The models generated by RSC take the form of'IF-THEN' rules, which have the advantage of explication. Tests and comparison of RSC with SVM on DARPA benchmark data showed that for Probe and DoS attacks both RSC and SVM yielded highly accurate results (greater than 99% accuracy on testing set).

A Neuro-genetic Based Short-term Forecasting Framework for Network Intrusion Prediction System

Information systems are one of the most rapidly changing and vulnerable systems, where security is a major issue. The number of security-breaking attempts originating inside organizations is increasing steadily. Attacks made in this way, usually done by ＂authorized＂ users of the system, cannot be immediately traced. Because the idea of filtering the traffic at the entrance door, by using firewalls and the like, is not completely successful, the use of intrusion detection systems should be considered to increase the defense capacity of an information system. An intrusion detection system （IDS） is usually working in a dynamically changing environment, which forces continuous tuning of the intrusion detection model, in order to maintain sufficient performance. The manual tuning process required by current IDS depends on the system operators in working out the tuning solution and in integrating it into the detection model. Furthermore, an extensive effort is required to tackle the newly evolving attacks and a deep study is necessary to categorize it into the respective classes. To reduce this dependence, an automatically evolving anomaly IDS using neuro-genetic algorithm is presented. The proposed system automatically tunes the detection model on the fly according to the feedback provided by the system operator when false predictions are encountered. The system has been evaluated using the Knowledge Discovery in Databases Conference （KDD 2009） intrusion detection dataset. Genetic paradigm is employed to choose the predominant features, which reveal the occurrence of intrusions. The neuro-genetic IDS （NGIDS） involves calculation of weightage value for each of the categorical attributes so that data of uniform representation can be processed by the neuro-genetic algorithm. In this system unauthorized invasion of a user are identified and newer types of attacks are sensed and classified respectively by the neuro-genetic algorithm. The experimental results obtained in this work show that the system achieves improvement in terms of misclassification cost when compared with conventional IDS. The results of the experiments show that this system can be deployed based on a real network or database environment for effective prediction of both normal attacks and new attacks.

Immune Recognition Method Based on Analogy Reasoning in Intrusion Detection System

In this paper, we propose an analogy based immune recognition method that focuses on the implement of the clone selection process and the negative selection process by means of analogy similarity. This method is applied in an IDS （Intrusion Detection System） following several steps. Firstly, the initial abnormal behaviours sample set is optimized through the combining of the AIS （Artificial Immune System） and the genetic algorithm. Then, the abnormity probability algorithm is raised considering the two sides of abnormality and normality. Finally, an intrusion detection system model is established based on the above algorithms and models.

Novel Model for Intrusion Detection

It's very difficult tha t the traditional intrusion detection methods based on accurate match adapt to the blur and uncertainty of user information and expert knowledge, it results in failing to report the variations of attack signature. In addition security itself includes fuzziness, the judgment standard of confidentiality, integrity and availability of system resource is uncertain. In this paper fuzzy intrusion detection based on partial match is presented to detect some types of attacks availably and alleviate some of the difficulties of above approaches, the architecture of fuzzy intrusion detection system(FIDS) is introduced and its performance is analyzed.

Survey and Proposal of an Adaptive Anomaly Detection Algorithm for Periodic Data Streams

Real-time anomaly detection of massive data streams is an important research topic nowadays due to the fact that a lot of data is generated in continuous temporal processes. There is a broad research area, covering mathematical, statistical, information theory methodologies for anomaly detection. It addresses various problems in a lot of domains such as health, education, finance, government, etc. In this paper, we analyze the state-of-the-art of data streams anomaly detection techniques and algorithms for anomaly detection in data streams (time series data). Critically surveying the techniques’ performances under the challenge of real-time anomaly detection of massive high-velocity streams, we conclude that the modeling of the normal behavior of the stream is a suitable approach. We evaluate Holt-Winters (HW), Taylor’s Double Holt-Winters (TDHW), Hierarchical temporal memory (HTM), Moving Average (MA), Autoregressive integrated moving average (ARIMA) forecasting models, etc. Holt-Winters (HW) and Taylor’s Double Holt-Winters (TDHW) forecasting models are used to predict the normal behavior of the periodic streams, and to detect anomalies when the deviations of observed and predicted values exceeded some predefined measures. In this work, we propose an enhancement of this approach and give a short description about the algorithms and then they are categorized by type of pre-diction as: predictive and non-predictive algorithms. We implement the Genetic Algorithm (GA) to periodically optimize HW and TDHW smoothing parameters in addition to the two sliding windows parameters that improve Hyndman’s MASE measure of deviation, and value of the threshold parameter that defines no anomaly confidence interval [1]. We also propose a new optimization function based on the input training datasets with the annotated anomaly intervals, in order to detect the right anomalies and minimize the number of false ones. The proposed method is evaluated on the known anomaly detection benchmarks NUMENTA and Yahoo datasets with annotated anomalies and real log data generated by the National education information system (NEIS)1 in Macedonia.

Bio-inspired Hybrid Feature Selection Model for Intrusion Detection

Intrusion detection is a serious and complex problem.Undoubtedly due to a large number of attacks around the world,the concept of intrusion detection has become very important.This research proposes a multilayer bioinspired feature selection model for intrusion detection using an optimized genetic algorithm.Furthermore,the proposed multilayer model consists of two layers(layers 1 and 2).At layer 1,three algorithms are used for the feature selection.The algorithms used are Particle Swarm Optimization(PSO),Grey Wolf Optimization(GWO),and Firefly Optimization Algorithm(FFA).At the end of layer 1,a priority value will be assigned for each feature set.At layer 2 of the proposed model,the Optimized Genetic Algorithm(GA)is used to select one feature set based on the priority value.Modifications are done on standard GA to perform optimization and to fit the proposed model.The Optimized GA is used in the training phase to assign a priority value for each feature set.Also,the priority values are categorized into three categories:high,medium,and low.Besides,the Optimized GA is used in the testing phase to select a feature set based on its priority.The feature set with a high priority will be given a high priority to be selected.At the end of phase 2,an update for feature set priority may occur based on the selected features priority and the calculated F-Measures.The proposed model can learn and modify feature sets priority,which will be reflected in selecting features.For evaluation purposes,two well-known datasets are used in these experiments.The first dataset is UNSW-NB15,the other dataset is the NSL-KDD.Several evaluation criteria are used,such as precision,recall,and F-Measure.The experiments in this research suggest that the proposed model has a powerful and promising mechanism for the intrusion detection system.

Hybrid Optimization of Support Vector Machine for Intrusion Detection

Support vector machine (SVM) technique has recently become a research focus in intrusion detection field for its better generalization performance when given less priori knowledge than other soft-computing techniques. But the randomicity of parameter selection in its implement often prevents it achieving expected performance. By utilizing genetic algorithm (GA) to optimize the parameters in data preprocessing and the training model of SVM simultaneously, a hybrid optimization algorithm is proposed in the paper to address this problem. The experimental results demonstrate that it’s an effective method and can improve the performance of SVM-based intrusion detection system further.

A New FLAME Selection Method for Intrusion Detection (FLAME-ID)

Due to the ever growing number of cyber attacks, especially of the online systems, development and operation of adaptive Intrusion Detection Systems (IDSs) is badly needed so as to protect these systems. It remains as a goal of paramount importance to achieve and a serious challenge to address. Different selection methods have been developed and implemented in Genetic Algorithms (GAs) to enhance the rate of detection of the IDSs. In this respect, the present study employed the eXtended Classifier System (XCS) for detection of intrusions by matching the incoming environmental message (packet) with a classifiers pool to determine whether the incoming message is a normal request or an intrusion. Fuzzy Clustering by Local Approximation Membership (FLAME) represents the new selection method used in GAs. In this study, Genetic Algorithm with FLAME selection (FGA) was used as a production engine for the XCS. For comparison purposes, different selection methods were compared with FLAME selection and all experiments and evaluations were performed by using the KDD’99 dataset.

Device Anomaly Detection Algorithm Based on Enhanced Long Short-Term Memory Network

The problems in equipment fault detection include data dimension explosion,computational complexity,low detection accuracy,etc.To solve these problems,a device anomaly detection algorithm based on enhanced long short-term memory(LSTM)is proposed.The algorithm first reduces the dimensionality of the device sensor data by principal component analysis(PCA),extracts the strongly correlated variable data among the multidimensional sensor data with the lowest possible information loss,and then uses the enhanced stacked LSTM to predict the extracted temporal data,thus improving the accuracy of anomaly detection.To improve the efficiency of the anomaly detection,a genetic algorithm(GA)is used to adjust the magnitude of the enhancements made by the LSTM model.The validation of the actual data from the pumps shows that the algorithm has significantly improved the recall rate and the detection speed of device anomaly detection,with the recall rate of 97.07%,which indicates that the algorithm is effective and efficient for device anomaly detection in the actual production environment.

Genetic Algorithm with Variable Length Chromosomes for Network Intrusion Detection

Genetic algorithm(GA) has received significant attention for the design and implementation of intrusion detection systems. In this paper, it is proposed to use variable length chromosomes(VLCs) in a GA-based network intrusion detection system.Fewer chromosomes with relevant features are used for rule generation. An effective fitness function is used to define the fitness of each rule. Each chromosome will have one or more rules in it. As each chromosome is a complete solution to the problem, fewer chromosomes are sufficient for effective intrusion detection. This reduces the computational time. The proposed approach is tested using Defense Advanced Research Project Agency(DARPA) 1998 data. The experimental results show that the proposed approach is efficient in network intrusion detection.

DC-FIPD: Fraudulent IP Identification Method Based on Homology Detection

Currently,telecom fraud is expanding from the traditional telephone network to the Internet,and identifying fraudulent IPs is of great significance for reducing Internet telecom fraud and protecting consumer rights.However,existing telecom fraud identification methods based on blacklists,reputation,content and behavioral characteristics have good identification performance in the telephone network,but it is difficult to apply to the Internet where IP(Internet Protocol)addresses change dynamically.To address this issue,we propose a fraudulent IP identification method based on homology detection and DBSCAN(Density-Based Spatial Clustering of Applications with Noise)clustering(DC-FIPD).First,we analyze the aggregation of fraudulent IP geographies and the homology of IP addresses.Next,the collected fraudulent IPs are clustered geographically to obtain the regional distribution of fraudulent IPs.Then,we constructed the fraudulent IP feature set,used the genetic optimization algorithm to determine the weights of the fraudulent IP features,and designed the calculation method of the IP risk value to give the risk value threshold of the fraudulent IP.Finally,the risk value of the target IP is calculated and the IP is identified based on the risk value threshold.Experimental results on a real-world telecom fraud detection dataset show that the DC-FIPD method achieves an average identification accuracy of 86.64%for fraudulent IPs.Additionally,the method records a precision of 86.08%,a recall of 45.24%,and an F1-score of 59.31%,offering a comprehensive evaluation of its performance in fraud detection.These results highlight the DC-FIPD method’s effectiveness in addressing the challenges of fraudulent IP identification.

结合遗传算法的RF-DBN入侵检测方法

针对目前不平衡数据集少数类攻击样本识别率较低的问题,提出一种BorderlineSMOTE、随机森林和遗传算法(genetic algorithm,GA)-深度信念网络(deep belief network,DBN)相结合的入侵检测方法。首先采用BorderlineSMOTE对少数类样本进行过采样,减少数据集的不平衡度;然后使用随机森林算法实现正异常数据分类,筛选出异常数据;最后采用经GA优化的DBN网络对异常数据进行进一步分类。使用网络安全数据集CICIDS2017进行验证,该方法的准确率达到了99.85%,而且少数类样本的识别精度也有明显提高。

基于遗传算法和随机森林的入侵检测方法研究

入侵检测系统中,待测数据通常存在特征数量多、具有冗余性和相关性的特点,导致检测准确率降低、检测时间增加。提出一种基于多层感知机的遗传算法,建立4层感知机神经网络,将网络的分类能力作为遗传算法适应度评价方法,筛选出最优特征子集,建立随机森林分类器,使用网格验证方法确定随机森林超参数值,利用选取出的特征子集进行入侵类型识别。实验结果表明,该方法在KDD99数据集上对正常和22种类别的入侵数据平均检测准确率达到92%以上,并且具有较好的实时性。

增强支持向量机和遗传算法的WSN安全研究

针对开放式WSN连接到互联网上的智能设备数量和多样性迅速增加而导致的入侵检测误报和入侵检测准确性等问题,提出一种基于增强型支持向量机(Enhanced Support Vector Machine,ESVM)分类和遗传算法(Genetic Algorithm,GA)特征选择的智能轻量级物联网入侵检测算法。该算法进行预处理以将入侵数据集的复杂流量转换为SVM的可读格式,采用交叉和变异算子智能选择信息量最大的流量特征以降低无线网络流量的维数,使用ESVM算法执行分类以更有效地识别入侵攻击检测。实现结果表明,该算法在选择最优流量和提高检测精度方面均有明显改善。

考虑因果约束的异常对象反事实解释

现有的异常检测方法大多关注算法的效率和精确度等,而忽视了异常对象的可解释性.反事实解释方法是当前可解释机器学习的研究热点之一,旨在通过对研究对象的特征进行扰动,进而生成反事实示例以解释模型的决策结果.在实际应用中,特征之间可能存在某种因果关系.然而,现有基于反事实的可解释方法大多关注如何生成更多样的反事实示例,却忽视了特征之间的因果关系,导致可能产生不合理的反事实解释.为此,提出了一种考虑因果约束的异常对象反事实解释算法IARC.该方法在生成反事实解释时,通过将特征间的因果性纳入目标函数来衡量该次扰动是否可行,并通过改进后的遗传算法进行求解,从而生成合理的反事实解释.此外,提出了一种新的度量指标,用于衡量所生成反事实解释的矛盾程度.同多个先进反事实解释方法在多个真实数据集上进行了对比实验和详细的案例可解释分析.实验结果表明,所提出的方法能够为异常对象生成具有强合理性的反事实解释.