Anomaly Intrusion Detection Research Articles

Machine Learning for Cloud Data Classification and Anomaly Intrusion Detection

Machine Learning for Cloud Data Classification and Anomaly Intrusion Detection

A hybrid approach for efficient feature selection in anomaly intrusion detection for IoT networks

The exponential growth of Internet of Things (IoT) devices underscores the need for robust security measures against cyber-attacks. Extensive research in the IoT security community has centered on effective traffic detection models, with a particular focus on anomaly intrusion detection systems (AIDS). This paper specifically addresses the preprocessing stage for IoT datasets and feature selection approaches to reduce the complexity of the data. The goal is to develop an efficient AIDS that strikes a balance between high accuracy and low detection time. To achieve this goal, we propose a hybrid feature selection approach that combines filter and wrapper methods. This approach is integrated into a two-level anomaly intrusion detection system. At level 1, our approach classifies network packets into normal or attack, with level 2 further classifying the attack to determine its specific category. One critical aspect we consider is the imbalance in these datasets, which is addressed using the Synthetic Minority Over-sampling Technique (SMOTE). To evaluate how the selected features affect the performance of the machine learning model across different algorithms, namely Decision Tree, Random Forest, Gaussian Naive Bayes, and k-Nearest Neighbor, we employ benchmark datasets: BoT-IoT, TON-IoT, and CIC-DDoS2019. Evaluation metrics encompass detection accuracy, precision, recall, and F1-score. Results indicate that the decision tree achieves high detection accuracy, ranging between 99.82 and 100%, with short detection times ranging between 0.02 and 0.15 s, outperforming existing AIDS architectures for IoT networks and establishing its superiority in achieving both accuracy and efficient detection times.

A Novel Anomaly Intrusion Detection Method based on RNA Encoding and ResNet50 Model

Cybersecurity refers to the actions that are used by people and companies to protect themselves and their information from cyber threats. Different security methods have been proposed for detecting network abnormal behavior, but some effective attacks are still a major concern in the computer community. Many security gaps, like Denial of Service, spam, phishing, and other types of attacks, are reported daily, and the attack numbers are growing. Intrusion detection is a security protection method that is used to detect and report any abnormal traffic automatically that may affect network security, such as internal attacks, external attacks, and maloperations. This paper proposed an anomaly intrusion detection system method based on a new RNA encoding method and ResNet50 Model, where the encoding is done by splitting the training records into different groups. These groups are protocol, service, flag, and digit, and each group is represented by the number of RNA characters that can represent the group's values. The RNA encoding phase converts network traffic records into RNA sequences, allowing for a comprehensive representation of the dataset. The detection model, utilizing the ResNet architecture, effectively tackles training challenges and achieves high detection rates for different attack types. The KDD-Cup99 Dataset is used for both training and testing. The testing dataset includes new attacks that do not appear in the training dataset, which means the system can detect new attacks in the future. The efficiency of the suggested anomaly intrusion detection system is done by calculating the detection rate (DR), false alarm rate (FAR), and accuracy. The achieved DR, FAR, and accuracy are equal to 96.24%, 6.133%, and 95.99%. The experimental results exhibit that the RNA encoding method can improve intrusion detection.

An RFE/Ridge-ML/DL based anomaly intrusion detection approach for securing IoMT system

Smart healthcare is one of the promising areas of the Internet of Things (IoT), particularly in the case of the Covid-19 pandemic. Real-time patient monitoring and remote diagnostics facilitate better medical services to preserve human lives using Internet of Medical Things (IoMT) technology. Regardless of the numerous benefits, IoMT devices are susceptible to sophisticated cyber-attacks at a breakneck pace, which lead to tampering with healthcare data and threaten patients' lives. In a similar context, the 2022 ransomware cyber-attack on Versailles André-Mignot Hospital compromised the healthcare system and disclosed tremendous amounts of patient information. Towards this direction, most researchers have solely developed either machine learning or Deep learning algorithms to identify network traffic anomalies. Motivated by the above challenges, an effort has been made in this paper to design a Recursive Feature Elimination (RFE) integrated with machine learning paradigms and a Ridge regression merged into deep learning models for implementing accurate anomaly intrusion detection based on the real-time dataset WUSTL-EHMS. Among the paradigms used, the proposed approach confirms that the RFE-based Decision Tree (DT) outperforms state-of-the-art techniques with a training accuracy of 99 % and a testing accuracy of 97.85 % while maintaining a reduction of FAR to 0.03. In a nutshell, it has been proven that the suggested framework can be deployed to build anomaly intrusion detection, reinforcing IoMT against widespread cyber-attacks and safeguarding the integrity of advanced healthcare systems.

A Deep Reinforcement-Based Anomaly Intrusion Detection for Enhancing Network Cybersecurity

Conventional protection methods, such as rules-based firewalls and signature-based detection, are not cutting it in today's environment of increasingly sophisticated and frequent cyberattacks. Cyberattacks nowadays are extremely dynamic and complex, calling for cutting-edge solutions that can change and adapt as the threat does. DRL is an AI subfield that has been successfully addressing difficult decision-making challenges in several fields, including cybersecurity. Here, we make a step forward by using a DRL framework to model cyberattacks; by incorporating real-world events, we make the models more realistic and applicable. We provide a customized approach that greatly improves existing approaches by carefully tailoring DRL (deep reinforcement algorithms to the complex needs of cybersecurity situations, including adversarial training, dynamic environments, bespoke structure of reward and actions, and more. In this study, we provide an anomaly detection method to detect attacks on network CPS using Deep Reinforcement Learning. Our proposed methodology was tested using several publicly available research datasets to ensure its efficacy.

Analysis of a Fuzzy Based Intrusion Detection System in Wireless Ad Hoc Networks

Technology and its growth is considerably enormous. This massive growth allows the opening of new fields of application in the domain of wireless networking and mobile ad-hoc networks (MANET) is one of its kinds. Mobile ad hoc network is widely used from collaborative computing to time critical applications in indoor and outdoor environment. Mobility of ad hoc network makes very attractive in all areas of mobile applications. Nodes participating in mobile ad hoc networks are autonomous, self-configurable and act as a router as well. These types of networks are dynamic in nature and have sort life time. Dynamic nature and limitations of the wireless transmission medium make MANET unsecured and vulnerable to various attacks. It is very tough to implement security for this networks and it opens up doors for further research work on this area. There is a great scope for designing a system to identify attacks and take countermeasures to minimize it and keep the performance of the network within acceptable limits. Intrusion detection system is one of its kinds and considered as security mechanism for MANET. This thesis explores different types of intrusion detection system like misuse detection and anomaly detection for mobile ad hoc networks. Anomaly detection techniques for ad hoc networks depend on the characterization of normal behavior pattern of wireless nodes. This research work focuses on wireless node behavior based detection technique. Most of anomaly intrusion detection systems are focusing on upper layer traffic to a profile normal behavior of wireless node. This research work focus on media access control (MAC) layer and network layer of wireless node. It is inefficient to use a large feature set of MAC layer and network layer due to energy limitation in ad-hoc network. A minimal feature set from MAC layer and network layer were proposed. This research work proposed an anomaly intrusion detection system for mobile ad hoc network using fuzzy logic and weighted average method. The network performance of mobile ad hoc network with intrusion detection system was analyzed using various network parameters. Further the performance of the performance of the intrusion detection system was analyzed using detection rate and false alarms. Results show good improvement in detection rate and other performance metrics

Retracted: Anomaly Intrusion Detection of Wireless Communication Network-Based on Markov Chain Model

Retracted: Anomaly Intrusion Detection of Wireless Communication Network-Based on Markov Chain Model

A novel botnet attack detection for IoT networks based on communication graphs

Intrusion detection systems have been proposed for the detection of botnet attacks. Various types of centralized or distributed cloud-based machine learning and deep learning models have been suggested. However, the emergence of the Internet of Things (IoT) has brought about a huge increase in connected devices, necessitating a different approach. In this paper, we propose to perform detection on IoT-edge devices. The suggested architecture includes an anomaly intrusion detection system in the application layer of IoT-edge devices, arranged in software-defined networks. IoT-edge devices request information from the software-defined networks controller about their own behaviour in the network. This behaviour is represented by communication graphs and is novel for IoT networks. This representation better characterizes the behaviour of the device than the traditional analysis of network traffic, with a lower volume of information. Botnet attack scenarios are simulated with the IoT-23 dataset. Experimental results show that attacks are detected with high accuracy using a deep learning model with low device memory requirements and significant storage reduction for training.Graphical abstract

The robust scheme for intrusion detection system in Internet of Things

Machine learning and deep learning-based anomaly intrusion detection systems (IDSs) have become prevalent in securing IoT networks due to their ability to monitor traffic and detect zero-day attacks. However, recent studies highlight the high vulnerability of these models to adversarial attacks, in which minor input perturbations can significantly decrease the detection accuracy. Although many studies have focused on adversarial attack and defense techniques for deep learning, machine learning, particularly decision trees, has received limited attention. In this study, we aim to assess the efficacy of the robust decision tree in adversarial IoT environments. Our first experiments reveal the robust decision tree’s sensitivity to the offset parameter. We thus propose a statistical approach to auto-select the offset value, enhancing model stability across varying attack offsets. Then, we present a robust scheme for IDSs in IoT environments. This approach employs the enhanced robust decision tree and a tabular deep learning model to detect and classify a range of cyber attacks. Our evaluation results on three popular IDS datasets—IoTID20, CIC-IDS-2017, and BOT-IoT—demonstrate that our proposed approach is robust under various adversarial attack conditions and achieves a consistent accuracy of over 95% in classifying different attack types.

Optimization of Network Security in University Laboratories Based on Anomaly Intrusion Detection in Public Cloud Networks

The network security issue of university laboratories needs to be taken seriously, as there is a large amount of academic data stored in the laboratory. In order to ensure the network security of university laboratories, a series of measures need to be taken. This article uses anomaly intrusion detection technology to optimize the network of university laboratories and designs a network management system for university laboratories. The system adopts cloud computing technology and data center technology, supports software clusters and hardware clusters, and adopts an advanced SOA system framework. The design and implementation of this system effectively improves the security and stability of the university laboratory network. Using anomaly intrusion detection technology, we can effectively identify and prevent abnormal network intrusion, and protect the security of Laboratory equipment and data.

An Advanced Fitness Function Optimization Algorithm for Anomaly Intrusion Detection Using Feature Selection

Cyber-security systems collect information from multiple security sensors to detect network intrusions and their models. As attacks become more complex and security systems diversify, the data used by intrusion-detection systems becomes more dimensional and large-scale. Intrusion detection based on intelligent anomaly detection detects attacks based on machine-learning classification models, soft computing, and rule sets. Feature-selection methods are used for efficient intrusion detection and solving high-dimensional problems. Optimized feature selection can maximize the detection model performance; thus, a fitness function design is required. We proposed an optimization algorithm-based feature-selection algorithm to improve anomaly-detection performance. We used a genetic algorithm and proposed an advanced fitness function that finds the most relevant feature set, increasing the detection rate, reducing the error rate, and enhancing analysis speed. An improved fitness function for the selection of optimized features is proposed; this function can address overfitting by solving the problem of anomaly-detection performance from imbalanced security datasets. The proposed algorithm outperformed other feature-selection algorithms. It outperformed the PCA and wrapper-DR methods, with 0.99564 at 10%, 0.996455 at 15%, and 0.996679 at 20%. It performed higher than wrapper-DR by 0.95% and PCA by 3.76%, showing higher differences in performance than in detection rates.

An abnormal intrusion detection method based on self-organising model

Intelligent video analysis is a new application direction in computer vision. Aiming at the decline of abnormal intrusion detection accuracy caused by background change in the intelligent video analysis field, an anomaly detection method for monitoring video based on a self-organising model is proposed. In this method, the idea of a self-organising mapping neural network in machine learning is applied to anomaly intrusion detection, and the gridded video image is regarded as input excitation. Then, the method constructs the expression model of a normal image by generating, updating, and deleting nodes and uses the node state in this model to calculate the anomaly degree, to judge whether there is an abnormal intrusion. Experiments show that the anomaly detection method based on a self-organising model can effectively detect the abnormal intrusion of pedestrians and vehicles in the scenes taken by a fixed lens camera and rotating ball camera. Its performance is significantly better than common detection methods. Compared with the Gaussian mixture model and grow when required network methods, the accuracy is improved by 5.8% and 2.7%, respectively.

An Anomaly Intrusion Detection for High-Density Internet of Things Wireless Communication Network Based Deep Learning Algorithms.

Telecommunication networks are growing exponentially due to their significant role in civilization and industry. As a result of this very significant role, diverse applications have been appeared, which require secured links for data transmission. However, Internet-of-Things (IoT) devices are a substantial field that utilizes the wireless communication infrastructure. However, the IoT, besides the diversity of communications, are more vulnerable to attacks due to the physical distribution in real world. Attackers may prevent the services from running or even forward all of the critical data across the network. That is, an Intrusion Detection System (IDS) has to be integrated into the communication networks. In the literature, there are numerous methodologies to implement the IDSs. In this paper, two distinct models are proposed. In the first model, a custom Convolutional Neural Network (CNN) was constructed and combined with Long Short Term Memory (LSTM) deep network layers. The second model was built about the all fully connected layers (dense layers) to construct an Artificial Neural Network (ANN). Thus, the second model, which is a custom of an ANN layers with various dimensions, is proposed. Results were outstanding a compared to the Logistic Regression algorithm (LR), where an accuracy of 97.01% was obtained in the second model and 96.08% in the first model, compared to the LR algorithm, which showed an accuracy of 92.8%.

A comprehensive survey of network traffic anomalies and DDoS attacks detection schemes using fuzzy techniques

Anomaly intrusion detection systems are a class of intrusion detection systems that do not rely on the security attacks' signatures and focus on finding unknown malicious behaviors and attacks. In this context, some of the anomaly detection schemes benefit from various fuzzy data mining and statistical methods to deal with ambiguity in the intrusion detection process. The main objective of this article is to put forward an extensive and structured survey of the fuzzy logic-based network traffic anomaly and Distributed Denial of Service (DDoS) attack detection approaches. It groups the investigated scheme concerning the fuzzy techniques applied to deal with network anomalies and DDoS attacks. It illuminates how the fuzzy network anomaly detection approaches have integrated various techniques such as classifiers, feature selection/extraction methods, and statistical and clustering algorithms to find anomalous traffic. Besides, the significant challenges, issues, and ideas in network anomaly detection are discussed. Lastly, several future research topics are provided to better lead the subsequent studies in this context.

CBA-CLSVE: A Class-Level Soft-Voting Ensemble Based on the Chaos Bat Algorithm for Intrusion Detection

Various machine-learning methods have been applied to anomaly intrusion detection. However, the Intrusion Detection System still faces challenges in improving Detection Rate and reducing False Positive Rate. In this paper, a Class-Level Soft-Voting Ensemble (CLSVE) scheme based on the Chaos Bat Algorithm (CBA), called CBA-CLSVE, is proposed for intrusion detection. The Support Vector Machine (SVM), K-Nearest Neighbor (KNN) and Decision Tree (DT) are selected as the base learners of the ensemble. The Chaos Bat Algorithm is used to generate class-level weights to create the weighted voting ensemble. A weighted fitness function considering the tradeoff between maximizing Detection Rate and minimizing False Positive Rate is proposed. In the experiments, the NSL-KDD, UNSW-NB15 and CICIDS2017 datasets are used to verify the scheme. The experimental results show that the class-level weights generated by CBA can be used to improve the combinative performance. They also show that the same ensemble performance can be achieved using about half the total number of features or fewer.

Enhance density peak clustering algorithm for anomaly intrusion detection system

In this paper proposed new model of Density Peak Clustering algorithm to enhance clustering of intrusion attacks. The Anomaly Intrusion Detection System (AIDS) by using original density peak clustering algorithm shows the stable in result to be applied to data-mining module of the intrusion detection system. The proposed system depends on two objectives; the first objective is to analyzing the disadvantage of DPC; however, we propose a novel improvement of DPC algorithm by modifying the calculation of local density method based on cosine similarity instead of the cat off distance parameter to improve the operation of selecting the peak points. The second objective is using the Gaussian kernel measure as a distance metric instead of Euclidean distance to improve clustering of high-dimensional complex nonlinear inseparable network traffic data and reduce the noise. The experimentations evaluated with NSL-KDD dataset.

Enhance density peak clustering algorithm for anomaly intrusion detection system

In this paper proposed new model of Density Peak Clustering algorithm to enhance clustering of intrusion attacks. The Anomaly Intrusion Detection System (AIDS) by using original density peak clustering algorithm shows the stable in result to be applied to data-mining module of the intrusion detection system. The proposed system depends on two objectives; the first objective is to analyzing the disadvantage of DPC; however, we propose a novel improvement of DPC algorithm by modifying the calculation of local density method based on cosine similarity instead of the cat off distance parameter to improve the operation of selecting the peak points. The second objective is using the Gaussian kernel measure as a distance metric instead of Euclidean distance to improve clustering of high-dimensional complex nonlinear inseparable network traffic data and reduce the noise. The experimentations evaluated with NSL-KDD dataset.

Data Fusion Approach for Collaborative Anomaly Intrusion Detection in Blockchain-Based Systems

Blockchain technology is rapidly changing the transaction behavior and efficiency of businesses in recent years. Data privacy and system reliability are critical issues that is highly required to be addressed in Blockchain environments. However, anomaly intrusion poses a significant threat to a Blockchain, and therefore, it is proposed in this article a collaborative clustering-characteristic-based data fusion approach for intrusion detection in a Blockchain-based system, where a mathematical model of data fusion is designed and an AI model is used to train and analyze data clusters in Blockchain networks. The abnormal characteristics in a Blockchain data set are identified, a weighted combination is carried out, and the weighted coefficients among several nodes are obtained after multiple rounds of mutual competition among clustering nodes. When the weighted coefficient and a similarity matching relationship follow a standard pattern, an abnormal intrusion behavior is accurately and collaboratively detected. Experimental results show that the proposed algorithm has high recognition accuracy and promising performance in the real-time detection of attacks in a Blockchain.

The Influence of Salp Swarm Algorithm-Based Feature Selection on Network Anomaly Intrusion Detection

Network security plays a critical role in our lives because of the threats and attacks to which we are exposed, which are increasing daily; these attacks result in a need to develop various protection methods and techniques. Network intrusion detection systems (NIDSs) are a way to detect malicious network attacks. Many researchers have focused on developing NIDSs based on machine learning (ML) approaches to detect diverse attack variants. ML approaches can automatically discover the essential differences between normal and abnormal data by analysing the features of a large dataset. For this purpose, many features are typically extracted without discrimination, increasing the computational complexity. Then, by applying a feature selection method, a subset of features is selected from the whole feature set with the aim of improving the performance of ML-based detection methods. The salp swarm algorithm (SSA) is a nature-inspired optimization algorithm that has demonstrated efficiency in minimizing the processing challenges faced in performing optimization for feature selection problems. This research investigates the impact of the SSA on improving ML-based network anomaly detection using various ML classifiers, including the extreme gradient boosting (XGBoost) and Naive Bayes (NB) algorithms. Experiments were conducted on standard datasets for comparison. Specifically, two datasets explicitly focused on network intrusion attacks were used: UNSW-NB15 and NSL-KDD. The experimental results show that the proposed method is more effective in improving the performance of anomaly NIDSs in terms of the F-measure, recall, detection rate, and false alarm rate on both datasets, outperforming state-of-the-art techniques recently proposed in the literature.

DNA Encoding and STR Extraction for Anomaly Intrusion Detection Systems

Deoxyribonucleic acid (DNA) can be used to discover the presence of diseases in the human body. Similarly, its functionality can be leveraged in an intrusion detection system (IDS) to detect attacks against computer systems and network traffic. Various approaches have been proposed for using DNA sequences in IDSs. The most popular is the DNA sequence matching method, which is also used in biology. A technique that uses the DNA sequence in an IDS has previously been proposed to generate a normal signature sequence with an alignment threshold value. However, its detection rate is very low. Therefore, this paper considers the two main factors that affect the detection accuracy via the DNA sequence, DNA encoding and the short tandem repeat (STR) (i.e., the DNA keys and their positions). It then proposes two DNA encoding methods, named DEM3sel, and DEMdif, which differ in terms of the length of the DNA sequence and the network traffic representation. DEM3sel uses three characters to represent all 41 network attributes but uses a single fixed character to distinguish between nominal and numerical attributes. DEMdif uses different characters to represent all the network attributes based on the attribute values and uses a single fixed character to distinguish between nominal and numerical attributes. In all these methods, the Teiresias algorithm is used to extract the short tandem repeat (STR), which includes both the keys and their positions in the network traffic, while the Knuth-Morris-Pratt algorithm is used as a matching process to determine whether the network traffic is normal or an attack. An experiment is conducted to assess the proposed methods’ performance on two standard datasets: KDDCup 99 and NSL-KDD. The experiment is run 30 times for each DNA encoding method. The results show that DEM3sel obtains the best result compared with DEMdif, where the detection rate, false alarm rate, and accuracy of detection are 99.58%, 35.53%, and 92.74% respectively. The results also show that using more keys and their positions improves the false alarm rate and the accuracy of DEM3sel by up to 26.48% and 1.75%, respectively. Moreover, the performance of the proposed method DEM3sel is comparable to or better than state-of-the-art algorithms. Thus, it can be concluded that the proposed DNA sequence method is suitable for use in an IDS.