Research Of Intrusion Detection System Research Articles

SKT-IDS: Unknown attack detection method based on Sigmoid Kernel Transformation and encoder–decoder architecture

Intrusion Detection Systems (IDS) are crucial in cybersecurity for monitoring network traffic and identifying potential attacks. Existing IDS research largely focuses on known attack detection, leaving a significant gap in research regarding unknown attack detection, where achieving a balance between false alarm rate (identifying normal traffic as attack traffic) and recall rate of unknown attack detection remains challenging. To address these gaps, we propose a novel IDS based on Sigmoid Kernel Transformation and Encoder-Decoder architecture, namely SKT-IDS, where SKT stands for Sigmoid Kernel Transformation. We start with pre-training an attention-based encoder for coarse-grained intrusion detection. Then, we use this encoder to build an encoder–decoder model specifically for 0-day attack detection, training it solely on known traffic using the cosine similarity loss function. To enhance detection, we introduce a Sigmoid Kernel Transformation for feature engineering, improving the discriminative ability between normal traffic and 0-day attacks. Finally, we conducted a series of ablation and comparative experiments on the NSL-KDD and CSE-CIC-IDS2018 datasets, confirming the effectiveness of our proposed method. With a false alarm rate of 1%, we achieved recall rates for unknown attack detection of 65% and 69% on the two datasets, respectively, demonstrating significant performance improvements compared to existing state-of-the-art models.

Blockchain-based IoT security solutions for IDS research centers

The rapid evolution of the Internet of Things (IoT) has connected real-world objects to the Internet, enhancing digital interaction and introducing critical security vulnerabilities. Intrusion Detection Systems (IDS) are essential in identifying threats and protecting Internet of Things devices from cyberattacks. A secure, decentralized platform enabled by blockchain technology offers the optimal solution for researchers worldwide to collaboratively address the challenges of IoT security effectively. This study introduces a blockchain-based IDS research center to strengthen IoT network security via global collaboration. It demonstrates the benefits of combining IDS with blockchain to improve cybersecurity in research centers, facilitating the efficient sharing of security solutions. By defining various node types on the blockchain, the platform ensures controlled access to services and streamlined network management through specific authorizations. Research centers can contribute to the blockchain with their findings, whereas others utilize the platform to access IDS services. Our work uses machine learning algorithms to achieve promising performance in detecting DDoS attacks, with the XGBoost algorithm demonstrating good results compared to the literature. The findings illustrate how effectively the presented approach works with blockchain technology and the CiCIoT2023 dataset to provide safe and decentralized information sharing.

Application of BukaGini algorithm for enhanced feature interaction analysis in intrusion detection systems

This article presents an evaluation of BukaGini, a stability-aware Gini index feature selection algorithm designed to enhance model performance in machine learning applications. Specifically, the study focuses on assessing BukaGini’s effectiveness within the domain of intrusion detection systems (IDS). Recognizing the need for improved feature interaction analysis methodologies in IDS, this research aims to investigate the performance of BukaGini in this context. BukaGini’s performance is evaluated across four diverse datasets commonly used in IDS research: NSLKDD (22,544 samples), WUSTL EHMS (16,318 samples), WSN-DS (374,661 samples), and UNSWNB15 (175,341 samples), amounting to a total of 588,864 data samples. The evaluation encompasses key metrics such as stability score, accuracy, F1-score, recall, precision, and ROC AUC. Results indicate significant advancements in IDS performance, with BukaGini achieving remarkable accuracy rates of up to 99% and stability scores consistently surpassing 99% across all datasets. Additionally, BukaGini demonstrates an average reduction in dimensionality of 25%, selecting 10 features for each dataset using the Gini index. Through rigorous comparative analysis with existing methodologies, BukaGini emerges as a promising solution for feature interaction analysis within cybersecurity applications, particularly in the context of IDS. These findings highlight the potential of BukaGini to contribute to robust model performance and propel intrusion detection capabilities to new heights in real-world scenarios.

A comprehensive guide to CAN IDS data and introduction of the ROAD dataset.

Although ubiquitous in modern vehicles, Controller Area Networks (CANs) lack basic security properties and are easily exploitable. A rapidly growing field of CAN security research has emerged that seeks to detect intrusions or anomalies on CANs. Producing vehicular CAN data with a variety of intrusions is a difficult task for most researchers as it requires expensive assets and deep expertise. To illuminate this task, we introduce the first comprehensive guide to the existing open CAN intrusion detection system (IDS) datasets. We categorize attacks on CANs including fabrication (adding frames, e.g., flooding or targeting and ID), suspension (removing an ID's frames), and masquerade attacks (spoofed frames sent in lieu of suspended ones). We provide a quality analysis of each dataset; an enumeration of each datasets' attacks, benefits, and drawbacks; categorization as real vs. simulated CAN data and real vs. simulated attacks; whether the data is raw CAN data or signal-translated; number of vehicles/CANs; quantity in terms of time; and finally a suggested use case of each dataset. State-of-the-art public CAN IDS datasets are limited to real fabrication (simple message injection) attacks and simulated attacks often in synthetic data, lacking fidelity. In general, the physical effects of attacks on the vehicle are not verified in the available datasets. Only one dataset provides signal-translated data but is missing a corresponding "raw" binary version. This issue pigeon-holes CAN IDS research into testing on limited and often inappropriate data (usually with attacks that are too easily detectable to truly test the method). The scarcity of appropriate data has stymied comparability and reproducibility of results for researchers. As our primary contribution, we present the Real ORNL Automotive Dynamometer (ROAD) CAN IDS dataset, consisting of over 3.5 hours of one vehicle's CAN data. ROAD contains ambient data recorded during a diverse set of activities, and attacks of increasing stealth with multiple variants and instances of real (i.e. non-simulated) fuzzing, fabrication, unique advanced attacks, and simulated masquerade attacks. To facilitate a benchmark for CAN IDS methods that require signal-translated inputs, we also provide the signal time series format for many of the CAN captures. Our contributions aim to facilitate appropriate benchmarking and needed comparability in the CAN IDS research field.

A Reinforcement Learning Framework with Oversampling and Undersampling Algorithms for Intrusion Detection System

Intrusion detection systems (IDSs) play a pivotal role in safeguarding networks and systems against malicious activities. However, the challenge of imbalanced datasets significantly impacts IDS research, skewing learning models towards the majority class and diminishing accuracy for the minority class. This study introduces the Reinforcement Learning (RL) Framework with Oversampling and Undersampling Algorithm (RLFOUA) to address imbalanced datasets. RLFOUA combines RL with diverse resampling algorithms, creating an adaptive learning environment. It integrates the novel True False Rate Synthetic Minority Oversampling Technique (TFRSMOTE) algorithm, emphasizing data-level approaches. Additionally, RLFOUA employs a cost-sensitive approach based on classification metrics. Using the CSE-CIC-IDS2018 and NSL-KDD datasets, RLFOUA demonstrates substantial improvement over existing resampling techniques. Achieving an accuracy of 0.9981 for NSL-KDD and 0.9846 for CSE-CIC-IDS2018, the framework’s performance is evaluated using F1 score, accuracy, precision, recall, and a proposed Index Metric (IM). RLFOUA presents a significant advancement in addressing class imbalance challenges in IDS. It shows an average accuracy improvement of 21.5% compared to the recent resampling technique AESMOTE on the NSL-KDD dataset.

Overview and Exploratory Analyses of CICIDS 2017 Intrusion Detection Dataset

Intrusion detection systems are used to detect attacks on a network. Machine learning (ML) approaches have been widely used to build such intrusion detection systems (IDSs) because they are more accurate when built from a very large and representative dataset. Recently, one of the benchmark datasets that are used to build ML-based intrusion detection models is the CICIDS2017 dataset. The data set is contained in eight groups and was collected from the Data Set & Repository of the Canadian Institute of Cyber Security. The data set is available in both PCAP and net flow formats. This study used the net flow records in the CIDIDS2017 dataset, as they were found to contain newer attacks, very large, and useful for traffic analysis. Exploratory data analysis (EDA) techniques were used to reveal various characteristics of the dataset. The general objective is to provide more insight into the nature, structure, and issues of the data set so as to identify the best ways to use it to achieve improved ML-based IDS models. Furthermore, some of the open problems that can arise from the use of the dataset in any machine learning-based intrusion detection systems are highlighted and possible solutions are briefly discussed. The EDA techniques used revealed important relationships between the input variables and the target class. The study concluded that the EDA can better influence the decision about future IDS research using the dataset.

Machine Learning-based Intrusion Detection for Smart Grid Computing: A Survey

Machine learning (ML)-based intrusion detection system (IDS) approaches have been significantly applied and advanced the state-of-the-art system security and defense mechanisms. In smart grid computing environments, security threats have been significantly increased as shared networks are commonly used, along with the associated vulnerabilities. However, compared to other network environments, ML-based IDS research in a smart grid is relatively unexplored, although the smart grid environment is facing serious security threats due to its unique environmental vulnerabilities. In this article, we conducted an extensive survey on ML-based IDS in smart grids based on the following key aspects: (1) The applications of the ML-based IDS in transmission and distribution side power components of a smart power grid by addressing its security vulnerabilities; (2) dataset generation process and its usage in applying ML-based IDSs in the smart grid; (3) a wide range of ML-based IDSs used by the surveyed papers in the smart grid environment; (4) metrics, complexity analysis, and evaluation testbeds of the IDSs applied in the smart grid; and (5) lessons learned, insights, and future research directions.

Evaluation of Machine Learning based Network Attack Detection

The growth in the internet and communication technologies has driven tremendous developments in various application areas such as smart cities, cloud computing, internet-of-things, e-banking, e-commerce and e-government. However, with the advancements in networking infrastructure, hacking tools and methodologies have been much evolved thereby enabling hackers to attempt newer and more complicated cyber-attacks. Consequently, cyber-security has now emerged as a vital research area to address security concerns. Traditional security mechanisms such as firewalls and anti-viruses are not enough to protect networks and accurately detect intrusions. An Intrusion Detection System (IDS) provides an additional layer of security that prevents networks against possible intrusions through continuous surveillance of the network traffic. Despite the effectiveness of IDS and enormous research being conducted on the very topic, IDS still poses challenges to accurately detect intrusions, novel cyber-attacks and reducing false positive rates. Recently, Machine Learning (ML) and Deep Learning (DL) techniques have been exploited to overcome the inherent deficiencies of IDS. Existing research has demonstrated that ML and DL have great potential to detect intrusions and classify cyber-attacks in an efficient manner. Based on their inherent learning capabilities, ML and DL-based techniques can effectively detect patterns (features) from the network traffic and predict the behavior (normal or abnormal activity) based on these patterns. This research work first presents the concepts of IDS, followed by a comprehensive review of the recent ML and DL-based schemes. Later, a performance analysis of various ML algorithms is presented on a publicly available dataset to weigh their strengths and weaknesses in terms of accuracy and training time among others. We mainly evaluate the most commonly used supervised learning algorithms including Decision Trees (DT), Random Forest (RF), Gradient Booster (GB) and Neural Networks (NNs).

Improved Supervised and Unsupervised Metaheuristic-Based Approaches to Detect Intrusion in Various Datasets

Due to the increasing number of cyber-attacks, the necessity to develop efficient intrusion detection systems (IDS) is more imperative than ever. In IDS research, the most effectively used methodology is based on supervised Neural Networks (NN) and unsupervised clustering, but there are few works dedicated to their hybridization with metaheuristic algorithms. As intrusion detection data usually contains several features, it is essential to select the best ones appropriately. Linear Discriminant Analysis (LDA) and t-statistic are considered as efficient conventional techniques to select the best features, but they have been little exploited in IDS design. Thus, the research proposed in this paper can be summarized as follows. a) The proposed approach aims to use hybridized unsupervised and hybridized supervised detection processes of all the attack categories in the CICIDS2017 Dataset. Nevertheless, owing to the large size of the CICIDS2017 Dataset, only 25% of the data was used. b) As a feature selection method, the LDA performance measure is chosen and combined with the t-statistic. c) For intrusion detection, unsupervised Fuzzy C-means (FCM) clustering and supervised Back-propagation NN are adopted. d) In addition and in order to enhance the suggested classifiers, FCM and NN are hybridized with the seven most known metaheuristic algorithms, including Genetic Algorithm (GA), Particle Swarm Optimization (PSO), Differential Evolution (DE), Cultural Algorithm (CA), Harmony Search (HS), Ant-Lion Optimizer (ALO) and Black Hole (BH) Algorithm. Performance metrics extracted from confusion matrices, such as accuracy, precision, sensitivity and F₁-score are exploited. The experimental result for the proposed intrusion detection, based on training and test CICIDS2017 datasets, indicated that PSO, GA and ALO-based NNs can achieve promising results. PSO-NN produces a tested accuracy, global sensitivity and F₁-score of 99.97%, 99.95% and 99.96%, respectively, outperforming performance concluded in several related works. Furthermore, the best-proposed approaches are valued in the most recent intrusion detection datasets: CSE-CICIDS2018 and LUFlow2020. The evaluation fallouts consolidate the previous results and confirm their correctness.

A Review on Intrusion Detection Using Machine Learning Techniques

An essential tool for monitoring and identifying intrusion threats is the intrusion detection system (IDS). As a result, intrusion detection systems monitor network traffic heading through computer systems to detect for malicious activity and recognized dangers, and send alerts. With a focus on datasets, ML methods, and metrics, this study tries to analyse recent IDS research using a Machine Learning (ML) approach. To make sure the model is suitable for IDS application, dataset selection is crucial. The efficiency of the ML method can also be impacted by the dataset structure. As a result, the choice of ML algorithm depends on the dataset's structure. Metric will then offer a quantitative assessment of ML algorithms for a given dataset. In addition True Positive Rate (TPR), False Positive Rate (FPR) and accuracy, are the three metrics for IDS performance evaluation that are most frequently utilized. This is understandable given that these metrics offer crucial cues that are crucial to IDS performance. A clear path and direction for future study has been provided by the discussion and comparison of the results from various works.

ANALYSIS AND DETECTION OF INTRUSION DETECTION ON NETWORK SECURITY ENVIRONMENT USING ML

The Intrusion Detection System (IDS) is a critical cyber security instrument that monitors and detects intrusion threats. This research intends to examine contemporary IDS research utilizing a Machine Learning (ML) methodology, with a focus on datasets, ML algorithms, and metrics. The choice of datasets is critical for ensuring that the model is suitable for IDS use. Traditional methods, such as firewalls, which focus on data filtering, may not be adequate for detecting all forms of assaults in a timely manner. Machine learning algorithms-based on intrusion detection systems (IDS) are especially good in efficiently processing vast amounts of data in order to identify any malicious behavior for effective handling and prompt detection of these types of attacks. Machine learning-based intrusion detection systems (IDS) are used to monitor all network traffic for malicious activity. In order to improve the intrusion detection system's detection rate, the system's focus was on false negative and false positive performance measures. The results of this paper showed that the ML model XGBoost classifier had the best accuracy rate, while the Decision tree classifier had the lowest. Key Words: IDS, XGBoost Algorithm, Decision tree

Artificial Neural Network Model for Intrusion Detection System

Artificial Intelligence (AI) breakthroughs in the last few years have accelerated dramatically as a result of the industry's vast technological use. Neural Networks (NN) is one of the most vital areas of AI, as they allow for commercial use of features that were previously not accessible via the use of computers. The Intrusion Detection System (IDS) is one of the areas in which Neural Networks are being extensively investigated to provide comprehensive computer network security and data confidentiality. During the realization of this work Artificial Neural Network (ANN) were used to shape the proposed model using a realistic CICIDS2017 dataset retrieved from the Canadian Institute for Cyber-Security (CIC) website. Following implementation and testing, it was discovered that the new model performs exceptionally well, with an average. In addition, the receiver operator characteristic curve (ROC) has a 9.999 % area under the Receiver Operator Characteristic Curve (AUC). Finally, it was discovered that the new model is exceptional and has a high level of accuracy. The new model will aid in an improved knowledge of various orders in which IDS research has been conducted. It will be useful for those working on AI-based solutions in IDS and similar domains. It is possible to enhance the new model's detection capabilities to incorporate all other lingering forms of incidents in this actual datasets, which contains all real-time and existing incidents.

Intrusion Detection System Techniques : A Review

Nowadays, Internet attacks are increasing rapidly. As a result, information security is a serious global concern among Information Technology users. Intrusion Detection System (IDS) is capable to detect unauthorized intrusions into computer systems and networks by looking for signatures of known attacks or deviations of normal activity. IDS is such as a detective control, the main function is to warn the user of any suspicious activity taking place. Active IDS research are still ongoing with remarkable techniques to detect attacks with significance accurate result. This paper deliver a brief overview on types of IDS and a types of techniques employed to detect intrusion.

A Review on Feature Selection and Ensemble Techniques for Intrusion Detection System

Intrusion detection has drawn considerable interest as researchers endeavor to produce efficient models that offer high detection accuracy. Nevertheless, the challenge remains in developing reliable and efficient Intrusion Detection System (IDS) that is capable of handling large amounts of data, with trends evolving in real-time circumstances. The design of such a system relies on the detection methods used, particularly the feature selection techniques and machine learning algorithms used. Thus motivated, this paper presents a review on feature selection and ensemble techniques used in anomaly-based IDS research. Dimensionality reduction methods are reviewed, followed by the categorization of feature selection techniques to illustrate their effectiveness on training phase and detection. Selection of the most relevant features in data has been proven to increase the efficiency of detection in terms of accuracy and computational efficiency, hence its important role in the design of an anomaly-based IDS. We then analyze and discuss a variety of IDS-based machine learning techniques with various detection models (single classifier-based or ensemble-based), to illustrate their significance and success in the intrusion detection area. Besides supervised and unsupervised learning methods in machine learning, ensemble methods combine several base models to produce one optimal predictive model and improve accuracy performance of IDS. The review consequently focuses on ensemble techniques employed in anomaly-based IDS models and illustrates how their use improves the performance of the anomaly-based IDS models. Finally, the paper laments on open issues in the area and offers research trends to be considered by researchers in designing efficient anomaly-based IDSs.

An Analysis of the KDD99 and UNSW-NB15 Datasets for the Intrusion Detection System

The significant increase in technology development over the internet makes network security a crucial issue. An intrusion detection system (IDS) shall be introduced to protect the networks from various attacks. Even with the increased amount of works in the IDS research, there is a lack of studies that analyze the available IDS datasets. Therefore, this study presents a comprehensive analysis of the relevance of the features in the KDD99 and UNSW-NB15 datasets. Three methods were employed: a rough-set theory (RST), a back-propagation neural network (BPNN), and a discrete variant of the cuttlefish algorithm (D-CFA). First, the dependency ratio between the features and the classes was calculated, using the RST. Second, each feature in the datasets became an input for the BPNN, to measure their ability for a classification task concerning each class. Third, a feature-selection process was carried out over multiple runs, to indicate the frequency of the selection of each feature. From the result, it indicated that some features in the KDD99 dataset could be used to achieve a classification accuracy above 84%. Moreover, a few features in both datasets were found to give a high contribution to increasing the classification’s performance. These features were present in a combination of features that resulted in high accuracy; the features were also frequently selected during the feature selection process. The findings of this study are anticipated to help the cybersecurity academics in creating a lightweight and accurate IDS model with a smaller number of features for the developing technologies.

Research on Application of Data Mining Technology in Network Intrusion Detection

In order to improve the efficiency of intrusion detection systems, data mining technology is applied to network intrusion detection. This article introduces the basic concepts of intrusion detection systems, describes the techniques commonly used in data mining research in intrusion detection systems, proposes an intrusion detection system based on data mining, and an improved k-means algorithm.

A GBDT-Paralleled Quadratic Ensemble Learning for Intrusion Detection System

The development of computer and network technology has provided convenience to our daily life, however, attack and intrusion in network emerge endlessly. Intrusion Detection System (IDS) has been developed to confront network attacks. As a result, the research of IDS is one of the most popular fields in recent years. This paper proposes a Gradient Boosting Decision Tree (GBDT)-paralleled quadratic ensemble learning method for intrusion detection system. We use GBDT to deal with the spatial part of traffic data and use Gated Recurrent Unit (GRU) model with special modification for network traffic to deal with temporal data. Then, in order to combine the spatial feature and temporal feature, we fuse GBDT model and GRU model to make a quadratic ensemble model as our final intrusion detection system. The experimental results based on CICIDS2017 dataset show that the advanced spatial-temporal intrusion detection system based on ensemble learning achieves better accuracy, recall, precision and F1 score than the state-of-the-art methods. The accuracies of detecting benign, port scan, Distributed Denial of Service (DDoS), infiltration and web attack traffic are up to 99.9%, 99.9%, 99.9%, 99.9%, and 99.9%, respectively. We also use our method in Information-Centric Networking (ICN) dataset and the results show our method achieves much better performance compared with existing methods.

A Taxonomy of Network Threats and the Effect of Current Datasets on Intrusion Detection Systems

As the world moves towards being increasingly dependent on computers and automation, building secure applications, systems and networks are some of the main challenges faced in the current decade. The number of threats that individuals and businesses face is rising exponentially due to the increasing complexity of networks and services of modern networks. To alleviate the impact of these threats, researchers have proposed numerous solutions for anomaly detection; however, current tools often fail to adapt to ever-changing architectures, associated threats and zero-day attacks. This manuscript aims to pinpoint research gaps and shortcomings of current datasets, their impact on building Network Intrusion Detection Systems (NIDS) and the growing number of sophisticated threats. To this end, this manuscript provides researchers with two key pieces of information; a survey of prominent datasets, analyzing their use and impact on the development of the past decade's Intrusion Detection Systems (IDS) and a taxonomy of network threats and associated tools to carry out these attacks. The manuscript highlights that current IDS research covers only 33.3% of our threat taxonomy. Current datasets demonstrate a clear lack of real-network threats, attack representation and include a large number of deprecated threats, which together limit the detection accuracy of current machine learning IDS approaches. The unique combination of the taxonomy and the analysis of the datasets provided in this manuscript aims to improve the creation of datasets and the collection of real-world data. As a result, this will improve the efficiency of the next generation IDS and reflect network threats more accurately within new datasets.

A Survey of Intrusion Detection Systems Leveraging Host Data

This survey focuses on intrusion detection systems (IDS) that leverage host-based data sources for detecting attacks on enterprise network. The host-based IDS (HIDS) literature is organized by the input data source, presenting targeted sub-surveys of HIDS research leveraging system logs, audit data, Windows Registry, file systems, and program analysis. While system calls are generally included in audit data, several publicly available system call datasets have spawned a flurry of IDS research on this topic, which merits a separate section. To accommodate current researchers, a section giving descriptions of publicly available datasets is included, outlining their characteristics and shortcomings when used for IDS evaluation. Related surveys are organized and described. All sections are accompanied by tables concisely organizing the literature and datasets discussed. Finally, challenges, trends, and broader observations are throughout the survey and in the conclusion along with future directions of IDS research. Overall, this survey was designed to allow easy access to the diverse types of data available on a host for sensing intrusion, the progressions of research using each, and the accessible datasets for prototyping in the area.

TSE-IDS: A Two-Stage Classifier Ensemble for Intelligent Anomaly-Based Intrusion Detection System

Intrusion detection systems (IDSs) play a pivotal role in computer security by discovering and repealing malicious activities in computer networks. Anomaly-based IDS, in particular, rely on classification models trained using historical data to discover such malicious activities. In this paper, an improved IDS based on hybrid feature selection and two-level classifier ensembles are proposed. A hybrid feature selection technique comprising three methods, i.e., particle swarm optimization, ant colony algorithm, and genetic algorithm, is utilized to reduce the feature size of the training datasets (NSL-KDD and UNSW-NB15 are considered in this paper). Features are selected based on the classification performance of a reduced error pruning tree (REPT) classifier. Then, a two-level classifier ensemble based on two meta learners, i.e., rotation forest and bagging, is proposed. On the NSL-KDD dataset, the proposed classifier shows 85.8% accuracy, 86.8% sensitivity, and 88.0% detection rate, which remarkably outperform other classification techniques recently proposed in the literature. The results regarding the UNSW-NB15 dataset also improve the ones achieved by several state-of-the-art techniques. Finally, to verify the results, a two-step statistical significance test is conducted. This is not usually considered by the IDS research thus far and, therefore, adds value to the experimental results achieved by the proposed classifier.