The prevalence of distributed denial of service (DDoS) flooding attacks is one of the most serious risks to cloud computing security. The primary objective of these attacks is to exhaust the available resources of the targeted system so that it becomes unavailable to authorized users. Internet criminals often conduct DDoS flooding attacks, focusing primarily on the application and network layers. When the computing infrastructure is multi-mesh-geo distributed, includes multi-parallel services and a high number of domains, attacks may be difficult to detect; this is particularly true when a substantial number of domains are present. When there is a large number of independent administrative users using the services, the situation becomes more complicated. The main purpose of this research is to identify indicators that may be used to detect DDoS flooding attacks. Over the course of our study we established a composite metric that considers application, system, network and infrastructure elements as possible indicators of the occurrence of DDoS attacks. According to our research, DDoS attacks may be triggered by a combination of variables. Investigations of simulated traffic are conducted in the cloud; high traffic may be the result of flooding attacks. A one-of-a-kind intrusion detection system (IDS), named the composite metric-based intrusion detection system (ICMIDS), uses K-Means clustering and the Genetic Algorithm (GA) to detect whether an attempt has been made to flood the cloud environment. ICMIDS employs a multi-threshold algorithmic strategy in order to identify malicious traffic occurring on a cloud-based network. Cisco has created this technology.
This strategy necessitates a comprehensive investigation of all factors, which is crucial for ensuring the continuation of cloud-based computing activities. The monitoring system involves the development, administration and storage of a profile database, denoted Profile DB, which records the composite metric for each virtual machine. The results of a series of tests are compared against the ISCX benchmark dataset and statistical settings. The results indicate that ICMIDS has a reasonably high detection rate and the lowest false alarm rate in the majority of situations examined during the tests conducted to validate and verify its efficacy; ICMIDS had the lowest false alarm rate among all examined conditions.
Intrusion detection protects a network from probable intrusions by inspecting network traffic to ensure its integrity, availability and confidentiality. Although an IDS seems to eliminate malicious traffic, intruders have tried different approaches for undertaking attacks; hence, effective intrusion detection is vital. Concurrently, with the evolution of machine learning (ML), attacks can be identified by evaluating patterns and learning from them. Considering this, conventional works have attempted to perform intrusion detection, but they suffered from a high false alarm rate (FAR) and a low accuracy rate due to inefficient feature selection. To resolve these pitfalls, this research proposes a modified whale algorithm (MWA) based on nonlinear information gain to select significant and relevant features. This algorithm ensures a broad initialization to improve local search ability, since the agents' positions are usually near the optimal solution, and it is also used for an adaptive search for an optimal combination of features. Following this, the research proposes Morlet particle swarm optimization hyperparameter optimization (MPSO-HO) to improve the convergence rate of the algorithm by allowing it to escape from local optima. Standard metrics are used to confirm the optimal performance of the proposed system, and the outcomes demonstrate its effectiveness in intrusion detection.
Neural intelligent systems can provide a visualization of network traffic for security staff in order to reduce the widely known high false-positive rate associated with misuse-based Intrusion Detection Systems (IDSs). Unlike previous work, this study proposes unsupervised neural models that generate an intuitive visualization of the captured traffic rather than network statistics. These snapshots of network events are immensely useful for security personnel who monitor network behavior. The system is based on the use of different neural projection and unsupervised methods for the visual inspection of honeypot data, and may be seen as a complementary network security tool that sheds light on internal data structures through visual inspection of the traffic itself. Furthermore, it is intended to facilitate verification and assessment of Snort performance (a well-known and widely used misuse-based IDS) through the visualization of attack patterns. Empirical verification and comparison of the proposed projection methods are performed in a real domain, where two different case studies are defined and analyzed.
Network intrusion detection is becoming a challenging task as cyberattacks become more and more sophisticated. Failing to prevent or detect such intrusions might have serious consequences. Machine learning approaches try to recognize network connection patterns to classify known and unseen intrusions, but they also require periodic re-training to keep performance at a high level. In this paper, a novel continuous learning intrusion detection system, called Soft-Forgetting Self-Organizing Incremental Neural Network (SF-SOINN), is introduced. Besides providing continuous learning capabilities, SF-SOINN is able to perform fast classification, is robust to noise, and obtains good performance with respect to existing approaches. The main characteristic of SF-SOINN is the ability to remove nodes from the neural network based on their utility estimate. SF-SOINN has been validated on the well-known NSL-KDD and CIC-IDS-2017 intrusion detection datasets as well as on some artificial data to show its classification capability on more general tasks.
Maintaining computer network security has long been an essential component of computer administration. Network security has become essential to companies' safety and steady development in real-time implementations for diverse physical domains employing computers. Establishing a specific physical domain has consistently included, as a priority task, improving the safety of computer systems management. This paper reports results on the practical implementation of machine intelligence in network security maintenance. Specifically, it examines and offers security management techniques for computer network data protection to establish an all-encompassing security shield for networked computers, with the ultimate goal of improving the safety and reliability of the networked computers used in commercial settings. Furthermore, the comprehensive research analysis determines an architectural model for machine intelligence-based network security maintenance (MI-NSM), implying an intrusion detection scheme with a novel neural network system. Labelling important properties of objects or data points and searching for commonalities allows the automobile's AI to distinguish between a human, the street, another car, and the sky. The simulation evaluation is performed using the NS2 simulator and observes the security maintenance efficiency over current security solutions.
This paper describes experiences and results from applying Support Vector Machines (SVM) to a Computer Intrusion Detection (CID) dataset. First, issues in supervised classification are discussed, then the incorporation of anomaly detection to enhance the modeling and prediction of cyber-attacks. SVM methods are seen as competitive with benchmark methods and other studies, and are used as a standard for the anomaly detection investigation. The anomaly detection approaches compare one-class SVMs with a thresholded Mahalanobis distance to define support regions. Results compare the performance of the methods and investigate the joint performance of classification and anomaly detection. The dataset used is the publicly available DARPA/KDD-99 dataset of features from network packets, classified into a non-attack category and four attack categories.
Intrusion detection is a kind of security mechanism used to detect attacks and intrusive behavior. Because of the low accuracy and high false positive rate of existing clonal selection algorithms applied to intrusion detection, in this paper we propose a feature selection method for an improved clonal algorithm. The improved method detects intrusive behavior by selecting the best individuals overall and cloning them. Experimental results show that the feature selection algorithm is better than the traditional feature selection algorithm on different classifiers, and that the final detection results are better than those of the traditional clonal algorithm, with 99.6% accuracy and a 0.1% false positive rate.
Since existing intrusion detection systems (IDS) based on clustering algorithms cannot adapt to the large-scale growth of system logs, a K-medoids clustering intrusion detection algorithm based on differential evolution and suitable for cloud computing environments is proposed. First, the differential evolution algorithm is combined with the K-medoids clustering algorithm in order to use the powerful global search capability of differential evolution to improve the convergence efficiency of large-scale data sample clustering. Second, to further improve the optimization ability of clustering, a dynamic Gemini population scheme is adopted to improve the differential evolution algorithm, thereby maintaining the diversity of the population while mitigating the problem of being easily trapped in a local optimum. Finally, for intrusion detection processing of big data, the optimized clustering algorithm is designed to run in parallel under the Hadoop MapReduce framework. Simulation experiments were performed in a Hadoop cluster environment of the open source cloud computing framework. Experimental results show that the overall detection effect of the proposed algorithm is significantly better than that of existing intrusion detection algorithms.
Network anomalies significantly impact the efficiency and stability of network systems, making effective anomaly detection crucial for optimal performance and prevention of network breakdowns. However, conventional methods need improvement to handle the complexity and evolving nature of anomalies. Despite extensive research in network anomaly detection (NAD) techniques, there is a need for more systematic literature reviews incorporating recent advances, particularly in dynamic and heterogeneous network settings. Moreover, most review papers focus on individual detection methods and lack a unified framework for comprehensive anomaly detection. To bridge these gaps, this paper conducts a systematic literature review and formulates five research questions to outline the objectives of the study. A holistic framework is proposed, integrating techniques based on preprocessing and feature selection into prediction models to develop more accurate, efficient, and reliable anomaly detection systems. The empirical evaluation assesses the effectiveness, accuracy, efficiency, and reliability of the data-driven NAD techniques. Finally, the study identifies research gaps and potential future directions to guide further advancements in developing accurate and efficient anomaly detection models. By synthesizing and analyzing 116 top-cited papers, this study contributes to the existing body of knowledge by highlighting the potential of emerging anomaly detection techniques in complex and dynamic network environments.
Fog computing is a type of distributed computing that brings data storage and computation closer to the network edge. While fog computing offers numerous advantages, it also introduces several challenges, particularly in terms of security. An Intrusion Detection System (IDS) plays a crucial role in securing fog computing environments by monitoring network traffic and system activities for signs of malicious behavior. Several techniques can be employed to enhance intrusion detection in fog computing environments. Accordingly, this paper proposes a Shepard Neuro-Fuzzy Network (ShNFN) for intrusion detection in fog computing. Initially, in the cloud layer, the input data are passed to a data transformation step that converts the unstructured data into structured form; here, data transformation is done using the Box-Cox transformation. Following this, feature selection is performed using information gain and symmetric uncertainty, which measure the relationship between two variables. After that, the data are classified by the proposed ShNFN. The ShNFN is obtained by fusing two networks, the Cascade Neuro-Fuzzy Network (Cascade NFN) and the Shepard Convolutional Neural Network (ShCNN). After this, the physical process is executed at the endpoint layer. Finally, intrusion detection is accomplished in the fog layer by the proposed ShNFN method. The performance of intrusion detection using ShNFN is measured by recall, F-measure and precision. The proposed method achieves values of 93.3%, 92.5% and 94.8% for recall, F-measure, and precision, respectively.
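The feature selection step this abstract names, information gain and symmetric uncertainty between a feature and the class label, is small enough to show in full. The block below is an added example written for this page, not code from the paper: it computes entropy, conditional entropy, information gain and symmetric uncertainty (SU = 2·IG/(H(X)+H(Y))) over a handful of constructed connection records with discrete features, ranks the features, and keeps those above an assumed SU cut-off. The record fields, their values and the threshold are all assumptions.

```python
import math
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed connection records (hypothetical values, not from any real dataset).
# 'flag' separates the classes perfectly, 'service' only partly, 'proto' not at all.
RECORDS: List[Dict[str, str]] = [
    {"flag": "S0", "proto": "tcp", "service": "x", "label": "attack"},
    {"flag": "S0", "proto": "tcp", "service": "x", "label": "attack"},
    {"flag": "S0", "proto": "udp", "service": "x", "label": "attack"},
    {"flag": "S0", "proto": "udp", "service": "y", "label": "attack"},
    {"flag": "SF", "proto": "tcp", "service": "y", "label": "normal"},
    {"flag": "SF", "proto": "tcp", "service": "y", "label": "normal"},
    {"flag": "SF", "proto": "udp", "service": "y", "label": "normal"},
    {"flag": "SF", "proto": "udp", "service": "x", "label": "normal"},
]


def entropy(values: Sequence[str]) -> float:
    """Shannon entropy H(V) in bits of a discrete sample."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def conditional_entropy(feature: Sequence[str], labels: Sequence[str]) -> float:
    """H(Y | X): label entropy within each feature value, weighted by that value's frequency."""
    n = len(feature)
    total = 0.0
    for value, count in Counter(feature).items():
        subset = [y for x, y in zip(feature, labels) if x == value]
        total += (count / n) * entropy(subset)
    return total


def information_gain(feature: Sequence[str], labels: Sequence[str]) -> float:
    """IG(X; Y) = H(Y) - H(Y | X): how much knowing the feature reduces label uncertainty."""
    return entropy(labels) - conditional_entropy(feature, labels)


def symmetric_uncertainty(feature: Sequence[str], labels: Sequence[str]) -> float:
    """SU(X, Y) = 2 * IG(X; Y) / (H(X) + H(Y)); 0 = independent, 1 = X fully determines Y.
    The normalisation removes information gain's bias toward many-valued features."""
    denom = entropy(feature) + entropy(labels)
    return 2.0 * information_gain(feature, labels) / denom if denom else 0.0


def rank_features(records: List[Dict[str, str]], feature_names: Sequence[str],
                  label_key: str = "label") -> List[Tuple[str, float]]:
    """Score every feature by SU against the label and return them best first."""
    labels = [r[label_key] for r in records]
    scored = [(f, symmetric_uncertainty([r[f] for r in records], labels)) for f in feature_names]
    return sorted(scored, key=lambda kv: kv[1], reverse=True)


def select_features(records: List[Dict[str, str]], feature_names: Sequence[str],
                    threshold: float = 0.1, label_key: str = "label") -> List[str]:
    """Keep only features whose SU with the label exceeds the (assumed) cut-off."""
    return [f for f, su in rank_features(records, feature_names, label_key) if su > threshold]


if __name__ == "__main__":
    names = ["flag", "proto", "service"]
    for name, su in rank_features(RECORDS, names):
        print(f"{name:8s} SU={su:.4f}")
    print("selected:", select_features(RECORDS, names))
```

On these records `flag` scores 1.0, `service` about 0.19 and `proto` 0.0, so a 0.1 cut-off drops the protocol field, which carries no label information here. Continuous features such as byte counts have to be discretised (binned) before an entropy-based score like this is meaningful.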
To address the limitations of existing network intrusion detection algorithms in dealing with complex data that is imbalanced and high-dimensional, this paper proposes an intrusion detection algorithm based on a convolutional neural network (CNN) and the Light Gradient Boosting Machine (LightGBM). First, data-type conversion, oversampling and image data conversion are included in the data preprocessing to balance the data and adapt it to the input format. Then, the convolutional, pooling and fully connected layers of the CNN model abstract the main features from the converted image data. Finally, the main-feature data are used to train and test the LightGBM model, which produces the final classification results. This paper uses the KDDCUP99 dataset to carry out multi-classification experiments. By comparing the experiments before and after balancing the dataset, and comparing with similar algorithms, it verifies the superiority of the proposed algorithm in the classification performance of intrusion detection, especially for the minority attack classes.
Intrusion detection based on federated learning allows the sharing of more high-quality attack samples to improve the intrusion detection performance of local models while preserving the privacy of local data. Most research on federated learning intrusion detection requires local models to be homogeneous. However, in practical scenarios, local models often include both homogeneous and heterogeneous models due to differences in hardware capabilities and business requirements among nodes. Additionally, there is still room for improvement in the accuracy of recognizing novel attacks in existing research. To address the challenges mentioned above, we propose a Group-based Federated Knowledge Distillation Intrusion Detection approach. First, through a step-by-step grouping method, we achieve intra-group homogeneity and inter-group heterogeneity, laying the foundation for reducing the aggregation difficulty in intra-group homogeneous aggregation and inter-group heterogeneous aggregation. Second, in intra-group homogeneous aggregation, a dual-objective optimization model is employed to quantify the learning quality of local models. Weight coefficients are assigned based on the learning quality to perform weighted aggregation. Lastly, in inter-group heterogeneous aggregation, the group leader model's learning quality is used to classify and aggregate local soft labels, generating global soft labels. Group leader models utilize global soft labels for knowledge distillation to acquire knowledge from heterogeneous models. Experimental results on the NSL-KDD and UNSW-NB datasets demonstrate the superiority of our proposed method over other algorithms.
A typical data mining approach to network intrusion detection mandates a training dataset of network events labeled as either normal or a particular attack category. Such a training dataset is usually very large since there are many events to track. This is particularly the case in a WLAN, where the number of devices communicating with the WLAN can be large and with ad hoc connectivity. The large size of the unlabeled training dataset creates a problem for the domain expert who is asked to label the records toward creating a training dataset. We present an effective approach by which the number of network records the expert has to examine is a relatively small proportion of the given training dataset. A clustering algorithm is used to form relatively coherent groups, which the expert examines as an entity to label records as one of four classes: Red (definite intrusion), Yellow (possibly intrusion), Blue (probably normal), and Green (definite normal). Subsequently, an ensemble classifier-based data cleansing approach is used to detect records that were likely mislabeled by the expert. The proposed approach is investigated with a case study of a large real-world WLAN. In addition, ensemble classifier-based intrusion detection models built using the labeled training dataset demonstrate the effectiveness of the labeling process with good generalization accuracy over multiple test datasets.
Intrusion Detection Systems have considerable importance in preventing security threats and protecting computer networks against attackers. So far, various classification approaches using data mining and machine learning techniques have been proposed for the problem of intrusion detection. However, using single classifier systems for intrusion detection suffers from some limitations, including a lower detection rate for low-frequency attacks, detection instability, and complexity in the training process. Ensemble classifier systems combine several individual classifiers and obtain a classifier with higher performance. In this paper, we propose a new ensemble classifier using Radial Basis Function (RBF) neural networks and fuzzy clustering in order to increase detection accuracy and stability, reduce false positives, and provide a higher detection rate for low-frequency attacks. We also use a hybrid combination method to aggregate the individual predictions of the base classifiers, which helps to increase detection accuracy. The experimental results on the NSL-KDD data set demonstrate that our proposed system has a higher detection accuracy compared to other well-known classification systems. It also performs more effectively for the detection of low-frequency attacks. Furthermore, the proposed ensemble method offers better performance compared to popular ensemble methods.
In Internet of Things (IoT) and cloud systems, Intrusion Detection (ID) is vital for protecting the security infrastructure. ID techniques are extensively used to detect and track malicious threats in cloud and IoT systems. In IoT-based ID, the conventional techniques work on manually defined traffic feature values, which increase the complexity of the networks and achieve a limited detection rate on larger IoT databases. To address the above-stated issues and achieve high classification results, an effective deep learning based ID-System (IDS) is implemented in this article. Initially, the IoT data is acquired from the UNSW-NB15 and NSL-KDD databases, and then the standard scaling normalization technique, known as Min-Max normalization, is applied to select the dominant attributes and to eliminate outliers from the acquired databases. Additionally, the optimal features are selected from the rescaled normalized data by applying the Bat optimization algorithm. The selection of optimal features decreases the computational complexity and training time of the IDS. The chosen optimal features are passed into the DenseNet model for carrying out intrusion attack detection. In particular, in binary-class classification, the Bat-based DenseNet model obtained 98.89% and 98.40% accuracy on the UNSW-NB15 and NSL-KDD databases, respectively. The obtained simulation results demonstrate the higher effectiveness of the current study compared with state-of-the-art classifiers.
Intrusion detection systems play an important role in computer security. To make intrusion detection systems adaptive to changing environments, supervised learning techniques have been applied in intrusion detection. However, supervised learning needs a large amount of training instances to obtain classifiers with high accuracy. Limited by the lack of high quality labeled instances, some researchers have focused on semi-supervised learning to utilize unlabeled instances to enhance classification. But involving the unlabeled instances in the learning process also introduces a vulnerability: attackers can generate fake unlabeled instances to mislead the final classifier so that a few intrusions cannot be detected. In this paper we show that the attacker could mislead the semi-supervised intrusion detection classifier by poisoning the unlabeled instances, and we propose a defense method based on active learning to defeat the poisoning attack. Experiments show that the poisoning attack can reduce the accuracy of the semi-supervised learning classifier and that the proposed defense method based on active learning obtains higher accuracy than the original semi-supervised learner under the presented poisoning attack.
Considering the large quantity of data flowing through network routers, there is a very high demand to detect malicious and unhealthy network traffic in order to provide network users with reliable network operation and security of their information. Predictive models should be built to identify whether a network traffic record is healthy or malicious. To build such models, machine learning methods have started to be used for the task of network intrusion detection. Such predictive models must monitor and analyze a large amount of network data in a reasonable amount of time (usually real time). To do so, they cannot always process the whole data, and there is a need for data reduction methods that reduce the amount of data that needs to be processed. Feature selection is one of the data reduction methods that can be used to decrease processing time. It is important to understand which features are most relevant to determining whether a network traffic record is malicious and to avoid using the whole feature set, so that processing time becomes more efficient. It is also important that the simpler model built from the reduced feature set be as effective as a model that uses all the features. Considering these facts, feature selection is a very important pre-processing step in the detection of network attacks. The goal is to remove irrelevant and redundant features in order to increase the overall effectiveness of an intrusion detection system without negatively affecting classification performance. Most previous feature selection studies in the area of intrusion detection have been applied to the KDD 99 dataset. As KDD 99 is an outdated dataset, in this paper we compare different feature selection methods on a relatively new dataset, called Kyoto 2006+. There is no comprehensive comparison of different feature selection approaches for this dataset.
In the present work, we study four filter-based feature selection methods chosen from two categories for the application of network intrusion detection. Three filter-based feature rankers and one filter-based subset evaluation technique are compared together along with the null case, which applies no feature selection. We also apply statistical analysis to determine whether performance differences between these feature selection methods are significant or not. We find that among all the feature selection methods, Signal-to-Noise (S2N) gives the best performance results. It also outperforms the no-feature-selection approach in all experiments.
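The comparison this abstract describes, a filter-based ranker against the null case of no feature selection, can be reproduced in miniature. The block below is an added example written for this page, not the paper's code or its Kyoto 2006+ experiment: it scores each feature with the Signal-to-Noise ratio under the common definition (difference of the class means divided by the sum of the class standard deviations; assumed here, since the abstract does not give the formula), ranks features by |S2N|, and then trains a nearest-centroid classifier on the top-k features and on all features to compare the two. The dataset is constructed with a seeded generator, with two informative and two pure-noise features, and the classifier choice is an assumption.

```python
import random
import statistics
from typing import Dict, List, Sequence, Tuple


def s2n_scores(rows: Sequence[Sequence[float]], labels: Sequence[int]) -> List[float]:
    """Signal-to-Noise per feature between attack (1) and normal (0) records.
    Assumed definition: (mean_attack - mean_normal) / (sd_attack + sd_normal)."""
    scores = []
    for j in range(len(rows[0])):
        attack = [r[j] for r, y in zip(rows, labels) if y == 1]
        normal = [r[j] for r, y in zip(rows, labels) if y == 0]
        denom = statistics.pstdev(attack) + statistics.pstdev(normal)
        diff = statistics.mean(attack) - statistics.mean(normal)
        scores.append(diff / denom if denom else 0.0)
    return scores


def rank_features(scores: Sequence[float]) -> List[int]:
    """Feature indices ordered by |S2N|, most separating first."""
    return sorted(range(len(scores)), key=lambda j: abs(scores[j]), reverse=True)


def nearest_centroid_fit(rows, labels, keep: Sequence[int]) -> Dict[int, List[float]]:
    """Per-class centroid restricted to the selected feature indices."""
    cents = {}
    for cls in (0, 1):
        members = [r for r, y in zip(rows, labels) if y == cls]
        cents[cls] = [statistics.mean(r[j] for r in members) for j in keep]
    return cents


def nearest_centroid_predict(cents, row, keep: Sequence[int]) -> int:
    def sqdist(c):
        return sum((row[j] - cj) ** 2 for j, cj in zip(keep, c))
    return min(cents, key=lambda cls: sqdist(cents[cls]))


def accuracy(rows, labels, keep, cents) -> float:
    hits = sum(nearest_centroid_predict(cents, r, keep) == y for r, y in zip(rows, labels))
    return hits / len(rows)


def make_dataset(n_per_class: int = 150, seed: int = 7) -> Tuple[List[List[float]], List[int]]:
    """Constructed records: f0 strongly informative, f1 weakly, f2/f3 pure noise."""
    rng = random.Random(seed)
    rows, labels = [], []
    for cls in (0, 1):
        for _ in range(n_per_class):
            f0 = rng.gauss(4.0 if cls else 0.0, 1.0)
            f1 = rng.gauss(2.0 if cls else 0.0, 1.0)
            f2 = rng.gauss(0.0, 1.0)
            f3 = rng.gauss(0.0, 1.0)
            rows.append([f0, f1, f2, f3])
            labels.append(cls)
    return rows, labels


def compare_selection(k: int = 2) -> Tuple[List[int], Dict[str, float]]:
    """Rank on the training half, then score top-k features vs. the null case on the test half."""
    rows, labels = make_dataset()
    train_rows, train_labels = rows[::2], labels[::2]
    test_rows, test_labels = rows[1::2], labels[1::2]
    ranking = rank_features(s2n_scores(train_rows, train_labels))
    results = {}
    for name, keep in (("all", list(range(len(rows[0])))), (f"top{k}", ranking[:k])):
        cents = nearest_centroid_fit(train_rows, train_labels, keep)
        results[name] = accuracy(test_rows, test_labels, keep, cents)
    return ranking, results


if __name__ == "__main__":
    ranking, results = compare_selection()
    print("S2N ranking (best first):", ranking)
    for name, acc in results.items():
        print(f"{name:5s} accuracy={acc:.3f}")
```

Ranking is computed on the training split only; scoring features on the full dataset before splitting leaks test labels into the selection and inflates the reported accuracy, a mistake that is easy to make when the selection step lives in a separate script from the classifier.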
Due to the great increase in the amount of attacks that occur in computer networks, there is an increasing dependence on network intrusion detection systems which monitor and analyze the network data to detect attacks. In recent years, machine learning methods have been used to build predictive models for network intrusion detection. These methods are able to automatically extract patterns from the network data to build detection models. Defining proper features, which help models to better discriminate between normal and attack data, is a critical task. While network attacks vary widely, they share some commonalities. Many attacks, by their nature, are repetitive and exhibit behaviors different from normal traffic. Among these commonalities are self-similarity between attack packets, periodicity and repetition characteristics seen in the attack traffic. In this paper, we study the common behaviors between two different attack types, called RUDY and DNS Amplification attacks, in order to propose new features for building predictive models by using machine learning algorithms. We collected Netflow traffic from an operational ISP network. We introduce a concept called “session” derived from Netflow which incorporates both sides of a network communication to define a network instance. Features are extracted for each session. To demonstrate how the newly defined features work for the task of intrusion detection, we use these features to build intrusion detection models for the detection of RUDY attack, DNS Amplification attack and the combination of these two attacks. To build predictive models we apply four machine learning classification algorithms: two versions of a decision tree algorithm, Naïve Bayes and 5-Nearest Neighbor (5-NN) algorithm. Our results show that the proposed features based on the attack commonalities provide very good prediction results for the detection of two studied attacks on real network traffic.
When analyzing cybersecurity datasets with machine learning, researchers commonly need to consider whether or not to include Destination Port as an input feature. We assess the impact of Destination Port as a predictive feature by building predictive models with three different input feature sets and four combinations of web attacks from the CSE-CIC-IDS2018 dataset. First, we use Destination Port as the only (single) input feature to our models. Second, all features (from CSE-CIC-IDS2018) are used without Destination Port to build the models. Third, all features plus (including) Destination Port are used to train and test the models. All three of these feature sets obtain respectable classification results in detecting web attacks with LightGBM and CatBoost classifiers in terms of Area Under the Receiver Operating Characteristic Curve (AUC) scores, with AUC scores exceeding 0.90 for all scenarios. We observe the best classification performance scores when Destination Port is combined with all of the other CSE-CIC-IDS2018 features. However, classification performance is still respectable when using Destination Port as the only (single) input feature. Additionally, we validate that Botnet attacks also have respectable AUC with Destination Port as the only input feature to our models. This highlights that practitioners must be mindful of whether or not to include Destination Port as an input feature if it has lopsided label distributions, as we clearly identify in this study. Our brief survey of existing CSE-CIC-IDS2018 literature also discovered that many studies incorrectly treat Destination Port as a numerical input feature with machine learning models. Destination Port should be treated as a categorical input value to machine learning models, as its values do not represent numerical quantities that can be used in the mathematical equations of the models.
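Two of the abstract's points are worth making concrete for anyone building a detector on flow data: checking whether the label distribution is lopsided per port before trusting the feature, and encoding the port as a category rather than a number. The block below is an added example written for this page, not the paper's code or CSE-CIC-IDS2018 data: the flow records are constructed, with web attacks concentrated on port 80, benign DNS on 53 and a mixed port 8080. It computes the per-port attack share, builds the port-only majority-label model the abstract describes (so the reader can see why a single lopsided feature scores well), one-hot encodes the port with an "other" bucket for ports unseen in training, and shows what a numeric threshold split would lump together.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed flow records (dst_port, label); hypothetical counts, not CSE-CIC-IDS2018 data.
FLOWS: List[Tuple[int, str]] = (
    [(80, "attack")] * 6 + [(80, "benign")] * 2
    + [(443, "benign")] * 5 + [(53, "benign")] * 4
    + [(8080, "attack")] * 2 + [(8080, "benign")] * 2
)


def counts_by_port(flows: List[Tuple[int, str]]) -> Dict[int, Counter]:
    """Label counts per destination port."""
    counts: Dict[int, Counter] = defaultdict(Counter)
    for port, label in flows:
        counts[port][label] += 1
    return counts


def attack_share_by_port(flows: List[Tuple[int, str]]) -> Dict[int, float]:
    """Fraction of attack flows per port: the lopsidedness check to run before using the feature."""
    return {p: c["attack"] / sum(c.values()) for p, c in counts_by_port(flows).items()}


def port_only_model(flows: List[Tuple[int, str]]) -> Tuple[Dict[int, str], str]:
    """Majority label per port; ties and unseen ports fall back to the global majority label."""
    default = Counter(label for _, label in flows).most_common(1)[0][0]
    table: Dict[int, str] = {}
    for port, c in counts_by_port(flows).items():
        ranked = c.most_common()
        tied = len(ranked) > 1 and ranked[0][1] == ranked[1][1]
        table[port] = default if tied else ranked[0][0]
    return table, default


def accuracy(flows: List[Tuple[int, str]], table: Dict[int, str], default: str) -> float:
    """Accuracy of the port-only lookup model on a set of flows."""
    return sum(table.get(p, default) == label for p, label in flows) / len(flows)


def one_hot_port(port: int, vocab: List[int]) -> List[int]:
    """Categorical encoding: one column per port seen in training plus a trailing 'other' column,
    so a port first seen at inference time does not silently map onto a known one."""
    vec = [0] * (len(vocab) + 1)
    vec[vocab.index(port) if port in vocab else -1] = 1
    return vec


def threshold_split_share(flows: List[Tuple[int, str]], threshold: int) -> Tuple[float, float]:
    """Attack share on each side of a numeric split 'port <= threshold', i.e. what a model
    treating the port as a number would see. Ports are identifiers, so the grouping is arbitrary."""
    def share(labels: List[str]) -> float:
        return sum(l == "attack" for l in labels) / len(labels) if labels else 0.0
    left = [l for p, l in flows if p <= threshold]
    right = [l for p, l in flows if p > threshold]
    return share(left), share(right)


if __name__ == "__main__":
    shares = attack_share_by_port(FLOWS)
    print("attack share per port:", {p: round(s, 2) for p, s in sorted(shares.items())})
    table, default = port_only_model(FLOWS)
    print("port-only model:", table, "accuracy=%.3f" % accuracy(FLOWS, table, default))
    vocab = sorted(shares)
    print("one-hot 443:", one_hot_port(443, vocab), " unseen 22:", one_hot_port(22, vocab))
    print("numeric split at 300 (left, right):", threshold_split_share(FLOWS, 300))
```

The numeric split at 300 groups the benign DNS port 53 with the attacked port 80 purely because both numbers are small, which is the kind of spurious structure a tree or linear model learns when the port is fed in as an integer; with the one-hot encoding each port is its own indicator and no ordering is implied. The port-only model reaching about 81% on this data is the lopsidedness effect the abstract warns about: the score reflects how attacks were distributed across ports in this capture, not anything about the attacks themselves.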
Software-defined networking (SDN) is a next-generation networking paradigm in which various network components are controlled by a centralized controller that allows reliability in network system configuration, execution of policy decisions, and management via a primary programmable network infrastructure unit. SDN is known to deny DDoS attacks despite the default security protocols. State-of-the-art research has shown that SDN intrusion is possible in diverse layers of its generalized architecture. Addressing this problem, this work presents an optimized intrusion detection system for SDN to mitigate the effect of DDoS attacks. This article's main contribution is the development of a voting strategy-based ensemble classifier, established on bio-inspired particle swarm optimization and salp swarm optimization, for the optimized classification of DDoS attack-prone SDN traffic. Experimental analysis of the proposed SDN-IDS shows that the proposed strategy outperforms existing classifiers in terms of accuracy.