
    Improving the Anomaly Detection by Combining PSO Search Methods and J48 Algorithm

    Feature selection techniques are used to find the most important and relevant features in a dataset. In this study, feature selection was used to improve the performance of anomaly detection. Many feature selection techniques have been developed and evaluated on the NSL-KDD dataset. However, with the rapid growth of traffic on networks where more applications, devices, and protocols participate, traffic data has become complex and heterogeneous, which contributes to security issues and makes the NSL-KDD dataset no longer reliable for this purpose. A detection model must also be able to recognize novel attack types on complex network datasets, so a robust analysis technique for larger and more complex datasets is required to cope with the increase in security issues in big data networks. This study proposes particle swarm optimization (PSO) search as a feature selection method. As a contribution to feature analysis knowledge, the experiments examine combinations of PSO search with other search methods. To overcome the limitations of the NSL-KDD dataset, the CICIDS2017 dataset is used in the experiments. The J48 classification algorithm is used to validate the features selected by the proposed technique. The detection performance of the PSO search and J48 combination is examined and compared with other feature selection methods and with a previous study. The proposed technique successfully finds the important features of the dataset and improves detection performance, reaching 99.89% accuracy. Compared with the previous study, the proposed technique has better accuracy, TPR, and FPR.

    An Efficient Intrusion Detection Approach Utilizing Various WEKA Classifiers

    Intrusion detection is an essential business segment as well as a dynamic area of study and development, driven by its necessity. Modern intrusion detection systems still suffer from limitations of time sensitivity. The main requirement is to develop a system that is able to handle large volumes of network data in order to detect attacks more accurately and proactively. Research conducted by on the KDDCUP99 dataset resulted in a different set of attributes for each of the four major attack types. Without reducing the number of features, detecting attack patterns within the data is more difficult for rule generation, forecasting, or classification. The goal of this research is to present a new method that compares the proportions of correctly and incorrectly classified instances together with the features chosen. In this paper we explain our approach, "An Efficient Intrusion Detection Approach Utilizing Various WEKA Classifiers", which is proposed to enhance the effectiveness of intrusion detection by employing different WEKA classifiers on a processed KDDCUP99 dataset. During the experiment we employed the AdaBoost, J48, JRip, NaiveBayes, and Random Tree classifiers to categorize the different attacks in the processed KDDCUP99 data. Keywords: Classifier, Data Mining, IDS, Network Security, Attacks, Cyber Security

    Importance of Machine Learning Techniques to Improve the Open Source Intrusion Detection Systems

    Nowadays, ensuring data security has become difficult because of the rapid development of information technology along the Vs of Big Data. To secure a network against malicious activities and to ensure data protection, an intrusion detection system plays a very important role. The main objective is to obtain a high-performance solution capable of detecting the different types of attacks around a system. The main aim of this paper is to study the shortcomings of traditional and open source Intrusion Detection Systems and the Machine Learning techniques commonly used to overcome them. A comparison of some existing works by Intrusion Detection System type, detection method, algorithm, and accuracy is provided.

    Improved Performance of Network Attack Detection using Combination Data Mining Techniques

    Network attack detection is a very important mechanism for detecting attacks in computer networks, and data mining techniques play a very important role in it. Intrusions can damage data and compromise its integrity, confidentiality, and availability. Intrusions are activities that violate the security policy of a system, and intrusion detection is the process used to identify network attacks. Network security has to be considered a major issue in recent years, since computer networks keep expanding every day. A Network Attack Detection System (NADS) is a system for detecting intrusions and reporting them to the authority or to the network administration. Data mining techniques have been applied in many fields such as network management, education, science, business, manufacturing, process control, and fraud detection. Data mining algorithms such as J48, Random Forest, Random Tree, Hoeffding Tree, and REP Tree are used to build intrusion detection models on KDD CUP 1999. The performance of the network attack detection model is evaluated on the KDD CUP 1999 test dataset through a series of experiments and measured by correct classification and detection of attacks. Combining data mining algorithms improves the performance of network attack detection in terms of false positives and false negatives and of novel or unknown attacks.

    Insertion Detection System Employing Neural Network MLP and Detection Trees Using Different Techniques

    By addressing intruder attacks, network security experts work to keep services available at all times. The Intrusion Detection System (IDS) is one of the available mechanisms for detecting and classifying any abnormal behavior. As a result, the IDS must always be up to date with the most recent intruder attack signatures to maintain the confidentiality, integrity, and availability of the services. This paper shows how the NSL-KDD dataset may be used to test and evaluate various Machine Learning techniques. It focuses mostly on the NSL-KDD pre-processing step to create an acceptable and balanced experimental dataset in order to improve accuracy and minimize false positives. For this study, the J48 and MLP approaches were employed. The Decision Trees classifier is shown to have the highest accuracy rate for detecting and categorizing all NSL-KDD dataset attacks.

    Intelligent network intrusion detection using an evolutionary computation approach

    With the enormous growth of users' reliance on the Internet, the need for secure and reliable computer networks also increases. The availability of effective automatic tools for carrying out different types of network attacks raises the need for effective intrusion detection systems. Generally, a comprehensive defence mechanism consists of three phases, namely preparation, detection and reaction. In the preparation phase, network administrators aim to find and fix security vulnerabilities (e.g., insecure protocols and vulnerable computer systems or firewalls) that can be exploited to launch attacks. Although the preparation phase increases the level of security in a network, it will never completely remove the threat of network attacks. A good security mechanism requires an Intrusion Detection System (IDS) in order to monitor security breaches when the prevention schemes of the preparation phase are bypassed. To be able to react to network attacks as fast as possible, an automatic detection system is of paramount importance. The later an attack is detected, the less time network administrators have to update their signatures and reconfigure their detection and remediation systems. An IDS is a tool for monitoring a system with the aim of detecting and alerting on intrusive activities in networks. These tools are classified into two major categories: signature-based and anomaly-based. A signature-based IDS stores the signatures of known attacks in a database and discovers occurrences of attacks by monitoring and comparing each communication in the network against the database of signatures. On the other hand, mechanisms that deploy anomaly detection have a model of the normal behaviour of the system, and any significant deviation from this model is reported as an anomaly. This thesis aims at addressing the major issues in the process of developing signature-based IDSs. These are: i) their dependency on experts to create signatures, ii) the complexity of their models, iii) the inflexibility of their models, and iv) their inability to adapt to changes in the real environment and detect new attacks. To meet the requirements of a good IDS, computational intelligence methods have attracted considerable interest from the research community. This thesis explores a solution to automatically generate compact rulesets for network intrusion detection utilising evolutionary computation techniques. The proposed framework is called ESR-NID (Evolving Statistical Rulesets for Network Intrusion Detection). Using an interval-based structure, this method can be deployed for any continuous-valued input data. Therefore, by choosing appropriate statistical measures (i.e. continuous-valued features) of network traffic as the input to ESR-NID, it can effectively detect varied types of attacks, since it is not dependent on the signatures of network packets. In ESR-NID, several innovations in the genetic algorithm were developed to keep the ruleset small. A two-stage evaluation component in the evolutionary process takes the cooperation of rules into consideration and results in very compact, easily understood rulesets. The effectiveness of this approach is evaluated against several sources of data for the detection of both normal and abnormal behaviour. The results are found to be comparable to those achieved using other machine learning methods from both the GA-based and non-GA-based categories. One of the significant advantages of ESR-NID is that it can be tailored to specific problem domains and the characteristics of the dataset through the use of different fitness and performance functions. This makes the system a more flexible model compared to other learning techniques. Additionally, an IDS must adapt itself to the changing environment with the least amount of configuration. ESR-NID uses an incremental learning approach as new flows of traffic become available. The incremental learning approach benefits from lower storage requirements because it only keeps the generated rules in its database, in contrast to the ever-growing repository of raw training data required for traditional learning.

    Reduction of False Positives in Intrusion Detection Based on Extreme Learning Machine with Situation Awareness

    Protecting computer networks from intrusions is more important than ever for our privacy, economy, and national security. Seemingly a month does not pass without news of a major data breach involving sensitive personal identity, financial, medical, trade secret, or national security data. Democratic processes can now potentially be compromised through breaches of electronic voting systems. As ever more devices, including medical machines, automobiles, and control systems for critical infrastructure, are networked, human life is also more at risk from cyber-attacks. Research into Intrusion Detection Systems (IDSs) began several decades ago, and IDSs are still a mainstay of computer and network protection and continue to evolve. However, detecting previously unseen, or zero-day, threats is still an elusive goal. Many commercial IDS deployments still use misuse detection based on known threat signatures. Systems utilizing anomaly detection have shown great promise in academic research for detecting previously unseen threats, but their success has been limited in large part by the excessive number of false positives they produce. This research demonstrates that false positives can be better minimized, while maintaining detection accuracy, by combining Extreme Learning Machine (ELM) and Hidden Markov Models (HMM) as classifiers within the context of a situation awareness framework. The research was performed using the University of New South Wales - Network Based 2015 (UNSW-NB15) data set, which is more representative of contemporary cyber-attack and normal network traffic than the older data sets typically used in IDS research. It is shown that this approach provides better results than either HMM or ELM alone, with a lower False Positive Rate (FPR) than other comparable approaches that also used the UNSW-NB15 data set.

    Network Based Intrusion Detection System Using Weighted Product Model (WPM)

    A network-based intrusion detection system (NIDS) is a security technology created to safeguard computer networks against unauthorised access and criminal activity. It works by analysing network traffic, spotting potential risks, and informing administrators of any possible incursions or attacks. NIDS research ensures that intrusion detection systems are built to minimise the gathering and storage of sensitive data by taking into account the value of privacy and data protection. In general, network-based intrusion detection system research has a major impact on how well these security measures operate, how efficiently they perform, and how adaptable they are. By addressing the evolving challenges posed by cyber threats, NIDS research helps organizations enhance their network security posture, protect sensitive information, and defend against potential intrusions and attacks. The weighted product model (WPM), a multi-criteria decision-making (MCDM) technique, is used to evaluate and rank solutions based on a variety of distinct criteria. It provides a methodical approach to decision-making by considering the relative importance of each attribute and the performance of each solution in relation to those criteria. The WPM normalises the data, weights the criteria, and gives a weighted score for each alternative; the option with the greatest score is regarded as the ideal option. The weighted product model offers a structured framework for making decisions by taking into account many factors and their varying degrees of importance. It enables decision-makers to assess and contrast options using a wide range of criteria, resulting in more informed and unbiased choices. It is nonetheless crucial to check that the model's weights and normalisation techniques appropriately capture the decision-maker's preferences as well as the features of the decision problem. The classifiers compared are J48, Random Forest, JRIP, RIDOR, and PART. The definitions of true positive, false positive, true negative, and false negative rates have already been established; these metrics for measuring the effectiveness of classification algorithms, anomaly detection systems, and binary decision-making processes are presented accurately. As can be seen from the results, J48 received the highest rank, while PART received the lowest. Network-based intrusion detection systems (NIDS) are essential for increasing the security of computer networks. They provide real-time monitoring and analysis of network traffic to identify suspected breaches and malicious activities, enabling appropriate action to be taken. However, it is important to recognize that NIDS have limitations and are not infallible.

    TOWARDS A HOLISTIC EFFICIENT STACKING ENSEMBLE INTRUSION DETECTION SYSTEM USING NEWLY GENERATED HETEROGENEOUS DATASETS

    With the exponential growth of network-based applications globally, there has been a transformation in organizations' business models. Furthermore, cost reductions in both computational devices and internet access have led people to become more technology dependent. Consequently, due to the inordinate use of computer networks, new risks have emerged. Therefore, improving the speed and accuracy of security mechanisms has become crucial. Although abundant new security tools have been developed, the rapid growth of malicious activities continues to be a pressing issue, as ever-evolving attacks continue to create severe threats to network security. Classical security techniques, for instance firewalls, are used as a first line of defense against security problems but remain unable to detect internal intrusions or adequately provide security countermeasures. Thus, network administrators tend to rely predominantly on Intrusion Detection Systems to detect such network intrusive activities. Machine Learning is one of the practical approaches to intrusion detection; it learns from data to differentiate between normal and malicious traffic. Although Machine Learning approaches are used frequently, an in-depth analysis of Machine Learning algorithms in the context of intrusion detection has received less attention in the literature. Moreover, adequate datasets are necessary to train and evaluate anomaly-based network intrusion detection systems. A number of such datasets, such as DARPA, KDDCUP, and NSL-KDD, have been widely adopted by researchers to train and evaluate the performance of their proposed intrusion detection approaches. Based on several studies, many of these datasets are outworn and unreliable. Furthermore, some of them suffer from a lack of traffic diversity and volume, do not cover the variety of attacks, have anonymized packet information and payloads that cannot reflect current trends, or lack a feature set and metadata. This thesis provides a comprehensive analysis of some of the existing Machine Learning approaches for identifying network intrusions. Specifically, it analyzes the algorithms along various dimensions, namely feature selection, sensitivity to hyper-parameter selection, and class imbalance problems, that are inherent to intrusion detection. It also produces a new reliable dataset labeled Game Theory and Cyber Security (GTCS) that matches real-world criteria, contains normal traffic and different classes of attacks, and reflects current network traffic trends. The GTCS dataset is used to evaluate the performance of the different approaches, and a detailed experimental evaluation summarizing the effectiveness of each approach is presented. Finally, the thesis proposes an ensemble classifier model composed of multiple classifiers with different learning paradigms to address the issues of detection accuracy and false alarm rate in intrusion detection systems.

    Important Features of CICIDS-2017 Dataset For Anomaly Detection in High Dimension and Imbalanced Class Dataset

    The growth in internet traffic volume presents new issues in anomaly detection, one of which is the high data dimension. Feature selection techniques have been proven able to solve the problem of high data dimension by producing relevant features. On the other hand, high class imbalance is a problem for feature selection. In this study, two feature selection approaches are proposed that are able to produce the most suitable features in a highly class-imbalanced dataset. CICIDS-2017 is a reliable dataset that suffers from high class imbalance, and it is therefore used in this study. Furthermore, this study performs experiments with the Information Gain feature selection technique on the class-imbalanced dataset. For validation, the Random Forest classification algorithm is used because of its ability to handle multi-class data. The experimental results show that the proposed approaches perform surprisingly well and surpass the state-of-the-art methods.