Are Machine Learning Based Intrusion Detection System Always Secure?:An insight into tampered learning

Machine learning is successful in many applications including securing a network from unseen attack. The application of learning algorithm for detecting anomaly in a Network has been fundamental since few years. With increasing use of machine learning techniques it has become important to study to what extent it is good to be dependent on them. Altogether a different discipline called ‘Adversarial Learning’ have come up as a separate dimension of study. The work in this paper is to test the robustness of online machine learning based IDS to carefully crafted packets by attacker called poison packets. The objective is to observe how a remote attacker can deviate the normal behavior of machine learning based classifier in the IDS by injecting the network with carefully crafted packets externally, that may seem normal by the classification algorithm and the instance made part of its future training set. This behavior eventually can lead to a poison learning by the classification algorithm in the long run, resulting in misclassification of true attack instances. This work explores one such approach with SOM and SVM as the online learning based classification algorithms

An enhancement of classification technique based on rough set theory for intrusion detection system application

An Intrusion Detection System (IDS) is capable to detect unauthorized intrusions into computer systems and networks by looking for signatures of known attacks or deviations of normal activity. However, accuracy performance is one of the issues in IDS application. Meanwhile, classification is one of techniques in data mining employed to increase IDS performance. In order to improve classification performance problem, feature selection and discretization algorithm are crucial in selecting relevant attributes that could improve classification performance. Discretization algorithms have been recently proposed; however, those algorithms of discretizer are only capable to handle categorical attributes and cannot deal with numerical attributes. In fact, it is difficult to determine the needed number of intervals and their width. Thus, to deal with huge dataset, data mining technique can be improved by introducing discretization algorithm to increase classification performance. The generation of rule is considered a crucial process in data mining and the generated rules are in a huge number. Therefore,it is dreadful to determine important and relevant rules for the next process . As a result, the aim of the study is to improve classification performance in terms of accuracy, detection rate and false positive alarm rate decreased for IDS application. Henceforth, to achieve the aim, current research work proposed an enhancement of discretization algorithm based on Binning Discretization in RST to improve classification performance and to enhance the strategy of generation rules in RST to improve classification performance. Both enhancements were evaluated in terms of accuracy, false positive alarm and detection rate against state-of-the-practice dataset (KDD Cup 99 dataset) in IDS application. Several discretization algorithms such Equal Frequency Binning, Entropy/MDL, Naïve and proposed discretization were analysed and compared in the study. Experimental results show the proposed technique increases accuracy classification percentage up to 99.95%; and the minimum number of bins determine good discretization algorithm. Consequently, attack detection rate increases and false positive alarm rate minimizes. In particular, the proposed algorithm obtains satisfactory compromise between the number of cuts and classification accuracy

Sample Selected Extreme Learning Machine Based Intrusion Detection in Fog Computing and MEC

Fog computing, as a new paradigm, has many characteristics that are different from cloud computing. Due to the resources being limited, fog nodes/MEC hosts are vulnerable to cyberattacks. Lightweight intrusion detection system (IDS) is a key technique to solve the problem. Because extreme learning machine (ELM) has the characteristics of fast training speed and good generalization ability, we present a new lightweight IDS called sample selected extreme learning machine (SS-ELM). The reason why we propose “sample selected extreme learning machine” is that fog nodes/MEC hosts do not have the ability to store extremely large amounts of training data sets. Accordingly, they are stored, computed, and sampled by the cloud servers. Then, the selected sample is given to the fog nodes/MEC hosts for training. This design can bring down the training time and increase the detection accuracy. Experimental simulation verifies that SS-ELM performs well in intrusion detection in terms of accuracy, training time, and the receiver operating characteristic (ROC) value

A taxonomy and survey of intrusion detection system design techniques, network threats and datasets

With the world moving towards being increasingly dependent on computers and automation, one of the main challenges in the current decade has been to build secure applications, systems and networks. Alongside these challenges, the number of threats is rising exponentially due to the attack surface increasing through numerous interfaces offered for each service. To alleviate the impact of these threats, researchers have proposed numerous solutions; however, current tools often fail to adapt to ever-changing architectures, associated threats and 0-days. This manuscript aims to provide researchers with a taxonomy and survey of current dataset composition and current Intrusion Detection Systems (IDS) capabilities and assets. These taxonomies and surveys aim to improve both the efficiency of IDS and the creation of datasets to build the next generation IDS as well as to reflect networks threats more accurately in future datasets. To this end, this manuscript also provides a taxonomy and survey or network threats and associated tools. The manuscript highlights that current IDS only cover 25% of our threat taxonomy, while current datasets demonstrate clear lack of real-network threats and attack representation, but rather include a large number of deprecated threats, hence limiting the accuracy of current machine learning IDS. Moreover, the taxonomies are open-sourced to allow public contributions through a Github repository

Reduction of False Positives in Intrusion Detection Based on Extreme Learning Machine with Situation Awareness

Protecting computer networks from intrusions is more important than ever for our privacy, economy, and national security. Seemingly a month does not pass without news of a major data breach involving sensitive personal identity, financial, medical, trade secret, or national security data. Democratic processes can now be potentially compromised through breaches of electronic voting systems. As ever more devices, including medical machines, automobiles, and control systems for critical infrastructure are increasingly networked, human life is also more at risk from cyber-attacks. Research into Intrusion Detection Systems (IDSs) began several decades ago and IDSs are still a mainstay of computer and network protection and continue to evolve. However, detecting previously unseen, or zero-day, threats is still an elusive goal. Many commercial IDS deployments still use misuse detection based on known threat signatures. Systems utilizing anomaly detection have shown great promise to detect previously unseen threats in academic research. But their success has been limited in large part due to the excessive number of false positives that they produce. This research demonstrates that false positives can be better minimized, while maintaining detection accuracy, by combining Extreme Learning Machine (ELM) and Hidden Markov Models (HMM) as classifiers within the context of a situation awareness framework. This research was performed using the University of New South Wales - Network Based 2015 (UNSW-NB15) data set which is more representative of contemporary cyber-attack and normal network traffic than older data sets typically used in IDS research. It is shown that this approach provides better results than either HMM or ELM alone and with a lower False Positive Rate (FPR) than other comparable approaches that also used the UNSW-NB15 data set

A Hierarchical Temporal Memory Sequence Classifier for Streaming Data

Real-world data streams often contain concept drift and noise. Additionally, it is often the case that due to their very nature, these real-world data streams also include temporal dependencies between data. Classifying data streams with one or more of these characteristics is exceptionally challenging. Classification of data within data streams is currently the primary focus of research efforts in many fields (i.e., intrusion detection, data mining, machine learning). Hierarchical Temporal Memory (HTM) is a type of sequence memory that exhibits some of the predictive and anomaly detection properties of the neocortex. HTM algorithms conduct training through exposure to a stream of sensory data and are thus suited for continuous online learning. This research developed an HTM sequence classifier aimed at classifying streaming data, which contained concept drift, noise, and temporal dependencies. The HTM sequence classifier was fed both artificial and real-world data streams and evaluated using the prequential evaluation method. Cost measures for accuracy, CPU-time, and RAM usage were calculated for each data stream and compared against a variety of modern classifiers (e.g., Accuracy Weighted Ensemble, Adaptive Random Forest, Dynamic Weighted Majority, Leverage Bagging, Online Boosting ensemble, and Very Fast Decision Tree). The HTM sequence classifier performed well when the data streams contained concept drift, noise, and temporal dependencies, but was not the most suitable classifier of those compared against when provided data streams did not include temporal dependencies. Finally, this research explored the suitability of the HTM sequence classifier for detecting stalling code within evasive malware. The results were promising as they showed the HTM sequence classifier capable of predicting coding sequences of an executable file by learning the sequence patterns of the x86 EFLAGs register. The HTM classifier plotted these predictions in a cardiogram-like graph for quick analysis by reverse engineers of malware. This research highlights the potential of HTM technology for application in online classification problems and the detection of evasive malware

Extreme learning machines for intrusion detection

We consider the problem of intrusion detection in a computer network, and investigate the use of extreme learning machines (ELMs) to classify and detect the intrusions. With increasing connectivity between networks, the risk of information systems to external attacks or intrusions has increased tremendously. Machine learning methods like support vector machines (SVMs) and neural networks have been widely used for intrusion detection. These methods generally suffer from long training times, require parameter tuning, or do not perform well in multi-class classification. We propose a basic ELM method based on random features, and a kernel based ELM method for classification. We compare our methods with commonly used SVM techniques in both binary and multi-class classifications. Simulation results show that the proposed basic ELM approach outperforms SVM in training and testing speed, while the proposed kernel based ELM achieves higher detection accuracy than SVM in multi-class classification case