Fig 6 - uploaded by H. Takakura
The geometry of the sphere formulation of one-class SVM.  

Context in source publication

Context 1
... l} where x_i ∈ R^n; one-class SVM maps the data points x_i into a feature space by some non-linear mapping Φ(x_i) and finds a hypersphere that contains most of the data points in that feature space. Figure 6 shows the geometry of the hypersphere, formulated with the center c and the radius R in the feature space. In the intrusion detection field, therefore, the data points that fall outside the hypersphere can be regarded as anomalies (i.e., potential cyber attacks), because only a few attacks are present in traffic data and IDS alerts, and most of the data are the usual false positives. ...
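The hypersphere geometry described above, as an added illustration that is not code from the cited paper: an RBF kernel plays the role of Φ, the centre c is taken as the feature-space mean of the training points (an assumed simplification of the SVM-optimised centre), R is set so that a small fraction ν of training points lies outside, and the alert feature vectors are constructed for the example.

```python
import math

def rbf_kernel(x, y, gamma):
    """Gaussian kernel: the implicit non-linear map Phi, k(x, y) = <Phi(x), Phi(y)>."""
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(x, y)))

class HypersphereDetector:
    """Hypersphere (centre c, radius R) in RBF feature space; points outside are anomalies.
    Simplification (assumption, not the paper's QP solver): c is the feature-space mean of
    the training points, and R is set so that a fraction nu of training points lie outside."""

    def __init__(self, gamma=0.5, nu=0.1):
        self.gamma, self.nu = gamma, nu
        self.train = []     # training points x_i
        self.cc = 0.0       # <c, c> = (1/l^2) * sum_ij k(x_i, x_j)
        self.R = 0.0

    def fit(self, points):
        self.train = [tuple(p) for p in points]
        l = len(self.train)
        self.cc = sum(rbf_kernel(a, b, self.gamma)
                      for a in self.train for b in self.train) / (l * l)
        dists = sorted(self.distance(p) for p in self.train)
        # R = (1 - nu) quantile of training distances, so about nu of them fall outside
        idx = max(0, min(l - 1, math.ceil((1.0 - self.nu) * l) - 1))
        self.R = dists[idx]
        return self

    def distance(self, x):
        """||Phi(x) - c|| via the kernel trick; k(x, x) = 1 for the RBF kernel."""
        cross = sum(rbf_kernel(x, xi, self.gamma) for xi in self.train) / len(self.train)
        return math.sqrt(max(0.0, 1.0 - 2.0 * cross + self.cc))

    def is_anomaly(self, x):
        """Outside the hypersphere: a candidate attack rather than background noise."""
        return self.distance(x) > self.R

# Constructed sample: per-source-host alert features (alerts/minute, distinct dst ports),
# scaled. The bulk is the usual false-positive noise a sensor produces.
NORMAL_ALERTS = [(0.9, 1.1), (1.1, 0.9), (1.0, 1.05), (0.95, 1.0), (1.05, 1.02),
                 (1.1, 1.1), (0.9, 0.9), (1.0, 0.95), (1.02, 0.98), (0.97, 1.03)]

def build_detector():
    """Fit the sphere on the constructed alert sample."""
    return HypersphereDetector(gamma=0.5, nu=0.1).fit(NORMAL_ALERTS)

def classify(det, hosts):
    """Return {host: 'anomaly'|'normal'} for the given feature vectors."""
    return {h: ("anomaly" if det.is_anomaly(h) else "normal") for h in hosts}
```

A host whose alert profile sits in the dense cluster lands inside the sphere, while one far from it (e.g. many alerts across many ports) lands outside and is flagged for analyst review.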

Similar publications

Conference Paper
Full-text available
Intrusion detection has attracted a considerable interest from researchers and industries. After many years of research the community still faces the problem of building reliable and efficient intrusion detection systems (IDS) capable of handling large quantities of data with changing patterns in real time situations. The Tor network is popular in...

Citations

... In addition to this session analysis based on login or behaviour characteristics, there are also works that introduce mathematical and machine learning-based concepts for session discovery. Methods that have been used for knowledge discovery are Significant Event Discovery [17], Long-Range Dependence [18], Support Vector Machines [19], Principal Component Analysis [20], Symbolic Aggregate approximation [21] and Time-/Internet Protocol (IP) address based correlations of botnet activities [22]. After the data has been surveyed, it is critical to visualise the results. ...
Preprint
Full-text available
Recently, advances in cyber-physical systems and IoT led to an increase in devices connected to the internet. This rise of functionality also comes with an increased attack surface for cyber criminals. A proven method for forensic investigations of trends and developments in crimes conducted in the virtual world are honeypots. We set up a medium interaction honeypot offering telnet and SSH services. With this honeypot we captured data from attack sessions. This data was used for statistical and behavioural analysis, such as distributions of attacks and different attacker IPs, originating countries, employed anonymisation services, skill level of an adversary and commonly targeted embedded devices. Furthermore, machine learning techniques that are capable of identifying unique types of sessions based on issued commands and provided credentials are presented in this work. There are strong indicators that most of the traffic captured during our research is caused by botnet activities, which corresponds to findings of different research activities.
... Buda compared MaxMiner, Maximal Frequent Itemset and Significant Event Discovery [26] against each other in the context of analyzing Honeypot data. Support Vector Machines are also evaluated to dissect Honeypot data [27]. The authors employed k-means clustering to classify attack sessions based on the intrusion attempt and based on the behavior after the exploitation [28]. ...
Preprint
Full-text available
Criminal activity in the Internet is becoming more sophisticated. Traditional information security techniques hardly cope with recent trends. Honeypots proved to be a valuable source of threat intelligence. In this work several Honeypots are combined into a Honeynet and observed exploitation attempts. The Honeynet consists of six Honeypots and was operated for 222 days. 12 million exploitation attempts were captured. The captured data is examined and evaluated. Several hypotheses are proposed and analyzed. Dependencies and distribution within the data are identified and quantified. Investigated features are: Temporal and spatial distribution, attacked protocols, involved autonomous systems and the employed dictionaries.
... These limitations were addressed by the anomaly-based approach, which enables us to quickly detect and respond to unknown attack patterns to stabilize network operation while reducing human intervention [20][21][22][23][24]. The anomaly-based approach generally learns normal patterns in an unsupervised manner and detects anomaly samples whose patterns significantly deviate from the normal ones. ...
... For instance, the one-class SVM method regards the majority of the data located densely within a specific area as normal and a few outliers as abnormal. One-class SVMs [23] and OptiGrid clustering-based methods [24] were used to detect attack traffics. ...
Article
Full-text available
As network attacks are constantly and dramatically evolving, demonstrating new patterns, intelligent Network Intrusion Detection Systems (NIDS), using deep-learning techniques, have been actively studied to tackle these problems. Recently, various autoencoders have been used for NIDS in order to accurately and promptly detect unknown types of attacks (i.e., zero-day attacks) and also alleviate the burden of the laborious labeling task. Although the autoencoders are effective in detecting unknown types of attacks, it takes tremendous time and effort to find the optimal model architecture and hyperparameter settings of the autoencoders that result in the best detection performance. This can be an obstacle that hinders practical applications of autoencoder-based NIDS. To address this challenge, we rigorously study autoencoders using the benchmark datasets, NSL-KDD, IoTID20, and N-BaIoT. We evaluate multiple combinations of different model structures and latent sizes, using a simple autoencoder model. The results indicate that the latent size of an autoencoder model can have a significant impact on the IDS performance.
... From Table 6, it was clearly observed that the highest accuracy (%) was achieved with the value of 92.39 for our proposed approach, followed by 85.05 in the approach of the work of Kanakarajan and Muniasamy, 20 and the least value was noticed in the approach of the work of Gaikwad and Thool. 21 The highest FAR (%) value of 15 was noticed in the approach of the work of Song et al, 4 followed by 12.2 in the approach of the work of Kanakarajan and Muniasamy, 20 and the least value was noticed in 0.12 of our approach. Hence, the outcomes have shown better results compared to previously obtained results. ...
Article
Full-text available
As network traffic rises and attacks become more widespread and complicated, we must come across innovative ways to enrich Intrusion Detection Systems in Cloud Computing. This paper proposes Ensemble approaches for Network Intrusion Detection and Classification in the Cloud. The major aim of Ensemble Learning is to improve the outcome of each Machine Learning algorithm and to get a robust classifier. Real-time malicious network stream samples were collected using a Honeynet deployed in a cloud environment. We use supervised learning and unsupervised learning algorithms for classifying the known malicious network streams and unknown malicious streams. Network-related attacks can be segregated into four classes, namely Denial of Service (DoS), User to Root (U2R), Remote to Local (R2L), and Probe, and these are the vital constraints that must be overcome with the end goal of building efficient Intelligent Intrusion Detection. The motivation behind the proposed work is to enhance the accuracy rate along with response time. The outcome obtained from the Ensemble method has a better accuracy rate compared to the SVM, Naive Bayes, and Logistic Regression methods.
... In contrast, the attack types of ISCX2012 are more modern and closer to reality. In addition, the percentage of attack traffic is approximately 2.8%, which makes ISCX2012 similar to real-world datasets [28]. ...
Article
Full-text available
The development of an anomaly-based intrusion detection system (IDS) is a primary research direction in the field of intrusion detection. An IDS learns normal and anomalous behavior by analyzing network traffic and can detect unknown and new attacks. However, the performance of an IDS is highly dependent on feature design, and designing a feature set that can accurately characterize network traffic is still an ongoing research issue. Anomaly-based IDSs also have the problem of a high false alarm rate (FAR), which seriously restricts their practical applications. In this paper, we propose a novel IDS called the hierarchical spatial-temporal features-based intrusion detection system (HAST-IDS), which first learns the low-level spatial features of network traffic using deep convolutional neural networks (CNNs) and then learns high-level temporal features using long short-term memory (LSTM) networks. The entire process of feature learning is completed by the deep neural networks automatically; no feature engineering techniques are required. The automatically learned traffic features effectively reduce the FAR. The standard DARPA1998 and ISCX2012 datasets are used to evaluate the performance of the proposed system. The experimental results show that the HAST-IDS outperforms other published approaches in terms of accuracy, detection rate and FAR, which successfully demonstrates its effectiveness in both feature learning and FAR reduction.
... They were able to identify several types of botnets based on those features. Other authors employed Significant Event Discovery (Buda & Bluemke, 2016), Long-Range Dependency (Zhan & Xu, 2013), Support Vector Machines (Song et al., 2011), Principal Components Analysis (Sharma & Mandeep, 2010; Almotairi, 2009), Symbolic Aggregate Approximation (Thonnard & Dacier, 2008) and feature correlation (Pham & Dacier, 2011). All of them indicate that the forensic examination of honeypot data is executable by standard data mining techniques. ...
... In addition to this session analysis based on login or behaviour characteristics, there are also works that introduce mathematical and machine learning-based concepts for session discovery. Methods that have been used for knowledge discovery are Significant Event Discovery [17], Long-Range Dependence [18], Support Vector Machines [19], Principal Component Analysis [20], Symbolic Aggregate approximation [21] and Time-/Internet Protocol (IP) address based correlations of botnet activities [22]. After the data has been surveyed, it is critical to visualise the results. ...
... Publicly available datasets were explored to verify the effectiveness of our proposed method on a real dataset as well as KDD Cup'99. Because real world network communications usually contain less than 1% attack [29], we concentrated on datasets whose attack rate is close to 1%. DefCon [31] contains only attacks that are created for competitions that are conducted yearly. ...
... The dataset is based on different attack scenarios. However, it is different from real world network traffic because over 40% of the dataset contains attacks, whereas the ratio of real world attacks is estimated to be approximately 1% [29]. ...
... On the other hand, normal traffic is generated through mail servers that were deployed into the same network as the honeypots. Even though the mail server received a small number of attacks, they were considered normal traffic [29]. The Kyoto dataset is considered a worthwhile dataset for the research community. ...
Article
Full-text available
With the increase of network components connected to the Internet, the need to ensure secure connectivity is becoming increasingly vital. Intrusion Detection Systems (IDSs) are one of the common security components that identify security violations. This paper proposes a novel multilevel hybrid classifier that uses different feature sets on each classifier. It presents the Discernibility Function based Feature Selection method and two classifiers involving multilayer perceptron (MLP) and decision tree (C4.5). Experiments are conducted on the KDD'99 Cup and ISCX datasets, and the proposal demonstrates better performance than individual classifiers and other proposed hybrid classifiers. The proposed method provides significant improvement in the detection rates of attack classes and Cost Per Example (CPE) which was the primary evaluation method in the KDD'99 Cup competition.
... An important problem in the field of intrusion detection is the management of alerts [12], as IDS tends to produce a high number of false positive alerts, as claimed by [13] [14] [15]. Most botnets generate low-volume periodic communication to the botmaster, which increases the false alarm rate and makes them harder to detect, as mentioned by [11] [16]. ...
Article
The Internet is one of the most salient services in communication. Thus, companies take this opportunity by putting critical resources online for effective business organization. This has given rise to activities of cyber criminals actuated by botnets. P2P networks have gained popularity through distributed applications such as file-sharing, web caching and network storage, whereby it is not easy to guarantee that the exchanged file is not malicious under the non-centralized authority of P2P networks. For this reason, these networks become a suitable venue for malicious software to spread. It is straightforward for attackers to target the vulnerable hosts in existing P2P networks as bot candidates and build their zombie army. They can be used to compromise a host and make it become a P2P bot. In order to detect these botnets, a complete flow analysis is necessary. In this paper, we propose an automated P2P botnet detection approach based on rules, which currently focuses on P2P signature illumination. We consider both the synchronisation within a botnet and the malicious behaviour each bot exhibits at the host or network level to recognize the signature and activities in P2P botnet traffic. The rule-based approach has high detection accuracy and a low false positive rate.