Through continuous observation and modelling of normal behaviour in networks, an Anomaly-based Network Intrusion Detection System (A-NIDS) offers a way to find possible threats through deviation from the normal model. Analysing network traffic with a time-series model has the advantage of exploiting the relationship between packets within the traffic and observing trends in behaviour over a period of time. It generates new sequences with good features that support anomaly detection in network traffic and provides the ability to detect new attacks. Besides, an anomaly detection technique that focuses on the normal data and aims to build a description of it is an effective technique for anomaly detection in imbalanced data. In this paper, we propose a combined model of a Long Short-Term Memory (LSTM) architecture for processing time series and Support Vector Data Description (SVDD) for anomaly detection in A-NIDS, to obtain the advantages of both. In this model the parameters of the LSTM and the SVDD are trained together with a joint optimization method. Our experimental results on the KDD99 dataset show that the proposed combined model obtains high performance in intrusion detection, especially for DoS and Probe attacks, with 98.0% and 99.8%, respectively.
AUTHENTICATION USING TRUST TO DETECT MISBEHAVING NODES IN MOBILE AD HOC NETWO... - IJNSA Journal
Providing security in a Mobile Ad Hoc Network is a crucial problem due to its open shared wireless medium,
multi-hop and dynamic nature, constrained resources, and lack of administration and cooperation.
Traditionally, routing protocols are designed to cope with the routing operation, but in practice they may be
affected by misbehaving nodes that try to disturb the normal routing operations by launching
different attacks with the intention of minimizing or collapsing overall network performance. Therefore,
detecting a trusted node means ensuring authentication, and secure routing can be expected. In this
article we propose a Trust and Q-learning based Security (TQS) model to detect misbehaving
nodes over the Ad Hoc On-Demand Distance-Vector (AODV) routing protocol. Here we avoid misbehaving
nodes by calculating an aggregated reward, based on the Q-learning mechanism, from their historical
forwarding and responding behaviour; in this way misbehaving nodes can be isolated.
USING A DEEP UNDERSTANDING OF NETWORK ACTIVITIES FOR SECURITY EVENT MANAGEMENT - IJNSA Journal
With the growing deployment of host-based and network-based intrusion detection systems in increasingly
large and complex communication networks, managing the low-level alerts from these systems becomes
critically important. Probes of multiple distributed firewalls (FWs), intrusion detection systems (IDSs) or
intrusion prevention systems (IPSs) are collected throughout a monitored network, so that large series of
alerts (alert streams) need to be fused. An alert indicates an abnormal behaviour, which could potentially be
a sign of an ongoing cyber attack. Unfortunately, in a real data communication network, administrators
cannot manage the large number of alerts occurring per second, in particular since most alerts are false
positives. Hence, an emerging track of security research has focused on alert correlation to better distinguish
true positives from false positives. To achieve this goal we introduce Mission Oriented Network Analysis
(MONA). This method builds on data correlation to derive network dependencies and manages security
events by linking incoming alerts to those network dependencies.
Nowadays technology is improving day by day. Wired networks have given way to wireless networks, which have many advantages over wired ones. One of the main advantages is that we can walk around freely in a network area and access the internet. Security is one of the challenging issues. An Intrusion Detection System is one of the systematic ways to detect malicious nodes in a mobile ad hoc network (MANET), which is driven by battery power. This paper gives a survey of various intrusion detection systems in MANETs. Praveen Mourya | Prof. Avinash Sharma, "Review on Intrusion Detection in MANETs", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-4 | Issue-2, February 2020, URL: https://www.ijtsrd.com/papers/ijtsrd29970.pdf
Paper URL: https://www.ijtsrd.com/engineering/computer-engineering/29970/review-on-intrusion-detection-in-manets/praveen-mourya
ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S... - ijcseit
Millions of people all over the world are now connected to the Internet for doing business. Therefore, the
demand for Internet and web-based services continues to grow, and the required infrastructure needs to be
installed to balance the computing load. In spite of the success of this new infrastructure, it is susceptible to several critical
malfunctions. Therefore, to guarantee secure operations on the network and its data, several solutions need
to be developed, and researchers are working in this direction to find better solutions for security.
In a distributed environment, security is the most crucial problem during the management of resources, both computing and networking,
including resource allocation and resource utilization. In this paper, an
extensive review has been made of the different security aspects, the different types of attack, and the techniques to
sustain and block attacks in the distributed environment.
A New Way of Identifying DOS Attack Using Multivariate Correlation Analysis - ijceronline
Balancing Trade-off between Data Security and Energy Model for Wireless Senso... - IJECEIAES
The extensive effort to evolve routing protocols that ensure optimal data delivery in an energy-efficient way is beneficial only if an additional security process is synchronized with them. However, the security process introduces additional overhead, so a security mechanism is needed that accomplishes the optimal trade-off between security and resource utilization, especially energy. The prime purpose of this paper is to develop a security process in the context of wireless sensor networks (WSN) by introducing two types of sensor node deployed with different capabilities. The proposed algorithm, Novel Model of Secure Paradigm (N-MSP), is further integrated with the WSN. This algorithm uses Hash-based Message Authentication Code (HMAC) authentication followed by pairwise key establishment during the data aggregation process in a WSN. Extensive simulation carried out in the numerical platform MATLAB shows that the proposed N-MSP achieves optimal processing time along with energy-efficient pairwise key establishment during the data aggregation process.
Preemptive modelling towards classifying vulnerability of DDoS attack in SDN ... - IJECEIAES
Software-Defined Networking (SDN) has become an essential networking concept for escalating the networking capabilities demanded by the future internet, which is immensely distributed in nature. Being a novel concept in the field of networking, it is still shrouded with security problems. The Distributed Denial-of-Service (DDoS) attack is found to be one of the prominent problems in the SDN environment. After reviewing existing research solutions for resisting DDoS attacks in SDN, it is found that many open-ended issues remain. Therefore, these issues are identified and addressed in this paper in the form of a preemptive security model. Different from existing approaches, this model is capable of identifying any malicious activity that leads to a DDoS attack by correctly classifying the attack strategy using a machine learning approach. The paper also discusses which machine learning classifiers are most effective against DDoS attacks.
Modelling of A Trust and Reputation Model in Wireless Networks - ijeei-iaes
Security is the major challenge for Wireless Sensor Networks (WSNs). The sensor nodes are deployed in an uncontrolled environment, facing the danger of information leakage, adversary attacks and other threats. Trust and reputation models are solutions to this problem and can identify malicious, selfish and compromised nodes. This paper aims to evaluate the effect of varying collusion with respect to static (SW), dynamic (DW), static with collusion (SWC), dynamic with collusion (DWC) and oscillating wireless sensor networks to derive the joint result of the Eigen Trust Model. This is done by comparing the aforementioned networks, which are purely dedicated to protecting WSNs from adversary attacks and maintaining security. The comparison was made with respect to accuracy and path length, and it was found that collusion in wireless sensor networks seems intractable for the static and dynamic WSNs when varied with a specified number of fraudulent nodes in the scenario. Additionally, it consumes more energy and resources in oscillating and collusive environments.
Defending against collaborative attacks - ranjith kumar
JPN1422 Defending Against Collaborative Attacks by Malicious Nodes in MANETs... - chennaijp
CLASSIFICATION PROCEDURES FOR INTRUSION DETECTION BASED ON KDD CUP 99 DATA SET - IJNSA Journal
In a network security framework, intrusion detection is a benchmark component and a fundamental way to protect computers from many threats. The main issue in intrusion detection is the huge number of false alerts; this issue motivates many experts to seek ways of minimizing false alerts using data mining, which is considered an analysis procedure suited to large data sets such as KDD CUP 99. This paper reviews various data mining classification procedures for handling false alerts in intrusion detection. The results of testing many data mining procedures on KDD CUP 99 show that no individual procedure can reveal every attack class with high accuracy and without false alerts. The best accuracy, 92%, is obtained with the Multilayer Perceptron; however, the best training time, 4 seconds, is obtained with the rule-based model. It is concluded that various procedures should be combined to handle the different kinds of network attacks.
Improving Network Security in MANETS using IEEACK - ijsrd.com
Mobile ad hoc networks (MANETs) have attracted much attention due to their mobility and ease of deployment. However, their wireless and dynamic nature renders them more vulnerable to various types of security attacks than wired networks. The major challenge is to guarantee secure network services. We have identified the inadequacy of EAACK in scenarios of link breakage, source maliciousness and partial packet dropping, and hence we propose an improved algorithm, called improved EAACK (IEEACK), to tackle these security issues. The high mobility of MANET nodes contributes to frequent link breakages in the network, which lead to path failures and route discovery processes. Route discovery is usually initiated through a broadcast mechanism, but the overhead this creates cannot be neglected. The simulation results show that the IEEACK scheme can prevent attacks from malicious nodes and improve the security performance of the whole network, especially in terms of packet delivery ratio, average end-to-end delay, routing packet overhead and detection ratio of malicious nodes.
PERFORMANCE ANALYSIS OF THE NEIGHBOR WEIGHT TRUST DETERMINATION ALGORITHM IN ... - IJNSA Journal
Mobile ad-hoc networks (MANETs) are susceptible to attacks by malicious nodes that could easily bring down the whole network. Therefore, it is important to have a reliable mechanism for detecting and isolating malicious nodes before they can do any harm to the network. One of the possible mechanisms is by using trust-based routing protocols. One of the main requirements of such protocols is to have a cost-effective trust determination algorithm. This paper presents the performance analysis of a recently developed trust determination algorithm, namely, the neighbor-weight trust determination (NWTD) algorithm. The performance of the algorithm is evaluated through simulation using the MANET simulator (MANSim). The simulation results demonstrated the reliability and effectiveness of the algorithm in identifying and isolating any maliciously behaving node(s) in a timely manner.
TRUST ORIENTED SECURITY FRAMEWORK FOR AD HOC NETWORK - cscpconf
An ad hoc network is a group of wireless mobile hosts that are connected momentarily through
wireless connections in the absence of any centralized control or supporting services. The
mobile ad hoc network is put at risk by its environment because of vulnerabilities at the channel and
node level. Conventional security mechanisms deal only with protecting resources from unauthorized access, but are not capable of safeguarding the network from those who offer resources. Adding trust to the existing security infrastructures would improve the security of these environments. A trust oriented security framework for ad hoc networks using an ontological engineering approach is proposed by modelling the ad hoc network, the OLSR (Optimized Link State Routing) protocol and the trust model as OWL (Ontology Web Language) ontologies, which are integrated using Jena. In this model, a trustor can calculate its trust in a trustee and use the calculated trust values to decide, depending on the context of the application or interaction, whether to grant or reject it. A number of experiments with a prototype implementation of the suggested framework are performed to validate that it exhibits the characteristics of a trust oriented model described in the literature.
n-Tier Modelling of Robust Key management for Secure Data Aggregation in Wire... - IJECEIAES
Security problems in Wireless Sensor Networks (WSN) have been researched for more than a decade. Various security approaches have evolved to resist different forms of attack using different methodologies. After reviewing the existing security approaches, it can be concluded that they are highly attack-specific and do not address various associated issues in WSN. It is essential for a security approach to be computationally lightweight. Therefore, this paper presents a novel analytical model based on an n-tier approach, with the goal of generating an optimized secret key that ensures a higher degree of security during the process of data aggregation in WSN. The study outcome shows that the proposed system is computationally lightweight, with good performance in terms of reduced delay and reduced energy consumption. It also exhibits enhanced response time and good data delivery performance, balancing the need for security against data forwarding performance in WSN.
DATA AGGREGATION AND PRIVACY FOR POLICE PATROLS - ijasuc
With a widespread growth in the potential applications of Wireless Sensor Networks, the need for reliable
security mechanisms for them has increased manifold. This paper proposes a scheme, Privacy for Police
Patrols (PPP), to provide secure data aggregation that relies on multilevel routing. Privacy factors have
been identified and implemented. Aggregates are prepared and the summary of information is gathered
and stored in a repository. The above defined approaches are integrated in police patrol applications and
preliminary results are obtained.
New kinds of intrusions cause deviations in the normal behaviour of traffic flow in
computer networks every day. This study focused on enhancing the learning capabilities of an IDS
to detect the anomalies present in a network traffic flow by comparing the k-means approach of
data mining for intrusion detection with the outlier detection approach. The k-means approach
uses clustering mechanisms to group the traffic flow data into normal and abnormal clusters.
Outlier detection calculates an outlier score (neighbourhood outlier factor (NOF)) for each flow
record, whose value decides whether a traffic flow is normal or abnormal. These two methods
were then compared in terms of various performance metrics and the amount of computer
resources consumed by them. Overall, k-means was more accurate and precise and had a better
classification rate than outlier detection for intrusion detection using traffic flows. This will help
systems administrators in their choice of IDS.
Routing and Security Issues for Trust Based Framework in Mobile Ad Hoc Networks - iosrjce
A NOVEL TWO-STAGE ALGORITHM PROTECTING INTERNAL ATTACK FROM WSNS - IJCNC
Wireless sensor networks (WSNs) consist of small nodes with constrained capabilities. They enable numerous
applications with a distributed network infrastructure. Because of its nature and application scenarios, the security of
WSNs has drawn great attention. In malicious environments, security mechanisms are essential for a functional WSN.
Malicious or internal attackers have gained attention as the most challenging attackers against
WSNs. Much work has been done to secure WSNs from internal attacks, but most of it relies on either
a training data set or predefined thresholds. It is a great challenge to find or gain knowledge about the
malicious nodes. In this paper, we develop the algorithm in two stages. Initially, an Abnormal Behaviour
Identification Mechanism (ABIM), which uses cosine similarity, is applied. Finally, Dempster-Shafer theory (DST) is
used, which combines multiple pieces of evidence to identify the malicious or internal attacks in a WSN. In this
method we do not need any predefined threshold or training data set for the nodes.
SECURED AODV TO PROTECT WSN AGAINST MALICIOUS INTRUSION - IJNSA Journal
One of the security issues in Wireless Sensor Networks (WSN) is intrusion detection. In this paper, we propose a new defence mechanism based on the Ad hoc On-Demand Vector (AODV) routing protocol. AODV is a reactive protocol designed for ad hoc networks and has excellent flexibility to be adapted into a new secure version. The main objective of the proposed secured AODV routing protocol is to protect WSNs against malicious intrusion and defend against adversary attacks. This secured AODV protocol works well with WSN dynamics and topology changes under limited available resources. It establishes secure multi-hop routing between sensor nodes with high confidence, integrity, and availability. The secured AODV utilizes an existing intrusion dataset that facilitates new collection from all the packets exchanged in the network. The protocol monitors end-to-end delay and avoids any additional overhead on message transfer between sensor nodes. The experimental results showed that this secured AODV can be used to fight against malicious attacks such as black hole attacks and to avoid the large transmission delays they cause.
A NOVEL HEADER MATCHING ALGORITHM FOR INTRUSION DETECTION SYSTEMS - IJNSA Journal
The evolving necessity of the Internet increases the demand on bandwidth, and this demand in turn opens the doors for the hacker community to develop new methods and techniques to gain control over networked systems. Intrusion detection systems (IDS) have become insufficient to prevent or detect unauthorized access to the network. The Network Intrusion Detection System (NIDS) is one example that still suffers from performance degradation due to the increase in link speed in today's networks. In this paper we propose a novel algorithm to detect intruders trying to gain access to the network using the packet header parameters, such as
source/destination address, source/destination port, and protocol, without the need to inspect each packet's content looking for signatures or patterns. The "Packet Header Matching" algorithm enhances the overall speed of the matching process between incoming packet headers and the rule set. We ran the proposed algorithm to prove the concept in coping with traffic arrival speeds and various bandwidth demands. The achieved results show a significant enhancement of overall performance in terms of detection speed.
APPLICATION-LAYER DDOS DETECTION BASED ON A ONE-CLASS SUPPORT VECTOR MACHINE - IJNSA Journal
The application-layer Distributed Denial-of-Service (DDoS) attack takes advantage of the complexity and
diversity of network protocols and services. This kind of attack is more difficult to prevent than other kinds
of DDoS attacks. This paper introduces a novel detection mechanism for application-layer DDoS attacks
based on a One-Class Support Vector Machine (OC-SVM). The support vector machine (SVM) is a relatively
new machine learning technique based on statistics. OC-SVM is a special variant of the SVM and, since
only normal data is required for training, it is effective for detection of application-layer DDoS attacks.
In this detection strategy, we first extract 7 features from normal users' sessions. Then, we build normal
users' browsing models using OC-SVM. Finally, we use these models to detect application-layer DDoS
attacks. Numerical results based on simulation experiments demonstrate the efficacy of our detection
method.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
Preemptive modelling towards classifying vulnerability of DDoS attack in SDN ...IJECEIAES
Software-Defined Networking (SDN) has become an essential networking concept towards escalating the networking capabilities that are highly demanded future internet system, which is immensely distributed in nature. Owing to the novel concept in the field of network, it is still shrouded with security problems. It is also found that the Distributed Denial-of-Service (DDoS) attack is one of the prominent problems in the SDN environment. After reviewing existing research solutions towards resisting DDoS attack in SDN, it is found that still there are many open-end issues. Therefore, these issues are identified and are addressed in this paper in the form of a preemptive model of security. Different from existing approaches, this model is capable of identifying any malicious activity that leads to a DDoS attack by performing a correct classification of attack strategy using a machine learning approach. The paper also discusses the applicability of best classifiers using machine learning that is effective against DDoS attack.
Modelling of A Trust and Reputation Model in Wireless Networksijeei-iaes
Security is the major challenge for Wireless Sensor Networks (WSNs). The sensor nodes are deployed in non controlled environment, facing the danger of information leakage, adversary attacks and other threats. Trust and Reputation models are solutions for this problem and to identify malicious, selfish and compromised nodes. This paper aims to evaluate varying collusion effect with respect to static (SW), dynamic (DW), static with collusion (SWC), dynamic with collusion (DWC) and oscillating wireless sensor networks to derive the joint resultant of Eigen Trust Model. An attempt has been made for the same by comparing aforementioned networks that are purely dedicated to protect the WSNs from adversary attacks and maintain the security issues. The comparison has been made with respect to accuracy and path length and founded that, collusion for wireless sensor networks seems intractable with the static and dynamic WSNs when varied with specified number of fraudulent nodes in the scenario. Additionally, it consumes more energy and resources in oscillating and collusive environments.
Defending against collaborative attacks (ranjith kumar)
CLASSIFICATION PROCEDURES FOR INTRUSION DETECTION BASED ON KDD CUP 99 DATA SET (IJNSA Journal)
In a network security framework, intrusion detection is a benchmark part and a fundamental way to protect PCs from many threats. The major issue in intrusion detection is the huge number of false alerts; this issue motivates several experts to discover solutions for minimizing false alerts using data mining, which is considered an analysis procedure utilized on large data such as KDD CUP 99. This paper reviews various data mining classification procedures for handling false alerts in intrusion detection. According to the results of testing many data mining procedures on KDD CUP 99, no individual procedure can reveal all attack classes with high accuracy and without false alerts. The best accuracy, in the Multilayer Perceptron, is 92%; however, the best training time, in the rule-based model, is 4 seconds. It is concluded that various procedures should be utilized to handle the several kinds of network attacks.
Improving Network Security in MANETS using IEEACK (ijsrd.com)
Mobile ad hoc networks (MANETs) have attracted much attention due to their mobility and ease of deployment. However, the wireless and dynamic natures render them more vulnerable to various types of security attacks than the wired networks. The major challenge is to guarantee secure network services. We have identified the inadequate nature of EAACK in scenarios of link breakage, source maliciousness and partial packet dropping and hence we propose an improved algorithm called improved EAACK to tackle the security issues. High mobility of MANET nodes contributes to frequent link breakages in the network, which leads to path failures and route discovery processes. Route discovery is initialized through a broadcast mechanism usually. But, the overheads created through this cannot be neglected. The simulation results show that IEEACK scheme can prevent attacks from malicious nodes and improve the security performance of the whole network, especially in terms of the packet delivery ratio, the average end-to-end delay, the routing packet overhead and detection ratio of malicious nodes.
PERFORMANCE ANALYSIS OF THE NEIGHBOR WEIGHT TRUST DETERMINATION ALGORITHM IN ... (IJNSA Journal)
Mobile ad-hoc networks (MANETs) are susceptible to attacks by malicious nodes that could easily bring down the whole network. Therefore, it is important to have a reliable mechanism for detecting and isolating malicious nodes before they can do any harm to the network. One of the possible mechanisms is by using trust-based routing protocols. One of the main requirements of such protocols is to have a cost-effective trust determination algorithm. This paper presents the performance analysis of a recently developed trust determination algorithm, namely, the neighbor-weight trust determination (NWTD) algorithm. The performance of the algorithm is evaluated through simulation using the MANET simulator (MANSim). The simulation results demonstrated the reliability and effectiveness of the algorithm in identifying and isolating any maliciously behaving node(s) in a timely manner.
TRUST ORIENTED SECURITY FRAMEWORK FOR AD HOC NETWORK (cscpconf)
An ad hoc network is a group of wireless mobile hosts that are connected momentarily through wireless connections in the dearth of any centralized control or supporting services. The mobile ad hoc network is at risk from its environment because of vulnerabilities at the channel and node level. Conventional security mechanisms deal only with protecting resources from unauthorized access, but are not capable of safeguarding the network from those who offer resources. Adding trust to the existing security infrastructures would improve the security of these environments. A trust oriented security framework for ad hoc networks using an ontological engineering approach is proposed by modeling the ad hoc network, the OLSR (Optimized Link State Routing) protocol and the trust model as OWL (Ontology Web Language) ontologies, which are integrated using Jena. In this model, a trustor can calculate its trust about a trustee and use the calculated trust values to make decisions, depending on the context of the application or interaction, about granting or rejecting it. A number of experiments with a potential implementation of the suggested framework are performed to validate the characteristics of a trust oriented model suggested by the literature.
n-Tier Modelling of Robust Key management for Secure Data Aggregation in Wire... (IJECEIAES)
Security problems in Wireless Sensor Networks (WSN) have been researched for more than a decade. Various security approaches are evolving towards resisting various forms of attack using different methodologies. After reviewing the existing security approaches, it can be concluded that such security approaches are highly attack-specific and do not address various associated issues in WSN. It is essential for a security approach to be computationally lightweight. Therefore, this paper presents a novel analytical model that is based on an n-tier approach with the target of generating an optimized secret key that could ensure a higher degree of security during the process of data aggregation in WSN. The study outcome shows that the proposed system is computationally lightweight, with good performance on reduced delay and reduced energy consumption. It also exhibits enhanced response time and good data delivery performance to balance the need for security and data forwarding performance in WSN.
DATA AGGREGATION AND PRIVACY FOR POLICE PATROLS (ijasuc)
With a widespread growth in the potential applications of Wireless Sensor Networks, the need for reliable
security mechanisms for them has increased manifold. This paper proposes a scheme, Privacy for Police
Patrols (PPP), to provide secure data aggregation that relies on multilevel routing. Privacy factors have
been identified and implemented. Aggregates are prepared and the summary of information is gathered
and stored in a repository. The above defined approaches are integrated in police patrol applications and
preliminary results are obtained.
New kinds of intrusions cause deviations in the normal behaviour of traffic flow in
computer networks every day. This study focused on enhancing the learning capabilities of IDS
to detect the anomalies present in a network traffic flow by comparing the k-means approach of
data mining for intrusion detection and the outlier detection approach. The k-means approach
uses clustering mechanisms to group the traffic flow data into normal and abnormal clusters.
Outlier detection calculates an outlier score (neighbourhood outlier factor (NOF)) for each flow
record, whose value decides whether a traffic flow is normal or abnormal. These two methods
were then compared in terms of various performance metrics and the amount of computer
resources consumed by them. Overall, k-means was more accurate and precise and had a better
classification rate than outlier detection in intrusion detection using traffic flows. This will help
systems administrators in their choice of IDS.
Routing and Security Issues for Trust Based Framework in Mobile Ad Hoc Networks (iosrjce)
A NOVEL TWO-STAGE ALGORITHM PROTECTING INTERNAL ATTACK FROM WSNS (IJCNC)
Wireless sensor networks (WSNs) consist of small nodes with constrained capabilities. They enable numerous applications with a distributed network infrastructure. Because of their nature and application scenarios, the security of WSNs has drawn great attention. In malicious environments, security mechanisms are essential for a functional WSN. Malicious or internal attackers have gained attention as the most challenging attacks on WSNs. Many works have been done to secure WSNs from internal attacks, but most of them rely on either a training data set or predefined thresholds. It is a great challenge to find or gain knowledge about the malicious nodes. In this paper, we develop the algorithm in two stages. Initially, an Abnormal Behaviour Identification Mechanism (ABIM), which uses cosine similarity, is applied. Finally, Dempster-Shafer theory (DST) is used to combine multiple pieces of evidence to identify the malicious or internal attacks in a WSN. In this method we do not need any predefined threshold or training data set for the nodes.
SECURED AODV TO PROTECT WSN AGAINST MALICIOUS INTRUSION (IJNSA Journal)
One of the security issues in Wireless Sensor Networks (WSN) is intrusion detection. In this paper, we propose a new defence mechanism based on the Ad hoc On-Demand Vector (AODV) routing protocol. AODV is a reactive protocol designed for ad hoc networks and has excellent flexibility to be adapted into a new secure version. The main objective of the proposed secured AODV routing protocol is to protect WSN against malicious intrusion and defend against adversary attacks. This secured AODV protocol works well with the WSN dynamics and topology changes due to limited available resources. It establishes secure multi-hop routing between sensor nodes with high confidence, integrity, and availability. The secured AODV utilizes an existing intrusion dataset that facilitates new collection from all the exchanged packets in the network. The protocol monitors end-to-end delay and avoids any additional overhead on message transfer between sensor nodes. The experimental results showed that this secured AODV could be used to fight against malicious attacks such as black hole attacks and avoid the large transmission delays they cause.
A NOVEL HEADER MATCHING ALGORITHM FOR INTRUSION DETECTION SYSTEMS (IJNSA Journal)
The evolving necessity of the Internet increases the demand on bandwidth. Therefore, this demand opens the doors for the hackers' community to develop new methods and techniques to gain control over networking systems. Hence, intrusion detection systems (IDS) are insufficient to prevent/detect unauthorized access to the network. The Network Intrusion Detection System (NIDS) is one example that still suffers from performance degradation due to the increase of link speed in today's networks. In this paper we propose a novel algorithm to detect intruders who are trying to gain access to the network using the packet header parameters, such as source/destination address, source/destination port, and protocol, without the need to inspect each packet's content looking for signatures/patterns. The "Packet Header Matching" algorithm enhances the overall speed of the matching process between the incoming packet headers and the rule set. We ran the proposed algorithm to prove the proposed concept in coping with the traffic arrival speeds and the various bandwidth demands. The achieved results showed a significant enhancement of the overall performance in terms of detection speed.
APPLICATION-LAYER DDOS DETECTION BASED ON A ONE-CLASS SUPPORT VECTOR MACHINE (IJNSA Journal)
Application-layer Distributed Denial-of-Service (DDoS) attack takes advantage of the complexity and
diversity of network protocols and services. This kind of attack is more difficult to prevent than other kinds
of DDoS attacks. This paper introduces a novel detection mechanism for application-layer DDoS attack
based on a One-Class Support Vector Machine (OC-SVM). Support vector machine (SVM) is a relatively
new machine learning technique based on statistics. OC-SVM is a special variant of the SVM and since
only the normal data is required for training, it is effective for detection of application-layer DDoS attack.
In this detection strategy, we first extract 7 features from normal users’ sessions. Then, we build normal
users’ browsing models by using OC-SVM. Finally, we use these models to detect application-layer DDoS
attacks. Numerical results based on simulation experiments demonstrate the efficacy of our detection
method.
HOW TO DETECT MIDDLEBOXES: GUIDELINES ON A METHODOLOGY (cscpconf)
Internet middleboxes such as VPNs, firewalls, and proxies can significantly change the handling of traffic streams. They play an increasingly important role in various types of IP networks. If end hosts can detect them, these hosts can make beneficial, and in some cases crucial, improvements in security and performance. But because middleboxes have widely varying behavior and effects on the traffic they handle, no single technique has been discovered that can detect all of them.
Devising a detection mechanism to detect any particular type of middlebox interference involves many design decisions and has numerous dimensions. One approach to assist with the complexity of this process is to provide a set of systematic guidelines. This paper is the first attempt to introduce a set of general guidelines (as well as the rationale behind them) to assist researchers with devising methodologies for end-hosts to detect middleboxes. The guidelines presented here take some inspiration from the previous work of other researchers using various and often ad hoc approaches. These guidelines, however, are mainly based on our own experience with research on the detection of middleboxes. To assist researchers in using these guidelines, we also provide an example of how to bring them into play for the detection of network compression.
An Efficient Mechanism of Handling MANET Routing Attacks using Risk Aware Mit... (IJMER)
A NOVEL ALERT CORRELATION TECHNIQUE FOR FILTERING NETWORK ATTACKS (IJNSA Journal)
Alert correlation is a high-level alert evaluation technique for managing large volumes of irrelevant and redundant intrusion alerts raised by Intrusion Detection Systems (IDSs). Recent trends show that pure intrusion detection can no longer satisfy the security needs of organizations. One problem with existing alert correlation techniques is that they group related alerts together without taking their severity into consideration. This paper proposes a novel alert correlation technique that can filter unnecessary and low-impact alerts from a large volume of intrusion alerts. The proposed technique is based on a supervised feature selection method that uses class type to define the correlation between alerts. Alerts of similar class type are identified using a class label. Class types are further classified based on their metric ranks of low, medium and high level. Findings show that the technique is able to detect and report high-level intrusions.
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI... (IJNSA Journal)
Intrusion Detection and/or Prevention Systems (IDPS) represent an important line of defence against a variety of attacks that can compromise the security and proper functioning of an enterprise information system. Along with the widespread evolution of new emerging services, the quantity and impact of attacks have continuously increased; attackers continuously find vulnerabilities at various levels, from the network itself to the operating system and applications, and exploit them to crack systems and services. Network defence and network monitoring have become essential components of computer security to predict and prevent attacks. Unlike a traditional Intrusion Detection System (IDS), an Intrusion Detection and Prevention System (IDPS) has additional features to secure computer networks.
In this paper, we present a detailed study of how the deployment of an IDPS plays a key role in its performance and its ability to detect and prevent known as well as unknown attacks. We categorize IDPS based on deployment as Network-based, Host-based, Perimeter-based and Hybrid. A detailed comparison is shown in this paper and finally we justify our proposed solution, which deploys agents at host level to give better performance in terms of a reduced rate of false positives and accurate detection and prevention.
ATTACK DETECTION AVAILING FEATURE DISCRETION USING RANDOM FOREST CLASSIFIER (CSEIJJournal)
The widespread use of the Internet has an adverse effect of being vulnerable to cyber attacks. Defensive
mechanisms like firewalls and IDSs have evolved with a lot of research contributions happening in these
areas. Machine learning techniques have been successfully used in these defense mechanisms especially
IDSs. Although they are effective to some extent in identifying new patterns and variants of existing
malicious patterns, many attacks are still left as undetected. The objective is to develop an algorithm for
detecting malicious domains based on passive traffic measurements. In this paper, an anomaly-based
intrusion detection system based on an ensemble based machine learning classifier called Random Forest
with gradient boosting is deployed. NSL-KDD cup dataset is used for analysis and out of 41 features, 32
features were identified as significant using feature discretion. Our observations confirm the conjecture
that both the feature selection and stochastic based genetic operators improve the accuracy and the
effectiveness. The training time is shown to be reduced tremendously by 98.59% and accuracy improved to
98.75%.
CROSS LAYER INTRUSION DETECTION SYSTEM FOR WIRELESS SENSOR NETWORK (IJNSA Journal)
Wireless sensor networks (WSNs) are particularly vulnerable to various attacks at different layers of the protocol stack. Many intrusion detection systems (IDSs) have been proposed to secure WSNs, but all these systems operate in a single layer of the OSI model, or do not consider the interaction and collaboration between these layers. Consequently these systems are mostly inefficient and would drain the WSN. In this paper we propose a new intrusion detection system based on cross-layer interaction between the network, MAC and physical layers. Indeed, we have addressed the problem of intrusion detection in a different way, in which the concept of cross-layer design is widely used, leading to the birth of a new type of IDS. We have experimentally evaluated our system using the NS simulator to demonstrate its effectiveness in detecting different types of attacks at multiple layers of the OSI model.
AN IMPROVED WATCHDOG TECHNIQUE BASED ON POWER-AWARE HIERARCHICAL DESIGN FOR I... (IJNSA Journal)
Preserving security and confidentiality in wireless sensor networks (WSNs) is crucial. Wireless sensor networks, in comparison with wired networks, are substantially more vulnerable to attacks and intrusions. In a WSN, a third party can eavesdrop on the information or link to the network. So, preventing these intrusions by detecting them has become one of the most demanding challenges. This paper proposes an improved watchdog technique as an effective technique for detecting malicious nodes based on a power-aware hierarchical model. This technique overcomes the common problems in the original Watchdog mechanism. The main purpose of presenting this model is reducing the power consumption as a key factor for increasing the network's lifetime. For this reason, we simulated our model with the TinyOS simulator and then compared our results with the non-hierarchical model to ensure the improvement. The results indicate that our proposed model performs better than the original models and has increased the lifetime of the wireless sensor nodes by around 2611.492 seconds for a network with 100 sensors.
A COMBINATION OF TEMPORAL SEQUENCE LEARNING AND DATA DESCRIPTION FOR ANOMALY-BASED NIDS
International Journal of Network Security & Its Applications (IJNSA) Vol. 11, No.3, May 2019
DOI: 10.5121/ijnsa.2019.11307
Nguyen Thanh Van (1,2), Tran Ngoc Thinh (1), Le Thanh Sach (1)
(1) Faculty of Computer Science and Engineering, Ho Chi Minh City University of Technology, VNUHCM, Vietnam.
(2) Ho Chi Minh City University of Technology and Education, Vietnam.
ABSTRACT
Through continuous observation and modelling of normal behavior in networks, Anomaly-based Network
Intrusion Detection System (A-NIDS) offers a way to find possible threats via deviation from the normal
model. The analysis of network traffic based on time series model has the advantage of exploiting the
relationship between packages within network traffic and observing trends of behaviors over a period of
time. It will generate new sequences with good features that support anomaly detection in network traffic
and provide the ability to detect new attacks. Besides, an anomaly detection technique, which focuses on
the normal data and aims to build a description of it, will be an effective technique for anomaly detection in
imbalanced data. In this paper, we propose a combination model of a Long Short Term Memory (LSTM)
architecture for processing time series and a data description, Support Vector Data Description (SVDD), for
anomaly detection in A-NIDS, to obtain the advantages of both. In this model, the parameters of the LSTM and
the SVDD are jointly trained with a joint optimization method. Our experimental results with the KDD99 dataset
show that the proposed combined model obtains high performance in intrusion detection, especially DoS
and Probe attacks with 98.0% and 99.8%, respectively.
KEYWORDS
Anomaly-based network intrusion detection system, temporal sequence, data description
1. INTRODUCTION
The growth of computer networks and the Internet has given rise to critical threats such as zero-day vulnerabilities, mobile threats, etc. Although research on cyber security has increased significantly in recent years, it only mitigates intrusions, because many new and sophisticated attacks keep appearing. A-NIDS is an efficient way to protect target systems and networks against attacks. The system finds possible threats as deviations from a normal model, or by normal/abnormal classification; therefore, it has the ability to detect attacks that are new to the system. In anomaly detection, anomalies matter because they are serious events and may be attacks that damage computers and networks. For example, an unusual traffic pattern in a network could mean that a computer has been compromised and data is being transmitted to unauthorized destinations. Different types of anomaly therefore correlate with different attacks, according to the nature of the anomaly, and A-NIDS needs to detect them.
Some existing solutions apply classic anomaly detection to make decisions based only on the traffic features of the present moment. In a network, traffic is generated by data communications over time, so there are relationships between the packets inside the traffic. Examining a single packet based on short-term features is therefore less effective for detecting attacks, especially attacks that are spread over many packets, such as APTs and DDoS, whose time horizon can span from seconds to minutes or days. In this context, Long Short Term Memory (LSTM) [1] is believed to have the unique ability to capture long-term aspects of a time series. This shows that time series analysis can be a good choice for A-NIDS, where attacks are launched as sequences of packets. LSTMs are neural models for sequential data that account for long-term dependencies in information sequences. They therefore have the ability to learn long-term dependency and context in sequential data, meaning that temporal features of the sequences are obtained. Exploiting this advantage, our proposed model uses LSTM to analyse and learn from network data, extracting temporal features by exploring the time-dependent structure in the relationships between packets of the input sequences.
A challenge in A-NIDS is that labelled normal network data is usually available while abnormal data is difficult to obtain. To eliminate bias towards the majority group, an algorithm-level solution is to apply one-class learning, which focuses on the target group and creates a data description [2]. In data description, only normal data is used to build the description, which is then applied to detect abnormal data, i.e. exceptional points that do not match the description. Data description (also called one-class classification) has several methods, such as one-class Support Vector Machine (OC-SVM) [3] and Support Vector Data Description (SVDD) [4]. OC-SVM builds a hyperplane in a feature space that separates the normal data from the origin with maximum margin, while SVDD tries to find a sphere of minimum volume containing all the data objects. One-class classifiers have a major limitation: they cannot handle dynamic systems. This can be addressed by an LSTM that converts time series into fixed-length vectors before OC-SVM or SVDD is applied. In this paper, we propose an approach combining LSTM with the one-class classification method SVDD, so that the two strategies support each other in detecting anomalies in network traffic. In particular, the parameters of the LSTM structure and of the SVDD formulation are trained together with a joint optimization method. The combination is inspired by the work in [5] from 2017, whose authors proposed a general combination model and evaluated it on datasets such as occupancy, exchange rate, HTTP and stock price data. To the best of our knowledge, this combination model is the first such work in the intrusion detection domain.
This paper is organized as follows. Section 2 discusses the background and related work. Section 3 describes our proposed combination model. Section 4 describes our experiments and results. Section 5 concludes.
2. BACKGROUND AND RELATED WORKS
2.1. TYPE OF NETWORK ANOMALY
In A-NIDS, intrusions are detected through anomaly detection, so anomaly detection techniques [6] are applicable to the intrusion detection domain. An important aspect of an anomaly detection technique is the nature of the anomaly it is meant to find. Anomalies can be classified into the following three categories. First, if an individual data instance can be considered anomalous with respect to the rest of the data, the instance is termed a point anomaly. For example, a login source that makes far more failed password attempts than the normal range of access for that user, because an attacker is guessing the password by trial and error, is a point anomaly. Second, if a data instance is anomalous only in a specific context, it is termed a contextual anomaly. Suppose an individual has a normal daily level of access to the network except at the end of the month, when it is high. A large volume of access on a day in the middle of the month would be a contextual anomaly, since it does not conform to the individual's normal behaviour in the context of time. Third, if a collection of related data instances is anomalous with respect to the entire data set, it is termed a collective anomaly. The individual data instances in a collective anomaly may not be anomalies by themselves, but their occurrence together as a collection is anomalous. In a DoS attack, multiple requests to connect to a web server form a collective anomaly while a single request is normal, so DoS attacks can be considered collective anomalies. Contextual and collective anomalies have most commonly been explored for sequence data. In the computer network domain, network traffic can be defined as a large set of network packets generated by data communications over time, so network traffic datasets can be analysed as time series. Network anomalies should be treated as contextual and collective anomalies, and countermeasures need to be applied immediately.
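As an added example (not code from the paper), two of the anomaly types above can be checked with plain detection logic over connection records. The records, field layout and thresholds below are constructed for the illustration and are not KDD99 data: a point anomaly is a single source whose failed-login count alone is far outside the normal range, and a collective anomaly is a burst of individually normal requests whose count inside a time window is abnormal, as in the DoS case.

```python
from collections import Counter

# Constructed connection records (not KDD99 data):
# (time_seconds, source_ip, destination_port, login_failed)
NORMAL = [(t * 10.0, f"10.0.0.{t % 5 + 1}", 80, 0) for t in range(100)]           # one request every 10 s
BURST = [(500.0 + k * 0.02, f"192.168.1.{k % 50 + 1}", 80, 0) for k in range(200)]  # 200 requests in 4 s
GUESSING = [(300.0 + k, "10.0.0.9", 22, 1) for k in range(8)]                       # 8 failed logins from one host
RECORDS = sorted(NORMAL + BURST + GUESSING)


def point_anomalies(records, fail_threshold=5):
    """Point anomaly: one source whose failed-login count by itself exceeds
    the normal range (threshold is an assumed baseline)."""
    failures = Counter(src for _, src, _, failed in records if failed)
    return {src for src, n in failures.items() if n > fail_threshold}


def collective_anomalies(records, window_s=10.0, rate_threshold=50):
    """Collective anomaly: every request is normal on its own, but the number
    of requests to one port inside a sliding window (t - window_s, t] is not.
    Returns (port, window_end_time, count) for every window over threshold."""
    by_port = {}
    for t, _, port, _ in records:
        by_port.setdefault(port, []).append(t)
    flagged = []
    for port, times in by_port.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while times[lo] <= t - window_s:   # drop records that left the window
                lo += 1
            count = hi - lo + 1
            if count >= rate_threshold:
                flagged.append((port, t, count))
    return flagged


def burst_summary(flagged):
    """Collapse per-record hits into one (first_time, peak_count) per port."""
    summary = {}
    for port, t, count in flagged:
        first, peak = summary.get(port, (t, 0))
        summary[port] = (min(first, t), max(peak, count))
    return summary


if __name__ == "__main__":
    print("point anomalies:", point_anomalies(RECORDS))
    print("collective anomalies:", burst_summary(collective_anomalies(RECORDS)))
```

The sliding window is the sequence view the paper argues for: a single request at 500.5 s looks like every other request, and only the count over the preceding window reveals the DoS burst, while the password-guessing host is caught from its own records alone.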
2.2. ANOMALY-BASED NIDS TECHNIQUES AND PREVIOUS WORKS
In past years, several different techniques have been used in anomaly-based NIDS [7], such as statistical-based, knowledge-based and machine learning-based methods. Almost all of these works treat anomaly detection as a classification problem that builds a model of normal network behaviour in order to detect new patterns that deviate significantly from the model. However, they do not take previous and recent events into account to learn long-term dependency and context in the network traffic. These challenges need to be scrutinized in order to improve performance and to build solutions suited to the characteristics of real network data. In general terms, all A-NIDS approaches consist of the basic stages shown in Figure 1 [8]. An A-NIDS observes changes in the data stream collected from network traffic or host activities by building a profile of the system being monitored. The profile is generated over a period of time, so the network traffic is treated as time series data. Analysing network traffic as a time series has the advantage of exploiting the relationships between packets in the traffic and observing trends in behaviour over a period of time. The temporal structure of the network traffic is then learned to extract features, which are used to build the intrusion detection model.
Figure 1. Anomaly-based NIDS architecture [8]
Recently, feature-based time series approaches have been used to extract various features from time series data and combine them for time series classification. However, these approaches rely on handcrafted methods and demand intensive pre-processing. A few attempts have been made to apply deep learning to time series processing problems. Deep learning [9] combines the feature extraction of the time series with a non-linear autoregressive model for higher-level prediction. Good feature representations are obtained from a large amount of unlabelled data, so the model can be pre-trained in a completely unsupervised fashion. In previous work [10], we applied the Auto Encoder technique to A-NIDS with the goal of learning features automatically, and our experimental results showed that it is an effective technique for accurate intrusion detection with a low error rate. LSTM, a deep neural network that improves on Recurrent Neural Networks (RNNs), is widely used for processing time series data [1]. As a more advanced RNN architecture with several control structures, LSTM uses well-designed "gate" structures to reduce the vanishing gradient problem during error back-propagation. The loss can then flow backwards through longer time steps, which enables LSTM to learn long-term dependency and context. With this advantage, LSTM has been used to learn temporal features in many image applications; for instance, Y. Feng et al. [11] proposed a new feature learning method for gait recognition that preserves the temporal information in a gait sequence, and another work [12] used the ability of LSTM units to find long temporal relations in their input sequences together with the extraction of local and dense features through convolution operations. However, the use of LSTM to learn temporal features in network security is rare. LSTM is also applied to classification and anomaly detection. Some researchers have applied LSTM to IDS: Kim et al. [13] applied LSTM with gradient descent optimization to build an effective intrusion detection classifier with an accuracy of 97.54% and a recall of 98.95%. Staudemeyer [14] evaluated the performance of LSTM networks on the KDD99 IDS dataset with satisfactory results, later improving them to a training accuracy of 93.82%. These LSTM classifiers need both normal and abnormal data for training, which is inconvenient in many imbalanced-data applications. Using LSTM to detect anomalies in computer networks, Bontemps et al. [15] trained an LSTM RNN on normal time series data before performing live prediction at each time step. Their model is built on a time series version of the KDD99 dataset, and their experiments demonstrate that reliable and efficient collective anomaly detection is possible. Cheng et al. [16] used a multi-scale LSTM model to detect anomalous Border Gateway Protocol (BGP) traffic by treating the Internet flow as a multi-dimensional time sequence and learning the traffic pattern from historical features in a sliding time window; their best result is 99.5% with a window size of 30 when detecting the Slammer anomaly. LSTM is used for anomaly detection in time series in many other domains [17].
Like most neural networks, an LSTM normally uses the Softmax function as its final output layer for prediction and the cross-entropy function to compute its loss. In this form it does not directly optimize an objective criterion for anomaly detection, which creates difficulties for the optimization problem. To solve this problem, a method was introduced that combines LSTM with another model that is specific to anomaly detection. Some works amend this norm by introducing a linear support vector machine (SVM) as the replacement for Softmax in a GRU model, such as [18], which reached a training accuracy of 81.54% and a testing accuracy of 84.15%. This work and most current research on anomaly detection are based on learning both normal and anomalous behaviour (binary classification). However, in many real anomaly detection applications, normal examples are available while abnormal data is rare or difficult to obtain. Anomaly detection techniques then cannot learn both normal and anomalous behaviour; they focus only on the normal data and build a description of it, which is then applied to detect abnormal data that does not fit the description well [19]. Learning from imbalanced data has been driven mainly by real-life applications, in which the minority class is usually the more important one, so many methods are needed to improve its recognition rate. This is closely related to our problem in intrusion detection, where normal data is often available while intrusions are rare. In network security, some works have used one-class SVM to detect anomalies in network traffic [20], achieving 71% accuracy, and in Wireless Sensor Networks [21], achieving high detection accuracy and a low false alarm rate. To address these problems, we combine LSTM and SVDD to take advantage of both strategies for detecting anomalies in network traffic.
3. PROPOSED COMBINING LSTM AND SVDD MODEL IN A-NIDS
3.1. PROPOSED COMBINATION ARCHITECTURE
In the proposed architecture in Figure 2, LSTM is used to learn the temporal structure of the network traffic data and SVDD to describe the normal examples. Many authors have studied combining a time series model with another classification algorithm to improve performance on time series classification tasks, such as [5], [18] and [22]. These works combine the time series model with an SVM, a supervised learning model that analyses data for classification and marks each example as belonging to one or the other of two classes. Such models only distinguish between two (or more) classes and cannot detect outliers that belong to none of the classes. These methods can therefore fail in many real cases, since the abnormal class vanishes as the diversity of the normal data grows. To deal with this challenge, we use SVDD as the data description, because it naturally detects anomalies among normal data that is enclosed by a boundary. SVDD [4] is motivated by the Support Vector Classifier [23]. It obtains a spherically shaped boundary around a dataset and, like the Support Vector Classifier, can be made flexible by using other kernel functions. We find a hypersphere enclosing the normal data while leaving the anomalies outside. After that, we find a decision function to determine whether a sequence of packets is anomalous or not, based on the described data.
Figure 2. The proposed combination architecture in A-NIDS.
Every sequence of packets from the network traffic data X is fed to the LSTM model. Each sequence consists of several packets, and different sequences may contain different numbers of packets:

$X = \{X_1, X_2, X_3, \dots, X_N\}$, with $N$ the number of sequences;
$X_i = \{x_{i,1}, x_{i,2}, x_{i,3}, \dots, x_{i,T_i}\}$, with $T_i$ the number of packets in sequence $i$;
$x_{i,j} \in \mathbb{R}^d$, $\forall j \in \{1, 2, 3, \dots, T_i\}$, with $d$ the number of features in a packet.

The LSTM outputs for each packet sequence are averaged by mean pooling. In this way we obtain a new sequence with many new temporal features. The new sequences are then input to the data description unit to find a decision function $y$ that determines, based on the observed data, whether a sequence of packets is anomalous or not. The function takes the value +1 for a normal sequence and -1 otherwise:

$$ y(X_i) = \begin{cases} -1 & \text{if } X_i \text{ is an anomalous sequence} \\ +1 & \text{if } X_i \text{ is a normal sequence} \end{cases} \quad (1) $$

To find this decision function, we use SVDD to find a small hypersphere enclosing the normal data while leaving the anomalies outside.
3.2. LSTM MODEL
This architecture can be seen as a deep architecture through time steps. Assume that the $i$-th packet sequence $X_i$ is fed to the LSTM model through time, with input vector $x_{i,j} \in \mathbb{R}^d$ (the $j$-th LSTM block, $d$ features). The learning parameters, weights and biases, are initialized with arbitrary values that are adjusted during training. The cell states $c_{i,j}$ of the LSTM are computed from the input vector $x_{i,j}$ and the values of the learning parameters. With $x_{i,j}$ the input vector of the $i$-th sequence at time step $j$, the equations of the $j$-th LSTM block are:

Block input: $z_{i,j} = \tanh(W_z x_{i,j} + U_z h_{i,j-1} + b_z)$ (2)
Input gate: $i_{i,j} = \mathrm{sigmoid}(W_i x_{i,j} + U_i h_{i,j-1} + b_i)$ (3)
Forget gate: $f_{i,j} = \mathrm{sigmoid}(W_f x_{i,j} + U_f h_{i,j-1} + b_f)$ (4)
Cell state: $c_{i,j} = i_{i,j} \odot z_{i,j} + f_{i,j} \odot c_{i,j-1}$ (5)
Output gate: $o_{i,j} = \mathrm{sigmoid}(W_o x_{i,j} + U_o h_{i,j-1} + b_o)$ (6)
Block output: $h_{i,j} = o_{i,j} \odot \tanh(c_{i,j})$ (7)

Here $W_{(\cdot)}$ are the rectangular input weight matrices and $U_{(\cdot)}$ the square recurrent weight matrices for the block input ($z$), input gate ($i$), forget gate ($f$) and output gate ($o$), and $b_{(\cdot)}$ are the corresponding bias vectors. Two point-wise non-linear activation functions are used: the logistic sigmoid for the gates and the hyperbolic tangent for the block input and output. Point-wise multiplication of two vectors is denoted by $\odot$. After running the LSTM blocks, we compute the average $\bar{h}_i$ of the LSTM outputs for the $i$-th packet sequence (other pooling methods, such as taking the last output as in [18] [22], or max pooling, are also possible):

$$ \bar{h}_i = \frac{1}{T_i} \sum_{j=1}^{T_i} h_{i,j} \quad (8) $$

At the end of the sequence learning stage, all output vectors $\{\bar{h}_i\}_{i=1}^{N}$ of the sequences are input to the SVDD model. The combination model uses the loss function of SVDD, with SVDD introduced as its final layer; therefore the parameters of the whole model are also learned by jointly optimizing the objective function of SVDD.
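The following Python/NumPy code is an added worked example of the block equations and the mean pooling step of this section; it is not code from the paper. One LSTM block is applied packet by packet to a sequence of feature vectors and the outputs are averaged into a single fixed-length vector, so that sequences of different lengths all produce a vector of the same size for the SVDD stage. The dimensions, the initialization (weight matrices drawn with orthonormal columns, in the form of the orthogonality constraints of Section 3.3, and biases scaled to unit norm) and the constructed input sequences are assumptions made for the illustration; the gate equations follow the text.

```python
import numpy as np


def sigmoid(x):
    return 1.0 / (1.0 + np.exp(-x))


def orthonormal_columns(shape, rng):
    """Random matrix Q with Q^T Q = I (reduced QR); needs rows >= columns."""
    q, _ = np.linalg.qr(rng.standard_normal(shape))
    return q


def is_orthonormal(M, tol=1e-9):
    return bool(np.allclose(M.T @ M, np.eye(M.shape[1]), atol=tol))


def init_lstm_params(d, m, seed=0):
    """One (W, U, b) triple per gate: W is m x d (input weights), U is m x m
    (recurrent weights), b is a bias vector scaled so that b^T b = 1.
    Assumption for this example: m >= d so that W can have orthonormal columns."""
    rng = np.random.default_rng(seed)
    params = {}
    for gate in "zifo":
        b = rng.standard_normal(m)
        params[gate] = (orthonormal_columns((m, d), rng),
                        orthonormal_columns((m, m), rng),
                        b / np.linalg.norm(b))
    return params


def lstm_step(params, x, h_prev, c_prev):
    """One LSTM block for packet x, given the previous output and cell state."""
    Wz, Uz, bz = params["z"]
    Wi, Ui, bi = params["i"]
    Wf, Uf, bf = params["f"]
    Wo, Uo, bo = params["o"]
    z = np.tanh(Wz @ x + Uz @ h_prev + bz)    # block input
    i = sigmoid(Wi @ x + Ui @ h_prev + bi)    # input gate
    f = sigmoid(Wf @ x + Uf @ h_prev + bf)    # forget gate
    c = i * z + f * c_prev                    # cell state
    o = sigmoid(Wo @ x + Uo @ h_prev + bo)    # output gate
    h = o * np.tanh(c)                        # block output
    return h, c


def lstm_mean_pool(params, seq):
    """Run the blocks over a packet sequence of any length and average the
    outputs into one fixed-length vector (mean pooling)."""
    m = params["z"][2].shape[0]
    h, c = np.zeros(m), np.zeros(m)
    outputs = []
    for x in seq:
        h, c = lstm_step(params, x, h, c)
        outputs.append(h)
    return np.mean(outputs, axis=0)


def constructed_sequences(d, seed=1):
    """Two constructed packet sequences of different lengths, d features each."""
    rng = np.random.default_rng(seed)
    return ([rng.standard_normal(d) for _ in range(5)],
            [rng.standard_normal(d) for _ in range(12)])


if __name__ == "__main__":
    p = init_lstm_params(d=4, m=6)
    short, long = constructed_sequences(4)
    print(lstm_mean_pool(p, short).shape, lstm_mean_pool(p, long).shape)
```

Because the block output is a sigmoid times a tanh, every pooled component lies strictly inside (-1, 1), which keeps the vectors handed to SVDD on a bounded scale regardless of how long the packet sequence is.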
3.3. SVDD MODEL
To detect anomalies in each sequence, we use Support Vector Data Description (SVDD), rewritten in a form comparable to the support vector classifier (SVC). It offers the ability to map the data into a new, high-dimensional feature space without extra computational cost, so more flexible descriptions can be obtained, and we show how the outlier sensitivity can be controlled in a flexible way. To describe the normal data with SVDD, we need to find a small hypersphere with radius $R$ and centre $c$ that separates the anomalies from the normal data. Objects on the boundary are the support vectors, with $\xi_i = 0$, while objects outside have $\xi_i > 0$.
To find the smallest hypersphere enclosing the normal packet sequences, we solve the following optimization problem:

$$ \min_{\theta, R, c, \xi} \; R^2 + \lambda \sum_{i=1}^{N} \xi_i \quad (9) $$
$$ \text{s.t. } \|\bar{h}_i - c\|^2 \le R^2 + \xi_i, \quad \xi_i \ge 0, \; \forall i \quad (10) $$
$$ W_{(\cdot)}^{T} W_{(\cdot)} = I, \quad U_{(\cdot)}^{T} U_{(\cdot)} = I, \quad b_{(\cdot)}^{T} b_{(\cdot)} = 1. \quad (11) $$

Here the hypersphere has centre $c$ and radius $R$; the input data $\bar{h}_i$ is the output vector of the LSTM model computed in equation (8); $N$ is the number of normal examples in the training set; $\xi_i$ are slack variables that penalize misclassification, i.e. they allow some normal data to lie in the unsafe area outside the hypersphere; $\lambda$ is the regularization parameter, the coefficient controlling the trade-off between the size of the hypersphere and the total error $\sum_i \xi_i$; and $\theta$ denotes all LSTM parameters. The free parameters $\theta, R, c, \xi$ have to be optimized while taking constraints (10) and (11) into account. The first constraint requires almost all objects to be within the sphere, while accepting that some normal data lies outside it. The second set of constraints, the orthogonality constraints, applies to the LSTM weights that produce the output vectors: keeping the weight matrices orthogonal effectively prevents the vanishing/exploding gradient problem of a conventional LSTM. An optimization algorithm minimizes the loss and adjusts the weights and biases according to the computed loss. The trained model can then be used for anomaly detection on given data with the following decision function:

$$ y(X_i) = \mathrm{sgn}\left(R^2 - \|\bar{h}_i - c\|^2\right). \quad (12) $$
3.4. TRAINING METHOD
A discussion in [5] showed that a gradient descent based training method gives higher performance thanks to its learning capability. For our problem we use a training approach based only on first-order gradients, which updates all parameters at the same time. To apply this method, however, we need an approximation of the original SVDD formulation, and we also ensure that the approximated formulation converges to the original SVDD formulation. We observe that the slack variables in constraint (10) can be incorporated into the objective (9), so the first constraint is rewritten as part of the objective function. Constraint (10) is equivalent to

$$ \xi_i = \max\{0, g_{R,c}(\bar{h}_i)\}, \quad \text{with } g_{R,c}(\bar{h}_i) = \|\bar{h}_i - c\|^2 - R^2. \quad (13) $$

We can write the slack variable $\xi_i$ as a function $F(\cdot)$:

$$ F\left(g_{R,c}(\bar{h}_i)\right) = \max\{0, g_{R,c}(\bar{h}_i)\}. \quad (14) $$

In this way, the first constraint (10) is eliminated. The learning problem is equivalent to the following constrained optimization problem over $R$, $c$ and $\theta$:

$$ \min_{\theta, R, c} \; R^2 + \lambda \sum_{i=1}^{N} F\left(g_{R,c}(\bar{h}_i)\right) \quad (15) $$
$$ W_{(\cdot)}^{T} W_{(\cdot)} = I, \quad U_{(\cdot)}^{T} U_{(\cdot)} = I, \quad b_{(\cdot)}^{T} b_{(\cdot)} = 1. \quad (16) $$

Because $F(\cdot)$ is not differentiable, we cannot optimize (15) directly with the gradient descent algorithm. One way around this obstacle is to treat the objective as a hinge loss function and solve it as such. Alternatively, we can approximate $F(\cdot)$ by a differentiable function with a smoothing parameter $\beta$ [31]:

$$ S_\beta\left(g_{R,c}(\bar{h}_i)\right) = \frac{1}{\beta} \ln\left(1 + e^{\beta\, g_{R,c}(\bar{h}_i)}\right) \quad (17) $$

where $\beta$ is the smoothing parameter, chosen so that $S_\beta(\cdot)$ converges to $F(\cdot)$. According to (17), $S_\beta(\cdot)$ converges to $F(\cdot)$ as $\beta$ increases, so in our experiments we need to choose a large value of $\beta$. As $S_\beta(g_{R,c}(\bar{h}_i))$ converges to $F(g_{R,c}(\bar{h}_i))$, the approximation $J_\beta(c, R, \theta)$ of the SVDD objective function $J(c, R, \theta)$ converges to $J(c, R, \theta)$. The optimization problem is now defined as
(18)
$$ W_{(\cdot)}^{T} W_{(\cdot)} = I, \quad U_{(\cdot)}^{T} U_{(\cdot)} = I, \quad b_{(\cdot)}^{T} b_{(\cdot)} = 1 \quad (19) $$
The parameters $c, R, \theta$ are updated until optimal values for (18) and (19) are obtained; $J(\cdot)$ is minimized with respect to $c, R, \theta$. We then use the gradient descent algorithm to train the combination model so that the parameters of both models, LSTM and SVDD ($c, R, \theta$), are jointly optimized. Each iteration cycles through the training data and applies the updates.
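As an added example, not the authors' code, the following Python/NumPy snippet carries the SVDD formulation of Sections 3.3 and 3.4 through to a working detector: the smooth approximation $S_\beta$ of the hinge term, the gradient of the approximated objective with respect to $R$ and $c$, a first-order gradient descent loop and the sign decision function. The assumptions are that the LSTM stage is replaced by fixed constructed feature vectors (so only $R$ and $c$ are trained here, not jointly with the LSTM parameters $\theta$), that the regularization parameter is set to $1/(\nu N)$ with $\nu = 0.05$, and the choices of $\beta$, learning rate and iteration count.

```python
import numpy as np


def smooth_hinge(g, beta):
    """S_beta(g) = (1/beta) ln(1 + exp(beta g)), the differentiable stand-in for
    F(g) = max(0, g); logaddexp keeps it stable for large |beta g|."""
    return np.logaddexp(0.0, beta * g) / beta


def smooth_hinge_grad(g, beta):
    """dS_beta/dg = sigmoid(beta g); tends to the step function as beta grows."""
    return 1.0 / (1.0 + np.exp(-beta * g))


def margin(H, R, c):
    """g_{R,c}(h) = ||h - c||^2 - R^2 for each row h of H."""
    return np.sum((H - c) ** 2, axis=1) - R ** 2


def svdd_objective(H, R, c, lam, beta):
    """Approximated SVDD objective R^2 + lam * sum_i S_beta(g_i)."""
    return R ** 2 + lam * np.sum(smooth_hinge(margin(H, R, c), beta))


def svdd_gradients(H, R, c, lam, beta):
    """Gradients of the approximated objective, by the chain rule through g_i:
    dg_i/dR = -2R and dg_i/dc = -2 (h_i - c)."""
    diff = H - c
    s = smooth_hinge_grad(margin(H, R, c), beta)
    dR = 2.0 * R * (1.0 - lam * np.sum(s))
    dc = -2.0 * lam * np.sum(s[:, None] * diff, axis=0)
    return dR, dc


def train_svdd(H, nu=0.05, beta=10.0, lr=0.01, epochs=500):
    """First-order gradient descent on R and c only. Assumption: the pooled LSTM
    features H are fixed here instead of being trained jointly; lam is set from
    an assumed target outlier fraction nu of the N normal training vectors."""
    lam = 1.0 / (nu * len(H))
    c = H.mean(axis=0)
    R = np.sqrt(np.max(np.sum((H - c) ** 2, axis=1)))  # start with a sphere enclosing everything
    for _ in range(epochs):
        dR, dc = svdd_gradients(H, R, c, lam, beta)
        R -= lr * dR
        c -= lr * dc
    return R, c


def decide(H, R, c):
    """Decision function: +1 inside the sphere (normal), -1 outside (anomaly)."""
    return np.where(margin(H, R, c) <= 0.0, 1, -1)


def constructed_features(n=200, d=3, seed=0):
    """Constructed stand-in for the pooled LSTM outputs: n normal vectors
    clustered around the origin, plus one far-away anomalous vector."""
    rng = np.random.default_rng(seed)
    normal = 0.3 * rng.standard_normal((n, d))
    anomaly = np.full((1, d), 3.0)
    return normal, anomaly


if __name__ == "__main__":
    H, outlier = constructed_features()
    R, c = train_svdd(H)
    inside = float(np.mean(decide(H, R, c) == 1))
    print(f"R={R:.3f}, normal inside={inside:.1%}, outlier label={int(decide(outlier, R, c)[0])}")
```

The radius gradient $2R(1 - \lambda \sum_i S'_\beta(g_i))$ makes the trade-off explicit: the sphere shrinks until the soft count of vectors outside it reaches $1/\lambda = \nu N$, so $\nu$ is the fraction of normal training sequences the description is allowed to reject. Training on normal vectors only, as in the paper, still leaves the far-away vector outside the sphere.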
4. EXPERIMENTS AND RESULTS
4.1. DATASET
The KDD99 dataset [24] is widely used as one of the few publicly available datasets for IDS problems, and it is regarded as an effective benchmark for comparing different intrusion detection methods. Although it is not an accurate real-world dataset, many papers describe their implementations on this dataset specifically. This paper uses the KDD99 dataset; however, our approach would work with any dataset that conforms to the same rules. There are many recent datasets containing more modern attacks, such as the UNSW-NB15 dataset generated for the Australian Centre for Cyber Security [25], the Intrusion Detection Evaluation Dataset (CICIDS2017), which contains benign traffic and the most up-to-date common attacks [26], and the Unified Host and Network Dataset [27], collected from the Los Alamos National Laboratory enterprise network over approximately 90 days. Most of these datasets are newer and may be more applicable to recent use cases, but they are not used as widely as KDD99.
The KDD99 dataset consists of approximately 4,900,000 single-connection records. The distribution of the data samples is shown in Table 1. Any method using this dataset must deal with the imbalanced data problem. All data is pre-processed to match the proposed detection methods.
Table 1. KDD99 dataset (DoS, Probing, R2L and U2R are the abnormal classes)

Dataset       Normal     DoS         Probing   R2L      U2R      Total
All KDD99     972,780    3,883,370   41,102    1,126    52       4,898,430
              19.859%    79.278%     0.839%    0.023%   0.001%   100%
Test KDD99    60,593     229,853     4,166     16,189   228      311,029
              19.481%    73.901%     1.339%    5.205%   0.073%   100%
4.2. EXPERIMENTS USING COMBINATION MODELS
We experiment with different combined models, ANN+SVDD and LSTM+SVDD, in several configurations (256 or 1024 nodes for the ANN, 5 or 10 time steps of look-back for the LSTM) on the same dataset: ANN_256+SVDD, ANN_1024+SVDD, LSTM_5+SVDD and LSTM_10+SVDD. We also run the single models, LSTM and SVDD, to compare them with the combined models. To evaluate the single SVDD model, each packet is taken as an input sequence to SVDD, and normal data is used to train it with a gradient descent algorithm that optimizes the parameters. For the single LSTM model, we employ the conventional Softmax function as the final output layer for prediction and the cross-entropy function for the loss. In the ANN+SVDD model, we combine a neural network with a data description model, trained with a gradient descent algorithm to optimize the parameters. To evaluate the performance of the combination model LSTM+SVDD, we use an LSTM cell with many blocks as the hidden layer that learns the time-based features, followed by the SVDD loss function with SVDD as the final layer, so that the parameters of the model are learned by jointly optimizing the SVDD objective. Each sequence, whose number of packets depends on the chosen look-back parameter, is input to the LSTM structure. Thanks to the LSTM structure, the model can process such sequences into fixed-length vectors, which supports the SVDD, which cannot process these sequences directly. The LSTM also learns the time-dependent features automatically, so the network traffic data is described more completely. In all experiments, the accuracy for each attack type is computed by matching actual and predicted attacks and counting the correct predictions.
4.3. RESULTS AND DISCUSSION
Table 2. Results of the experiment models (detection accuracy, %; DoS, Probing, R2L and U2R are the abnormal classes)

Method           Normal   DoS     Probing  R2L     U2R     w-sum
SVDD             83.00    97.00   95.60    8.10    81.00   94.02
LSTM             98.99    96.55   56.14    0       0.06    60.14
ANN_256+SVDD     88.50    97.00   99.78    29.60   92.00   97.99
ANN_1024+SVDD    88.85    97.81   99.73    11.15   92.86   97.76
LSTM_5+SVDD      92.90    97.00   97.50    80.00   11.00   95.91
LSTM_10+SVDD     96.00    98.00   99.80    86.00   52.00   98.59
The results in Table 2 show that the combined models outperform our single models, with higher overall accuracy. The proposed combination models show high detection accuracy for the Normal, DoS and Probe classes, whereas both U2R and R2L have low figures. The single LSTM model in particular has the lowest accuracy for both U2R and R2L attacks, because far fewer occurrences of these classes are available for training. Combining SVDD with LSTM, however, significantly improves the detection accuracy for R2L and U2R attacks. To compare our models, the overall performance is computed as a weighted sum, the w-sum measure, based on the distribution of the data samples. Across all experiments, the LSTM_10+SVDD model is the best, with the highest overall (w-sum) accuracy and, among the combined models, the best figures for Normal, DoS and Probe. We also compare the performance of the best combination model with some recent works on detecting the various attack types, in Table 3.
Table 3 shows that the detection accuracy of the proposed method for Probe attacks is the highest of all the methods, and the proposed method is better than most of them at detecting DoS and Probe attacks. The characteristics of DoS attacks match the collective anomaly, and Probe attacks, which aim at gathering information and reconnaissance, can be matched to contextual anomalies. The proposed model is therefore highly effective at detecting attacks that are spread over packets within a period of time, because it investigates sequences of packets. The only drawback of the proposed method is its performance on the U2R and R2L classes, whose values are somewhat lower than those of the methods in [28] [29] [30].
Table 3. Accuracy (%) comparison with some recent works (DoS, Probing, R2L and U2R are the abnormal classes)

Method                        Year   Normal   DoS     Probing  R2L     U2R
LSTM [13]                     2016   95.53    97.87   54.71    0.00    57.83
LSTM [14]                     2015   99.50    99.30   75.80    17.10   0.10
Genetic [28]                  2012   99.50    97.00   78.00    11.40   5.60
SVM [29]                      2015   76.18    93.98   96.32    98.58   84.55
KNN [29]                      2015   81.17    97.63   96.27    99.67   83.24
SVM [30]                      2012   99.50    97.67   91.45    53.84   90.34
LS SVM (all features) [31]    2011   99.00    84.30   86.15    99.46   98.82
Clustering & SVM [32]         2010   99.30    99.50   97.50    19.70   28.80
ANN (all features) [33]       2017   88.90    99.90   98.40    42.90   87.50
Proposed                      2019   96.00    98.00   99.80    86.00   52.00
We also compare our work with the benchmarks of Nicholas J. Miller [34]. Those authors used the NSL-KDD dataset, a subset of the KDD99 dataset, which therefore has the same data characteristics (attack types). Table 4 shows that our work is better than the other works in the benchmarks.
Table 4. Accuracy (%) comparison with the benchmarks in [34]

Algorithm        Accuracy (Total)   Probe   DoS     U2R     R2L     Normal
Naive Bayes      75.36              82.78   77.53   64.50   2.87    92.64
Neural Network   77.80              86.10   77.45   53.02   13.21   94.84
SVM              76.91              93.89   76.08   39.00   10.78   92.84
K-means          74.04              74.19   68.73   56.01   1.23    99.09
Our work         86.36              99.80   98.00   52.00   86.00   96.00
We now consider the low performance on the U2R and R2L attack types. Both attack types are rare in the dataset, and an individual data instance of them can be considered anomalous with respect to the rest of the data, which consists of normal accesses. In a User to Root (U2R) attack, an attacker with a normal user account illegally gains administrator privileges by exploiting one or several vulnerabilities. In a Remote to Local (R2L) attack, a remote attacker without an account gains local access to a machine, for example by guessing a password through trial and error. Both U2R and R2L attacks are condition-specific and sophisticated. Their initiation is not similar to that of the other attacks, so these attacks are considered point anomalies. Consequently, the root of the problem lies in the LSTM model itself, which is highly effective at detecting attacks that are spread over packets within a period of time, but not attacks that are point anomalies. To address this challenge, in future work we will explore the SVDD model further. The performance of SVDD can be improved when a few attack examples are available: when examples of objects that should be rejected are available, they can be incorporated into the training to improve the description. In contrast to the normal training examples, which should lie within the sphere, the attack examples should lie outside it. Overall, it can be concluded that the proposed method performs quite well across both the attack and the Normal classes, especially for attacks with a high frequency such as DoS and Probe. A convenience of our combination models is that we train only on normal data to obtain a flexible data description model, which is then used to control the outlier sensitivity in a flexible way. This is valuable on real datasets, where normal examples are available while abnormal data is rare or difficult to obtain.
5. CONCLUSIONS
In this paper, we propose an approach combining LSTM with a data description model so that the two strategies support each other in detecting anomalies in network traffic. LSTM is a natural candidate for processing time series and supports obtaining good features from the relationships between the packets in a sequence. Using an unsupervised (one-class) method such as SVDD deals with the high cost of obtaining accurate labels in almost all real applications, and it is also a good solution for anomaly detection in imbalanced data. We apply a gradient-based training method after replacing the original objective criterion of the combination model by its approximation. The combination gives high overall performance for A-NIDS and is convenient for processing several real datasets. In future work, we will improve the data processing and explore SVDD further in order to increase the detection accuracy for both U2R and R2L attacks.