DFAID: Density‐aware and feature‐deviated active intrusion detection over network traffic streams
We study the problem of active intrusion detection over network traffic streams. Existing works create clusters for known classes and manually label instances outside the clusters for detecting novel attack classes and concept drift, yet several challenges are present. First, these methods assume that different classes of network traffic distribute far from each other in feature space, while similar attack classes could violate this assumption. It makes the true novel classes and concept drift undetectable, therefore a degraded performance. Second, prior works depending on heavily calculating and retraining cannot achieve efficient incremental updates over the infinite and high-speed streams of network traffic. Last, related methods rarely leverage the domain knowledge in intrusion detection. To address these issues, we propose DFAID, a Density-aware and Feature-deviated Active Intrusion Detection framework over network traffic streams. We first design the mask density score and the feature deviation score to maximize the effectiveness of labeled instances, effectively detecting novel attack classes and the concept drift when similar classes exist. Then, DFAID leverages robust incremental clustering structures to group instances in local regions, relieving the burden on the speed and reducing effects of noisy instances. Last, we further present DFAID-DK by incorporating the Domain Knowledge of temporal correlations between network attacks to correct the wrong predictions. Extensive experiments on two well-known benchmarks, CIC-IDS2017 and ISCX-2012, demonstrate that DFAID and its variation DFAID-DK both achieve significant improvement compared with related methods in terms of f1-score (21.7%, 22.7%) on average, and its running speed is an order of magnitude faster.
Saved in:
Published in: | Computers & security 2022-07, Vol.118, p.102719, Article 102719 |
---|---|
Main authors: | Li, Bin; Wang, Yijie; Xu, Kele; Cheng, Li; Qin, Zhiquan |
Format: | Article |
Language: | eng |
Subjects: | Active learning; Clustering; Communications traffic; Density; Domain knowledge; Domains; Drift; Incremental update; Intrusion; Intrusion detection; Network traffic streams; Performance degradation; Streams; Traffic speed |
Online access: | Full text |
container_end_page | |
---|---|
container_issue | |
container_start_page | 102719 |
container_title | Computers & security |
container_volume | 118 |
creator | Li, Bin; Wang, Yijie; Xu, Kele; Cheng, Li; Qin, Zhiquan |
description | We study the problem of active intrusion detection over network traffic streams. Existing works create clusters for known classes and manually label instances outside the clusters for detecting novel attack classes and concept drift, yet several challenges are present. First, these methods assume that different classes of network traffic distribute far from each other in feature space, while similar attack classes could violate this assumption. It makes the true novel classes and concept drift undetectable, therefore a degraded performance. Second, prior works depending on heavily calculating and retraining cannot achieve efficient incremental updates over the infinite and high-speed streams of network traffic. Last, related methods rarely leverage the domain knowledge in intrusion detection. To address these issues, we propose DFAID, a Density-aware and Feature-deviated Active Intrusion Detection framework over network traffic streams. We first design the mask density score and the feature deviation score to maximize the effectiveness of labeled instances, effectively detecting novel attack classes and the concept drift when similar classes exist. Then, DFAID leverages robust incremental clustering structures to group instances in local regions, relieving the burden on the speed and reducing effects of noisy instances. Last, we further present DFAID-DK by incorporating the Domain Knowledge of temporal correlations between network attacks to correct the wrong predictions. Extensive experiments on two well-known benchmarks, CIC-IDS2017 and ISCX-2012, demonstrate that DFAID and its variation DFAID-DK both achieve significant improvement compared with related methods in terms of f1-score (21.7%, 22.7%) on average, and its running speed is an order of magnitude faster. |
doi_str_mv | 10.1016/j.cose.2022.102719 |
format | Article |
fulltext | fulltext |
identifier | ISSN: 0167-4048 |
ispartof | Computers & security, 2022-07, Vol.118, p.102719, Article 102719 |
issn | 0167-4048; 1872-6208 |
language | eng |
recordid | cdi_proquest_journals_2688592004 |
source | Elsevier ScienceDirect Journals |
subjects | Active learning; Clustering; Communications traffic; Density; Domain knowledge; Domains; Drift; Incremental update; Intrusion; Intrusion detection; Network traffic streams; Performance degradation; Streams; Traffic speed |
title | DFAID: Density‐aware and feature‐deviated active intrusion detection over network traffic streams |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-02T06%3A29%3A47IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=DFAID:%20Density%E2%80%90aware%20and%20feature%E2%80%90deviated%20active%20intrusion%20detection%20over%20network%20traffic%20streams&rft.jtitle=Computers%20&%20security&rft.au=Li,%20Bin&rft.date=2022-07&rft.volume=118&rft.spage=102719&rft.pages=102719-&rft.artnum=102719&rft.issn=0167-4048&rft.eissn=1872-6208&rft_id=info:doi/10.1016/j.cose.2022.102719&rft_dat=%3Cproquest_cross%3E2688592004%3C/proquest_cross%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2688592004&rft_id=info:pmid/&rft_els_id=S0167404822001109&rfr_iscdi=true |