Hybrid intrusion detection system based on the stacking ensemble of C5 decision tree classifier and one class support vector machine
- Authors: Khraisat, Ansam , Gondal, Iqbal , Vamplew, Peter , Kamruzzaman, Joarder , Alazab, Ammar
- Date: 2020
- Type: Text , Journal article
- Relation: Electronics (Switzerland) Vol. 9, no. 1 (2020), p.
- Description: Cyberattacks are becoming increasingly sophisticated, necessitating efficient intrusion detection mechanisms to monitor computer resources and generate reports on anomalous or suspicious activities. Many Intrusion Detection Systems (IDSs) use a single classifier for identifying intrusions. Single-classifier IDSs are unable to achieve high accuracy and low false alarm rates due to polymorphic, metamorphic, and zero-day behaviors of malware. In this paper, a Hybrid IDS (HIDS) is proposed by combining the C5 decision tree classifier and One Class Support Vector Machine (OC-SVM). HIDS combines the strengths of Signature-based Intrusion Detection System (SIDS) and Anomaly-based Intrusion Detection System (AIDS). The SIDS was developed based on the C5.0 decision tree classifier and the AIDS was developed based on the one-class Support Vector Machine (SVM). This framework aims to identify both well-known intrusions and zero-day attacks with high detection accuracy and low false-alarm rates. The proposed HIDS is evaluated using the benchmark datasets, namely, Network Security Laboratory-Knowledge Discovery in Databases (NSL-KDD) and Australian Defence Force Academy (ADFA) datasets. Studies show that the performance of HIDS is enhanced, compared to SIDS and AIDS, in terms of detection rate and low false-alarm rates. © 2020 by the authors. Licensee MDPI, Basel, Switzerland.
A novel ensemble of hybrid intrusion detection system for detecting internet of things attacks
- Authors: Khraisat, Ansam , Gondal, Iqbal , Vamplew, Peter , Kamruzzaman, Joarder , Alazab, Ammar
- Date: 2019
- Type: Text , Journal article
- Relation: Electronics (Switzerland) Vol. 8, no. 11 (2019), p.
- Description: The Internet of Things (IoT) has been rapidly evolving towards making a greater impact on everyday life and on large industrial systems. Unfortunately, this has attracted the attention of cybercriminals who have made IoT a target of malicious activities, opening the door to possible attacks on the end nodes. Due to the large number and diverse types of IoT devices, it is a challenging task to protect the IoT infrastructure using a traditional intrusion detection system. To protect IoT devices, a novel ensemble Hybrid Intrusion Detection System (HIDS) is proposed by combining a C5 classifier and a One Class Support Vector Machine classifier. HIDS combines the advantages of Signature Intrusion Detection System (SIDS) and Anomaly-based Intrusion Detection System (AIDS). The aim of this framework is to detect both well-known intrusions and zero-day attacks with high detection accuracy and low false-alarm rates. The proposed HIDS is evaluated using the Bot-IoT dataset, which includes legitimate IoT network traffic and several types of attacks. Experiments show that the proposed hybrid IDS provides a higher detection rate and lower false positive rate compared to the SIDS and AIDS techniques. © 2019 by the authors. Licensee MDPI, Basel, Switzerland.
Categorical features transformation with compact one-hot encoder for fraud detection in distributed environment
- Authors: Ul Haq, Ikram , Gondal, Iqbal , Vamplew, Peter , Brown, Simon
- Date: 2019
- Type: Text , Conference proceedings , Conference paper
- Relation: 2019 16th Australasian Conference on Data Mining, AusDM 2018; Bathurst, NSW; 28 November 2018 through 30 November 2018 Vol. 996, p. 69-80
- Full Text: false
- Description: Fraud detection for online banking is an important research area, but one of the challenges is the heterogeneous nature of transactions data i.e. a combination of numeric as well as mixed attributes. Usually, numeric format data gives better performance for classification, regression and clustering algorithms. However, many machine learning problems have categorical, or nominal features, rather than numeric features only. In addition, some machine learning platforms such as Apache Spark accept numeric data only. One-hot Encoding (OHE) is a widely used approach for transforming categorical features to numerical features in traditional data mining tasks. The one-hot approach has some challenges as well: the sparseness of the transformed data and that the distinct values of an attribute are not always known in advance. Other than the model accuracy, compactness of machine learning models is equally important due to growing memory and storage needs. This paper presents an innovative technique to transform categorical features to numeric features by compacting sparse data even if all the distinct values are not known. The transformed data can be used for the development of fraud detection systems. The accuracy of the results has been validated on synthetic and real bank fraud data and a publicly available anomaly detection (KDD-99) dataset on a multi-node data cluster. © Springer Nature Singapore Pte Ltd. 2019.
An anomaly intrusion detection system using C5 decision tree classifier
- Authors: Khraisat, Ansam , Gondal, Iqbal , Vamplew, Peter
- Date: 2018
- Type: Text , Conference proceedings , Conference paper
- Relation: 22nd Pacific-Asia Conference on Knowledge Discovery and Data Mining, PAKDD 2018; Melbourne, Australia; 3rd June 2018; published in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) Vol. 11154 LNAI, p. 149-155
- Full Text: false
- Description: Due to the increase in intrusion activities over the internet, many intrusion detection systems have been proposed to detect abnormal activities, but most of these detection systems suffer from a common problem: producing a high number of alerts and a huge number of false positives. As a result, normal activities could be classified as intrusion activities. This paper examines different data mining techniques that could minimize both the number of false negatives and false positives. The C5 classifier’s effectiveness is examined and compared with other classifiers. Results show that false negatives are reduced and intrusion detection has been improved significantly. Minimizing the false positives has also resulted in a reduction in the amount of false alerts. In this study, multiple classifiers have been compared with the C5 decision tree classifier using the NSL-KDD dataset, and results have shown that C5 has achieved high accuracy and low false alarms as an intrusion detection system.
- Description: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Complex anomaly for enhanced machine independent condition monitoring
- Authors: Amar, Muhammad , Gondal, Iqbal , Wilson, Campbell
- Date: 2015
- Type: Text , Conference proceedings
- Relation: 9th International Conference on Open Source Systems and Technologies, ICOSST 2015; Lahore, Pakistan; 17th-19th December 2015
- Full Text: false
- Description: Safety in machine applications requires tracking machine health during operation. Anomaly detection techniques are used to model the normal behavior of the machines and raise an alarm if any anomaly is observed. But traditional anomaly detection techniques do not identify the type and severity of aberrance in terms of amplitude, pattern or both. Once anomalous behavior is observed, fault detection techniques are applied to diagnose faults. For machine independent condition monitoring (MICM), a range of feature transforms is needed for autonomous learning of the fault classifiers for different parameters to identify a variety of fault types, which requires a huge amount of time. In this paper a novel complex anomaly plan (CAP) representation is proposed, with amplitude anomalies on the real axis and pattern anomalies on the imaginary axis. To plot amplitude and pattern anomalies in the CAP, normal-state vibration frequency features are used to train Gaussian models for each frequency. The dynamic location of the anomaly plotted in the CAP gives a measure of the intensity of the anomaly, where the real and imaginary axis components help the fault classifier to make an appropriate selection of the transform and thus enhance the efficiency of the MICM framework. © 2015 IEEE.
- Description: ICOSST 2015 - 2015 International Conference on Open Source Systems and Technologies, Proceedings
Autonomous behavior modeling approach for diverse anomaly detection application
- Authors: Amar, Muhammad , Wilson, Campbell , Gondal, Iqbal
- Date: 2014
- Type: Text , Conference paper
- Relation: ICOSST 2014 - 2014 International Conference on Open Source Systems and Technologies, Lahore, Pakistan, 18-20th Dec 2014 p. 122-127
- Full Text: false
- Description: For absolute process safety in diverse machine applications, timely and reliable anomalous behavior detection is crucial. Different machine applications have different normal behavior patterns and safety standards, and thus require adjustable and adaptive anomaly detection techniques. In this paper an autonomous behavior modeling approach for anomaly detection is presented. In this approach, time-segmented vibration signals from the machines are transformed into spectral contents. After normalization, these frequency-domain contents are divided into weighted frequency bins, and Gaussian models are then fitted for these frequency bins over the entire training set. Using a summation rule on the outputs of the Gaussian models, a single indicative measure of machine health, the normality score, is obtained. The sensitivity of the normality score and anomaly detector towards potential anomalous signals can be controlled by using different numbers of bins and weights. Suitable parameter values (number of bins and weights profile) for the anomaly detector model are selected autonomously using the minimum value of the cost function. An increase of the normality score of this model above a certain threshold is considered an alarm indicating anomalous behavior. Thus the proposed method enables us to autonomously achieve a suitable anomaly detection model with suitable parameters and controlled sensitivity during the test phase.
Unitary anomaly detection for ubiquitous safety in machine health monitoring
- Authors: Amar, Muhammad , Gondal, Iqbal , Wilson, Campbell
- Date: 2012
- Type: Text , Conference paper
- Relation: 19th International Conference on Neural Information Processing (ICONIP) p. 361-368
- Full Text: false
- Description: Safety has always been of vital concern in both industrial and home applications. Ensuring safety often requires certain quantifications regarding the inclusive behavior of the system under observation in order to determine deviations from normal behavior. In machine health monitoring, the vibration signal is of great importance for such measurements because it includes abundant information from several machine parts and surroundings that can influence machine behavior. This paper proposes a unitary anomaly detection technique (UAD) that, upon observation of abnormal behavior in the vibration signal, can trigger an alarm with an adjustable threshold in order to meet different safety requirements. The normalized amplitudes of the spectral contents of the quasi-stationary vibration time signal are divided into frequency bins, and the summed amplitudes of the frequencies in each bin are used as features. From a training set consisting of normal vibration signals, Gaussian distribution models are obtained for each feature, which are then used for anomaly detection.