Journal details
License
Format
Journal
eISSN
2444-8656
First published
01 Jan 2016
Publication timeframe
2 times per year
Languages
English
Open Access

AdaBoost Algorithm in Trustworthy Network for Anomaly Intrusion Detection

Published online: 15 Jul 2022
Volume & Issue: AHEAD OF PRINT
Pages: -
Received: 25 Apr 2022
Accepted: 27 Jun 2022
Introduction
Boosting Algorithm and AdaBoost Algorithm

Boosting, also known as reinforcement learning, is a significant ensemble learning technique that can turn a weak learner, whose prediction accuracy is only slightly better than random guessing, into a strong learner with much higher prediction accuracy [1]. Boosting offers a new and efficient approach to designing learning algorithms for problems where a direct algorithm is very hard to devise [2]. As a meta-algorithm framework, Boosting can be applied to nearly all popular machine learning algorithms to further improve the original algorithm's prediction accuracy. AdaBoost, short for Adaptive learning, is one of its most successful representatives [3, 4]. Since AdaBoost was proposed, a number of well-known researchers in the machine learning community have continually invested in the theory behind the algorithm, and these solid theories have laid a sound foundation for its successful application [5]. AdaBoost's success lies not only in its being an efficient algorithm, but also in turning Boosting from an initial conjecture into a truly practical algorithm. Several techniques used by AdaBoost, such as altering the original sample distribution, have also brought significant insight to the design of other statistical learning algorithms. Meanwhile, the related theoretical results have greatly advanced ensemble learning, for example:

The face detection system based on AdaBoost by S. Yin et al. [6] has the characteristics of bidirectional data calculation and data diversity. The system adopts a parallel configurable architecture and realizes bidirectional integral image calculation to improve the efficiency of parallel processing. It also realizes sub-window adaptive cascade classification for data diversity to further improve the efficiency of detecting diverse faces, reaching a maximum performance of 30 frames per second on 1080p video at minimum power consumption.

S.W. Foo et al. [7] studied the performance of the AdaBoost algorithm for updating noise estimates in sub-control-based speech enhancement. It classifies signal frames into speech and non-speech models, computes the power spectrum with an estimator over the periods recognized as non-speech, and takes this as the noise power spectrum. The experimental results show good performance.

W. Hu et al. [8] proposed an improved online AdaBoost that uses an online Gaussian mixture model as the weak classifier. They further proposed a distributed intrusion detection framework in which the online AdaBoost algorithm builds a locally parameterized detection model on each node; using a small number of samples within the node, combined with the local parameter model, a global detection model is constructed on each node. The experimental results show that, compared with the traditional online AdaBoost based on decision trees, the improved AdaBoost based on the Gaussian mixture model has a lower false positive rate and a higher detection rate.

Trustworthy Network

A trustworthy network is a two-layer forwarding network composed of communication terminals, programmable network switches, multi-protocol network controllers and protocol conversion gateways. The communication terminal, the programmable network switch and the protocol conversion gateway can support both the proprietary trusted protocol stack and the open TCP/IP protocol stack at the same time. The multi-protocol network controller can switch the protocol stack in real time according to the network operation and maintenance requirements for communication.

In Figure 1, between the link layer and the network layer of the trustworthy network protocol stack, there is a network security control sublayer, LSC (Link Security Control). The trustworthy network encodes the data at the source end of the network communication before it is transmitted.

Fig. 1

Trustworthy Network Protocol Stack

By introducing the LSC sublayer, the standard TCP/IP protocol stack is transformed into a proprietary trustworthy protocol stack, which can not only directly use the existing Ethernet link communication, but can also be used with operating systems and network applications built on the TCP/IP protocol stack. It is also easy to design and develop, serving as a reliable communication protocol that ensures network security.

Network Anomaly Intrusion Detection

In the research of network anomaly intrusion detection, a large number of researchers mainly focus on three areas: packet characteristics, network flow behavior and user behavior [9, 10].

Packet characteristics: this mainly refers to the protocol-level attributes of data packets, such as TCP, UDP, source address and destination address. The types of current network attacks include [10]:

Distributed Denial of Service (DDoS). In a distributed denial of service attack, one attacker controls multiple machines in different locations and uses them to attack the victim at the same time, or multiple attackers in different locations launch attacks on one or several targets simultaneously. The attack is called distributed because its origin is spread across different locations and may involve multiple attackers.

User-To-Root (U2R). In this type of attack, the attacker initially holds only an ordinary user account on a node and then obtains the root privilege of the superuser [11].

Remote-To-Local (R2L). In this type of attack, the attacker initially has no user account on a node and uses password guessing and cracking to find a vulnerability of the victim in order to obtain local access to the node.

Probe. The goal of this attack is to collect information about the target network or its ports. Although this attack method does not by itself bring down the computer system, it is often a preparation for subsequent attacks.

Network flow behavior: network flow behavior analysis is an efficient method to improve network security by aggregating flow data, ensuring behavior, and extracting corresponding flow behavior features at different geographic locations and times [12].

User behavior: by identifying the IP address, MAC address, token and other network access credentials of the equipment used by the user, the user's behavior while accessing the network is counted and analyzed in order to discover the patterns in that process; these patterns are then combined with the network anomaly intrusion strategy to detect abnormal user behavior in the network [13].

In the domain of network anomaly intrusion detection, intrusion detection systems and firewall systems are usually used together. Intrusion detection mainly detects whether there is malicious access, tampering with information in the system, or even crashing the system. The methods of network anomaly intrusion detection can be mainly divided into traditional rule-based methods and machine learning model-based methods [9, 11].

Traditional Network Anomaly Intrusion Detection Mechanism

Traditional methods mainly include packet filtering, application proxies and similar technologies [10]. Packet filtering is the distilled knowledge of domain experts, but rules formed from domain knowledge only defend within the range the rules delineate and cannot defend against all attacks. Under a large volume of network access, application proxy technology cannot achieve a good balance between normal service and security detection. Traditional methods also include network detection based on signal processing, which mainly uses the generalized likelihood ratio to detect abnormal signals, but this method also relies on human experience [9].

Network Anomaly Intrusion Detection Mechanism based on Machine Learning

Methods based on machine learning can be divided into supervised learning and unsupervised learning [10].

The methods based on supervised learning can be summarized as follows:

Method based on Support Vector Machine (SVM). SVM is a relatively simple supervised machine learning algorithm used for regression and/or classification. Basically, SVM finds a hyperplane that creates a boundary between the classes of data; in 2-dimensional space this hyperplane is simply a line. With the hinge loss function, SVM computes the empirical risk and adds a regularization term to the optimization problem so as to optimize the structural risk. SVM is considered a robust and sparse classifier. It can perform nonlinear classification through the kernel method, and is one of the commonly used kernel learning methods [14].

Robust Support Vector Machine Method (RSVM). RSVMs add averaging techniques to standard SVMs, which smooths the decision surface and automatically controls the amount of regularization [15]. Compared to standard SVM, RSVM has a significantly reduced number of support vectors, so RSVMs have a faster test time.

Bayesian network method. It is considered one of the most efficient theoretical models currently available for uncertain knowledge representation and reasoning. It is also known as the belief network and is an extension of the Bayes method. A Bayesian network is a Directed Acyclic Graph consisting of nodes representing random variables and directed edges connecting these nodes. The directed edges represent the relationships between the nodes; the strength of a relationship is expressed by a conditional probability, and a prior probability is used for nodes without parents. Uncertain and probabilistic events can be expressed and analyzed well by Bayesian network methods. They can be used for decision-making that depends conditionally on multiple control factors, and can draw inferences from imprecise, incomplete or uncertain information or knowledge [16].

Method based on decision tree model. Decision tree models are recursive-based methods that use some splitting criterion, such as information gain, to classify data [1].

Methods based on neural networks. A neural network, or connectionist model, is an algorithmic mathematical model that imitates the behavioral characteristics of animal neural networks for distributed parallel information processing. It relies on the complexity of the system and processes information by adjusting the interconnections between a large number of internal nodes [17]. In the 1990s, limited by computer hardware resources, training even 2–3 layer neural networks was very slow. However, with the accumulation of hardware resources and data, neural network methods have achieved leading results on specific tasks in many fields [18].

The methods based on unsupervised learning can be summarized as follows:

Methods based on mathematical statistics. Such methods mainly evaluate the abnormality of samples through a probability distribution. However, if the samples do not follow the Gaussian distribution or the pre-assumed distribution, the effectiveness of the method suffers. The representative method is the chi-square test [19].

Methods based on principal component analysis. The principal component analysis method mainly uses two scores: the proportion scores of the main principal component and of the secondary principal component. If a score exceeds a certain threshold, the access is judged abnormal. The main advantage of this method is that it requires no statistical assumptions about the distribution and has high computational efficiency [20]. However, since there is no specific standard for selecting the scores, the application scenarios of the algorithm are limited.

Methods based on information theory. This method mainly uses the concepts of entropy, cross entropy and information gain from information theory to evaluate whether the model is suitable for new data sets [1, 21].

Methods based on mixture models. This method uses the universal approximation capability of a mixture model to fit the distribution. Before the rise of deep learning methods, this type of method was widely used for anomaly detection, for example the Gaussian mixture model [22, 23, 24]. Approximating a Laplace distribution requires an infinite number of Gaussian components, which limits it in practical applications.

The effect of supervised learning methods is generally better than that of unsupervised learning, but supervised learning requires a large amount of labeled data, while unsupervised learning does not require a large number of labeled samples [25].

This paper applies the AdaBoost algorithm in a trustworthy network for anomaly intrusion detection. It uses a simple decision tree as the base weak learner, and uses the AdaBoost algorithm to integrate multiple weak learners into a strong learner by re-weighting the samples, further improving the defense of the entire trustworthy network against malicious behavior in network attacks.

AdaBoost algorithm in trustworthy network for anomaly intrusion detection

The flow of the AdaBoost algorithm for network intrusion detection is shown in Figure 2. First, the network access data that has passed the trustworthy network authentication is preprocessed, and a decision tree model and an AdaBoost-based ensemble model are constructed. Then the exponential loss function is used to optimize and train the model to distinguish network attacks from normal network access. Finally, the performance of AdaBoost-based network anomaly intrusion detection is evaluated on the test set. The evaluation indicators are the P-R curve and the average precision computed from it.

Fig. 2

The flow of AdaBoost algorithm for network intrusion detection

Data preprocessing

Generally, the verification of the LSC sublayer is based on a hash function. If the verification code or the verification method is leaked, the LSC sublayer verification is likely to fail, so new defense mechanisms are needed. After the LSC sublayer verification, the data segment is parsed, as shown in Figure 3. In the intrusion detection process, the text is encoded and the data set is divided into a training set and a test set.

Fig. 3

Comparison between open data frame and trustworthy data frame

The network access data is encoded as text, and each character in the network access data is mapped to the corresponding numeric format according to a code table. The specific text format is described in Section 3, Experiments. In the process, the input length required by the model is fixed: inputs shorter than that length are padded and inputs longer than it are truncated. Assume a dataset {(X, Y)}, where X = (x1, x2, …, xn) represents the mapped network access data and Y = (y1, y2, …, yn) represents the category label corresponding to each network access record; 0 represents normal access and 1 represents a malicious attack.

To verify the effectiveness of the method, the data set is divided into training data and test data in a fixed proportion. The training data is used for model training and the test data for model selection.

Model Construction

The model construction process is shown in Figure 4.

Fig. 4

The model construction process

A single decision tree recursively divides the input data into different leaf nodes according to the information gain at each node. X represents the features of the input data and Y represents the class of the data. A single decision tree represents the conditional probability of class Y given input X. At each node i, feature dimension di of the input vector x is compared with a threshold ti, and according to the result x is sent to the left or the right branch. The leaf nodes of the tree hold the prediction results of the model.

The construction of a single decision tree is as follows:

$F(x;\theta)=\sum_{j=1}^{J} w_j\,\mathrm{I}(x\in R_j)$

where $R_j$ is the region corresponding to the $j$-th leaf node, $w_j$ is the predicted output of that leaf node, $\theta=\{(R_j,w_j): j=1,\dots,J\}$, and $J$ is the number of leaf nodes.

AdaBoost model is constructed as follows:

Firstly, initialize the data weights $w_n^{(1)}=\frac{1}{N}$, where $N$ is the number of samples;

Secondly, for the $M$ weak-classifier decision trees $y_m(x)$, $m=1,2,\dots,M$, optimize the objective function

$J_m=\sum_{n=1}^{N} w_n^{(m)}\,\mathrm{I}\left(y_m(x_n)\ne y_n\right)$

On the $m$-th decision tree, update the sample weights as follows:

$\epsilon_m=\frac{\sum_{n=1}^{N} w_n^{(m)}\,\mathrm{I}\left(y_m(x_n)\ne y_n\right)}{\sum_{n=1}^{N} w_n^{(m)}}$

$\alpha_m=\ln\frac{1-\epsilon_m}{\epsilon_m}$

$w_n^{(m+1)}=w_n^{(m)}\exp\left(\alpha_m\,\mathrm{I}\left(y_m(x_n)\ne y_n\right)\right)$

Finally, use the following model to make predictions:

$f(x;\theta)=\mathrm{sign}\left(\sum_{m=1}^{M}\alpha_m F_m(x;\theta_m)\right)$

where $F_m$ is the $m$-th tree and $\alpha_m$ is its weight.
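The construction above, as an added example that is not part of the paper: a pure-Python AdaBoost whose weak learners are decision stumps (one-split trees), using exactly the weight initialisation, error ε_m, vote weight α_m = ln((1 − ε_m)/ε_m), weight update and sign-vote prediction given above. The feature values and labels are constructed (+1 = abnormal access, −1 = normal access, the ±1 convention this formulation needs), and the stump search, tie-breaking and renormalisation are implementation choices, not the paper's.

```python
"""AdaBoost with decision-stump weak learners (added example; not the paper's
code). Implements the update rules quoted above:
  w_n^(1) = 1/N;  eps_m = sum_n w_n I(y_m(x_n) != y_n) / sum_n w_n;
  alpha_m = ln((1 - eps_m) / eps_m);  w_n <- w_n * exp(alpha_m * I(wrong));
  f(x) = sign(sum_m alpha_m F_m(x)).
Labels are +1 (abnormal access) and -1 (normal access)."""
import math
from typing import List, Tuple

Vector = List[float]
Stump = Tuple[int, float, int]  # (feature index, threshold, polarity)


def stump_predict(x: Vector, stump: Stump) -> int:
    """One-split decision tree: polarity if x[dim] > thr, else -polarity."""
    dim, thr, polarity = stump
    return polarity if x[dim] > thr else -polarity


def fit_stump(X: List[Vector], y: List[int], w: List[float]) -> Tuple[Stump, float]:
    """Choose the stump minimising the weighted error J_m. Candidate thresholds
    are the midpoints between consecutive distinct values of each feature, plus
    one below the minimum (a stump that always votes the same way). Ties keep
    the first candidate found."""
    best_stump: Stump = (0, 0.0, 1)
    best_err = float("inf")
    for dim in range(len(X[0])):
        values = sorted({x[dim] for x in X})
        thresholds = [values[0] - 1.0] + [(a + b) / 2 for a, b in zip(values, values[1:])]
        for thr in thresholds:
            for polarity in (1, -1):
                stump = (dim, thr, polarity)
                err = sum(w_n for x_n, y_n, w_n in zip(X, y, w)
                          if stump_predict(x_n, stump) != y_n)
                if err < best_err:
                    best_stump, best_err = stump, err
    return best_stump, best_err


class AdaBoost:
    def __init__(self, n_rounds: int = 10) -> None:
        self.n_rounds = n_rounds
        self.stumps: List[Stump] = []
        self.alphas: List[float] = []

    def fit(self, X: List[Vector], y: List[int]) -> "AdaBoost":
        n = len(X)
        w = [1.0 / n] * n                                   # w_n^(1) = 1/N
        for _ in range(self.n_rounds):
            stump, err = fit_stump(X, y, w)
            wrong = [stump_predict(x_n, stump) != y_n for x_n, y_n in zip(X, y)]
            eps = err / sum(w)                               # eps_m
            if eps >= 0.5:          # no better than chance: another round cannot help
                break
            eps = max(eps, 1e-10)   # guard the logarithm when the stump is perfect
            alpha = math.log((1.0 - eps) / eps)              # alpha_m
            self.stumps.append(stump)
            self.alphas.append(alpha)
            if not any(wrong):      # perfect fit: nothing left to re-weight
                break
            # w_n^(m+1) = w_n^(m) exp(alpha_m I(y_m(x_n) != y_n)). Renormalising
            # afterwards leaves eps_m unchanged, since it is a ratio of weight sums.
            w = [w_n * math.exp(alpha) if bad else w_n for w_n, bad in zip(w, wrong)]
            total = sum(w)
            w = [w_n / total for w_n in w]
        return self

    def decision_function(self, x: Vector) -> float:
        """Weighted vote sum_m alpha_m F_m(x); its sign is the prediction."""
        return sum(a * stump_predict(x, s) for a, s in zip(self.alphas, self.stumps))

    def predict(self, x: Vector) -> int:
        return 1 if self.decision_function(x) >= 0 else -1


def accuracy(model: AdaBoost, X: List[Vector], y: List[int]) -> float:
    return sum(model.predict(x_n) == y_n for x_n, y_n in zip(X, y)) / len(y)


def demo_data() -> Tuple[List[Vector], List[int]]:
    """Constructed one-feature data: accesses whose encoded feature value lies
    in 4..7 are abnormal (+1). No single threshold isolates an interval, so a
    lone stump is stuck at 70% training accuracy while three boosted stumps
    (x > 3.5, x <= 7.5, and a constant 'normal' vote) reach 100%."""
    X = [[float(v)] for v in range(1, 11)]
    y = [1 if 4 <= v <= 7 else -1 for v in range(1, 11)]
    return X, y


if __name__ == "__main__":
    X, y = demo_data()
    model = AdaBoost(n_rounds=3).fit(X, y)
    for stump, alpha in zip(model.stumps, model.alphas):
        print(f"stump {stump}  alpha={alpha:.4f}")
    print("training accuracy:", accuracy(model, X, y))
```

The full-size decision trees of the paper replace `fit_stump`; the weighting loop in `fit` is unchanged.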

Model training

In the model training process, the exponential loss function is mainly used to optimize the training of the model. The specific steps are as follows:

Firstly, optimize the best parameters of the m-th decision tree.

Network intrusion anomaly detection is a binary classification problem with predicted label $\tilde y\in\{-1,+1\}$, and

$p(y=1\mid x)=\frac{e^{F(x)}}{e^{-F(x)}+e^{F(x)}}=\frac{1}{1+e^{-2F(x)}}$

Define the exponential loss function as $\ell(\tilde y,F(x))=\exp\left(-\tilde y F(x)\right)$. Setting the derivative of its conditional expectation to zero,

$\frac{\partial}{\partial F(x)}\mathrm{E}\left[e^{-\tilde y F(x)}\mid x\right]=\frac{\partial}{\partial F(x)}\left[p(\tilde y=1\mid x)\,e^{-F(x)}+p(\tilde y=-1\mid x)\,e^{F(x)}\right]=-p(\tilde y=1\mid x)\,e^{-F(x)}+p(\tilde y=-1\mid x)\,e^{F(x)}=0$

gives

$\frac{p(\tilde y=1\mid x)}{p(\tilde y=-1\mid x)}=e^{2F(x)}$

In the $m$-th step, the optimal function is:

$F_m=\arg\min_{F}\sum_{i=1}^{N}\omega_i\,\mathrm{I}\left(\tilde y_i\ne F(x_i)\right)$

Optimize step by step:

$L(f)=\sum_{i=1}^{N}\ell\left(y_i,f(x_i)\right)$

In the $m$-th iteration, compute:

$(\beta_m,\theta_m)=\arg\min_{\beta,\theta}\sum_{i=1}^{N}\ell\left(y_i,\,f_{m-1}(x_i)+\beta F(x_i;\theta)\right)$

Finally, make the forward update based on the result of the decision tree:

$f_m(x)=f_{m-1}(x)+\beta_m F(x;\theta_m)=f_{m-1}(x)+\beta_m F_m(x)$

Experiments

On the test data set, evaluate the performance of AdaBoost algorithm for anomaly intrusion detection. The evaluation indicator is the P-R curve and the average precision based on the P-R curve.

To verify the effectiveness of the AdaBoost algorithm for anomaly intrusion detection, this paper uses network message data extracted from the trustworthy network. 20,000 network access records were collected, of which 15,000 are normal network access and 5,000 are abnormal network access. In the experiment, the data set is divided into training data and test data in the ratio 7:3. The training data is used to optimize the model parameters and the test data to evaluate the performance of the AdaBoost algorithm for anomaly intrusion detection.

In network intrusion detection, the data of normal and abnormal network access are often unbalanced, and the P-R curve is more sensitive to unbalanced data sets. The trend of the P-R curve and the value of the average precision are used to reflect the model's intrusion detection ability.

Experimental environment and data

This experiment ran on a laptop with a 4-core Intel(R) i7-4720HQ CPU @ 2601 MHz and 16 GB of memory. The data set used is a network access data set extracted from a real-world trustworthy network, including 20,000 normal access records and 5,000 offensive access records.

An example of network access is presented as follows:

ff ff ff ff ff ff 00 e0 4c 81 53 57 09 ad 00 79
d5 00 00 00 08 00 45 00 01 5e d4 5f 00 00 80 11
65 30 00 00 00 00 ff ff ff ff 00 44 00 43 01 4a
ca 8e 01 01 06 00 dd 6e 8d 3a 00 00 80 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0
4c 81 53 57 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 63 82
53 63 35 01 03 3d 07 01 00 e0 4c 81 53 57 32 04
0a 01 01 1b 0c 0f 4c 41 50 54 4f 50 2d 54 52 52
4d 4e 48 44 41 51 12 00 00 00 4c 41 50 54 4f 50
2d 54 52 52 4d 4e 48 44 41 3c 08 4d 53 46 54 20
35 2e 30 37 0e 01 03 06 0f 1f 21 2b 2c 2e 2f 77
79 f9 fc ff

First, preprocess the access data. According to Figure 3, with the LSC sublayer included, the first 14 bytes are the source address, the destination address and the frame type, and bytes 15–24 are the LSC sublayer. Assuming that the LSC sublayer verification has been rendered invalid, so that some abnormal traffic bypasses the LSC sublayer verification mechanism, the middle part of the data packet is intercepted; its content is as follows:

45 00 01 5e d4 5f 00 00 80 11
65 30 00 00 00 00 ff ff ff ff 00 44 00 43 01 4a
ca 8e 01 01 06 00 dd 6e 8d 3a 00 00 80 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0
4c 81 53 57 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 63 82
53 63 35 01 03 3d 07 01 00 e0 4c 81 53 57 32 04
0a 01 01 1b 0c 0f 4c 41 50 54 4f 50 2d 54 52 52
4d 4e 48 44 41 51 12 00 00 00 4c 41 50 54 4f 50
2d 54 52 52 4d 4e 48 44 41 3c 08 4d 53 46 54 20
35 2e 30 37 0e 01 03 06 0f 1f 21 2b 2c 2e 2f 77
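The preprocessing just described, as an added example that is not the paper's code: parse the hex dump of the sample frame above, drop the Ethernet addresses, frame type and LSC sublayer, map each byte to an integer and pad or truncate to the model's input length. Assumptions: the byte value itself serves as the code table, zero is the padding value, and the dropped prefix is 22 bytes, because the paper's excerpt resumes at the byte 45 that starts the IPv4 header, which is the 23rd byte of the dump; `HEADER_LEN` is a parameter for a different LSC sublayer size, and `header_boundary_consistent` checks the choice against the IPv4 total-length field.

```python
"""Frame preprocessing for the AdaBoost detector (added example; not the
paper's code): hex dump -> bytes -> drop Ethernet header + LSC sublayer ->
integer codes -> pad/truncate to the model input length.
Assumptions: bytes map to their own numeric value (the "code table"), padding
uses 0, and HEADER_LEN = 22 (14-byte Ethernet header + 8-byte LSC sublayer),
since the paper's excerpt resumes at the IPv4 header byte 0x45 found at
offset 22 of the dump."""
from typing import List

HEADER_LEN = 22    # bytes dropped before the IPv4 header (assumption, see above)
INPUT_LEN = 256    # fixed model input length (constructed value)
PAD_VALUE = 0

# The paper's sample frame (372 bytes). The long run of zero bytes in the
# middle is generated rather than typed out: 12 + 11 rows of 16 + 14 = 202.
SAMPLE_FRAME_HEX = (
    "ff ff ff ff ff ff 00 e0 4c 81 53 57 09 ad 00 79 "
    "d5 00 00 00 08 00 45 00 01 5e d4 5f 00 00 80 11 "
    "65 30 00 00 00 00 ff ff ff ff 00 44 00 43 01 4a "
    "ca 8e 01 01 06 00 dd 6e 8d 3a 00 00 80 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 "
    "4c 81 53 57 " + "00 " * (12 + 11 * 16 + 14) +
    "63 82 53 63 35 01 03 3d 07 01 00 e0 4c 81 53 57 32 04 "
    "0a 01 01 1b 0c 0f 4c 41 50 54 4f 50 2d 54 52 52 "
    "4d 4e 48 44 41 51 12 00 00 00 4c 41 50 54 4f 50 "
    "2d 54 52 52 4d 4e 48 44 41 3c 08 4d 53 46 54 20 "
    "35 2e 30 37 0e 01 03 06 0f 1f 21 2b 2c 2e 2f 77 "
    "79 f9 fc ff"
)


def parse_hex_dump(text: str) -> bytes:
    """Whitespace-separated two-digit hex tokens -> raw bytes."""
    tokens = text.split()
    if any(len(t) != 2 for t in tokens):
        raise ValueError("each token must be exactly two hex digits")
    return bytes(int(t, 16) for t in tokens)


def strip_headers(frame: bytes, header_len: int = HEADER_LEN) -> bytes:
    """Drop the Ethernet addresses, frame type and LSC sublayer."""
    if len(frame) <= header_len:
        raise ValueError("frame shorter than the header prefix")
    return frame[header_len:]


def ip_total_length(packet: bytes) -> int:
    """Total-length field of an IPv4 header (bytes 2-3, big-endian)."""
    return int.from_bytes(packet[2:4], "big")


def header_boundary_consistent(packet: bytes) -> bool:
    """True when the bytes after the dropped prefix look like the IPv4 header
    the paper's excerpt starts with: version nibble 4 and a total-length field
    equal to the remaining byte count. A False here means HEADER_LEN is wrong
    for this capture (or the frame itself is malformed)."""
    return (len(packet) >= 4 and packet[0] >> 4 == 4
            and ip_total_length(packet) == len(packet))


def encode(packet: bytes, input_len: int = INPUT_LEN,
           pad_value: int = PAD_VALUE) -> List[int]:
    """Map bytes to integer codes, truncate to input_len, pad shorter inputs."""
    codes = list(packet[:input_len])
    codes.extend([pad_value] * (input_len - len(codes)))
    return codes


def preprocess_frame(text: str, input_len: int = INPUT_LEN,
                     header_len: int = HEADER_LEN) -> List[int]:
    """Full pipeline for one frame, returning the model's fixed-length input."""
    return encode(strip_headers(parse_hex_dump(text), header_len), input_len)


if __name__ == "__main__":
    frame = parse_hex_dump(SAMPLE_FRAME_HEX)
    packet = strip_headers(frame)
    print(f"frame {len(frame)} bytes, payload {len(packet)} bytes, "
          f"IP total length {ip_total_length(packet)}, "
          f"boundary consistent: {header_boundary_consistent(packet)}")
    print("first 16 codes:", preprocess_frame(SAMPLE_FRAME_HEX, input_len=64)[:16])
```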

Label the dataset, where normal access is 1 and abnormal access is 0. AdaBoost is an ensemble learning algorithm with sample weight adjustment. The base classifier of the ensemble is a simple classification decision tree. The number of base classifiers is 150, and in the training phase the learning rate is set to 0.005.

Input the training data into the model and minimize AdaBoost's loss function to get the optimal parameters. On the test data set, the evaluation indicator is the P-R curve and the average precision based on the P-R curve.

Experimental results

Most existing studies use the ROC curve to evaluate binary classification. However, this paper chooses the P-R curve as the evaluation index. The reason is that the P-R curve is sensitive to data imbalance: changes in the proportion of positive and negative samples cause large changes in the P-R curve, while the ROC curve is insensitive and changes very little when the proportion of positive and negative samples changes. At the same time, in network intrusion detection the number of normal accesses far exceeds the number of abnormal accesses.

The results of network anomaly intrusion detection method based on AdaBoost are as follows:

True Positive (TP): the result of AdaBoost-based method is abnormal access, and it is abnormal access in fact.

False positive (FP): the result of AdaBoost-based method is abnormal access, while it is normal access in fact.

True negative (TN): the result of AdaBoost-based method is normal access, and it is normal access in fact.

False negative (FN): the result of AdaBoost-based method is normal access, while it is abnormal access in fact.

Based on the above four classification results, precision and recall are defined as follows:

$\mathrm{Precision}=\frac{TP}{TP+FP}$

$\mathrm{Recall}=\frac{TP}{TP+FN}$

Given $n$ thresholds $\beta_n$, each corresponding to a coordinate $(\mathrm{Precision}_n,\mathrm{Recall}_n)$, $n$ coordinate points are formed, and the line connecting them constitutes the P-R curve. The average precision is

$\mathrm{Average\ Precision}=\sum_n\left(\mathrm{Recall}_n-\mathrm{Recall}_{n-1}\right)\mathrm{Precision}_n$
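The evaluation above, as an added example (not the paper's code): count TP, FP and FN at each threshold β_n, form the (Recall_n, Precision_n) points of the P-R curve and sum (Recall_n − Recall_{n−1})·Precision_n for the average precision. Scores and labels are constructed; label 1 marks abnormal access (the positive class of the TP/FP definitions above), and the thresholds are taken to be the distinct detector scores in decreasing order, which is an assumption of this example.

```python
"""P-R curve and average precision for a binary anomaly detector (added
example; not the paper's code). For every threshold beta_n the detector flags
an access as abnormal when score >= beta_n; precision and recall follow the
TP/FP/FN definitions above and AP = sum_n (R_n - R_{n-1}) P_n.
Labels: 1 = abnormal access (positive class), 0 = normal access."""
from typing import List, Sequence, Tuple

PRPoint = Tuple[float, float, float]   # (recall, precision, threshold)


def confusion_at(scores: Sequence[float], labels: Sequence[int],
                 beta: float) -> Tuple[int, int, int, int]:
    """Return (TP, FP, FN, TN) when everything scoring >= beta is flagged."""
    tp = fp = fn = tn = 0
    for s, y in zip(scores, labels):
        flagged = s >= beta
        if flagged and y == 1:
            tp += 1
        elif flagged:
            fp += 1
        elif y == 1:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn


def pr_curve(scores: Sequence[float], labels: Sequence[int]) -> List[PRPoint]:
    """Thresholds are the distinct scores in decreasing order, so recall is
    non-decreasing along the curve (the ordering the AP sum relies on). Ties
    in score are handled because each distinct value is one threshold; the
    0/0 precision case cannot occur since the first threshold flags >= 1
    sample, but it is defined as 1.0 for robustness."""
    points: List[PRPoint] = []
    for beta in sorted(set(scores), reverse=True):
        tp, fp, fn, _ = confusion_at(scores, labels, beta)
        precision = tp / (tp + fp) if tp + fp else 1.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        points.append((recall, precision, beta))
    return points


def average_precision(points: List[PRPoint]) -> float:
    """AP = sum_n (Recall_n - Recall_{n-1}) * Precision_n with Recall_0 = 0."""
    ap, prev_recall = 0.0, 0.0
    for recall, precision, _ in points:
        ap += (recall - prev_recall) * precision
        prev_recall = recall
    return ap


def evaluate(scores: Sequence[float], labels: Sequence[int]) -> Tuple[List[PRPoint], float]:
    points = pr_curve(scores, labels)
    return points, average_precision(points)


# Constructed detector output: 4 abnormal (1) and 4 normal (0) accesses, with
# one normal access scored above two of the abnormal ones.
DEMO_SCORES = [0.9, 0.8, 0.7, 0.6, 0.4, 0.3, 0.2, 0.1]
DEMO_LABELS = [1,   1,   0,   1,   0,   1,   0,   0]

if __name__ == "__main__":
    points, ap = evaluate(DEMO_SCORES, DEMO_LABELS)
    for recall, precision, beta in points:
        print(f"beta={beta:.1f}  recall={recall:.2f}  precision={precision:.3f}")
    print(f"average precision = {ap:.4f}")
```

A detector that ranks every abnormal access above every normal one gives AP = 1.0, which is the regime the paper's 0.9997 sits in; the same code returns 5/12 for the reverse ranking.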

For the experimental dataset, the P-R curve and average precision are shown in Figure 5.

Fig. 5

Experimental result

The average precision is 0.999771897810219, and the P-R curve lies almost on the line y = 1, which indicates that the network anomaly intrusion detection method based on AdaBoost recognizes both abnormal network attacks and normal network access very well.

Conclusions

This paper applied the AdaBoost algorithm in a trustworthy network for anomaly intrusion detection. The method can realize anomaly monitoring of network access at the network edge and micro-perimeter. Taking a simple decision tree as the base weak learner, the AdaBoost algorithm combines multiple weak learners into a strong learner by re-weighting the samples, further improving the defense of the entire trustworthy network against malicious behavior. Experimental verification shows that the average precision of the proposed method exceeds 0.999, indicating that it detects abnormal network attacks and normal network access well and effectively improves the security of trustworthy networks. The next step will be to verify the real-time performance of the proposed method for practical application in large-scale networks.


References

[1] T. G. Dietterich, An experimental comparison of three methods for constructing ensembles of decision trees: bagging, boosting, and randomization. Machine Learning, 2000, 40(2): pp. 139–157. doi:10.1023/A:1007607513941

[2] R. E. Schapire and Y. Singer, BoosTexter: A Boosting-based System for Text Categorization. Machine Learning, 2000, 39(2): pp. 135–168. doi:10.1023/A:1007649029923

[3] M. Collins, R. E. Schapire and Y. Singer, Logistic Regression, AdaBoost and Bregman Distances. Machine Learning, 2002, 48(1): pp. 253–285. doi:10.1023/A:1013912006537

[4] R. A. de Assis, R. Pazim, M. C. Malavazi, P. P. da C. Petry, L. M. E. de Assis and E. Venturino, A Mathematical Model to describe the herd behaviour considering group defense. Applied Mathematics and Nonlinear Sciences, 2020, 5(1): pp. 11–24. doi:10.2478/amns.2020.1.00002

[5] T. Xie, R. Liu and Z. Wei, Improvement of the Fast Clustering Algorithm Improved by K-Means in the Big Data. Applied Mathematics and Nonlinear Sciences, 2020, 5(1): pp. 1–10. doi:10.2478/amns.2020.1.00001

[6] S. Yin, P. Ouyang, X. Dai, L. Liu and S. Wei, An AdaBoost-Based Face Detection System Using Parallel Configurable Architecture With Optimized Computation. IEEE Systems Journal, 2017, 11(1): pp. 260–271. doi:10.1109/JSYST.2015.2418680

[7] S. W. Foo, Y. Lian and L. Dong, Recognition of visual speech elements using adaptively boosted hidden Markov models. IEEE Transactions on Circuits and Systems for Video Technology, 2004, 14(5): pp. 693–705. doi:10.1109/TCSVT.2004.826773

[8] W. Hu, J. Gao, Y. Wang, O. Wu and S. Maybank, Online Adaboost-Based Parameterized Methods for Dynamic Distributed Network Intrusion Detection. IEEE Transactions on Cybernetics, 2014, 44(1): pp. 66–82. doi:10.1109/TCYB.2013.2247592

[9] H. J. Liao, C. H. Richard Lin, Y. C. Lin and K. Y. Tung, Intrusion detection system: A comprehensive review. Journal of Network and Computer Applications, 2013, 36(1): pp. 16–24. doi:10.1016/j.jnca.2012.09.004

[10] A. L. Buczak and E. Guven, A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection. IEEE Communications Surveys and Tutorials, 2016, 18(2): pp. 1153–1176. doi:10.1109/COMST.2015.2494502

[11] S. Iglesias Pérez, S. Moral-Rubio and R. Criado, A new approach to combine multiplex networks and time series attributes: Building intrusion detection systems (IDS) in cybersecurity. Chaos, Solitons and Fractals, 2021, 150: 111143. doi:10.1016/j.chaos.2021.111143

[12] M. Wei and K. Kim, Intrusion detection scheme using traffic prediction for wireless industrial networks. Journal of Communications and Networks, 2012, 14(3): pp. 310–318. doi:10.1109/JCN.2012.6253092

[13] J. Peng, K. R. Choo and H. Ashman, User profiling in intrusion detection: A review. Journal of Network and Computer Applications, 2016, 72: pp. 14–27. doi:10.1016/j.jnca.2016.06.012

[14] M. Safaldin, M. Otair and L. Abualigah, Improved binary gray wolf optimizer and SVM for intrusion detection system in wireless sensor networks. Journal of Ambient Intelligence and Humanized Computing, 2020, 12(2): pp. 1559–1576. doi:10.1007/s12652-020-02228-z

J. C. Joseph, B. S. Lee, A. Das and B. C. Seet, Cross-Layer Detection of Sinking Behavior in Wireless Ad Hoc Networks Using SVM and FDA. IEEE Transactions on Dependable and Secure Computing, 2011.8 (2):pp.233–245. JosephJ. C. LeeB. S. DasA. SeetB. C. Cross-Layer Detection of Sinking Behavior in Wireless Ad Hoc Networks Using SVM and FDA IEEE Transactions on Dependable and Secure Computing 2011 8 2 233 245 10.1109/TDSC.2009.48 Search in Google Scholar

W. Alhakami, A. ALharbi, Abdullah, S. Bourouis, R. Alroobaea and N. Bouguila, Network Anomaly Intrusion Detection Using a Nonparametric Bayesian Approach and Feature Selection. IEEE Access, 2019.7:pp.52181–52190. AlhakamiW. ALharbiA. Abdullah BourouisS. AlroobaeaR. BouguilaN. Network Anomaly Intrusion Detection Using a Nonparametric Bayesian Approach and Feature Selection IEEE Access 2019 7 52181 52190 10.1109/ACCESS.2019.2912115 Search in Google Scholar

Y. C. Wu, F. Yin and C. L. Liu, Improving handwritten Chinese text recognition using neural network language models and convolutional neural network shape models. Pattern Recognition, 2017.65: pp.251–264. WuY. C. YinF. LiuC. L. Improving handwritten Chinese text recognition using neural network language models and convolutional neural network shape models Pattern Recognition 2017 65 251 264 10.1016/j.patcog.2016.12.026 Search in Google Scholar

H. Yang & F. Wang, Wireless Network Intrusion Detection Based on Improved Convolutional Neural Network. IEEE Access, 2019.7: pp.64366–64374. YangH. WangF. Wireless Network Intrusion Detection Based on Improved Convolutional Neural Network IEEE Access 2019 7 64366 64374 10.1109/ACCESS.2019.2917299 Search in Google Scholar

N. Ye and Q. Chen, An anomaly detection technique based on a chi-square statistic for detecting intrusions into information systems. Quality and Reliability Engineering International, 2001.17 (2):pp.105–112. YeN. ChenQ. An anomaly detection technique based on a chi-square statistic for detecting intrusions into information systems Quality and Reliability Engineering International 2001 17 2 105 112 10.1002/qre.392 Search in Google Scholar

A. Milenkoski, M. Vieira, S. Kounev, A. Avritzer and B.D. Payne, Evaluating Computer Intrusion Detection Systems. ACM Computing Surveys, 2015.48 (1):pp.1–41. MilenkoskiA. VieiraM. KounevS. AvritzerA. PayneB.D. Evaluating Computer Intrusion Detection Systems ACM Computing Surveys 2015 48 1 1 41 10.1145/2808691 Search in Google Scholar

P. Velarde Alvarado, R. Martinez Pelaez, L. J. Mena-Camaré, A. M. Ochoa Brust, E. Moreno Garcia, J. D. J. Ceballos Mejia and A. Iriarte-Solis, Spatial and Temporal Characterization of Network Traffic for Intrusion Detection Based on Information Theory. International Journal of Technology, Knowledge and Society, 2018.14 (2):pp.1–7. Velarde AlvaradoP. Martinez PelaezR. Mena-CamaréL. J. Ochoa BrustA. M. Moreno GarciaE. Ceballos MejiaJ. D. J. Iriarte-SolisA. Spatial and Temporal Characterization of Network Traffic for Intrusion Detection Based on Information Theory International Journal of Technology, Knowledge and Society 2018 14 2 1 7 10.18848/1832-3669/CGP/v14i02/1-7 Search in Google Scholar

H. Zhang, L. Huang, C. Q. Wu and Z. Li, An effective convolutional neural network based on SMOTE and Gaussian mixture model for intrusion detection in imbalanced dataset. Computer Networks (Amsterdam, Netherlands: 1999), 2020.177:pp.107315. ZhangH. HuangL. WuC. Q. LiZ. An effective convolutional neural network based on SMOTE and Gaussian mixture model for intrusion detection in imbalanced dataset Computer Networks (Amsterdam, Netherlands: 1999) 2020 177 107315 10.1016/j.comnet.2020.107315 Search in Google Scholar

Y. Chen, N. Ashizawa, C. K. Yeo, N. Yanai and S. Yean, Multi-scale Self-Organizing Map assisted Deep Autoencoding Gaussian Mixture Model for unsupervised intrusion detection. Knowledge-based Systems, 2021.224:pp.107086. ChenY. AshizawaN. YeoC. K. YanaiN. YeanS. Multi-scale Self-Organizing Map assisted Deep Autoencoding Gaussian Mixture Model for unsupervised intrusion detection Knowledge-based Systems 2021 224 107086 10.1016/j.knosys.2021.107086 Search in Google Scholar

S. Otoum, B. Kantarci and H. T. Mouftah. On the Feasibility of Deep Learning in Sensor Network Intrusion Detection. IEEE Networking Letters, 2019.1 (2): pp.68–71. OtoumS. KantarciB. MouftahH. T. On the Feasibility of Deep Learning in Sensor Network Intrusion Detection IEEE Networking Letters 2019 1 2 68 71 10.1109/LNET.2019.2901792 Search in Google Scholar

C. F. Tsai, Y. F. Hsu, C. Y. Lin, W. Y. Lin, Intrusion detection by machine learning: A review. Expert Systems with applications, 2009.36 (10): pp.11994–12000. TsaiC. F. HsuY. F. LinC. Y. LinW. Y. Intrusion detection by machine learning: A review Expert Systems with applications 2009 36 10 11994 12000 10.1016/j.eswa.2009.05.029 Search in Google Scholar
