Performance Analysis of Intrusion Detection Systems Using a Feature Selection Method on the UNSW-NB15 Dataset

Kasongo, Sydney Mambwe; Sun, Yuqing

doi:10.1186/s40537-020-00379-6

Cited by 289 publications

(134 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…ADFA-LD12 [19] IDS Limited to normal tracing. UNSW-NB15 [20] Tcpdump & netflow Uncorrelated synthetic netflow. CICIDS [21] Netflow Lack of triangulated features.…”

Section: Dataset Type Disadvantagementioning

confidence: 99%

“…It uses a set of limited records to approximate how the Machine Learning model performed during the training stage. It is a well-known Machine Learning method due to its simplicity and generally produces less biased estimation/prediction compared to other methods [6,20]. In short, cross-validation splits the data source into a training partition (80%) and the remaining partition (20%) is used as a testing set.…”

Section: Testing Ugransomementioning

confidence: 99%

See 1 more Smart Citation

UGRansome1819: A Novel Dataset for Anomaly Detection and Zero-Day Threats

2021

Self Cite

View full text Add to dashboard Cite

This research attempts to introduce the production methodology of an anomaly detection dataset using ten desirable requirements. Subsequently, the article presents the produced dataset named UGRansome, created with up-to-date and modern network traffic (netflow), which represents cyclostationary patterns of normal and abnormal classes of threatening behaviours. It was discovered that the timestamp of various network attacks is inferior to one minute and this feature pattern was used to record the time taken by the threat to infiltrate a network node. The main asset of the proposed dataset is its implication in the detection of zero-day attacks and anomalies that have not been explored before and cannot be recognised by known threats signatures. For instance, the UDP Scan attack has been found to utilise the lowest netflow in the corpus, while the Razy utilises the highest one. In turn, the EDA2 and Globe malware are the most abnormal zero-day threats in the proposed dataset. These feature patterns are included in the corpus, but derived from two well-known datasets, namely, UGR’16 and ransomware that include real-life instances. The former incorporates cyclostationary patterns while the latter includes ransomware features. The UGRansome dataset was tested with cross-validation and compared to the KDD99 and NSL-KDD datasets to assess the performance of Ensemble Learning algorithms. False alarms have been minimized with a null empirical error during the experiment, which demonstrates that implementing the Random Forest algorithm applied to UGRansome can facilitate accurate results to enhance zero-day threats detection. Additionally, most zero-day threats such as Razy, Globe, EDA2, and TowerWeb are recognised as advanced persistent threats that are cyclostationary in nature and it is predicted that they will be using spamming and phishing for intrusion. Lastly, achieving the UGRansome balance was found to be NP-Hard due to real life-threatening classes that do not have a uniform distribution in terms of several instances.

show abstract

“…ADFA-LD12 [19] IDS Limited to normal tracing. UNSW-NB15 [20] Tcpdump & netflow Uncorrelated synthetic netflow. CICIDS [21] Netflow Lack of triangulated features.…”

Section: Dataset Type Disadvantagementioning

confidence: 99%

Section: Testing Ugransomementioning

confidence: 99%

UGRansome1819: A Novel Dataset for Anomaly Detection and Zero-Day Threats

2021

Self Cite

View full text Add to dashboard Cite

show abstract

“…Zhang et al [7] proposed an effective network traffic classification method, which used principal component analysis (PCA) to remove the irrelevant features and applied Gaussian Naive Bayes as the classifier. Kasongo et al [8] applied a filter-based feature reduction technique on the UNSW-NB15 data set using the XGBoost algorithm and then implemented several algorithms to classify the data. Results demonstrated that the feature selection method increased the test accuracy.…”

Section: Related Workmentioning

confidence: 99%

A Residual Learning-Based Network Intrusion Detection System

Man

Sun

2021

Security and Communication Networks

View full text Add to dashboard Cite

Neural networks have been proved to perform well in network intrusion detection. In order to acquire better features of network traffic, more learning layers are necessarily required. However, according to the results of the previous research, adding layers to the neural networks might fail to improve the classification results. In fact, after the number of layers has reached a certain threshold, performance of the model tends to degrade. In this paper, we propose a network intrusion detection model based on residual learning. After transforming the UNSW-NB15 data set into images, deeper convolutional neural networks with residual blocks are built to learn more critical features. Instead of the cross-entropy loss function, the modified focal loss is calculated to address the class imbalance problem in the training set and identify minor attacks in the testing set. Batch normalization and global average pooling are used to avoid overfitting and enhance the model. Experimental results show that the proposed model can improve attack detection accuracy compared with existing models.

show abstract

“…Although many have used feature selection algorithms such as Principal Component Analysis (PCA) [ 65 , 66 ], KNN [ 67 , 68 ], NB [ 69 , 70 ], LR [ 71 , 72 ], but recent works predominantly use RF [ 73 , 74 , 75 , 76 , 77 ] and XGBoost [ 78 , 79 , 80 , 81 , 82 ]. In particular, the authors in [ 83 ] provide a detailed analysis of RF-based feature selection.…”

Section: Related Workmentioning

confidence: 99%

Using Embedded Feature Selection and CNN for Classification on CCD-INID-V1—A New IoT Dataset

Liu

Thapa

Shaver

et al. 2021

Sensors

View full text Add to dashboard Cite

As Internet of Things (IoT) networks expand globally with an annual increase of active devices, providing better safeguards to threats is becoming more prominent. An intrusion detection system (IDS) is the most viable solution that mitigates the threats of cyberattacks. Given the many constraints of the ever-changing network environment of IoT devices, an effective yet lightweight IDS is required to detect cyber anomalies and categorize various cyberattacks. Additionally, most publicly available datasets used for research do not reflect the recent network behaviors, nor are they made from IoT networks. To address these issues, in this paper, we have the following contributions: (1) we create a dataset from IoT networks, namely, the Center for Cyber Defense (CCD) IoT Network Intrusion Dataset V1 (CCD-INID-V1); (2) we propose a hybrid lightweight form of IDS—an embedded model (EM) for feature selection and a convolutional neural network (CNN) for attack detection and classification. The proposed method has two models: (a) RCNN: Random Forest (RF) is combined with CNN and (b) XCNN: eXtreme Gradient Boosting (XGBoost) is combined with CNN. RF and XGBoost are the embedded models to reduce less impactful features. (3) We attempt anomaly (binary) classifications and attack-based (multiclass) classifications on CCD-INID-V1 and two other IoT datasets, the detection_of_IoT_botnet_attacks_N_BaIoT dataset (Balot) and the CIRA-CIC-DoHBrw-2020 dataset (DoH20), to explore the effectiveness of these learning-based security models. Using RCNN, we achieved an Area under the Receiver Characteristic Operator (ROC) Curve (AUC) score of 0.956 with a runtime of 32.28 s on CCD-INID-V1, 0.999 with a runtime of 71.46 s on Balot, and 0.986 with a runtime of 35.45 s on DoH20. Using XCNN, we achieved an AUC score of 0.998 with a runtime of 51.38 s for CCD-INID-V1, 0.999 with a runtime of 72.12 s for Balot, and 0.999 with a runtime of 72.91 s for DoH20. Compared to KNN, XCNN required 86.98% less computational time, and RCNN required 91.74% less computational time to achieve equal or better accurate anomaly detections. We find XCNN and RCNN are consistently efficient and handle scalability well; in particular, 1000 times faster than KNN when dealing with a relatively larger dataset-Balot. Finally, we highlight RCNN and XCNN’s ability to accurately detect anomalies with a significant reduction in computational time. This advantage grants flexibility for the IDS placement strategy. Our IDS can be placed at a central server as well as resource-constrained edge devices. Our lightweight IDS requires low train time and hence decreases reaction time to zero-day attacks.

show abstract

Performance Analysis of Intrusion Detection Systems Using a Feature Selection Method on the UNSW-NB15 Dataset

Cited by 289 publications

References 37 publications

UGRansome1819: A Novel Dataset for Anomaly Detection and Zero-Day Threats

UGRansome1819: A Novel Dataset for Anomaly Detection and Zero-Day Threats

A Residual Learning-Based Network Intrusion Detection System

Using Embedded Feature Selection and CNN for Classification on CCD-INID-V1—A New IoT Dataset

Contact Info

Product

Resources

About