Applying One-Class Classification Techniques to IP Flow Records for Intrusion Detection

Umer, Muhammad Fahad; Sher, Muhammad; Yaxin, Bi

doi:10.22364/bjmc.2017.5.1.05

Cited by 4 publications

(2 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…One-class SVM techniques give better results for intrusion detection in malicious flow records. However, the accuracy of one-class SVM is very sensitive to the value of ν parameter [ 36 ]. The ν is an upper bound on the fraction of outliers (normal flows) and lower bound on the number of support vectors.…”

Section: Resultsmentioning

confidence: 99%

“…Available once class classification includes density estimation, reconstruction methods and support vector machines (SVM). We use SVM-based one-class classification techniques because SVM techniques give accurate results for intrusion detection [ 35 , 36 ]. One-class SVM constructs a boundary around the target class objects in the form of a hyperplane.…”

Section: Proposed Approachmentioning

confidence: 99%

See 1 more Smart Citation

A two-stage flow-based intrusion detection model for next-generation networks

Umer

Sher

2018

PLoS ONE

Self Cite

View full text Add to dashboard Cite

The next-generation network provides state-of-the-art access-independent services over converged mobile and fixed networks. Security in the converged network environment is a major challenge. Traditional packet and protocol-based intrusion detection techniques cannot be used in next-generation networks due to slow throughput, low accuracy and their inability to inspect encrypted payload. An alternative solution for protection of next-generation networks is to use network flow records for detection of malicious activity in the network traffic. The network flow records are independent of access networks and user applications. In this paper, we propose a two-stage flow-based intrusion detection system for next-generation networks. The first stage uses an enhanced unsupervised one-class support vector machine which separates malicious flows from normal network traffic. The second stage uses a self-organizing map which automatically groups malicious flows into different alert clusters. We validated the proposed approach on two flow-based datasets and obtained promising results.

show abstract

Section: Resultsmentioning

confidence: 99%

Section: Proposed Approachmentioning

confidence: 99%

A two-stage flow-based intrusion detection model for next-generation networks

Umer

Sher

2018

PLoS ONE

Self Cite

View full text Add to dashboard Cite

show abstract

A dual-tier adaptive one-class classification IDS for emerging cyberthreats

Uddin,

Aryal,

Bouadjenek

et al. 2025

Computer Communications

View full text Add to dashboard Cite

usfAD based effective unknown attack detection focused IDS framework

Uddin,

Aryal,

Bouadjenek

et al. 2024

Sci Rep

View full text Add to dashboard Cite

The rapid expansion of varied network systems, including the Internet of Things (IoT) and the Industrial Internet of Things (IIoT), has led to an increasing range of cyber threats. Ensuring robust protection against these threats necessitates the implementation of an effective Intrusion Detection System (IDS). For more than a decade, researchers have delved into supervised machine learning techniques to develop IDS to classify normal and attack traffic. However, building effective IDS models using supervised learning requires a substantial number of benign and attack samples. To collect a sufficient number of attack samples from real-life scenarios is not possible since cyber attacks occur occasionally. Further, IDS trained and tested on known datasets fails in detecting zero-day or unknown attacks due to the swift evolution of attack patterns. To address this challenge, we put forth two strategies for semi-supervised learning-based IDS where training samples of attacks are not required: (1) training a supervised machine learning model using randomly and uniformly dispersed synthetic attack samples; (2) building a One Class Classification (OCC) model that is trained exclusively on benign network traffic. We have implemented both approaches and compared their performances using 10 recent benchmark IDS datasets. Our findings demonstrate that the OCC model based on the state-of-art anomaly detection technique called usfAD significantly outperforms conventional supervised classification and other OCC-based techniques when trained and tested considering real-life scenarios, particularly to detect previously unseen attacks.

show abstract

Applying One-Class Classification Techniques to IP Flow Records for Intrusion Detection

Cited by 4 publications

References 16 publications

A two-stage flow-based intrusion detection model for next-generation networks

A two-stage flow-based intrusion detection model for next-generation networks

A dual-tier adaptive one-class classification IDS for emerging cyberthreats

usfAD based effective unknown attack detection focused IDS framework

Contact Info

Product

Resources

About