Benchmarking of Machine Learning for Anomaly Based Intrusion Detection Systems in the CICIDS2017 Dataset

Maseer, Ziadoon Kamil; Yusof, Robiah; Bahaman, Nazrulazhar; Mostafa, Salama A.; Foozy, Cik Feresa Mohd

doi:10.1109/access.2021.3056614

Cited by 268 publications

(107 citation statements)

References 70 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In [52,53], various assessment methods have been suggested to test and assess Machine Learning models without mentioning the confusion matrix. Recently, Maseer et al [54] have used the CICIDS 2017 dataset to evaluate the Machine Learning model but the time complexity and confusion matrix were not considered. The discussion of the validation drawbacks presented in [3,[51][52][53][54]] is summarised in Table 3.…”

Section: Ip Addressmentioning

confidence: 99%

“…Recently, Maseer et al [54] have used the CICIDS 2017 dataset to evaluate the Machine Learning model but the time complexity and confusion matrix were not considered. The discussion of the validation drawbacks presented in [3,[51][52][53][54]] is summarised in Table 3. Reference Drawbacks [3] The time complexity was not considered.…”

Section: Ip Addressmentioning

confidence: 99%

“…[53] Binary stratification was considered without confusion matrix. [54] The time complexity and confusion matrix are not considered.…”

Section: Ip Addressmentioning

confidence: 99%

See 2 more Smart Citations

UGRansome1819: A Novel Dataset for Anomaly Detection and Zero-Day Threats

2021

View full text Add to dashboard Cite

This research attempts to introduce the production methodology of an anomaly detection dataset using ten desirable requirements. Subsequently, the article presents the produced dataset named UGRansome, created with up-to-date and modern network traffic (netflow), which represents cyclostationary patterns of normal and abnormal classes of threatening behaviours. It was discovered that the timestamp of various network attacks is inferior to one minute and this feature pattern was used to record the time taken by the threat to infiltrate a network node. The main asset of the proposed dataset is its implication in the detection of zero-day attacks and anomalies that have not been explored before and cannot be recognised by known threats signatures. For instance, the UDP Scan attack has been found to utilise the lowest netflow in the corpus, while the Razy utilises the highest one. In turn, the EDA2 and Globe malware are the most abnormal zero-day threats in the proposed dataset. These feature patterns are included in the corpus, but derived from two well-known datasets, namely, UGR’16 and ransomware that include real-life instances. The former incorporates cyclostationary patterns while the latter includes ransomware features. The UGRansome dataset was tested with cross-validation and compared to the KDD99 and NSL-KDD datasets to assess the performance of Ensemble Learning algorithms. False alarms have been minimized with a null empirical error during the experiment, which demonstrates that implementing the Random Forest algorithm applied to UGRansome can facilitate accurate results to enhance zero-day threats detection. Additionally, most zero-day threats such as Razy, Globe, EDA2, and TowerWeb are recognised as advanced persistent threats that are cyclostationary in nature and it is predicted that they will be using spamming and phishing for intrusion. Lastly, achieving the UGRansome balance was found to be NP-Hard due to real life-threatening classes that do not have a uniform distribution in terms of several instances.

show abstract

Section: Ip Addressmentioning

confidence: 99%

Section: Ip Addressmentioning

confidence: 99%

See 1 more Smart Citation

UGRansome1819: A Novel Dataset for Anomaly Detection and Zero-Day Threats

2021

View full text Add to dashboard Cite

show abstract

“…UNSW-NB15 is different from other datasets such as KDDCUPP99, which has fewer features [74]. The KDDCUP99and NSL-KDD datasets do not contain a set of attack types, while the CICIDS2017 dataset contains a new IoT attack generated from real network traffic such as structured query language (SQL) injection, brute force, XSS, Botnet, web attack, and infiltration [75]. The NSL-KDD and KDDCUP99 datasets are not suitable for evaluating network intrusion detection systems (NIDSs) for IOT; however, the RPL-NIDDS17 dataset includes attack and normal network traffic.…”

Section: Datasetsmentioning

confidence: 99%

Monitoring Real Time Security Attacks for IoT Systems Using DevSecOps: A Systematic Literature Review

et al. 2021

View full text Add to dashboard Cite

In many enterprises and the private sector, the Internet of Things (IoT) has spread globally. The growing number of different devices connected to the IoT and their various protocols have contributed to the increasing number of attacks, such as denial-of-service (DoS) and remote-to-local (R2L) ones. There are several approaches and techniques that can be used to construct attack detection models, such as machine learning, data mining, and statistical analysis. Nowadays, this technique is commonly used because it can provide precise analysis and results. Therefore, we decided to study the previous literature on the detection of IoT attacks and machine learning in order to understand the process of creating detection models. We also evaluated various datasets used for the models, IoT attack types, independent variables used for the models, evaluation metrics for assessment of models, and monitoring infrastructure using DevSecOps pipelines. We found 49 primary studies, and the detection models were developed using seven different types of machine learning techniques. Most primary studies used IoT device testbed datasets, and others used public datasets such as NSL-KDD and UNSW-NB15. When it comes to measuring the efficiency of models, both numerical and graphical measures are commonly used. Most IoT attacks occur at the network layer according to the literature. If the detection models applied DevSecOps pipelines in development processes for IoT devices, they were more secure. From the results of this paper, we found that machine learning techniques can detect IoT attacks, but there are a few issues in the design of detection models. We also recommend the continued use of hybrid frameworks for the improved detection of IoT attacks, advanced monitoring infrastructure configurations using methods based on software pipelines, and the use of machine learning techniques for advanced supervision and monitoring.

show abstract

“…This classification can be used to predict the possibility of an instance entering a specific class. This classification is based on Bayesian philosophy, which will be discussed further down [145]. The primary Bayesian classifier's efficiency, also known as the naïve Bayesian classifier, is comparable to decision trees and selective neural network classifiers in classification algorithms studies [144].…”

Section: Decision Treementioning

confidence: 99%

A Review of Intrusion Detection Systems in RPL Routing Protocol Based on Machine Learning for Internet of Things Applications

Seyfollahi

Ghaffari

2021

Wireless Communications and Mobile Computing

View full text Add to dashboard Cite

IPv6 routing protocol for low-power and lossy networks (RPL) has been developed as a routing agent in low-power and lossy networks (LLN), where nodes’ resource constraint nature is challenging. This protocol operates at the network layer and can create routing and optimally distribute routing information between nodes. RPL is a low-power, high-throughput IPv6 routing protocol that uses distance vectors. Each sensor-to-wire network router has a collection of fixed parents and a preferred parent on the path to the Destination-oriented directed acyclic graph (DODAG) graph’s root in steady-state. Each router part of the graph sends DODAG information object (DIO) control messages and specifies its rank within the graph, indicating its position within the network relative to the root. When a node receives a DIO message, it determines its network rank, which must be higher than all its parents’ rank, and then continues sending DIO messages using the trickle timer. As a result, DODAG begins at the root and eventually extends to encompass the whole network. This paper is the first review to study intrusion detection systems in the RPL protocol based on machine learning (ML) techniques to the best of our knowledge. The complexity of the new attack models identified for RPL and the efficiency of ML in intelligent and collaborative threats detection, and the issues of deploying ML in challenging LLN environments underscore the importance of research in this area. The analysis is done using research sources of “Google Scholar,” “Crossref,” “Scopus,” and “Web of Science” resources. The evaluations are assessed for studies from 2016 to 2021. The results are illustrated with tables and figures.

show abstract

Benchmarking of Machine Learning for Anomaly Based Intrusion Detection Systems in the CICIDS2017 Dataset

Cited by 268 publications

References 70 publications

UGRansome1819: A Novel Dataset for Anomaly Detection and Zero-Day Threats

UGRansome1819: A Novel Dataset for Anomaly Detection and Zero-Day Threats

Monitoring Real Time Security Attacks for IoT Systems Using DevSecOps: A Systematic Literature Review

A Review of Intrusion Detection Systems in RPL Routing Protocol Based on Machine Learning for Internet of Things Applications

Contact Info

Product

Resources

About