TY - JOUR
T1 - Self-healing hybrid intrusion detection system
T2 - An ensemble machine learning approach
AU - Kushal, Sauharda
AU - Shanmugam, Bharanidharan
AU - Sundaram, Jawahar
AU - Thennadil, Suresh
N1 - Publisher Copyright:
© The Author(s) 2024.
PY - 2024/12
Y1 - 2024/12
N2 - The increasing complexity and adversity of cyber-attacks have prompted discussions in the cyber scenario for a prognosticate approach, rather than a reactionary one. In this paper, a signature-based intrusion detection system has been built based on C5 classifiers, to classify packets into normal and attack categories. Next, an anomaly-based intrusion detection was built based on the LSTM (Long-Short Term Memory) algorithm to detect anomalies. These anomalies are then fed into the signature generator to extract attributes. These attributes get uploaded into the C5 training set, aiding the ensemble model in continual learning with expanding signatures of unknown attacks. By generating signatures of unknown attacks, the self-healing attribute of the ensemble model contributes to the early detection of attacks. For the C5 classifier, the proposed model is evaluated on the UNSW-NB15 dataset, while for the LSTM model, it is evaluated on the ADFA-LD dataset. Compared to conventional models, the experimental results show better detection rates for both known and unknown attacks. The C5 classifier achieved a True Positive Rate of 97% while maintaining a false positive rate of 8%. Also, the LSTM model achieved a detection rate of 90% while retaining a 17% False Alarm Rate. As the proposed model learns, its performance in real network traffic also improves and it also eliminates human intervention when updating training data.
AB - The increasing complexity and adversity of cyber-attacks have prompted discussions in the cyber scenario for a prognosticate approach, rather than a reactionary one. In this paper, a signature-based intrusion detection system has been built based on C5 classifiers, to classify packets into normal and attack categories. Next, an anomaly-based intrusion detection was built based on the LSTM (Long-Short Term Memory) algorithm to detect anomalies. These anomalies are then fed into the signature generator to extract attributes. These attributes get uploaded into the C5 training set, aiding the ensemble model in continual learning with expanding signatures of unknown attacks. By generating signatures of unknown attacks, the self-healing attribute of the ensemble model contributes to the early detection of attacks. For the C5 classifier, the proposed model is evaluated on the UNSW-NB15 dataset, while for the LSTM model, it is evaluated on the ADFA-LD dataset. Compared to conventional models, the experimental results show better detection rates for both known and unknown attacks. The C5 classifier achieved a True Positive Rate of 97% while maintaining a false positive rate of 8%. Also, the LSTM model achieved a detection rate of 90% while retaining a 17% False Alarm Rate. As the proposed model learns, its performance in real network traffic also improves and it also eliminates human intervention when updating training data.
KW - Anomaly detection system
KW - Convolutional neural network
KW - Deep learning
KW - Long short-term memory
KW - Recurrent neural network
KW - Self-healing
UR - http://www.scopus.com/inward/record.url?scp=85190784502&partnerID=8YFLogxK
U2 - 10.1007/s44163-024-00120-9
DO - 10.1007/s44163-024-00120-9
M3 - Article
AN - SCOPUS:85190784502
SN - 2731-0809
VL - 4
SP - 1
EP - 20
JO - Discover Artificial Intelligence
JF - Discover Artificial Intelligence
IS - 1
M1 - 28
ER -