SwiftIDS: Real-time intrusion detection system based on LightGBM and parallel intrusion detection mechanism

Bibliographic Details
Published in: Computers & Security, 2020-10, Vol. 97, p. 101984-12, Article 101984
Main Authors: Jin, Dongzi; Lu, Yiqin; Qin, Jiancheng; Cheng, Zhe; Mao, Zhongshu
Format: Article
Language: English
Description
Summary: High-speed networks are becoming common nowadays. Naturally, a challenge that arises is that an intrusion detection system (IDS) must detect attacks in a timely manner within the huge volumes of traffic data produced by high-speed networks. Existing IDSs, however, mainly focus on improving the detection rate and reducing the false alarm rate, and the resulting systems are complicated and time-consuming. In this paper, we propose an IDS named SwiftIDS, which is capable of analyzing massive traffic data in high-speed networks in a timely manner while keeping satisfactory detection performance. SwiftIDS achieves these goals through two approaches. The first is to adopt the light gradient boosting machine (LightGBM) as the intrusion detection algorithm to handle the massive traffic data. The motivation is not only to take advantage of LightGBM's effective detection performance, but also to use its native support for categorical features to simplify data preprocessing. The second is a parallel intrusion detection mechanism that analyzes traffic data arriving in different time windows concurrently. In this way, the delay caused by later-arriving data waiting for the end of the detection cycle of earlier-arriving data is avoided. The time efficiency and satisfactory detection performance of SwiftIDS are verified through offline experiments on three benchmark datasets. Furthermore, we perform a near real-time experiment to provide more convincing evidence of the timeliness of SwiftIDS.
ISSN: 0167-4048, 1872-6208
DOI: 10.1016/j.cose.2020.101984