Hybrid intrusion detection system based on Dempster-Shafer evidence theory

Bibliographic Details
Published in: Computers & Security, 2022-06, Vol. 117, p. 102709, Article 102709
Main Authors: Qiu, Weicheng; Ma, Yinghua; Chen, Xiuzhen; Yu, Haiyang; Chen, Lixing
Format: Article
Language: English
Summary: Cyber-attacks are becoming increasingly sophisticated, posing greater challenges in accurately detecting intrusions. Failure to prevent intrusions could degrade the credibility of security services. An Intrusion Detection System (IDS) is one of the most effective paradigms for identifying attack behaviors. This paper proposes a novel hybrid intrusion detection system called DST-IDS. The proposed method employs both packet-based and flow-based intrusion detection techniques and combines them with Dempster-Shafer Theory (DST). DST-IDS has an ensemble-like framework. It takes both traffic flows and their first N packets as inputs: the flow-based IDS classifies traffic flows, the packet-based IDS detects attacks in the corresponding packets, and DST is then applied to fuse the predictions of the flow-based and packet-based IDS into a final detection result. We also design a novel data collection/processing tool in DST-IDS that reduces the data volume required to perform intrusion detection and enables early detection. In addition, DST-IDS is designed to work with heterogeneous data distributions, where the distribution of the training dataset can differ from the data distribution encountered in deployment. This property drastically improves the practicality of DST-IDS. We run experiments on public datasets and real networks to evaluate the proposed method. The experimental results show that DST-IDS outperforms state-of-the-art benchmarks in terms of intrusion detection accuracy and detection speed. In particular, DST-IDS provides real-time detection in real networks and handles heterogeneous data distributions well.
ISSN: 0167-4048, 1872-6208
DOI: 10.1016/j.cose.2022.102709