Boosting algorithms for network intrusion detection: A comparative evaluation of Real AdaBoost, Gentle AdaBoost and Modest AdaBoost
Introduction
In recent years, the Internet and its underlying infrastructure have become integral parts of the daily life of human society. The Internet plays an active role in connecting billions of machines in different applications, e.g. healthcare, industry, and business. It provides a global network infrastructure to connect a massive number of virtual and physical things like communication devices, Cyber Physical Systems (CPSs), and social networks (Al-Fuqaha et al., 2015). The trend of connecting the world leads to an exponential growth in the amount of human- and machine-generated network traffic that passes through the network infrastructure to reach its destinations. According to the Mobile and Wireless Communications Enablers for the Twenty-Twenty Information Society (METIS) (METIS, 2020), the volume of mobile and wireless network traffic is expected to increase more than a thousand-fold in the next decade. Moreover, there are concrete reasons to expect 50 billion connected devices in the world by 2025 (Beyene et al., 2017). Cisco reported that around 71% of total IP traffic by 2022 will be related to wireless and mobile devices (Conti et al., 2018), which obliges service providers to establish a robust and impenetrable network infrastructure for protecting users.
Due to the accelerating growth of Internet of Things (IoT) applications and of heterogeneous, vulnerable connected devices, the last few years have been the most difficult period from a security perspective. Although different techniques are emerging to detect and neutralize attacks, there are still severe concerns regarding the security and privacy of users. IBM X-Force Threat reports show that the client organizations monitored by this company experienced a lower percentage of attacks in 2016 than in 2015 (Tounsi and Rais, 2018); however, the reduction in cyber-attacks could mean that malicious users rely increasingly on proven attacks, and hence make fewer attempts per intrusion. Cyber attacks can hurt real-world infrastructures and disrupt vital services. In 2015, a malware (also called malicious software) targeted the electrical power supply network in Ukraine and caused a long power outage in the middle of the cold season (Liang et al., 2016). Furthermore, reports indicate a huge number of data breaches throughout the world, e.g. in Panama, Iceland, and the U.S. (Graves et al., 2018). Attackers release privileged or sensitive data on the Internet or other unsafe environments, which leads to serious economic loss.
Intensive studies have been carried out by academics and private companies to detect, prevent, and inactivate cyber-attacks. Based on fundamental techniques like Artificial Intelligence (AI) and statistical methods, different techniques have been proposed to improve the efficiency of IDSs (Kolias et al., 2011). The literature introduces the IDS as an essential element of every network security system. Machine learning algorithms, as a type of AI technique, have attracted a lot of attention in the literature as methods for early detection or prevention of network attacks (Sreeram and Vuppala, 2019). This scheme considerably reduces the need for human experts to detect abnormal patterns manually. In addition, motivated by recent advances and impressive performance in different fields such as mobile and wireless networks (Zhang et al., 2019), big data (Mohammadi et al., 2018), and computer vision (Akhtar and Mian, 2018), the feasibility of Deep Learning (DL), a branch of machine learning, for IDS purposes has been investigated by researchers (Wang et al., 2018). Here, one may categorize the main applications of machine learning in cybersecurity into five main classes:
1. Misuse/Signature detection
2. Anomaly detection
3. Hybrid detection
4. Scan detection
5. Profiling modules
A detailed investigation of these classes needs further discussion and is out of the scope of this paper. Interested readers are referred to Dua and Du (2016) and Buczak and Guven (2015) for detailed descriptions.
As a simple definition, an intrusion refers to any type of unauthorized activity that tries to harm or gain access to a digital system (Nisioti et al., 2018). In other words, any cyberattack that could cause possible damage to data confidentiality, integrity, or availability falls under the umbrella of the intrusion definition. On the other hand, an IDS can be defined as a piece of software or hardware that has the duty of monitoring an information system to identify malicious activities, users, and/or programs (Liao et al., 2013). According to Hindy et al. (2018), IDSs can be classified into two large groups: Signature-based Intrusion Detection Systems (SIDS) and Anomaly-based Intrusion Detection Systems (AIDS). SIDSs, also called Knowledge-based Detection systems, use prior knowledge of detected threats to create accurate signatures that recognize a known attack. The key advantage of SIDSs is that they can detect known attacks with reasonable accuracy (Kreibich and Crowcroft, 2004). Nevertheless, these methods perform poorly when confronting polymorphic and zero-day attacks, because there is no matching pattern (i.e. signature) in their databases (Khraisat et al., 2019). To address this poor performance of SIDSs in detecting zero-day and polymorphic attacks, AIDSs have been proposed.
Since AIDSs can overcome the limitations of SIDSs, they have attracted a lot of attention from researchers (Agrawal and Agrawal, 2015). Anomaly-based IDSs leverage machine learning, statistical, or knowledge-based techniques to model the normal patterns of an information system. If a user or program deviates considerably from the normal pattern, the AIDS considers it a potential anomaly, and consequently, based on further evaluation, an intrusion. Implementation of an AIDS consists of two important phases: the training phase and the testing phase (Patcha and Park, 2007). During the training phase, the AIDS tries to extract knowledge and learn normal behaviors. In the testing phase, the system is exposed to unseen data to evaluate its performance. The literature on anomaly-based IDSs reveals that different kinds of machine learning methods have been used for developing AIDSs. Based on the training phase, one can categorize these methods into five groups:
1. Supervised Learning
2. Unsupervised Learning
3. Semi-supervised Learning
4. Weakly Supervised Learning
5. Reinforcement Learning (RL)
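The SIDS/AIDS distinction and the two-phase (training, testing) structure of an AIDS described above, as an added example that is not part of the paper: a toy signature-based detector, which matches flow records against a constructed database of known attack patterns, beside a toy anomaly-based detector, which learns a per-feature profile of normal traffic in a training phase and flags records whose z-score exceeds a threshold in the testing phase. The signatures, the flow fields (`proto`, `flag`, `dst_port`, `pps`, `bpp`, `duration`), the threshold and all records are constructed for this illustration. The third record is an attack with no signature in the database, which is the zero-day case the text describes: the SIDS misses it, the AIDS flags it.

```python
"""Added example (not from the paper): a toy signature-based IDS beside a toy
anomaly-based IDS, evaluated on constructed flow records."""
import random
import statistics

# Constructed signatures of known attacks: a record matches when every field agrees.
SIGNATURES = {
    "syn_flood": {"proto": "tcp", "flag": "S", "pps_min": 500},
    "ntp_amplification": {"proto": "udp", "dst_port": 123, "bpp_min": 1000},
}


def sids(record):
    """Signature-based detection: return the name of the matching signature, else None."""
    for name, sig in SIGNATURES.items():
        if record["proto"] != sig["proto"]:
            continue
        if "flag" in sig and record.get("flag") != sig["flag"]:
            continue
        if "dst_port" in sig and record["dst_port"] != sig["dst_port"]:
            continue
        if record["pps"] < sig.get("pps_min", 0) or record["bpp"] < sig.get("bpp_min", 0):
            continue
        return name
    return None


class Aids:
    """Anomaly-based detection: learn the normal profile, flag large deviations from it."""
    FEATURES = ("pps", "bpp", "duration")

    def __init__(self, threshold=4.0):
        self.threshold = threshold  # largest |z-score| tolerated before a record is flagged
        self.mean, self.std = {}, {}

    def train(self, normal_records):
        """Training phase: only normal traffic is needed to build the profile."""
        for f in self.FEATURES:
            col = [r[f] for r in normal_records]
            self.mean[f] = statistics.mean(col)
            self.std[f] = statistics.pstdev(col) or 1e-9

    def score(self, record):
        """Largest absolute z-score of the record over the profiled features."""
        return max(abs(record[f] - self.mean[f]) / self.std[f] for f in self.FEATURES)

    def is_anomaly(self, record):
        """Testing phase: an unseen record is an anomaly if it deviates beyond the threshold."""
        return self.score(record) > self.threshold


def make_normal_records(n=200, seed=1):
    """Constructed baseline of normal HTTPS flows (pps, bytes per packet, duration)."""
    rng = random.Random(seed)
    return [{"proto": "tcp", "flag": "A", "dst_port": 443, "pps": rng.gauss(20, 5),
             "bpp": rng.gauss(600, 100), "duration": rng.gauss(30, 10)} for _ in range(n)]


# Constructed test records: a benign flow, a known attack, and an attack with no signature.
TEST_RECORDS = {
    "normal": {"proto": "tcp", "flag": "A", "dst_port": 443, "pps": 22, "bpp": 580, "duration": 28},
    "known_syn_flood": {"proto": "tcp", "flag": "S", "dst_port": 80, "pps": 800, "bpp": 40, "duration": 5},
    "novel_slow_exfil": {"proto": "tcp", "flag": "A", "dst_port": 443, "pps": 15, "bpp": 1400, "duration": 3600},
}


def run_demo():
    """Return {name: (signature matched or None, flagged by the AIDS)} per test record."""
    aids = Aids()
    aids.train(make_normal_records())
    return {name: (sids(r), aids.is_anomaly(r)) for name, r in TEST_RECORDS.items()}


if __name__ == "__main__":
    for name, (sig, anomalous) in run_demo().items():
        print(f"{name:>18}: SIDS={sig!r:<12} AIDS={'anomaly' if anomalous else 'normal'}")
```

The anomaly detector is deliberately simple (a per-feature z-score against a normal-only baseline); what matters for the text's argument is that it needs no prior knowledge of the attack, which is exactly where the signature matcher fails.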
Regardless of the natural differences among these methods in their training phase and in how they match input data to labels, each method has its own advantages and disadvantages. For example, some machine learning techniques are expected to perform properly on specific kinds of attacks but give a lacklustre performance on other kinds. Moreover, due to the broad range of cyber-attacks and the volume and attributes of network traffic, machine learning for IDSs faces serious challenges, e.g. extreme computational and time complexity (Aljawarneh et al., 2018).
As Buczak and Guven (2015) strongly emphasize, although there are many efforts to use ML techniques in IDSs, there is a big difference between using ML in IDSs and in other applications of ML. In most ML applications, a model is trained once at the beginning and can then be used for a long period; in most cases, there is no specific need to retrain the model within a short period. On the contrary, IDSs need to retrain ML models based on the different events listed below:
- Daily training (Bilge et al., 2011).
- Based on analyst requirements (Jemili et al., 2007).
- After identifying a new intrusion (Hansen et al., 2007).
- Upon recognizing any important changes in network behavior (D’Alconzo et al., 2019).
While the first three cases happen rarely or on a regular schedule, the last case occurs at a high rate in dynamic networks, e.g. IoT. Regarding network dynamicity, Network Traffic Monitoring and Analysis (NTMA) techniques recognize network changes that trigger the ML models to be retrained on the new network behavior.
In this paper, we leverage the well-known ensemble learning approach named boosting for intrusion detection applications and present a comparative evaluation of its main variants, i.e. the AdaBoost algorithms. Towards this end, we investigate the feasibility of intrusion detection by means of the best-known versions of the AdaBoost algorithms: Real AdaBoost (Schapire and Singer, 1999), Gentle AdaBoost (Friedman et al., 2000) and Modest AdaBoost (Vezhnevets and Vezhnevets, 2005). In Friedman et al. (2000), the authors compare the performance of Gentle AdaBoost with Real AdaBoost and show that Gentle AdaBoost generally performs better. In addition, in Vezhnevets and Vezhnevets (2005) the authors compare Modest AdaBoost with Gentle and Real AdaBoost; their results show that Modest AdaBoost performs better.
The main idea behind ensemble learning is to combine multiple models instead of using a single model in order to increase performance in machine learning, for example by constructing a set of decision trees as a committee or ensemble of classifiers instead of a single decision tree. One may refer to bagging, boosting, and stacking as the outstanding machine learning techniques that benefit from the ensemble learning idea. Among them, boosting is the most powerful method. The main contributions of our work are summarized as follows:
- Showing the advantages of using boosting approaches in IDSs and evaluating the well-known boosting approaches comparatively.
- Evaluating three of the most powerful boosting binary classifiers for accurate network intrusion detection based on the comparative results.
- Increasing the classification accuracy on the benchmark datasets by applying the major preprocessing steps before using the boosting algorithms.
- Leveraging five well-known intrusion detection datasets to evaluate the models, and providing example works from the literature to validate the results.
- Comparing the performance of Real, Gentle, and Modest AdaBoost in different aspects, e.g. running time and error rate, in IDSs.
- Identifying the best models among the three well-known AdaBoost algorithms to be used in IDSs based on their performance under frequent retraining.
The rest of the paper is organized as follows. Section 2 provides a survey of the state-of-the-art literature that tries to address intrusion detection issues. In Section 3, we present the necessary background on boosting, and the proposed methodology is described in Section 4, while the evaluation results and a comparative analysis are provided in Section 5. Finally, the conclusion is given in Section 6.
Section snippets
Previous work and background
In the context of IDSs, scholars have deployed different techniques, such as machine learning algorithms, data mining, and ensemble methods, to improve the accuracy of intrusion detection. This section surveys state-of-the-art research on intrusion detection systems to clarify the use of machine learning techniques in IDSs. We briefly review the related literature on the different ML techniques as follows. There are also some survey papers that focus on using ML techniques in IDSs and also
Ensemble learning
The significant advantages of ensemble learning over a single classifier motivate us to investigate the feasibility of using boosting algorithms for network intrusion detection. Before diving into the details of the evaluated methods, the necessary background on ensemble learning and the boosting approach is provided in this section.
A broad definition of ensemble systems refers to use multiple learning models instead of a single model to obtain better performance. Sheela’s paper is one of the
Using AdaBoost algorithms in IDSs
This section provides the details of the AdaBoost algorithms in different aspects. Let us assume that we have training data samples as follows: we can put these data samples in a random vector . Here, is an N-dimensional vector that models the network traffic features, and as an output variable shows the binary class label. The aim of a standard ML classification problem is to predict the class label for , depending on the feature vector . In
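The boosting idea from the Introduction (a committee of weak learners instead of one model) and the binary classification setting above (an N-dimensional feature vector with a class label in {-1, +1}), as one added example that is not code from the paper: Real, Gentle and Modest AdaBoost built on decision stumps, run over a constructed set of flow records with three features (bytes per packet, packets per second, distinct destination ports). Each round fits a stump to the weighted training data, adds the stump's real-valued leaf output f_m(x) to the additive score, and reweights every sample by exp(-y f_m(x)); the variants differ only in the leaf output (the half log-odds of Real AdaBoost, the weighted least-squares fit of Gentle AdaBoost, the inverted-distribution product of Modest AdaBoost) and in the stump-selection criterion. The data generator, feature names, the cap of 25 candidate thresholds per feature, and the choice to select Modest AdaBoost's stump by weighted least squares (as for Gentle) are assumptions of this example. The constructed data contains two attack types that differ from normal traffic on different features, so no single stump separates both and the ensemble has to combine splits.

```python
"""Added example (not from the paper): Real, Gentle and Modest AdaBoost with decision
stumps on constructed flow features; labels are +1 = attack, -1 = normal traffic."""
import math
import random

EPS = 1e-6  # smoothing so a pure leaf does not yield log(0) in Real AdaBoost

def make_flows(n_normal=150, n_scan=75, n_flood=75, seed=7):
    """Constructed records [bytes_per_packet, packets_per_sec, distinct_ports]; scans stand
    out on distinct_ports, floods on packets_per_sec (assumed, illustrative values)."""
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(n_normal):
        X.append([rng.gauss(600, 150), rng.gauss(20, 8), rng.randint(1, 3)]); y.append(-1)
    for _ in range(n_scan):
        X.append([rng.gauss(80, 30), rng.gauss(25, 8), rng.randint(20, 200)]); y.append(1)
    for _ in range(n_flood):
        X.append([rng.gauss(600, 150), rng.gauss(300, 80), rng.randint(1, 3)]); y.append(1)
    idx = list(range(len(X)))
    rng.shuffle(idx)
    return [X[i] for i in idx], [y[i] for i in idx]

def leaf_masses(X, y, w, feat, thr):
    """Weighted mass of +1 and -1 samples in each leaf of the stump 'x[feat] <= thr'."""
    wp, wn = [0.0, 0.0], [0.0, 0.0]
    for xi, yi, wi in zip(X, y, w):
        leaf = 0 if xi[feat] <= thr else 1
        if yi == 1:
            wp[leaf] += wi
        else:
            wn[leaf] += wi
    return wp, wn

def leaf_outputs(variant, wp, wn, bp=None, bn=None):
    """Real-valued output f_m(x) per leaf; bp/bn are masses under the inverted distribution."""
    out = []
    for l in range(2):
        if variant == "real":      # Friedman et al. (2000): 0.5 * log(P(y=1|leaf) / P(y=-1|leaf))
            out.append(0.5 * math.log((wp[l] + EPS) / (wn[l] + EPS)))
        elif variant == "gentle":  # weighted least-squares fit of y inside the leaf
            out.append((wp[l] - wn[l]) / (wp[l] + wn[l] + EPS))
        else:                      # modest: joint probabilities under w and under inverted w
            out.append(wp[l] * (1.0 - bp[l]) - wn[l] * (1.0 - bn[l]))
    return out

def fit_stump(variant, X, y, w, wbar):
    """Best stump by Z = sum_leaf 2*sqrt(W+ W-) (Real) or weighted squared error (others)."""
    best = None
    for feat in range(len(X[0])):
        vals = sorted(set(x[feat] for x in X))
        step = max(1, len(vals) // 25)                 # cap the number of candidate thresholds
        for i in range(0, len(vals) - 1, step):
            thr = (vals[i] + vals[i + 1]) / 2
            wp, wn = leaf_masses(X, y, w, feat, thr)
            if variant == "real":
                crit = sum(2 * math.sqrt(wp[l] * wn[l]) for l in range(2))
            else:
                g = leaf_outputs("gentle", wp, wn)
                crit = sum(wp[l] * (1 - g[l]) ** 2 + wn[l] * (1 + g[l]) ** 2 for l in range(2))
            if best is None or crit < best[0]:
                bp, bn = leaf_masses(X, y, wbar, feat, thr)
                best = (crit, feat, thr, leaf_outputs(variant, wp, wn, bp, bn))
    return best[1:]

def train_adaboost(variant, X, y, rounds=10):
    """Boost stumps for 'rounds' iterations; returns [(feature, threshold, leaf outputs)]."""
    n = len(X)
    w = [1.0 / n] * n
    model = []
    for _ in range(rounds):
        s = sum(1.0 - wi for wi in w)
        wbar = [(1.0 - wi) / s for wi in w]            # inverted distribution (Modest only)
        feat, thr, out = fit_stump(variant, X, y, w, wbar)
        model.append((feat, thr, out))
        # common reweighting step: w_i <- w_i * exp(-y_i f_m(x_i)), then normalise
        w = [wi * math.exp(-yi * out[0 if xi[feat] <= thr else 1]) for xi, yi, wi in zip(X, y, w)]
        z = sum(w)
        w = [wi / z for wi in w]
    return model

def predict(model, x):
    """Sign of the additive score sum_m f_m(x); +1 flags the flow as an intrusion."""
    score = sum(out[0 if x[feat] <= thr else 1] for feat, thr, out in model)
    return 1 if score > 0 else -1

def accuracy(model, X, y):
    return sum(predict(model, xi) == yi for xi, yi in zip(X, y)) / len(y)

def compare_variants(rounds=10):
    """Train each variant on 225 constructed flows and return held-out accuracy on 75."""
    X, y = make_flows()
    Xtr, ytr, Xte, yte = X[:225], y[:225], X[225:], y[225:]
    return {v: accuracy(train_adaboost(v, Xtr, ytr, rounds), Xte, yte)
            for v in ("real", "gentle", "modest")}

if __name__ == "__main__":
    for variant, acc in compare_variants().items():
        print(f"{variant:>6} AdaBoost held-out accuracy: {acc:.3f}")
```

Running `compare_variants()` trains the three ensembles and reports held-out accuracy; with two attack types on different features, the first round separates one type and the reweighting step then shifts mass onto the other, so the second round picks the complementary split. Note that the Modest leaf outputs are much smaller in magnitude than the Real ones (joint rather than conditional probabilities, damped by the inverted distribution), which is the "modest" reweighting the variant is named for.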
Evaluation and results
In this section, the performance of the AdaBoost techniques is evaluated to show how the techniques confront network intrusions in computer networks.
Conclusion
In this paper, three well-known AdaBoost binary classifiers are used as an intrusion detection system to process five public IDS datasets. The necessary preprocessing steps are applied, and the Real AdaBoost, Gentle AdaBoost, and Modest AdaBoost algorithms are used to deal with the binary classification problem. The simulation results on the datasets reveal that the proposed methods are efficient and make the boosting approach a strong player for intrusion data classification. By comparing, we observe that
CRediT authorship contribution statement
Amin Shahraki: Conceptualization, Methodology, Validation, Investigation, Formal Analysis, Writing - original draft, Writing - review & editing, Visualization. Mahmoud Abbasi: Software, Resources, Data curation, Writing - original draft. Øystein Haugen: Supervision, Project administration.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
References (78)
- et al. Afif4: deep gender classification based on adaboost-based fusion of isolated facial features and foggy faces. J. Vis. Commun. Image Represent. (2019)
- et al. Survey on anomaly detection using data mining techniques. Procedia Comput. Sci. (2015)
- et al. Anomaly-based intrusion detection system through feature selection analysis and building hybrid efficient model. J. Comput. Sci. (2018)
- et al. A decision-theoretic generalization of online learning and an application to boosting. J. Comput. System Sci. (1997)
- et al. Genetic programming for prevention of cyberterrorism through dynamic and evolving intrusion detection. Decis. Support Syst. (2007)
- et al. Fault diagnosis using novel adaboost based discriminant locality preserving projection with resamples. Eng. Appl. Artif. Intell. (2020)
- et al. A novel hybrid intrusion detection method integrating anomaly detection with misuse detection. Expert Syst. Appl. (2014)
- et al. Swarm intelligence in intrusion detection: A survey. Comput. Secur. (2011)
- et al. Intrusion detection system: A comprehensive review. J. Netw. Comput. Appl. (2013)
- et al. Pwadaboost: Possible world based adaboost algorithm for classifying uncertain data. Knowl.-Based Syst. (2019)