Boosting algorithms for network intrusion detection: A comparative evaluation of Real AdaBoost, Gentle AdaBoost and Modest AdaBoost

https://doi.org/10.1016/j.engappai.2020.103770

Abstract

Computer networks have experienced ever-increasing growth, since they play a critical role in many aspects of human life. Given their vulnerabilities, computer networks should be monitored regularly to detect intrusions and attacks using high-performance Intrusion Detection Systems (IDSs). IDSs try to differentiate between normal and abnormal behavior in order to recognize intrusions. Because malicious entities behave in complex ways, it is crucially important to adopt machine learning methods for intrusion detection that combine good detection performance with low time complexity. Boosting is considered one way to meet this challenge. In this paper, we prepare a clear summary of the latest progress in intrusion detection methods, present a technical background on boosting, and demonstrate the ability of three well-known boosting algorithms (Real AdaBoost, Gentle AdaBoost, and Modest AdaBoost) to act as IDSs, using five public IDS benchmark datasets. The results show that Modest AdaBoost has a higher error rate than Gentle and Real AdaBoost in IDSs. Gentle and Real AdaBoost show the same performance as each other, with about 70% lower error rates than Modest AdaBoost; however, Modest AdaBoost is about 7% faster than them. In addition, since IDSs need to retrain the model frequently, the results show that Modest AdaBoost performs much worse than Gentle and Real AdaBoost in terms of error-rate stability.

Introduction

In recent years, the Internet and its infrastructure have become integral parts of the daily life of human society. The Internet plays an active role in connecting billions of machines across different applications, e.g. healthcare, industry, and business. It provides a global network infrastructure that connects a massive number of virtual and physical things such as communication devices, Cyber Physical Systems (CPSs), and social networks (Al-Fuqaha et al., 2015). The trend of connecting the world leads to exponential growth in the amount of human- and machine-generated network traffic that crosses the network infrastructure to reach its destinations. According to the Mobile and Wireless Communications Enablers for the Twenty-Twenty Information Society (METIS) (METIS, 2020), the volume of mobile and wireless network traffic is expected to increase by more than a thousand-fold in the next decade. Moreover, there are concrete reasons to expect 50 billion connected devices in the world by 2025 (Beyene et al., 2017). Cisco reported that around 71% of total IP traffic by 2022 will be related to wireless and mobile devices (Conti et al., 2018), which obliges service providers to establish a robust and impenetrable network infrastructure to protect users.

Due to the accelerating growth of Internet of Things (IoT) applications and the heterogeneous, vulnerable devices they connect, recent years have been the most difficult period from a security perspective. Although different techniques are emerging to detect and neutralize attacks, there are still severe concerns regarding the security and privacy of users. IBM X-Force Threat reports show that the client organizations monitored by the company experienced a lower percentage of attacks in 2016 than in 2015 (Tounsi and Rais, 2018); however, the reduction in cyber-attacks could mean that malicious users rely increasingly on proven attacks, and hence need fewer attempts to achieve an intrusion. Cyber-attacks can hurt real-world infrastructure and disrupt vital services. In 2015, malware (also called malicious software) targeted the electrical power network supply in Ukraine and caused a long power outage in the middle of the cold season (Liang et al., 2016). Furthermore, reports indicate a huge number of data breaches throughout the world, e.g. in Panama, Iceland, and the U.S. (Graves et al., 2018). Attackers release privileged or sensitive data on the Internet or in other unsafe environments, which leads to serious economic loss.

Intensive studies have been carried out by academics and private companies to detect, prevent, and neutralize cyber-attacks. Building on fundamental techniques such as Artificial Intelligence (AI) and statistical methods, different techniques have been proposed to improve the efficiency of IDSs (Kolias et al., 2011). The literature introduces the IDS as an essential element of every network security system. Machine learning algorithms, as a type of AI technique, have attracted a lot of attention in the literature as methods for the early detection or prevention of network attacks (Sreeram and Vuppala, 2019). This approach largely eliminates the need for human experts to detect abnormal patterns manually. In addition, motivated by recent advances and impressive performance in fields such as mobile and wireless networks (Zhang et al., 2019), big data (Mohammadi et al., 2018), and computer vision (Akhtar and Mian, 2018), researchers have investigated the feasibility of Deep Learning (DL), a branch of machine learning, for IDS purposes (Wang et al., 2018). The main applications of machine learning in cybersecurity may be categorized into five main classes:

  1. Misuse/Signature detection
  2. Anomaly detection
  3. Hybrid detection
  4. Scan detection
  5. Profiling modules

A detailed investigation of these classes requires further discussion and is out of the scope of this paper. Interested readers are referred to Dua and Du (2016) and Buczak and Guven (2015) for detailed descriptions.

As a simple definition, an intrusion is any unauthorized activity that tries to harm or gain access to a digital system (Nisioti et al., 2018). In other words, any cyber-attack that could damage the confidentiality, integrity, or availability of data falls under the umbrella of the intrusion definition. An IDS, on the other hand, can be defined as a piece of software or hardware whose duty is to monitor an information system in order to identify malicious activities, users, and/or programs (Liao et al., 2013). According to Hindy et al. (2018), IDSs can be classified into two large groups: Signature-based Intrusion Detection Systems (SIDSs) and Anomaly-based Intrusion Detection Systems (AIDSs). SIDSs, also called knowledge-based detection systems, use prior knowledge of detected threats to create accurate signatures that recognize a known attack. The key advantage of SIDSs is that they can detect known attacks with reasonable accuracy (Kreibich and Crowcroft, 2004). Nevertheless, these methods perform poorly when confronted with polymorphic and zero-day attacks, because there is no matching pattern (i.e. signature) in their databases (Khraisat et al., 2019). AIDSs have been proposed to address this poor performance of SIDSs in detecting zero-day and polymorphic attacks.

Since AIDSs can overcome the limitations of SIDSs, they have attracted a lot of attention from researchers (Agrawal and Agrawal, 2015). Anomaly-based IDSs leverage machine learning, statistical, or knowledge-based techniques to model the normal patterns of an information system. If a user or program deviates considerably from the normal pattern, the AIDS considers it a potential anomaly and, after further evaluation, an intrusion. Implementing an AIDS consists of two important phases: the training phase and the testing phase (Patcha and Park, 2007). During the training phase, the AIDS tries to extract knowledge and learn normal behavior. In the testing phase, the system is exposed to unseen data to evaluate its performance. A study of the literature on anomaly-based IDSs reveals that many kinds of machine learning methods have been used to develop AIDSs. Based on the training phase, these methods can be categorized into five groups:

  1. Supervised Learning
  2. Unsupervised Learning
  3. Semi-supervised Learning
  4. Weakly Supervised Learning
  5. Reinforcement Learning (RL)

Apart from the natural differences among these methods in their training phase and in how they match input data to labels, each method has its own advantages and disadvantages. For example, some machine learning techniques are expected to perform well on specific kinds of attacks but give a lacklustre performance on others. Moreover, because of the broad range of cyber-attacks and the volume and attributes of network traffic, machine learning for IDSs must address serious challenges, e.g. extreme computational and time complexity (Aljawarneh et al., 2018).

As the authors of Buczak and Guven (2015) emphasize, although there have been many efforts to use ML techniques in IDSs, there is a big difference between using ML in IDSs and in other ML applications. In most ML applications, a model is trained once at the beginning and can then be used for a long period; in most cases there is no specific need to retrain the model within a short period. In contrast, IDSs need to retrain their ML models in response to the events listed below:

  • Daily training (Bilge et al., 2011).

  • Based on analyst requirements (Jemili et al., 2007).

  • After identifying a new intrusion (Hansen et al., 2007).

  • Upon recognizing any important changes in network behavior (D’Alconzo et al., 2019).

Whereas the first three cases happen rarely or on a regular schedule, the last case occurs at a high rate in dynamic networks, e.g. IoT. To cope with network dynamicity, Network Traffic Monitoring and Analysis (NTMA) techniques recognize changes in the network that trigger the ML models to be retrained on the new network behavior.

In this paper, we leverage the well-known ensemble learning approach named boosting for intrusion detection applications and present a comparative evaluation of its main variants, i.e. the AdaBoost algorithms. Towards this end, we investigate the feasibility of intrusion detection by means of the most famous versions of AdaBoost: Real AdaBoost (Schapire and Singer, 1999), Gentle AdaBoost (Friedman et al., 2000) and Modest AdaBoost (Vezhnevets and Vezhnevets, 2005). In Friedman et al. (2000), the authors compare the performance of Gentle AdaBoost with Real AdaBoost and show that Gentle AdaBoost generally performs better. In addition, in Vezhnevets and Vezhnevets (2005) the authors compare Modest AdaBoost with Gentle and Real AdaBoost, and their results show that Modest AdaBoost performs better.

The main idea behind ensemble learning is to combine multiple models instead of using a single model in order to increase performance, for example by constructing a set of decision trees as a committee or ensemble of classifiers instead of a single decision tree. Bagging, boosting, and stacking are the outstanding machine learning techniques that build on the ensemble learning idea; among them, boosting is the most powerful. The main contributions of our work are summarized as follows:

  • Showing the advantages of using boosting approaches in IDSs and evaluating the well-known boosting approaches comparatively.

  • Evaluating three of the most powerful boosting binary classifiers for accurate network intrusion detection based on the comparative results.

  • Increasing the classification accuracy on the benchmark datasets by using the major preprocessing steps before using boosting algorithms.

  • Leveraging five famous intrusion detection datasets to evaluate the models, and also provide example works from the literature to validate the results.

  • Comparing the performance of the Real, Gentle, and Modest AdaBoost in different aspects e.g., running time and error rate in IDSs.

  • Identifying the best models among three well-known AdaBoost algorithms to be used in IDS based on their performance on frequent retraining.

The rest of the paper is organized as follows. Section 2 surveys the state-of-the-art literature that tries to address intrusion detection issues. In Section 4, we present the necessary background on boosting, and the proposed methodology is described in Section 4, while the evaluation results and a comparative analysis are provided in Section 5. Finally, the conclusion is given in Section 6.


Previous work and background

In the context of IDSs, scholars have deployed different techniques, such as machine learning algorithms, data mining, and ensemble methods, to improve the accuracy of intrusion detection. This section surveys state-of-the-art research on intrusion detection systems to clarify the use of machine learning techniques in IDSs. We briefly review the related literature for the different ML techniques as follows. There are also some survey papers that focus on using ML techniques in IDSs and also

Ensemble learning

The significant advantages of ensemble learning over a single classifier motivate us to investigate the feasibility of using boosting algorithms for network intrusion detection. Before diving into the details of the evaluated methods, this section provides the necessary background on ensemble learning and the boosting approach.

A broad definition of ensemble systems refers to using multiple learning models instead of a single model to obtain better performance. Sheela’s paper is one of the

Using AdaBoost algorithms in IDSs

This section provides the details of the AdaBoost algorithms from different aspects. Let us assume that we have $N$ training data samples $(x_1, y_1), \ldots, (x_N, y_N)$, with $x_i \in \mathbb{R}^k$ and $y_i \in \{-1, +1\}$; we can put these data samples in a random vector $(X, Y)$. Here, $X$ is an $N$-dimensional vector that models the network traffic features, and $Y$ is an output variable that shows the binary class label. The aim of a standard ML classification problem is to predict the class label $Y$ depending on the feature vector $X$. In
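The three AdaBoost variants the paper compares differ only in how each round turns a weak learner into an additive term $f_m(x)$ and how that term reweights the training samples. The following pure-Python example is added here and is not the paper's code: it implements Real, Gentle and Modest AdaBoost side by side over decision stumps and measures their test error on a constructed set of flow records. Its assumptions: a single weighted-least-squares stump selection is shared by all three variants and only the leaf values differ (Friedman et al. fit a classifier for Real AdaBoost; reusing the regression split is a simplification), the leaf values follow Friedman et al. (2000) for Real and Gentle and Vezhnevets and Vezhnevets (2005) for Modest (inverted distribution $\bar w_i \propto 1 - w_i$), `EPS` is a smoothing constant, and the flow features (packets per second, distinct destination ports, SYN ratio) are synthetic stand-ins for the paper's five benchmark datasets.

```python
import math
import random

EPS = 1e-6  # assumed smoothing constant for Real AdaBoost's log-odds leaves

# Constructed sample data (not from the paper's datasets): each flow record is
# (packets_per_second, distinct_dst_ports, syn_ratio) with label -1 (normal) or +1 (attack).
def make_flows(n, seed=7):
    rng = random.Random(seed)
    xs, ys = [], []
    for _ in range(n):
        kind = rng.choice(["normal", "normal", "flood", "scan"])
        if kind == "normal":
            xs.append((rng.gauss(200, 80), rng.randint(1, 8), rng.uniform(0.1, 0.6))); ys.append(-1)
        elif kind == "flood":   # high packet rate, few ports
            xs.append((rng.gauss(900, 250), rng.randint(1, 8), rng.uniform(0.4, 1.0))); ys.append(+1)
        else:                   # scan: normal rate, many destination ports
            xs.append((rng.gauss(200, 80), rng.randint(60, 300), rng.uniform(0.4, 1.0))); ys.append(+1)
    return xs, ys

def fit_stump(xs, ys, w):
    """Pick (feature, threshold) minimising weighted squared error of a two-leaf regression stump.
    With y in {-1,+1} that is the same as maximising S_l^2/W_l + S_r^2/W_r (S = sum w*y, W = sum w)."""
    n, k = len(xs), len(xs[0])
    w_tot = sum(w)
    s_tot = sum(w[i] * ys[i] for i in range(n))
    best = None
    for j in range(k):
        order = sorted(range(n), key=lambda i: xs[i][j])
        w_l = s_l = 0.0
        for pos in range(n - 1):
            i = order[pos]
            w_l += w[i]; s_l += w[i] * ys[i]
            if xs[i][j] == xs[order[pos + 1]][j]:
                continue                      # no split between identical values
            w_r, s_r = w_tot - w_l, s_tot - s_l
            gain = s_l * s_l / w_l + s_r * s_r / w_r
            if best is None or gain > best[0]:
                best = (gain, j, (xs[i][j] + xs[order[pos + 1]][j]) / 2)
    return best[1], best[2]

def leaf_values(variant, xs, ys, w, wbar, j, thr):
    """Additive term f_m for the two leaves (index 0: x_j <= thr, 1: x_j > thr)."""
    W = [[0.0, 0.0], [0.0, 0.0]]      # W[leaf][class] mass under the boosting weights w
    Wbar = [[0.0, 0.0], [0.0, 0.0]]   # same under Modest AdaBoost's inverted distribution
    for i, x in enumerate(xs):
        leaf, c = (1 if x[j] > thr else 0), (1 if ys[i] > 0 else 0)
        W[leaf][c] += w[i]; Wbar[leaf][c] += wbar[i]
    vals = []
    for leaf in range(2):
        wm, wp = W[leaf]
        if variant == "real":       # half log-odds of P_w(y=+1 | leaf)
            vals.append(0.5 * math.log((wp + EPS) / (wm + EPS)))
        elif variant == "gentle":   # weighted least-squares fit of y in the leaf
            vals.append((wp - wm) / (wp + wm + EPS))
        else:                       # modest: P+(1 - Pbar+) - P-(1 - Pbar-)
            bm, bp = Wbar[leaf]
            vals.append(wp * (1 - bp) - wm * (1 - bm))
    return vals

def train(variant, xs, ys, rounds=30):
    n = len(xs)
    w = [1.0 / n] * n
    model = []
    for _ in range(rounds):
        total = sum(w); w = [wi / total for wi in w]
        bar = [1 - wi for wi in w]; bt = sum(bar); wbar = [b / bt for b in bar]
        j, thr = fit_stump(xs, ys, w)
        vals = leaf_values(variant, xs, ys, w, wbar, j, thr)
        if variant == "modest" and vals[0] == 0 and vals[1] == 0:
            break                     # Modest AdaBoost stops once f_m contributes nothing
        model.append((j, thr, vals))
        for i, x in enumerate(xs):    # common update: w_i <- w_i * exp(-y_i f_m(x_i))
            w[i] *= math.exp(-ys[i] * (vals[1] if x[j] > thr else vals[0]))
    return model

def predict(model, x):
    score = sum(vals[1] if x[j] > thr else vals[0] for j, thr, vals in model)
    return 1 if score > 0 else -1

def error_rate(model, xs, ys):
    return sum(1 for x, y in zip(xs, ys) if predict(model, x) != y) / len(xs)

def compare(rounds=30):
    """Test error of each variant trained on one constructed sample and scored on a fresh one."""
    train_x, train_y = make_flows(400, seed=1)
    test_x, test_y = make_flows(200, seed=2)
    return {v: error_rate(train(v, train_x, train_y, rounds), test_x, test_y)
            for v in ("real", "gentle", "modest")}

if __name__ == "__main__":
    for variant, err in compare().items():
        print(f"{variant:>7} AdaBoost test error: {err:.3f}")
```

The weight update line is the same for all three variants; what changes is the size of $f_m$. Real AdaBoost's log-odds leaves can be large, Gentle's are bounded in $[-1, 1]$, and Modest's are damped by the inverted-distribution factors, which is the mechanism behind the slower but more conservative updates the paper reports for Modest AdaBoost.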

Evaluation and results

In this section, the performance of the AdaBoost techniques is evaluated to show how they confront network intrusions in computer networks.

Conclusion

In this paper, three well-known AdaBoost binary classifiers are used as intrusion detection systems to process five public IDS datasets. The necessary preprocessing steps are applied, and the Real AdaBoost, Gentle AdaBoost, and Modest AdaBoost algorithms are used to solve the binary classification problem. The simulation results on the datasets reveal that the proposed methods are efficient and make the boosting approach a strong player in intrusion data classification. By comparing, we observe that

CRediT authorship contribution statement

Amin Shahraki: Conceptualization, Methodology, Validation, Investigation, Formal Analysis, Writing - original draft, Writing - review & editing, Visualization. Mahmoud Abbasi: Software, Resources, Data curation, Writing - original draft. Øystein Haugen: Supervision, Project administration.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References (78)

  • Patcha, A. et al., 2007. An overview of anomaly detection techniques: Existing solutions and latest technological trends. Comput. Netw.
  • Sreeram, I. et al., 2019. HTTP flood attack detection in application layer using machine learning metrics and bio inspired bat algorithm. Appl. Comput. Inform.
  • Tang, D. et al., 2020. MF-AdaBoost: LDoS attack detection based on multi-features and improved AdaBoost. Future Gener. Comput. Syst.
  • Tounsi, W. et al., 2018. A survey on technical threat intelligence in the age of sophisticated cyber attacks. Comput. Secur.
  • Tsai, C.-F. et al., 2009. Intrusion detection by machine learning: A review. Expert Syst. Appl.
  • Viegas, E.K. et al., 2017. Toward a reliable anomaly-based intrusion detection in real-world environments. Comput. Netw.
  • Akhtar, N. et al., 2018. Threat of adversarial attacks on deep learning in computer vision: A survey. IEEE Access.
  • Al-Fuqaha, A. et al., 2015. Internet of things: A survey on enabling technologies, protocols, and applications. IEEE Commun. Surv. Tutor.
  • Alhakami, W. et al., 2019. Network anomaly intrusion detection using a nonparametric Bayesian approach and feature selection. IEEE Access.
  • Ali, M.H. et al., 2018. A new intrusion detection system based on fast learning network and particle swarm optimization. IEEE Access.
  • Bamakan, S.M.H. et al., 2017. Ramp loss k-support vector classification-regression; a robust and sparse multi-class approach to the intrusion detection problem. Knowl.-Based Syst.
  • Beyene, Y.D. et al., 2017. Random access scheme for sporadic users in 5G. IEEE Trans. Wireless Commun.
  • Bilge, L., Kirda, E., Kruegel, C., Balduzzi, M., 2011. Exposure: Finding malicious domains using passive DNS analysis....
  • Breiman, L., 2017. Classification and Regression Trees.
  • Breiman, L. et al., 1984. Classification and Regression Trees.
  • Buczak, A.L. et al., 2015. A survey of data mining and machine learning methods for cyber security intrusion detection. IEEE Commun. Surv. Tutor.
  • Conti, M. et al., 2018. The dark side (-channel) of mobile devices: A survey on network traffic analysis. IEEE Commun. Surv. Tutor.
  • D’Alconzo, A. et al., 2019. A survey on big data for network traffic monitoring and analysis. IEEE Trans. Netw. Serv. Manag.
  • Dasarathy, B.V. et al., 1979. A composite classifier system design: concepts and methodology. Proc. IEEE.
  • Dua, S. et al., 2016. Data Mining and Machine Learning in Cybersecurity.
  • Faker, O. et al. Intrusion detection using big data and deep learning techniques.
  • Freund, Y., Schapire, R.E., 1996. Game theory, on-line prediction and boosting. In: Proceedings of the ninth annual...
  • Freund, Y. et al. Experiments with a new boosting algorithm.
  • Friedman, J. et al.
  • Friedman, J. et al., 2000. Additive logistic regression: a statistical view of boosting (with discussion and a rejoinder by the authors). Ann. Statist.
  • Gao, X. et al., 2019. An adaptive ensemble machine learning model for intrusion detection. IEEE Access.
  • Gosztolya, G. et al., 2019. Calibrating AdaBoost for phoneme classification. Soft Comput.
  • Graves, J.T. et al., 2018. Should credit card issuers reissue cards in response to a data breach?: Uncertainty and transparency in metrics for data security policymaking. ACM Trans. Internet Technol. (TOIT).
  • Hansen, L.K. et al., 1990. Neural network ensembles. IEEE Trans. Pattern Anal. Mach. Intell.