A multi-label network attack detection approach based on two-stage model fusion
Yongqing Huang, Jin Gou, Zongwen Fan, Yongxin Liao, Yanmin Zhuang
Journal of Information Security and Applications, volume 83, Article 103790. Published 2024-05-22. Journal Article.
DOI: 10.1016/j.jisa.2024.103790
URL: https://www.sciencedirect.com/science/article/pii/S2214212624000930
Impact factor: 3.8. JCR: Q2 (Computer Science, Information Systems).
Citations: 0
Abstract
The diversification and complexity of network attacks pose a serious challenge to network security and lead to the phenomenon of overlapping attributes of network attack behaviors. In this context, traditional network attack detection methods are limited to single-label learning, which cannot effectively deal with complex and diverse network attacks. To better understand the relation between network attack behaviors and improve the effect of network security protection, we first analyze the well-known network attack datasets (UNSW-NB15 and CCCS-CIC-AndMal-2020) according to the proposed multi-label metrics. Subsequently, we propose a multi-label cyber-attack detection method based on two-stage model fusion. In the first stage, a category is selected based on the analysis of multi-label metrics, and binary classification is performed. In the second stage, the binary labels generated in the first stage are added to the feature space for the multi-label categorization. Experimental results show that the two-stage model fusion method effectively improves the performance of the baseline methods. In addition, we analyze the impact of different categories and binary classification performance for the multi-label detection. The experimental results show that, theoretically, when the binary classification accuracy of Normal and Adware reaches 77% and 95% respectively, the performance of the two-stage multi-label detection method exceeds the state-of-the-art methods. This indicates the effectiveness of the two-stage strategy used in our proposed method for improving the ability of multi-label network attack detection.
About the journal:
Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.