A novel open set Energy-based Flow Classifier for Network Intrusion Detection

IF 5.4 | CAS Zone 2 (Computer Science) | Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS
Manuela M.C. Souza , Camila T. Pontes , João J.C. Gondim , Luís P.F. Garcia , Luiz DaSilva , Eduardo F.M. Cavalcante , Marcelo A. Marotta
DOI: 10.1016/j.cose.2025.104569
Journal: Computers & Security, volume 157, Article 104569
Publication type: Journal Article, published 2025-06-23
Open access: no
URL: https://www.sciencedirect.com/science/article/pii/S0167404825002585
Citations: 0

Abstract

Several machine learning-based Network Intrusion Detection Systems (NIDS) have been proposed in recent years. Still, most of them were developed and evaluated under the assumption that the training context is similar to the test context. This assumption is false in real networks, given the emergence of new attacks and variants of known attacks. To deal with this reality, open set recognition, the general task of recognizing classes not seen during training, began to gain importance in machine learning-based NIDS research. Yet existing solutions often suffer from high time complexity and performance bottlenecks. In this work, we propose an algorithm for NIDS that performs open set recognition. Our proposal is an adaptation of the single-class Energy-based Flow Classifier (EFC), which has proved to have strong generalization capability and low computational cost. The new version of EFC correctly classifies not only known attacks but also unknown ones, and differs from other proposals in the literature by using a single layer with low time complexity. Our proposal was evaluated both against well-established multi-class algorithms and as an open set classifier, and proved to be an accurate classifier in both settings, comparable to the state of the art. We conclude that EFC is a promising algorithm for NIDS, given its high performance and applicability in real networks.
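The abstract names the Energy-based Flow Classifier but does not reproduce its training rule or its open-set decision rule, so the example below is an added illustration of the mechanism the abstract describes (known classes are recognised, flows from classes absent at training time are rejected as unknown); it is not the authors' code. It assumes a simplified energy model, which is an assumption for the example: one independent-site model per known class (local fields h_i(a) = -log P_i(a) over discretised flow features, no pairwise couplings), a per-class acceptance threshold at the 95th percentile of that class's training energies, and the rule that a flow no class accepts is labelled unknown. The feature bins, flow records and class names are constructed for the example.

```python
import math
import random
from collections import Counter

# Constructed feature schema: a flow is a tuple of N_FEATURES integer bin
# indices in [0, N_BINS). A real pipeline would bin duration, packet and byte
# counts, ports, flags, etc. from NetFlow or CIC-style records.
N_FEATURES = 4
N_BINS = 8
PSEUDOCOUNT = 0.5    # smoothing so a bin never seen in training gets a finite, high energy
THRESHOLD_Q = 0.95   # assumption: accept a flow only up to the 95th percentile of training energies


class EnergyModel:
    """Single-class energy model (assumed simplification: independent sites, no couplings).

    E(x) = sum_i h_i(x_i) with h_i(a) = -log P_i(a) estimated from the class's
    training flows. Low energy means 'looks like this class'; a bin unseen in
    training contributes about -log(PSEUDOCOUNT / denom), which is large.
    """

    def __init__(self, label):
        self.label = label
        self.fields = []       # per feature: {bin: local field h}
        self.threshold = None  # energy above which this model rejects a flow

    def fit(self, flows):
        n = len(flows)
        denom = n + PSEUDOCOUNT * N_BINS
        self.fields = []
        for i in range(N_FEATURES):
            counts = Counter(flow[i] for flow in flows)
            self.fields.append(
                {a: -math.log((counts.get(a, 0) + PSEUDOCOUNT) / denom) for a in range(N_BINS)}
            )
        energies = sorted(self.energy(flow) for flow in flows)
        self.threshold = energies[math.ceil(THRESHOLD_Q * n) - 1]
        return self

    def energy(self, flow):
        return sum(self.fields[i][flow[i]] for i in range(N_FEATURES))


class OpenSetEnergyClassifier:
    """One EnergyModel per known class; flows that every model rejects become 'unknown'."""

    def __init__(self):
        self.models = []

    def fit(self, labelled_flows):
        by_class = {}
        for flow, label in labelled_flows:
            by_class.setdefault(label, []).append(flow)
        self.models = [EnergyModel(label).fit(flows) for label, flows in sorted(by_class.items())]
        return self

    def predict(self, flow):
        # A closed-set classifier would return the lowest-energy class unconditionally;
        # the open-set step is the per-class threshold check before that choice.
        accepting = [m for m in self.models if m.energy(flow) <= m.threshold]
        if not accepting:
            return "unknown"
        return min(accepting, key=lambda m: m.energy(flow)).label


def make_flows(rng, n, bin_choices):
    """Constructed sample flows: feature i is drawn uniformly from bin_choices[i]."""
    return [tuple(rng.choice(bin_choices[i]) for i in range(N_FEATURES)) for _ in range(n)]


def build_demo_classifier(seed=0):
    """Train on two constructed known classes; nothing resembling a third class is in training."""
    rng = random.Random(seed)
    benign = make_flows(rng, 200, [[0, 0, 0, 1, 2]] * N_FEATURES)  # mostly bin 0, some 1 and 2
    dos = make_flows(rng, 200, [[5, 5, 5, 6]] * N_FEATURES)        # mostly bin 5, some 6
    training = [(f, "benign") for f in benign] + [(f, "dos") for f in dos]
    return OpenSetEnergyClassifier().fit(training)


if __name__ == "__main__":
    clf = build_demo_classifier()
    for flow in [(0, 0, 0, 0), (5, 5, 5, 5), (7, 7, 7, 7), (0, 0, 5, 5)]:
        energies = {m.label: round(m.energy(flow), 2) for m in clf.models}
        print(flow, energies, "->", clf.predict(flow))
```

The last two flows show what the closed-set assumption costs: (7, 7, 7, 7) uses bins never seen in training and (0, 0, 5, 5) mixes the two known signatures. A closed-set argmin would assign each to whichever known class has the lower energy, while the threshold check reports unknown, which is the event an analyst wants surfaced for a new attack or a variant. A model with pairwise couplings (which the independent-site assumption here omits) would additionally penalise unusual feature combinations that this model scores feature by feature.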
Source journal: Computers & Security (Engineering and Technology - Computer Science: Information Systems)
CiteScore: 12.40
Self-citation rate: 7.10%
Articles published: 365
Review time: 10.7 months
Journal description: Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.