Title: ARMBoost+: Empowering stacking, ensemble, and boosting models for network intrusion detection with dynamic rule repository
Authors: Vullikanti Vivek, Bharadwaj Veeravalli
DOI: 10.1016/j.jnca.2025.104292
Journal: Journal of Network and Computer Applications, volume 243, Article 104292
Publication date: 2025-08-27 (Journal Article; not open access)
URL: https://www.sciencedirect.com/science/article/pii/S1084804525001894
Journal metrics as listed by the indexing platform (Semantic Scholar): impact factor 8.0; JCR Q1 (Computer Science, Hardware & Architecture); Region 2 (Computer Science); citation count 0
ARMBoost+: Empowering stacking, ensemble, and boosting models for network intrusion detection with dynamic rule repository
As network security threats become increasingly complex, the need for efficient and effective network intrusion detection systems (NIDS) is more important than ever. Machine learning (ML) has emerged as a promising solution for NIDS due to its ability to analyze large volumes of network traffic data and detect suspicious patterns. In this paper, we propose ARMBoost+, a novel integrated approach for NIDS that builds a dynamic rule repository using a combination of stacking, ensemble, and boosting ML models together with associative rule mining (ARM) and Bloom filter techniques. The ARMBoost+ approach generates frequent feature sets using ARM and builds a feature repository using a Bloom filter to avoid duplicate patterns. We then use the feature repository to train the ML models, which are tested on live network traffic data to generate dynamic rules for the rule repository. The live traffic data allowed us to assess the performance and robustness of our NIDS under dynamic and unpredictable network scenarios. The dynamic rule repository is continuously updated with new attack patterns, ensuring that the NIDS is always up to date with the latest security threats. To evaluate the effectiveness of ARMBoost+, we conducted experiments using publicly available datasets and compared the results to existing NIDS approaches. We tested our approach under various scenarios, including running the ML models without ARM and without automated feature dropping, and running them with ARM and the Bloom filter. We employed several ML models, including a Stacking Classifier (with logistic regression (LR), random forest (RF), and support vector machine (SVM)), an Ensemble with SVM, AdaBoost with Decision Tree, Gradient Boosting, and XGBoost. Our experimental results demonstrate that the proposed ARMBoost+ integrated approach outperforms existing NIDS approaches in terms of accuracy and detection rates.
The combination of stacking, ensemble, and boosting ML models, along with ARM and the Bloom filter, proved to be highly effective in detecting network intrusions. The dynamic rule repository building approach allowed continuous updating of the NIDS with the latest attack patterns, resulting in improved performance over time. Furthermore, the ARMBoost+ approach showed robustness against various types of attacks, including denial-of-service (DoS) and port scanning attacks. We also observed that the inclusion of ARM and the Bloom filter resulted in a notable reduction in the False Positive Rate (FPR) of around 4.07% and improved the efficiency of the feature repository.
Journal description:
The Journal of Network and Computer Applications welcomes research contributions, surveys, and notes in all areas relating to computer networks and applications thereof. Sample topics include new design techniques, interesting or novel applications, components or standards; computer networks with tools such as the WWW; emerging standards for internet protocols; wireless networks; mobile computing; emerging computing models such as cloud computing and grid computing; applications of networked systems for remote collaboration and telemedicine, etc. The journal is abstracted and indexed in Scopus, Engineering Index, Web of Science, Science Citation Index Expanded and INSPEC.