Open Access

ARTICLE

Unknown Attack Detection: Combining Relabeling and Hybrid Intrusion Detection

Gun-Yoon Shin¹, Dong-Wook Kim¹, Sang-Soo Kim², Myung-Mook Han^3,*

1 Department of Computer Engineering, Gachon University, Sungnam-si, 13120, Korea
2 Agency for Defense Development Songpa, Seoul, 05661, Korea
3 Department of Software, Gachon University, Sungnam-si, 13120, Korea

* Corresponding Author: Myung-Mook Han. Email:

Computers, Materials & Continua 2021, 68(3), 3289-3303. https://doi.org/10.32604/cmc.2021.017502

Received 01 February 2021; Accepted 11 March 2021; Issue published 06 May 2021

Abstract

Detection of unknown attacks like a zero-day attack is a research field that has long been studied. Recently, advances in Machine Learning (ML) and Artificial Intelligence (AI) have led to the emergence of many kinds of attack-generation tools developed using these technologies to evade detection skillfully. Anomaly detection and misuse detection are the most commonly used techniques for detecting intrusion by unknown attacks. Although anomaly detection is adequate for detecting unknown attacks, its disadvantage is the possibility of high false alarms. Misuse detection has low false alarms; its limitation is that it can detect only known attacks. To overcome such limitations, many researchers have proposed a hybrid intrusion detection that integrates these two detection techniques. This method can overcome the limitations of conventional methods and works better in detecting unknown attacks. However, this method does not accurately classify attacks like similar to normal or known attacks. Therefore, we proposed a hybrid intrusion detection to detect unknown attacks similar to normal and known attacks. In anomaly detection, the model was designed to perform normal detection using Fuzzy c-means (FCM) and identify attacks hidden in normal predicted data using relabeling. In misuse detection, the model was designed to detect previously known attacks using Classification and Regression Trees (CART) and apply Isolation Forest (iForest) to classify unknown attacks hidden in known attacks. As an experiment result, the application of relabeling improved attack detection accuracy in anomaly detection by approximately 11% and enhanced the performance of unknown attack detection in misuse detection by approximately 10%.

---

Keywords

---