Search Results (201)

Search Parameters:
Keywords = NIDS

19 pages, 7841 KB  
Article
A Network Intrusion Detection System Based on VAE-CWGAN and Feature Selection
by Shiwen Li and Ruifeng Shi
Information 2026, 17(5), 486; https://doi.org/10.3390/info17050486 (registering DOI) - 15 May 2026
Abstract
In network intrusion detection, class imbalance, the scarcity of minority-class attack samples, high feature dimensionality, and substantial feature redundancy are prevalent issues that limit the detection capability of intrusion detection models. To address these issues, this paper proposes a network traffic anomaly detection method based on a Variational Autoencoder and a Conditional Wasserstein Generative Adversarial Network (VAE-CWGAN). First, a feature selection strategy that combines ANOVA and mutual information is employed to select informative network traffic features, thereby improving the discriminative capability of the input features. Second, a minority-class sample generation model that integrates VAE and CWGAN is constructed. The VAE is used to learn the latent distribution characteristics of minority-class attack samples, while class-conditional constraints and the Wasserstein distance are introduced to generate high-quality synthetic minority-class samples, thereby alleviating class imbalance in the training dataset. Finally, Random Forest (RF), a representative machine learning classifier, is adopted for the classification experiments. Experimental results on the NSL-KDD dataset demonstrate that the proposed method performs well in minority-class attack detection, achieving Precision, Recall, and F1-score values of 95.89%, 75.18%, and 84.28% for the R2L class and 77.08%, 55.22%, and 64.35% for the U2R class, respectively. Full article
(This article belongs to the Section Information Security and Privacy)
32 pages, 989 KB  
Article
The Physics, Information, and Computation of Perennial Learning: Kolmogorov Complexity, Information Distance, and Port-Hamiltonian Thermodynamics
by Chandrajit Bajaj
Entropy 2026, 28(5), 551; https://doi.org/10.3390/e28050551 (registering DOI) - 13 May 2026
Abstract
Real-world autonomous agents learn under nonstationarity, safety constraints, and finite energetic budgets. We develop a framework for perennial learning—agents that continuously refine their models while provably controlling the cost of forgetting—by unifying three classical pillars: Kolmogorov complexity, which equates scientific discovery with algorithmic compression; Landauer's principle, which assigns a minimal thermodynamic cost of \(k_B T \ln 2\) per erased bit to every irreversible model update; and port-Hamiltonian (PH) dynamics, whose \((J-R)\nabla H\) decomposition separates zero-cost reversible inference from costly irreversible forgetting by construction. The Maxwell demon analogy is formalized: each learning episode is a Szilard cycle in which information acquisition, belief transport, and memory erasure must balance thermodynamically. The information-distance framework, comprising the normalized information distance (NID) and normalized compression distance (NCD), provides a computable geometry for measuring learning progress and guiding curriculum design. We separate the ideal uncomputable regularizer based on prefix complexity from the practical compressor/MDL (minimum description length) surrogate that appears in optimization and prove a calibration lemma linking the two under a mild uniform-accuracy assumption. Under explicit regularity, compact-sublevel, and non-energy-extracting assumptions, we prove a passivity speed limit for curriculum-induced contractions of the effective feasible set. Under local asymptotic normality, we reprove that Fisher information is a local posterior codelength proxy rather than an exact theorem about algorithmic entropy. A conditional sequential information-budget proposition shows that the per-stage sample requirement scales as \(\widetilde{O}(\Delta k_t/\lambda_\star)\), where \(\Delta k_t\) is the number of materially changed model coordinates (not the total model complexity \(k_t\)); the \(k^3\to\Delta k\) improvement is conditional on a warm-start assumption and a chosen cold-start baseline. A double-integrator running example with a moving obstacle illustrates the architecture. Full article
28 pages, 2920 KB  
Article
NIDS-Mamba: Lightweight Network Intrusion Detection for IoT Sensor Networks via State Space Models
by Zixiang Ding, Jiahao Zheng and Xianyun Wu
Sensors 2026, 26(9), 2766; https://doi.org/10.3390/s26092766 - 29 Apr 2026
Viewed by 465
Abstract
The ubiquity of resource-constrained Internet-of-Things (IoT) nodes creates an urgent demand for network intrusion detection systems (NIDSs) optimized for edge devices with limited computing power. In this paper, we propose a new NIDS system based on Mamba. NIDS-Mamba uses a dynamic sparse attention and a lightweight state space to jointly learn from short-term anomaly and long-term attack patterns. We use standardized NF-UNSW-NB15 and NF-CSE-CIC-IDS2018 datasets to verify the effectiveness of this NIDS-Mamba model. We find that this NIDS-Mamba model is very effective in dealing with extreme class imbalance problems. In the NF-CSE-CIC-IDS2018 dataset, the model achieves 98.32% accuracy, 96.98% F1-score, and an AUC of 0.9996. Most notably, the model is very robust in handling extreme class imbalance problems in the NF-UNSW-NB15 dataset. It achieves 97.03% G-Mean, 0.7915 MCC, and 0.9983 AUC, far exceeding other baseline models. Compared to Transformer-based baselines, NIDS-Mamba achieves nearly an order-of-magnitude improvement in throughput while maintaining a parameter footprint compatible with edge deployment constraints. The proposed architecture effectively mitigates the quadratic complexity and memory wall inherent in standard Transformers, ensuring compatibility with limited RAM and strict energy constraints. The proposed model achieves a compact design with 1.12 million parameters and a peak inference memory of 5.4 MB, ensuring its feasibility for edge-based IoT nodes. These properties make NIDS-Mamba a strong candidate for deployment on IoT gateways and edge sensor nodes in smart home, industrial IoT, and critical infrastructure scenarios. Full article
(This article belongs to the Section Intelligent Sensors)
17 pages, 3548 KB  
Article
R-Snort: A Performance-Optimized Multi-Agent NIDS Architecture for SOHO and Edge-of-Things Networks Using Snort 3 on Raspberry Pi 5
by Julio Gómez López, Deian Orlando Petrovics Tabacu, Nicolás Padilla Soriano and Alfredo Alcayde García
Computers 2026, 15(5), 270; https://doi.org/10.3390/computers15050270 - 24 Apr 2026
Viewed by 571
Abstract
Network Intrusion Detection Systems (NIDSs) are critical to ensuring the resilience of modern digital infrastructures. Although traditionally deployed in large-scale corporate environments, the expanding threat landscape requires the integration of robust security measures into Small Office/Home Office (SOHO) and Edge-of-Things (EoT) networks. However, these environments often face significant constraints in terms of specialized hardware and technical expertise. This article presents R-Snort, an open-source NIDS based on Snort 3, optimized for low-cost Raspberry Pi 5 hardware. Its multi-agent architecture enables distributed deployment with centralized traffic analysis and cross-agent attack correlation, while an intuitive web interface simplifies alert visualization and system management for non-expert administrators. Its main contributions are: (1) a performance-optimized NIDS agent achieving 1 Gbps throughput; (2) a distributed multi-agent architecture enabling centralized event correlation and detection of multi-vector attacks; and (3) an IaC-based automated deployment framework with an intuitive web interface, democratizing professional-grade security for SOHO and EoT environments. Full article
24 pages, 1278 KB  
Article
A Study on a Network Intrusion Detection System Based on the Fusion of SAGEConv-GNN and a Transformer Encoder
by Hoang Duc Binh, Yong-ha Choi, Jaeyeong Jeong, Yong-Joon Lee and Dongkyoo Shin
Electronics 2026, 15(8), 1737; https://doi.org/10.3390/electronics15081737 - 20 Apr 2026
Viewed by 451
Abstract
A network intrusion detection system (NIDS) plays a critical role in protecting modern networked environments, but conventional approaches often struggle to balance the detection of previously unseen attacks with a low false alarm rate. This study proposes a hybrid intrusion detection model, HybridSAGETransformerGlobal, which integrates a SAGEConv-based graph neural network (GNN) and a Transformer encoder to jointly learn local structural information and global contextual dependencies from network traffic. In the proposed framework, network flows are represented as graph nodes, and edges are constructed using IP-group-aware k-nearest neighbors (KNNs) together with a temporal chain. The model further incorporates a gated fusion mechanism, multiple positional encodings, class weighting, label smoothing, and early stopping to improve training stability and detection performance. The proposed method was evaluated under a unified preprocessing and training pipeline on two benchmark datasets, UNSW-NB15 and CIC-IDS2017, using up to approximately 100,000 flow samples per dataset, and was compared with GCN, GAT, GraphSAGE, and a Transformer-only baseline. On UNSW-NB15, repeated-run evaluation over five random seeds showed that the proposed model achieved an accuracy of 0.9841 ± 0.0006, a macro-precision of 0.9684 ± 0.0010, a macro-recall of 0.9818 ± 0.0026, and a macro-F1-score of 0.9749 ± 0.0011, with statistically significant improvements over the strongest baseline in the macro-F1-score. On CIC-IDS2017, the proposed hybrid model also showed consistently strong performance, achieving an accuracy of 0.9749, a macro-precision of 0.9513, a macro-recall of 0.9722, a macro-F1-score of 0.9613, and an ROC-AUC of 0.9957. Additional ablation, sensitivity, and baseline re-optimization analyses further supported the robustness of the proposed design. 
These results suggest that a coordinated hybrid architecture combining structural graph learning and long-range contextual modeling can provide an effective framework for robust flow-based network intrusion detection under the evaluated settings. Full article
(This article belongs to the Special Issue Advances in Web Data Management)
29 pages, 7713 KB  
Article
Toward Adversarial Robustness Network Intrusion Detection Based on Multi-Model Ensemble Approach
by Thi-Thu-Huong Le, Jaehan Cho, Dawit Shin and Howon Kim
Sensors 2026, 26(8), 2478; https://doi.org/10.3390/s26082478 - 17 Apr 2026
Viewed by 406
Abstract
Machine learning-based network intrusion detection systems (NIDSs) remain vulnerable to adversarial manipulation, but the robustness literature for tabular NIDS data is still dominated by single-model, single-dataset, and non-adaptive evaluations. In this paper, we reposition the manuscript as a comparative robustness study of a four-component defense pipeline rather than as a claim of a universal defense primitive. We evaluate XGBoost, LightGBM, TabNet, and Residual MLP on RT_IOT2022 and Web_IDS23 under standard attacks, representative constrained/adaptive attacks, component-wise ablations, sample-fraction sensitivity, repeated-run significance tests, per-class F1 analysis, and computational-overhead measurements. The results show strong dataset and architecture dependence. On RT_IOT2022, tree-based models close most of the robustness gap under strong attacks but often only after large clean-accuracy reductions; Residual MLP achieves a more favorable balance, while the full defense stack over-regularizes TabNet. On Web_IDS23, aggregate robustness-gap reduction remains positive, yet simpler baselines such as adversarial-training-only or ensemble-only configurations frequently outperform the full four-stage pipeline in absolute clean/attack accuracy. Across both datasets, median filtering is the most fragile component: larger filter windows substantially degrade both clean and attacked accuracy, whereas contamination rate, anomaly-mixing weight, and ensemble size are comparatively stable. Representative constrained/adaptive evaluations reduce performance only modestly relative to standard FGSM/PGD, but per-class and overhead analyses show that minority-class collapse and training cost remain important deployment limitations. These findings support a more cautious conclusion: adversarial defense for tabular NIDS is validation driven and dataset specific, and the full defense stack should not be treated as a universal default. Full article
(This article belongs to the Special Issue Advances and Challenges in Sensor Security Systems)
24 pages, 1361 KB  
Article
Adaptive Decision-Level Intrusion Detection for Known and Zero-Day Attacks
by Joseph P. Mchina, Neema Mduma and Ramadhani S. Sinde
Network 2026, 6(2), 23; https://doi.org/10.3390/network6020023 - 9 Apr 2026
Viewed by 646
Abstract
Network Intrusion Detection Systems (NIDS) face increasing challenges from sophisticated cyber threats, particularly zero-day attacks that evade signature-based methods. While supervised learning is effective for known attack classification, it struggles with novel threats, whereas anomaly-based approaches suffer from high false positive rates and unstable thresholds. To address these limitations, this paper proposes a decision-level adaptive intrusion-detection framework combining hierarchical CNN-based closed-set classification with autoencoder-based zero-day detection in a cascade architecture. The framework enables deployment-time adaptation by dynamically adjusting class-specific confidence thresholds and fusion parameters without model retraining. Experiments on the CSE-CIC-IDS2018 dataset demonstrate strong closed-set performance, achieving 98.98% accuracy and a macro-F1-score of 0.9342, with improved recall for minority attack classes under adaptive thresholding. Under a zero-day evaluation protocol in which Web_Attacks and Infiltration are excluded from training and validation, the proposed approach achieves an F1-score of 0.9319 while maintaining a low false positive rate of 0.0019. The framework is further evaluated on the Simulated University Network Environment (SUNE) dataset representing campus network traffic, achieving 96.18% closed-set accuracy and 97.54% accuracy in the integrated cascade setting. These results demonstrate that the proposed framework effectively balances minority attack detection, zero-day identification, and false-alarm control in dynamic and resource-constrained network environments. Full article
(This article belongs to the Special Issue Artificial Intelligence in Effective Intrusion Detection for Clouds)
13 pages, 1775 KB  
Article
Cost-Sensitive Threshold Optimization for Network Intrusion Detection: A Per-Class Approach with XGBoost
by Jaehyeok Cha, Jisoo Jang, Dongil Shin and Dongkyoo Shin
Electronics 2026, 15(7), 1542; https://doi.org/10.3390/electronics15071542 - 7 Apr 2026
Viewed by 440
Abstract
Machine learning-based Network Intrusion Detection Systems (NIDSs) typically optimize uniform metrics such as accuracy and F1-score, overlooking the asymmetric cost structure of real-world security operations, where a missed attack (False Negative (FN)) far outweighs a false alarm (False Positive (FP)). We propose a cost-sensitive threshold optimization framework based on XGBoost, using a 10:1 FN-to-FP cost ratio derived from established cost models. We first demonstrate that the default threshold of 0.5 is suboptimal and that a globally optimized threshold of 0.08 substantially reduces total cost. However, a single global threshold cannot accommodate the heterogeneous detection characteristics of diverse attack types. We therefore introduce Per-Class Thresholding, which assigns independently optimized thresholds to each attack class. Evaluated on CIC-IDS2018 and UNSW-NB15 across five independent random seeds, our method achieves a 28.19% cost reduction over the Random Forest baseline on CIC-IDS2018, demonstrating that attack classes undetectable under the global threshold—including DDoS attack-LOIC-UDP (100%), DoS attacks-SlowHTTPTest (99.79%), and FTP-BruteForce (98.16%)—can achieve near-complete cost elimination through individual per-class threshold search. Cross-dataset validation on UNSW-NB15 further confirms that per-class thresholding consistently improves class-level detection, with cost reductions of 74.10% for Reconnaissance, 69.06% for Backdoor, and 54.42% for Analysis attacks. These results confirm that class-specific threshold calibration is essential for cost-effective intrusion detection. Full article
(This article belongs to the Special Issue IoT Security in the Age of AI: Innovative Approaches and Technologies)
15 pages, 896 KB  
Article
Enhancing Network Intrusion Detection Under Class Imbalance Using a Three-Discriminator Generative Adversarial Network
by Taesu Kim, Hyoseong Park, Dongil Shin and Dongkyoo Shin
Electronics 2026, 15(6), 1253; https://doi.org/10.3390/electronics15061253 - 17 Mar 2026
Viewed by 419
Abstract
Network Intrusion Detection Systems (NIDS) play a crucial role in protecting network environments against cyberattacks. However, traditional NIDS rely heavily on predefined attack signatures, which limits their ability to detect zero-day attacks. Although machine learning-based intrusion detection techniques have been widely adopted in Network Intrusion Prevention Systems (NIPS), publicly available network traffic datasets often suffer from severe class imbalance, leading to biased learning and degraded detection performance. To address this issue, this study proposes a data augmentation framework based on a 3D-GAN (Three-Discriminator Generative Adversarial Network). The proposed architecture integrates an autoencoder, a CNN (Convolutional Neural Network), and an LSTM (Long Short-Term Memory) network as parallel discriminators to capture the statistical, spatial, and temporal characteristics of network traffic. By jointly optimizing multiple discriminator losses, the framework enhances training stability and generates high-quality synthetic samples. Experiments were conducted on the CIC-UNSW-NB15 dataset using Random Forest-, XGBoost (eXtreme Gradient Boosting)-, and BiGRU (Bidirectional Gated Recurrent Unit)-based classifiers. Two augmented datasets were constructed to address class imbalance, containing approximately 100,000 and 350,000 samples, respectively. Among them, Dataset 2, augmented using the proposed 3D-GAN, demonstrated the most significant performance improvement. Compared to the original imbalanced dataset, the XGBoost classifier trained on Dataset 2 achieved approximately a 4% increase in both accuracy and F1-score, while reducing the false positive rate and false negative rate by approximately 3.5%. Furthermore, the optimal configuration attained an F1-score of 0.9816, indicating superior capability in modeling complex network traffic patterns.
Overall, this study highlights the potential of GAN-based data augmentation for alleviating class imbalance and improving the robustness and generalization of intrusion detection systems. Full article
19 pages, 2767 KB  
Article
WASAE-NIDS: Reverse-Frequency Class Weighting with GAN-Assisted Conditional Autoencoder for Network Intrusion Detection
by Keru Fu, Yunlong Shao, Adetokunbo Makanju and Zhida Li
Electronics 2026, 15(6), 1225; https://doi.org/10.3390/electronics15061225 - 15 Mar 2026
Viewed by 399
Abstract
Network intrusion detection systems (NIDS) are critical for maintaining the security and integrity of modern networks. Traditional IDS techniques, while effective, often struggle with the evolving nature of cyber threats and the need for real-time detection. This paper proposes WASAE-NIDS, a deep learning-based NIDS that leverages a generative adversarial network (GAN)-assisted conditional autoencoder combined with reverse-frequency class weighting to enhance detection, particularly under severe class imbalance. In evaluating NIDS benchmark datasets, our method demonstrates superior performance in detecting various types of cyber threats with high accuracy and improved performance on minority classes. The results demonstrate the potential of combining GAN-assisted representation learning and class weighting to improve NIDS robustness and effectiveness. Full article
13 pages, 30702 KB  
Article
Dual-Energy CT-Derived Parameters: A Promising Tool for Noninvasive Prediction of Glypican-3 in Hepatocellular Carcinoma
by Yiwan Guo, Fan Pu, Jinrong Yang, Aiping Yang, Ying Yang, Ruiyao Tang, Xin Li and Fan Yang
Diagnostics 2026, 16(6), 850; https://doi.org/10.3390/diagnostics16060850 - 12 Mar 2026
Viewed by 604
Abstract
Background/Objectives: Glypican-3 (GPC3), a membrane-bound heparan sulfate proteoglycan, has been identified as a promising target for both the diagnosis and treatment of hepatocellular carcinoma (HCC). However, the diagnosis of GPC3 expression mainly depended on invasive procedures. This study aimed to investigate the potential of dual-energy computed tomography (DECT)-derived parameters for noninvasive prediction of GPC3 expression in HCC. Methods: This retrospective study included 79 HCC patients with confirmed GPC3 immunohistochemistry and pretreatment contrast-enhanced DECT. Qualitative imaging features and quantitative DECT parameters, including iodine density of HCC (IDCa), normalized iodine density (NID), slope of spectral attenuation curve (λHU), and effective atomic number (Zeff), were evaluated in both arterial and portal venous phases. Univariate and multivariate logistic regression analyses were employed to identify independent predictors, and a combined model was subsequently constructed. Receiver operating characteristic (ROC) curve analysis was performed to assess the diagnostic efficiency of imaging parameters in predicting GPC3 expression. Interobserver agreement of DECT parameters was evaluated using intraclass correlation coefficients (ICC). Results: GPC3-positive HCCs demonstrated significantly higher arterial phase (AP) IDCa, NID, λHU, and Zeff (all p ≤ 0.001) than GPC3-negative HCCs. Multivariate logistic regression analysis identified NID-AP [Odds ratio (OR) = 2.00, p = 0.010] and peritumoral enhancement (OR = 9.25, p = 0.046) as independent predictors. The model combining NID-AP and peritumoral enhancement achieved the best diagnostic performance (AUC = 0.781, sensitivity = 67.86%, specificity = 78.26%) for predicting GPC3 expression. All DECT-derived parameters showed excellent interobserver reproducibility (ICC > 0.75 for all). 
Conclusions: Parameters derived from DECT, especially combining NID-AP and peritumoral enhancement, may be a potential tool to noninvasively predict GPC3 expression in HCC. Full article
(This article belongs to the Section Medical Imaging and Theranostics)
26 pages, 755 KB  
Article
A Stage-Wise Framework Using Class-Incremental Learning for Unknown DoS Attack Detection
by Juncheng Ge, Yaokai Feng and Kouichi Sakurai
Future Internet 2026, 18(3), 145; https://doi.org/10.3390/fi18030145 - 12 Mar 2026
Viewed by 601
Abstract
Denial-of-Service (DoS) attacks remain one of the most dangerous threats in modern Internet environments. They aim to overwhelm networks, servers, or online services with massive volumes of traffic, and maintaining service availability is a core pillar of cybersecurity. More importantly, DoS attack techniques continue to evolve. However, traditional intrusion detection systems (IDS) trained on fixed attack categories struggle to identify previously unknown DoS attack types and cannot dynamically incorporate newly emerging classes. To address this challenge, this study proposes a stage-wise network intrusion detection framework that integrates unknown attack detection, attack discovery, and class-incremental learning into a unified pipeline. The framework consists of three stages. First, an autoencoder-based anomaly detection approach is used to separate potential unknown DoS attack samples from known classes. Second, a clustering-and-merging strategy is applied to the detected unknown DoS samples to discover emerging attack clusters with similar structural characteristics. Third, the classifier architecture is expanded for each newly discovered cluster through a class-incremental learning mechanism, enabling the continual incorporation of new attack classes while maintaining stable detection performance on previously learned classes. Experimental results on the DoS category of the NSL-KDD dataset demonstrate that the proposed stage-wise framework can effectively isolate samples of unknown DoS attacks, accurately aggregate emerging attack clusters, and incrementally integrate newly discovered attack classes without significantly degrading recognition performance on previously learned classes. These results confirm the capability of the proposed framework to handle progressively emerging unknown DoS attacks. Full article
18 pages, 15483 KB  
Article
Unveiling Diagnostic Biomarkers in Autism: A Comparative Proteome Analysis of CNTNAP2 Knockout Mice and Human ASD Patients
by Andrew Kim, Ara Cho, Jiyeon Kim, Leandro Val Sayson, Hyun Ju Lee, Jae Hoon Cheong, Hee Jin Kim, Bung Nyun Kim and Eugene C. Yi
Biomolecules 2026, 16(3), 340; https://doi.org/10.3390/biom16030340 - 24 Feb 2026
Viewed by 758
Abstract
Autism Spectrum Disorder (ASD) is a biologically heterogeneous neurodevelopmental condition, presenting a major barrier to the identification of robust and translatable molecular biomarkers. Here, we employ a cross-species proteomic framework to identify conserved protein signatures associated with ASD. Quantitative proteomic profiling of brain and serum from CNTNAP2 knockout mice, integrated with serum proteomes from individuals with ASD, revealed 132 proteins consistently dysregulated across species. Functional pathway analyses implicated coordinated alterations in lipid metabolism, synaptic signaling, and immune regulation. To prioritize diagnostically informative candidates, we applied machine learning-based feature selection and identified a minimal panel of ten proteins (COL1A1, ITIH4, CLU, NID1, C5, MASP1, PON1, PLTP, HSPA5, and FETUB) that robustly discriminated ASD from control samples. Gene ontology and KEGG pathway analyses highlighted enrichment of immune regulatory pathways, synaptic transmission, oxidative stress responses, and lipid metabolic processes, consistent with emerging models linking neuroimmune dysregulation and metabolic imbalance to ASD pathophysiology. An XGBClassifier trained on this biomarker panel achieved strong performance in independent test sets (AUC = 0.75). Together, these findings establish cross-species proteomic integration combined with machine learning as a powerful strategy for uncovering conserved, biologically grounded biomarkers in ASD, providing a framework for future validation and translational development. Full article
(This article belongs to the Section Molecular Biomarkers)

6 pages, 380 KB  
Proceeding Paper
Bridging the Data Gap in ML-Based NIDS: An Automated Honeynet Platform for Generating Real-World Malware Traffic Datasets
by Gabriel Ulloa Cano, Gabriel Sánchez Pérez, José Portillo-Portillo, Linda Karina Toscano Medina, Aldo Hernández Suárez, Jesús Olivares Mercado, Héctor Manuel Pérez Meana, Luis Javier García Villalba and Pablo Velarde Alvarado
Eng. Proc. 2026, 123(1), 36; https://doi.org/10.3390/engproc2026123036 - 13 Feb 2026
Abstract
The effectiveness of Machine Learning (ML)-based Network Intrusion Detection Systems (NIDS) is critically hampered by the scarcity of realistic and up-to-date malware traffic datasets. To address this gap, we present an automated platform for generating real-world malware traffic datasets. Our solution leverages a production-environment honeynet (T-Pot), deployed within a university network and segmented via a secure WireGuard VPN, to capture live attacks using high-interaction honeypots (Dionaea, Cowrie, ADBhoney). A fully automated pipeline handles traffic capture, transfer, filtering based on honeypot logs, and malware analysis (VirusTotal, VxAPI). The output is the IPN-UAN-23 dataset—a curated, labeled corpus of malicious network traffic. This platform functions as a vital automated security tool, providing the continuous stream of actionable intelligence required to develop and refine robust ML-based NIDS within a DevSecOps lifecycle.
(This article belongs to the Proceedings of First Summer School on Artificial Intelligence in Cybersecurity)

36 pages, 2641 KB  
Article
An Optimized Deep Learning Approach for Multiclass Anomaly Detection
by Saad Khalifa, Mohamed Marie and Wael Mohamed
Information 2026, 17(2), 183; https://doi.org/10.3390/info17020183 - 11 Feb 2026
Abstract
The increasing scale and imbalance of modern network traffic pose significant challenges for multi-class intrusion detection systems (IDSs), particularly in identifying rare attack types. Traditional intrusion detection approaches based on supervised classification or unsupervised anomaly detection often suffer from limited generalization under severe class imbalance, high-dimensional feature spaces, and noisy traffic, resulting in poor detection of minority attack classes. To address these limitations, this study presents a hybrid intrusion detection framework that integrates unsupervised feature learning, anomaly scoring, and supervised classification within a unified pipeline. A denoising autoencoder trained exclusively on normal traffic is employed to learn compact and noise-resistant feature representations, while an isolation forest independently generates statistical anomaly scores. These complementary features are then fused and classified using a Light Gradient Boosting Machine (LightGBM). The main contribution of this work lies in the effective integration of these components, combined with a balanced training strategy based on the Synthetic Minority Over-sampling Technique with Edited Nearest Neighbors (SMOTE-ENN), as well as robust validation procedures. The framework is evaluated on the Network Security Laboratory Knowledge Discovery and Data Mining dataset (NSL-KDD) and the UNSW-NB15 intrusion detection dataset using stratified cross-validation and multiple independent runs. Experimental results demonstrate consistently high classification accuracy (~99%) and strong macro-F1 performance (>97%) across all attack categories on both NSL-KDD and UNSW-NB15 datasets. The framework achieves exceptional detection of rare classes (R2L: 99% F1, U2R: 100% F1), significantly outperforming prior approaches (AE-SAC: 83.97% F1, RL-NIDS: poor U2R recall), while maintaining low inference latency (~2–3 ms per sample, 415 samples/second) suitable for real-time network security deployment.
(This article belongs to the Section Information Security and Privacy)