Student: 宋泉儒 (Song, Quan-Ru)
Thesis title: 基於改良式孤立森林演算法之惡意流量偵測
Anomaly Traffic Detection based on Improved Isolation Forest Algorithm
Advisor: 李忠憲 (Li, Jung-Shian)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Institute of Computer & Communication Engineering
Year of publication: 2020
Academic year of graduation: 108
Language: Chinese
Pages: 53
Keywords: Anomaly Traffic Detection, Intrusion Detection, Unsupervised Learning, Isolation Forest, Feature Selection (Chinese: 惡意流量偵測, 入侵偵測, 非監督式學習, 孤立森林, 特徵選擇)
Hits: 77, downloads: 0
    In recent years the number of Internet of Things devices has grown steadily and many devices have been automated, so information security has received increasing attention. Beyond traditional defenses, intrusion detection systems that can block malicious attacks before they succeed are being deployed in growing numbers. However, attackers' techniques are highly varied and spread extremely quickly, and many datasets are already too old or lack diversity. To improve their accuracy, intrusion detection systems have begun to use machine learning to identify malicious attacks, but machine learning is often accompanied by high computational cost and the need for labels. To address these problems, this study uses the CICIDS2017 dataset. In the data preprocessing stage, a random forest is first used to remove redundant and low-relevance features in order to lower computational cost; then isolation forest, an unsupervised method that requires no labels, is improved. The results show that after removing redundant features with the random forest, forest construction time drops by 20% and performance also improves, and the improved isolation forest achieves an F1-score 17.44% higher than the original isolation forest. The proposed method has linear complexity and performs best among the other linear unsupervised algorithms; compared with the higher-complexity VAE its F1-score is only 2.21% lower, and compared with supervised learning its accuracy is only 3.2% lower, giving it the better performance among related unsupervised learning methods.

    Due to the rapid development of the Internet, network security has gradually received attention, and many people have started to use intrusion detection systems (IDS) for defense, where network-based intrusion detection systems (NIDS) can alert network managers before an attack takes effect. However, because modern cyberattacks are fast and varied, traditional defense systems may not be able to detect attacks quickly and effectively.
    In recent years, network-based intrusion detection systems (NIDS) have used machine learning to increase detection rates, but the imbalance between abnormal and normal traffic causes machine learning models to classify most traffic as normal in order to improve accuracy, and most machine learning requires a lot of computing power, which is not suitable for lightweight devices such as those in the Internet of Things. Most of these systems use supervised machine learning, and the supervised method requires labels to optimize the model, but labels are not necessarily available in a new environment.
    This research performed data cleaning and data preprocessing on the CICIDS2017 dataset, then used a random forest to rank features and delete redundant ones. The improved isolation forest was then used for abnormal traffic detection. This research reduced the total build time by 20% and achieved 96.8% accuracy with a low-time-complexity unsupervised learning method.

    Table of contents (page numbers follow each entry):
    Abstract (Chinese) I
    Extended Abstract II
    Acknowledgements XXI
    Contents XXII
    List of Tables XXIV
    List of Figures XXV
    1. Introduction 1
        1.1 Research background 1
        1.2 Research motivation 3
        1.3 Contributions 5
        1.4 Thesis organization 6
    2. Related work 7
        2.1 Overview of network attacks 7
            Botnet 7
            Denial of Service attacks (DoS) 7
            Distributed Denial of Service attacks (DDoS) 8
            Infiltration attack 8
            Brute force attack 8
            Heartbleed attack 8
            Web attack 8
        2.2 Datasets used 9
        2.3 Intrusion detection systems 13
        2.4 Applications of unsupervised learning 15
            K-means 15
            Local Outlier Factor (LOF) 17
            Hidden Markov Models (HMM) 19
            Autoencoder 21
            One Class SVM 22
    3. System architecture 23
        3.1 Data preprocessing 24
        3.2 Feature selection 25
        3.3 Model construction 29
            3.3.1 Model introduction and construction 29
            3.3.2 Model improvement 34
    4. Experimental results 39
        4.1 Equipment and model evaluation metrics 39
        4.2 Comparison of feature selection and model improvement 42
        4.3 Comparison with related work 46
    5. Conclusion and future work 50
    References 51


    Full text available on campus: 2025-08-15
    Full text available off campus: 2025-08-15