LAUSR

A network intrusion detection system (IDS) is commonly recognized as an effective solution for identifying threats and malicious attacks. Due to the rapid emergence of threats and new attack vectors, novel and adaptive approaches must be considered to maintain the effectiveness of IDSs. In this paper, we present a novel Threat Intelligence Detection Model (TIDM) for online intrusion detection. The proposed TIDM focuses on the online processing of massive data flows and is accordingly able to reveal unknown connections, including zero-day attacks. The TIDM consists of three components: an optimized filter (OptiFilter), an adaptive and hybrid classifier, and an alarm component. The main contributions of the OptiFilter component are in its ability to continuously capture data flows and construct unlabeled connection vectors. The second component of the TIDM employs a hybrid model made up of an enhanced growing hierarchical self-organizing map (EGHSOM) and a normal network behavior (NNB) model to jointly identify unknown connections. The proposed TIDM updates the hybrid model continually in real-time. The model’s performance evaluation has been carried out in both offline and online operational modes using a quantitative approach that considers all possible evaluation metrics for the datasets and the hybrid classification method. The achieved results show that the proposed TIDM is able, with promising performance, to process massive data flows in real-time, classify unlabeled connections, reveal the label of unknown connections, and perform online updates successfully.