Network intrusion detection systems (NIDS) for detecting malicious attacks continue to face challenges. NIDS are often developed offline, yet they must contend with auto-generated port scan infiltration attempts, resulting in a significant time lag between adversarial adaptation and NIDS response. To address these challenges, we use hypergraphs focused on internet protocol addresses and destination ports to capture evolving patterns of port scan attacks. The derived set of hypergraph-based metrics is then used to train an ensemble machine learning (ML) based NIDS that allows for real-time adaptation in monitoring and detecting port scanning activities, other types of attacks, and adversarial intrusions at high accuracy, precision and recall. This adaptive ML NIDS was developed through the combination of (1) intrusion examples, (2) NIDS update rules, (3) attack threshold choices to trigger NIDS retraining requests, and (4) a production environment with no prior knowledge of the nature of network traffic. Forty scenarios were auto-generated to evaluate the ML ensemble NIDS comprising three tree-based models. The resulting ML ensemble NIDS was extended and evaluated with the CIC-IDS2017 dataset. Results show that under the model settings of an Update-ALL-NIDS rule (specifically, retrain and update all three models upon the same NIDS retraining request) the proposed ML ensemble NIDS evolved intelligently and produced the best results, with nearly 100% detection performance throughout the simulation.
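As an added illustration of the hypergraph idea in the abstract (this is example code written for this page, not the paper's implementation or its metric set), the block below builds a hypergraph from flow records in which the vertices are IP addresses and destination ports and each hyperedge is the set of vertices one source address touched within a window. From it, the block derives per-source metrics (hyperedge size, distinct ports, distinct hosts), a window-to-window drift score to expose evolving scan behaviour, a simple port-count flag, and the attack-threshold rule that raises a retraining request. The flow records, the thresholds (`port_threshold`, `attack_fraction`) and all function names are constructed assumptions for the example.

```python
"""Hypergraph metrics over flow records for port-scan monitoring (added example)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int]          # (source IP, destination IP, destination port)
Vertex = Tuple[str, object]          # ("ip", address) or ("port", number)

# Constructed sample windows: synthetic values made up for this example,
# not data from the paper or from CIC-IDS2017.
FLOWS_WINDOW_1: List[Flow] = [
    ("10.0.0.5", "10.0.1.10", 80), ("10.0.0.5", "10.0.1.10", 443),
    ("10.0.0.7", "10.0.1.11", 22),
    ("10.0.0.9", "10.0.1.10", 22), ("10.0.0.9", "10.0.1.10", 23),
    ("10.0.0.9", "10.0.1.10", 25), ("10.0.0.9", "10.0.1.10", 80),
    ("10.0.0.9", "10.0.1.10", 135), ("10.0.0.9", "10.0.1.10", 139),
    ("10.0.0.9", "10.0.1.10", 445), ("10.0.0.9", "10.0.1.10", 3389),
]
# In the next window the same source moves on to a new host and new ports.
FLOWS_WINDOW_2: List[Flow] = [
    ("10.0.0.5", "10.0.1.10", 80),
    ("10.0.0.9", "10.0.1.12", 21), ("10.0.0.9", "10.0.1.12", 22),
    ("10.0.0.9", "10.0.1.12", 8080), ("10.0.0.9", "10.0.1.12", 8443),
]


def build_hypergraph(flows: List[Flow]) -> Dict[str, Set[Vertex]]:
    """One hyperedge per source IP: the destination IP and port vertices it touched."""
    edges: Dict[str, Set[Vertex]] = defaultdict(set)
    for src, dst, port in flows:
        edges[src].add(("ip", dst))
        edges[src].add(("port", port))
    return dict(edges)


def vertex_degrees(edges: Dict[str, Set[Vertex]]) -> Dict[Vertex, int]:
    """Degree of a vertex = number of hyperedges (sources) that contain it."""
    deg: Dict[Vertex, int] = defaultdict(int)
    for members in edges.values():
        for v in members:
            deg[v] += 1
    return dict(deg)


def source_metrics(edges: Dict[str, Set[Vertex]]) -> Dict[str, Dict[str, float]]:
    """Per-source features a tree model could consume: size, port and host counts."""
    feats: Dict[str, Dict[str, float]] = {}
    for src, members in edges.items():
        ports = {v for v in members if v[0] == "port"}
        hosts = {v for v in members if v[0] == "ip"}
        feats[src] = {
            "edge_size": len(members),
            "distinct_ports": len(ports),
            "distinct_hosts": len(hosts),
            "ports_per_host": len(ports) / max(1, len(hosts)),
        }
    return feats


def edge_drift(prev: Dict[str, Set[Vertex]], cur: Dict[str, Set[Vertex]]) -> Dict[str, float]:
    """1 - Jaccard overlap of a source's hyperedge between windows; 1.0 = entirely new targets."""
    drift: Dict[str, float] = {}
    for src in set(prev) | set(cur):
        a, b = prev.get(src, set()), cur.get(src, set())
        union = a | b
        drift[src] = 1.0 - (len(a & b) / len(union) if union else 1.0)
    return drift


def flag_scanners(feats: Dict[str, Dict[str, float]], port_threshold: int = 5) -> List[str]:
    """Simple flag: a source touching at least port_threshold distinct ports in a window."""
    return sorted(src for src, f in feats.items() if f["distinct_ports"] >= port_threshold)


def retrain_requested(feats: Dict[str, Dict[str, float]], flagged: List[str],
                      attack_fraction: float = 0.25) -> bool:
    """Attack-threshold rule: request NIDS retraining when the share of flagged
    sources in the window exceeds attack_fraction (assumed rule shape, not the paper's)."""
    if not feats:
        return False
    return len(flagged) / len(feats) > attack_fraction


if __name__ == "__main__":
    h1, h2 = build_hypergraph(FLOWS_WINDOW_1), build_hypergraph(FLOWS_WINDOW_2)
    feats = source_metrics(h1)
    flagged = flag_scanners(feats)
    print("window-1 metrics:", feats)
    print("flagged sources:", flagged, "retrain:", retrain_requested(feats, flagged))
    print("drift into window 2:", edge_drift(h1, h2))
```

The drift score is what makes the hypergraph view useful for an adaptive NIDS: a source whose hyperedge keeps changing (new hosts, new port sets) looks different from a stable client even when its per-window port count falls below the flag threshold, and that change is the signal a retraining request is meant to capture.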