Bidirectional LSTM Autoencoder for Sequence Based Anomaly Detection in Cyber Security

Cyber-security is concerned with protecting information, a vital asset in today’s world. The volume of data that is generated can be usefully analyzed when cyber-security systems are effectively implemented with the aid of software support. Our approach is to determine normal behavior of a system based on sequences of system call traces made by the kernel processes in the system. This paper describes a robust and computationally efficient anomaly based host based intrusion detection system using an Encoder-Decoder mechanism. Using CuDNNLSTM networks, it is possible to obtain a set of comparable results with reduced training times. The Bidirectional Encoder and a unidirectional Decoder is trained on normal call sequences in the ADFA-LD dataset. Intrusion Detection is evaluated based on determining the probability of a sequence being reconstructed by the model representing normal data. The sequences with a low probability value are classified as an anomaly.

[1]  Jian Wang,et al.  Intrusion Prediction With System-Call Sequence-to-Sequence Model , 2018, IEEE Access.

[2]  Jiankun Hu,et al.  Generation of a new IDS test dataset: Time to retire the KDD collection , 2013, 2013 IEEE Wireless Communications and Networking Conference (WCNC).

[3]  Andrew L. Maas Rectifier Nonlinearities Improve Neural Network Acoustic Models , 2013 .

[4]  Yelong Shen,et al.  ReasoNet: Learning to Stop Reading in Machine Comprehension , 2016, CoCo@NIPS.

[5]  Yoshua Bengio,et al.  Attention-Based Models for Speech Recognition , 2015, NIPS.

[6]  Pavel Filonov,et al.  Multivariate Industrial Time Series with Cyber-Attack Simulation: Fault Detection Using an LSTM-based Predictive Data Model , 2016, ArXiv.

[7]  Kuldip K. Paliwal,et al.  Bidirectional recurrent neural networks , 1997, IEEE Trans. Signal Process..

[8]  Yoshua Bengio,et al.  Learning long-term dependencies with gradient descent is difficult , 1994, IEEE Trans. Neural Networks.

[9]  Paul Jacob,et al.  Host Based Intrusion Detection System with Combined CNN/RNN Model , 2018, Nemesis/UrbReas/SoGood/IWAISe/GDM@PKDD/ECML.

[10]  Minjia Zhang,et al.  DeepCPU: Serving RNN-based Deep Learning Models 10x Faster , 2018, USENIX Annual Technical Conference.

[11]  Yunheung Paek,et al.  LSTM-Based System-Call Language Modeling and Robust Ensemble Method for Designing Host-Based Intrusion Detection Systems , 2016, ArXiv.

[12]  Zoubin Ghahramani,et al.  An Introduction to Hidden Markov Models and Bayesian Networks , 2001, Int. J. Pattern Recognit. Artif. Intell..

[13]  Quoc V. Le,et al.  Sequence to Sequence Learning with Neural Networks , 2014, NIPS.

[14]  Feng Liu,et al.  Auto-encoder Based Data Clustering , 2013, CIARP.

[15]  Phil Blunsom,et al.  Optimizing Performance of Recurrent Neural Networks on GPUs , 2016, ArXiv.

[16]  Jürgen Schmidhuber,et al.  Long Short-Term Memory , 1997, Neural Computation.

[17]  Geoffrey E. Hinton,et al.  Speech recognition with deep recurrent neural networks , 2013, 2013 IEEE International Conference on Acoustics, Speech and Signal Processing.

[18]  Bowen Zhou,et al.  Abstractive Text Summarization using Sequence-to-sequence RNNs and Beyond , 2016, CoNLL.

[19]  Lovekesh Vig,et al.  LSTM-based Encoder-Decoder for Multi-sensor Anomaly Detection , 2016, ArXiv.

[20]  Navdeep Jaitly,et al.  Hybrid speech recognition with Deep Bidirectional LSTM , 2013, 2013 IEEE Workshop on Automatic Speech Recognition and Understanding.

[21]  Yoshua Bengio,et al.  A Neural Probabilistic Language Model , 2003, J. Mach. Learn. Res..