Network Traffic Anomaly Detection Using Recurrent Neural Networks

We show that a recurrent neural network can learn a model of the sequences of communications between computers on a network and use it to identify outlier network traffic. Defending computer networks is a challenging problem that is typically addressed by manually identifying known malicious actor behavior and then writing rules to recognize that behavior in network communications. Such rule-based approaches generalize poorly and detect only those patterns that are already known to researchers. An approach that does not rely on known malicious behavior patterns can potentially also detect previously unseen patterns. We tokenize and compress netflow records into sequences of "words" that form "sentences" representing a conversation between two computers. These sentences are then used to train a model that learns the semantic and syntactic grammar of this newly generated language. We use Long Short-Term Memory (LSTM) recurrent neural networks (RNNs) to capture the complex relationships and nuances of the language. The language model is then used to predict the communications between two IPs, and the prediction error serves as a measure of how typical or atypical the observed communications are. By learning a model that is specific to each network, yet general across typical computer-to-computer traffic within and outside that network, the language model identifies sequences of network activity that are outliers with respect to the model. We demonstrate unsupervised attack identification performance (AUC 0.84) on the ISCX IDS dataset, which contains seven days of network activity with normal traffic and four distinct attack patterns.
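The pipeline the abstract describes, as an added illustration that is not the paper's code: flows are tokenized into words (protocol, a coarse destination-port class, and log2-bucketed packet, byte and duration counts, a tokenization scheme assumed here, not the paper's), grouped by (src, dst) pair into sentences, a language model is fitted on normal traffic, and the mean per-word prediction error of a held-out conversation is its outlier score, ranked by AUC. An add-one-smoothed bigram model stands in for the paper's LSTM so the example runs with the standard library alone; the flow records are constructed, not ISCX data.

```python
"""Netflow-as-language anomaly scoring: tokenize flows into words, group them
into per-IP-pair sentences, fit a language model on normal traffic and use
prediction error (per-word surprisal) as the outlier score.  Stdlib only."""
import math
from collections import Counter, defaultdict

# Constructed netflow records for illustration (not ISCX data):
# (timestamp, src_ip, dst_ip, proto, dst_port, packets, bytes, duration_seconds)
TRAIN_FLOWS = [
    (1, "10.0.0.5", "93.184.216.34", "tcp", 443, 24, 18300, 1.2),
    (2, "10.0.0.5", "93.184.216.34", "tcp", 443, 31, 25000, 2.0),
    (3, "10.0.0.5", "10.0.0.2", "udp", 53, 2, 180, 0.01),
    (4, "10.0.0.5", "93.184.216.34", "tcp", 443, 18, 12000, 0.9),
    (5, "10.0.0.7", "151.101.1.69", "tcp", 443, 40, 60000, 3.5),
    (6, "10.0.0.7", "10.0.0.2", "udp", 53, 2, 200, 0.02),
    (7, "10.0.0.7", "151.101.1.69", "tcp", 443, 22, 15500, 1.1),
    (8, "10.0.0.9", "10.0.0.2", "udp", 53, 2, 170, 0.01),
    (9, "10.0.0.9", "172.217.16.46", "tcp", 443, 27, 20000, 1.6),
    (10, "10.0.0.9", "172.217.16.46", "tcp", 80, 12, 5000, 0.4),
]
TEST_FLOWS = [
    # benign: the same kind of DNS + HTTPS browsing as the training traffic
    (20, "10.0.0.11", "10.0.0.2", "udp", 53, 2, 190, 0.01),
    (21, "10.0.0.11", "93.184.216.34", "tcp", 443, 26, 19000, 1.4),
    (22, "10.0.0.11", "93.184.216.34", "tcp", 443, 20, 14000, 1.0),
    (23, "10.0.0.13", "151.101.1.69", "tcp", 443, 38, 55000, 3.2),
    (24, "10.0.0.13", "151.101.1.69", "tcp", 443, 23, 16000, 1.2),
    # outlier: one host probing several high ports on a server with single-packet flows
    (30, "10.0.0.66", "10.0.0.20", "tcp", 8080, 1, 60, 0.0),
    (31, "10.0.0.66", "10.0.0.20", "tcp", 8443, 1, 60, 0.0),
    (32, "10.0.0.66", "10.0.0.20", "tcp", 9200, 1, 60, 0.0),
    (33, "10.0.0.66", "10.0.0.20", "tcp", 3306, 1, 60, 0.0),
]
ATTACK_PAIRS = {("10.0.0.66", "10.0.0.20")}  # ground-truth label for the constructed outlier


def magnitude(x):
    """log2 bucket: compresses raw counts so that 18 and 24 packets share one word."""
    return int(math.log2(x + 1))


def port_class(port):
    """Coarse destination-port class (assumed scheme, not the paper's)."""
    if port in (80, 443):
        return "web"
    if port == 53:
        return "dns"
    if port == 22:
        return "ssh"
    return "low" if port < 1024 else "high"


def tokenize(flow):
    """One flow record -> one 'word' of the netflow language."""
    _, _, _, proto, dport, pkts, nbytes, dur = flow
    return "%s:%s:p%d:b%d:d%d" % (proto, port_class(dport), magnitude(pkts),
                                   magnitude(nbytes), magnitude(int(dur * 1000)))


def conversations(flows):
    """Group flows by (src, dst) in time order: each pair becomes one sentence."""
    by_pair = defaultdict(list)
    for flow in sorted(flows):  # timestamp is the first field
        by_pair[(flow[1], flow[2])].append(tokenize(flow))
    return by_pair


class BigramLM:
    """Add-one-smoothed bigram model standing in for the paper's LSTM language model."""

    def __init__(self):
        self.bigram = Counter()
        self.context = Counter()
        self.vocab = {"<s>", "</s>", "<unk>"}

    def fit(self, sentences):
        for sent in sentences:
            words = ["<s>"] + list(sent) + ["</s>"]
            self.vocab.update(words)
            for prev, cur in zip(words, words[1:]):
                self.bigram[(prev, cur)] += 1
                self.context[prev] += 1

    def surprisal(self, sentence):
        """Mean -log2 P(w_i | w_{i-1}): the prediction error used as the anomaly score.
        Words never seen in training map to <unk>, which the model finds improbable."""
        words = ["<s>"] + [w if w in self.vocab else "<unk>" for w in sentence] + ["</s>"]
        v = len(self.vocab)
        total = 0.0
        for prev, cur in zip(words, words[1:]):
            total -= math.log2((self.bigram[(prev, cur)] + 1) / (self.context[prev] + v))
        return total / (len(words) - 1)


def auc(scores, labels):
    """Mann-Whitney AUC: P(attack score > benign score), ties count one half."""
    pos = [s for s, l in zip(scores, labels) if l]
    neg = [s for s, l in zip(scores, labels) if not l]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def score_conversations(train_flows, test_flows):
    """Fit on normal traffic, return {(src, dst): surprisal} for every test conversation."""
    lm = BigramLM()
    lm.fit(conversations(train_flows).values())
    return {pair: lm.surprisal(sent) for pair, sent in conversations(test_flows).items()}


def evaluate():
    """Returns (scores per test pair, AUC of those scores against ATTACK_PAIRS)."""
    scores = score_conversations(TRAIN_FLOWS, TEST_FLOWS)
    pairs = list(scores)
    return scores, auc([scores[p] for p in pairs], [p in ATTACK_PAIRS for p in pairs])


if __name__ == "__main__":
    scores, area = evaluate()
    for pair, s in sorted(scores.items(), key=lambda kv: -kv[1]):
        tag = "ATTACK" if pair in ATTACK_PAIRS else ""
        print("%-32s surprisal=%.2f %s" % ("%s -> %s" % pair, s, tag))
    print("AUC = %.2f" % area)
```

The outlier conversation scores highest because every one of its words is unseen and the bigram transitions between unknown words carry no evidence; a real LSTM scores the same way but also penalizes known words arriving in an unusual order, which a bigram barely captures. Two practical caveats follow from the scoring rule: the log2 buckets decide what counts as "the same" flow, so a coarse bucketing hides low-and-slow behaviour inside normal words, and any conversation type absent from the training window (a new backup job, a new service) will score as an outlier until the model is refitted.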
