Predicting Network Attacks with CNN by Constructing Images from NetFlow Data

Intrusion detection is a pivotal step in network protection. It is usually performed at the packet level, using deep packet inspection or stateful protocol inspection to detect malicious requests on the network, while flow-based analyses have often been overlooked. Moreover, researchers have mostly applied traditional machine learning approaches; few attempts have been made to use the increasingly popular CNN approaches to detect network intrusions from flow-based NetFlow data. In this paper, we extracted and encoded features from the NetFlow data published in the VAST 2013 challenge by converting NetFlow records into NetFlow images through feature correlation analysis and a surrounding correlation (SC) matrix. The generated NetFlow images were then fed to CNN models. Results showed that the proposed approach was able to detect intrusions with an accuracy of 95.86%.
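
The abstract does not define the SC matrix, so the following added example (not the paper's code) only illustrates the general idea of turning NetFlow records into per-flow images for a CNN: features whose values are correlated are placed next to each other so that convolution filters see them together. The greedy correlation-based ordering, the pixel rule (mean of two scaled features) and the flow records are all constructed assumptions.

```python
import math

# Constructed NetFlow-style records for illustration (not the VAST 2013 data set).
# Columns: duration in seconds, packets, bytes, destination port.
FEATURES = ["duration", "packets", "bytes", "dst_port"]
FLOWS = [
    [0.50, 10, 1200, 80],
    [1.20, 40, 52000, 443],
    [0.01, 1, 60, 22],
    [0.01, 1, 60, 23],
    [0.02, 1, 64, 445],
    [3.00, 200, 300000, 80],
    [0.01, 1, 60, 8080],
]

def pearson(x, y):
    """Pearson correlation of two equal-length sequences; 0.0 if either is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    return sxy / (sx * sy) if sx and sy else 0.0

def correlation_matrix(flows):
    """Feature-by-feature correlation matrix computed over all flows."""
    cols = list(zip(*flows))
    return [[pearson(a, b) for b in cols] for a in cols]

def correlation_order(corr):
    """Assumed greedy layout: start at the feature with the largest total |corr|, then
    keep appending the unplaced feature most correlated with the last placed one."""
    n = len(corr)
    order = [max(range(n), key=lambda i: sum(abs(corr[i][j]) for j in range(n) if j != i))]
    while len(order) < n:
        last = order[-1]
        order.append(max((j for j in range(n) if j not in order), key=lambda j: abs(corr[last][j])))
    return order

def min_max_scale(flows):
    """Scale every feature to the 0..255 pixel range using per-feature min/max."""
    cols = list(zip(*flows))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[255.0 * (v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(f, lo, hi)] for f in flows]

def flow_to_image(scaled, order):
    """One n x n greyscale image per flow (assumed rule): pixel (i, j) is the mean of the
    scaled features at layout positions i and j; the diagonal holds the raw feature values."""
    return [[round((scaled[a] + scaled[b]) / 2) for b in order] for a in order]

def netflow_to_images(flows):
    order = correlation_order(correlation_matrix(flows))
    return order, [flow_to_image(s, order) for s in min_max_scale(flows)]
```

With this layout the three volume features (duration, packets, bytes) end up adjacent and the weakly correlated destination port is placed last, which is the neighbourhood structure a CNN filter can exploit.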
