An LSTM-Based Deep Learning Approach for Classifying Malicious Traffic at the Packet Level

Recently, deep learning has been successfully applied to network security assessments and intrusion detection systems (IDSs) with various breakthroughs such as using Convolutional Neural Networks (CNN) and Long Short-Term Memory (LSTM) to classify malicious traffic. However, these state-of-the-art systems also face tremendous challenges to satisfy real-time analysis requirements due to the major delay of the flow-based data preprocessing, i.e., requiring time for accumulating the packets into particular flows and then extracting features. If detecting malicious traffic can be done at the packet level, detecting time will be significantly reduced, which makes the online real-time malicious traffic detection based on deep learning technologies become very promising. With the goal of accelerating the whole detection process by considering a packet level classification, which has not been studied in the literature, in this research, we propose a novel approach in building the malicious classification system with the primary support of word embedding and the LSTM model. Specifically, we propose a novel word embedding mechanism to extract packet semantic meanings and adopt LSTM to learn the temporal relation among fields in the packet header and for further classifying whether an incoming packet is normal or a part of malicious traffic. The evaluation results on ISCX2012, USTC-TFC2016, IoT dataset from Robert Gordon University and IoT dataset collected on our Mirai Botnet show that our approach is competitive to the prior literature which detects malicious traffic at the flow level. While the network traffic is booming year by year, our first attempt can inspire the research community to exploit the advantages of deep learning to build effective IDSs without suffering significant detection delay.

[1]  Yuval Elovici,et al.  N-BaIoT—Network-Based Detection of IoT Botnet Attacks Using Deep Autoencoders , 2018, IEEE Pervasive Computing.

[2]  홍원기,et al.  A Flow-based Method for Abnormal Network Traffic Detection , 2004 .

[3]  Xiaolin Li,et al.  DeepDefense: Identifying DDoS Attack via Deep Learning , 2017, 2017 IEEE International Conference on Smart Computing (SMARTCOMP).

[4]  Li Li,et al.  Using LSTM and GRU neural network methods for traffic flow prediction , 2016, 2016 31st Youth Academic Annual Conference of Chinese Association of Automation (YAC).

[5]  Qi Shi,et al.  A Deep Learning Approach to Network Intrusion Detection , 2018, IEEE Transactions on Emerging Topics in Computational Intelligence.

[6]  Yun-Chun Chen,et al.  Deep learning for malicious flow detection , 2017, 2017 IEEE 28th Annual International Symposium on Personal, Indoor, and Mobile Radio Communications (PIMRC).

[7]  Ming Zhu,et al.  Malware traffic classification using convolutional neural network for representation learning , 2017, 2017 International Conference on Information Networking (ICOIN).

[8]  Yuefei Zhu,et al.  A Deep Learning Approach for Intrusion Detection Using Recurrent Neural Networks , 2017, IEEE Access.

[9]  Mansoor Alam,et al.  A Deep Learning Approach for Network Intrusion Detection System , 2016, EAI Endorsed Trans. Security Safety.

[10]  Yiqiang Sheng,et al.  HAST-IDS: Learning Hierarchical Spatial-Temporal Features Using Deep Neural Networks to Improve Intrusion Detection , 2018, IEEE Access.

[11]  Mansour Ahmadi,et al.  Microsoft Malware Classification Challenge , 2018, ArXiv.

[12]  Geoffrey Zweig,et al.  Linguistic Regularities in Continuous Space Word Representations , 2013, NAACL.

[13]  Ali A. Ghorbani,et al.  Toward developing a systematic approach to generate benchmark datasets for intrusion detection , 2012, Comput. Secur..

[14]  Andrei Petrovski,et al.  Botnet Detection in the Internet of Things using Deep Learning Approaches , 2018, 2018 International Joint Conference on Neural Networks (IJCNN).

[15]  Jim A. Simpson,et al.  Network Traffic Anomaly Detection Using Recurrent Neural Networks , 2018, ArXiv.

[16]  Ren-Hung Hwang,et al.  Detecting IoT Malicious Traffic Based on Autoencoder and Convolutional Neural Network , 2019, 2019 IEEE Globecom Workshops (GC Wkshps).

[17]  Chaopeng Li,et al.  Using a Recurrent Neural Network and Restricted Boltzmann Machines for Malicious Traffic Detection , 2018 .

[18]  Jeffrey Pennington,et al.  GloVe: Global Vectors for Word Representation , 2014, EMNLP.

[19]  Jun Long,et al.  WEDL-NIDS: Improving Network Intrusion Detection Using Word Embedding-Based Deep Learning Method , 2018, MDAI.

[20]  Omer Levy,et al.  word2vec Explained: deriving Mikolov et al.'s negative-sampling word-embedding method , 2014, ArXiv.