A deep learning method to detect network intrusion through flow‐based features

In this paper, we present a deep neural network model to enhance intrusion detection performance. A deep learning architecture combining a convolutional neural network and long short‐term memory learns spatial‐temporal features of network flows automatically. Flow features are extracted from raw network traffic captures, flows are grouped, and N consecutive flow records are transformed into a two‐dimensional array, like an image. These constructed two‐dimensional feature vectors are normalized and forwarded to the deep learning model. This transformation of flow information makes the deep learning computationally efficient. Overall, the convolutional neural network learns spatial features, and the long short‐term memory learns temporal features from a sequence of raw network data packets. To maximize the detection performance of the deep neural network and to reach the highest statistical metric values, we apply the tree‐structured Parzen estimator to search for the optimum parameters in the parameter hyper‐plane. Furthermore, we investigate the impact of flow status interval, flow window size, convolution filter size, and long short‐term memory units on detection performance, measured by statistical metric values. The presented flow‐based intrusion detection method outperforms other publicly available methods, and it detects abnormal traffic with 99.09% accuracy and a 0.0227 false alarm rate.
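The preprocessing step described in the abstract (group flows, take N consecutive records, normalize, form a two‐dimensional array) can be sketched as follows. This is an added example, not the authors' code: the feature columns, the grouping key (source address), min-max scaling, and the stride-1 sliding window are all assumptions, since the abstract does not specify them.

```python
from collections import defaultdict

# Constructed sample flow records: (group_key, start_time, duration_s, packets, bytes).
# Field names and the grouping key are assumptions; the abstract does not list them.
FLOWS = [
    ("10.0.0.5", 1.0, 0.20, 4, 400),
    ("10.0.0.5", 2.0, 0.40, 8, 1200),
    ("10.0.0.9", 2.5, 5.00, 100, 90000),
    ("10.0.0.5", 3.0, 0.10, 2, 120),
    ("10.0.0.5", 4.0, 0.30, 6, 800),
    ("10.0.0.9", 6.0, 4.00, 80, 64000),
]

def fit_minmax(flows):
    """Per-feature (min, max) over the training flows; features start at index 2."""
    cols = list(zip(*(f[2:] for f in flows)))
    return [(min(c), max(c)) for c in cols]

def normalize(features, bounds):
    """Scale each feature to [0, 1]; clip unseen values, map constant columns to 0."""
    out = []
    for v, (lo, hi) in zip(features, bounds):
        out.append(0.0 if hi == lo else min(1.0, max(0.0, (v - lo) / (hi - lo))))
    return out

def flow_windows(flows, n, bounds):
    """Group flows, order each group by time, and emit every run of n consecutive
    records as an n x F two-dimensional array (list of rows)."""
    groups = defaultdict(list)
    for f in flows:
        groups[f[0]].append(f)
    windows = []
    for key, recs in sorted(groups.items()):
        recs.sort(key=lambda f: f[1])
        rows = [normalize(f[2:], bounds) for f in recs]
        # Groups with fewer than n flows yield no window (not padded here).
        for i in range(len(rows) - n + 1):
            windows.append((key, rows[i:i + n]))
    return windows

if __name__ == "__main__":
    bounds = fit_minmax(FLOWS)
    for key, img in flow_windows(FLOWS, 3, bounds):
        print(key, img)
```

In deployment the normalization bounds should be fitted on training traffic only and reused at inference time, which is why `normalize` clips values outside the fitted range.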
