
Using Deep Learning Techniques for Network Intrusion Detection



In recent years, there has been a significant increase in network intrusion attacks which raises a great concern from the privacy and security aspects. Due to the advancement of the technology, cyber-security attacks are becoming very complex such that the current detection systems are not sufficient enough to address this issue. Therefore, an implementation of an intelligent and effective network intrusion detection system would be crucial to solve this problem. In this paper, we use deep learning techniques, namely, Convolutional Neural Networks (CNN) and Recurrent Neural Networks (RNN) to design an intelligent detection system which is able to detect different network intrusions. Additionally, we compute the accuracy of the proposed solution using different evaluation metrics and we present a comparison between the results of our proposed solution to find the best model for the network intrusion detection system.
Sara Al-Emadi, Aisha Al-Mohannadi, Felwa Al-Senaid
Department of Computer Science and Engineering
Qatar University
Doha, Qatar
Email:, [aa1401818, fa1003489]
Abstract—In recent years, there has been a significant increase
in network intrusion attacks which raises a great concern from
the privacy and security aspects. Due to the advancement of the
technology, cyber-security attacks are becoming very complex
such that the current detection systems are not sufficient enough
to address this issue. Therefore, an implementation of an intel-
ligent and effective network intrusion detection system would
be crucial to solve this problem. In this paper, we use deep
learning techniques, namely, Convolutional Neural Networks
(CNN) and Recurrent Neural Networks (RNN) to design an
intelligent detection system which is able to detect different
network intrusions. Additionally, we evaluate the performance
of the proposed solution using different evaluation metrics and
we present a comparison between the results of our proposed
solution to find the best model for the network intrusion detection
system.
Index Terms—Network Intrusion Detection, Deep Learning,
Neural Network, Recurrent Neural Network, RNN, Convolutional
Neural Network, CNN, Network Security
As technology develops, new and complex cyber-attacks are
being deployed to break into systems, exploit vulnerabilities
and carry out other malicious activities. Network infrastructure
is one of the main systems that experiences a large volume of
different types of cyber-attacks such as Denial of Service (DoS)
or distributed denial-of-service (DDoS) attacks, TCP SYN flood
attacks, Ping of death attacks, Teardrop attacks, scan attacks,
etc. Hence, a great amount of effort has been put into finding
and implementing different methods and techniques to block these
attacks and ensure that the network is safe and secure while
maintaining high availability to the legitimate users of the
network.
A well-known method of securing the network is through
implementing an intrusion detection system (IDS). IDS was
originally implemented in 1980 by the authors in [1]. The main
aim of their work was to introduce a mechanism which
differentiates benign activities from malicious ones. Further
research was carried out to optimize this methodology to aid in
monitoring network traffic in case of attacks; this system is
now known as a Network Intrusion Detection System (NIDS) [2]. In
NIDS, the detection system inspects the incoming and outgoing
network traffic from all hosts in real time and, based on certain
criteria, it can detect and identify the attack, then take the
suitable security measures to stop or block it, which
significantly reduces the risk of damage to the network.
However, due to the rapid increase in the complexity of
cyber-security attacks, the current methods used in NIDS are
failing to sufficiently address this issue. Therefore, in this
paper, we aim to design an intelligent detection system using
different Deep Learning algorithms, namely, Recurrent Neural
Network (RNN) and Convolutional Neural Network (CNN), which is
capable of autonomously detecting, identifying and
differentiating between different network intrusion attacks.

This is a personal copy of the authors. Not for redistribution. The definitive
version of the paper will be published soon through the IEEE Digital Library
on, along with the DOI.

A recent systematic review of the use of Artificial Neural
Networks (ANN) for NIDS identified a need for further studies
on the use of deep neural networks and their variants [3]. In
recent years, employing Deep Neural Networks in IDS has gained
popularity due to their robustness and usefulness. NIDS today
face various challenges such as high-level feature extraction.
Studies show the usefulness of Machine Learning or Deep Learning
algorithms in attack classification. A study by Vinayakumar,
Soman, and Poornachandran (2017) highlights that Deep Learning
Networks are known for their “hierarchical feature
representations, learning long-term dependencies of temporal
patterns in large scale sequence data” [4].
Deep Learning Network architectures such as CNN and RNN can
overcome the complexities of existing classifiers. Furthermore,
Deep Learning Networks are known for their high accuracy and
improved performance, and thus can be a critical component in
Network Intrusion Systems. Therefore, in this study, we have
chosen CNN based on its nature and effectiveness in classifying
objects, which could be utilised in the process of detecting
normal and malicious traffic. On the other hand, RNN was
selected due to its ability to remember previous occurrences,
which could contribute crucially to classifying multiple types
of attacks in sequence. The principal objective of this research
is to study the effectiveness of implementing CNN and RNN in
NIDS. The study conducts an experimental simulation to analyze
the proposed system’s performance in intrusion detection.
The contribution of this paper can be summarized as follows:
• Providing a study on CNN and RNN in network intrusion
  detection systems.
• Evaluating the performance of the deep learning algorithms
  in NIDS by analysing the accuracy, precision, recall, and
  F1 score for each.
• Providing a comparison between the results found through
  the proposed solution and those in the literature with a
  different dataset.
The rest of the paper is organized as follows: Section II
discusses the state-of-the-art solutions using NIDS, Section III
explains the project design and illustrates the architecture of
the proposed solution, the implementation is described in
Section IV-B, and the experimental results are discussed in
Section V.
In previous studies, different approaches were used for
intrusion detection systems. The authors in [5] proposed an
improved intrusion detection scheme: a three-layered RNN based
on different features. The inputs to the model were features
classified as basic features, content features, time-based
traffic features, and host-based traffic features, and the output
of the model either classifies the normal class, which indicates
that there are no attacks, or classifies attacks such as DoS,
R2L, U2R and probing. Furthermore, they explained how they used
the KDD dataset to train and test the model, and that the hidden
layers are partially connected, which speeds up the process of
classification. The technique used in that paper is misuse-based
intrusion detection, which compares users’ activities with the
known behaviors of attackers.
Another approach was introduced in [6] to detect network
intrusion using a Gated Recurrent Unit Recurrent Neural Network
(GRU-RNN). In their work, the authors attempted to provide a
novel solution for Network Intrusion Detection (NID) in Software
Defined Networks (SDN) using a very low number of features. The
authors claimed that the advantage of using GRU-RNN in
comparison to the traditional RNN or LSTM is that it avoids
vanishing and exploding gradient problems. Furthermore, the
authors implemented their system as an application on the SDN
controller using the NSL-KDD dataset for training and testing
their model. The proposed GRU-RNN outperformed other machine
learning algorithms such as the VanillaRNN, SVM and DNN, with a
detection rate of 89% for legitimate events and 90% for anomaly
events. Additionally, the authors claimed that the overall
accuracy of their proposed solution is 89%, which is the highest
in comparison to the other state-of-the-art algorithms
Moreover, the authors in [7] examined and proposed a method for
intrusion detection using Neural Networks which utilizes the
concepts of Deep Belief Network (DBN), probabilistic neural
network (PNN), and the particle swarm optimization (PSO)
algorithm, and involves four steps. In the initial step, they
used deep learning to translate the raw data into
low-dimensional data that reflects the characteristics of the
data. This is achieved through a multi-level or deep neural
network. These DBNs are formed by stacking multiple Restricted
Boltzmann Machines (RBMs), which ensure the normalization of the
data. In the next step, the authors optimized the data using the
PSO algorithm, which optimizes the hidden layer nodes and
facilitates the learning performance of the network. Finally,
training and testing are performed by feeding data into a PNN,
as it uses a local approximation network that uses a Gaussian
function and the network activation function, thus produces an
optimized
In addition, the authors in [8] used a hybrid detection method
based on a combination of RNN with restricted Boltzmann machines
(RBM). They begin with a multi-layer RBM model that takes
byte-level raw data as input and obtains network packet feature
vectors. Afterwards, a sequence of packets is modelled by the
RNN model, which creates the micro-flow features. The proposed
model takes raw data input without feature engineering. Finally,
a softmax classification is applied in order to distinguish
whether a micro-flow is malicious or not. Also, in order to
identify how many layers of RBM features are needed, they
performed a series of experiments on the effects of the
1-5-layer RBM model, including the convergence rate and various
evaluation indicators. They pointed out that as the number of
layers in the RBM model increases, the convergence rate
decreases and more epochs are needed to obtain better results.
That is why they recommended using a 3-layered RBM model.
Using the CNN algorithm, the authors in [9] investigated network
intrusion detection using Convolutional Neural Networks (CNN).
For the purpose of the study, a behavior-based classifier
learning model with CNN was developed. The CNN, along with
TensorFlow and the SoftMax function, is utilized to extract the
behavioral features and recognize the class of threats using
statistical data. During the extraction phase, a benchmark of
data is created from sources such as an archive dataset of
behavior features from KDD Cup99 and Suspicious network flow
order by NHSNC. During the model learning phase, the study uses
a revised version of the LeNet-5 model along with a
gradient-descent optimization algorithm. These algorithms help
to fine-tune the model parameters using both the error
derivatives of back propagation and the learning rate for all
layers. In a nutshell, this classification helps to draw the
learning errors of multiple-layer neural nets and to minimize
the weights of the neural network, which eventually have an
impact on the learning process of the CNN.
The proposed intrusion detection system uses two major Deep
Neural Network architectures, CNN and RNN. The CNN- and
RNN-enabled security system architecture addresses the
identification and classification of attacks. In this paper, we
use two types of RNN algorithms, Long Short-Term Memory (LSTM)
and Gated Recurrent Units (GRU). LSTM has the ability to process
single data points as well as complete sequences of data. It
also has the advantage of being insensitive to gap length.
Moreover, Gated Recurrent Units (GRU) are similar to LSTM
layers; however, they lack output gates and have fewer
parameters than LSTM, as GRU are a kind of LSTM. CNN, which is
known as a feed-forward Neural Network, processes only the
current input. Every layer in the architecture has its own
functionality that determines the hidden layers and implements
feature extraction.
In this project, we use a CNN architecture, which has the
advantage of feature selection and extraction without human
interaction. The CNN architecture is implemented with one
convolutional layer followed by a max pooling layer that reduces
the number of parameters when the dataset is initially fed to
the algorithm; then a dense layer is applied in order to enable
connections between neurons and other layers, and finally a
dropout layer is used in order to avoid overfitting. In the case
of the RNN architecture, two LSTM layers are used, which have
the ability to remember their inputs over a long period of time.
After each LSTM layer a dropout layer is applied, followed
finally by the dense layer and the activation layer. The same
architecture is used for the GRU approach, with the LSTM layers
replaced by GRU layers. Figure 1 shows the processing of the
data when picked up from the monitor and then analyzed to
distinguish whether it is a normal packet or not; this figure
was inspired by the architecture in [10].
Fig. 1. Deep learning models architecture
A. Dataset
Implementing IDS with Deep Learning requires a dataset of
sufficient quality and size, resembling the real-time
environment, to train and test the algorithm. NSL-KDD, a
standard dataset available from Canadian Institute of
Cybersecurity, is used in this paper for training and testing.
This dataset ensures improved performance due to the absence of
redundancy in both the train and test sets. The dataset contains
only a reasonable number of traffic records, which makes it
possible to run the experiment on the complete set rather than a
portion of it. Of the whole dataset, about 85% is allocated for
training while the remaining 15% is for testing and validation.
In NSL-KDD, each record comprises 41 attributes of different
features and a label identifying the traffic as malicious or
normal. Table I lists the 41 attributes of records in the
NSL-KDD dataset. The attributes are further categorized, based
on their core features, into four categories: basic, content,
time and host. In the following, this paper provides a brief
overview of each category with some examples.
Category                      No.  Attribute Name
Basic Features                1    duration
                              2    protocol type
                              3    service
                              4    flag
                              5    src bytes
                              6    dst bytes
                              7    land
                              8    wrong Fragment
                              9    urgent
Content Related Features      10   hot
                              11   num Failed Logins
                              12   logged In
                              13   num compromised
                              14   root Shell
                              15   su attempted
                              16   num root
                              17   num file creations
                              18   num shells
                              19   num access files
                              20   num outbound commands
                              21   is host login
                              22   is guest login
Time Related Features         23   count
                              24   srv count
                              25   serror rate
                              26   srv error rate
                              27   rerror rate
                              28   srv rerror rate
                              29   same srv rate
                              30   diff srv rate
                              31   srv diff host rate
Host Based Traffic Features   32   dst host count
                              33   dst host srv count
                              34   dst host same srv rate
                              35   dst host diff srv rate
                              36   dst host same src port rate
                              37   dst host srv diff host rate
                              38   dst host serror rate
                              39   dst host srv serror rate
                              40   dst host rerror rate
                              41   dst host srv rerror rate
The first category, known as basic, represents the network
connection attributes. This category consists of nine attributes
which represent the fundamental connection features, including
protocol type, connection status, and number of bytes
transferred between source and destination. The protocol type
label in this group refers to the protocols which may have been
used at the application layer like TCP/IP, UDP or ICMP.
Moreover, this category contains an attribute named
Wrong-fragment, which represents the total number of wrong
fragments in the connection. Likewise, the Urgent attribute
refers to the number of urgent packets, which have the urgent
bit activated for identification. Similarly, the second category
of attributes refers to the content-related features of the data
records, such as number of failed logins (Num failed logins),
number of compromised situations (Num compromised), number of
file creations (Num file creations), number of shell prompts
(Num shells), and guest login identification (Is guest login)
[12]. The attribute representing the number of failed logins can
contribute to understanding the malicious possibilities
associated with the record. In addition, most of the
content-related features help the system to learn the abnormal
characteristics of traffic using the content of data records.
The third category of features covers the time-associated
traffic features of data records. This category consists of
counts of connections to the same ends, like destination host
and service port number. Additionally, this category includes
attributes which hold the percentage of connections that have
activated special flags for various error rates. The next
category of attributes corresponds to the host-based traffic
features, such as number of connections with the same
destination host, number of connections with the same port
number, percentage of connections to the same service and
percentage of connections to different services. This category
includes almost ten attributes with various functionalities.
Every record in the dataset ends with a label, which is often
considered the 42nd attribute, stating whether the record is a
normal or malicious activity. The label in turn helps the system
to learn and validate the traffic efficiently. In general,
NSL-KDD dataset attribute values are represented as nominal,
binary, or numeric, depending on the type of data they hold. For
the purpose of the study, the datasets are preprocessed to meet
the requirements of a machine learning system. In particular,
every value in a single entry of the dataset was converted to
numeric format to facilitate the needs of the proposed system.
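One way to carry out the numeric conversion described above, shown as an added example rather than the authors' preprocessing code. It assumes comma-separated NSL-KDD records and integer codes for the three nominal attributes (the paper does not state its encoding); the records are constructed and the function names are hypothetical.

```python
import random

NUM_FEATURES = 41
NOMINAL_COLUMNS = (1, 2, 3)   # protocol type, service, flag (Table I nos. 2-4)
UNKNOWN = 0                   # code reserved for values unseen when fitting


def constructed_line(protocol, service, flag, src_bytes, label):
    """Build one constructed record: 41 attributes followed by the label."""
    fields = ["0", protocol, service, flag, str(src_bytes), "0"] + ["0"] * 35
    return ",".join(fields + [label])


# Constructed sample: 10 benign and 10 attack records (not real traffic).
SAMPLE = "\n".join(
    [constructed_line("tcp", "http", "SF", 200 + i, "normal") for i in range(10)]
    + [constructed_line("tcp", "private", "S0", 0, "neptune") for _ in range(6)]
    + [constructed_line("icmp", "eco_i", "SF", 8, "ipsweep") for _ in range(4)]
)


def parse_records(text):
    """Split raw lines into (attributes, label) pairs, rejecting bad rows."""
    records = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        # Assumption: some distributed files append a difficulty score
        # after the label; drop it when present.
        if len(fields) == NUM_FEATURES + 2:
            fields = fields[:-1]
        if len(fields) != NUM_FEATURES + 1:
            raise ValueError(f"line {line_no}: expected 42 fields, got {len(fields)}")
        records.append((fields[:NUM_FEATURES], fields[NUM_FEATURES]))
    return records


def fit_vocab(records):
    """Assign integer codes (from 1) to nominal values seen in training rows."""
    vocab = {col: {} for col in NOMINAL_COLUMNS}
    for attributes, _ in records:
        for col in NOMINAL_COLUMNS:
            vocab[col].setdefault(attributes[col], len(vocab[col]) + 1)
    return vocab


def encode(attributes, vocab):
    """Convert one record's 41 attributes to floats.

    A nominal value that was not seen when fitting maps to UNKNOWN instead
    of raising, so a new service name in live traffic does not crash scoring.
    """
    row = []
    for col, value in enumerate(attributes):
        if col in vocab:
            row.append(float(vocab[col].get(value, UNKNOWN)))
        else:
            row.append(float(value))
    return row


def binary_label(label):
    """0 for benign traffic, 1 for any attack class."""
    return 0 if label == "normal" else 1


def split(records, train_fraction=0.85, seed=7):
    """Shuffle and split into the 85% / 15% portions used in the paper."""
    shuffled = records[:]
    random.Random(seed).shuffle(shuffled)
    cut = round(len(shuffled) * train_fraction)
    return shuffled[:cut], shuffled[cut:]


def preprocess(text):
    """Return ((train_x, train_y), (held_x, held_y), vocab)."""
    train, held_out = split(parse_records(text))
    vocab = fit_vocab(train)  # fitted on training rows only, to avoid leakage

    def to_xy(rows):
        return ([encode(a, vocab) for a, _ in rows],
                [binary_label(lab) for _, lab in rows])

    return to_xy(train), to_xy(held_out), vocab


if __name__ == "__main__":
    (train_x, train_y), (held_x, held_y), _ = preprocess(SAMPLE)
    print(len(train_x), "training rows,", len(held_x), "held-out rows")
```

Integer codes impose an arbitrary order on values such as service names; one-hot encoding is a common alternative when the model is sensitive to that.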
B. Implementation
In the implementation phase, we used the open source NSL-KDD
dataset [13], which is an enhanced version of the well-known
KDD’99 dataset [14]. This dataset consists of different network
intrusion attacks such as U2R and R2L attacks. Additionally, we
utilized and enhanced the code provided in [15] for both CNN and
RNN to suit the needs of the experiments carried out through the
research.
As part of implementing this solution, we ran the experiments
multiple times with different parameters in order to find the
optimal hyperparameters which ensure that we obtain the highest
performance from the models. In doing so, we increased the
output filter in the LSTM layer to 256, as this increases the
accuracy. Furthermore, the models were trained for 1000 epochs.
The dataset was divided into multiple portions; 85% was used for
the training process and 15% was used for validation and
testing.
The detection of network intrusion attack is considered a
binary classification problem in which the system will be
trained and tested to differentiate between a malicious packet
and a benign one. In this section, we will further explain and
demonstrate the use of deep learning technique in implement-
ing the NIDS and the effectiveness of its performance.
A. Experimental Setup
In order to implement the solution proposed in Section IV-B,
a suitable environment setup, shown in Table II, was used to
run the deep learning algorithms in the training, validation and
testing phases.
                   Workstation 1          Workstation 2
Operating System   Ubuntu 18.04-Linux     MacOS 10.14.4
GPU                Nvidia Titan V         -
CPU                2.10 GHz Intel Xeon    2.9 GHz Intel Core i5
Number of CPU      36                     -
Framework/APIs     Python 3.6 Keras APIs
The first workstation (Ubuntu 18.04 Linux) was used to run the
experiments of the CNN algorithm, whereas the second workstation
(MacOS 10.14.4) was used to run both the RNN-LSTM and RNN-GRU
experiments. It is important to note that both workstations had
similar performance in terms of speed and time consumption for
all the experiments carried out in this paper.
The evaluation of the deep learning model performance
computed in the testing phase was based on four main evaluation
metrics, which are:
• Accuracy: the ratio of correct predictions to the total
  number of predictions.
• Recall: provides an overview of the sensitivity of the
  model, that is, the ratio of the positive data which was
  correctly identified as positive to the overall positive data.
• Precision: the ratio of the correctly predicted positive data
  to the overall positively predicted data; hence, a model with
  high precision is able to identify the majority of the
  predicted data correctly.
• F1 score: shows the overall performance of the model in
  correlation to both precision and recall. The advantage of
  using F1 score over accuracy to measure the overall
  performance of a model is that it takes into consideration
  the distribution of data and the scenario of uneven classes
  where the false positives and false negatives are at play.
  Moreover, it is important to use it in this application as
  it will give us a better understanding of the system.
These metrics were selected based on the fact that CNN,
RNN-LSTM and RNN-GRU are deep learning algorithms with
different characteristics and we expect that each of these
algorithms will excel at one or more of the evaluation metrics.
For example, due to the nature of RNN algorithms of remembering
the occurrence of previous events, we expect RNN-LSTM and
RNN-GRU to outperform CNN in the recall
B. Experimental Results
After implementing the deep learning architectures using the
open-source code in [15], which we extensively modified to suit
the needs of our study, we ran the experiments for CNN, RNN-LSTM
and RNN-GRU multiple times to observe and analyze their
performance. These experiments were undertaken using the
training procedure described in Algorithm 1. In the training
phase, the validation dataset is used to measure the accuracy of
the algorithm at every epoch. The model is stored only when the
validation accuracy of the current epoch is higher than the best
accuracy measured so far; once this occurs, a copy of the model
at this epoch is stored, which can be used later on in the
testing
Algorithm 1 Deep Learning Model Training Algorithm
  TrainingDataset ← Preprocessed KDDTrain
  ValidationDataset ← Preprocessed KDDTest
  i ← 0
  epoch ← 1000
  while i ≠ epoch do
    Training Phase for 1 epoch with Cross Validation
    Evaluate on Unseen data
    if ValidationAcc is 0 OR i is 0 then
      BestValidationAcc ← ValidationAcc
    end if
    if ValidationAcc > BestValidationAcc then
      BestValidationAcc ← ValidationAcc
      Saves Model i.hf5
    end if
    i ← i + 1
  end while
Several hyperparameters for training the Deep Learning
algorithms were defined based on heuristic experiments. As
mentioned in Section IV-B, the training phase ran for 1000
epochs for each experiment. However, it was observed that each
algorithm converges by reaching its optimal performance before
1000 epochs, as indicated in Table III. This observation
indicates that in NIDS where there is limited computational
power, these algorithms can achieve great output while being
trained in a short time with fewer than 1000 epochs; hence, they
are considered very efficient.
Algorithm   Epochs
CNN         598
LSTM        987
GRU         879
The experiments carried out throughout this work are
summarized in Table IV. From the results of these experiments,
one can deduce that CNN substantially outperformed LSTM and GRU
in terms of F1 score, precision and accuracy, with the lowest
number of epochs required to reach its optimal performance.
However, another promising finding was the results of RNN-LSTM
and RNN-GRU in the recall metric, as both of these algorithms
significantly outperformed CNN. This is due to the nature of
their architecture, since both models are RNN models and have
the characteristic of remembering previous occurrences. Also, it
can be concluded from the results that the RNN-GRU algorithm had
the weakest performance of the three. Hence, using these Deep
Learning techniques without tuning the hyper-parameters would
not be beneficial in the NID process.
Metric      CNN       LSTM      GRU
F1 Score    98.48%    89.54%    65.53%
Precision   100%      81.24%    48.77%
Recall      97.01%    99.74%    99.88%
Accuracy    97.01%    81.60%    50.25%
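A consistency check on the figures in Table IV, added here as an example (not the authors' code). It recomputes F1 from precision and recall and derives the attack share and false-positive rate each column implies, assuming the four metrics were measured on one binary test set with attack as the positive class and reading the columns as CNN, LSTM, GRU; the reported values are rounded, so the derived ones are approximate.

```python
# Values copied from Table IV; the column order CNN, LSTM, GRU is an
# assumption taken from the surrounding text.
TABLE_IV = {
    "CNN":  {"f1": 0.9848, "precision": 1.0000, "recall": 0.9701, "accuracy": 0.9701},
    "LSTM": {"f1": 0.8954, "precision": 0.8124, "recall": 0.9974, "accuracy": 0.8160},
    "GRU":  {"f1": 0.6553, "precision": 0.4877, "recall": 0.9988, "accuracy": 0.5025},
}


def f1_score(precision, recall):
    """Harmonic mean of precision and recall."""
    if precision + recall == 0:
        return 0.0
    return 2 * precision * recall / (precision + recall)


def metrics(tp, fp, tn, fn):
    """The paper's four metrics plus false-positive rate, from counts or shares."""
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {
        "accuracy": (tp + tn) / (tp + fp + tn + fn),
        "precision": precision,
        "recall": recall,
        "f1": f1_score(precision, recall),
        "fpr": fp / (fp + tn) if fp + tn else 0.0,
    }


def implied_rates(precision, recall, accuracy):
    """Attack share and false-positive rate implied by (p, r, a).

    With attack share P of the test set (all quantities as fractions):
        TP = r*P,  FP = TP*(1-p)/p,  TN = 1 - P - FP,  a = TP + TN
    which rearranges to P = (1 - a) / (1 - 2r + r/p).
    """
    p, r, a = precision, recall, accuracy
    share = (1 - a) / (1 - 2 * r + r / p)
    fp = r * share * (1 - p) / p
    tn = 1 - share - fp
    benign = fp + tn
    # None means the figures leave no room for benign records at all.
    fpr = fp / benign if benign > 1e-9 else None
    return {"attack_share": share, "fpr": fpr}


def always_alert(attack_share):
    """Metrics of a trivial detector that flags every record as an attack."""
    return metrics(tp=attack_share, fp=1 - attack_share, tn=0.0, fn=0.0)


def review(table=TABLE_IV):
    """Per model: recomputed F1, implied class balance and FPR, and how far
    the reported accuracy sits above the always-alert baseline."""
    report = {}
    for model, m in table.items():
        implied = implied_rates(m["precision"], m["recall"], m["accuracy"])
        baseline = always_alert(implied["attack_share"])
        report[model] = {
            "f1_recomputed": f1_score(m["precision"], m["recall"]),
            "attack_share": implied["attack_share"],
            "fpr": implied["fpr"],
            "accuracy_over_baseline": m["accuracy"] - baseline["accuracy"],
        }
    return report


if __name__ == "__main__":
    for model, row in review().items():
        print(model, {k: (None if v is None else round(v, 4)) for k, v in row.items()})
```

Reporting the false-positive rate next to recall makes the alert volume on benign traffic visible, which accuracy and F1 alone do not show.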
We have verified throughout this study that Deep Learning
techniques are useful and can play a key role in NIDS. We did
not obtain the exact results previously reported in the
literature [4], due to a number of factors such as the
difference in the dataset used, given that we used NSL-KDD
whereas the authors of [4] opted for KDDCup’99, and the
difference in the hyperparameters of the Deep Learning models;
yet both studies agree on the effectiveness of using Deep
Learning techniques for NIDS. Furthermore, our results suggest
that in applications with very large amounts of data, limited
computation capabilities and time restrictions, CNN would
provide a sufficient solution to aid the process of NID.
Moreover, it is worth noting that during the implementation
phase of the experiments, it was observed that the process of
training the models required a very high computational time
on both workstations in order to complete 1000 epochs in the
training phase. In order to tackle the problem of high computa-
tion time, a change was made to the batch size of the models
from 32 to 64 which yielded a balance in the performance
and aided in speeding up the training process. Additionally,
although we increased the number of layers in each of the deep
learning models used in order to improve the performance, we
didn’t observe any distinguishable improvement in terms of the
accuracy, precision, recall or F1 score.
Currently, Network Intrusion Detection Systems (NIDS) are
being discussed heavily in the literature. Generally, there are
two broad categories of intrusion detection techniques: one is
based on a clear set of rules, technically known as ‘signature
detection’, and the other is based on behaviour, technically
known as ‘anomaly based detection’. The current study applied
the latter technique of anomaly-based intrusion detection using
CNN and RNN, with two types, LSTM and GRU, using the NSL-KDD
dataset for training and testing. Among the tested deep learning
techniques, CNN was found to outperform the other techniques,
with accuracy, F1 score, recall and precision above 97%. One of
the main limitations faced during the research was the limited
computational resources, which caused longer training time for
each model. In order to tackle this issue, we plan to deploy
faster systems that are able to train the algorithms in a much
shorter time. In future work, we will also further investigate
the performance of different deep learning techniques by
implementing various combinations of deep learning architectures
with different depths and hyperparameters, and whether these
factors have a great effect on the overall performance of the
NIDS.
We thank Prof. Amr Mohamed, Professor of Computer Engineering
at Qatar University, who provided his insights and support
throughout this research.
[1] D. E. Denning, “An intrusion-detection model,” IEEE Transactions on Software Engineering, vol. SE-13, no. 2, pp. 222–232, Feb. 1987, ISSN: 0098-5589. DOI:
[2] M. K. Asif, T. A. Khan, T. A. Taj, U. Naeem, and S. Yakoob, “Network intrusion detection and its strategic importance,” in 2013 IEEE Business Engineering and Industrial Applications Colloquium (BEIAC), Apr. 2013, pp. 140–144. DOI: 10.1109/BEIAC.2013.
[3] M. U. Oney and S. Peker, “The use of artificial neural networks in network intrusion detection: A systematic review,” 2018 International Conference on Artificial Intelligence and Data Processing (IDAP), 2018. DOI:
[4] R. Vinayakumar, K. P. Soman, and P. Poornachandran, “Applying convolutional neural network for network intrusion detection,” 2017 International Conference on Advances in Computing, Communications and Informatics (ICACCI), 2017. DOI: 10.1109/icacci.2017.
[5] M. Sheikhan, Z. Jadidi, and A. Farrokhi, “Intrusion detection using reduced-size rnn based on feature grouping,” Neural Computing and Applications, vol. 21, no. 6, pp. 1185–1190, 2010. DOI: 10.1007/s00521-010-0487-
[6] T. A. Tang, L. Mhamdi, D. McLernon, S. A. R. Zaidi, and M. Ghogho, “Deep recurrent neural network for intrusion detection in sdn-based networks,” in 2018 4th IEEE Conference on Network Softwarization and Workshops (NetSoft), Jun. 2018, pp. 202–206. DOI: 10.
[7] G. Zhao, C. Zhang, and L. Zheng, “Intrusion detection using deep belief network and probabilistic neural network,” in 2017 IEEE International Conference on Computational Science and Engineering (CSE) and IEEE International Conference on Embedded and Ubiquitous Computing (EUC), vol. 1, Jul. 2017, pp. 639–642. DOI:
[8] C. Li, J. Wang, and X. Ye, “Using a recurrent neural network and restricted boltzmann machines for malicious traffic detection,” NeuroQuantology, vol. 16, no. 5, 2018, ISSN: 1303-5150. [Online]. Available: https : / / php /journal/article /
[9] W. Lin, H. Lin, P. Wang, B. Wu, and J. Tsai, “Using convolutional neural networks to network intrusion detection for cyber threats,” in 2018 IEEE International Conference on Applied System Invention (ICASI), Apr. 2018, pp. 1107–1110. DOI: 10.1109/ICASI.2018.
[10] 2019. [Online]. Available: https://github.com/
[11] Ü. Çavuşoğlu, “A new hybrid approach for intrusion detection using machine learning methods,” Applied Intelligence, 2019. DOI: 10.1007/s10489-018-01408-x.
[12] L. Dhanabal and D. S. P. Shantharajah, “A study on nsl-kdd dataset for intrusion detection system based on classification algorithms,” 2015.
[13] 2019. [Online]. Available: https://www.unb.ca/cic/
[14] M. Tavallaee, E. Bagheri, W. Lu, and A. A. Ghorbani, “A detailed analysis of the kdd cup 99 data set,” in 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications, Jul. 2009, pp. 1–6. DOI: 10.1109/CISDA.2009.5356528.
[15] 2019. [Online]. Available: https://github.com/vinayakumarr/Network-Intrusion-Detection/tree/
... The following figure 1 illustrates, the common structure of traditional neural networks. In RNN, instead of three different kinds of weight and biases value, can use same weight and biases value to n number of hidden layers [14]. So that, it can reduce the difficulties of remembering the existing layer's output. ...
... In addition, the behavior of the attack can be predicted, which helps in cyber-attack defense. The proposed IDS in [9] uses convolutional and recurrent neural network to find and classify attacks. The NSL-KDD data set is used to train and evaluate them. ...
Artificial intelligence has been developed to be able to solve difficult problems that involve huge amounts of data and that require rapid decision-making in most branches of science and business. Machine learning is one of the most prominent areas of artificial intelligence, which has been used heavily in the last two decades in the field of network security, especially in Intrusion Detection Systems (IDS). Pattern recognition is a machine learning method applied in medical applications, image processing, and video processing. In this article, two layers’ IDS is proposed. The first layer classifies the network connection according to the used service. Then, a minimum number of features that optimize the detection accuracy of malicious activities on that service are identified. Using those features, the second layer classifies each network connection as an attack or normal activity based on the pattern recognition method. In the training phase, two multivariate normal statistical models are created: the normal behavior model and the attack behavior model. In the testing and running phases, a maximum likelihood estimation function is used to classify a network connection into attack or normal activity using the two multivariate normal statistical models. The experimental results prove that the proposed IDS has superiority over related IDSs for network intrusion detection. Using only four features, it successfully achieves DR of 97.5%, 0.001 FAR, MCC 95.7%, and 99.8% overall accuracy.
Development of the latest technologies makes human life more convenient and easier. However, along with such technological advancements, several complications are generated in various segments. Network security also experiences inconvenient situations that literally originate from an infinite number of complex intrusions. A network intrusion detection system (NIDS) is an advanced and revolutionary system that has been established to resolve the problematic behaviors of the networking environment through accurate detection of unidentified attacks. Several methods and techniques have taken an active part in the development of an ideal NIDS but, merging with deep learning technologies, NIDS achieves miracle performance against various intrusive activities in the security domain. In this paper, we serialize and present an adequate number of existing deep learning-based NIDSs in the Internet of things (IoT), cloud, fog, and edge networks domain. Different NIDS approaches along with their utilization, advantages, and restrictions are perfectly described in this paper so that people can achieve proper and detailed knowledge of security issues in the above-mentioned networks.
The rapid development of the Internet has brought great changes and convenience to society and people. With the development of the Internet, its security has been paid more and more attention. Intrusion detection can detect network attacks in real time and respond to them in time, which has become an essential and important security line. With the novelty of network attacks and the diversification of network traffic, traditional intrusion detection based on attack load matching and intrusion detection based on machine learning have problems of inaccurate feature extraction and insufficient detection effect. To solve the above problems, this paper designs a hybrid neural network DCT-IDS model, using a dense convolution neural network to achieve traffic feature fusion, reducing the number of parameters, and using Transformer to extract time sequence features; experimental tests were carried out on the latest dataset CIC-IDS2018. The experimental results show that the accuracy of the proposed DCT-IDS model reaches 98%, and all the indexes are better than the existing excellent models.
Introduction: The growth of ubiquitous networked devices and the proliferation of geographically dispersed ‘Internet of Thing’ devices have exponentially increased network traffic. The socio-economical society is highly dependent on modern devices, and unavailability may lead to catastrophic results for even a short time. The less secure and heterogeneous devices in the public domain have shaped a cyber-attack surface in the cloud environment. Traditional approaches for Network Intrusion Detection Systems have proven ineffective and insufficient in defending against zero-day attacks. Methods: This article visited the advancements in the intrusion detection realm in the last five years and conducted a comprehensive retrospection of modern network intrusion detection systems. The authors have performed a comprehensive SWOT (Strength, Weakness, Opportunities, Threats) analysis of contemporary Network Intrusion Detection Systems in multiple technology dimensions, including big-data processing of high volume network traffic, machine learning, deep learning for self-learning machines, readiness for zero-day attacks, distributed processing, cost-effective solution, and ability to perform autonomous operations. Results: The paper turns SWOT analysis into TOWS inferences from the retrospective study for strategy formulation and features the attributes of a futuristic NIDS solution. Discussion: The article concludes with the discussion and future scope as the pinnacle of security solution development against zero-day attacks.
The computerized unrest has generously transformed ourselves in which Internet-of-Things (IoT) assumes a noticeable job. The quick improvement of IoT to most corners of life, nonetheless, prompts different arising online protection dangers. Consequently, recognizing and forestalling likely assaults in IoT networks have as of late pulled in vital premium from both scholarly world and industry. The development of the Internet of Things (IoT), distinctive IoT hubs, for example, 6LoWPAN gadgets can be associated as an organization to offer incorporated types of assistance. Since security and intrusion detection are becoming crucial among IoT devices, real-time detection of the attacks is critical to protect the IoT networks. However, there exists limited research for efficient network intrusion detection systems (NIDS) in the IoT networks. This paper therefore proposes a new NIDS protocol with an efficient replica detection algorithm to increase the utility and performance of existing NIDS, where a number of replica test nodes are intentionally inserted into the network to test the reliability and response of witness nodes. The proposed protocol, Enhanced NIDS, can address the vulnerability of NIDS and improve IoT network security to detect severe compromise attacks such as clone attacks. The simulation study shows that compared to the state-of-the-art SVELTE protocol, the proposed protocol can significantly increase the detection probability and reduce the energy consumption for detecting clone attacks in IoT networks.
The aim of the research is As upcoming Phase, with design of proposed system focus on the going with issues, To analyze strong and powerless reasons for different area techniques IoT, to extend the assault disclosure reach to deliver more IoT advances to improve security of ready traffic and the heads and to develop advantageous solicitations, for instance, mindful association then autonomic organization structures.
In this study, a hybrid and layered Intrusion Detection System (IDS) is proposed that uses a combination of different machine learning and feature selection techniques to provide high performance intrusion detection in different attack types. In the developed system, firstly data preprocessing is performed on the NSL-KDD dataset, then by using different feature selection algorithms, the size of the dataset is reduced. Two new approaches have been proposed for feature selection operation. The layered architecture is created by determining appropriate machine learning algorithms according to attack type. Performance tests such as accuracy, DR, TP Rate, FP Rate, F-Measure, MCC and time of the proposed system are performed on the NSL-KDD dataset. In order to demonstrate the performance of the proposed system, it is compared with the studies in the literature and performance evaluation is done. It has been shown that the proposed system has high accuracy and a low false positive rate in all attack types.
In computer network security, a Network Intrusion Detection (NID) is an Intrusion Detection mechanism that attempts to discover unauthorized access to a computer network by analyzing traffic on the network for signs of malicious activity. There are many areas of research in this vast field of Network Intrusion Detection (NID) but in this survey paper, we will focus on its technology, development & strategic importance. Virus attacks, unauthorized access, theft of information and denial-of-service attacks were the greatest contributors to computer crime. A number of techniques have been developed in the past few years to help cyber security experts in strengthening the security of a single host or the whole computer network. Intrusion Detection is important for both Military as well as commercial sectors for the sake of their Information Security, which is the most important topic of research for the future networks.
Intrusion detection is well-known as an essential component to secure the systems in Information and Communication Technology (ICT). Based on the type of analyzing events, two kinds of Intrusion Detection Systems (IDS) have been proposed: anomaly-based and misuse-based. In this paper, three-layer Recurrent Neural Network (RNN) architecture with categorized features as inputs and attack types as outputs of RNN is proposed as misuse-based IDS. The input features are categorized to basic features, content features, time-based traffic features, and host-based traffic features. The attack types are classified to Denial-of-Service (DoS), Probe, Remote-to-Local (R2L), and User-to-Root (U2R). For this purpose, in this study, we use the 41 features per connection defined by International Knowledge Discovery and Data mining group (KDD). The RNN has an extra output which corresponds to normal class (no attack). The connections between the nodes of two hidden layers of RNN are considered partial. Experimental results show that the proposed model is able to improve classification rate, particularly in R2L attacks. This method also offers better Detection Rate (DR) and Cost Per Example (CPE) when compared to similar related works and also the simulated Multi-Layer Perceptron (MLP) and Elman-based intrusion detectors. On the other hand, False Alarm Rate (FAR) of the proposed model is not degraded significantly when compared to some recent machine learning methods. Keywords: Partial connection; Recurrent neural network; Intrusion detection; Feature grouping
In the studies of intrusion detection/prevention systems (IDS/IPS) and network security situational awareness, malicious traffic detection has been given significantly more attention to prevent malicious traffic. Meanwhile, with the development of machine learning technology, an increasing number of algorithms and models have been employed for attack detection. Previous studies generally used common and typical machine learning models such as SVM, KNN, or a random forest. However, the bottleneck of these types of approaches is two-fold. The input of the model is constructed using the feature engineering method of artificially designed representation, which requires a substantial amount of expertise. Additionally, most detection methods ignore the temporal information between network packets in one micro-flow. In this paper, we regard malicious traffic detection as a classification task and propose a hybrid model that combines a recurrent neural network (RNN) with restricted Boltzmann machines (RBM) which take byte-level raw data as input without feature engineering. Specifically, distributed embedding is utilized to pre-process network data to make it more suitable for deep neural network models. Subsequently, an RBM model is used to extract the feature vectors of the network packets and an RNN model is used to extract the flow feature vector. Finally, the flow vectors are sent to the Softmax layer to obtain the detection result. Experiments based on the ISCX-2012 and DARPA-1998 published datasets show that our proposed RNN-RBM model has a greater detection accuracy, recall rate, and lower false alarm rate than most traditional machine learning models. This proves the effectiveness of the proposed RNN-RBM model in malicious traffic detection.
Software Defined Networking (SDN) has emerged as a key enabler for future agile Internet architecture. Nevertheless, the flexibility provided by SDN architecture manifests several new design issues in terms of network security. These issues must be addressed in a unified way to strengthen overall network security for future SDN deployments. Consequently, in this paper, we propose a Gated Recurrent Unit Recurrent Neural Network (GRU-RNN) enabled intrusion detection systems for SDNs. The proposed approach is tested using the NSL-KDD dataset, and we achieve an accuracy of 89% with only six raw features. Our experiment results also show that the proposed GRU-RNN does not deteriorate the network performance. Through extensive experiments, we conclude that the proposed approach exhibits a strong potential for intrusion detection in the SDN environments.
A model of a real-time intrusion-detection expert system capable of detecting break-ins, penetrations, and other forms of computer abuse is described. The model is based on the hypothesis that security violations can be detected by monitoring a system's audit records for abnormal patterns of system usage. The model includes profiles for representing the behavior of subjects with respect to objects in terms of metrics and statistical models, and rules for acquiring knowledge about this behavior from audit records and for detecting anomalous behavior. The model is independent of any particular system, application environment, system vulnerability, or type of intrusion, thereby providing a framework for a general-purpose intrusion-detection expert system. Index Terms: Abnormal behavior, auditing, intrusions, monitoring, profiles, security, statistical measures.