Active learning for network intrusion detection

Görnitz, Nico; Kloft, Marius; Rieck, Konrad; Brefeld, Ulf

doi:10.1145/1654988.1655002

Cited by 65 publications

(34 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Semi-supervised SVDD has no open source implementation, so we have implemented it for our experiments with the information provided in [12][13][14]. The parameters c, r, and the margin γ ∈ R are determined with the quasi-Newton optimization method BFGS [46] available in scipy [17].…”

Section: Labelling Strategiesmentioning

confidence: 99%

See 1 more Smart Citation

ILAB: An Interactive Labelling Strategy for Intrusion Detection

Beaugnon

Chifflier

Bach

2017

Research in Attacks, Intrusions, and Defenses

View full text Add to dashboard Cite

Abstract. Acquiring a representative labelled dataset is a hurdle that has to be overcome to learn a supervised detection model. Labelling a dataset is particularly expensive in computer security as expert knowledge is required to perform the annotations. In this paper, we introduce ILAB, a novel interactive labelling strategy that helps experts label large datasets for intrusion detection with a reduced workload. First, we compare ILAB with two state-of-the-art labelling strategies on public labelled datasets and demonstrate it is both an effective and a scalable solution. Second, we show ILAB is workable with a real-world annotation project carried out on a large unlabelled NetFlow dataset originating from a production environment. We provide an open source implementation (https://github.com/ANSSI-FR/SecuML/) to allow security experts to label their own datasets and researchers to compare labelling strategies.

show abstract

Section: Labelling Strategiesmentioning

confidence: 99%

“…We have set η U and η L to the inverse of the number of unlabelled and labelled instances, to give as much weight to unlabelled and labelled instances, and to ensure numerical stability. The detection model is trained without any kernel as in the experiments presented in [12][13][14].…”

Section: Labelling Strategiesmentioning

confidence: 99%

ILAB: An Interactive Labelling Strategy for Intrusion Detection

Beaugnon

Chifflier

Bach

2017

Research in Attacks, Intrusions, and Defenses

View full text Add to dashboard Cite

show abstract

“…To reduce the effort of generating training data, Görnitz et al [74] redefine anomaly detection as an active learning task that queries an expert when detection confidence is insufficient. The proposed learning setting is intended for techniques such as PAYL, Anagram, or McPAD.…”

Section: Anomaly Detection In Network Packet Headers and Payloadsmentioning

confidence: 99%

Monitoring of Client-Cloud Interaction

Lampesberger

Rady

2015

Correct Software in Web Applications and Web Services

View full text Add to dashboard Cite

When a client consumes a cloud service, computational liabilities are transferred to the service provider in accordance to the cloud paradigm, and the client loses some control over software components. One way to raise assurance about correctness and dependability of a consumed service and its software components is monitoring. In particular, a monitor is a system that observes the behavior of another system, and observation points that expose the target system's state and state changes are required. Due to the cloud paradigm, popular techniques for monitoring such as code instrumentation are often not available to the client because of limited visibility, lack of control, and black-box software components. Based on a literature review, we identify potential observation points in today's cloud services. Furthermore, we investigate two cloud-specific monitoring applications based on our ongoing research. While service level agreement (SLA) monitoring ensures that agreed-upon conditions between clients and providers are met, language-based anomaly detection monitors the interaction between client and cloud for misuse attempts.

show abstract

“…To reduce the labeling effort, Grnitz et al [58] proposed an effective active learning strategy to query low-confidence observations in intrusion detection. With Support Vector Domain Description (SVDD) [59], it queries instances that are not only close to the boundary of the hypersphere but also likely members of novel rejection categories.…”

Section: A Active Learning In Intrusion Detectionmentioning

confidence: 99%

Active Learning for Intrusion Detection

Zydek

2014

2014 National Wireless Research Collaboration Symposium

View full text Add to dashboard Cite

Intrusion detection is one of the most important problems in network security. Its target is to secure internal networks by identifying unusual access or attacks. Machine learning techniques have been playing a significant role in intrusion detection. Considering the large size of training data and timeconsuming labeling task, it is wise to select some informative data to train a classifier. Active learning is a family of approaches selecting samples for labeling to build classifier with maximum prediction accuracy. So it is able to improve the performance of intrusion detection while it is not time-costing and laborconsuming. In this paper, definition and some efficient query strategies of active learning are reviewed and suggested. Some popular algorithms of intrusion detection and the combination of active learning and intrusion detection are also introduced. But existing work of active learning for intrusion detection is very limited. We propose more active learning methods should be developed for intrusion detection.

show abstract

Active learning for network intrusion detection

Cited by 65 publications

References 22 publications

ILAB: An Interactive Labelling Strategy for Intrusion Detection

ILAB: An Interactive Labelling Strategy for Intrusion Detection

Monitoring of Client-Cloud Interaction

Active Learning for Intrusion Detection

Contact Info

Product

Resources

About