An Adaptable Deep Learning-Based Intrusion Detection System to Zero-Day Attacks

Mahdi, Soltani; Ousat, Behzad; Siavoshani, Mahdi Jafari; Jahangir, Amir Hossein

doi:10.48550/arxiv.2108.09199

Cited by 2 publications

(4 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In [4], the authors propose DOC++ as a deep novelty-based classifier to detect not seen traffic (both the zero-day attacks and new benign behaviors). Besides, using a joint deep clustering algorithm, enough pieces of each new novel class evidence are gathered and used in the supervised labeling process and corresponding updating phase.…”

Section: Deep Learning-based Intrusion Detectionmentioning

confidence: 99%

“…In some cases, incrementally training solely on a new set of data samples from unknown traffic might make our model biased towards that new traffic, which will be an instance of catastrophic forgetting. As suggested in [38,4], with the advent of new data, we will constitute a training set that possesses the new data in conjuncture with samples corresponding to the previous attacks and benign flows that the model has been previously trained on. To implement this approach, the collective number of data samples belonging to the previous attacks should be equal to the number of the new attack samples.…”

Section: Data Samplingmentioning

confidence: 99%

“…Many studies in the literature apply deep learning methods in offline IDSes [3] [4]. Nevertheless, in this paper, we focus on simultaneously adapting DL-based IDSes for the following three practical challenges of online intrusion detection.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A Multi-Agent Adaptive Deep Learning Framework for Online Intrusion Detection

Mahdi¹,

Khajavi²,

Siavoshani³

et al. 2023

Preprint

View full text Add to dashboard Cite

The network security analyzers use intrusion detection systems (IDSes) to distinguish malicious traffic from benign ones. The deep learning-based (DL-based) IDSes are proposed to auto-extract high-level features and eliminate the time-consuming and costly signature extraction process. However, this new generation of IDSes still suffers from a number of challenges. One of the main issues of an IDS is facing traffic concept drift which manifests itself as new (i.e., zero-day) attacks, in addition to the changing behavior of benign users/applications. Furthermore, a practical DL-based IDS needs to be conformed to a distributed architecture to handle big data challenges.In this paper, we propose a framework for adapting DL-based models to the changing attack/benign traffic behaviors, considering a more practical scenario (i.e., online adaptable IDSes). This framework employs continual deep anomaly detectors in addition to the federated learning approach to solve the above-mentioned challenges. Furthermore, the proposed framework implements sequential packet labeling for each flow, which provides an attack probability score for the flow by gradually observing each flow packet and updating its estimation. We evaluate the proposed framework by employing different deep models (including CNN-based and LSTM-based) over the CIC-IDS2017 and CSE-CIC-IDS2018 datasets. Through extensive evaluations and experiments, we show that the proposed distributed framework is well adapted to the traffic concept drift. More precisely, our results indicate that the CNN-based models are well suited for continually adapting to the traffic concept drift (i.e., achieving an average detection rate of above 95% while needing just 128 new flows for the updating phase), and the LSTM-based models are a good candidate for sequential packet labeling in practical online IDSes (i.e., detecting intrusions by just observing their first 15 packets).

show abstract

Section: Deep Learning-based Intrusion Detectionmentioning

confidence: 99%

Section: Data Samplingmentioning

confidence: 99%

See 1 more Smart Citation

A Multi-Agent Adaptive Deep Learning Framework for Online Intrusion Detection

Mahdi¹,

Khajavi²,

Siavoshani³

et al. 2023

Preprint

View full text Add to dashboard Cite

show abstract

“…More recently, [18] generated an unknown attack through a generative model, allowing data other than normal and known attacks to be detected as unknown attacks. [19] performed classification via OSR and clustering based on classified labels to detect unknown attacks. [20] used the extreme value machine (EVM) to obtain an extreme value distribution, leaving only critical data points, and proposed a fast-learning detection method using these data points.…”

Section: B Unknown Attack Detectionmentioning

confidence: 99%

Open Set Recognition With Dissimilarity Weight for Unknown Attack Detection

2023

View full text Add to dashboard Cite

As information technology advances, it provides user convenience but also has more vulnerabilities than ever before. In particular, attackers use advanced techniques to perform new attacks. In cyber security, such attacks are defined as unknown attacks and target previously undetected vulnerabilities or excavate gaps in the system. Because these attacks are unidentified or unanalyzed, they are difficult to identify in signature-based misuse detection that learns rules or patterns. Furthermore, anomaly-based detection that learns from normal data to detect outliers cannot detect unknown attacks accurately, because it does not distinguish between known and unknown attacks. To overcome these problems, this study applied Open-Set Recognition with dissimilarity weight(OSRDW). A OSRDW method was used to effectively train the extreme value distribution, which was calculated by applying the dissimilarity weight, through which unknown attack's weights were calculated and classified unknown attacks. Through research analysis, unknown attack divide two types, and three data sets(NSL-KDD, UNSW-NB15, CICIDS-2017) were used in the experiment. For the first type of unknown attack, the unknown attack detection rate of the proposed method was approximately 10%-20% better than that of the conventional method. For the second type of unknown attack, the accuracy and unknown attack detection rate were higher for the proposed method. The experimental results confirmed that the proposed method had better performance in detecting unknown attacks and it was detected various attacks in the three data sets.

show abstract

An Adaptable Deep Learning-Based Intrusion Detection System to Zero-Day Attacks

Cited by 2 publications

References 30 publications

A Multi-Agent Adaptive Deep Learning Framework for Online Intrusion Detection

A Multi-Agent Adaptive Deep Learning Framework for Online Intrusion Detection

Open Set Recognition With Dissimilarity Weight for Unknown Attack Detection

Contact Info

Product

Resources

About