Analysis of Autoencoders for Network Intrusion Detection

Song, Youngrok; Hyun, Sangwon; Cheong, Yun-Gyung

doi:10.3390/s21134294

Cited by 80 publications

(39 citation statements)

References 43 publications

(62 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Next, Song et al. [ 60 ] used autoencoders to develop an IDS method. The proposed method used three benchmark datasets, including NSL-KDD, IoTID20, and N-BaIoT.…”

Section: Related Workmentioning

confidence: 99%

Classification and Explanation for Intrusion Detection System Based on Ensemble Trees and SHAP Method

Kim

Kang

et al. 2022

Sensors

View full text Add to dashboard Cite

In recent years, many methods for intrusion detection systems (IDS) have been designed and developed in the research community, which have achieved a perfect detection rate using IDS datasets. Deep neural networks (DNNs) are representative examples applied widely in IDS. However, DNN models are becoming increasingly complex in model architectures with high resource computing in hardware requirements. In addition, it is difficult for humans to obtain explanations behind the decisions made by these DNN models using large IoT-based IDS datasets. Many proposed IDS methods have not been applied in practical deployments, because of the lack of explanation given to cybersecurity experts, to support them in terms of optimizing their decisions according to the judgments of the IDS models. This paper aims to enhance the attack detection performance of IDS with big IoT-based IDS datasets as well as provide explanations of machine learning (ML) model predictions. The proposed ML-based IDS method is based on the ensemble trees approach, including decision tree (DT) and random forest (RF) classifiers which do not require high computing resources for training models. In addition, two big datasets are used for the experimental evaluation of the proposed method, NF-BoT-IoT-v2, and NF-ToN-IoT-v2 (new versions of the original BoT-IoT and ToN-IoT datasets), through the feature set of the net flow meter. In addition, the IoTDS20 dataset is used for experiments. Furthermore, the SHapley additive exPlanations (SHAP) is applied to the eXplainable AI (XAI) methodology to explain and interpret the classification decisions of DT and RF models; this is not only effective in interpreting the final decision of the ensemble tree approach but also supports cybersecurity experts in quickly optimizing and evaluating the correctness of their judgments based on the explanations of the results.

show abstract

“…Next, Song et al. [ 60 ] used autoencoders to develop an IDS method. The proposed method used three benchmark datasets, including NSL-KDD, IoTID20, and N-BaIoT.…”

Section: Related Workmentioning

confidence: 99%

Classification and Explanation for Intrusion Detection System Based on Ensemble Trees and SHAP Method

Kim

Kang

et al. 2022

Sensors

View full text Add to dashboard Cite

show abstract

“…For instance, Hassan et al [23] optimized hyper-parameters of sparse AE to extract better feature embedding for classifying intrusion attacks. Similarly, Song et al [24] proposed an Autoencoder model (trained on normal samples) based on the principle that the reconstruction loss of normal traffic samples is lower than that of abnormal (attack) samples so that a threshold can be set for detecting future attacks. In addition, this work evaluates various hyperparameters, model architectures, and latent size settings in terms of attack detection performance.…”

Section: Related Workmentioning

confidence: 99%

Autoencoder-based Unsupervised Intrusion Detection using Multi-Scale Convolutional Recurrent Networks

Singh¹,

Jang-Jaccard²

2022

Preprint

View full text Add to dashboard Cite

The massive growth of network traffic data leads to a large volume of datasets. Labeling these datasets for identifying intrusion attacks is very laborious and error-prone. Furthermore, network traffic data have complex time-varying non-linear relationships. The existing state-of-the-art intrusion detection solutions use a combination of various supervised approaches along with fused features subsets based on correlations in traffic data. These solutions often require high computational cost, manual support in finetuning intrusion detection models, and labeling of data that limit real-time processing of network traffic. Unsupervised solutions do reduce computational complexities and manual support for labeling data but current unsupervised solutions do not consider spatio-temporal correlations in traffic data. To address this, we propose a unified Autoencoder based on combining multi-scale convolutional neural network and long short-term memory (MSCNN-LSTM-AE) for anomaly detection in network traffic. The model first employs Multiscale Convolutional Neural Network Autoencoder (MSCNN-AE) to analyze the spatial features of the dataset, and then latent space features learned from MSCNN-AE employs Long Short-Term Memory (LSTM) based Autoencoder Network to process the temporal features. Our model further employs two Isolation Forest algorithms as error correction mechanisms to detect false positives and false negatives to improve detection accuracy. We evaluated our model NSL-KDD, UNSW-NB15, and CICDDoS2019 dataset and showed our proposed method significantly outperforms the conventional unsupervised methods and other existing studies on the dataset.

show abstract

“…The technological advancements in present-day cyberattacks has made the activities of advanced attackers more complex to detect as a result of emerging obfuscation techniques [27], [38], [39] and interactions [40] with stealth variations carried out on IoT ecosystems.…”

Section: The Need To Convert Iot Malware Binaries To Imagesmentioning

confidence: 99%

“…In modern times, the emerging polymorphic malware attacks in the IoT ecosystems have been a major concern [1] due to complex obfuscation code structures that are mostly time based [41], [42]. These IoT malware signatures attacks that are predominantly multivariate [39], [40], [42]- [44] are updated sequentially on a minute-by-minute or hour-by-hour basis et al by the attackers, thereby inundating and silencing any potential alert system, which may cause massive vulnerabilities for exploitations in an IoT ecosystem. The current widespread detection and mitigation mechanisms for these emerging polymorphic IoT malware attacks that are largely obfuscated intricately can be problematic and resource intensive to both the traditional and automated malware detection solutions such as the signature based (e.g., large database), and automated based techniques (insufficient information) etc., adopted by major cybersecurity vendors, practitioners, and researchers in the cross-discipline cybersecurity industries.…”

Section: The Need To Convert Iot Malware Binaries To Imagesmentioning

confidence: 99%

iDRP Framework: An Intelligent Malware Exploration Framework for Big Data and Internet of Things (IoT) Ecosystem

Eboya¹,

Juremi²

2021

Adv. sci. technol. eng. syst. j.

View full text Add to dashboard Cite

The Internet of Things (IoT) is at a face paced growth in the advanced Industrial Revolution (IR) 4.0 in the modern digital world. Considering the current network security challenges and sophistication of attacks in the heavily computerized and interconnected systems, such as an IoT ecosystem, the need for an innovative, robust, intelligent and adaptive malware attacks and threats security solution is becoming predominant in the current cyberspace. An integrated and scalable IoT malware detection framework called iDRP framework with deep learning method was proposed as a solution to current IoT malware attacks that are largely obfuscated. The novel framework utilized systematic pre-processing and post-processing techniques and methods on the BoTNetIoT malware datasets that contains both benign and malicious IoT traffic data infected by modern day IoT attacks such as Mirai and Gafgyt etc. IoT malware variants in an IoT ecosystem. The raw IoT malware binaries were converted to image files (Gray-scaled) and computed statistically with synthesised sparsed and differential evolutionary hidden feature structures techniques, which were cyclically trained, tested, and cross-validated to establish empirical anomalies with precision in the detection, recognizing, and prediction of malware anomalies in a modern IoT ecosystem. Preliminary experiments were conducted with standardized image binary files such as the datasets as sound scientific exploratory experiments with profound results. The comparative results of the performance of our integrated techniques and methods on the BoTNetIoT IoT malware datasets achieved a 99.98% accuracy, 99.99% ROC/AUC, 99.95% precision, and 99.93 recall rate etc. utilizing the integrated iDRP framework mechanisms for effectively detecting IoT malware in an IoT ecosystem.

show abstract

Analysis of Autoencoders for Network Intrusion Detection

Cited by 80 publications

References 43 publications

Classification and Explanation for Intrusion Detection System Based on Ensemble Trees and SHAP Method

Classification and Explanation for Intrusion Detection System Based on Ensemble Trees and SHAP Method

Autoencoder-based Unsupervised Intrusion Detection using Multi-Scale Convolutional Recurrent Networks

iDRP Framework: An Intelligent Malware Exploration Framework for Big Data and Internet of Things (IoT) Ecosystem

Contact Info

Product

Resources

About