FARE: Enabling Fine-grained Attack Categorization under Low-quality Labeled Data

Liang, Junjie; Guo, Wenbo; Luo, Tongbo; Honavar, Vasant; Wang, Gang; Xing, Xinyu

doi:10.14722/ndss.2021.24403

Cited by 16 publications

(16 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In our experiments, FARE [10], ACID [11], and traditional machine learning algorithms are chosen as baseline methods for comparison. FARE and ACID are proposed recently in 2020 and 2021 with high citations.…”

Section: Comparison With Sota Methodsmentioning

confidence: 99%

“…Machine learning-based attack detection can be divided into coarse-grained attack detection [6] [7] and fine-grained attack detection [10] [11]. DiFF-RF [6] introduced an ensemble approach composed of random partitioning binary trees 1. https://github.com/HUANGLIZI/WTC.…”

Section: Machine Learning-based Intrusion Detectionmentioning

confidence: 99%

“…to detect anomalies, while Whisper [7] introduced a realtime machine learning-based malicious traffic detection system thorough utilizing sequential information represented by the frequency domain features to achieve bounded information loss, as well as ensuring high detection accuracy. In the field of cyber security, FARE [10] utilizes eans clustering as an unsupervised classification algorithm supplemented with partially labeled data for semi-supervised learning. Recently, Diallo [11] proposed an intrusion detection model based on adaptive clustering (ACID), which uses lowdimensional embeddings learned by efficient convolutional neural networks to solve the problem that traditional classification models are sensitive to feature changes and can effectively separate samples from different classes.…”

Section: Machine Learning-based Intrusion Detectionmentioning

confidence: 99%

“…Nowadays, machine learning-based network intrusion detection algorithms [4] [5] that can detect unseen attacks are flourishing. Existing methods can be divided into two categories: coarse-grained attack detection [6] [7] [8] [9] and fine-grained attack detection [10] [11]. Coarse-grained methods only distinguish between attack and normal, which are not well suited for detailed analysis of attacks.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Semi-WTC: A Practical Semi-supervised Framework for Attack Categorization through Weight-Task Consistency

Chen¹,

Wei²,

Luo³

et al. 2022

Preprint

View full text Add to dashboard Cite

Supervised learning has been widely used for attack detection, which requires large amounts of high-quality data and labels. However, the data is often imbalanced and sufficient annotations are difficult to obtain. Moreover, these supervised models are subject to real-world deployment issues, such as defending against unseen artificial attacks. We propose a semi-supervised fine-grained attack categorization framework consisting of an encoder and a two-branch structure to integrate information from labeled and unlabeled data to tackle these practical challenges. This framework can be generalized to different supervised models. The multilayer perceptron with residual connection and batch normalization is used as the encoder to extract features and reduce the complexity. The Recurrent Prototype Module (RPM) is proposed to train the encoder effectively in a semi-supervised manner. To alleviate the problem of data imbalance, we introduce the Weight-Task Consistency (WTC) into the iterative process of RPM by assigning larger weights to classes with fewer samples in the loss function. In addition, to cope with new attacks in real-world deployment, we further propose an Active Adaption Resampling (AAR) method, which can better discover the distribution of the unseen sample data and adapt the parameters of the encoder. Experimental results show that our model outperforms the state-of-the-art semi-supervised attack detection methods with a general 5% improvement in classification accuracy and a 90% reduction in training time.

show abstract

Section: Comparison With Sota Methodsmentioning

confidence: 99%

Section: Machine Learning-based Intrusion Detectionmentioning

confidence: 99%

Section: Machine Learning-based Intrusion Detectionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Semi-WTC: A Practical Semi-supervised Framework for Attack Categorization through Weight-Task Consistency

Chen¹,

Wei²,

Luo³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Improving DL-based security systems. Recently, several works have been proposed for improving the practicality of (unsupervised) DL-based security systems, such as improving the robustness of DLbased systems [17,21], performing lifelong learning [11], detecting concept drift [58], learning from low-quality labeled data [30]. They are orthogonal to our work and could be adopted together for developing more practical security systems.…”

Section: Related Workmentioning

confidence: 99%

DeepAID: Interpreting and Improving Deep Learning-based Anomaly Detection in Security Applications

Han

Wang

Chen

et al. 2021

Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Unsupervised Deep Learning (DL) techniques have been widely used in various security-related anomaly detection applications, owing to the great promise of being able to detect unforeseen threats and the superior performance provided by Deep Neural Networks (DNN). However, the lack of interpretability creates key barriers to the adoption of DL models in practice. Unfortunately, existing interpretation approaches are proposed for supervised learning models and/or non-security domains, which are unadaptable for unsupervised DL models and fail to satisfy special requirements in security domains.In this paper, we propose DeepAID, a general framework aiming to (1) interpret DL-based anomaly detection systems in security domains, and (2) improve the practicality of these systems based on the interpretations. We first propose a novel interpretation method for unsupervised DNNs by formulating and solving well-designed optimization problems with special constraints for security domains. Then, we provide several applications based on our Interpreter as well as a model-based extension Distiller to improve security systems by solving domain-specific problems. We apply DeepAID over three types of security-related anomaly detection systems and extensively evaluate our Interpreter with representative prior works. Experimental results show that DeepAID can provide high-quality interpretations for unsupervised DL models while meeting several special requirements in security domains. We also provide several use cases to show that DeepAID can help security operators to understand model decisions, diagnose system mistakes, give feedback to models, and reduce false positives.

show abstract

EvoIoT: An evolutionary IoT and non-IoT classification model in open environments

Fan

Dong

et al. 2022

Computer Networks

View full text Add to dashboard Cite

FARE: Enabling Fine-grained Attack Categorization under Low-quality Labeled Data

Cited by 16 publications

References 32 publications

Semi-WTC: A Practical Semi-supervised Framework for Attack Categorization through Weight-Task Consistency

Semi-WTC: A Practical Semi-supervised Framework for Attack Categorization through Weight-Task Consistency

DeepAID: Interpreting and Improving Deep Learning-based Anomaly Detection in Security Applications

EvoIoT: An evolutionary IoT and non-IoT classification model in open environments

Contact Info

Product

Resources

About