Learning to Detect: A Data-driven Approach for Network Intrusion Detection

Zachary, Tauscher,; Jiang, Yushan; Zhang, Kai; Wang, Jian; Song, Houbing

doi:10.1109/ipccc51483.2021.9679415

Cited by 6 publications

(6 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Standardization has been utilized to change numeric features, such that the mean of each feature will have a mean of 0 and a standard deviation of 1 [26,27]. This brings all features to a similar scale, making it easier for machine learning and deep algorithms to learn and converge faster.…”

Section: Standardizationmentioning

confidence: 99%

“…The NSL-KDD dataset contains network connection records labeled as either normal or belonging to a specific type of attack. Class imbalance is present in NSL-KDD as the number of instances in one class (e.g., normal) is significantly larger than the number of instances in another class [27]. To handle class imbalance in the NSL-KDD dataset, several techniques can be employed.…”

Section: Imbalance Handlingmentioning

confidence: 99%

See 1 more Smart Citation

A Robust Approach for Multi Classification-Based Intrusion Detection through Stacking Deep Learning Models

Chelloug

2024

CMC

View full text Add to dashboard Cite

Intrusion detection is a predominant task that monitors and protects the network infrastructure. Therefore, many datasets have been published and investigated by researchers to analyze and understand the problem of intrusion prediction and detection. In particular, the Network Security Laboratory-Knowledge Discovery in Databases (NSL-KDD) is an extensively used benchmark dataset for evaluating intrusion detection systems (IDSs) as it incorporates various network traffic attacks. It is worth mentioning that a large number of studies have tackled the problem of intrusion detection using machine learning models, but the performance of these models often decreases when evaluated on new attacks. This has led to the utilization of deep learning techniques, which have showcased significant potential for processing large datasets and therefore improving detection accuracy. For that reason, this paper focuses on the role of stacking deep learning models, including convolution neural network (CNN) and deep neural network (DNN) for improving the intrusion detection rate of the NSL-KDD dataset. Each base model is trained on the NSL-KDD dataset to extract significant features. Once the base models have been trained, the stacking process proceeds to the second stage, where a simple meta-model has been trained on the predictions generated from the proposed base models. The combination of the predictions allows the meta-model to distinguish different classes of attacks and increase the detection rate. Our experimental evaluations using the NSL-KDD dataset have shown the efficacy of stacking deep learning models for intrusion detection. The performance of the ensemble of base models, combined with the meta-model, exceeds the performance of individual models. Our stacking model has attained an accuracy of 99% and an average F1-score of 93% for the multi-classification scenario. Besides, the training time of the proposed ensemble model is lower than the training time of benchmark techniques, demonstrating its efficiency and robustness.

show abstract

Section: Standardizationmentioning

confidence: 99%

Section: Imbalance Handlingmentioning

confidence: 99%

A Robust Approach for Multi Classification-Based Intrusion Detection through Stacking Deep Learning Models

Chelloug

2024

CMC

View full text Add to dashboard Cite

show abstract

“…In another research on the cybersecurity dataset, NSL-KDD, Tauscher et al [25] utilized SVM-SMOTE for oversampling the minority instances in a four-class classification problem. They observe that oversampling, despite having a minor impact on the accuracy and the micro F1 score, helps the deep neural network based model in learning patterns and improving the F1 score of the U2R attack category.…”

Section: Related Workmentioning

confidence: 99%

Resampling to Classify Rare Attack Tactics in UWF-ZeekData22

Bagui,

Mink,

Bagui

et al. 2024

Knowledge

View full text Add to dashboard Cite

One of the major problems in classifying network attack tactics is the imbalanced nature of data. Typical network datasets have an extremely high percentage of normal or benign traffic and machine learners are skewed toward classes with more data; hence, attack data remain incorrectly classified. This paper addresses the class imbalance problem using resampling techniques on a newly created dataset, UWF-ZeekData22. This is the first dataset with tactic labels, labeled as per the MITRE ATT&CK framework. This dataset contains about half benign data and half attack tactic data, but specific tactics have a meager number of occurrences within the attack tactics. Our objective in this paper was to use resampling techniques to classify two rare tactics, privilege escalation and credential access, never before classified. The study also looks at the order of oversampling and undersampling. Varying resampling ratios were used with oversampling techniques such as BSMOTE and SVM-SMOTE and random undersampling without replacement was used. Based on the results, it can be observed that the order of oversampling and undersampling matters and, in many cases, even an oversampling ratio of 10% of the majority data is enough to obtain the best results.

show abstract

“…Intrusion Detection Systems (IDSs) are traditionally considered as a second line of defence, with the aim of monitoring the network tra c and detecting malicious activities that have eluded the security perimeter [19]. IDSs are generally divided into signature-based or anomalybased [29]. The first category, also known as misuse IDS, is based on pattern recognition, with the goal of comparing signatures of well-known attacks to current network tra c patterns.…”

Section: Related Workmentioning

confidence: 99%

“…In recent years, data-driven approaches for developing IDSs have been explored [15,26,29] considering di erent methods such as random forests, support vector machines, neural networks or clustering techniques. In particular, machine learning and deep learning are emerging as promising data-driven methods with the capability to learn and extract harmful patterns from network traffic, which can be beneficial for detecting security threats occurring in networked systems in general [26], and on IoT networks in particular [5,22].…”

Section: A Ml-based Intrusion Detection Systemsmentioning

confidence: 99%

A Clustering Strategy for Enhanced FL-Based Intrusion Detection in IoT Networks

Talpini

Sartori

Savi

2023

Proceedings of the 15th International Conference on Agents and Artificial Intelligence

View full text Add to dashboard Cite

The Internet of Things (IoT) is growing rapidly and so the need of ensuring protection against cybersecurity attacks to IoT devices. In this scenario, Intrusion Detection Systems (IDSs) play a crucial role and data-driven IDSs based on machine learning (ML) have recently attracted more and more interest by the research community. While conventional ML-based IDSs are based on a centralized architecture where IoT devices share their data with a central server for model training, we propose a novel approach that is based on federated learning (FL). However, conventional FL is ine ective in the considered scenario, due to the high statistical heterogeneity of data collected by IoT devices. To overcome this limitation, we propose a three-tier FL-based architecture where IoT devices are clustered together based on their statistical properties. Clustering decisions are taken by means of a novel entropy-based strategy, which helps improve model training performance. We tested our solution on the CIC-ToN-IoT dataset: our clustering strategy increases intrusion detection performance with respect to a conventional FL approach up to +17% in terms of F1-score, along with a significant reduction of the number of training rounds.

show abstract

Learning to Detect: A Data-driven Approach for Network Intrusion Detection

Cited by 6 publications

References 21 publications

A Robust Approach for Multi Classification-Based Intrusion Detection through Stacking Deep Learning Models

A Robust Approach for Multi Classification-Based Intrusion Detection through Stacking Deep Learning Models

Resampling to Classify Rare Attack Tactics in UWF-ZeekData22

A Clustering Strategy for Enhanced FL-Based Intrusion Detection in IoT Networks

Contact Info

Product

Resources

About