Network Intrusion Detection Based on Active Semi-supervised Learning

Zhang, Yong; Niu, Jie; He, Guojian; Zhu, Lin; Guo, Da

doi:10.1109/dsn-w52860.2021.00031

Cited by 10 publications

(22 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To showcase all scenarios envisioned in our CEF-SsL framework, we consider 9 SsL methods which are variations of two established SsL methods: self learning via pseudo-labelling (e.g., [65]) and active learning via uncertainty sampling (e.g., [66]), summarized in §2.3. Specifically, we consider 3 'pure' pseudo-labelling methods, 3 'pure' active learning methods, and 3 combinations thereof (e.g., [70]), where we cascade pseudo-labelling with active learning. The decision criterion is the confidence threshold c. Pseudo Labelling.…”

Section: Selected Ssl Methodsmentioning

confidence: 99%

“…The analysis is focused on 'suggesting' to the oracle which samples in U should be correctly labelled to improve the performance, and the suggestion is based on the confidence of the model on the samples in U. Intuitively, the model can learn 'more' from samples with a low confidence [70]. The oracle then assigns the correct ground truth to such samples, which are inserted into L and used to retrain the model-using a correctly labelled dataset.…”

Section: Focus Of the Papermentioning

confidence: 99%

See 1 more Smart Citation

SoK: The Impact of Unlabelled Data in Cyberthreat Detection

Apruzzese,

Laskov,

Tastemirova

2022

Preprint

View full text Add to dashboard Cite

Machine learning (ML) has become an important paradigm for cyberthreat detection (CTD) in the recent years. A substantial research effort has been invested in the development of specialized algorithms for CTD tasks. From the operational perspective, however, the progress of MLbased CTD is hindered by the difficulty in obtaining the large sets of labelled data to train ML detectors. A potential solution to this problem are semisupervised learning (SsL) methods, which combine small labelled datasets with large amounts of unlabelled data.This paper is aimed at systematization of existing work on SsL for CTD and, in particular, on understanding the utility of unlabelled data in such systems. To this end, we analyze the cost of labelling in various CTD tasks and develop a formal cost model for SsL in this context. Building on this foundation, we formalize a set of requirements for evaluation of SsL methods, which elucidates the contribution of unlabelled data. We review the state-of-the-art and observe that no previous work meets such requirements. To address this problem, we propose a framework for assessing the benefits of unlabelled data in SsL. We showcase an application of this framework by performing the first benchmark evaluation that highlights the tradeoffs of 9 existing SsL methods on 9 public datasets. Our findings verify that, in some cases, unlabelled data provides a small, but statistically significant, performance gain. This paper highlights that SsL in CTD has a lot of room for improvement, which should stimulate future research in this field.

show abstract

Section: Selected Ssl Methodsmentioning

confidence: 99%

Section: Focus Of the Papermentioning

confidence: 99%

SoK: The Impact of Unlabelled Data in Cyberthreat Detection

Apruzzese,

Laskov,

Tastemirova

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Among these, we mention semisupervised ML approaches (e.g. [28,45]), which combine unlabelled with labelled data, and are hence orthogonal to our work.…”

Section: Related Workmentioning

confidence: 99%

“…Specifically, the adopted splits s(N ) and s(M ) are always 80:20 for both T and E. We use such splits because they are common in related literature (e.g., [17,45]), therefore enabling a more fair comparison of our results with those of past works. We considered different ML algorithms, but we found that Random Forests consistently provided the best tradeoff in terms of detection performance, rate of false alarms, and training time-a result that confirms the state-of-the-art on the same datasets (e.g., [17,19,21,45]). Hence our results will refer to Random Forest as the learning algorithm for each classifier.…”

Section: Assessmentmentioning

confidence: 99%

See 1 more Smart Citation

The Cross-Evaluation of Machine Learning-Based Network Intrusion Detection Systems

Pajola

Conti

2022

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

Enhancing Network Intrusion Detection Systems (NIDS) with supervised Machine Learning (ML) is tough. ML-NIDS must be trained and evaluated, operations requiring data where benign and malicious samples are clearly labelled. Such labels demand costly expert knowledge, resulting in a lack of real deployments, as well as on papers always relying on the same outdated data. The situation improved recently, as some efforts disclosed their labelled datasets. However, most past works used such datasets just as a 'yet another' testbed, overlooking the added potential provided by such availability.In contrast, we promote using such existing labelled data to cross-evaluate ML-NIDS. Such approach received only limited attention and, due to its complexity, requires a dedicated treatment. We hence propose the first cross-evaluation model. Our model highlights the broader range of realistic use-cases that can be assessed via cross-evaluations, allowing the discovery of still unknown qualities of state-of-the-art ML-NIDS. For instance, their detection surface can be extended-at no additional labelling cost. However, conducting such cross-evaluations is challenging. Hence, we propose the first framework, XeNIDS, for reliable cross-evaluations based on Network Flows. By using XeNIDS on six well-known datasets, we demonstrate the concealed potential, but also the risks, of cross-evaluations of ML-NIDS.

show abstract