Troubleshooting an Intrusion Detection Dataset: the CICIDS2017 Case Study

Engelen, Gints; Rimmer, Vera; Joosen, Wouter

doi:10.1109/spw53761.2021.00009

Cited by 67 publications

(53 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…We assume that all the considered datasets are correctly labelled. However, such assumption may be overly optimistic: as described in §2, manual labelling is an error-prone task, and some recent papers highlighted that even well-known datasets may contain flaws (e.g., [151]). Due to the seminal nature of this SoK paper, we do not make any change to the provided labels-which also facilitates comparisons with previous works using such datasets, as the ground truth is the same.…”

Section: Discussion and Future Workmentioning

confidence: 99%

SoK: The Impact of Unlabelled Data in Cyberthreat Detection

Apruzzese,

Laskov,

Tastemirova

2022

Preprint

View full text Add to dashboard Cite

Machine learning (ML) has become an important paradigm for cyberthreat detection (CTD) in the recent years. A substantial research effort has been invested in the development of specialized algorithms for CTD tasks. From the operational perspective, however, the progress of MLbased CTD is hindered by the difficulty in obtaining the large sets of labelled data to train ML detectors. A potential solution to this problem are semisupervised learning (SsL) methods, which combine small labelled datasets with large amounts of unlabelled data.This paper is aimed at systematization of existing work on SsL for CTD and, in particular, on understanding the utility of unlabelled data in such systems. To this end, we analyze the cost of labelling in various CTD tasks and develop a formal cost model for SsL in this context. Building on this foundation, we formalize a set of requirements for evaluation of SsL methods, which elucidates the contribution of unlabelled data. We review the state-of-the-art and observe that no previous work meets such requirements. To address this problem, we propose a framework for assessing the benefits of unlabelled data in SsL. We showcase an application of this framework by performing the first benchmark evaluation that highlights the tradeoffs of 9 existing SsL methods on 9 public datasets. Our findings verify that, in some cases, unlabelled data provides a small, but statistically significant, performance gain. This paper highlights that SsL in CTD has a lot of room for improvement, which should stimulate future research in this field.

show abstract

Section: Discussion and Future Workmentioning

confidence: 99%

SoK: The Impact of Unlabelled Data in Cyberthreat Detection

Apruzzese,

Laskov,

Tastemirova

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Despite the recent Grammatopoulos, and Fabio Di Franco interest in ML led to the release of more open datasets (e.g., [10,31,142]), such datasets exhibit limitations [163]. For instance, inaccurate labels, fast obsolescence, small and synthetic environments (e.g., [115]), or even flawed generation process-as shown in [66]. All these problems can only be mitigated to some degree (e.g.…”

Section: Data Availability (Executives and Legislation Authorities)mentioning

confidence: 99%

The Role of Machine Learning in Cybersecurity

Apruzzese,

Laskov,

de Oca

et al. 2022

Preprint

View full text Add to dashboard Cite

Machine Learning (ML) represents a pivotal technology for current and future information systems, and many domains already leverage the capabilities of ML. However, deployment of ML in cybersecurity is still at an early stage, revealing a significant discrepancy between research and practice. Such discrepancy has its root cause in the current state-of-the-art, which does not allow to identify the role of ML in cybersecurity. The full potential of ML will never be unleashed unless its pros and cons are understood by a broad audience.This paper is the first attempt to provide a holistic understanding of the role of ML in the entire cybersecurity domain-to any potential reader with an interest in this topic. We highlight the advantages of ML with respect to human-driven detection methods, as well as the additional tasks that can be addressed by ML in cybersecurity. Moreover, we elucidate various intrinsic problems affecting real ML deployments in cybersecurity. Finally, we present how various stakeholders can contribute to future developments of ML in cybersecurity, which is essential for further progress in this field. Our contributions are complemented with two real case studies describing industrial applications of ML as defense against cyber-threats.

show abstract

“…Many of the defined requirements for testbeds also overlap with the criteria that network security datasets should meet [13,17,18]. The criteria can be summarized as follows: the dataset provides real and complete network traces; the traffic is generated using a valid network topology that includes clients, servers and network equipment; the dataset is labeled to distinguish between benign and malicious traces; highly heterogeneous regarding included services, network protocols, normal and attack behaviors; easily extendable; reproducible; shareable and documented.…”

Section: General Testbed and Dataset Requirementsmentioning

confidence: 99%

“…Besides offering different types of attacks, diversity within the same attack type should also be provided. This procedure includes combining different attack tools that perform similar actions and using multiple options and flags for each attack [17].…”

Section: Heterogeneitymentioning

confidence: 99%

See 1 more Smart Citation

Gotham Testbed: a Reproducible IoT Testbed for Security Experiments and Dataset Generation

Sáez-de-Cámara¹,

Flores²,

Arellano³

et al. 2022

Preprint

View full text Add to dashboard Cite

The scarcity of available Internet of Things (IoT) datasets remains a limiting factor in developing machine learning based security systems. Static datasets get outdated due to evolving IoT threat landscape. Meanwhile, the testbeds used to generate them are rarely published. This paper presents the Gotham testbed, a reproducible and flexible network security testbed, implemented as a middleware over the GNS3 emulator, that is extendable to accommodate new emulated devices, services or attackers. The testbed is used to build an IoT scenario composed of 100 emulated devices communicating via MQTT, CoAP and RTSP protocols in a topology composed of 30 switches and 10 routers. The scenario presents three threat actors, including the entire Mirai botnet lifecycle and additional red-teaming tools performing DoS, scanning and various attacks targeting the MQTT and CoAP protocols. The generated network traffic and application logs can be used to capture datasets containing legitimate and attacking traces. We hope that researchers can leverage the testbed and adapt it to include other types of devices and state-of-the-art attacks to generate new datasets that reflect the current threat landscape and IoT protocols. The source code to reproduce the scenario is publicly accessible from [1].

show abstract

Troubleshooting an Intrusion Detection Dataset: the CICIDS2017 Case Study

Cited by 67 publications

References 11 publications

SoK: The Impact of Unlabelled Data in Cyberthreat Detection

SoK: The Impact of Unlabelled Data in Cyberthreat Detection

The Role of Machine Learning in Cybersecurity

Gotham Testbed: a Reproducible IoT Testbed for Security Experiments and Dataset Generation

Contact Info

Product

Resources

About