Abstract

With the frequent occurrence of cyber-security incidents, intrusion detection systems (IDS) have received more and more attention recently. However, accurately detecting attacks in a traffic data stream is rather challenging. The great diversity and variation of network intrusions make intrusion feature extraction difficult, and the seriously imbalanced class distribution prevents common classifiers from working properly. Traditional methods for intrusion detection suffer from some obvious drawbacks. Classic machine learning-based methods depend heavily on pre-defined features; automatic feature learning-based methods usually overfit the training data and neglect the problem of imbalanced data distribution; and unsupervised learning-based methods are not suitable for multi-class classification of attacks. In this paper, to understand the characteristics of network traffic clearly, we analyze the class distribution of classic intrusion datasets through visualization. Based on the observed characteristics, we innovatively propose exploiting distinctive features of each type of traffic from three perspectives, namely, anomaly identification, clustering and classification. We consider the feature learning in each perspective as a single task, then propose three models to fulfill the three tasks, namely, an Autoencoder-based contrastive learning model, a supervised learning-based clustering model, and an MLP-based classifier, and we also develop a unified framework that integrates the three models to accomplish intrusion detection comprehensively. Additionally, we propose a customized loss function to deal with the imbalanced distribution of traffic data. Finally, we conduct extensive experiments on three classic intrusion detection datasets. The results demonstrate that the proposed method can outperform the state-of-the-art methods on both binary and multi-class classification.
