Abstract
Network intrusion detection systems (IDSs) are becoming more complex because of the continuous growth in network traffic, the variety of attacks and the ever-changing network environment. In addition, network traffic is asymmetric: attack data are few, yet so complex that attacks are difficult to detect. Many studies have used feature engineering to improve intrusion detection performance. These approaches work well in the dataset environment, but they struggle to cope with a changing network environment. This paper proposes an intrusion detection hyperparameter control system (IDHCS) that controls and trains a deep neural network (DNN) feature extractor and a k-means clustering module using a reinforcement learning model based on proximal policy optimization (PPO). The IDHCS controls the DNN feature extractor to extract the most valuable features in the network environment and identifies intrusions through k-means clustering. Through iterative learning with the PPO-based reinforcement learning model, the system is optimized to improve its performance automatically according to the network environment in which the IDHCS is used. Experiments were conducted to evaluate the system performance using the CICIDS2017 and UNSW-NB15 datasets. An F1-score of 0.96552 was achieved on CICIDS2017 and an F1-score of 0.94268 on UNSW-NB15. A further experiment merged the two datasets to build a more extensive and complex test environment. Merging the datasets made the attack types in the experiment more diverse and their patterns more complex. An F1-score of 0.93567 was achieved on the merged dataset, indicating 97% to 99% performance compared with CICIDS2017 and UNSW-NB15. The results reveal that the proposed IDHCS improved the performance of the IDS by automating the learning of new types of attacks and managing intrusion detection features through continuous learning, regardless of changes in the network environment.
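The control loop described in the abstract, as an added example that is not code from the paper: a controller picks a feature-extractor setting, k-means clusters the extracted features, and the resulting F1-score is fed back as the score to maximize. Assumptions made here: a feature-subset mask stands in for the DNN feature extractor, an exhaustive search stands in for the PPO agent, the smaller cluster is treated as the attack cluster, and the feature names and traffic sample are constructed.

```python
import random
from itertools import combinations

FEATURES = ("pkts_per_s", "syn_ratio", "noise")  # hypothetical feature names

def make_flows(seed=7, n_benign=300, n_attack=20):
    """Constructed, imbalanced sample; label 1 = attack. 'noise' is large but uninformative."""
    rng = random.Random(seed)
    flows = []
    for label, n, rate, syn in ((0, n_benign, 50.0, 0.1), (1, n_attack, 400.0, 0.9)):
        for _ in range(n):
            flows.append(([rng.gauss(rate, 10), rng.gauss(syn, 0.03), rng.uniform(0, 5000)], label))
    return flows

def kmeans2(points, iters=50):
    """Plain 2-means with deterministic init (lexicographic min and max point)."""
    cents = [min(points), max(points)]
    for _ in range(iters):
        assign = [min((0, 1), key=lambda c: sum((a - b) ** 2 for a, b in zip(p, cents[c])))
                  for p in points]
        new = []
        for c in (0, 1):
            members = [p for p, a in zip(points, assign) if a == c]
            new.append([sum(col) / len(members) for col in zip(*members)] if members else cents[c])
        if new == cents:  # centroids stopped moving: converged
            break
        cents = new
    return assign

def f1_for_mask(flows, mask):
    """Project onto the selected features, cluster, flag the smaller cluster, return F1."""
    points = [[x[i] for i in mask] for x, _ in flows]
    assign = kmeans2(points)
    attack_cluster = min((0, 1), key=assign.count)  # assumption: attacks are the minority
    tp = sum(a == attack_cluster and y == 1 for a, (_, y) in zip(assign, flows))
    fp = sum(a == attack_cluster and y == 0 for a, (_, y) in zip(assign, flows))
    fn = sum(a != attack_cluster and y == 1 for a, (_, y) in zip(assign, flows))
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0

def tune(flows):
    """Stand-in controller: try every feature subset, keep the first with the best F1."""
    masks = [m for r in (1, 2, 3) for m in combinations(range(len(FEATURES)), r)]
    scores = {m: f1_for_mask(flows, m) for m in masks}
    return max(masks, key=scores.get), scores

if __name__ == "__main__":
    best, scores = tune(make_flows())
    print({tuple(FEATURES[i] for i in m): round(s, 3) for m, s in scores.items()})
    print("selected:", [FEATURES[i] for i in best])
```

Because k-means relies on Euclidean distance, a large-scale uninformative feature can dominate the clustering, which is why the choice of extracted features decides whether the minority attack traffic ends up in its own cluster.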
Highlights
As the use of large-scale high-performance systems, such as cloud systems, increases, the number of network packets rapidly increases
A misuse-based intrusion detection system (IDS) targets a specific pattern, and if the pattern is included in the network traffic, it is regarded as an attack
We examine how to automate the IDS using reinforcement learning to respond to changes in the network environment and overcome dataset limitations by merging datasets
Summary
As the use of large-scale high-performance systems, such as cloud systems, increases, the number of network packets rapidly increases. A network IDS belongs to one of two types based on the detection technique [2]. The misuse-based IDS targets a specific pattern, and if the pattern is included in the network traffic, it is regarded as an attack. This technique has the advantage of reliably detecting specific attacks. In the existing system environment, it has the advantage of a high true-positive detection rate for known attacks. This technique has the disadvantage that a new type of attack cannot be detected, and the detection speed is significantly lower in a big data environment than in the existing environment.