Abstract

As cyberattacks become more intelligent, it becomes harder for traditional intrusion detection systems to detect advanced attacks that deviate from previously stored patterns. To solve this problem, deep learning-based intrusion detection models have emerged that analyze intelligent attack patterns by learning from data. However, deep learning models have the disadvantage of having to be retrained each time a new cyberattack method emerges, and the time required to learn a large amount of data makes this inefficient. In this paper, an experiment was conducted using the Leipzig Intrusion Detection Data Set (LID-DS), a host-based intrusion detection data set released in 2018. In addition, to evaluate and improve the performance of the system, a host-based intrusion detection model consisting of pre-processing, vector-to-image processing, training and testing steps is proposed. In the training and testing steps, a Siamese Convolutional Neural Network (Siamese-CNN) is constructed using the few-shot learning method, which shows excellent performance when learning from a small amount of data. The Siamese-CNN determines whether the attack type is the same based on the similarity score of each cyberattack sample converted to an image. The accuracy was calculated using the few-shot learning technique. The performance of the Vanilla Convolutional Neural Network (Vanilla-CNN) and the Siamese-CNN is compared to confirm the performance of the Siamese-CNN. Measuring the accuracy, precision, recall, and F1-score confirmed that the recall of the Siamese-CNN model proposed in this study increased by about 6% compared to the Vanilla-CNN model.

Highlights

  • As cyberattacks become more intelligent, attackers exploit unknown vulnerabilities and their attacks become more diverse

  • Intrusion detection systems can be roughly divided into network-based intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS)

  • A lot of research is needed on host-based intrusion detection because it has the advantage of detecting intrusions that cannot be detected with network-based intrusion detection


Summary

Introduction

As cyberattacks become more intelligent, attackers exploit unknown vulnerabilities and their attacks become more diverse. Research was conducted by converting vector data into images and creating a deep learning-based detection model for anomalous behavior. A method that combines a CNN-based network intrusion detection model with the softmax algorithm was proposed and evaluated using the KDD data set.
