Abstract

Owing to factors such as differing distributions of training data and test data, false associations between features and weight associations lead to unstable detection performance and a lack of generalization in network intrusion detection systems (NIDSs) based on machine learning (ML). To improve the stability and generalization of NIDSs, this paper proposes a detection system based on causal deep learning. First, causal weights were optimized by the propensity score through causal effects, the correlation between causal features and attack labels was increased, and the correlation between false correlation variables was weakened to improve stability. Second, the approximate numerical optimization method of the Tammes problem was used to remove correlations between weights, maintain the independence of causal features, and improve the generalization of the detection system. Last, the feature distribution was disrupted by adding noise to four datasets to simulate different network environments. The results showed that our system can achieve good stability in various network environments where the training and testing datasets are not independently and identically distributed. In particular, after applying binary coding features and causal intervention (CIT) screening features, the average stability of the system improved by more than 10%.
