Abstract

Network-based Intrusion Detection Systems (NIDSs) are deployed in computer networks to identify intrusions. NIDSs analyse network traffic to detect malicious content generated from different types of cyber-attacks. Though NIDSs can classify frequent attacks correctly, their performance declines on infrequent network intrusions. This paper proposes LIO-IDS, based on a Long Short-Term Memory (LSTM) classifier and an Improved One-vs-One technique, for handling both frequent and infrequent network intrusions. LIO-IDS is a two-layer Anomaly-based NIDS (A-NIDS) that detects different network intrusions with high Accuracy and low computational time. Layer 1 of LIO-IDS identifies intrusions from normal network traffic by using the LSTM classifier. Layer 2 uses ensemble algorithms to classify the detected intrusions into different attack classes. This paper also proposes an Improved One-vs-One (I-OVO) technique for performing multi-class classification at the second layer of the proposed LIO-IDS. In contrast to the traditional OVO technique, the proposed I-OVO technique uses only three classifiers to test each sample, thereby reducing the testing time significantly. Also, oversampling techniques have been used at Layer 2 to enhance the detection ability of the proposed LIO-IDS. The performance of the proposed system has been evaluated in terms of Accuracy, Recall, Precision, F1-score, Receiver Operating Characteristic (ROC) curve, Area Under ROC (AUC) values, training time and testing time for the NSL-KDD, CIDDS-001, and CICIDS2017 datasets. The proposed LIO-IDS shows significant improvement in the results as compared to its counterparts. High attack detection rates and short computational times make the proposed LIO-IDS suitable to be deployed in the real world for network-based intrusion detection.
