Abstract

Network security is a keystone for ISPs, who need to cope with an increasing number of network attacks that put the network's integrity at risk. The high dimensionality of network data provided by current network monitoring systems opens the door to the massive application of Machine Learning (ML) approaches to improve the detection and classification of network attacks. In recent years, machine learning-based systems have gained popularity for network security applications, usually relying on shallow models, where a set of expert handcrafted features is needed to pre-process the data before training. Deep Learning (DL) models can alleviate the need for domain expert knowledge by relying on their ability to learn feature representations from raw or basic, non-processed input data. Still, it is not clear today which is the best model or model category for network security, as in general only ad hoc and tailored approaches have been proposed and evaluated so far. In this paper we train and benchmark different ML models for the detection of network attacks in different real network data. We consider an extensive battery of supervised ML models, including both shallow and deep models, taking as input either pre-computed, domain-knowledge-based features or raw byte-stream inputs. The proposed models are evaluated both on real, in-the-wild network measurements coming from the WIDE backbone network (the well-known MAWILab dataset) and on publicly available datasets. Results suggest that deep learning models can provide results similar to those of the best-performing shallow models, but without any sort of expert handcrafted inputs.
