Abstract

Cyber security has received increasing attention as people use more Internet applications in their lives and worry about the security of their personal data on the Internet. Intrusion Detection Systems (IDSs) are critical security tools that can detect and respond to intrusions. In recent years, Deep Learning (DL) techniques have gained popularity in IDS design due to their promising detection accuracy. However, designing a DL architecture usually requires professional knowledge, and the design significantly impacts the performance of the DL model. Furthermore, the small proportion of abnormal traffic within the vast volume of network traffic leads to a serious data imbalance problem, which negatively affects the performance of the DL model in detecting minority attack classes. To alleviate these problems, this paper proposes a multi-objective evolutionary DL model (called EvoBMF) to detect network intrusion behaviors. The model incorporates Bidirectional Long Short-Term Memory (BiLSTM) for preliminary feature extraction, Multi-Head Attention (MHA) for further capturing features and global information of the network traffic, and a Fully-Connected Layer (FCL) module to perform the final classification. To deal with the challenge of manually tuning the parameters of the DL model when tackling different tasks, the parameters of the EvoBMF model are first encoded as the chromosome of a Multi-objective Evolutionary Algorithm (MOEA), which aims to optimize the two conflicting objectives of the model (complexity and classification ability). A state-of-the-art MOEA (MOEA/D-DRA) is then used to optimize these two objectives, aiming to obtain the optimal architecture for EvoBMF, which can be easily deployed in cloud computing scenarios to detect and respond to network intrusions.
Additionally, to alleviate the severe imbalance in routine network traffic, the synthetic minority over-sampling technique is introduced to generate representative samples of minority classes and improve the overall performance of the model. Finally, experiments conducted on two popular datasets (UNSW-NB15 and CIC-IDS 2018) demonstrate that the proposed EvoBMF model provides superior intrusion detection performance compared to some state-of-the-art IDSs.
