Abstract

In recent years, attacks on network environments have continued to advance rapidly and have become increasingly intelligent. Accordingly, the limitations of existing signature-based intrusion detection systems are evident. In particular, for novel attacks such as Advanced Persistent Threat (APT), signature patterns generalize poorly. Furthermore, in a network environment, attack samples are collected much more rarely than normal samples, which creates the problem of imbalanced data. Anomaly detection using an autoencoder has been widely studied in this environment, with the model trained by semi-supervised learning methods to overcome these problems. This approach assumes that reconstruction errors for samples not used in training will be large, but an autoencoder often over-generalizes and this assumption is often broken. In this paper, we propose a network intrusion detection method using a memory-augmented deep autoencoder (MemAE) that can solve the over-generalization problem of autoencoders. The MemAE model is trained to reconstruct an abnormal input as a sample that is close to a normal sample, which solves the generalization problem for such abnormal samples. Experiments were conducted on the NSL-KDD, UNSW-NB15, and CICIDS 2017 datasets, and it was confirmed that the proposed method is better than other one-class models.

Highlights

  • As information and communication technologies advance, the network environment has expanded very rapidly, and cyber threats to the network environment are increasing

  • In the AE model, some attack samples are reconstructed very well. The reason for this problem is that the autoencoder is trained to be over-generalized, or that, in the latent vector compressed for reconstruction, the attack sample and the normal sample share some common construction patterns

  • In this study, we pointed out that over-generalization problems may occur in the AE-based models commonly used in network anomaly detection, and to solve this problem we proposed a method using the Memory-augmented Deep Autoencoder (MemAE)

Summary

INTRODUCTION

As information and communication technologies advance, the network environment has expanded very rapidly, and cyber threats to the network environment are increasing. Many studies have turned to one-class learning based on Support Vector Machine (SVM) and Autoencoder (AE) to solve the anomaly detection problem from such imbalanced data. One-class learning trains a model on samples of only one specific class and is considered a form of semi-supervised learning [6]. This method is very suitable for a network intrusion detection environment where most of the samples are normal. We conduct a study on an AE-based anomaly detection method and point out its over-generalization problem. This method trains the AE on normal samples only and assumes that it has a high reconstruction error for attack samples that are not used for training. However, the AE often reconstructs some attack samples very well, which calls this assumption into question. This problem degrades the performance of the AE-based anomaly detection method.
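The memory read that lets MemAE avoid over-generalization, as an added example that is not code from the paper: the latent vector is rebuilt only from a sparse mix of stored "normal" prototypes, so a latent far from every prototype gets a large reconstruction error. Assumptions: the memory items and latent vectors are constructed by hand, the encoder and decoder are omitted so the error is measured in latent space, and the addressing details (cosine-similarity softmax, hard shrinkage) follow the commonly described MemAE design and are not spelled out on this page.

```python
import math

# Constructed memory of "normal" latent prototypes (hand-set here; learned in MemAE).
MEMORY = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [-1.0, 0.0, 0.0]]

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / (norm + 1e-12)

def memory_read(z, memory, shrink=None):
    """Rebuild latent z from memory items only; returns (z_hat, weights)."""
    sims = [cosine(z, m) for m in memory]
    exps = [math.exp(s - max(sims)) for s in sims]
    w = [e / sum(exps) for e in exps]                 # softmax attention over items
    shrink = 1.0 / len(memory) if shrink is None else shrink
    kept = [wi if wi > shrink else 0.0 for wi in w]   # hard shrinkage -> sparse weights
    if sum(kept) == 0.0:                              # every weight tied at the threshold
        kept = w
    total = sum(kept)
    w = [k / total for k in kept]                     # re-normalise so weights sum to 1
    z_hat = [sum(wi * m[d] for wi, m in zip(w, memory)) for d in range(len(z))]
    return z_hat, w

def anomaly_score(z, memory=MEMORY):
    """Squared error between z and its memory-based reconstruction."""
    z_hat, _ = memory_read(z, memory)
    return sum((a - b) ** 2 for a, b in zip(z, z_hat))

# Constructed latents: one near a normal prototype, one far from all of them.
NORMAL_Z = [0.95, 0.05, 0.0]
ATTACK_Z = [0.2, 0.1, 1.0]

if __name__ == "__main__":
    # An over-generalized AE that passes z through unchanged would score both as 0.
    print("normal:", round(anomaly_score(NORMAL_Z), 4))
    print("attack:", round(anomaly_score(ATTACK_Z), 4))
```

In a detector, the score would be compared against a threshold chosen on held-out normal traffic.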

RELATED STUDIES
TRAINING MEMAE
EXPERIMENTS
Methods
64 Embedding Dimension
Findings
CONCLUSION
