Intrusion Detection System Architecture Research Articles

A micro Reinforcement Learning architecture for Intrusion Detection Systems

This paper proposes an Intrusion Detection System (IDS) that utilizes Deep Reinforcement Learning (DRL) in a fine-grained manner to enhance the performance of binary and multiclass intrusion classification tasks. The proposed system, named Micro Reinforcement Learning Classifier (MRLC), is evaluated using three standard datasets. MRLC architecture utilizes a fine-grained learning approach to enhance IDS accuracy. Simulation studies demonstrate that MRLC has a high efficiency in discriminating different intrusion classes, outperforming state-of-the-art RL-based methods. The average accuracy of MRLC is 99.56%, 99.99%, 99.01% for NSL-KDD, CIC-IDS2018, and UNSW-NB15 datasets respectively. The implementation codes are available at https://github.com/boshradarabi/MICRO-RL-IDS.

A Novel Architecture for an Intrusion Detection System Utilizing Cross-Check Filters for In-Vehicle Networks.

The Controller Area Network (CAN), widely used for vehicular communication, is vulnerable to multiple types of cyber-threats. Attackers can inject malicious messages into the CAN bus through various channels, including wireless methods, entertainment systems, and on-board diagnostic ports. Therefore, it is crucial to develop a reliable intrusion detection system (IDS) capable of effectively distinguishing between legitimate and malicious CAN messages. In this paper, we propose a novel IDS architecture aimed at enhancing the cybersecurity of CAN bus systems in vehicles. Various machine learning (ML) models have been widely used to address similar problems; however, although existing ML-based IDS are computationally efficient, they suffer from suboptimal detection performance. To mitigate this shortcoming, our architecture incorporates specially designed rule-based filters that cross-check outputs from the traditional ML-based IDS. These filters scrutinize message ID and payload data to precisely capture the unique characteristics of three distinct types of cyberattacks: DoS attacks, spoofing attacks, and fuzzy attacks. Experimental evidence demonstrates that the proposed architecture leads to a significant improvement in detection performance across all utilized ML models. Specifically, all ML-based IDS achieved an accuracy exceeding 99% for every type of attack. This achievement highlights the robustness and effectiveness of our proposed solution in detecting potential threats.

Parameterization and Performance Analysis of a Scalable, near Real-Time Packet Capturing Platform

The rapid evolution of technology has fostered an exponential rise in the number of individuals and devices interconnected via the Internet. This interconnectedness has prompted companies to expand their computing and communication infrastructures significantly to accommodate the escalating demands. However, this proliferation of connectivity has also opened new avenues for cyber threats, emphasizing the critical need for Intrusion Detection Systems (IDSs) to adapt and operate efficiently in this evolving landscape. In response, companies are increasingly seeking IDSs characterized by horizontal, modular, and elastic attributes, capable of dynamically scaling with the fluctuating volume of network data flows deemed essential for effective monitoring and threat detection. Yet, the task extends beyond mere data capture and storage; robust IDSs must integrate sophisticated components for data analysis and anomaly detection, ideally functioning in real-time or near real-time. While Machine Learning (ML) techniques present promising avenues for detecting and mitigating malicious activities, their efficacy hinges on the availability of high-quality training datasets, which in turn poses a significant challenge. This paper proposes a comprehensive solution in the form of an architecture and reference implementation for (near) real-time capture, storage, and analysis of network data within a 1 Gbps network environment. Performance benchmarks provided offer valuable insights for prototype optimization, demonstrating the capability of the proposed IDS architecture to meet objectives even under realistic operational scenarios.

Artificial Intelligence-Based Intrusion Detection System for Cloud Computing

Abstract: It is possible to communicate with others and do business across this global network, which is comprised of hundreds of millions of computers running a variety of hardware and software configurations. This makes it simpler for hackers to abuse resources and conduct Internet attacks since computers are linked to one another. There are significant roadblocks to the development of a security-oriented approach that may be flexible and adaptive in light of the expanding number of Internet assaults. Threats from the internet could be identified using an intrusion detection system (IDS). The utilization of an intrusion detection system, or IDS, is necessary to preserve network security. Because the cloud platform is continuously expanding and becoming more prevalent in our everyday lives, it is imperative that we develop an effective IDS for it as well. On the other hand, typical intrusion detection systems may encounter difficulties when used in the cloud. A cloud segment may get overburdened by the pre-determined IDS architecture because of the added detection overhead. In the context of a networked system with an adaptable architecture. Using a neural network-based IDS, we show how to make full utilize available resources while not putting undue strain on any single cloud server. The proposed IDS uses a neural network machine learning to identify new threats even more effectively

Enhancing Intrusion Detection Systems Using a Deep Learning and Data Augmentation Approach

Cybersecurity relies heavily on the effectiveness of intrusion detection systems (IDSs) in securing business communication because they play a pivotal role as the first line of defense against malicious activities. Despite the wide application of machine learning methods for intrusion detection, they have certain limitations that might be effectively addressed by leveraging different deep learning architectures. Furthermore, the evaluation of the proposed models is often hindered by imbalanced datasets, limiting a comprehensive assessment of model efficacy. Hence, this study aims to address these challenges by employing data augmentation methods on four prominent datasets, the UNSW-NB15, 5G-NIDD, FLNET2023, and CIC-IDS-2017, to enhance the performance of several deep learning architectures for intrusion detection systems. The experimental results underscored the capability of a simple CNN-based architecture to achieve highly accurate network attack detection, while more complex architectures showed only marginal improvements in performance. The findings highlight how the proposed methods of deep learning-based intrusion detection can be seamlessly integrated into cybersecurity frameworks, enhancing the ability to detect and mitigate sophisticated network attacks. The outcomes of this study have shown that the intrusion detection models have achieved high accuracy (up to 91% for the augmented CIC-IDS-2017 dataset) and are strongly influenced by the quality and quantity of the dataset used.

A Hierarchical Deep Learning Architecture for Robust Intrusion Detection in Time-Evolving Security Landscapes

Abstract: This paper introduces a novel architecture for Intrusion Detection Systems (IDS), designed to enhance resilience against adversarial attacks by integrating conventional machine learning (ML) models with Deep Learning (DL) models. The proposed system, termed DLL-IDS, comprises three key components: a DL-based IDS, an adversarial example (AE) detector based on local intrinsic dimensionality (LID), and an ML-based IDS. Initially, a novel AE detector is developed using LID to identify potential adversarial examples. This detector serves as a crucial component in identifying suspicious inputs that may be crafted to deceive the IDS. Subsequently, the system leverages the low transferability of attacks between DL and ML models to establish a robust ML model capable of discerning the maliciousness of potential AEs. The DLL-IDS architecture operates as follows: if incoming traffic is flagged as an AE by the detector, the MLbased IDS is employed to evaluate its maliciousness; otherwise, the DL-based IDS handles the prediction. By integrating both DL and ML approaches, the system benefits from the high prediction accuracy of DL models while exploiting the low susceptibility of ML models to adversarial attacks. Experimental results demonstrate significant enhancements in IDS prediction performance under adversarial conditions, achieving high accuracy with minimal resource consumption. This fusion mechanism effectively combines the strengths of DL and ML models, thereby bolstering the overall robustness of the IDS against sophisticated intrusion attempts.

Bi-channel hybrid GAN attention based anomaly detection system for multi-domain SDN environment

Software-Defined Networking (SDN) is a strategy that leads the network via software by separating its control plane from the underlying forwarding plane. In support of a global digital network, multi-domain SDN architecture emerges as a viable solution. However, the complex and ever-evolving nature of network threats in a multi-domain environment presents a significant security challenge for controllers in detecting abnormalities. Moreover, multi-domain anomaly detection poses a daunting problem due to the need to process vast amounts of data from diverse domains. Deep learning models have gained popularity for extracting high-level feature representations from massive datasets. In this work, a novel deep neural network architecture, supervised learning based LD-BiHGA (Low Dimensional Bi-channel Hybrid GAN Attention) system is designed to learn class-specific features for accurate anomaly detection. Two asymmetric GANs are employed for learning the normal and abnormal network flows separately. Then, to extract more relevant features, a bi-channel attention mechanism is added. This is the first study to introduce an innovative hybrid architecture that merges bi-channel hybrid GANs with attention models for the purpose of anomaly detection in a multi-domain SDN environment that effectively handles real-time unbalanced data. The suggested architecture demonstrates its effectiveness on three benchmark datasets, achieving an average accuracy improvement of 7.225% on balanced datasets and 3.335% on imbalanced datasets compared to previous intrusion detection system (IDS) architectures in the literature.

Artificial Intelligence based Intrusion Detection System – A Detailed Survey

The Internet and communications have rapidly expanded, leading to a significant rise in data generation and heterogeneity. Intrusion detection systems play a crucial role in ensuring the security and integrity of computer systems. These systems have been developed by researchers, academicians, and practitioners to effectively detect and mitigate network attacks. Intrusion detection systems are designed to analyze network traffic and compare it with a baseline of normal behavior, allowing them to identify any deviations or inconsistencies that may indicate an intrusion. Furthermore, the cooperative and distributed architecture of intrusion detection systems enables them to effectively detect attacks and protect the network from unauthorized access. Additionally, to enhance the performance of intrusion detection systems, techniques such as resampling the dataset and utilizing classifier ensemble are used to improve the classification accuracy. Moreover, intrusion detection systems have been integrated with intrusion response systems to ensure a timely and effective response to detected attacks. AI-based Intrusion Detection Systems have emerged as a crucial tool in ensuring network security and combating cyber threats. These systems utilize artificial intelligence algorithms to analyze network traffic, identify patterns of malicious activity, and detect potential cyber-attacks. They have proven to be highly effective in improving the detection accuracy, reducing false alarms, and even detecting previously unknown types of attacks. In summary, the development of accurate and efficient intrusion detection systems is crucial for ensuring network security. In today’s rapidly changing world, the significance of accurate intrusion detection systems cannot be overstated.

An adaptive distributed intrusion detection system in local network: Hybrid classification methods

In the realm of cybersecurity, the incessant evolution of network attacks necessitates advanced and robust intrusion detection systems (IDS). The major issues with these systems are numerous: false positivenegative alarms, delayed response and detection time, size of processed data, adaptability to future threats, scalability of the system, difficulty in detecting distributed attacks, and downtime (fault tolerance). We propose a system that introduces a distributed framework aimed at enhancing network security by effectively identifying subtle deviations from normal network behavior. This is achieved through transfer learning based on artificial neural networks, and support vector machine (SVM), capitalizing on their complementary strengths in recognizing complex patterns and addressing high-dimensional datasets. To validate the efficacy of the proposed approach, the NSL-KDD dataset is utilized within a distributed IDS architecture. It consists of several intrusion detection nodes representing subnetworks. A node consists of two agents that work collaboratively. A way is proposed to avoid interference between analysis agents: the network agents manager monitors the functioning of the nodes and displays the results of each vulnerability-detecting node in each subnet separately. Such communication between agents should reduce FPAS (false positive alarms) significantly. The Detection engine extracts relevant features of network attacks to solve the problem of SVM in processing huge sizes of data and detect adaptive future threats to detect famous distributed denial of services (DDOS) attacks in real-time. The system is highly scalable by increasing the number of intrusion detection system nodes if necessary. Central processing is avoided to circumvent a system failure situation, where processing and decision-making take place at the detection node level within each subnet.

A Cryptographic based I2ADO-DNN Security Framework for Intrusion Detection in Cloud Systems

Cloud computing's popularity and success are directly related to improvements in the use of Information and Communication Technologies (ICT). The adoption of cloud implementation and services has become crucial due to security and privacy concerns raised by outsourcing data and business applications to the cloud or a third party. To protect the confidentiality and security of cloud networks, a variety of Intrusion Detection System (IDS) frameworks have been developed in the conventional works. However, the main issues with the current works are their lengthy nature, difficulty in intrusion detection, over-fitting, high error rate, and false alarm rates. As a result, the proposed study attempts to create a compact IDS architecture based on cryptography for cloud security. Here, the balanced and normalized dataset is produced using the z-score preprocessing procedure. The best attributes for enhancing intrusion detection accuracy are then selected using an Intelligent Adorn Dragonfly Optimization (IADO). In addition, the trained features are used to classify the normal and attacking data using an Intermittent Deep Neural Network (IDNN) classification model. Finally, the Searchable Encryption (SE) mechanism is applied to ensure the security of cloud data against intruders. In this study, a thorough analysis has been conducted utilizing various parameters to validate the intrusion detection performance of the proposed I2ADO-DNN model.

Two-Stage Intrusion Detection System in Intelligent Transportation Systems Using Rule Extraction Methods From Deep Neural Networks

In recent years, intrusion detection systems (IDSs) are offering effective solutions to protect various types of cyber-attacks in different networks such as Internet of Vehicles (IoVs) network in Intelligent Transportation Systems (ITS). Deep learning models have largely been leveraged by these intrusion detection systems to achieve better effectiveness results. However, deep learning models are black boxes, which limits their acceptability in decision systems. Also, they require powerful processing capabilities such as GPU, which limit their deployments in resource-constrained devices in IoV environment. To deal with these issues, we propose a two-stage IDS in ITS to discover suspicious network activity of In-Vehicles Networks (IVN) and vehicles to everything (V2X) networks. Our proposed IDS system uses rule extraction methods from deep learning models, i.e., deep neural networks in two stages. In the first stage, we analyze network traffic to distinguish between normal and attack traffic. If the traffic is found malicious, the second stage is invoked to identify the type of attack. To this end, we propose three variants of rule extraction. The first and the second variants are homogeneous, and they apply <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$DeepRed$</tex-math> </inline-formula> and <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$HypInv$</tex-math> </inline-formula> rule extraction methods in both stages respectively. The third variant is heterogeneous, and it applies <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$HypInv$</tex-math> </inline-formula> in the first stage to perform binary classification, and <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$DeepRed$</tex-math> </inline-formula> in the second stage to perform attack classification. The key idea is to combine the advantages of rule extraction technique and two-stage IDS architecture to resource consumption and improve classification accuracy. The proposed IDS model was tested using four benchmark datasets, i.e. ISCXIDS2012, CIC-IDS2017, and CSE-CIC-IDS2018 datasets are used for external network communications and the car hacking dataset are used for in-vehicle communications. The evaluation results show that the homogeneous <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$DeepRed$</tex-math> </inline-formula> is the optimal one in all cases of IDS system with an accuracy scores ranging between 92.43%-98.32% under CIC-IDS2017 dataset, between 91.32%-99.46% under CSE-CIC-IDS2018 dataset, and between 96.05%-99.21% under Car-hacking dataset.

A Hybrid Modified Deep Learning Architecture for Intrusion Detection System with Optimal Feature Selection

With the exponentially evolving trends in technology, IoT networks are vulnerable to serious security issues, allowing intruders to break into networks without authorization and manipulate the data. Their actions can be recognized and avoided by using a system that can detect intrusions. This paper presents a hybrid intelligent system and inverted hour-glass-based layered network classifier for feature selection and classification processes, respectively. To accomplish this task, three different datasets have been utilized in the proposed model for identifying old and new attacks. Moreover, a hybrid optimization feature selection technique has been implemented for selecting only those features that can enhance the accuracy of the detection rate. Finally, the classification is performed by using the inverted hour-glass-based layered network model in which data are up-sampled with the increase in the number of layers for effective training. Data up-sampling is performed when small subset of datapoints are observed for any class, which in turn helps in improving the accuracy of the proposed model. The proposed model demonstrated an accuracy of 99.967%, 99.567%, and 99.726% for NSL-KDD, KDD-CUP99, and UNSW NB15 datasets, respectively, which is significantly better than the traditional CNID model. These results demonstrate that our model can detect different attacks with high accuracy and is expected to show good results for new datasets as well. Additionally, to reduce the computational cost of the proposed model, we have implemented it on CPU-based core i3 processors, which are much cheaper than GPU processors.

A self-adaptation-based approach to resilience improvement of complex internets of utility systems

Resilience improvement of complex internets of utility systems is still an open issue for the current research. Proposed solutions fail to implement an integrated approach to detection, mitigation, and reaction which is able to face both well-known and new, previously unknown cyber-attacks (in particular distributed ones, which constitute one of the most serious and still unresolved threat scenarios affecting networked systems). In this work, we present the conceptual architecture of a novel multi-layer distributed Intrusion Detection and Reaction System based on the Autonomic Communication paradigm. The architecture relies on a self-organizing cooperative overlay network of complementary components that are dynamically and autonomously adapted to face distributed cyberattacks against Industrial Control Systems. The proposed architecture aims at being a guideline for experts and practitioners to address the well-known problem of distributed nature of new types of cyber-attacks, by implementing mechanisms to orchestrate available resources for effective detection and remediation dynamically. A distributed flow monitoring system provides input data to cooperative intrusion detection agents, which allow correlating information from heterogeneous feeds to improve the identification of attacks originating from both the inside and the outside of the monitored network and to support customizable remediation mechanisms.

A Multi-Layer Intrusion Detection System for SOME/IP-Based In-Vehicle Network.

The automotive Ethernet is gradually replacing the traditional controller area network (CAN) as the backbone network of the vehicle. As an essential protocol to solve service-based communication, Scalable service-Oriented MiddlewarE over IP (SOME/IP) is expected to be applied to an in-vehicle network (IVN). The increasing number of external attack interfaces and the protocol's vulnerability makes SOME/IP in-vehicle networks vulnerable to intrusion. This paper proposes a multi-layer intrusion detection system (IDS) architecture, including rule-based and artificial intelligence (AI)-based modules. The rule-based module is used to detect the SOME/IP header, SOME/IP-SD message, message interval, and communication process. The AI-based module acts on the payload. We propose a SOME/IP dataset establishment method to evaluate the performance of the proposed multi-layer IDS. Experiments are carried out on a Jetson Xavier NX, showing that the accuracy of AI-based detection reached 99.7761% and that of rule-based detection was 100%. The average detection time per packet is 0.3958 ms with graphics processing unit (GPU) acceleration and 0.6669 ms with only a central processing unit (CPU). After vehicle-level real-time analyses, the proposed IDS can be deployed for distributed or select critical advanced driving assistance system (ADAS) traffic for detection in a centralized layout.

Network intrusion detection system for DDoS attacks in ICS using deep autoencoders

Anomaly detection in industrial control and cyber-physical systems has gained much attention over the past years due to the increasing modernisation and exposure of industrial environments. Current dangers to the connected industry include the theft of industrial intellectual property, denial of service, or the compromise of cloud components; all of which might result in a cyber-attack across the operational network. However, most scientific work employs device logs, which necessitate substantial understanding and preprocessing before they can be used in anomaly detection. In this paper, we propose a network intrusion detection system (NIDS) architecture based on a deep autoencoder trained on network flow data, which has the advantage of not requiring prior knowledge of the network topology or its underlying architecture. Experimental results show that the proposed model can detect anomalies, caused by distributed denial of service attacks, providing a high detection rate and low false alarms, outperforming the state-of-the-art and a baseline model in an unsupervised learning environment. Furthermore, the deep autoencoder model can detect abnormal behaviour in legitimate devices after an attack. We also demonstrate the suitability of the proposed NIDS in a real industrial plant from the alimentary sector, analysing the false positive rate and the viability of the data generation, filtering and preprocessing procedure for a near real time scenario. The suggested NIDS architecture is a low-cost solution that uses only fifteen network-based features, requires minimal processing, operates in unsupervised mode, and is straightforward to deploy in real-world scenarios.

Unsupervised Deep Learning Approach for In-Vehicle Intrusion Detection System

The controller area network (CAN) is a standard communication protocol used for sending messages between electronic control unit of a modern automotive system. CAN protocol does not have any in-built security mechanisms and, hence, various attacks can affect the vehicle and cause life threats to the passengers. This article presents an unsupervised deep learning architecture for detecting intrusions on a CAN bus. The CAN intrusion detection system (IDS) architecture has an autoencoder that helps to learn the optimal features from CAN packets to differentiate between the normal and attacks. The optimal features are passed as input to the Gaussian mixture model, which helps us to cluster the CAN network packet data samples into normal and attacks. A detailed analysis of the proposed architecture is done on the CAN IDS dataset. To develop a robust CAN IDS system and achieve generalization, the proposed method is evaluated on the other two computer network intrusion datasets and a wireless sensor network dataset. In all the experiments, the proposed method has performed better than the existing unsupervised method and mainly showed a performance gain of 6.4% on the CAN IDS dataset. This indicates that the proposed method is robust and generalizable across detecting various attacks in a CAN bus and most importantly, the method can be used in real time to effectively monitor the CAN network traffic to proactively alert possible attacks.

Hybrid Deep Learning Based Attack Detection for Imbalanced Data Classification

Internet of Things (IoT) is the most widespread and fastest growing technology today. Due to the increasing of IoT devices connected to the Internet, the IoT is the most technology under security attacks. The IoT devices are not designed with security because they are resource constrained devices. Therefore, having an accurate IoT security system to detect security attacks is challenging. Intrusion Detection Systems (IDSs) using machine learning and deep learning techniques can detect security attacks accurately. This paper develops an IDS architecture based on Convolutional Neural Network (CNN) and Long Short-Term Memory (LSTM) deep learning algorithms. We implement our model on the UNSW-NB15 dataset which is a new network intrusion dataset that categorizes the network traffic into normal and attacks traffic. In this work, interpolation data preprocessing is used to compute the missing values. Also, the imbalanced data problem is solved using a synthetic data generation method. Extensive experiments have been implemented to compare the performance results of the proposed model (CNN+LSTM) with a basic model (CNN only) using both balanced and imbalanced dataset. Also, with some state-of-the-art machine learning classifiers (Decision Tree (DT) and Random Forest (RF)) using both balanced and imbalanced dataset. The results proved the impact of the balancing technique. The proposed hybrid model with the balance technique can classify the traffic into normal class and attack class with reasonable accuracy (92.10%) compared with the basic CNN model (89.90%) and the machine learning (DT 88.57% and RF 90.85%) models. Moreover, comparing the proposed model results with the most related works shows that the proposed model gives good results compared with the related works that used the balance techniques.

Genetic programming support vector machine model for a wireless intrusion detection system

Objectives. The rapid penetration of wireless communication technologies into the activities of both humans and Internet of Things (IoT) devices along with their widespread use by information consumers represents an epochal phenomenon. However, this is accompanied by the growing intensity of successful information attacks, involving the use of bot attacks via IoT, which, along with network attacks, has reached a critical level. Under such circumstances, there is an increasing need for new technological approaches to developing intrusion detection systems based on the latest achievements of artificial intelligence. The most important requirement for such a system consists in its operation on various unbalanced sets of attack data, which use different intrusion techniques. The synthesis of such an intrusion detection system is a difficult task due to the lack of universal methods for detecting technologically different attacks; moreover, the consistent application of known methods is unacceptably long. The aim of the present work is to eliminate such a scientific gap.Methods. Using the achievements of artificial intelligence in the fight against attacks, the authors proposed a method based on a combination of the genetic programming support vector machine (GPSVM) model using an unbalanced CICIDS2017 dataset.Results. The presented technological intrusion detection system architecture offers the possibility to train a dataset for detecting attacks on CICIDS2017 and extracting detection objects. The architecture provides for the separation of the dataset into verifiable and not verifiable elements, with the latter being added to the training set by feedback. By training the model and improving GPSVM training set, better accuracy is ensured. The operability of the new flowchart of the GPSVM model is demonstrated in terms of the entry of input data and output of data after processing using the training set of the GPSVM model. Numerical analysis based on the results of model experiments on selected quality indicators showed an increase in the accuracy of the results as compared to the known SVM method.Conclusions. Computer experiments have confirmed the methodological correctness of choosing a combination of the GPSVM model using an unbalanced CICIDS2017 dataset to increase the effectiveness of intrusion detection. A procedure for forming a training dataset based on feedback is proposed. The procedure involving the separation of datasets is shown to create conditions for improving the training of the model. The combination of the GPSVM model with an unbalanced CICIDS2017 dataset to collect a sample increases theaccuracy of intrusion detection to provide improved intrusion detection performance as compared to the SVM method.

Optimization of Intrusion Detection System Based on Improved Convolutional Neural Network Algorithm

The commonly used method in network intrusion detection is abnormal behavior detection, but because abnormal behavior detection is based on artificially setting abnormal values for judgment, the efficiency is low and the false alarm rate is high. For this problem, an intrusion detection system architecture combining K-means algorithm and convolutional neural network algorithm has been introduced. First, the data stream is clustered through the K-means algorithm, and the abnormal data is initially separated, and then the data is applied to the convolution. In the neural network algorithm, the intrusion data flow is judged. The experimental results prove that the framework improves the efficiency of the intrusion detection system to a certain extent and effectively improves the detection accuracy.

FS-IDS: A framework for intrusion detection based on few-shot learning

Due to the high dependency of traditional intrusion detection method on a fully-labeled large dataset, existing works can hardly be applied in real-world scenarios, especially facing zero-day attacks. In this paper we present a novel intrusion detection framework called “FS-IDS”, including flow data encoding method, feature fusion mechanism and architecture of intrusion detection system based on few-shot learning. We utilize task generator to split the dataset into separate tasks and train model in an episodic way, hoping model to learn general knowledge rather than those specific to a single class. The extraction module and distance metric module are responsible for learning and determining whether the traffic data are benign or not. We conduct three sets of experiments on “FS-IDS”, i.e., comparison study, ablation study and multiclass study. Comparison study firstly determines that the best measure metric for discrimination is Euclidean distance. Based on the optimal implementation, “FS-IDS” achieves comparable performance with existing works by using much fewer malicious samples. Ablation study sets two base models to explore how proposed encoding method and feature fusion mechanism improve detection capacity. Both the image representation and feature fusion achieve more than 2% improvement in accuracy and recall. Finally, to test whether “FS-IDS” can perform well under real-world scenario or not, we design network traffic containing various attacks to simulate complex malicious network environment. Experimental results show that “FS-IDS” maintains more than 90% detection accuracy and recall under the worst circumstances, which composes of various seen or unseen attacks with only a few malicious samples available.