Open Access
Processes, volume 9, issue 5, pages 834

HCRNNIDS: Hybrid Convolutional Recurrent Neural Network-Based Network Intrusion Detection System

Publication type: Journal Article
Publication date: 2021-05-10
Journal: Processes
Scimago: Q2
SJR: 0.525
CiteScore: 5.1
Impact factor: 2.8
ISSN: 2227-9717
Subject areas: Process Chemistry and Technology; Bioengineering; Chemical Engineering (miscellaneous)
Abstract

Nowadays, network attacks are the most crucial problem of modern society. All networks, from small to large, are vulnerable to network threats. An intrusion detection (ID) system is critical for mitigating and identifying malicious threats in networks. Currently, deep learning (DL) and machine learning (ML) are being applied in different domains, especially information security, for developing effective ID systems. These ID systems are capable of detecting malicious threats automatically and on time. However, malicious threats are occurring and changing continuously, so the network requires a very advanced security solution. Thus, creating an effective and smart ID system is a massive research problem. Various ID datasets are publicly available for ID research. Due to the complex nature of malicious attacks with a constantly changing attack detection mechanism, publicly existing ID datasets must be modified systematically on a regular basis. So, in this paper, a convolutional recurrent neural network (CRNN) is used to create a DL-based hybrid ID framework that predicts and classifies malicious cyberattacks in the network. In the HCRNNIDS, the convolutional neural network (CNN) performs convolution to capture local features, and the recurrent neural network (RNN) captures temporal features to improve the ID system’s performance and prediction. To assess the efficacy of the hybrid convolutional recurrent neural network intrusion detection system (HCRNNIDS), experiments were done on publicly available ID data, specifically the modern and realistic CSE-CIC-IDS2018 data. The simulation outcomes prove that the proposed HCRNNIDS substantially outperforms current ID methodologies, attaining a high malicious attack detection rate accuracy of up to 97.75% for CSE-CIC-IDS2018 data with 10-fold cross-validation.

Folino F., Folino G., Guarascio M., Pisani F.S., Pontieri L.
Information Fusion scimago Q1 wos Q1
2021-08-01 citations by CoLab: 46 Abstract  
Classification-oriented Machine Learning methods are a precious tool, in modern Intrusion Detection Systems (IDSs), for discriminating between suspected intrusion attacks and normal behaviors. Many recent proposals in this field leveraged Deep Neural Network (DNN) methods, capable of learning effective hierarchical data representations automatically. However, many of these solutions were validated on data featuring stationary distributions and/or large amounts of training examples. By contrast, in real IDS applications different kinds of attack tend to occur over time, and only a small fraction of the data instances is labeled (usually with far fewer examples of attacks than of normal behavior). A novel ensemble-based Deep Learning framework is proposed here that tries to face the challenging issues above. Basically, the non-stationary nature of IDS log data is faced by maintaining an ensemble consisting of a number of specialized base DNN classifiers, trained on disjoint chunks of the data instances’ stream, plus a combiner model (reasoning on both the base classifiers’ predictions and original instance features). In order to learn deep base classifiers effectively from small training samples, an ad-hoc shared DNN architecture is adopted, featuring a combination of dropout capabilities and skip-connections, along with a cost-sensitive loss (for dealing with unbalanced data). Test results, conducted on two benchmark IDS datasets and involving several competitors, confirmed the effectiveness of our proposal (in terms of both classification accuracy and robustness to data scarcity), and allowed us to evaluate different ensemble combination schemes.
  • We define a chunk-based framework for learning an ensemble of DNN classifiers for IDS.
  • Ad-hoc DNN architectures are proposed to model the base classifiers and the combiner.
  • Experiments on benchmark data confirm the proposal’s effectiveness and robustness.
  • The approach outperforms other well-known ensemble-based competitors.
  • Sensitivity to data scarcity and the use of different combiner schemes are studied.
Ahmad R., Alsmadi I.
Internet of Things scimago Q1 wos Q1
2021-06-01 citations by CoLab: 173 Abstract  
With the continuous expansion and evolution of IoT applications, attacks on those IoT applications continue to grow rapidly. In this systematic literature review (SLR) paper, our goal is to provide a research asset to researchers on recent research trends in IoT security. As the main driver of our SLR paper, we proposed six research questions related to IoT security and machine learning. This extensive literature survey on the most recent publications in IoT security identified a few key research trends that will drive future research in this field. With the rapid growth of large-scale IoT attacks, it is important to develop models that can integrate state-of-the-art techniques and technologies from big data and machine learning. Accuracy and efficiency are key quality factors in finding the best algorithms and models to detect IoT attacks in real or near real-time.
Millar S., McLaughlin N., Martinez del Rincon J., Miller P.
2021-05-01 citations by CoLab: 49 Abstract  
Zero-day malware samples pose a considerable danger to users as implicitly there are no documented defences for previously unseen, newly encountered behaviour. Malware detection therefore relies on past knowledge to attempt to deal with zero-days. Often such insight is provided by a human expert hand-crafting and pre-categorising certain features as malicious. However, tightly coupled feature-engineering based on previous domain knowledge risks not being effective when faced with a new threat. In this work we decouple this human expertise, instead encapsulating knowledge inside a deep learning neural net with no prior understanding of malicious characteristics. Raw input features consist of low-level opcodes, app permissions and proprietary Android API package usage. Our method makes three main contributions. Firstly, a novel multi-view deep learning Android malware detector with no specialist malware domain insight used to select, rank or hand-craft input features. Secondly, a comprehensive zero-day scenario evaluation using the Drebin and AMD benchmarks, with our model achieving weighted average detection rates of 91% and 81% respectively, an improvement of up to 57% over the state-of-the-art. Thirdly, a 77% reduction in false positives on average compared to the state-of-the-art, with excellent F1 scores of 0.9928 and 0.9963 for the general detection task again on the Drebin and AMD benchmark datasets respectively.
Girdler T., Vassilakis V.G.
2021-03-01 citations by CoLab: 39 Abstract  
This work focuses on infiltration methods, such as Address Resolution Protocol (ARP) spoofing, where adversaries send fabricated ARP messages, linking their Media Access Control (MAC) address to a genuine device’s Internet Protocol (IP) address. We developed a Software-Defined Networking (SDN)-based Intrusion Detection and Prevention System (IDPS), which defends against ARP spoofing and blacklisted MAC addresses. This is done by dynamically adjusting SDN’s operating parameters to detect malicious network traffic. Bespoke software was written to conduct the attack tests and customise the IDPS; this was coupled to a specifically developed library to validate user input. Improvements were made to SDN in the areas of attack detection, firewall, intrusion prevention, packet dropping, and shorter timeouts. Our extensive experimental results show that the developed solution is effective and quickly responds to intrusion attempts. In the considered test scenarios, our measured detection and mitigation times are sufficiently low (in the order of a few seconds).
Makuvaza A., Jat D.S., Gamundani A.M.
SN Computer Science scimago Q2
2021-02-20 citations by CoLab: 47 Abstract  
Software-Defined Networking (SDN) has emerged as the new big thing in networking. The separation of the control plane from the data plane and application plane gives SDN an edge over traditional networking. With SDN, the devices are configured at the control plane, which makes it easier to manage network devices from one central point. However, the decoupled architecture creates a single point of failure. A single point of failure attracts cyber-attacks, such as Distributed Denial of Service (DDoS) attacks. Attackers have recently moved from single-vector to multi-vector attacks. The need for real-time detection as a countermeasure is of paramount importance. Attackers’ use of sophisticated techniques to launch DDoS attacks dictates the need for a sophisticated intrusion detection system. This paper proposes a Deep Neural Network (DNN) solution for real-time detection of DDoS attacks in SDN. The proposed IDS produced a detection accuracy of 97.59% using fewer resources and less time.
Oliveira N., Praça I., Maia E., Sousa O.
Applied Sciences (Switzerland) scimago Q2 wos Q2 Open Access
2021-02-13 citations by CoLab: 70 PDF Abstract  
With the latest advances in information and communication technologies, greater amounts of sensitive user and corporate information are shared continuously across the network, making it susceptible to an attack that can compromise data confidentiality, integrity, and availability. Intrusion Detection Systems (IDS) are important security mechanisms that can perform the timely detection of malicious events through the inspection of network traffic or host-based logs. Many machine learning techniques have proven to be successful at conducting anomaly detection throughout the years, but only a few considered the sequential nature of data. This work proposes a sequential approach and evaluates the performance of a Random Forest (RF), a Multi-Layer Perceptron (MLP), and a Long Short-Term Memory (LSTM) on the CIDDS-001 dataset. The resulting performance measures of this particular approach are compared with the ones obtained from a more traditional one, which only considers individual flow information, in order to determine which methodology best suits the concerned scenario. The experimental outcomes suggest that anomaly detection can be better addressed from a sequential perspective. The LSTM is a highly reliable model for acquiring sequential patterns in network traffic data, achieving an accuracy of 99.94% and an F1-score of 91.66%.
Tama B.A., Lim S.
Computer Science Review scimago Q1 wos Q1
2021-02-01 citations by CoLab: 107 Abstract  
Intrusion detection systems (IDSs) are intrinsically linked to a comprehensive solution of cyberattack prevention instruments. To achieve a higher detection rate, the ability to design an improved detection framework is sought after, particularly when utilizing ensemble learners. Designing an ensemble often involves two main challenges: the choice of available base classifiers and the choice of combiner methods. This paper performs an overview of how ensemble learners are exploited in IDSs by means of a systematic mapping study. We collected and analyzed 124 prominent publications from the existing literature. The selected publications were then mapped into several categories such as years of publication, publication venues, datasets used, ensemble methods, and IDS techniques. Furthermore, this study reports and analyzes an empirical investigation of a new classifier ensemble approach, called stack of ensemble (SoE), for anomaly-based IDS. The SoE is an ensemble classifier that adopts a parallel architecture to combine three individual ensemble learners, namely random forest, gradient boosting machine, and extreme gradient boosting machine, in a homogeneous manner. The performance significance among classification algorithms is statistically examined in terms of their Matthews correlation coefficients, accuracies, false positive rates, and area under ROC curve metrics. Our study fills the gap in current literature concerning an up-to-date systematic mapping study, not to mention an extensive empirical evaluation of the recent advances of ensemble learning techniques applied to IDSs.
Liu J., Song K., Feng M., Yan Y., Tu Z., Zhu L.
2021-01-01 citations by CoLab: 67 Abstract  
  • A semi-supervised anomaly detection method, dual prototype autoencoder (DPAE), is proposed to distinguish anomalies on the surface of industrial products.
  • The dual prototype loss in DPAE can reduce the intra-class distances of normal samples, resulting in a more separable boundary between the defective and defect-free images.
  • The aluminum profile surface defect (APSD) dataset is constructed in this work, which includes defect-free samples and defective images from ten defect types.
  • The proposed DPAE can achieve promising results when defective samples are not available.
  • This work provides a new way to apply convolutional auto-encoders in data-limited industrial inspection tasks.
Anomaly detection in automated optical quality inspection is of great importance for guaranteeing the surface quality of industrial products. Most related methods are based on supervised learning techniques, which require a large number of normal and anomalous samples to obtain a robust classifier. However, the diversity of potential defects and the low availability of defective samples during manufacturing bring more challenges to anomaly detection. Based on the encoder-decoder-encoder paradigm, a semi-supervised anomaly detection method, Dual Prototype Auto-Encoder (DPAE), is proposed in this paper. At the training stage, the dual prototype loss and reconstruction loss are introduced to encourage the latent vectors generated by the encoders to stay closer to their own prototype. Therefore, the two latent vectors of a normal image tend to be closer, and a large distance between the latent vectors indicates an anomaly. We also construct the Aluminum Profile Surface Defect (APSD) dataset for the anomaly detection task. Finally, extensive experiments on four datasets show that DPAE is effective and outperforms state-of-the-art methods.
Avci O., Abdeljaber O., Kiranyaz S., Hussein M., Gabbouj M., Inman D.J.
2021-01-01 citations by CoLab: 839 Abstract  
  • The transition from traditional methods to ML and DL has never been discussed for vibration-based SDD.
  • This paper aims to fill this gap.
  • Traditional methods and a comprehensive review of modern ML and DL use are presented.
  • The review focuses on vibration-based structural damage detection in civil structures only.
Monitoring structural damage is extremely important for sustaining and preserving the service life of civil structures. While successful monitoring provides resolute and staunch information on the health, serviceability, integrity and safety of structures, maintaining continuous performance of a structure depends highly on monitoring the occurrence, formation and propagation of damage. Damage may accumulate on structures due to different environmental and human-induced factors. Numerous monitoring and detection approaches have been developed to provide practical means for early warning against structural damage or any type of anomaly. Considerable effort has been put into vibration-based methods, which utilize the vibration response of the monitored structure to assess its condition and identify structural damage. Meanwhile, with emerging computing power and sensing technology in the last decade, Machine Learning (ML) and especially Deep Learning (DL) algorithms have become more feasible and extensively used in vibration-based structural damage detection with elegant performance and often with rigorous accuracy. While there have been multiple review studies published on vibration-based structural damage detection, there has not been a study where the transition from traditional methods to ML and DL methods is described and discussed. This paper aims to fill this gap by presenting the highlights of the traditional methods and providing a comprehensive review of the most recent applications of ML and DL algorithms utilized for vibration-based structural damage detection in civil structures.
Farhan R.I., Maolood A.T., Hassan N.F.
2020-12-01 citations by CoLab: 22 Abstract  
The emergence of the Internet of Things (IoT) as a result of the development of communications systems has made the study of cyber security more important. Day after day, attacks evolve and new attacks emerge. Hence, network anomaly-based intrusion detection systems have become very important, playing an important role in protecting the network through early detection of attacks. Developments in machine learning and the emergence of the deep learning field, with its ability to extract high-level features with high accuracy, have made it possible for these systems to work with real network traffic; the CSE-CIC-IDS2018 dataset, with a wide range of intrusions and normal behavior, is an ideal way for testing and evaluation. In this paper, we test and evaluate our deep model (DNN), which achieved a good detection accuracy of about 90%.
Khan M.A., Kim J.
Electronics (Switzerland) scimago Q2 wos Q2 Open Access
2020-10-26 citations by CoLab: 72 PDF Abstract  
Recently, due to the rapid development and remarkable results of deep learning (DL) and machine learning (ML) approaches in various domains for several long-standing artificial intelligence (AI) tasks, there has been great interest in applying them to network security too. Nowadays, in the information communication technology (ICT) era, the intrusion detection (ID) system has great potential to be the frontier of security against cyberattacks and plays a vital role in securing network infrastructure and resources. Conventional ID systems are not strong enough to detect advanced malicious threats. Heterogeneity is one of the important features of big data. Thus, designing an efficient ID system using a heterogeneous dataset is a massive research problem. There are several ID datasets openly available for further research by the cybersecurity research community. However, no existing research has shown a detailed performance evaluation of several ML methods on various publicly available ID datasets. Due to the dynamic nature of malicious attacks with continuously changing attack detection methods, ID datasets are available publicly and are updated systematically. In this research, Spark MLlib (machine learning library)-based robust classical ML classifiers for anomaly detection and state-of-the-art DL, such as the convolutional auto-encoder (Conv-AE) for misuse attacks, are used to develop an efficient and intelligent ID system to detect and classify unpredictable malicious attacks. To measure the effectiveness of our proposed ID system, we have used several important performance metrics, such as FAR, DR, and accuracy, while experiments are conducted on a publicly existing dataset, specifically the contemporary heterogeneous CSE-CIC-IDS2018 dataset.
Ahmad Z., Shahid Khan A., Wai Shiang C., Abdullah J., Ahmad F.
2020-10-16 citations by CoLab: 611 Abstract  
The rapid advances in the internet and communication fields have resulted in a huge increase in the network size and the corresponding data. As a result, many novel attacks are being gener...
Erhan D., Anarım E.
Data in Brief scimago Q3 wos Q3 Open Access
2020-10-01 citations by CoLab: 19 Abstract  
Distributed Denial of Service (DDoS) attacks are one of the most troublesome intrusions for online services on the internet. In general, DDoS attacks are divided into two categories: bandwidth depletion and resource depletion attacks. We generated resource depletion-type DDoS attacks on the campus network of Boğaziçi University and recorded the ongoing traffic from the backbone router's mirrored port. We generated TCP SYN and UDP flooding packets using the Hping3 traffic generator software. This dataset includes attack-free user traffic and attack traffic, which is suitable for evaluating network-based DDoS detection methods. Attacks are directed towards one victim server connected to the backbone router of the campus. Attack packets have randomly generated spoofed source IP addresses. We removed the payloads of packets and anonymized the source IP addresses of legitimate users for the confidentiality of legitimate users.
Bedi P., Gupta N., Jindal V.
Applied Intelligence scimago Q2 wos Q2
2020-09-16 citations by CoLab: 102 Abstract  
Network-based Intrusion Detection Systems (NIDSs) identify malicious activities by analyzing network traffic. NIDSs are trained with samples of benign and intrusive network traffic. Training samples belong to either majority or minority classes depending upon the number of available instances. Majority classes consist of abundant samples for normal traffic as well as for recurrent intrusions, whereas minority classes include fewer samples for unknown events or infrequent intrusions. NIDSs trained on such imbalanced data tend to give biased predictions against minority attack classes, causing undetected or misclassified intrusions. Past research works handled this class imbalance problem using data-level approaches that either increase minority class samples or decrease majority class samples in the training data set. Although these data-level balancing approaches indirectly improve the performance of NIDSs, they do not address the underlying issue in NIDSs, i.e., they are unable to identify attacks having limited training data only. This paper proposes an algorithm-level approach called Improved Siam-IDS (I-SiamIDS), which is a two-layer ensemble for handling the class imbalance problem. I-SiamIDS identifies both majority and minority classes at the algorithm level without using any data-level balancing techniques. The first layer of I-SiamIDS uses an ensemble of binary eXtreme Gradient Boosting (b-XGBoost), Siamese Neural Network (Siamese-NN) and Deep Neural Network (DNN) for hierarchical filtration of input samples to identify attacks. These attacks are then sent to the second layer of I-SiamIDS for classification into different attack classes using a multi-class eXtreme Gradient Boosting classifier (m-XGBoost). As compared to its counterparts, I-SiamIDS showed significant improvement in terms of Accuracy, Recall, Precision, F1-score and values of Area Under the Curve (AUC) for both the NSL-KDD and CIDDS-001 datasets. To further strengthen the results, a computational cost analysis was also performed to study the acceptability of the proposed I-SiamIDS.
Teixeira R., Almeida L., Antunes M., Gomes D., Aguiar R.L.
Big Data Research scimago Q1 wos Q1
2025-05-01 citations by CoLab: 1
Semenov S., Krupska-Klimczak M., Czapla R., Krzaczek B., Gavrylenko S., Poltorazkiy V., Vladislav Z.
Applied Sciences (Switzerland) scimago Q2 wos Q2 Open Access
2025-04-11 citations by CoLab: 0 PDF Abstract  
This paper examines traditional machine learning algorithms, neural networks, and the benefits of utilizing ensemble models. Data preprocessing methods for improving the quality of classification models are considered. To balance the classes, Undersampling, Oversampling, and their combination (Over + Undersampling) algorithms are explored. A procedure for reducing feature correlation is proposed. Classification models based on meta-algorithms such as SVM, KNN, Naive Bayes, Perceptron, Bagging, Random Forest, AdaBoost, and Gradient Boosting have been thoroughly investigated. The settings of the base classifiers and meta-algorithm parameters have been optimized. The best result was obtained by using an ensemble classifier based on the Random Forest algorithm. Thus, an intrusion detection method based on the preprocessing of highly correlated and imbalanced data has been proposed. The scientific novelty of the obtained results lies in the integrated use of the developed procedure for reducing feature correlation, the application of the SMOTEENN data balancing method, the selection of an appropriate classifier, and the fine-tuning of its parameters. The integration of these procedures and methods resulted in a higher F1 score, reduced training time, and faster recognition speed for the model. This allows us to recommend this method for practical use to improve the quality of network intrusion detection.
Li X., He M.
2025-02-01 citations by CoLab: 0 Abstract  
The application of deep learning in classifying malicious network traffic is prevalent. However, our paper highlights two frequently neglected issues in current methodologies: first, network traffic data need to be truncated and zero-filled to adapt to the training process of deep learning, which brings a certain degree of information loss; second, individual packets of network traffic will show different importance in the classification task due to their own data quality and location. To solve these two problems, a multimodal attention network is proposed to mitigate the information loss by fusing data from two different modalities in the network traffic and solving the imbalance of data from different modalities in the training process using a regularization method. Additionally, we incorporate a dual attention module to assess the significance of each packet, enabling the model to prioritize and emphasize the most crucial ones. To evaluate the model’s effectiveness, we test it on three openly accessible datasets: UNSW-NB15, ISCXIDS2012, and CIC-DoS2017. Our findings reveal that the model presented herein surpasses several conventional deep learning approaches in terms of classification outcomes.
Lin L., Zhong Q., Qiu J., Liang Z., Yang Y., Hu S., Chen L.
2025-01-22 citations by CoLab: 0 Abstract  
Amid the intensifying network threats fueled by the swift advancement of information technology, we want to find a new way to ensure network security. The cornerstone of this methodology is the integration of the CatBoost algorithm with a model composed of two Inception V1 modules, each enhanced with three depthwise separable convolutions. The process entails meticulous data preprocessing, judicious feature selection via CatBoost, and exhaustive training and evaluation of the enhanced model. Stringent testing on select datasets has substantiated the exceptional prowess of this approach. The multi-class evaluations conducted on the CICIDS2017 dataset and the latest CICIoT2023 dataset achieved accuracies of 99.85% and 99.13%, and precisions of 99.84% and 99.13%, respectively. Meanwhile, the binary classification experiments on these datasets recorded accuracies and precisions of 99.95%, 99.40% and 99.94%, 99.77%, respectively. These results represent a performance improvement of 1% to 5% in related research contributions using the same datasets, demonstrating the advantages of our method.
Roy D.K., Kalita H.K.
2025-01-14 citations by CoLab: 1 PDF Abstract  
Intrusion detection has been a vast-surveyed topic for many decades as network attacks are tremendously growing. This has heightened the need for security in networks as web-based communication systems are advanced nowadays. The proposed work introduces an intelligent semi-supervised intrusion detection system based on different algorithms to classify the network attacks accurately. Initially, the pre-processing is accomplished using null value dropping and standard scaler normalization. After pre-processing, an enhanced Deep Reinforcement Learning (EDRL) model is employed to extract high-level representations and learn complex patterns from data by means of interaction with the environment. The enhancement of deep reinforcement learning is made by associating a deep autoencoder (AE) and an improved flamingo search algorithm (IFSA) to approximate the Q-function and optimal policy selection. After feature representations, a support vector machine (SVM) classifier, which discriminates the input into normal and attack instances, is employed for classification. The presented model is simulated in the Python platform and evaluated using the UNSW-NB15, CICIDS2017, and NSL-KDD datasets. The overall classification accuracy is 99.6%, 99.93%, and 99.42% using UNSW-NB15, CICIDS2017, and NSL-KDD datasets, which is higher than the existing detection frameworks.

Top-30 journals and Top-30 publishers (bar charts not reproduced).
  • We do not take into account publications without a DOI.
  • Statistics recalculated only for publications connected to researchers, organizations and labs registered on the platform.
  • Statistics recalculated weekly.