TY - GEN
T1 - Unsupervised Protocol-based Intrusion Detection for Real-world Networks
AU - Labonne, Maxime
AU - Olivereau, Alexis
AU - Polve, Baptiste
AU - Zeghlache, Djamal
N1 - Publisher Copyright:
© 2020 IEEE.
PY - 2020/2/1
Y1 - 2020/2/1
N2 - Anomaly-based Intrusion Detection Systems (IDSs) are rarely deployed in real networks, because of their high false positive rate. Their ability to detect unknown attacks is, however, very valuable in a context where new threats are emerging almost daily. This paper presents an unsupervised anomaly-based intrusion detection solution focused on protocol header analysis. This approach is tested on a recent and realistic dataset (CICIDS2017) over a 4-day period. Each protocol is converted to a set of normalized numeric features, which are processed by 5 neural network architectures: deep autoencoders, deep MLPs, LSTMs, BiLSTMs, and GANs. The output of these algorithms is an anomaly score, which is normalized and combined with the anomaly scores of other protocols. We argue that this classification problem is very different from the actual problem of intrusion detection and requires new metrics. In particular, packet anomaly scores must be refined in a post-processing step to aggregate anomalies into continuous attacks. This approach successfully detects 7 out of 11 attacks not seen during the training phase, without any false positives. It is thus possible to consider deployments in real-world networks of such IDSs, capable of reliably detecting zero-day attacks.
AB - Anomaly-based Intrusion Detection Systems (IDSs) are rarely deployed in real networks, because of their high false positive rate. Their ability to detect unknown attacks is, however, very valuable in a context where new threats are emerging almost daily. This paper presents an unsupervised anomaly-based intrusion detection solution focused on protocol header analysis. This approach is tested on a recent and realistic dataset (CICIDS2017) over a 4-day period. Each protocol is converted to a set of normalized numeric features, which are processed by 5 neural network architectures: deep autoencoders, deep MLPs, LSTMs, BiLSTMs, and GANs. The output of these algorithms is an anomaly score, which is normalized and combined with the anomaly scores of other protocols. We argue that this classification problem is very different from the actual problem of intrusion detection and requires new metrics. In particular, packet anomaly scores must be refined in a post-processing step to aggregate anomalies into continuous attacks. This approach successfully detects 7 out of 11 attacks not seen during the training phase, without any false positives. It is thus possible to consider deployments in real-world networks of such IDSs, capable of reliably detecting zero-day attacks.
KW - CICIDS2017
KW - Intrusion detection
KW - Neural networks
KW - Unsupervised learning
UR - https://www.scopus.com/pages/publications/85083461600
U2 - 10.1109/ICNC47757.2020.9049796
DO - 10.1109/ICNC47757.2020.9049796
M3 - Conference contribution
AN - SCOPUS:85083461600
T3 - 2020 International Conference on Computing, Networking and Communications, ICNC 2020
SP - 299
EP - 303
BT - 2020 International Conference on Computing, Networking and Communications, ICNC 2020
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2020 International Conference on Computing, Networking and Communications, ICNC 2020
Y2 - 17 February 2020 through 20 February 2020
ER -