- A Multi-Agent Adaptive Deep Learning Framework for Online Intrusion Detection
Authors:
Mahdi Soltani,
Khashayar Khajavi,
Mahdi Jafari Siavoshani,
Amir Hossein Jahangir
Abstract:
Network security analyzers use intrusion detection systems (IDSes) to distinguish malicious traffic from benign traffic. Deep learning-based IDSes have been proposed to auto-extract high-level features and eliminate the time-consuming and costly signature extraction process. However, this new generation of IDSes still suffers from a number of challenges. One of the main issues for an IDS is traffic concept drift, which manifests itself as new (i.e., zero-day) attacks in addition to the changing behavior of benign users/applications. Furthermore, a practical DL-based IDS needs to conform to a distributed architecture to handle big data challenges.
We propose a framework for adapting DL-based models to the changing attack/benign traffic behaviors, considering a more practical scenario (i.e., online adaptable IDSes). This framework employs continual deep anomaly detectors together with the federated learning approach to solve the above-mentioned challenges. Furthermore, the proposed framework implements sequential packet labeling for each flow, which provides an attack probability score for the flow by gradually observing each packet of the flow and updating its estimation. We evaluate the proposed framework by employing different deep models (including CNN-based and LSTM-based) over the CIC-IDS2017 and CSE-CIC-IDS2018 datasets. Through extensive evaluations and experiments, we show that the proposed distributed framework adapts well to traffic concept drift. More precisely, our results indicate that the CNN-based models are well suited for continually adapting to traffic concept drift (i.e., achieving an average detection rate above 95% while needing just 128 new flows for the updating phase), and the LSTM-based models are a good candidate for sequential packet labeling in practical online IDSes (i.e., detecting intrusions by observing just their first 15 packets).
Submitted 5 March, 2023;
originally announced March 2023.
- An Adaptable Deep Learning-Based Intrusion Detection System to Zero-Day Attacks
Authors:
Mahdi Soltani,
Behzad Ousat,
Mahdi Jafari Siavoshani,
Amir Hossein Jahangir
Abstract:
The intrusion detection system (IDS) is an essential element of security monitoring in computer networks. An IDS distinguishes malicious traffic from benign traffic and determines the attack types targeting the assets of the organization. The main challenge of an IDS is facing new (i.e., zero-day) attacks and separating them from benign traffic and existing types of attacks. Despite the power of deep learning-based IDSes in auto-extracting high-level features and their independence from the time-consuming and costly signature extraction process, this challenge still exists in the new generation of IDSes.
In this paper, we propose a framework for deep learning-based IDSes that addresses new attacks. This framework is the first approach in the security domain to use deep novelty-based classifiers together with traditional clustering over the specialized layer of deep structures. Additionally, we introduce DOC++ as a newer version of DOC, a deep novelty-based classifier. We also employ the Deep Intrusion Detection (DID) framework for the preprocessing phase, which improves the ability of deep learning algorithms to detect content-based attacks. We compare four different algorithms (DOC, DOC++, OpenMax, and AutoSVM) as the novelty classifier of the framework and use both the CIC-IDS2017 and CSE-CIC-IDS2018 datasets for the evaluation. Our results show that DOC++ is the best implementation of the open set recognition module. Moreover, the completeness and homogeneity of the clustering and post-training phase show that this model is good enough for the supervised labeling and updating phase.
Submitted 20 August, 2021;
originally announced August 2021.
- A Content-Based Deep Intrusion Detection System
Authors:
Mahdi Soltani,
Mahdi Jafari Siavoshani,
Amir Hossein Jahangir
Abstract:
The growing number of Internet users and the prevalence of web applications make it necessary to deal with very complex software and applications in the network. This results in an increasing number of new vulnerabilities in these systems, leading to an increase in cyber threats and, in particular, zero-day attacks. The cost of generating appropriate signatures for these attacks is a potential motive for using machine learning-based methodologies. Although there are many studies on using learning-based methods for attack detection, they generally use extracted features and overlook raw contents. This approach can lessen the performance of detection systems against content-based attacks like SQL injection, Cross-site Scripting (XSS), and various viruses.
In this work, we propose a framework, called the deep intrusion detection (DID) system, that uses the pure content of traffic flows in addition to traffic metadata in the learning and detection phases of a passive DNN IDS. To this end, we deploy and evaluate an offline IDS following the framework, using LSTM as the deep learning technique. Due to the inherent nature of deep learning, it can process high-dimensional data content and, accordingly, discover the sophisticated relations between the auto-extracted features of the traffic. To evaluate the proposed DID system, we use the CIC-IDS2017 and CSE-CIC-IDS2018 datasets. The evaluation metrics, such as precision and recall, reach $0.992$ and $0.998$ on CIC-IDS2017, and $0.933$ and $0.923$ on CSE-CIC-IDS2018, respectively, which shows the high performance of the proposed DID method.
Submitted 16 August, 2021; v1 submitted 14 January, 2020;
originally announced January 2020.
- Analysis and Evaluation of Real-time and Safety Characteristics of IEEE 802.11p protocol in VANET
Authors:
Hossein Ahmadvand,
Amir Hossein Jahangir,
Ataollah Fatahi Baarzi
Abstract:
The need for safety in transportation systems has increased the popularity and applicability of Vehicular Ad-Hoc Networks (VANETs) in recent years. On-time reception and processing of alarms caused by possible accidents, as well as the preventive actions, have important roles in reducing human and financial losses in road accidents. In such cases, the performance of safety applications should be evaluated and guaranteed to show whether or not they can ensure the safety of humans and cars. In this paper, we analyze the behavior of Vehicular Ad-Hoc Networks by checking the real-time properties of the IEEE 802.11p protocol using a Colored Petri Net model. To analyze the performance of the related standards, simulations are conducted using CPNTools. Standards from the European Telecommunications Standards Institute (ETSI) and Vehicle Safety Communications (VSC) are evaluated in this research. We show that such standards may not completely fulfill the safety requirements in particular situations.
Submitted 6 December, 2016;
originally announced December 2016.