Unsupervised Machine Learning Techniques for Network Intrusion Detection on Modern Data

2020 4th Cyber Security in Networking Conference (CSNet) Pub Date : 2020-10-21 DOI:10.1109/CSNet50428.2020.9265461

Miel Verkerken, Laurens D’hooge, T. Wauters, B. Volckaert, F. Turck

{"title":"Unsupervised Machine Learning Techniques for Network Intrusion Detection on Modern Data","authors":"Miel Verkerken, Laurens D’hooge, T. Wauters, B. Volckaert, F. Turck","doi":"10.1109/CSNet50428.2020.9265461","DOIUrl":null,"url":null,"abstract":"The rapid growth of the internet, connecting billions of people and businesses, brings with it an increased risk of misuse. Handling this misuse requires adaptive techniques detecting known as well as unknown, zero-day, attacks. The latter proved most challenging in recent studies, where supervised machine learning techniques excelled at detecting known attacks, but failed to recognize unknown patterns. Therefore, this paper focuses on anomaly-based detection of malicious behavior on the network by using flow-based features. Four unsupervised methods are evaluated of which two employ a self-supervised learning approach. A realistic modern dataset, CIC-IDS-2017, containing multiple different attack types is used to evaluate the proposed models in terms of classification performance and computational complexity. The results show that an autoencoder, obtained from the field of deep-learning, yields the highest area under the Receiver Operating Characteristics (AUROC) of 0.978 while maintaining an acceptable computational complexity, followed by one-class support vector machine, isolation forest and principal components analysis.","PeriodicalId":234911,"journal":{"name":"2020 4th Cyber Security in Networking Conference (CSNet)","volume":"111 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"9","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 4th Cyber Security in Networking Conference (CSNet)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CSNet50428.2020.9265461","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 9

Abstract

The rapid growth of the internet, connecting billions of people and businesses, brings with it an increased risk of misuse. Handling this misuse requires adaptive techniques detecting known as well as unknown, zero-day, attacks. The latter proved most challenging in recent studies, where supervised machine learning techniques excelled at detecting known attacks, but failed to recognize unknown patterns. Therefore, this paper focuses on anomaly-based detection of malicious behavior on the network by using flow-based features. Four unsupervised methods are evaluated of which two employ a self-supervised learning approach. A realistic modern dataset, CIC-IDS-2017, containing multiple different attack types is used to evaluate the proposed models in terms of classification performance and computational complexity. The results show that an autoencoder, obtained from the field of deep-learning, yields the highest area under the Receiver Operating Characteristics (AUROC) of 0.978 while maintaining an acceptable computational complexity, followed by one-class support vector machine, isolation forest and principal components analysis.

查看原文本刊更多论文

基于现代数据的网络入侵检测无监督机器学习技术

互联网的快速发展将数十亿人和企业联系在一起，同时也增加了误用的风险。处理这种误用需要自适应技术来检测已知和未知的零日攻击。后者在最近的研究中被证明是最具挑战性的，在这些研究中，监督机器学习技术擅长于检测已知的攻击，但无法识别未知的模式。因此，本文主要研究基于流量特征的网络恶意行为异常检测。评估了四种无监督方法，其中两种采用自监督学习方法。使用现实的现代数据集CIC-IDS-2017，包含多种不同的攻击类型，从分类性能和计算复杂度方面评估所提出的模型。结果表明，深度学习领域的自编码器在保持可接受的计算复杂度的情况下，在接收操作特征(AUROC)下产生的面积最高(0.978)，其次是一类支持向量机、隔离森林和主成分分析。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2020 4th Cyber Security in Networking Conference (CSNet)

自引率

0.00%

发文量