Training Autoencoders with Noisy Training Sets for Detecting Low-rate Attacks on the Network
B. Pratomo, Ahmad Ibnu Fajar, Abdul Munif, R. Ijtihadie, H. Studiawan, B. J. Santoso
Published in: 2022 IEEE International Conference on Cybernetics and Computational Intelligence (CyberneticsCom), 2022-06-16
DOI: 10.1109/CyberneticsCom55287.2022.9865559 (https://doi.org/10.1109/CyberneticsCom55287.2022.9865559)
Citations: 0
Abstract
A Network-based Intrusion Detection System (NIDS) monitors network traffic and analyses it for any sign of malicious behaviour. A NIDS may use one of two methods to look for malicious activity: signature-based or anomaly-based detection. A signature-based NIDS relies on a database of rulesets to decide whether a packet or a flow is malicious; it therefore suffers when the database is not updated regularly or when a zero-day attack appears. An anomaly-based NIDS works by learning the behaviour of normal traffic and looking for anomalous activity, which is then deemed malicious. In doing so, this kind of NIDS does not have to rely on an updated database: it can identify deviation from normal behaviour by training itself on training data obtained from the organisation's own network traffic. The issue is that cleaning network traffic data from a real-world capture is time-consuming. Thus, in this paper, we propose an anomaly detection method that is trained on network traffic that still contains malicious activity. We look for evidence of whether autoencoders are robust to noisy data in the training set. Our experiments show that the detection method can achieve an F2-score of 0.87 for FTP traffic, 0.83 for HTTP traffic, and 0.98 for SMTP traffic. These results were obtained from models trained on a training set that contains 0.3% malicious traffic.