Detecting DoS and DDoS Attacks through Sparse U-Net-like Autoencoders

Nunzio Cassavia, Francesco Folino, M. Guarascio
2022 IEEE 34th International Conference on Tools with Artificial Intelligence (ICTAI). Publication date: 2022-10-01. DOI: https://doi.org/10.1109/ICTAI56018.2022.00203
Citation count: 1

Abstract

In the last few years, we have experienced exponential growth in the number of cyber-attacks performed against companies and organizations. In particular, because of their ability to mask themselves as legitimate traffic, DoS and DDoS have become two of the most common kinds of attacks on computer networks. Modern Intrusion Detection Systems (IDSs) represent a precious tool to mitigate the risk of unauthorized network access, as they allow for accurately discriminating between benign and malicious traffic. Among the plethora of approaches proposed in the literature for detecting network intrusions, Deep Learning (DL)-based IDSs have proven to be an effective solution because of their ability to analyze low-level data (e.g., flow and packet traffic) directly. However, many current solutions require large amounts of labeled data to yield reliable models. Unfortunately, in real scenarios, only small portions of data carry label information, due to the cost of manual labeling conducted by human experts. Labels can even be completely missing for some reason (e.g., privacy concerns). To cope with the lack of labeled data, we propose an unsupervised DL-based intrusion detection methodology, combining an ad-hoc preprocessing procedure on input data with a sparse U-Net-like autoencoder architecture. The experimentation on an IDS benchmark dataset substantiates our approach's ability to recognize malicious behaviors correctly.