{"title":"Multi-domain Network Intrusion Detection Based on Attention-based Bidirectional LSTM","authors":"Xiaoning Wang","doi":"10.1109/ITNEC56291.2023.10081953","DOIUrl":null,"url":null,"abstract":"Different types of network traffic can be treated as data originated from different domains with the same objectives of problem solving. Most previous work utilizing multi-domain machine learning simply assumes that data in different domains have the same distribution, which can neither address the domain offset problem effectively, nor achieve excellent performance in every domain. This study proposes an attention-based bidirectional LSTM (Bi-LSTM) model to detect different types of coordinated network attacks (i.e., malware detection, VPN encapsulation recognition, and Trojan horse classification). First, the HTTP traffic is modeled as a series of natural language sequence, and each request follows strict structural standards and language logic. Second, the model is designed in the frame of multi-domain machine learning technologies to recognize anomalies of network attacks from different domains.
Experiments on real HTTP traffic data sets demonstrate that the model proposed in this study has good performance on detection of abnormal network traffic and generalization ability and can effectively detect different network attacks at the same time.","PeriodicalId":218770,"journal":{"name":"2023 IEEE 6th Information Technology,Networking,Electronic and Automation Control Conference (ITNEC)","volume":"18 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-02-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2023 IEEE 6th Information Technology,Networking,Electronic and Automation Control Conference (ITNEC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ITNEC56291.2023.10081953","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 0
Abstract
Different types of network traffic can be treated as data originating from different domains with the same problem-solving objectives. Most previous work utilizing multi-domain machine learning simply assumes that data in different domains have the same distribution, which can neither address the domain offset problem effectively nor achieve excellent performance in every domain. This study proposes an attention-based bidirectional LSTM (Bi-LSTM) model to detect different types of coordinated network attacks (i.e., malware detection, VPN encapsulation recognition, and Trojan horse classification). First, the HTTP traffic is modeled as a series of natural language sequences, and each request follows strict structural standards and language logic. Second, the model is designed within the framework of multi-domain machine learning technologies to recognize anomalies of network attacks from different domains. Experiments on real HTTP traffic data sets demonstrate that the model proposed in this study has good performance on detection of abnormal network traffic and generalization ability and can effectively detect different network attacks at the same time.