DTL-5G: Deep transfer learning-based DDoS attack detection in 5G and beyond networks
Behnam Farzaneh, Nashid Shahriar, Abu Hena Al Muktadir, Md. Shamim Towhid, Mohammad Sadegh Khosravani
Computer Communications, volume 228, Article 107927. Published 2024-08-24. DOI: 10.1016/j.comcom.2024.107927
https://www.sciencedirect.com/science/article/pii/S0140366424002743
Citation count: 0
Abstract
Network slicing is considered a key enabler for 5G and beyond mobile networks, supporting a variety of new services, including enhanced mobile broadband, ultra-reliable and low-latency communication, and massive connectivity, on the same physical infrastructure. However, this technology increases the susceptibility of networks to cyber threats, particularly Distributed Denial-of-Service (DDoS) attacks. These attacks have the potential to degrade service quality by overloading the network function(s) that are central to the seamless operation of network slices. This calls for an Intrusion Detection System (IDS) as a shield against a wide array of DDoS attacks. In this regard, one promising solution would be the use of Deep Learning (DL) models for detecting possible DDoS attacks, an approach that has already made its way into the field given its manifest effectiveness. However, one particular challenge with DL models is that they require large volumes of labeled data for efficient training, which are not readily available in operational networks. A possible workaround is to resort to Transfer Learning (TL) approaches, which can apply the knowledge learned from prior training to a target domain with limited labeled data. This paper investigates how Deep Transfer Learning (DTL) based approaches can improve the detection of DDoS attacks in 5G networks by leveraging DL models, such as Bidirectional Long Short-Term Memory (BiLSTM), Convolutional Neural Network (CNN), Residual Network (ResNet), and Inception, as base models. A comprehensive dataset generated in our 5G network slicing testbed, which includes both benign traffic and different types of DDoS attack traffic, serves as the source dataset for DTL. After learning features, patterns, and representations from the source dataset during initial training, we fine-tune the base models using a variety of TL processes on a target DDoS attack dataset. The 5G-NIDD dataset, which has a sparse amount of annotated traffic pertaining to several DDoS attacks generated in a real 5G network, is chosen as the target dataset. The results show that the proposed DTL models achieve performance improvements in detecting different types of DDoS attacks in the 5G-NIDD dataset compared to the case when no TL is applied. According to the results, the BiLSTM and Inception models are identified as the top-performing models. BiLSTM indicates an improvement of 13.90%, 21.48%, and 12.22% in terms of accuracy, recall, and F1-score, respectively, whereas Inception demonstrates an enhancement of 10.09% in terms of precision, compared to the models that do not adopt TL.
About the journal:
Computer and communications networks are key infrastructures of the information society with high socio-economic value, as they contribute to the correct operation of many critical services (from healthcare to finance and transportation). The Internet is the core of today's computer-communication infrastructures. This has transformed the Internet from a robust network for data transfer between computers into a global, content-rich communication and information system where content is increasingly generated by users and distributed according to human social relations. Next-generation network technologies, architectures and protocols are therefore required to overcome the limitations of the legacy Internet and add new capabilities and services. The future Internet should be ubiquitous, secure, resilient, and closer to human communication paradigms.
Computer Communications is a peer-reviewed international journal that publishes high-quality scientific articles (both theory and practice) and survey papers covering all aspects of future computer communication networks (on all layers, except the physical layer), with special attention to the evolution of the Internet architecture, protocols, services, and applications.