Few-Shot Class-Incremental Learning for Network Intrusion Detection Systems

IF 6.3 Q1 ENGINEERING, ELECTRICAL & ELECTRONIC

IEEE Open Journal of the Communications Society Pub Date : 2024-10-16 DOI:10.1109/OJCOMS.2024.3481895

Davide Di Monda;Antonio Montieri;Valerio Persico;Pasquale Voria;Matteo De Ieso;Antonio Pescapè

{"title":"Few-Shot Class-Incremental Learning for Network Intrusion Detection Systems","authors":"Davide Di Monda;Antonio Montieri;Valerio Persico;Pasquale Voria;Matteo De Ieso;Antonio Pescapè","doi":"10.1109/OJCOMS.2024.3481895","DOIUrl":null,"url":null,"abstract":"In today’s digital landscape, critical services are increasingly dependent on network connectivity, thus cybersecurity has become paramount. Indeed, the constant escalation of cyberattacks, including zero-day exploits, poses a significant threat. While Network Intrusion Detection Systems (NIDSs) leveraging machine-learning and deep-learning models have proven effective in recent studies, they encounter limitations such as the need for abundant samples of malicious traffic and full retraining upon encountering new attacks. These limitations hinder their adaptability in real-world scenarios. To address these challenges, we design a novel NIDS capable of promptly adapting to classify new attacks and provide timely predictions. Our proposal for attack-traffic classification adopts Few-Shot Class-Incremental Learning (\n<monospace>FSCIL</monospace>\n) and is based on the Rethinking Few-Shot (\n<monospace>RFS</monospace>\n) approach, which we experimentally prove to overcome other \n<monospace>FSCIL</monospace>\n state-of-the-art alternatives based on either meta-learning or transfer learning. We evaluate the proposed NIDS across a wide array of cyberattacks whose traffic is collected in recent publicly available datasets to demonstrate its robustness across diverse network-attack scenarios, including malicious activities in an Internet-of-Things context and cyberattacks targeting servers. We validate various design choices as well, involving the number of traffic samples per attack available, the impact of the features used to represent the traffic objects, and the time to deliver the classification verdict. Experimental results witness that our proposed NIDS effectively retains previously acquired knowledge (with over 94% F1-score) while adapting to new attacks with only few samples available (with over 98% F1-score). Thus, it outperforms non-\n<monospace>FSCIL</monospace>\n state of the art in terms of classification effectiveness and adaptation time. Moreover, our NIDS exhibits high performance even with traffic collected within short time frames, achieving 95% F1-score while reducing the time-to-insight. Finally, we identify possible limitations likely arising in specific application contexts and envision promising research avenues to mitigate them.","PeriodicalId":33803,"journal":{"name":"IEEE Open Journal of the Communications Society","volume":"5 ","pages":"6736-6757"},"PeriodicalIF":6.3000,"publicationDate":"2024-10-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10720176","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Open Journal of the Communications Society","FirstCategoryId":"1085","ListUrlMain":"https://ieeexplore.ieee.org/document/10720176/","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"ENGINEERING, ELECTRICAL & ELECTRONIC","Score":null,"Total":0}

引用次数: 0

Abstract

In today’s digital landscape, critical services are increasingly dependent on network connectivity, thus cybersecurity has become paramount. Indeed, the constant escalation of cyberattacks, including zero-day exploits, poses a significant threat. While Network Intrusion Detection Systems (NIDSs) leveraging machine-learning and deep-learning models have proven effective in recent studies, they encounter limitations such as the need for abundant samples of malicious traffic and full retraining upon encountering new attacks. These limitations hinder their adaptability in real-world scenarios. To address these challenges, we design a novel NIDS capable of promptly adapting to classify new attacks and provide timely predictions. Our proposal for attack-traffic classification adopts Few-Shot Class-Incremental Learning ( FSCIL ) and is based on the Rethinking Few-Shot ( RFS ) approach, which we experimentally prove to overcome other FSCIL state-of-the-art alternatives based on either meta-learning or transfer learning. We evaluate the proposed NIDS across a wide array of cyberattacks whose traffic is collected in recent publicly available datasets to demonstrate its robustness across diverse network-attack scenarios, including malicious activities in an Internet-of-Things context and cyberattacks targeting servers. We validate various design choices as well, involving the number of traffic samples per attack available, the impact of the features used to represent the traffic objects, and the time to deliver the classification verdict. Experimental results witness that our proposed NIDS effectively retains previously acquired knowledge (with over 94% F1-score) while adapting to new attacks with only few samples available (with over 98% F1-score). Thus, it outperforms non- FSCIL state of the art in terms of classification effectiveness and adaptation time. Moreover, our NIDS exhibits high performance even with traffic collected within short time frames, achieving 95% F1-score while reducing the time-to-insight. Finally, we identify possible limitations likely arising in specific application contexts and envision promising research avenues to mitigate them.

查看原文本刊更多论文

用于网络入侵检测系统的少量类增量学习

在当今的数字化环境中，关键服务越来越依赖于网络连接，因此网络安全变得至关重要。事实上，网络攻击（包括零日漏洞）的不断升级构成了重大威胁。虽然利用机器学习和深度学习模型的网络入侵检测系统（NIDS）在最近的研究中被证明是有效的，但它们也遇到了一些限制，例如需要大量的恶意流量样本，以及在遇到新的攻击时需要进行全面的再训练。这些局限性阻碍了它们在现实世界场景中的适应性。为了应对这些挑战，我们设计了一种新型 NIDS，它能够迅速适应新攻击的分类并提供及时的预测。我们提出的攻击-流量分类建议采用了 "少点分类-增量学习"（FSCIL），并以 "反思少点"（RFS）方法为基础，通过实验证明，该方法克服了其他基于元学习或迁移学习的 FSCIL 先进替代方法。我们在大量网络攻击中对所提出的 NIDS 进行了评估，这些攻击的流量收集于最近公开的数据集，以证明它在各种网络攻击场景中的鲁棒性，包括物联网背景下的恶意活动和针对服务器的网络攻击。我们还验证了各种设计选择，包括每次攻击可用的流量样本数量、用于表示流量对象的特征的影响以及提供分类判决的时间。实验结果表明，我们提出的 NIDS 能有效保留以前获得的知识（F1 分数超过 94%），同时在只有少量可用样本的情况下适应新的攻击（F1 分数超过 98%）。因此，就分类效果和适应时间而言，它优于非 FSCIL 技术。此外，即使在短时间内收集到的流量，我们的 NIDS 也能表现出很高的性能，F1 分数达到 95%，同时缩短了洞察时间。最后，我们指出了在特定应用环境中可能出现的局限性，并展望了缓解这些局限性的可行研究途径。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IEEE Open Journal of the Communications Society Multiple-

CiteScore

13.70

自引率

3.80%

发文量

审稿时长

10 weeks

期刊介绍： The IEEE Open Journal of the Communications Society (OJ-COMS) is an open access, all-electronic journal that publishes original high-quality manuscripts on advances in the state of the art of telecommunications systems and networks. The papers in IEEE OJ-COMS are included in Scopus. Submissions reporting new theoretical findings (including novel methods, concepts, and studies) and practical contributions (including experiments and development of prototypes) are welcome. Additionally, survey and tutorial articles are considered. The IEEE OJCOMS received its debut impact factor of 7.9 according to the Journal Citation Reports (JCR) 2023. The IEEE Open Journal of the Communications Society covers science, technology, applications and standards for information organization, collection and transfer using electronic, optical and wireless channels and networks. Some specific areas covered include: Systems and network architecture, control and management Protocols, software, and middleware Quality of service, reliability, and security Modulation, detection, coding, and signaling Switching and routing Mobile and portable communications Terminals and other end-user devices Networks for content distribution and distributed computing Communications-based distributed resources control.