Title: Unsupervised Machine Learning for Cybersecurity Anomaly Detection in Traditional and Software-Defined Networking Environments
Authors: Curtis Rookard; Anahita Khojandi
DOI: 10.1109/TNSM.2024.3490181
Journal: IEEE Transactions on Network and Service Management, vol. 22, no. 2, pp. 1129-1144
Publication type: Journal Article
Publication date: 2024-11-04
Journal impact factor: 4.7; JCR: Q1 (Computer Science, Information Systems); Region: 2 (Computer Science)
Open access: no
Platform: Semantic Scholar
URL: https://ieeexplore.ieee.org/document/10742107/
Citation count: 0
Abstract
Cybersecurity has become a field of increasing importance in recent years, with the National Academy of Engineering most recently designating securing cyberspace as one of the fourteen Grand Challenges in Engineering in the 21st Century. Hence, it is imperative to design a robust anomaly detection and response approach that can identify and mitigate anomalous Internet traffic. In this study, we present several unsupervised/semi-supervised machine learning models to combat prolific anomalous data on a computer network. Specifically, we employ five unsupervised machine learning models, including a Generative Adversarial Network (GAN), Deep Belief Network (DBN), Restricted Boltzmann Machine (RBM), One-Class Support Vector Machine (OCSVM), and Isolation Forest (I-Forest). We use these models separately and, when applicable, combined together to examine their anomaly detection performance on three prominent traditional networking datasets, namely the KDD-Cup 99, NSL-KDD, and CIC-IDS2017 datasets, and implement these models within a software-defined networking and industrial Internet-of-Things environment using the DNP3 intrusion detection dataset. Furthermore, we investigate the generalizability of the models across the two datasets. Our results suggest I-Forest and DBN overall perform better than other models in traditional and software-defined networking environments; our GAN manages to outperform some benchmark models on the CIC-IDS2017 dataset.
Journal description:
IEEE Transactions on Network and Service Management will publish (online only) peer-reviewed archival quality papers that advance the state-of-the-art and practical applications of network and service management. Theoretical research contributions (presenting new concepts and techniques) and applied contributions (reporting on experiences and experiments with actual systems) will be encouraged. These transactions will focus on the key technical issues related to: Management Models, Architectures and Frameworks; Service Provisioning, Reliability and Quality Assurance; Management Functions; Enabling Technologies; Information and Communication Models; Policies; Applications and Case Studies; Emerging Technologies and Standards.