Mask-based Self-supervised Network Intrusion Detection System
Xiaoya Lu, Yifan Liu, Fan Feng, Yi Liu, Zhenpeng Liu
Applied Soft Computing, volume 181, Article 113498. Journal Article, published 2025-06-30.
Impact factor: 6.6. JCR: Q1 (Computer Science, Artificial Intelligence).
DOI: 10.1016/j.asoc.2025.113498
URL: https://www.sciencedirect.com/science/article/pii/S1568494625008099
Citation count: 0
Abstract
A significant number of network intrusion detection systems utilize unsupervised anomaly detection methodologies, the majority of which fail to account for the potential for contamination in the data, resulting in suboptimal detection outcomes. This paper proposes an unsupervised method, designated MS-IDS (Mask-based Self-supervised Network Intrusion Detection System), which employs the techniques of mask shielding and Stacked Sparse Autoencoder (SSAE). MS-IDS is trained on data that has been contaminated in some way, generating a variety of masks through the process of learning. These masked inputs are subsequently reconstructed by SSAE. A composite loss function is devised, encompassing losses from both the mask unit and the SSAE. During the training phase, the combined loss function is optimized with the objective of identifying the optimal parameters and transformations for the SSAE. In the testing phase, the loss function assigns a score to each sample, which is used to classify outliers based on their scores. The performance of MS-IDS was evaluated across four intrusion datasets: NSL-KDD, CIC-IDS2017, ToN-IoT, and CIC-DDOS2019. The results demonstrate that even when varying levels of contamination are introduced into the benign traffic, MS-IDS maintains robust performance with minimal decline. Notably, MS-IDS outperforms other models in terms of accuracy, AUC-ROC, and F1 scores, and its ability to detect attacks in contaminated data undergoes significant enhancement.
About the journal:
Applied Soft Computing is an international journal promoting an integrated view of soft computing to solve real-life problems. The focus is to publish the highest quality research in application and convergence of the areas of Fuzzy Logic, Neural Networks, Evolutionary Computing, Rough Sets and other similar techniques to address real-world complexities.
Applied Soft Computing is a rolling publication: articles are published as soon as the editor-in-chief has accepted them. Therefore, the web site will continuously be updated with new articles and the publication time will be short.