Network Intrusion Detection Using Deep Learning

A special issue of Electronics (ISSN 2079-9292). This special issue belongs to the section "Computer Science & Engineering".

Deadline for manuscript submissions: closed (31 May 2024) | Viewed by 24098

Special Issue Editor


E-Mail Website
Guest Editor
1. Department of Computer Science, Faculty of Science, Open Universiteit, Heerlen, The Netherlands
2. Institute for Computing and Information Sciences, Faculty of Science, Radboud University, Nijmegen, The Netherlands
Interests: network security; software security

Special Issue Information

Dear Colleagues,

The design of network intrusion detection systems that are able to handle ever-increasing traffic volumes and new types of intrusions has been a challenging task for decades. In recent years, researchers have achieved impressive results by applying deep-learning models for network intrusion detection, especially with auto-encoders and deep neural networks. Despite this steady progress, we are still facing many challenges related to both the nature of deep-learning models, the evolving types of intrusions, and the availability of realistic datasets.

The key advantage of deep-learning models is that they, by themselves, have a good ability to identify traffic features related to intrusions at several layers of abstraction in large data volumes. However, these deep-learning models are rather complex. Training such complex models requires extensive computing resources. The complexity of these models also restricts their application in real-time intrusion detection. Another challenge is that the internal operation of deep-learning models is rather opaque. Although their operation can be expressed in a (large) set of mathematical equations, it is extremely difficult to reveal and explain the decision rules taken by the models. A better understanding of the internal operation would make it possible to improve the models, for instance, to reduce their complexity or increase their detection accuracy.

The evolving types of intrusions and how they are manifested in network traffic also raises concerns. Network intrusion detection systems should be able to detect new types of intrusions that exploit zero-day vulnerabilities. This is challenging for deep-learning models, which might be overfitted and trained too well, which leads to reduced detection accuracy when the models are applied to traffic with slightly different characteristics. In the future, self-adaptable models that learn and adapt to changes in traffic characteristics on-the-fly may provide a solution. Additionally, detection systems should be able to detect intrusions that apply evasion techniques such as low-frequency attacks, traffic fragmentation, and obfuscation or encryption of payload data.

A general difficulty for deep-learning models is that they require large and realistic datasets for training. Many publications to date have used old datasets, which raises the question of how well the models would perform with newer datasets that reflect current traffic characteristics. This also hampers the comparison of novel deep-learning models with prior intrusion detection systems. The creation of realistic datasets is a problem in itself, where issues like imbalance, including a realistic mix of intrusions, and the labelling of traffic have to be addressed.

The objective of this Special Issue is to publish high-quality research papers that advance the state-of-the-art by addressing the challenges in network intrusion detection using deep learning as described above. We particularly welcome papers that address the complexity, applicability, adaptability, and explainability of deep-learning models; papers that improve the performance of deep-learning models for detecting evolving types of intrusion; and corresponding datasets.

Dr. Harald Vranken
Guest Editor

Manuscript Submission Information

Manuscripts should be submitted online at www.mdpi.com by registering and logging in to this website. Once you are registered, click here to go to the submission form. Manuscripts can be submitted until the deadline. All submissions that pass pre-check are peer-reviewed. Accepted papers will be published continuously in the journal (as soon as accepted) and will be listed together on the special issue website. Research articles, review articles as well as short communications are invited. For planned papers, a title and short abstract (about 100 words) can be sent to the Editorial Office for announcement on this website.

Submitted manuscripts should not have been published previously, nor be under consideration for publication elsewhere (except conference proceedings papers). All manuscripts are thoroughly refereed through a single-blind peer-review process. A guide for authors and other relevant information for submission of manuscripts is available on the Instructions for Authors page. Electronics is an international peer-reviewed open access semimonthly journal published by MDPI.

Please visit the Instructions for Authors page before submitting a manuscript. The Article Processing Charge (APC) for publication in this open access journal is 2400 CHF (Swiss Francs). Submitted papers should be well formatted and use good English. Authors may use MDPI's English editing service prior to publication or during author revisions.

Keywords

  • network intrusion detection
  • deep learning

Benefits of Publishing in a Special Issue

  • Ease of navigation: Grouping papers by topic helps scholars navigate broad scope journals more efficiently.
  • Greater discoverability: Special Issues support the reach and impact of scientific research. Articles in Special Issues are more discoverable and cited more frequently.
  • Expansion of research network: Special Issues facilitate connections among authors, fostering scientific collaborations.
  • External promotion: Articles in Special Issues are often promoted through the journal's social media, increasing their visibility.
  • e-Book format: Special Issues with more than 10 articles can be published as dedicated e-books, ensuring wide and rapid dissemination.

Further information on MDPI's Special Issue polices can be found here.

Published Papers (9 papers)

Order results
Result details
Select all
Export citation of selected articles as:

Research

15 pages, 2730 KiB  
Article
Deep Learning for Network Intrusion Detection in Virtual Networks
by Daniel Spiekermann, Tobias Eggendorfer and Jörg Keller
Electronics 2024, 13(18), 3617; https://doi.org/10.3390/electronics13183617 - 11 Sep 2024
Viewed by 1171
Abstract
As organizations increasingly adopt virtualized environments for enhanced flexibility and scalability, securing virtual networks has become a critical part of current infrastructures. This research paper addresses the challenges related to intrusion detection in virtual networks, with a focus on various deep learning techniques. [...] Read more.
As organizations increasingly adopt virtualized environments for enhanced flexibility and scalability, securing virtual networks has become a critical part of current infrastructures. This research paper addresses the challenges related to intrusion detection in virtual networks, with a focus on various deep learning techniques. Since physical networks do not use encapsulation, but virtual networks do, packet analysis based on rules or machine learning outcomes for physical networks cannot be transferred directly to virtual environments. Encapsulation methods in current virtual networks include VXLAN (Virtual Extensible LAN), an EVPN (Ethernet Virtual Private Network), and NVGRE (Network Virtualization using Generic Routing Encapsulation). This paper analyzes the performance and effectiveness of network intrusion detection in virtual networks. It delves into challenges inherent in virtual network intrusion detection with deep learning, including issues such as traffic encapsulation, VM migration, and changing network internals inside the infrastructure. Experiments on detection performance demonstrate the differences between intrusion detection in virtual and physical networks. Full article
(This article belongs to the Special Issue Network Intrusion Detection Using Deep Learning)
Show Figures

Figure 1

25 pages, 5932 KiB  
Article
SEDAT: A Stacked Ensemble Learning-Based Detection Model for Multiscale Network Attacks
by Yan Feng, Zhihai Yang, Qindong Sun and Yanxiao Liu
Electronics 2024, 13(15), 2953; https://doi.org/10.3390/electronics13152953 - 26 Jul 2024
Viewed by 1014
Abstract
Anomaly detection for network traffic aims to analyze the characteristics of network traffic in order to discover unknown attacks. Currently, existing detection methods have achieved promising results against high-intensity attacks that aim to interrupt the operation of the target system. In reality, attack [...] Read more.
Anomaly detection for network traffic aims to analyze the characteristics of network traffic in order to discover unknown attacks. Currently, existing detection methods have achieved promising results against high-intensity attacks that aim to interrupt the operation of the target system. In reality, attack behaviors that are commonly exhibited are highly concealed and disruptive. In addition, the attack scales are flexible and variable. In this paper, we construct a multiscale network intrusion behavior dataset, which includes three attack scales and two multiscale attack patterns based on probability distribution. Specifically, we propose a stacked ensemble learning-based detection model for anomalous traffic (or SEDAT for short) to defend against highly concealed multiscale attacks. The model employs a random forest (RF)-based method to select features and introduces multiple base learning autoencoders (AEs) to enhance the representation of multiscale attack behaviors. In addressing the challenge of a single model’s inability to capture the regularities of multiscale attack behaviors, SEDAT is capable of adapting to the complex multiscale characteristics in network traffic, enabling the prediction of network access behavior. Comparative experiments demonstrate that SEDAT exhibits superior detection capabilities in multiscale network attacks. In particular, SEDAT achieves an improvement of at least 5% accuracy over baseline methods for detecting multiscale attacks. Full article
(This article belongs to the Special Issue Network Intrusion Detection Using Deep Learning)
Show Figures

Figure 1

19 pages, 3939 KiB  
Article
Pattern Augmented Lightweight Convolutional Neural Network for Intrusion Detection System
by Yonatan Embiza Tadesse and Young-June Choi
Electronics 2024, 13(5), 932; https://doi.org/10.3390/electronics13050932 - 29 Feb 2024
Cited by 1 | Viewed by 1760
Abstract
As the world increasingly becomes more interconnected, the demand for safety and security is ever-increasing, particularly for industrial networks. This has prompted numerous researchers to investigate different methodologies and techniques suitable for intrusion detection systems (IDS) requirements. Over the years, many studies have [...] Read more.
As the world increasingly becomes more interconnected, the demand for safety and security is ever-increasing, particularly for industrial networks. This has prompted numerous researchers to investigate different methodologies and techniques suitable for intrusion detection systems (IDS) requirements. Over the years, many studies have proposed various solutions in this regard, including signature-based and machine learning (ML)-based systems. More recently, researchers are considering deep learning (DL)-based anomaly detection approaches. Most proposed works in this research field aim to achieve either one or a combination of high accuracy, considerably low false alarm rates (FARs), high classification specificity and detection sensitivity, lightweight DL models, or other ML and DL-related performance measurement metrics. In this study, we propose a novel method to convert a raw dataset to an image dataset to magnify patterns by utilizing the Short-Term Fourier transform (STFT). The resulting high-quality image dataset allowed us to devise an anomaly detection system for IDS using a simple lightweight convolutional neural network (CNN) that classifies denial of service and distributed denial of service. The proposed methods were evaluated using a modern dataset, CSE-CIC-IDS2018, and a legacy dataset, NSLKDD. We have also applied a combined dataset to assess the generalization of the proposed model across various datasets. Our experimental results have demonstrated that the proposed methods achieved high accuracy and considerably low FARs with high specificity and sensitivity. The resulting loss and accuracy curves have demonstrated the efficacy of our raw dataset to image dataset conversion methodology, which is evident as an excellent generalization of the proposed lightweight CNN model was observed, effectively avoiding overfitting. This holds for both the modern and legacy datasets, including their mixed versions. Full article
(This article belongs to the Special Issue Network Intrusion Detection Using Deep Learning)
Show Figures

Figure 1

26 pages, 5278 KiB  
Article
Machine Learning-Based Intrusion Detection for Rare-Class Network Attacks
by Yu Yang, Yuheng Gu and Yu Yan
Electronics 2023, 12(18), 3911; https://doi.org/10.3390/electronics12183911 - 16 Sep 2023
Cited by 6 | Viewed by 2780
Abstract
Due to the severe imbalance in the quantities of normal samples and attack samples, as well as among different types of attack samples, intrusion detection systems suffer from low detection rates for rare-class attack data. In this paper, we propose a geometric synthetic [...] Read more.
Due to the severe imbalance in the quantities of normal samples and attack samples, as well as among different types of attack samples, intrusion detection systems suffer from low detection rates for rare-class attack data. In this paper, we propose a geometric synthetic minority oversampling technique based on the optimized kernel density estimation algorithm. This method can generate diverse rare-class attack data by learning the distribution of rare-class attack data while maintaining similarity with the original sample features. Meanwhile, the balanced data is input to a feature extraction module built upon multiple denoising autoencoders, reducing information redundancy in high-dimensional data and improving the detection performance for unknown attacks. Subsequently, a soft-voting ensemble learning technique is utilized for multi-class anomaly detection on the balanced and dimensionally reduced data. Finally, an intrusion detection system is constructed based on data preprocessing, imbalance handling, feature extraction, and anomaly detection modules. The performance of the system was evaluated using two datasets, NSL-KDD and N-BaIoT, achieving 86.39% and 99.94% multiclassification accuracy, respectively. Through ablation experiments and comparison with the baseline model, it is found that the inherent limitations of a single machine-learning model directly affect the accuracy of the intrusion detection system, while the superiority of the proposed multi-module model in detecting unknown attacks and rare classes of attack traffic is demonstrated. Full article
(This article belongs to the Special Issue Network Intrusion Detection Using Deep Learning)
Show Figures

Figure 1

20 pages, 705 KiB  
Article
Data Exfiltration Detection on Network Metadata with Autoencoders
by Daan Willems, Katharina Kohls, Bob van der Kamp and Harald Vranken
Electronics 2023, 12(12), 2584; https://doi.org/10.3390/electronics12122584 - 8 Jun 2023
Cited by 2 | Viewed by 2721
Abstract
We designed a Network Exfiltration Detection System (NEDS) to detect data exfiltration as occurring in ransomware attacks. The NEDS operates on aggregated metadata, which is more privacy-friendly and allows analysis of large volumes of high-speed network traffic. The NEDS aggregates metadata from multiple, [...] Read more.
We designed a Network Exfiltration Detection System (NEDS) to detect data exfiltration as occurring in ransomware attacks. The NEDS operates on aggregated metadata, which is more privacy-friendly and allows analysis of large volumes of high-speed network traffic. The NEDS aggregates metadata from multiple, sequential sessions between pairs of hosts in a network, which captures exfiltration by both stateful and stateless protocols. The aggregated metadata include averages per session of both packet count, request entropy, duration, and payload size, as well as the average time between sequential sessions and the amount of aggregated sessions. The NEDS applies a number of autoencoder models with unsupervised learning to detect anomalies, where each autoencoder model targets different protocols. We trained the autoencoder models with real-life data collected at network sensors in the National Detection Network as operated by the National Cyber Security Centre in the Netherlands, and configured the detection threshold by varying the false positive rate. We evaluated the detection performance by injecting exfiltration over different channels, including DNS tunnels and uploads to FTP servers, web servers, and cloud storage. Our experimental results show that aggregation significantly increases detection performance of exfiltration that happens over longer time, most notably, DNS tunnels. Our NEDS can be applied to detect exfiltration either in near-real-time data analysis with limited false positive rates, or in captured data to aid in post-incident analysis. Full article
(This article belongs to the Special Issue Network Intrusion Detection Using Deep Learning)
Show Figures

Figure 1

19 pages, 691 KiB  
Article
Securing a Smart Home with a Transformer-Based IoT Intrusion Detection System
by Minxiao Wang, Ning Yang and Ning Weng
Electronics 2023, 12(9), 2100; https://doi.org/10.3390/electronics12092100 - 4 May 2023
Cited by 16 | Viewed by 4312
Abstract
Machine learning (ML)-based Network Intrusion Detection Systems (NIDSs) can classify each network’s flow behavior as benign or malicious by detecting heterogeneous features, including both categorical and numerical features. However, the present ML-based NIDSs are deemed insufficient in terms of their ability to generalize, [...] Read more.
Machine learning (ML)-based Network Intrusion Detection Systems (NIDSs) can classify each network’s flow behavior as benign or malicious by detecting heterogeneous features, including both categorical and numerical features. However, the present ML-based NIDSs are deemed insufficient in terms of their ability to generalize, particularly in changing network environments such as the Internet of Things (IoT)-based smart home. Although IoT devices add so much to home comforts, they also introduce potential risks and vulnerabilities. Recently, many NIDS studies on other IoT scenarios, such as the Internet of Vehicles (IoV) and smart cities, focus on utilizing the telemetry data of IoT devices for IoT intrusion detection. Because when IoT devices are under attack, their abnormal telemetry data values can reflect the anomaly state of those devices. Those telemetry data-based IoT NIDS methods detect intrusion events from a different view, focusing on the attack impact, from the traditional network traffic-based NIDS, which focuses on analyzing attack behavior. The telemetry data-based NIDS is more suitable for IoT devices without built-in security mechanisms. Considering the smart home IoT scenario, which has a smaller scope and a limited number of IoT devices compared to other IoT scenarios, both NIDS views can work independently. This motivated us to propose a novel ML-based NIDS to combine the network traffic-based and telemetry data-based NIDS together. In this paper, we propose a Transformer-based IoT NIDS method to learn the behaviors and effects of attacks from different types of data that are generated in the heterogeneous IoT environment. The proposed method utilizes a self-attention mechanism to learn contextual embeddings for input network features. Based on the contextual embeddings, our method can solve the feature set challenge, including both continuous and categorical features. Our method is the first to utilize both network traffic data and IoT sensors’ telemetry data at the same time for intrusion detection. Experiments reveal the effectiveness of our method on a realistic network traffic intrusion detection dataset named ToN_IoT, with an accuracy of 97.95% for binary classification and 95.78% for multiple classifications on pure network data. With the extra IoT information, the performance of our method has been improved to 98.39% and 97.06%, respectively. A comparative study with existing works shows that our method can achieve state-of-the-art performance on the ToN_IoT dataset. Full article
(This article belongs to the Special Issue Network Intrusion Detection Using Deep Learning)
Show Figures

Figure 1

17 pages, 2222 KiB  
Article
Detecting Parallel Covert Data Transmission Channels in Video Conferencing Using Machine Learning
by Ofir Joseph, Avshalom Elmalech and Chen Hajaj
Electronics 2023, 12(5), 1091; https://doi.org/10.3390/electronics12051091 - 22 Feb 2023
Cited by 1 | Viewed by 2083
Abstract
Covert communication channels are a concept in which a policy-breaking method is used in order to covertly transmit data from inside an organization to an external or accessible point. VoIP and Video systems are exposed to such attacks on different layers, such as [...] Read more.
Covert communication channels are a concept in which a policy-breaking method is used in order to covertly transmit data from inside an organization to an external or accessible point. VoIP and Video systems are exposed to such attacks on different layers, such as the underlying real-time transport protocol (RTP) which uses Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packet streams to punch a hole through Network address translation (NAT). This paper presents different innovative attack methods utilizing covert communication and RTP channels to spread malware or to create a data leak channel between different organizations. The demonstrated attacks are based on a UDP punch hole created using Skype peer-to-peer video conferencing communication. The different attack methods were successfully able to transmit a small text file in an undetectable manner by observing the communication channel, and without causing interruption to the audio/video channels or creating a noticeable disturbance to the quality. While these attacks are hard to detect by the eye, we show that applying classical Machine Learning algorithms to detect these covert channels on statistical features sampled from the communication channel is effective for one type of attack. Full article
(This article belongs to the Special Issue Network Intrusion Detection Using Deep Learning)
Show Figures

Figure 1

20 pages, 418 KiB  
Article
Deep Learning Model Transposition for Network Intrusion Detection Systems
by João Figueiredo, Carlos Serrão and Ana Maria de Almeida
Electronics 2023, 12(2), 293; https://doi.org/10.3390/electronics12020293 - 6 Jan 2023
Cited by 19 | Viewed by 3310
Abstract
Companies seek to promote a swift digitalization of their business processes and new disruptive features to gain an advantage over their competitors. This often results in a wider attack surface that may be exposed to exploitation from adversaries. As budgets are thin, one [...] Read more.
Companies seek to promote a swift digitalization of their business processes and new disruptive features to gain an advantage over their competitors. This often results in a wider attack surface that may be exposed to exploitation from adversaries. As budgets are thin, one of the most popular security solutions CISOs choose to invest in is Network-based Intrusion Detection Systems (NIDS). As anomaly-based NIDS work over a baseline of normal and expected activity, one of the key areas of development is the training of deep learning classification models robust enough so that, given a different network context, the system is still capable of high rate accuracy for intrusion detection. In this study, we propose an anomaly-based NIDS using a deep learning stacked-LSTM model with a novel pre-processing technique that gives it context-free features and outperforms most related works, obtaining over 99% accuracy over the CICIDS2017 dataset. This system can also be applied to different environments without losing its accuracy due to its basis on context-free features. Moreover, using synthetic network attacks, it has been shown that this NIDS approach can detect specific categories of attacks. Full article
(This article belongs to the Special Issue Network Intrusion Detection Using Deep Learning)
Show Figures

Figure 1

17 pages, 5959 KiB  
Article
Anomaly Detection for SCADA System Security Based on Unsupervised Learning and Function Codes Analysis in the DNP3 Protocol
by Mustafa Altaha and Sugwon Hong
Electronics 2022, 11(14), 2184; https://doi.org/10.3390/electronics11142184 - 12 Jul 2022
Cited by 17 | Viewed by 2901
Abstract
An Intrusion Detection System (IDS) is a tool used primarily for security monitoring, which is one of the security strategies for Supervisory Control and Data Acquisition (SCADA) systems. Distributed Network Protocol version 3 (DNP3) is the predominant SCADA protocol in the energy sector. [...] Read more.
An Intrusion Detection System (IDS) is a tool used primarily for security monitoring, which is one of the security strategies for Supervisory Control and Data Acquisition (SCADA) systems. Distributed Network Protocol version 3 (DNP3) is the predominant SCADA protocol in the energy sector. In this paper, we have developed an effective and flexible IDS for DNP3 networks, observing that most critical operations in DNP3 systems are utilized based on the function codes in DNP3 application messages, and that exploitation of those function codes enables attackers to manipulate the system operation. Our proposed anomaly-detection method deals with possible attacks that can bypass any rule-based deep packet inspection once attackers take over servers in the system. First, we generated datasets that reflected DNP3 traffic characteristics observed in real-world power grid substations for a reasonably long time. Next, we extracted input features that consisted of the occurrences of function codes per TCP connection, along with TCP characteristics. We then used an unsupervised deep learning model (Autoencoder) to learn the normal behavior of DNP3 traffic based on function code patterns. We called our approach FC-AE-IDS (Function Code Autoencoder IDS). The evaluation of the proposed method was carried out on three different datasets, to prove its accuracy and effectiveness. To evaluate the effectiveness of our proposed method, we performed various experiments that resulted in more than 95% detection accuracy for all considered attack scenarios that are mentioned in this study. We compared our approach to an IDS that is based on traditional features, to show the effectiveness of our approach. Full article
(This article belongs to the Special Issue Network Intrusion Detection Using Deep Learning)
Show Figures

Figure 1

Back to TopTop