Page 1: Cloud Based Real-Time Network Intrusion Detection Using Deep Learning

S. Parampottupadam & A.-N. Moldovan – “Cloud Based Real-Time Network Intrusion Detection Using Deep Learning”, Cyber Security 2018, Glasgow, Scotland, UK, 12th June 2018

Cloud Based Real-Time Network Intrusion Detection Using Deep Learning

Santhosh Parampottupadam & Arghir-Nicolae Moldovan

School of Computing, National College of Ireland, Mayor Street, IFSC, Dublin 1, Ireland

[email protected]; [email protected]

The International Conference on Cyber Security and Protection of Digital Services (Cyber Security 2018), Glasgow, Scotland, UK, 12th June 2018

Page 2: Outline

Introduction

Goals

Methodology

Prototype

Results

Conclusions

Q&A


Page 3: Introduction

In 2017 the average cost of a data breach was $3.6 million, or $141 per data record (Ponemon Institute / IBM, 2018)

NIDS systems

Signature or rule-based: look for specific patterns or signatures based on different factors such as IP addresses, ports, protocol, payload information, etc.

Anomaly-based: use machine learning to build an anomaly model based on different factors and then compare traffic to this model

Deep learning

Neural network algorithms that transform data in multiple layers, where each layer uses output from the previous layer as input

Capable of automatic feature extraction, reducing the necessity to select features explicitly

Source: http://earthsky.org/space/machine-deep-learning-2-astronomy-studies

Source: https://gbhackers.com/intrusion-detection-system-ids-2/

Page 4: Research Goals

Investigate the capabilities of Deep Learning for network intrusion detection

Compare DL models built using H2O and DeepLearning4J with other commonly used ML models such as SVM, Random Forest, Logistic Regression and Naïve Bayes

Propose a cloud-based prototype system for real-time network intrusion detection using Deep Learning


Page 5: Methodology (1)

Followed the cross-industry standard process for data mining (CRISP-DM)

Problem understanding

Review of previous research studies showed that DL models do not always outperform other ML models

More research needed to investigate the capabilities of DL for intrusion detection


Page 6: Methodology (2)

Data understanding

NSL-KDD dataset

Selected records of the KDD Cup 99 dataset, without its shortcomings (i.e., duplicated records removed, which makes high accuracy harder to achieve)

41 attributes

3 nominal (i.e., protocol, service, flag)

38 numerical (e.g., duration, source and destination bytes, number of failed logins, etc.)

Contains normal traffic and 39 attack types categorised into 4 classes

Data preparation

NSL-KDD required little pre-processing

No record elimination or imputation was necessary

Removed one attribute as it was 0 for all train and test records

Added 2 columns for normal/intrusion and attack class
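As an added example (not code from the slides or the authors' prototype), the following Python reproduces the preparation steps above on a constructed, column-reduced sample in NSL-KDD layout: one-hot encoding of the three nominal attributes, dropping the attribute that is constant across all records, and adding the normal/intrusion and attack-class target columns. The attack-to-class mapping and the identity of the constant column (num_outbound_cmds) are assumptions, since the slides do not state them.

```python
import csv
import io

# Constructed sample in NSL-KDD layout, reduced to 6 of the 41 attributes plus the
# label column (real records carry 41 attributes, a label and a difficulty score).
SAMPLE_CSV = """duration,protocol_type,service,flag,src_bytes,num_outbound_cmds,label
0,tcp,http,SF,181,0,normal
0,tcp,private,S0,0,0,neptune
0,icmp,ecr_i,SF,1032,0,smurf
0,tcp,ftp_data,SF,334,0,warezclient
12,tcp,telnet,SF,1511,0,buffer_overflow
0,udp,private,SF,105,0,normal
0,tcp,private,REJ,0,0,portsweep
"""
NOMINAL = ("protocol_type", "service", "flag")  # the 3 nominal attributes
# Standard KDD Cup 99 attack-to-class mapping, abbreviated (assumption: the slides
# do not list it; attack names missing here fall through as "unknown").
ATTACK_CLASS = {
    "neptune": "DoS", "smurf": "DoS", "back": "DoS", "teardrop": "DoS", "pod": "DoS",
    "portsweep": "Probe", "ipsweep": "Probe", "nmap": "Probe", "satan": "Probe",
    "warezclient": "R2L", "warezmaster": "R2L", "guess_passwd": "R2L", "ftp_write": "R2L",
    "buffer_overflow": "U2R", "loadmodule": "U2R", "perl": "U2R", "rootkit": "U2R",
}

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def constant_columns(rows):
    """Attributes holding a single value in every record; the slides dropped one such column."""
    return sorted(c for c in rows[0] if c != "label" and len({r[c] for r in rows}) == 1)

def prepare(rows):
    drop = set(constant_columns(rows))
    levels = {c: sorted({r[c] for r in rows}) for c in NOMINAL}
    out = []
    for r in rows:
        feat = {}
        for c, v in r.items():
            if c == "label" or c in drop:
                continue
            if c in NOMINAL:  # one-hot encode nominal attributes
                for lvl in levels[c]:
                    feat[f"{c}={lvl}"] = 1 if v == lvl else 0
            else:
                feat[c] = float(v)
        # The two added target columns: normal/intrusion and attack class
        intrusion = 0 if r["label"] == "normal" else 1
        attack_class = ATTACK_CLASS.get(r["label"], "unknown") if intrusion else "normal"
        out.append({"features": feat, "intrusion": intrusion, "attack_class": attack_class})
    return out
```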


Page 7: Methodology (3)

Modelling

Binomial classification models to detect intrusions from normal traffic

Multinomial models to detect the intrusion class (i.e., DoS, Probe, R2L and U2R)

Models were built with the default settings of the libraries, and without performing class balancing

Java-based ML Libraries used

DL: H2O Deep Learning, DeepLearning4J

ML: Support Vector Machines (LibSVM), Random Forest, Logistic Regression, Naïve Bayes

Evaluation

5-fold cross validation on the NSL-KDD train data

Train models on NSL-KDD train data and test models on the test data

Metrics: Accuracy, Precision, Recall, F-Measure, AUC, Detection Rate
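The metrics listed above, as an added Python example (not from the slides or the authors' code), computed over a constructed confusion matrix that imitates the class imbalance the slides work under: overall accuracy, per-class detection rate (recall), precision and F-measure, plus the binomial (normal vs. intrusion) view of the same predictions. AUC is left out because it needs model scores rather than hard labels.

```python
from collections import defaultdict
CLASSES = ("normal", "DoS", "Probe", "R2L", "U2R")
# Constructed (true class, predicted class, count) triples imitating an imbalanced
# NSL-KDD-style test set; these are not results from the slides.
SAMPLE = [
    ("normal", "normal", 1000),
    ("DoS", "DoS", 690), ("DoS", "normal", 10),
    ("Probe", "Probe", 190), ("Probe", "normal", 10),
    ("R2L", "R2L", 20), ("R2L", "normal", 60),
    ("U2R", "U2R", 1), ("U2R", "normal", 19),
]
def expand(triples):
    """Turn counted triples into parallel lists of true and predicted labels."""
    y_true, y_pred = [], []
    for t, p, n in triples:
        y_true += [t] * n
        y_pred += [p] * n
    return y_true, y_pred
def confusion(y_true, y_pred):
    """Nested dict: m[true_class][predicted_class] = count."""
    m = defaultdict(lambda: defaultdict(int))
    for t, p in zip(y_true, y_pred):
        m[t][p] += 1
    return m
def accuracy(m):
    total = sum(sum(row.values()) for row in m.values())
    return sum(row.get(c, 0) for c, row in m.items()) / total
def detection_rate(m, cls):
    """Fraction of records of class cls labelled as cls (per-class recall)."""
    row = m.get(cls, {})
    n = sum(row.values())
    return row.get(cls, 0) / n if n else 0.0
def precision(m, cls):
    predicted = sum(row.get(cls, 0) for row in m.values())
    return m.get(cls, {}).get(cls, 0) / predicted if predicted else 0.0
def f_measure(m, cls):
    p, r = precision(m, cls), detection_rate(m, cls)
    return 2 * p * r / (p + r) if p + r else 0.0
def to_binomial(labels):
    # Collapse the four attack classes into "intrusion" for the binomial view
    return ["normal" if x == "normal" else "intrusion" for x in labels]
def report(triples):
    y_true, y_pred = expand(triples)
    multi = confusion(y_true, y_pred)
    bino = confusion(to_binomial(y_true), to_binomial(y_pred))
    return {"multinomial_accuracy": accuracy(multi),
            "detection_rate": {c: detection_rate(multi, c) for c in CLASSES},
            "binomial_accuracy": accuracy(bino),
            "intrusion_detection_rate": detection_rate(bino, "intrusion")}
```

On the constructed sample the overall accuracy is 95% while the U2R detection rate is 5%, which is why the slides report detection rate per class alongside accuracy.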


Page 8: Prototype System

Web app developed using: Java, jQuery, Bootstrap, Gradle

Integrates the POJO binomial and multinomial DL models

Twilio API integrated for real-time notifications to admin

Cloud-based deployment to AWS EC2 instance


Page 9: Evaluation Results (1)

Binomial Classification

All models achieved over 90% accuracy on training data

DL H2O achieved highest accuracy of 84% on test data

Higher than the 78.06% value of DL model based on soft-max regression (SMR), but less than the 88.39% value of the self-taught learning (STL) model from Niyaz et al. (2016)

DL H2O also has most balanced performance for detecting normal traffic and intrusions

Figure: Binomial Models for Train Data CV. Bar chart of Detection Rate [%] for Normal and Intrusion, and Accuracy [%], per model: DL H2O, DL4J, RF, LR, NB.

Figure: Binomial Models for Test Data. Bar chart of Detection Rate [%] for Normal and Intrusion, and Accuracy [%], per model: DL H2O, DL4J, SVM, RF, LR, NB.

Page 10: Evaluation Results (2)

Multinomial Classification

All models except NB achieved over 99% accuracy

DL H2O achieved 84% accuracy on test data

Higher than the 5-class SMR (75.23%) and STL (79.10%) DL models from Niyaz et al. (2016)

DL H2O provides good detection rates for DoS and Probe, second best for R2L

NB provides the highest detection rate for U2R

Figure: Multinomial Models for Train Data CV. Bar chart of Detection Rate [%] for DoS, Probe, R2L and U2R, and Accuracy [%], per model: DL H2O, DL4J, SVM, RF, LR, NB.

Figure: Multinomial Models for Test Data. Bar chart of Detection Rate [%] for DoS, Probe, R2L and U2R, and Accuracy [%], per model: DL H2O, DL4J, SVM, RF, LR, NB.

Page 11: Conclusions

Proposed a cloud based prototype system that integrates two DL models

binomial model to identify if there is an intrusion or not

multinomial model to detect the attack class in case of an intrusion

DL H2O binomial and multinomial models outperformed DL4J and the other ML models, in terms of accuracy

DL H2O binomial model also provides better intrusion detection rates than the other models

No model provided consistent and best detection rate for all four intrusion classes

Future work directions

Investigate ensemble approaches that combine multiple ML algorithms to improve detection rates

Use additional datasets and/or real-time network traffic data


Page 12: Closing

Thank you for your attention!

Q&A