A Hybrid Intrusion Detection Approach based on
Deep Learning Techniques
*Diego F. Rueda1, Juan C. Caviedes2, and Wilmar Yesid Campo Muñoz3
1 Institute of Informatics and Applications, Universitat de Girona, Girona, Spain
u1930599@campus.udg.edu
2 Department of Systems and Industrial Engineering, Universidad Nacional de Colombia, Bogotá D.C., Colombia
jcaviedesv@unal.edu.co
3 Department of Electronic Engineering, Universidad del Quindío, Armenia, Colombia
wycampo@uniquindio.edu.co
* Corresponding Author
Abstract. Intrusion detection systems (IDS) are designed to protect the
networks from computer attacks. Through the constant monitoring of the
network traffic, it is possible to identify anomaly behaviors that infer a
likelihood of security threats. However, the growth of network traffic, the
development of new techniques and algorithms to perform attacks, and the
need to guarantee the security policies, force the community to research and
develop novel intrusion detection models that are able to detect threats
through anomalies in the traffic behavior. In this work, a novel intrusion
detection model based on image recognition and classification algorithms is
presented. In this proposal, each data record in the dataset is first converted
into an image, and then Convolutional Neural Networks (CNN) are used to
perform feature extraction. Then, a Support Vector Machine (SVM)-based
algorithm is applied to identify the type of attack. The proposed hybrid model
is trained and tested with the CIC-IDS2017 dataset. Experimental results
evidence that our model is capable of detecting several intrusion threats with
high accuracy and for some attack types our model outperforms the related
work.
Keywords: CNN, deep learning, hybrid intrusion detection, network
security, network attacks, CIC-IDS2017, SVM.
1 Introduction
Network security is a key aspect of any company's data policy nowadays. Broadly, these policies cover everything from application deployments and the transfer of sensitive information to the implementation of a communications network that offers external and internal services [11]. Security violations such as unauthorized accesses or intrusions can put at risk some of the established policies, which, in summary, concern the availability, integrity, and confidentiality of company information. The NIST (National Institute of Standards and Technology) defines an intrusion as an attempt to compromise the security policies or bypass the security mechanisms of networks or hosts [12]. These intrusion threats are fought by intrusion detection systems (IDS).
Previously, intrusion detection models were based on a catalog of threats that was updated periodically, and they protected only some parts of the network, such as centralized nodes or priority hosts. Thus, the system left other parts of the same network exposed, which attackers used to reach a segment of interest. Accordingly, the trend of designing and implementing new methodologies and approaches to detect intrusion attacks is being strongly influenced by the inclusion of machine learning-based methods [18].
Both the threats and the traffic volume in networks have increased at an exponential rate in recent years. For instance, in the last ten years alone, monthly traffic volume in mobile networks went from Gigabytes to Exabytes [8]. On the other hand, it is estimated that cyber-attacks can generate losses in the order of trillions of dollars for businesses [14]. Accordingly, an intrusion detection model based on a static threat catalog is no longer adequate. Instead, it is better to choose a dynamic option that continuously monitors and classifies traffic threats. Many types of attack can dramatically affect a network; some of them are Denial of Service (DoS), Distributed Denial of Service (DDoS), User to Root (U2R), Web Attack, Infiltration, Probing, and Remote to Local (R2L) attacks.
Typically, IDS can be classified in two types: host-based and network-based. In a host-based IDS, some software is installed on a particular host (e.g. antivirus plugins) and its operation is reactive, i.e. it waits for a potential attack to enter its domain and then neutralizes it. A network-based IDS is similar, except that it is implemented in network elements such as firewalls, allowing the analysis of network traffic coming from or going to multiple hosts [13]. At a functional level, intrusion detection models can either detect anomalies with respect to normal traffic behavior or directly classify attacks based on previous training. The advantage of detection based on normal traffic patterns is that unknown intrusions (i.e., those not seen in the training stage) can be detected. However, this can reduce the efficiency of the model, because false positives increase when anomalous behavior is generated by normal traffic. Conversely, the classification of attacks according to a training set is ineffective against unknown attacks [24].
In order to address the problems of traditional intrusion detection models, machine learning as well as deep learning techniques have proven very effective in detecting such attacks [5], [6]. Support Vector Machines (SVM) [7], [9], neural networks [15], [19], [25], and clustering algorithms are widely studied techniques in this field. The combination of intrusion detection techniques in data preparation, data processing, and data classification is considered emergent and has many potentialities. Although there are several proposals for intrusion detection, most of them have been tested on old datasets such as NSL-KDD [20] that do not consider the diversity of contemporary attacks or current changes in traffic behavior.
This work aims to implement a hybrid intrusion detection model using deep learning together with a traditional machine learning technique. Thus, the major contributions of this paper are the use of image recognition based on Convolutional Neural Networks (CNN) to perform feature extraction of traffic patterns, and image classification using an SVM to identify the type of attack. Furthermore, the model has been trained and tested using a modern dataset called CIC-IDS2017 [16] that contains several types of attack and allows its performance to be measured in order to compare the proposed model with previous approaches.
The rest of this paper is structured as follows: Section 2 contains a general review of previous work. The proposed intrusion detection model is described in Section 3. Section 4 provides the dataset description and preparation, and also discusses the performance analysis and detection results. Finally, the conclusions and future work are presented in Section 5.
2 Related Work
Traditional network intrusion detection methods are rule-based and ignore contextual information, and because the volume of data is extremely high, these methods introduce complexity and reduce detection accuracy. In order to deal with these problems, several works in the literature have implemented intrusion detection methods based on machine learning [5] or deep learning techniques [6]. Increasingly, deep learning techniques are being used instead of traditional machine learning-based methods to improve the accuracy of intrusion predictions. The intrusion detection method presented in [11] combines multiple assembled classifiers in such a way that the individual results are merged in favor of multi-class classification. In this work, the authors used various Deep Neural Networks (DNN) to distinguish normal behaviors from attacks. While the results show that a precision above 95% can be achieved on the NSL-KDD dataset, the authors suggest that by including more techniques in the model, overall precision can be improved.
A hybrid model, based on an Auto-encoder Network (AN) for feature dimensionality reduction and an LSTM (Long Short-Term Memory) network to predict intrusion types, is addressed in [25]. With this proposal, accuracy is improved by 2% on average when compared with classical IDS. A Semantic Re-encoding and Deep Learning Model (SRDLM) is proposed in [22] for intrusion detection. The SRDLM model re-encodes the semantics of network traffic (i.e., transforms traffic data into words), increases the distinguishability of traffic, and improves generalization by using deep learning techniques (i.e., the ResNet network architecture). Results showed that the SRDLM method achieves more than 99% accuracy in detecting the Web character injection attack.
A deep learning network is implemented in [4] to automatically build a smart intrusion detection model. The authors rely on a hybrid optimization framework (IGASAA) based on an Improved Genetic Algorithm (IGA) and a Simulated Annealing Algorithm (SAA). This approach, called MLIDS (Machine Learning IDS), uses IGASAA to find the optimal combination of the most relevant values that serve as parameters in the construction of the IDS using a DNN. The values considered are the input features, the data normalization, the activation function of the neural model, the learning rate, and the momentum. Optimal selection ensures high efficiency of the model in terms of its hit rate, precision, and false-positive rate. The results obtained with this technique show an accuracy greater than 99.8%, which exceeds the other approaches compared by the authors.
A technique that shows promising results in improving the accuracy, false alarm rate, and timeliness of traditional intrusion detection algorithms is to convert the incoming network traffic data into images, turning intrusion detection into an image classification problem. According to [23], the use of CNN provides a method to automatically extract the features of the dimensionality-reduced data, and supervised learning extracts more effective information for intrusion identification. In this approach, the computational cost is reduced by converting the original traffic vector format into an image. The simulation results on the NSL-KDD dataset indicated that the model reaches a detection accuracy of 94.0%, but for U2R and R2L attacks the detection rates are significantly low, at 20.61% and 18.96%, respectively. In [19] the incoming network traffic data is represented as grayscale images, thus transforming the anomaly detection problem into an image processing problem where texture is the key for detection. The authors also use the NSL-KDD dataset for model implementation, training and validation. The results showed that the performance reaches a precision higher than 97.8%. However, the execution time of the model becomes very long when the number of layers of the CNN increases. Consequently, the authors mention the need for more work to improve the proposed model.
In a more recent work, Network Traffic Features (NTF) are transformed into four-channel RGBA (Red, Green, Blue and Alpha) images [21]. In [21], a multistage deep learning image recognition system (ResNet50) employing transfer learning is proposed to detect contemporary malicious behavior (network attacks) and to recognize the attack type. Empirical quantification of the attack type recognition achieved 99.8% detection accuracy for the generic attack on the UNSW-NB15 dataset, and 99.7% detection accuracy for the DDoS attack on the BOUN DDoS dataset. In [17], the authors proposed a hybrid model which combines an LSTM for feature extraction and a CNN for intrusion detection. The model validation on the UNSW-NB15 dataset showed a detection accuracy of 98%, which improves on the performance of RNN-based intrusion detection models.
Note that most of the literature reviewed focuses on external intrusions. In fact, there are attacks such as operating system scripts that can represent an internal threat per host. In [15] the authors have studied the possibility of predicting whether a script executed in the operating system may be malicious based on a short sample of the data it manipulates. Consequently, the authors propose a Recurrent Neural Network (RNN) to predict malicious behavior based on data from the operating system. The scope was to study the ability of the model to detect malware families and variants that have not been previously stored, known as Zero-Day attacks. In training the model, around 3000 malware samples are used, reaching 95% accuracy after one second of malicious code execution.

Table 1. Summary of related work.

Reference              Strategy            Dataset                             Performance
Ludwing et al. [11]    AN, DBN, DNN, ELM   NSL-KDD                             95.0%
Zhang et al. [25]      AN-LSTM             NSL-KDD                             99.6%
Wu et al. [22]         SRDLM               NSL-KDD                             99%
Chiba et al. [4]       MLIDS               CICIDS2017, NSL-KDD, CIDDS-001      99.8%
Xiao et al. [23]       CNN                 NSL-KDD                             94.0%
Tao et al. [19]        CNN                 NSL-KDD                             97.8%
Toldinas et al. [21]   CNN                 UNSW-NB15, BOUN DDoS                99.7%
Syms et al. [17]       CNN-LSTM            UNSW-NB15                           99.7%
Rhode et al. [15]      RNN                 VirusTotal                          95.0%
Regardless of the type of technique used for the implementation of intrusion detection systems, Table 1 shows that there is a trend towards the use of deep learning techniques to enhance the accuracy of the models compared to traditional methods. On the other hand, the possibility of applying image processing techniques by transforming each data record of the dataset into an image is highlighted. Most of the works reviewed can provide a guide to design an intrusion detection model applying deep learning techniques. But, to evaluate the performance of a model, it is relevant to use a dataset that includes modern attack types and traffic patterns rather than just data contained in a legacy dataset such as NSL-KDD.
In this paper, the proposed hybrid method for intrusion detection is supported by a CNN that performs feature extraction of traffic patterns. Furthermore, in order to provide the capability to detect several types of attack, an SVM-based classifier is incorporated into the proposed model, because SVM has proven to be effective in intrusion classification problems [7], [9], [23]. Therefore, unlike previous works, a hybrid intrusion detection model using deep learning and a classification algorithm is proposed to address the detection of several contemporary types of attack. To train and test the proposed hybrid model, the CIC-IDS2017 dataset is considered. Note that this dataset is cleaned and normalized, eliminating out-of-range data and using a common data scale for the features used.
3 Proposed Method
In order to take advantage of deep learning and traditional machine learning techniques for intrusion detection, a hybrid model is proposed. The key to the implementation of this model lies in image recognition and a classifier algorithm. In this section, the hybrid model implementation process is described.
3.1 Hybrid Intrusion Detection Model Description
Fig. 1 summarizes the overall framework used to detect and classify attacks using the proposed hybrid model. The model implementation considers six fundamental steps:
Step 1. Data cleansing: To generate a normalized, balanced and diverse dataset for training the proposed model. The key is to preserve the features with high variability while a dimension reduction is applied.
Step 2. Labeling attacks: To group attacks of the same type under a unique label, so that attacks with similar effects on network behavior or similar damage are grouped together.
Step 3. Feature normalization and image creation: To balance the dataset and generate a bank of images through the transformation of each traffic record into an 8*8 image with 8-bit depth.
Step 4. Image dataset consolidation: To train the model based on image recognition and test the classification performance. The dataset is randomly divided into 70% of records for training and 30% for testing. Next, an image scaling technique and a summer color map are applied to convert each image into a 224*224 RGB image.
Step 5. Hybrid intrusion detection model: To implement the hybrid intrusion detection model combining CNN and SVM algorithms: CNN for feature extraction and image recognition, and SVM for attack classification.
Step 6. Performance evaluation: To analyze the detection accuracy by applying the hybrid model to the testing dataset.
Fig. 1. Process flow of the proposed hybrid IDS model.
3.2 Implementation Process
A Convolutional Neural Network (CNN) processes data with a grid pattern, such as images, and automatically and adaptively learns spatial hierarchies of features, from low- to high-level patterns. The CNN is built as a set of three kinds of layer between the input and output layers: a convolutional layer, a pooling layer and a fully-connected layer. The number of convolution layers as well as the number of pooling layers defines the structure of the CNN. Suppose the feature map of layer i is M_i (M_0 = X, the input). Then, Equation (1) expresses the convolution process as [23]:
M_i = f(M_{i-1} * W_i + b_i) (1)
where W_i is the convolution kernel weight vector of layer i; * represents the convolution operation; b_i is the offset vector of layer i; and f(x) is the activation function, here the ReLU function. This activation function is widely used in CNN to replace all negative values in the feature map with zero. By specifying different window values, distinct feature information is extracted from the M_{i-1} data matrix in the convolutional layer, and through different convolution kernels, distinct features M_i are extracted from the data. The same parameters (weight and offset) are shared across all the positions where one convolution kernel is applied, which substantially reduces the number of parameters in the whole CNN. In the pooling layer, the feature map produced by the convolutional layer is mapped according to different sampling rules. The feature dimension is reduced in the pooling layer, and as a consequence the influence of redundant features on the model is also decreased.
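The following is an added example (it is not the paper's MATLAB code) that writes out Equation (1) in plain Python: a single convolutional layer with shared kernel weights and offset, ReLU as f(x), and a 2x2 max-pooling layer that halves the feature dimension. The 8x8 input grid and the 3x3 kernel weights are constructed here for illustration; they are not data or trained weights from the paper.

```python
# Added example (not from the paper): equation (1), M_i = f(M_{i-1} * W_i + b_i),
# written out in plain Python as a 2D convolution followed by ReLU, then a 2x2
# max-pooling layer. The 8x8 sample image and the 3x3 kernel weights are
# constructed for illustration; they are not the paper's data or trained weights.

def relu(v):
    """f(x) of equation (1): negative activations are replaced by zero."""
    return v if v > 0.0 else 0.0

def conv2d(feature_map, kernel, bias=0.0, activation=relu):
    """One convolutional layer: slide the kernel over every position of the input
    ('valid' mode, no padding), add the offset bias, apply the activation.
    The same weights and bias are reused at every window position, which is the
    parameter sharing the text describes."""
    h, w = len(feature_map), len(feature_map[0])
    kh, kw = len(kernel), len(kernel[0])
    out = []
    for r in range(h - kh + 1):
        row = []
        for c in range(w - kw + 1):
            acc = bias
            for i in range(kh):
                for j in range(kw):
                    acc += feature_map[r + i][c + j] * kernel[i][j]
            row.append(activation(acc))
        out.append(row)
    return out

def max_pool2d(feature_map, size=2):
    """Pooling layer: keep the maximum of each non-overlapping size x size window,
    which reduces the feature dimension."""
    h, w = len(feature_map), len(feature_map[0])
    return [[max(feature_map[r + i][c + j] for i in range(size) for j in range(size))
             for c in range(0, w - size + 1, size)]
            for r in range(0, h - size + 1, size)]

# Constructed input M_0 = X: an 8x8 8-bit grayscale grid with one bright column,
# the same shape as the images the paper builds from traffic records.
SAMPLE_IMAGE = [[255 if c == 2 else 0 for c in range(8)] for _ in range(8)]

# Hypothetical 3x3 kernel W_1 that responds to a left-to-right brightness increase.
EDGE_KERNEL = [[-1, 0, 1], [-1, 0, 1], [-1, 0, 1]]

def cnn_block(image, kernel, bias=0.0):
    """Convolution + ReLU (equation (1)) followed by 2x2 max pooling: an 8x8 input
    becomes a 6x6 feature map M_1 and then a 3x3 pooled map."""
    m1 = conv2d(image, kernel, bias)
    return max_pool2d(m1)

if __name__ == "__main__":
    for row in cnn_block(SAMPLE_IMAGE, EDGE_KERNEL):
        print(row)
```

Running it shows why the activation matters: the bright column produces a positive response one column to its left and an equally large negative response one column to its right, and ReLU discards the negative one before pooling, which is the "replace negative values with zero" behaviour described above.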
In the proposed hybrid model, the advantages of a CNN are exploited. Therefore, in order to provide the appropriate input to the proposed hybrid intrusion detection model, as part of the implementation, each record of the cleansed and normalized dataset is transformed into an 8*8 image with 8-bit depth. This image bank is the input of a Residual Network 50 (ResNet50 [1]) CNN for image feature extraction. It receives a 224*224 image with three channels (i.e. RGB), so the constructed images are transformed using a nearest-neighbor interpolation image scaling technique and grayscale-to-color conversion using a summer color map. Fig. 2 presents the implementation details of the ResNet50.
Fig. 2. Implementation details of the proposed hybrid IDS model.
8
The ResNet50 architecture has demonstrated high accuracy for intrusion detection [21], [22]. On the other hand, as shown in [3], a ResNet architecture, particularly ResNet50, has less computational complexity than other CNN models such as VGG or AlexNet. Likewise, it is more accurate than models like GoogLeNet or ShuffleNet. While ResNet101 or ResNet152 improve the accuracy of the model, they increase its complexity to a much greater extent than ResNet50. For these reasons, ResNet50 was chosen as the CNN because it maintains a balance between precision and computational complexity compared to other models.
Additionally, the capability to classify various types of attack in the proposed hybrid model is provided by a Support Vector Machine (SVM). This is because SVM has been shown to be an effective method to train the base learners in intrusion classifiers to detect several types of attack [7], [23], and the combination CNN-SVM achieves better performance than an FCN or the use of other classifiers [2]. Thus, the second-to-last output of the ResNet50 is used to train an SVM classifier, whose input is a vector with 1000 features of the image built to represent the intrusion attack or benign traffic. In the SVM classifier, this input vector is first mapped into a higher-dimensional feature space where the optimal separation hyperplane is obtained [4].
Furthermore, the decision boundary, which is basically the separation hyperplane, is defined by the support vectors rather than by all training samples, so the SVM provides high robustness to outliers. In the proposed model, a linear SVM is implemented that encodes the input samples using a one-vs-all encoder, which divides the multi-class classification problem into multiple binary classification problems. In this way, a new entry only satisfies the condition imposed by the region of the closest class. Finally, the output of the SVM is the classification of the input vectors into the attack classes or benign traffic, as learned from the input labels. The complexity of the proposed model is given by the ResNet50, i.e. O(n^4).
4 Simulation and Results
In order to test and evaluate the accuracy of the proposed hybrid model for intrusion detection, we implemented the model in Matlab R2020b on a machine with 4 CPUs, 16 GB of RAM and 1 TB of storage. This section describes the data preparation and normalization processes and the image creation used to consolidate the image bank. Finally, the performance analysis of the hybrid model is presented.
4.1 Dataset Preparation
Sharafaldin et al. [16] proposed the CIC-IDS2017 dataset with the eleven most significant characteristics required by the Canadian Institute for Cybersecurity (CIC): attack diversity, anonymity, available protocols, full capture, full interaction, full network configuration, full traffic, feature set, heterogeneity, tagging and metadata. Compliance with these characteristics means the dataset contains 13 up-to-date attacks that resemble data from networks deployed in reality. In addition, it has records for benign traffic, and all of them are labeled [16]. The network architecture used to collect the data is based on two networks: attack and victim [16].
The selected dataset consists of 78 columns, an additional column that labels the type of attack, and 2.8 million records. In this work, not all fields in the dataset are used for the analysis of our hybrid approach, because some have no relevance to the intrusion detection case study. For this reason, columns 1 and 44 to 51 of the dataset were removed, leaving a total of 69 columns. The cleaning process (presented in Fig. 1) has the main objective of preserving the features in the dataset that generate more variability, deleting duplicated records and keeping the attacks with more diversity of records. It is important to note that the features representing attributes of the size of the packets (either sent or received), the duration of the traffic session during attacks, and other time variables such as inter-arrival time have high variability in the dataset. The result is a dataset with 24 features and about 2.5 million records that can be grouped into 4 types of measurements:
1. Four measures of traffic for total packets and their lengths: Total Fwd/Bwd Packets, and Total Length of Fwd/Bwd Packets
2. Eight measures of forward and backward packets involved in communication: Fwd Packet Length Max/Min/Mean/Std, and Bwd Packet Length Max/Min/Mean/Std
3. Four measures of duration time of the flows in communication: Flow Duration, Flow Bytes_s, Flow Packets_s
4. Eight measures of inter-arrival time for the communication flows and the forwarding packets: Flow IAT Mean/Std/Max/Min and Fwd IAT Total/Mean/Std/Max/Min
At this point, the dataset is still labeled with eleven different attacks. However, analyzing the dataset it can be observed that some attacks have several sub-types which globally represent a single attack, e.g. DoS Hulk, DoS Goldeneye, and DoS Slowloris can be represented as a DoS attack. The difference between them is the script that generates them. Moreover, some attacks such as Heartbleed, Infiltration, and Botnet have negligible representation in the dataset, as they account for less than 0.01% of the total dataset size, so the associated records are excluded from the analysis of this work. After the filtering and grouping procedure, the attacks were thus classified into the seven classes shown in Table 2.
Table 2. Attacks classification in new classes.

Dataset label                                              New class
Benign                                                     Benign
DDoS                                                       DDoS
DoS Goldeneye, DoS Hulk, DoS Slowhttptest, DoS Slowloris   DoS
FTP Patator                                                FTP Patator
PortScan                                                   PortScan
SSH Patator                                                SSH Patator
SQL Injection, XSS, Brute Force                            Web Attack
(a) Histogram before balancing procedure (b) Histogram after balancing procedure
Fig. 3. Data balancing result per each traffic label.
When a histogram is generated to see how many records belong to each label, it becomes evident that the data is unbalanced, as shown in Fig. 3a. In order to balance the amount of data per attack, the type with the fewest records is taken as the reference for the others. Thus, Web Attack, with a total of 2.1 thousand records, is selected to limit the number of data records per attack class. Then, from each class, a random sample of the same number of records is taken, so a new dataset is built with nearly 15 thousand records which contains the six types of attack and an additional class for benign traffic. Balancing the data avoids bias in the training of the neural network, in this case the ResNet-50 CNN. The result of balancing the number of records per attack is shown in Fig. 3b.
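As an added example of the label handling in Section 4.1 (this is not the paper's code), the functions below implement the three operations the text describes in order: exclusion of dataset labels that make up less than 0.01% of all records, grouping of the remaining labels into the classes of Table 2, and balancing by random down-sampling of every class to the size of the smallest one. The label strings are the ones printed in Table 2, not the exact strings of the CIC-IDS2017 CSV files, and the record counts are constructed, so both CLASS_MAP keys and SAMPLE_COUNTS are assumptions.

```python
import random
from collections import Counter

# Added example (not the paper's MATLAB code) for the label grouping of Table 2,
# the exclusion of attack types below 0.01% of the dataset, and the balancing by
# random down-sampling to the smallest class described in Section 4.1.
# Label strings follow Table 2; the real CIC-IDS2017 CSV labels are spelled
# differently, so the CLASS_MAP keys are illustrative. The record counts are
# constructed, not the real dataset distribution.

CLASS_MAP = {
    "Benign": "Benign",
    "DDoS": "DDoS",
    "DoS Goldeneye": "DoS", "DoS Hulk": "DoS",
    "DoS Slowhttptest": "DoS", "DoS Slowloris": "DoS",
    "FTP Patator": "FTP Patator",
    "PortScan": "PortScan",
    "SSH Patator": "SSH Patator",
    "SQL Injection": "Web Attack", "XSS": "Web Attack", "Brute Force": "Web Attack",
}

def drop_rare_labels(records, min_fraction=0.0001):
    """Exclude every dataset label whose share of all records is below
    min_fraction (0.01% by default). records is a list of (label, features)."""
    counts = Counter(label for label, _ in records)
    total = len(records)
    keep = {label for label, n in counts.items() if n / total >= min_fraction}
    return [(label, feats) for label, feats in records if label in keep]

def group_labels(records, class_map=CLASS_MAP):
    """Step 2: replace each dataset label with its class from Table 2.
    Labels missing from the map are kept unchanged."""
    return [(class_map.get(label, label), feats) for label, feats in records]

def balance(records, seed=0):
    """Section 4.1: draw the same number of records from every class, equal to
    the size of the smallest class (Web Attack in the paper)."""
    rng = random.Random(seed)
    by_class = {}
    for label, feats in records:
        by_class.setdefault(label, []).append((label, feats))
    n = min(len(v) for v in by_class.values())
    balanced = []
    for label in sorted(by_class):
        balanced.extend(rng.sample(by_class[label], n))
    return balanced

def prepare(records, seed=0):
    """Filter, then group, then balance; returns the new record list."""
    return balance(group_labels(drop_rare_labels(records)), seed)

def class_counts(records):
    """Number of records per label, as a plain dict (the histogram of Fig. 3)."""
    return dict(Counter(label for label, _ in records))

# Constructed distribution: (label, number of records). The feature vector of
# each record is a stand-in holding only a unique record index.
SAMPLE_COUNTS = [
    ("Benign", 5000), ("DDoS", 3000), ("DoS Hulk", 2000), ("DoS Goldeneye", 500),
    ("DoS Slowloris", 300), ("FTP Patator", 1500), ("PortScan", 4000),
    ("SSH Patator", 1200), ("SQL Injection", 10), ("XSS", 150), ("Brute Force", 400),
    ("Heartbleed", 1), ("Infiltration", 1), ("Bot", 1),
]

def build_sample_records():
    records = []
    idx = 0
    for label, n in SAMPLE_COUNTS:
        for _ in range(n):
            records.append((label, (idx,)))
            idx += 1
    return records

if __name__ == "__main__":
    raw = build_sample_records()
    print("before:", class_counts(raw))
    print("after: ", class_counts(prepare(raw, seed=1)))
```

Note the order: the 0.01% threshold is applied to the original dataset labels before grouping, so a small sub-type such as SQL Injection survives because it is above the threshold on its own and is then merged into Web Attack, whereas Heartbleed, Infiltration and Bot are removed outright.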
4.2 Dataset Normalization
For dataset normalization, it is considered that the range between the maximum and minimum values of some features is too large and needs some preprocessing. First, we apply a logarithmic function to shorten the range. Note that all features are in the positive domain because their measures are related to lengths, times, or quantities. However, a zero value is possible. Therefore, before applying the logarithmic function, 1 is added to all values. The next step is to perform a linear normalization using Equation (2).




(2)
where xi = ln(xi + 1) and xi’’ is the normalized value. With this normalization, all features in the dataset are compressed to a range from 0 to 1. When a descriptive analysis is performed separating the benign from the malicious traffic (i.e., grouping all attacks in one unique class), the result shows that attacks typically have more packets sent but fewer packets received, which is to be expected in attacks such as a DoS attack. Also, the total size of packets sent shows that in the attacks there is greater variability towards values closer to zero. These considerations are key for training the model and discussing the results.
(a) Intervals for one-hot encoding. (b) Binary to decimal map for constructing an 8*8 matrix.
Fig. 4. Encoding procedure performed on each data record.
4.3 Image Creation
Each record of the cleansed and normalized dataset is converted into an 8*8 image with 8-bit depth, following the method presented in [10]. Thus, 20 intervals are set for encoding the values of the features using one-hot encoding, as shown in Fig. 4a, i.e. each normalized value of the 24 features or metrics is considered as a symbol that is encoded into a word of 20 bits. Once this is applied to each record of the normalized traffic dataset, the result is a new binary dataset with 480 columns. Considering the target dimensions of the image, 32 columns with zero values are added to the dataset to complete 512 columns. After that, an 8*8 matrix is constructed by applying a binary-to-decimal conversion to each group of 8 bits in the record, as shown in Fig. 4b. It is important to keep in mind that the same procedure is applied to all data records in the cleansed dataset to generate an image bank with six types of attack and also benign traffic.
Then, the decimal values in the matrix are converted to an image using a grayscale conversion with 8 bits of depth. With this method, for each class of attack in the dataset, at least two thousand images are obtained to be used as input of the deep learning model. An example of the resulting images for some data records is shown in Fig. 5. Since the ResNet50 takes 224*224 RGB images as input, an image scaling method is applied, as well as a summer-type color map. This ensures that the images meet the ResNet50 input conditions.
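The record-to-image pipeline of Sections 4.2 and 4.3, as an added example that is not the paper's MATLAB implementation: ln(x + 1) compression, linear scaling of each feature to [0, 1], one-hot encoding of each of the 24 features into a 20-bit word, zero-padding from 480 to 512 bits, and packing of every 8-bit group into one cell of an 8x8 grayscale matrix. Equation (2) is not reproduced on the page, so the linear normalization is assumed here to be min-max scaling over each column; the feature values in SAMPLE_ROWS are constructed, not taken from CIC-IDS2017.

```python
import math

# Added example (not the paper's code): one traffic record carried through
# Sections 4.2 and 4.3. The linear normalization of equation (2) is assumed to be
# per-column min-max scaling; the sample feature rows are constructed.

NUM_FEATURES = 24
NUM_INTERVALS = 20
IMAGE_SIDE = 8
IMAGE_BITS = IMAGE_SIDE * IMAGE_SIDE * 8   # 512 bits = 64 cells of 8 bits

def normalize_columns(rows):
    """Section 4.2: ln(x + 1) per value, then scale every column to [0, 1].
    A constant column is mapped to 0.0 instead of dividing by zero."""
    logged = [[math.log(v + 1.0) for v in row] for row in rows]
    n_cols = len(logged[0])
    lo = [min(r[c] for r in logged) for c in range(n_cols)]
    hi = [max(r[c] for r in logged) for c in range(n_cols)]
    return [[(r[c] - lo[c]) / (hi[c] - lo[c]) if hi[c] > lo[c] else 0.0
             for c in range(n_cols)] for r in logged]

def one_hot_interval(x, intervals=NUM_INTERVALS):
    """Fig. 4a: map a value in [0, 1] to one of `intervals` equal-width intervals
    and emit a one-hot word of that length (1.0 falls in the last interval)."""
    idx = min(int(x * intervals), intervals - 1)
    return [1 if i == idx else 0 for i in range(intervals)]

def row_to_bits(norm_row):
    """Section 4.3: 24 features x 20 bits = 480 bits, plus 32 zero bits -> 512."""
    bits = [b for x in norm_row for b in one_hot_interval(x)]
    return bits + [0] * (IMAGE_BITS - len(bits))

def bits_to_image(bits):
    """Fig. 4b: binary-to-decimal conversion of consecutive 8-bit groups (most
    significant bit first) laid out as an 8x8 matrix of values 0..255."""
    words = [int("".join(str(b) for b in bits[i:i + 8]), 2)
             for i in range(0, len(bits), 8)]
    return [words[r * IMAGE_SIDE:(r + 1) * IMAGE_SIDE] for r in range(IMAGE_SIDE)]

def records_to_images(raw_rows):
    """Whole pipeline: raw feature rows -> list of 8x8 grayscale images."""
    return [bits_to_image(row_to_bits(row)) for row in normalize_columns(raw_rows)]

# Three constructed flow records with 24 non-negative measurements each; the
# third one is all zeros, which the +1 before the logarithm must tolerate.
SAMPLE_ROWS = [
    [float(i * 7 % 50) for i in range(NUM_FEATURES)],
    [float(i * i) for i in range(NUM_FEATURES)],
    [0.0] * NUM_FEATURES,
]

if __name__ == "__main__":
    for image in records_to_images(SAMPLE_ROWS):
        for row in image:
            print(" ".join(f"{v:3d}" for v in row))
        print()
```

Because 20 does not divide 8, the one-hot words straddle cell boundaries, which is why the pixel values are not simply one per feature; the last four cells of the bottom row are always zero, since they hold the 32 padding bits.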
Fig. 5. Images created for the traffic dataset records.
4.4 Performance Evaluation
Performance evaluation of the proposed hybrid model is carried out by considering the accuracy and the confusion matrix generated from the detection results (shown in Table 3). An attack classified correctly or incorrectly by the model is represented as T (True) or F (False), respectively. P (Positive) and N (Negative) symbolize the prediction of the hybrid detection model as an attack or as benign traffic, respectively. In this sense, four groups (TP, TN, FP, and FN) are considered to
categorize the output of the hybrid model. If the detection result of the hybrid model is an attack for the testing data, and the detection result is correct, then the result is TP, i.e. the model has detected and classified the attack appropriately; TN indicates that the detection result of the model is negative and correct, i.e. benign traffic is not detected as an attack; FP means that the model predicts the data as an attack, but the detection result is incorrect, i.e. benign traffic is detected as an attack; FN indicates that the model predicts the data as benign traffic, but the detection result is erroneous, i.e. attack traffic is classified as benign traffic. As can be seen in Equation (3), accuracy (AC) represents the proportion of samples correctly classified by the hybrid model with respect to the total number of samples.
 
 (3)
Table 3. Confusion matrix using the proposed hybrid model (rows: actual class; columns: predicted class; each row sums to 100%).

        B       A1      A2      A3      A4      A5      A6
B       86.7%   2.6%    3.7%    0%      3.0%    1.2%    2.8%
A1      0%      100%    0%      0%      0%      0%      0%
A2      3.7%    0%      95.3%   0.2%    0%      0.2%    0.6%
A3      0%      0%      0%      99.7%   0%      0%      0.3%
A4      0%      0%      0%      0%      99.7%   0%      0.3%
A5      0.8%    0.5%    0.3%    0.3%    0%      97.5%   0.6%
A6      1.9%    0%      0.8%    0%      0%      0.5%    96.8%

Fig. 6 shows that our model can achieve 86.7% detection accuracy in the case of benign traffic (B), 95.3% in the DoS (A2) case, 96.8% for Web Attack (A6), and 97.5% for SSH Patator (A5) when it is applied to a contemporary dataset such as CIC-IDS2017. Also, the accuracy obtained in the classification of DDoS (A1),
FTP-Patator (A3), and PortScan (A4) attacks is greater than 99%. One possible
explanation for the relatively low accuracy in benign traffic is that benign traffic
generated by applications such as bittorrent, online video games, or video
conferencing is more likely to have been labeled as an attack than an attack as
benign traffic. This is an important consideration when choosing a dataset because
the dynamic behavior in modern services demand to generate multiple patterns in
network traffic measures. In addition, the number of benign data records is the same
that each attack data record, so in this work, the probability of benign data record
being classified as an attack is higher than if all the data records had been
considered.
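As an added example (not code from the paper), the following Python recomputes from the row-normalized matrix of Table 3 the per-class TP/TN/FP/FN counts defined above, the per-class accuracy that Fig. 6 reports (the diagonal), the 96.53% average used in the comparison, and a benign-vs-attack collapse that exposes the false-alarm rate on benign traffic. It assumes an equal number of test records per class, as the paper states; the figure of 1000 records per class is a constructed placeholder.

```python
"""Per-class outcomes and accuracy figures recomputed from Table 3.

Added example, not the paper's code. Rows = actual class, columns =
predicted class, values in percent; N_PER_CLASS is a constructed
placeholder standing in for the equal per-class record counts.
"""
from typing import Dict, List

CLASSES = ["B", "A1", "A2", "A3", "A4", "A5", "A6"]

# Table 3 of the paper, row-normalized percentages.
TABLE_3 = [
    [86.7, 2.6, 3.7, 0.0, 3.0, 1.2, 2.8],
    [0.0, 100.0, 0.0, 0.0, 0.0, 0.0, 0.0],
    [3.7, 0.0, 95.3, 0.2, 0.0, 0.2, 0.6],
    [0.0, 0.0, 0.0, 99.7, 0.0, 0.0, 0.3],
    [0.0, 0.0, 0.0, 0.0, 99.7, 0.0, 0.3],
    [0.8, 0.5, 0.3, 0.3, 0.0, 97.5, 0.6],
    [1.9, 0.0, 0.8, 0.0, 0.0, 0.5, 96.8],
]
N_PER_CLASS = 1000  # constructed: equal records per class, as in the paper


def to_counts(matrix: List[List[float]], n_per_class: int) -> List[List[int]]:
    """Turn row percentages into record counts (each row is one class)."""
    return [[round(p / 100.0 * n_per_class) for p in row] for row in matrix]


def per_class_outcomes(counts: List[List[int]], k: int) -> Dict[str, int]:
    """TP/TN/FP/FN for class index k, reading the matrix one-vs-rest."""
    total = sum(map(sum, counts))
    tp = counts[k][k]
    fn = sum(counts[k]) - tp                 # actual k, predicted otherwise
    fp = sum(row[k] for row in counts) - tp  # predicted k, actually otherwise
    tn = total - tp - fn - fp
    return {"TP": tp, "TN": tn, "FP": fp, "FN": fn}


def diagonal_accuracy(matrix: List[List[float]]) -> Dict[str, float]:
    """The per-class figure reported in Fig. 6: the diagonal of Table 3."""
    return {c: matrix[i][i] for i, c in enumerate(CLASSES)}


def average_accuracy(matrix: List[List[float]]) -> float:
    """Unweighted mean of the diagonal, i.e. the paper's 96.53% figure."""
    diag = diagonal_accuracy(matrix).values()
    return round(sum(diag) / len(CLASSES), 2)


def benign_vs_attack(counts: List[List[int]]) -> Dict[str, float]:
    """Collapse to two classes: false-alarm rate on benign, miss rate on attacks."""
    benign_total = sum(counts[0])
    false_alarms = benign_total - counts[0][0]      # benign flagged as attack
    attack_total = sum(sum(row) for row in counts[1:])
    missed = sum(row[0] for row in counts[1:])      # attacks flagged as benign
    return {
        "false_alarm_rate": round(100.0 * false_alarms / benign_total, 1),
        "miss_rate": round(100.0 * missed / attack_total, 2),
    }


if __name__ == "__main__":
    counts = to_counts(TABLE_3, N_PER_CLASS)
    for i, c in enumerate(CLASSES):
        print(c, per_class_outcomes(counts, i))
    print("average accuracy:", average_accuracy(TABLE_3))
    print("benign vs attack:", benign_vs_attack(counts))
```

With equal class sizes the benign row alone yields a 13.3% false-alarm rate, which is the operational cost hidden behind the 96.53% average.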
In order to compare the performance of the proposed hybrid model for intrusion
detection with other related works, the average of the accuracy obtained over all
traffic classes is calculated. Thus, the proposed hybrid model reaches an average
accuracy of 96.53% for intrusion detection. Other models, like the one proposed in [22],
can achieve 94.03% accuracy when applying a semantic re-encoding and deep
learning model, but on the NSL-KDD dataset. Thus, the proposed hybrid model
outperforms the detection accuracy of this model. Regarding the model proposed in
[25], which is based on an auto-encoder and an LSTM, it achieved 97.6% accuracy
for benign traffic classification and 95.3% for the DoS case on the NSL-KDD
dataset. Compared to this last case, the proposed hybrid model is capable of
detecting DoS attacks with better accuracy.
Similar to the approach in this paper, in [19] and [23] the authors have already
proposed a method that converts the traffic data into an image and transforms the
anomaly detection problem into an image processing problem. Although these two
works also consider the use of a CNN as part of their models, they did not
contemplate the use of an external classifier to detect the type of attack. In [23],
PCA (Principal Component Analysis) is used for data dimensionality reduction
as part of the data preprocessing in the entire IDS. Thus, the detection accuracy of the
IDS-CNN model on the NSL-KDD dataset is 94.0% [23]. Whereas in [19] the CNN
is used for intrusion detection without any other technique for image classification of
the NSL-KDD traffic patterns, achieving a detection accuracy of 97.8%. Compared
with these results, our hybrid approach is capable of detecting several intrusion
threats with a similar accuracy but on a contemporary dataset.
Fig. 6. Detection accuracy results for the proposed hybrid model.
5 Conclusions and Future Work
In this work, a hybrid intrusion detection model was implemented using a deep
learning framework in combination with traditional machine learning techniques on
a modern dataset. Our approach uses Convolutional Neural Networks (CNN) to
perform feature extraction of traffic patterns, and classification using Support
Vector Machines (SVM) to identify the type of attack. Experimental results
demonstrated that it is possible to use image processing techniques to characterize
network traffic in order to detect anomalies related to intrusion attacks.
Moreover, with the proposed hybrid approach, it was possible to obtain a global
accuracy of 96.53% and more than 99% accuracy in the recognition of attacks such
as DDoS, FTP-Patator, and PortScan. Compared with previous works, the global
precision reaches similar values in the recognition of attacks, with the advantage that
it was tested on a contemporary dataset that contemplates several types of behavior
in network traffic. Therefore, the combination of deep learning techniques can be
considered an interesting strategy to improve the effectiveness of intrusion detection
systems.
An intrusion detection system that is not applied to a real environment does not show
its true capability to protect a network. For this reason, in future work the
deployment of the proposed hybrid model in a network environment, either real
or simulated, will be carried out. Also, further attacks, such as zero-day attacks, can be
included in the approach. The aim is to build a zero-day attack system and retrain
the proposed approach to detect it. Last, new techniques to create images from the
dataset (e.g. RGBA) and other classifier models (e.g. K-Nearest Neighbors (KNN)
or Random Forest (RF)) can be considered to address a new comparative study with
the proposed model and other contemporary datasets (e.g. UNSW-NB15 or
BOUN).
References
1. Akiba, T., Suzuki, S., Fukuda, K.: Extremely Large Minibatch SGD: Training ResNet-
50 on ImageNet in 15 Minutes. In: 2017 Conference on Neural Information Processing
Systems. NIPS (2017)
2. Basly, H., et al.: CNN-SVM learning approach based human activity recognition. In: Image
and Signal Processing. pp. 271-281. Springer (2020)
3. Bianco, S., et al.: Benchmark analysis of representative deep neural network
architectures. IEEE Access 6(4), 64270-64277 (2018)
4. Chiba, Z., et al.: Intelligent approach to build a Deep Neural Network based IDS for cloud
environment using combination of machine learning algorithms. Computers and Security
86, 291-317 (2019)
5. Chih-Fong, T., et al.: Intrusion detection by machine learning: A review. Expert Systems
with Applications 36, 11994-12000 (2009)
6. Ferrag, M.A., et al.: Deep learning for cyber security intrusion detection: Approaches,
datasets, and comparative study. Journal of Information Security and Applications 50,
102419 (2020)
7. Gu, J., et al.: A novel approach to intrusion detection using SVM ensemble with feature
augmentation. Computers and Security 86, 53-62 (2019)
8. Jonsson, P., et al.: Ericsson Mobility Report June 2021. Tech. rep., Ericsson (2021)
9. Kuang, F., Xu, W., Zhang, S.: A novel hybrid kpca and svm with ga model for intrusion
detection. Applied Soft Computing 18, 178-184 (2014)
10. Li, Z., et al.: Intrusion detection using convolutional neural networks for representation
learning. In: Lecture Notes in Computer Science (LNCS). pp. 858-866. Springer Verlag
(2017)
11. Ludwig, S.A.: Intrusion detection of multiple attack classes using a deep neural net
ensemble. In: 2017 IEEE SSCI. pp. 1-7. IEEE (2017)
12. Mell, P., Grance, T.: The NIST Definition of Cloud Computing (2011),
https://csrc.nist.gov/publications/detail/sp/800-145/final
13. Mohammed, M., Pathan, A.S.K.: Intrusion Detection and Prevention Systems (IDPSs).
In: Automatic Defense Against Zero-day Polymorphic Worms in Communication
Networks, chap. 3, pp. 47-84. Auerbach Publications, 2 edn. (2013)
14. Rafter, D.: Cyberthreat trends: 2019 cybersecurity threat review (2019)
15. Rhode, M., Burnap, P., Jones, K.: Early-stage malware prediction using recurrent neural
networks. Computers and Security 77, 578-594 (2018)
16. Sharafaldin, I., et al.: Toward generating a new intrusion detection dataset and intrusion
traffic characterization. In: ICISSP 2018 - 4th International Conference on Information
Systems Security and Privacy. pp. 108-116 (2018)
17. Smys, S., Basar, A., Wang, H.: Hybrid intrusion detection system for internet of things
(iot). Journal of ISMAC 2(4), 190-199 (2020)
18. Stallings, W.: Network security essentials: applications and standards. Pearson
Education, 6 edn. (2017)
19. Tao, W., et al.: A Network Intrusion Detection Model Based on Convolutional Neural
Network. In: Security with Intelligent Computing and Big-data Services. pp. 771-783.
Springer (2020)
20. Tavallaee, M., et al.: A detailed analysis of the KDD CUP 99 data set. In: IEEE
Symposium on Computational Intelligence for Security and Defense Applications,
CISDA 2009. pp. 1-6. IEEE (2009)
21. Toldinas, J., et al.: A novel approach for network intrusion detection using multistage
deep learning image recognition. Electronics 10(15) (2021)
22. Wu, Z., Wang, J., Hu, L., Zhang, Z., Wu, H.: A network intrusion detection method based
on semantic re-encoding and deep learning. Journal of Network and Computer
Applications 164, 102688 (2020)
23. Xiao, Y., et al.: An intrusion detection model based on feature reduction and
convolutional neural networks. IEEE Access 7, 42210-42219 (2019)
24. Yin, C., et al.: A Deep Learning Approach for Intrusion Detection Using Recurrent
Neural Networks. IEEE Access 5, 21954-21961 (2017)
25. Zhang, Y., et al.: A network intrusion detection method based on deep learning with
higher accuracy. Procedia Computer Science 174, 50-54 (2020)