Qianyu Li,Min Zhang,Yi Shen,Ruipeng Wang,Miao Hu,Yang Li,Hao Hao

DOI: https://doi.org/10.1016/j.cose.2023.103358

2023-06-22

Abstract:Penetration testing (PT) is an effective method to assess the security of a network, mainly carried out by experienced human experts, and is widely applied in practice. It is urgent to develop automated tools to alleviate the pressure of talent shortages. Reinforcement learning (RL) is a promising approach to achieving automated PT. However, the high complexity of PT scenarios and the low sample efficiency of RL hinder its applications in practice. Specifically, it faces two dilemmas: (1) vast state and action spaces and (2) highly ineffective exploration. We propose a hierarchical deep reinforcement learning (HDRL) model with expert prior knowledge to overcome the above dilemmas. The HDRL model mitigates the first dilemma. According to the characteristics of PT, we design the model as a hierarchical structure containing two layers of agents, and the agents as a deep neural network to decompose PT tasks and reduce their complexity. Expert prior knowledge mitigates the second dilemma. It is used as rules and knowledge graphs, carries out action constraints according to the rules, and obtains action advice according to knowledge graphs. The two jointly guide the decision-making of agents to reduce invalid exploration. To verify the effectiveness of the proposed method, we design scenarios based on actual network environments. The experimental results show that our model significantly improves the sample efficiency, greatly reduces the learning time of the agents, and shows good performance on large-scale network scenarios, which has the potential to promote the practical application of intelligent PT based on RL.

computer science, information systems

Yuanliang Li,Hanzheng Dai,Jun Yan

DOI: https://doi.org/10.48550/arXiv.2405.15908

2024-05-25

Abstract:Automated penetration testing (AutoPT) based on reinforcement learning (RL) has proven its ability to improve the efficiency of vulnerability identification in information systems. However, RL-based PT encounters several challenges, including poor sampling efficiency, intricate reward specification, and limited interpretability. To address these issues, we propose a knowledge-informed AutoPT framework called DRLRM-PT, which leverages reward machines (RMs) to encode domain knowledge as guidelines for training a PT policy. In our study, we specifically focus on lateral movement as a PT case study and formulate it as a partially observable Markov decision process (POMDP) guided by RMs. We design two RMs based on the MITRE ATT\&CK knowledge base for lateral movement. To solve the POMDP and optimize the PT policy, we employ the deep Q-learning algorithm with RM (DQRM). The experimental results demonstrate that the DQRM agent exhibits higher training efficiency in PT compared to agents without knowledge embedding. Moreover, RMs encoding more detailed domain knowledge demonstrated better PT performance compared to RMs with simpler knowledge.

Artificial Intelligence,Cryptography and Security,Machine Learning

Mohamed C. Ghanem,Thomas M. Chen,Erivelton G. Nepomuceno

DOI: https://doi.org/10.1007/s10844-022-00738-0

2022-09-13

Journal of Intelligent Information Systems

Abstract:Penetration testing (PT) is a method for assessing and evaluating the security of digital assets by planning, generating, and executing possible attacks that aim to discover and exploit vulnerabilities. In large networks, penetration testing becomes repetitive, complex and resource consuming despite the use of automated tools. This paper investigates reinforcement learning (RL) to make penetration testing more intelligent, targeted, and efficient. The proposed approach called Intelligent Automated Penetration Testing Framework (IAPTF) utilizes model-based RL to automate sequential decision making. Penetration testing tasks are treated as a partially observed Markov decision process (POMDP) which is solved with an external POMDP-solver using different algorithms to identify the most efficient options. A major difficulty encountered was solving large POMDPs resulting from large networks. This was overcome by representing networks hierarchically as a group of clusters and treating each cluster separately. This approach is tested through simulations of networks of various sizes. The results show that IAPTF with hierarchical network modeling outperforms previous approaches as well as human performance in terms of time, number of tested vectors and accuracy, and the advantage increases with the network size. Another advantage of IAPTF is the ease of repetition for retesting similar networks, which is often encountered in real PT. The results suggest that IAPTF is a promising approach to offload work from and ultimately replace human pen testing.

computer science, information systems, artificial intelligence

Kexiang Qian,Daojuan Zhang,Peng Zhang,Zhihong Zhou,Xiuzhen Chen,Shengxiong Duan

DOI: https://doi.org/10.1109/icaica52286.2021.9497911

2021-01-01

Abstract:Penetration testing (PT) is the best method for vulnerabilities assessment and evaluating the security of the system under test, by planning and generating possible attack exploits, consist of a series of complex and time consuming trial-and-error stages. Many automated Pentest tools have made. Current Reinforce Learning (RL) based PT tools can do systematic and regular tests to save human resources. Without the aid of prior knowledge, RL-based penetration is somehow more like brute-force test. In this paper, we propose a novel ontology based BDI-agent RL automatic PT framework. By combining SWRL penetration testing knowledge base and RL in a BDI (belief-desire-intention) agent, the proposed model can make use of the ontology based knowledge base (prior knowledge) to optimize the planning problem in the uncertain and dynamic environment. Finally, the simulation on ASL simulation platform Jason proved the new BDI-agent auto-PT model can improve the accuracy and speed performance.

Shicheng Zhou,Jingju Liu,Dongdong Hou,Xiaofeng Zhong,Yue Zhang

DOI: https://doi.org/10.3390/app11198823

2021-09-23

Applied Sciences

Abstract:Penetration testing is an effective way to test and evaluate cybersecurity by simulating a cyberattack. However, the traditional methods deeply rely on domain expert knowledge, which requires prohibitive labor and time costs. Autonomous penetration testing is a more efficient and intelligent way to solve this problem. In this paper, we model penetration testing as a Markov decision process problem and use reinforcement learning technology for autonomous penetration testing in large scale networks. We propose an improved deep Q-network (DQN) named NDSPI-DQN to address the sparse reward problem and large action space problem in large-scale scenarios. First, we reasonably integrate five extensions to DQN, including noisy nets, soft Q-learning, dueling architectures, prioritized experience replay, and intrinsic curiosity model to improve the exploration efficiency. Second, we decouple the action and split the estimators of the neural network to calculate two elements of action separately, so as to decrease the action space. Finally, the performance of algorithms is investigated in a range of scenarios. The experiment results demonstrate that our methods have better convergence and scaling performance.

Qianyu Li,Ruipeng Wang,Dong Li,Fan Shi,Min Zhang,Anupam Chattopadhyay,Yi Shen,Yang Li

DOI: https://doi.org/10.1109/tifs.2024.3461950

IF: 7.231

2024-10-05

IEEE Transactions on Information Forensics and Security

Abstract:Penetration testing, a crucial industrial practice for securing networked systems and infrastructures, has traditionally depended on the extensive expertise of human professionals. Addressing the scarcity of human experts, the development of automated penetration testing tools emerges as a promising avenue. Against the backdrop of rapid advancements in artificial intelligence technologies, reinforcement learning has demonstrated considerable potential for realizing automated penetration testing. However, existing research predominantly concentrates on reinforcement learning-based automated penetration testing tools within static scenarios, with limited exploration in dynamic network environments. This paper addresses a noteworthy challenge in developing autonomous agents for real-world applications, particularly focusing on scenarios marked by environmental changes. Such alterations necessitate autonomous agents to continuously monitor environmental characteristics, and adapt, and adjust learned actions to ensure the system's effective operation. Consequently, the paper proposes an automated reinforcement learning-based penetration testing scheme tailored for dynamic network scenarios, named DynPen. DynPen captures observed changes in the scenario, aiding the penetration testing agent in decision-making based on historical experiences. Simulation results demonstrate the proposed scheme's efficacy in significantly expediting the convergence speed of the penetration testing agent using reinforcement learning algorithms. Furthermore, the scheme successfully maintains the learning agility and adaptability of the agent in dynamic network scenarios.

computer science, theory & methods,engineering, electrical & electronic

Yizhou Yang,Mengxuan Chen,Haohuan Fu,Xin Liu

DOI: https://doi.org/10.1109/GLOBECOM54140.2023.10437804

2023-01-01

Abstract:Intelligent penetration testing (pen-testing), utilising Deep Reinforcement Learning (DRL) has gained attention due to its potential for improving testing efficiency and cost-effectiveness in evaluating network system security. Nonetheless, current approaches which rely on simplistic neural network architectures suffer limitations in transferability and their ability to generalise to new tasks, thus impeding their practical application. This paper aims to address these issues by formalising the pen-testing decision process as a Host-Centric Markov decision process (HC-MDP), as well as establishing a structural representation of the relationships among the hosts within a network system. Further, we propose a flexible policy architecture, the "SetTron", that leverages this structural representation to augment architectural inductive bias in a DRL agent and then practically evaluate our approach on pen-testing simulator platforms. The findings show SetTron to demonstrate superior performance, in terms of learning efficiency and policy convergence, compared to state-of-the-art methods and baselines with shorter penetration sequences and enhanced rewards. Besides, SetTron exhibits remarkable zero-shot generalisation capabilities, enabling perfect transfer to new tasks with randomly placed target hosts, achieving a 100% success rate, and outperforming baselines by a factor of 6 when comparing normalised scores.

Hongri Liu,Chuhan Liu,Xiansheng Wu,Yun Qu,Hongmei Liu

DOI: https://doi.org/10.3390/electronics13214311

IF: 2.9

2024-11-03

Electronics

Abstract:Given the large action space and state space involved in penetration testing, reinforcement learning is widely applied to enhance testing efficiency. This paper proposes an automatic penetration testing scheme based on hierarchical reinforcement learning to reduce both action space and state space. The scheme includes a network intelligence responsible for specifying the penetration host and a host intelligence designated to perform penetration testing on the selected host. Specifically, within the network intelligence, an action-masking mechanism is adopted to shield unenabled actions, thereby reducing the explorable action space and improving the penetration testing efficiency. Additionally, the host intelligence employs an invalid discrimination mechanism, terminating testing after actions that do not alter system states, thereby preventing sudden increases in the number of neural network training steps for an action. An optimistic estimation mechanism is also introduced to select penetration strategies suited to various hosts, preventing training crashes due to value confusion between different hosts. Ablation experiments demonstrate that the host intelligence can learn different penetration strategies for varying penetration depths without significant fluctuations in training steps, and the network intelligence can coordinate with the host intelligence to perform network penetration steadily. This hierarchical reinforcement learning framework can detect network vulnerabilities more quickly and accurately, significantly reducing the cost of security policy updates.

engineering, electrical & electronic,computer science, information systems,physics, applied

Ziming Zhao,Zhaoxuan Li,Zhuoxue Song,Fan Zhang,Binbin Chen

DOI: https://doi.org/10.1109/infocom52122.2024.10621290

2024-01-01

Abstract:Existing Deep Learning (DL)-based network Intrusion Detection System (IDS) is able to characterize sequence semantics of traffic and discover malicious behaviors. Yet DL models are often nonlinear and highly non-convex functions that are difficult for in-network deployment. In this paper, we present RIDS, a hardware-friendly Recurrent Neural Network (RNN) model that is co-designed with programmable switches. As its core, RIDS is powered by two tightly-coupled components: (i) rLearner, the RNN learning module with in-network deployability as the first-class requirement; and (ii) rEnforcer, the concrete pipeline design to realize rLearner-generated models inside the network dataplane. We implement a prototype of RIDS and evaluate it on our physical testbed. The experiments show that RIDS could satisfy both detection performance and high-speed bandwidth adaptation simultaneously, when none of the other existing approaches could do so. Inspiringly, RIDS realizes remarkable intrusion/malware detection effect (e.g., similar to 99% F1 score) and model deployment (e.g., 100 Gbps per port), while only imposing nanoseconds of latency.

Zegang Li,Qian Zhang,Guangwen Yang

DOI: https://doi.org/10.1002/eng2.12818

2023-01-01

Engineering Reports

Abstract:In recent years, penetration testing (pen-testing) has emerged as a crucial process for evaluating the security level of network infrastructures by simulating real-world cyber-attacks. Automating pen-testing through reinforcement learning (RL) facilitates more frequent assessments, minimizes human effort, and enhances scalability. However, real-world pen-testing tasks often involve incomplete knowledge of the target network system. Effectively managing the intrinsic uncertainties via partially observable Markov decision processes (POMDPs) constitutes a persistent challenge within the realm of pen-testing. Furthermore, RL agents are compelled to formulate intricate strategies to contend with the challenges posed by partially observable environments, thereby engendering augmented computational and temporal expenditures. To address these issues, this study introduces EPPTA (efficient POMDP-driven penetration testing agent), an agent built on an asynchronous RL framework, designed for conducting pen-testing tasks within partially observable environments. We incorporate an implicit belief module in EPPTA, grounded on the belief update formula of the traditional POMDP model, which represents the agent's probabilistic estimation of the current environment state. Furthermore, by integrating the algorithm with the high-performance RL framework, sample factory, EPPTA significantly reduces convergence time compared to existing pen-testing methods, resulting in an approximately 20-fold acceleration. Empirical results across various pen-testing scenarios validate EPPTA's superior task reward performance and enhanced scalability, providing substantial support for efficient and advanced evaluation of network infrastructure security. The article introduces EPPTA, a reinforcement learning framework designed for penetration testing, and assesses its performance across diverse network configurations. EPPTA incorporates a belief module, augmenting its capacity to handle partially observable security challenges. EPPTA outperforms other methods in terms of convergence times, especially in larger and more complex scenarios, showcasing its scalability and adaptability to evolving security challenges.image

Ziming Zhao,Zhaoxuan Li,Zhuoxue Song,Fan Zhang

DOI: https://doi.org/10.1109/rtss59052.2023.00045

2023-01-01

Abstract:Existing Deep Learning (DL)-based network Intrusion Detection System (IDS) is able to characterize sequence semantics of traffic and discover malicious behaviors. Yet DL models are often nonlinear and highly non-convex functions that are difficult for in-network real-time deployment, i.e., existing DL solutions are essentially offline analysis. In this paper, we present RIDS, a hardware-friendly Recurrent Neural Network (RNN) model that is co-designed with programmable switches. As its core, RIDS is powered by two tightly-coupled components: (i) rLearner, the RNN learning module with in-network deployability as the first-class requirement; and (ii) rEnforcer, the concrete pipeline design to realize rLearner-generated models inside the network dataplane. We implement a prototype of RIDS and evaluate it on our physical testbed. The experiments show that RIDS could satisfy both detection performance and high-speed bandwidth adaptation simultaneously, when none of the other existing approaches could do so. Inspiringly, RIDS realizes remarkable intrusion/malware detection effect (e.g., ∽99% F1 score) and model deployment (e.g., 100 Gbps per port), while only imposing nanoseconds of latency.

Kezhou Ren,Yifan Zeng,Zhiqin Cao,Yingchao Zhang

DOI: https://doi.org/10.1038/s41598-022-19366-3

IF: 4.6

2022-09-14

Scientific Reports

Abstract:Network assaults pose significant security concerns to network services; hence, new technical solutions must be used to enhance the efficacy of intrusion detection systems. Existing approaches pay insufficient attention to data preparation and inadequately identify unknown network threats. This paper presents a network intrusion detection model (ID-RDRL) based on RFE feature extraction and deep reinforcement learning. ID-RDRL filters the optimum subset of features using the RFE feature selection technique, feeds them into a neural network to extract feature information and then trains a classifier using DRL to recognize network intrusions. We utilized CSE-CIC-IDS2018 as a dataset and conducted tests to evaluate the model's performance, which is comprised of a comprehensive collection of actual network traffic. The experimental results demonstrate that the proposed ID-RDRL model can select the optimal subset of features, remove approximately 80% of redundant features, and learn the selected features through DRL to enhance the IDS performance for network attack identification. In a complicated network environment, it has promising application potential in IDS.

multidisciplinary sciences

Jinyin Chen,Shulong Hu,Haibin Zheng,Changyou Xing,Guomin Zhang

DOI: https://doi.org/10.1016/j.cose.2022.103055

2022-12-09

Abstract:Penetration testing (PT) is an efficient tool for network testing and vulnerability mining by simulating the hackers' attacks to obtain valuable information applied in operating and database systems. Most of the traditional manual solutions are strongly relying on the domain knowledge of human experts with high penetration costs. Therefore, solutions based on the artificial intelligent algorithm such as reinforcement learning (RL) and deep reinforcement learning (DRL), with less time-consuming and lower labor costs, become a great solution to address the challenge. However, there are still a few challenges for RL/DRL-based PT in real penetration scenarios, such as the large dimension size of the agent's discrete action space usually causing difficulties in convergence. To address the above issue, this paper proposes a novel framework named G enerative A dversarial I mitation L earning based intelligent P enetration T esting (GAIL-PT), which utilizes expert knowledge base and GAIL network to guide the policy generation of RL/DRL agents with lower costs. Specifically, we first construct the expert knowledge bases by collecting state-action pairs from the successful exploitations of pre-trained RL/DRL models. Secondly, we feed the expert knowledge bases generated by different RL/DRL models online into the discriminator of GAIL-PT to guide its training process. Besides, we integrate the losses of the generator and the discriminator in GAIL-PT to optimize the overall objective and use the discriminator's discounted rewards for policy generation. The extensive experiments conducted on the practical target hosts and simulated network scenarios demonstrate that GAIL-PT achieves outstanding performance, and outperforms the state-of-art method DeepExploit in exploiting Metasploitable2 and Q-learning in different scale networks. It also verified that GAIL-PT is a general leading framework suitable for RL/DRL-based methods. The code of GAIL-PT is open-sourced at https://github.com/Shulong98/GAIL-PT//.

computer science, information systems

Yizhou Yang,Longde Chen,Sha Liu,Lanning Wang,Haohuan Fu,Xin Liu,Zuoning Chen

DOI: https://doi.org/10.1007/s11704-024-3380-1

IF: 2.6688

2024-11-27

Frontiers of Computer Science

Abstract:Reinforcement Learning (RL) is gaining importance in automating penetration testing as it reduces human effort and increases reliability. Nonetheless, given the rapidly expanding scale of modern network infrastructure, the limited testing scale and monotonous strategies of existing RL-based automated penetration testing methods make them less effective in practical application. In this paper, we present CLAP (Coverage-Based Reinforcement Learning to Automate Penetration Testing), an RL penetration testing agent that provides comprehensive network security assessments with diverse adversary testing behaviours on a massive scale. CLAP employs a novel neural network, namely the coverage mechanism, to address the enormous and growing action spaces in large networks. It also utilizes a Chebyshev decomposition critic to identify various adversary strategies and strike a balance between them. Experimental results across various scenarios demonstrate that CLAP outperforms state-of-the-art methods, by further reducing attack operations by nearly 35%. CLAP also provides enhanced training efficiency and stability and can effectively perform pen-testing over large-scale networks with up to 500 hosts. Additionally, the proposed agent is also able to discover pareto-dominant strategies that are both diverse and effective in achieving multiple objectives.

computer science, information systems, theory & methods, software engineering

Wanrong Yang,Alberto Acuto,Yihang Zhou,Dominik Wojtczak

2024-09-25

Abstract:Cyber-attacks are becoming increasingly sophisticated and frequent, highlighting the importance of network intrusion detection systems. This paper explores the potential and challenges of using deep reinforcement learning (DRL) in network intrusion detection. It begins by introducing key DRL concepts and frameworks, such as deep Q-networks and actor-critic algorithms, and reviews recent research utilizing DRL for intrusion detection. The study evaluates challenges related to model training efficiency, detection of minority and unknown class attacks, feature selection, and handling unbalanced datasets. The performance of DRL models is comprehensively analyzed, showing that while DRL holds promise, many recent technologies remain underexplored. Some DRL models achieve state-of-the-art results on public datasets, occasionally outperforming traditional deep learning methods. The paper concludes with recommendations for enhancing DRL deployment and testing in real-world network scenarios, with a focus on Internet of Things intrusion detection. It discusses recent DRL architectures and suggests future policy functions for DRL-based intrusion detection. Finally, the paper proposes integrating DRL with generative methods to further improve performance, addressing current gaps and supporting more robust and adaptive network intrusion detection systems.

Cryptography and Security,Artificial Intelligence

Van-Hau Pham,Hien Do Hoang,Phan Thanh Trung,Van Dinh Quoc,Trong-Nghia To,Phan The Duy

DOI: https://doi.org/10.48550/arXiv.2309.15518

2023-09-27

Abstract:In order to assess the risks of a network system, it is important to investigate the behaviors of attackers after successful exploitation, which is called post-exploitation. Although there are various efficient tools supporting post-exploitation implementation, no application can automate this process. Most of the steps of this process are completed by experts who have profound knowledge of security, known as penetration testers or pen-testers. To this end, our study proposes the Raijū framework, a Reinforcement Learning (RL)-driven automation approach that assists pen-testers in quickly implementing the process of post-exploitation for security-level evaluation in network systems. We implement two RL algorithms, Advantage Actor-Critic (A2C) and Proximal Policy Optimization (PPO), to train specialized agents capable of making intelligent actions, which are Metasploit modules to automatically launch attacks of privileges escalation, gathering hashdump, and lateral movement. By leveraging RL, we aim to empower these agents with the ability to autonomously select and execute actions that can exploit vulnerabilities in target systems. This approach allows us to automate certain aspects of the penetration testing workflow, making it more efficient and responsive to emerging threats and vulnerabilities. The experiments are performed in four real environments with agents trained in thousands of episodes. The agents automatically select actions and launch attacks on the environments and achieve over 84\% of successful attacks with under 55 attack steps given. Moreover, the A2C algorithm has proved extremely effective in the selection of proper actions for automation of post-exploitation.

Cryptography and Security,Artificial Intelligence

Boya Liu,Guoai Xu,Guosheng Xu,Chenyu Wang,Peiliang Zuo

DOI: https://doi.org/10.3390/s23031204

IF: 3.9

2023-01-21

Sensors

Abstract:The vehicular ad hoc network (VANET) constitutes a key technology for realizing intelligent transportation services. However, VANET is characterized by diverse message types, complex security attributes of communication nodes, and rapid network topology changes. In this case, how to ensure safe, efficient, convenient, and comfortable message services for users has become a challenge that should not be ignored. To improve the flexibility of routing matching multiple message types in VANET, this paper proposes a secure intelligent message forwarding strategy based on deep reinforcement learning (DRL). The key supporting elements of the model in the strategy are reasonably designed in combination with the scenario, and sufficient training of the model is carried out by deep Q networks (DQN). In the strategy, the state space is composed of the distance between candidate and destination nodes, the security attribute of candidate nodes and the type of message to be sent. The node can adaptively select the routing scheme according to the complex state space. Simulation and analysis show that the proposed strategy has the advantages of fast convergence, well generalization ability, high transmission security, and low network delay. The strategy has flexible and rich service patterns and provides flexible security for VANET message services.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Ahmed Mohamed Ahmed,Thanh Thi Nguyen,Mohamed Abdelrazek,Sunil Aryal

DOI: https://doi.org/10.1007/s00521-024-09668-0

2024-05-08

Neural Computing and Applications

Abstract:In today's intricate information technology landscape, the escalating complexity of computer networks is accompanied by a myriad of malicious threats seeking to compromise network components. To address these security challenges, we propose an approach that synergizes reinforcement learning and deep neural networks. Our method involves training autonomous cyber-agents to strategically attack network nodes, aiming to expose vulnerabilities and extract confidential information. We employ various off-policy deep reinforcement learning algorithms, including deep Q-network (DQN), double DQN, and dueling DQN, to train and evaluate these agents within two enterprise simulation networks provided by Microsoft. The simulations, modeled as Markov games between attack and defense, exclude human intervention. Results demonstrate that agents trained by double DQN and dueling DQN surpass baseline agents trained using traditional reinforcement learning and DQN methods. This approach not only enhances our understanding of network vulnerabilities but also lays the groundwork for future efforts to fortify computer network defense and security.

computer science, artificial intelligence

Hooman Alavizadeh,Hootan Alavizadeh,Julian Jang-Jaccard

DOI: https://doi.org/10.3390/computers11030041

2022-03-11

Computers

Abstract:The rise of the new generation of cyber threats demands more sophisticated and intelligent cyber defense solutions equipped with autonomous agents capable of learning to make decisions without the knowledge of human experts. Several reinforcement learning methods (e.g., Markov) for automated network intrusion tasks have been proposed in recent years. In this paper, we introduce a new generation of the network intrusion detection method, which combines a Q-learning based reinforcement learning with a deep feed forward neural network method for network intrusion detection. Our proposed Deep Q-Learning (DQL) model provides an ongoing auto-learning capability for a network environment that can detect different types of network intrusions using an automated trial-error approach and continuously enhance its detection capabilities. We provide the details of fine-tuning different hyperparameters involved in the DQL model for more effective self-learning. According to our extensive experimental results based on the NSL-KDD dataset, we confirm that the lower discount factor, which is set as 0.001 under 250 episodes of training, yields the best performance results. Our experimental results also show that our proposed DQL is highly effective in detecting different intrusion classes and outperforms other similar machine learning approaches.

Congyuan Xu,Jizhong Shen,Xin Du,Fan Zhang

DOI: https://doi.org/10.1109/access.2018.2867564

IF: 3.9

2018-01-01

IEEE Access

Abstract:To improve the performance of network intrusion detection systems (IDS), we applied deep learning theory to intrusion detection and developed a deep network model with automatic feature extraction. In this paper, we consider the characteristics of the time-related intrusion and propose a novel IDS that consists of a recurrent neural network with gated recurrent units (GRU), multilayer perceptron (MLP), and softmax module. Experiments on the well-known KDD 99 and NSL-KDD data sets show that the system has leading performance. The overall detection rate was 99.42% using KDD 99 and 99.31% using NSL-KDD with false positive rates as low as 0.05% and 0.84%, respectively. In particular, for detecting the denial of service attacks, the system achieved detection rates of 99.98% and 99.55%, respectively. Comparative experiments showed that the GRU is more suitable as a memory unit for IDS than LSTM, and proved that it is an effective simplification and improvement of LSTM. Moreover, the bidirectional GRU can reach the best performance compared with the recently published methods.