Ammar Almomani

DOI: https://doi.org/10.1016/j.eij.2022.06.006

IF: 4.195

2022-07-27

Egyptian Informatics Journal

Abstract:Virtual Private Networks (VPNs) are one example of encrypted communication services commonly used to bypass censorship and access geographically locked services. This study performed VPN and non-VPN traffic analysis and developed a classification system based on the new techniques of machine learning classifiers known as stacking ensemble learning. The methods used for VPN and Non-VPN classification use three machine learning techniques: random forest, neural network, and support vector machine. To assess the proposed method's performance, we tested it on a dataset containing 61 features. The experiment results accurately prove the study's classifiers to differentiate between VPN and Non-VPN traffic. The accuracy level was approximately 99% in the training and testing phase. The study's classifiers also show the best standard deviation, with a 100% accuracy rate compared to other A.I. classifier methods.

computer science, information systems, artificial intelligence

Gazy Abbas,Umar Farooq,Parvinder Singh,Surinder Singh Khurana,Paramjeet Singh

DOI: https://doi.org/10.1007/s42979-023-01944-5

2023-07-29

SN Computer Science

Abstract:With the rapid advancement in technology, the constant emergence of new applications and services has resulted in a drastic increase in Internet traffic, making it increasingly challenging for network analysts to maintain network security and classify traffic, especially when encrypted or tunneled. To address this issue, the proposed strategy aims to distinguish between regular traffic and traffic tunneled through a virtual private network and characterize traffic from seven different applications. The proposed approach utilizes various ensemble machine learning techniques, which are efficient and accurate and consume minimal computational time for training and prediction compared to conventional machine and deep learning models. These models were applied for both the classification and characterization of network traffic, deriving efficient results. The extreme and light gradient boosting algorithms performed well in multiclass classification, while AdaBoost and Light GBM performed well in binary classification. However, when all the datasets were merged and categorized into two classes and various feature engineering methods were applied, the proposed system achieved an accuracy of more than 99%, with minimal error scores using light GBM with min–max scaling over stratified fivefold, thereby outperforming all existing approaches. This research highlights the efficiency and potential of the proposed model in detecting network traffic.

Fengrui Xiao,Feng Yang,Shuangwu Chen,Jian Yang

DOI: https://doi.org/10.1007/978-3-030-94029-4_1

2022-01-01

Abstract:Nowadays, network traffic detection plays a very important role in protecting cyberspace security, and more and more applications realize data privacy protection through encryption technology. Regular expression matching based methods, such as deep packet inspection that relies on plaintext traffic cannot be applied to detecting encrypted random communication content, and the existing detecting methods based on time-series features often ignore the encryption protocol features. In this work, we design an ensemble learning system based on stack algorithms to identify encrypted malicious traffic, which can detect the interactive behavior and the encryption protocols simultaneously. In detail, we construct a deep learning classifier based on Long Short-Term Memory (LSTM) for time-series features, and a machine learning classifier based on random forests for encryption protocol features. Then, we use the stacking algorithm in ensemble learning to combine them to form a new classifier. Finally, relying on the Datacon2020 dataset, extensive experiments are conducted. The experimental results indicate that the proposed method improves the detection rate of encrypted malicious traffic while keeping a low false positive rate.

Lulu Guo,Qianqiong Wu,Shengli Liu,Ming Duan,Huijie Li,Jianwen Sun

DOI: https://doi.org/10.1007/s11554-019-00930-6

2019-12-02

Abstract:With the widespread application of virtual private network (VPN) technology, real-time VPN traffic identification has become an increasingly important task in network management and security maintenance. Since traditional encrypted traffic identification technology is not effective in feature extraction and selection, this paper proposes two deep learning-based models to classify the traffic into VPN and non-VPN traffic, identify VPN traffic generated by six different applications much further. Our models utilize convolutional auto-encoding (CAE) and convolutional neural network (CNN), respectively, preprocessing the traffic samples into session pictures, to accomplish the experiment objectives. The CAE-based method, utilizing the unsupervised nature of CAE to extract the hidden layer features, can automatically learn the nonlinear relationship between original input and expected output. The CNN-based method performs well in extracting two-dimensional local features of images. Experimental results show that our models perform better than traditional identification methods. In the two-category identification, the best result comes from the CAE-based model; the overall identification accuracy rate is 98.77%. Among the six-category identification, the best result comes from CNN-based model; the overall identification accuracy rate is 92.92%.

computer science, artificial intelligence,engineering, electrical & electronic,imaging science & photographic technology

S. Pavithra,K. Venkata Vikas

DOI: https://doi.org/10.1109/access.2024.3405187

IF: 3.9

2024-05-31

IEEE Access

Abstract:The growth of cyber threats demands a robust and adaptive intrusion detection system (IDS) capable of effectively recognizing malicious activities from network traffic. However, the existing imbalance of class in network data possesses a significant challenge to traditional IDS. To overcome these challenges, this project proposes a novel hybrid Intrusion Detection System using machine learning algorithms, which includes XGBoost, Long Short-Term Memory (LSTM), Mini-VGGNet, and AlexNet, which is used to handle the unbalanced network traffic data. Furthermore, the Random Forest Regressor is used to ascertain the importance of features for enhancing detection accuracy and interpretability. Addressing the inherent class imbalance in network data is crucial for ensuring the IDS's effectiveness. The proposed system employs a combination of oversampling techniques for minority classes and under sampling techniques for majority classes during data preprocessing. This balanced representation of network traffic data helps prevent the IDS from being biased towards the majority class and improves its ability to detect rare or novel intrusions. The utilization of Random Forest Regressor for feature extraction serves a dual purpose. It helps identify the most relevant features within the network traffic data that contribute significantly to detecting intrusions. It enables the system to prioritize and focus on these important features during model training, thereby enhancing detection accuracy while reducing computational complexity. This research contributes to the ongoing efforts to mitigate cyber threats and safeguard critical network infrastructures.

computer science, information systems,telecommunications,engineering, electrical & electronic

Mohammad Lotfollahi,Ramin Shirali Hossein Zade,Mahdi Jafari Siavoshani,Mohammdsadegh Saberian

DOI: https://doi.org/10.48550/arXiv.1709.02656

2018-07-04

Abstract:Internet traffic classification has become more important with rapid growth of current Internet network and online applications. There have been numerous studies on this topic which have led to many different approaches. Most of these approaches use predefined features extracted by an expert in order to classify network traffic. In contrast, in this study, we propose a \emph{deep learning} based approach which integrates both feature extraction and classification phases into one system. Our proposed scheme, called "Deep Packet," can handle both \emph{traffic characterization} in which the network traffic is categorized into major classes (\eg, FTP and P2P) and application identification in which end-user applications (\eg, BitTorrent and Skype) identification is desired. Contrary to most of the current methods, Deep Packet can identify encrypted traffic and also distinguishes between VPN and non-VPN network traffic. After an initial pre-processing phase on data, packets are fed into Deep Packet framework that embeds stacked autoencoder and convolution neural network in order to classify network traffic. Deep packet with CNN as its classification model achieved recall of $0.98$ in application identification task and $0.94$ in traffic categorization task. To the best of our knowledge, Deep Packet outperforms all of the proposed classification methods on UNB ISCX VPN-nonVPN dataset.

Machine Learning,Cryptography and Security,Networking and Internet Architecture

ThankGod Obasi,M. Omair Shafiq

DOI: https://doi.org/10.1016/j.comcom.2022.02.006

IF: 5.047

2022-02-01

Computer Communications

Abstract:Classification of network traffic data into different applications, services, or types is critical for network service providers to monitor networks and maintain Quality of Service (QoS). With the continuous evolution of technological advancements and with the rapid increase in security and user privacy concerns, encryption techniques are commonly used. Encrypted network traffic makes it challenging for network service providers to monitor a network using classical network monitoring techniques and tools. Due to security and privacy reasons, data cannot be decrypted. The dynamics of encrypted network traffic data cannot be interpreted, and it makes the task of classifying the encrypted network traffic a major challenge. This presents Internet Service Providers with challenges as varying Quality of Service is being provided to clients along with the security and privacy concerns to monitor network traffic. Machine learning and deep learning techniques are being utilized to classify encrypted network traffic data. This paper presents an ensemble learning technique that is based on existing data pre-processing machine learning and deep learning techniques. We examine different models and identify the best and relevant statistical features from encrypted network traffic for the classification of non-VPN encrypted network traffic data. We performed multiple experiments that led us to developing an ensemble learning model based on the existing deep learning and machine learning models for the classification of non-VPN encrypted network traffic data. The proposed solution (named as CARD-B) is composed of Capsule Neural Networks, Artificial Neural Networks, Random Forest, Decision Trees, along with Boosting techniques such as Adaptive Boosting and Extreme Gradient Boosting. The techniques are stacked using Random Forest Classifier. The result of the experiment shows that the proposed model achieved an overall accuracy of 96% and an AUC of 98% using different possible extracted statistical features.

computer science, information systems,telecommunications,engineering, electrical & electronic

Sumaiya Thaseen Ikram,Aswani Kumar Cherukuri,Babu Poorva,Pamidi Sai Ushasree,Yishuo Zhang,Xiao Liu,Gang Li

DOI: https://doi.org/10.2478/cait-2021-0037

2021-09-01

Cybernetics and Information Technologies

Abstract:Abstract Intrusion Detection Systems (IDSs) utilise deep learning techniques to identify intrusions with maximum accuracy and reduce false alarm rates. The feature extraction is also automated in these techniques. In this paper, an ensemble of different Deep Neural Network (DNN) models like MultiLayer Perceptron (MLP), BackPropagation Network (BPN) and Long Short Term Memory (LSTM) are stacked to build a robust anomaly detection model. The performance of the ensemble model is analysed on different datasets, namely UNSW-NB15 and a campus generated dataset named VIT_SPARC20. Other types of traffic, namely unencrypted normal traffic, normal encrypted traffic, encrypted and unencrypted malicious traffic, are captured in the VIT_SPARC20 dataset. Encrypted normal and malicious traffic of VIT_SPARC20 is categorised by the deep learning models without decrypting its contents, thus preserving the confidentiality and integrity of the data transmitted. XGBoost integrates the results of each deep learning model to achieve higher accuracy. From experimental analysis, it is inferred that UNSW_ NB results in a maximal accuracy of 99.5%. The performance of VIT_SPARC20 in terms of accuracy, precision and recall are 99.4%. 98% and 97%, respectively.

LV Sicai,Chao Wang,Zibo Wang,Shuo Wang,Bailing Wang,Yongzheng Zhang,Sicai LV

DOI: https://doi.org/10.1016/j.comnet.2023.109990

IF: 5.493

2023-08-25

Computer Networks

Abstract:Virtual Private Network(VPN) can provide a concealed transmission channel for communication and protect the privacy of users. However, it also brings hidden dangers to cybersecurity with its wide application. Malicious behavior or harmful information can be transmitted secretly through VPN tunnels to avoid firewall censorship. Therefore, VPN traffic identification is an important part of ensure cybersecurity. Although many efforts have been made for VPN traffic identification, existing methods mainly focus on supervised learning models. In this paper, we propose an one-class classification model called AAE-DSVDD for VPN traffic identification. First, we introduce Adversarial AutoEncoder(AAE) for preliminary modeling of VPN traffic. AAE can match the aggregated posterior distribution of the hidden layer to an arbitrary prior distribution. It associates the samples with a normal distribution in the hidden space. Secondly, We implement representation learning for VPN traffic via Deep Support Vector Data Description(DSVDD). A standardized method is designed to match the output distribution of DSVDD with the aggregated posterior distribution of AAE. It alleviates the hypersphere collapse problem of DSVDD and improves identification performance. Finally, we verify the abilities of the AAE-DSVDD model on the public dataset ISCXVPN. Compared with other one-class models, AAE-DSVDD achieved the best identification ability for VPN traffic identification. It also improves the recognition ability when identifying strange classes that are not included in the training data.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Saikat Das,Sajal Saha,Annita Tahsin Priyoti,Etee Kawna Roy,Frederick T. Sheldon,Anwar Haque,Sajjan Shiva

DOI: https://doi.org/10.1109/tnsm.2021.3138457

2021-01-01

IEEE Transactions on Network and Service Management

Abstract:Proper security solutions in the cyber world are crucial for enforcing network security by providing real-time network protection against network vulnerabilities and data exploitation. An effective intrusion detection strategy is capable of taking a holistic approach for protecting critical systems against unauthorized access or attack. In this paper, we describe a machine learning (ML) based comprehensive security solution for network intrusion detection using ensemble supervised ML framework and ensemble feature selection methods. In addition, we provide a comparative analysis of several ML models and feature selection methods. The goal of this research is to design a generic detection mechanism and achieve higher accuracy with minimal false positive rates (FPR). NSL-KDD, UNSW-NB15, and CICIDS2017 datasets are used in the experiment, and results show that our detection model can identify 99.3% of intrusions successfully with the lowest 0.5% of false alarms, which depicts better performance metrics compared to existing solutions.

computer science, information systems

Rukhsar Sultana,Jyoti Grover,Meenakshi Tripathi,Manhar Singh Sachdev,Sparsh Taneja

DOI: https://doi.org/10.1007/s10922-024-09827-7

2024-05-24

Journal of Network and Systems Management

Abstract:Vehicular ad hoc networks (VANET) facilitate vehicle to everything (V2X) communication between vehicles and road side units (RSU) to exchange safety and alert messages required for the successful implementation of VANET applications. However, VANET is exposed to Sybil attacks, where malicious vehicles generate multiple false identities to seize control of network resources or create non-existent traffic situations. While several Sybil attack detection mechanisms based on deterministic and learning methods exist, their performance is restricted to particular scenarios. This work proposes a deep learning-based Sybil Attack Detection mechanism. It identifies the Sybil nodes by detecting the associativity between senders at a time instant using common vehicle characteristics, including Euclidean distance, speed, flow, and computed similarity between senders by using the dynamic time warping (DTW) method. Among the five applied deep learning models, the proposed solution achieves improved detection performance through convolutional neural network (CNN) and a combination of CNN with long short-term memory (LSTM) models in varying network scenarios.

computer science, information systems,telecommunications

Vibekananda Dutta,Michał Choraś,Marek Pawlicki,Rafał Kozik

DOI: https://doi.org/10.3390/s20164583

2020-08-15

Abstract:Currently, expert systems and applied machine learning algorithms are widely used to automate network intrusion detection. In critical infrastructure applications of communication technologies, the interaction among various industrial control systems and the Internet environment intrinsic to the IoT technology makes them susceptible to cyber-attacks. Given the existence of the enormous network traffic in critical Cyber-Physical Systems (CPSs), traditional methods of machine learning implemented in network anomaly detection are inefficient. Therefore, recently developed machine learning techniques, with the emphasis on deep learning, are finding their successful implementations in the detection and classification of anomalies at both the network and host levels. This paper presents an ensemble method that leverages deep models such as the Deep Neural Network (DNN) and Long Short-Term Memory (LSTM) and a meta-classifier (i.e., logistic regression) following the principle of stacked generalization. To enhance the capabilities of the proposed approach, the method utilizes a two-step process for the apprehension of network anomalies. In the first stage, data pre-processing, a Deep Sparse AutoEncoder (DSAE) is employed for the feature engineering problem. In the second phase, a stacking ensemble learning approach is utilized for classification. The efficiency of the method disclosed in this work is tested on heterogeneous datasets, including data gathered in the IoT environment, namely IoT-23, LITNET-2020, and NetML-2020. The results of the evaluation of the proposed approach are discussed. Statistical significance is tested and compared to the state-of-the-art approaches in network anomaly detection.

Zachary Tauscher,Yushan Jiang,Kai Zhang,Jian Wang,Houbing Song

DOI: https://doi.org/10.48550/arXiv.2108.08394

2021-08-19

Abstract:With massive data being generated daily and the ever-increasing interconnectivity of the world's Internet infrastructures, a machine learning based intrusion detection system (IDS) has become a vital component to protect our economic and national security. In this paper, we perform a comprehensive study on NSL-KDD, a network traffic dataset, by visualizing patterns and employing different learning-based models to detect cyber attacks. Unlike previous shallow learning and deep learning models that use the single learning model approach for intrusion detection, we adopt a hierarchy strategy, in which the intrusion and normal behavior are classified firstly, and then the specific types of attacks are classified. We demonstrate the advantage of the unsupervised representation learning model in binary intrusion detection tasks. Besides, we alleviate the data imbalance problem with SVM-SMOTE oversampling technique in 4-class classification and further demonstrate the effectiveness and the drawback of the oversampling mechanism with a deep neural network as a base model.

Cryptography and Security,Machine Learning

Rohit Singh,Krishna Pal Sharma,Lalit Kumar Awasthi

DOI: https://doi.org/10.1007/s10586-024-04519-y

2024-05-13

Cluster Computing

Abstract:The rapidly growing number of Internet of Things (IoT) devices has led to a rise in data transfers, which has raised security concerns. Due to the devices' limited processing capabilities and vulnerability to many cyber attacks, securing IoT communications is challenging. Security threats, especially Distributed Denial of Service (DDoS) attacks, take a toll on the network in the form of increased communication overhead. Hence, a centralized unit is required to detect DDoS attacks in IoT networks at the earliest. Software-Defined Networking (SDN) promises a potential solution for better network traffic management and data flow. This paper presents a machine learning-based ensemble model for the detection of DDoS attacks in IoT networks using SDN. The proposed model employs a multi-step approach utilizing various Machine Learning (ML) algorithms. The proposed Ensemble Model (EM) combines Logistic Regression (LR), k-Nearest Neighbors (KNN), Gradient Boosting (GB), Extra-tree (ET), AdaBoost, and XGBoost, with XGBoost as the final estimator classifier. Various metrics, including sensitivity, specificity, precision, accuracy, and others, derived from the confusion matrix, evaluate the proposed model's performance. The EM demonstrates superior performance during comparative analysis with state-of-the-art schemes, with a classification accuracy of 99.8%. Furthermore, the paper evaluates the model based on Receiver Operator Characteristic (ROC) curves, showing its superiority in True Positive Rates (TPR) compared to False Positive Rates (FPR). The AUC analysis supports the EM's effectiveness. Cross-validation results further validate the model's robustness, with a mean accuracy of 97.92%.

computer science, information systems, theory & methods

Sivamohan Krishnaveni,Sivanandam Sivamohan,Subramanian Sridhar,Subramani Prabhakaran

DOI: https://doi.org/10.1002/cpe.6838

2022-01-24

Concurrency and Computation: Practice and Experience

Abstract:Abstract Cloud computing security is the most critical factor for providers, cloud users, and organizations. The various novel approaches apply host‐based or network‐based methods to increase cloud security performance and detection rate. However, due to the virtual and distributed environment of the cloud, conventional network intrusion detection systems (NIDS) have been unreliable in handling these security attacks. Therefore, we design a methodology that incorporates feature selection and classification using ensemble techniques to provide efficient and accurate intrusion detection to address these problems. This proposed model combines the three most effective feature selection techniques (gain‐ratio, chi‐squared, and information gain) to offer a qualifying result and four top classifiers (SVM, LR, NB, and DT) using enhanced weighted majority voting. Moreover, we proposed an experimental technique using a new dataset called Honeypot. All experiments utilized three datasets: Honeypots, Kyoto, and NSL: KDD. In addition, the results of this experimental study were compared with other approaches and performed the statistical significance analysis. Finally, the results reveal that the proposed intrusion detection based on the Honeypot dataset was better and more efficient than other methods because we have an accuracy of 98.29%, FAR of 0.012%, DR of 97.9%, and AUC = 0.9921.

Ashfaq Hussain Farooqi,Shahzaib Akhtar,Hameedur Rahman,Touseef Sadiq,Waseem Abbass

DOI: https://doi.org/10.3390/s24010127

2023-12-26

Abstract:In the context of 6G technology, the Internet of Everything aims to create a vast network that connects both humans and devices across multiple dimensions. The integration of smart healthcare, agriculture, transportation, and homes is incredibly appealing, as it allows people to effortlessly control their environment through touch or voice commands. Consequently, with the increase in Internet connectivity, the security risk also rises. However, the future is centered on a six-fold increase in connectivity, necessitating the development of stronger security measures to handle the rapidly expanding concept of IoT-enabled metaverse connections. Various types of attacks, often orchestrated using botnets, pose a threat to the performance of IoT-enabled networks. Detecting anomalies within these networks is crucial for safeguarding applications from potentially disastrous consequences. The voting classifier is a machine learning (ML) model known for its effectiveness as it capitalizes on the strengths of individual ML models and has the potential to improve overall predictive performance. In this research, we proposed a novel classification technique based on the DRX approach that combines the advantages of the Decision tree, Random forest, and XGBoost algorithms. This ensemble voting classifier significantly enhances the accuracy and precision of network intrusion detection systems. Our experiments were conducted using the NSL-KDD, UNSW-NB15, and CIC-IDS2017 datasets. The findings of our study show that the DRX-based technique works better than the others. It achieved a higher accuracy of 99.88% on the NSL-KDD dataset, 99.93% on the UNSW-NB15 dataset, and 99.98% on the CIC-IDS2017 dataset, outperforming the other methods. Additionally, there is a notable reduction in the false positive rates to 0.003, 0.001, and 0.00012 for the NSL-KDD, UNSW-NB15, and CIC-IDS2017 datasets.

Shakil Ibne Ahsan,Phil Legg,S M Iftekharul Alam

2024-10-11

Abstract:Intrusion Detection Systems (IDS) are widely employed to detect and mitigate external network security events. Vehicle ad-hoc Networks (VANETs) continue to evolve, especially with developments related to Connected Autonomous Vehicles (CAVs). In this study, we explore the detection of cyber threats in vehicle networks through ensemble-based machine learning, to strengthen the performance of the learnt model compared to relying on a single model. We propose a model that uses Random Forest and CatBoost as our main investigators, with Logistic Regression used to then reason on their outputs to make a final decision. To further aid analysis, we use SHAP (SHapley Additive exPlanations) analysis to examine feature importance towards the final decision stage. We use the Vehicular Reference Misbehavior (VeReMi) dataset for our experimentation and observe that our approach improves classification accuracy, and results in fewer misclassifications compared to previous works. Overall, this layered approach to decision-making combining teamwork among models with an explainable view of why they act as they do can help to achieve a more reliable and easy-to-understand cyber security solution for smart transportation networks.

Cryptography and Security

Steven Jorgensen,John Holodnak,Jensen Dempsey,Karla de Souza,Ananditha Raghunath,Vernon Rivet,Noah DeMoes,Andrés Alejos,Allan Wollaber

DOI: https://doi.org/10.1109/TAI.2023.3244168

2023-10-07

Abstract:With the increasing prevalence of encrypted network traffic, cyber security analysts have been turning to machine learning (ML) techniques to elucidate the traffic on their networks. However, ML models can become stale as new traffic emerges that is outside of the distribution of the training set. In order to reliably adapt in this dynamic environment, ML models must additionally provide contextualized uncertainty quantification to their predictions, which has received little attention in the cyber security domain. Uncertainty quantification is necessary both to signal when the model is uncertain about which class to choose in its label assignment and when the traffic is not likely to belong to any pre-trained classes. We present a new, public dataset of network traffic that includes labeled, Virtual Private Network (VPN)-encrypted network traffic generated by 10 applications and corresponding to 5 application categories. We also present an ML framework that is designed to rapidly train with modest data requirements and provide both calibrated, predictive probabilities as well as an interpretable "out-of-distribution" (OOD) score to flag novel traffic samples. We describe calibrating OOD scores using p-values of the relative Mahalanobis distance. We demonstrate that our framework achieves an F1 score of 0.98 on our dataset and that it can extend to an enterprise network by testing the model: (1) on data from similar applications, (2) on dissimilar application traffic from an existing category, and (3) on application traffic from a new category. The model correctly flags uncertain traffic and, upon retraining, accurately incorporates the new data.

Cryptography and Security,Machine Learning

Adel Binbusayyis,Thavavel Vaiyapuri

DOI: https://doi.org/10.1007/s10489-021-02205-9

IF: 5.3

2021-02-24

Applied Intelligence

Abstract:With the rapid advancement in network technologies, the need for cybersecurity has gained increasing momentum in recent years. As a primary defense mechanism, an intrusion detection system (IDS) is expected to adapt and secure the computing infrastructures from the ever-changing sophisticated threat landscape. Many deep learning approaches have recently been proposed; however, these techniques face significant challenges in identifying all types of attacks, especially rare attacks due to network traffic imbalances and the lack of a sufficient number of abnormal traffic samples for model training. To overcome these shortcomings and improve detection performance, this paper presents an unsupervised deep learning approach for intrusion detection. Unlike the existing IDS model that extracts features and trains a classifier in two separate stages, a single-stage IDS approach that integrates a one-dimensional convolutional autoencoder (1D CAE) and a one-class support vector machine (OCSVM) as a classifier into a joint optimization framework is introduced in this paper for the first time. Using only the normal traffic samples, the approach simultaneously optimizes the 1D CAE for compact feature representation and the OCSVM for classification by defining a unified objective function combining reconstruction error with classification error. Thus, the generated compact feature representation has not only reconstruction ability but also discriminative ability for classification. An in-depth ablation analysis validates the design decisions and provides further insight of the proposed approach. An extensive set of experiments on two benchmark intrusion datasets, NSL-KDD and UNSW-NB15, demonstrates the generalization ability of the proposed model for unseen attacks and confirms it as a competitive approach over the recent state-of-the-art intrusion detection baselines. Overall, the obtained results emphasize that the proposed approach has potential to serve as a baseline for building an effective IDS.

computer science, artificial intelligence

Nedeljko Nikolić,Slavica Tomović,Igor Radusinović

DOI: https://doi.org/10.5937/telfor2202061n

2022-01-01

Telfor Journal

Abstract:In this paper, we apply Deep Learning (DL) and decision-tree-based ensemble learning algorithms to classify network traffic by application. Various Deep Learning (DL) models for network traffic identification have been presented, implemented and compared, including 1D convolutional, stacked autoencoder, multi-layer perceptron, and combination of the aforementioned. Then the results of DL models have been compared to those obtained with two popular ensemble learning models based on decision trees-Random Forest and XGBoost. To train and test the classification models, a dataset containing both encrypted and unencrypted traffic has been collected in a real network, under normal operating conditions, and pre-processed in a way that ensures non-biased results. The classification uncertainties of the models have been also quantified on publicly available ISCX VPN-nonVPN dataset. The models have been compared in terms of precision, recall, F1 score and accuracy, for different levels of complexity and training dataset sizes. The evaluation results indicate that the decision-tree ensemble learning algorithms provide more accurate results and outperform the DL algorithms. The performance gap reduces with the dataset complexity.