Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Jiaxin Liu,Xucheng Song,Yingjie Zhou,Xi Peng,Yanru Zhang,Pei Liu,Dapeng Wu,Ce Zhu

DOI: https://doi.org/10.1016/j.neucom.2021.01.146

IF: 6

2022-05-01

Neurocomputing

Abstract:With the wide deployment of edge devices, a variety of emerging applications have been deployed at the edge of network. To guarantee the safe and efficient operations of the edge applications, especially the extensive web applications, it is important and challenging to detect packet payload anomalies, which can be expressed as a number of specific strings that may cause attacks. Although some approaches have achieved remarkable progress, they are with limited applications since these approaches are dependent on in-depth expert knowledge, e.g., signatures describing anomalies or communication protocol at the application level. Moreover, they might fail to detect the payload anomalies that may have long-term dependency relationships at the edge of network. To overcome these limitations and adaptively detect anomalies from packet payloads, we propose a deep learning based framework which does not rely on any in-depth expert knowledge and is capable of detecting anomalies that have long-term dependency relationships. The proposed framework consists of two parts. First, a novel block sequence construction method is proposed to obtain a valid expression of a payload. The block sequence could encapsulate both the high-dimension information and the underlying sequential information which facilitate the anomaly detection. Secondly, we design a detection model to learn two different dependency relationships within the block sequence, which is based on Long Short-Term Memory (LSTM), Convolutional Neural Networks (CNN) and Multi-head Self Attention Mechanism. Furthermore, we cast the anomaly detection as a classification problem and employ a classifier with attention mechanism to integrate information and detect anomalies. Extensive experimental results on three public datasets indicate that our model could achieve a higher detection rate, while keeping a lower false positive rate compared with two traditional machine learning methods and three state-of-the-art methods.

computer science, artificial intelligence

Junchi Xing,Chunming Wu

DOI: https://doi.org/10.1109/INFOCOMWKSHPS50562.2020.9162940

2020-01-01

Abstract:The widely used encryption of network traffic poses a great challenge to anomaly detection. Currently, the supervised and semi-supervised solutions suffer from the problems of noisy label of data, non-stationary traffic distribution, and huge resource consumption for offline training. To address this, in this paper, we present an unsupervised, robust, and online anomaly detection method for encrypted traffic by using deep dictionary learning, called D2LAD. D2LAD offers the potential to extract sequential features from raw encrypted traffic data with the help of an LSTM-based autoencoder. Then, according to the sequential features, D2LAD is able to explore the hidden normal patterns by iterative deep dictionary learning. Eventually, D2LAD can obtain the anomaly score of raw data by calculating its relevance to the deep dictionary. We implement a prototype of D2LAD and evaluate its effectiveness and performance by experiments using realistic datasets. The experimental results show that our method achieves high accuracy and low resource usage, and outperforms the representative state-of-the-art methods in real-world settings.

Mayra Alexandra Macas Carrasco,Chunming Wu

DOI: https://doi.org/10.1109/icmla.2019.00212

2019-01-01

Abstract:Current Cyber-Physical Systems (CPSs) are sophisticated, complex, and equipped with networked sensors and actuators. As such, they have become further exposed to cyber-attacks. Recent catastrophic events have demonstrated that standard, human-based management of anomaly detection in complex systems is not efficient enough and have underlined the significance of automated detection, intelligent and rapid response. Nevertheless, existing anomaly detection frameworks usually are not capable of dealing with the dynamic and complicated nature of the CPSs. In this study, we introduce an unsupervised framework for anomaly detection based on an Attention-based Spatio-Temporal Autoencoder. In particular, we first construct statistical correlation matrices to characterize the system status across different time steps. Next, a 2D convolutional encoder is employed to encode the patterns of the correlation matrices, whereas an Attention-based Convolutional LSTM Encoder-Decoder (ConvLSTM-ED) is used to capture the temporal dependencies. More precisely, we introduce an input attention mechanism to adaptively select the most significant input features at each time step. Finally, the 2D convolutional decoder reconstructs the correlation matrices. The differences between the reconstructed correlation matrices and the original ones are used as indicators of anomalies. Extensive experimental analysis on data collected from all six stages of Secure Water Treatment (SWaT) testbed, a scaled-down version of a real-world industrial water treatment plant, demonstrates that the proposed model outperforms the state-of-the-art baseline techniques.

Shang Wu,Yijie Wang

DOI: https://doi.org/10.1109/ISPA-BDCloud-SocialCom-SustainCom52081.2021.00196

2021-09-01

Abstract:Attack payloads are often short segments hidden in HTTP requests; thus they can be found by HTTP payload anomaly detection. Deep learning models learn data features during training without manual feature extraction, and better performance has received more attention. Recurrent Neural Network models process sequences directly, which are widely used in payload anomaly detection. However, due to the gradient vanishing problem, RNN has limits on processing the long sequences. Meanwhile, RNN uses its final hidden state for detection and pays more attention to the content of the end of the payload. Besides, deep learning generally lacks interpretability. The paper proposes an unsupervised deep learning model for HTTP payload Anomaly Detection, namely Attention-based Encoder-Decoder Recurrent Neural Networks Anomaly Detection model (AEDRAD). AEDRAD utilizes the encoder-decoder RNN and attention mechanism to detect anomalies by reconstructing the original sequences. AEDRAD filters the fields of HTTP protocol that cannot exist anomalies, focusing on the suspicious segments. Through the encoder-decoder network, the normal payload can be well-reconstructed while the anomaly payload fails. With the attention mechanism, AEDRAD generates practical features for further anomaly detection from a global perspective. Meanwhile, it marks abnormal fragments visually, which is conducive to a subsequent analysis by experts. The experimental results show that AEDRAD significantly outperforms three state-of-the-art unsupervised algorithms on two real datasets.

Computer Science

Tao Yang,Zhenze Jiang,Peiyu Liu,Qiang Yang,Wenhai Wang

DOI: https://doi.org/10.1016/j.knosys.2023.110949

IF: 8.139

2023-01-01

Knowledge-Based Systems

Abstract:In Industrial Cyber-Physical Systems (ICPSs), the attacker can intrude into the cyber system through many penetration tools and attack the physical system. Payload-based traffic anomaly detection is a popular technique against these attacks. Due to the imbalanced distribution of normal and attack samples in ICPS, existing payload-based detection methods are mostly implemented based on unsupervised learning, typically comprising a word segmentation model and an unsupervised classifier. However, existing methods may disrupt semantic correlations and face challenges in extracting com-plex payload dependence relationships. To address these issues, this paper proposes a traffic anomaly detection approach, which consists of a data preprocessing model, an unsupervised word segmentation model, and an unsupervised classification model based on autoencoder. The unsupervised word segmentation model utilizes Long Short-Term Memory (LSTM) to calculate the probability of each word segmentation combination, effectively addressing the issue of inaccurate segmentation results in existing payload segmentation models. The unsupervised classification model, which combines 1D-Convolutional Neural Network (1D-CNN) and Bidirectional Encoder Representation from Transformers (BERT), addresses the challenge of extracting complex payload dependence relationships in existing classification models. The proposed detection approach is evaluated using a Cyber-Physical Attack Dataset (CPAD). Compared with the state-of-the-art detection approaches, the proposed approach has shown a significant improvement in Precision, with an increase of 18.83%. Additionally, the Recall has also been substantially enhanced, with a gain of 22.3%. Overall, the F1 has demonstrated a comprehensive improvement of 20.60%. (c) 2023 Elsevier B.V. All rights reserved.

Patrick Duessel,Christian Gehl,Ulrich Flegel,Sven Dietrich,Michael Meier

DOI: https://doi.org/10.1007/s10207-016-0344-y

2016-07-20

International Journal of Information Security

Abstract:Anomaly detection allows for the identification of unknown and novel attacks in network traffic. However, current approaches for anomaly detection of network packet payloads are limited to the analysis of plain byte sequences. Experiments have shown that application-layer attacks become difficult to detect in the presence of attack obfuscation using payload customization. The ability to incorporate syntactic context into anomaly detection provides valuable information and increases detection accuracy. In this contribution, we address the issue of incorporating protocol context into payload-based anomaly detection. We present a new data representation, called cn\documentclass[12pt]{minimal}\usepackage{amsmath}\usepackage{wasysym}\usepackage{amsfonts}\usepackage{amssymb}\usepackage{amsbsy}\usepackage{mathrsfs}\usepackage{upgreek}\setlength{\oddsidemargin}{-69pt}\begin{document}$${c}_n$$\end{document}-grams, that allows to integrate syntactic and sequential features of payloads in an unified feature space and provides the basis for context-aware detection of network intrusions. We conduct experiments on both text-based and binary application-layer protocols which demonstrate superior accuracy on the detection of various types of attacks over regular anomaly detection methods. Furthermore, we show how cn\documentclass[12pt]{minimal}\usepackage{amsmath}\usepackage{wasysym}\usepackage{amsfonts}\usepackage{amssymb}\usepackage{amsbsy}\usepackage{mathrsfs}\usepackage{upgreek}\setlength{\oddsidemargin}{-69pt}\begin{document}$${c}_n$$\end{document}-grams can be used to interpret detected anomalies and thus, provide explainable decisions in practice.

computer science, information systems, theory & methods, software engineering

Zeyi Li,Pan Wang,Zixuan Wang,De-chuan Zhan

DOI: https://doi.org/10.23919/cje.2022.00.173

IF: 1.019

2024-01-01

Chinese Journal of Electronics

Abstract:In recent years, low recall rates and high dependencies on data labelling have become the biggest obstacle to developing deep anomaly detection (DAD) techniques. Inspired by the success of generative adversarial networks (GANs) in detecting anomalies in computer vision and imaging, we propose an anomaly detection model called FlowGANAnomaly for detecting anomalous traffic in network intrusion detection systems (NIDS). Unlike traditional GAN-based approaches, which are composed of a flow encoder, a convolutional encoder-decoder-encoder, a flow decoder and a convolutional encoder, the architecture of this model consists of a generator (G) and a discriminator (D). FlowGANAnomaly maps the different types of traffic feature data from separate datasets to a uniform feature space, thus can capture the normality of network traffic data more accurately in an adversarial manner to mitigate the problem of the high dependence on data labeling. Moreover, instead of simply detecting the anomalies by the output of D, we proposed a new anomaly scoring method that integrates the deviation between the output of two Gs' convolutional encoders with the output of D as weighted scores to improve the low recall rate of anomaly detection. We conducted several experiments comparing existing machine learning algorithms and existing deep learning methods (AutoEncoder and VAE) on four public datasets (NSL-KDD, CIC-IDS2017, CIC-DDoS2019, and UNSW-NB15). The evaluation results show that FlowGANAnomaly can significantly improve the performance of anomaly-based NIDS.

engineering, electrical & electronic

Rui Zhao,Cheng Luo,Fei Gao,Zhenhai Gao,Longyi Li,Dong Zhang,Wengang Yang

DOI: https://doi.org/10.3390/electronics13020377

IF: 2.9

2024-01-17

Electronics

Abstract:The Controller Area Network with Flexible Data-Rate (CAN-FD) bus is the predominant in-vehicle network protocol, responsible for transmitting crucial application semantic signals. Due to the absence of security measures, CAN-FD is vulnerable to numerous cyber threats, particularly those altering its authentic physical values. This paper introduces Physical Semantics-Enhanced Anomaly Detection (PSEAD) for CAN-FD networks. Our framework effectively extracts and standardizes the genuine physical meaning features present in the message data fields. The implementation involves a Long Short-Term Memory (LSTM) network augmented with a self-attention mechanism, thereby enabling the unsupervised capture of temporal information within high-dimensional data. Consequently, this approach fully exploits contextual information within the physical meaning features. In contrast to the non-physical semantics-aware whole frame combination detection method, our approach is more adept at harnessing the physical significance inherent in each segment of the message. This enhancement results in improved accuracy and interpretability of anomaly detection. Experimental results demonstrate that our method achieves a mere 0.64% misclassification rate for challenging-to-detect replay attacks and zero misclassifications for DoS, fuzzing, and spoofing attacks. The accuracy has been enhanced by over 4% in comparison to existing methods that rely on byte-level data field characterization at the data link layer.

engineering, electrical & electronic,computer science, information systems,physics, applied

Zhongjing Ma,Zhan Chen,Xiaochen Zheng,Tianyu Wang,Yuyang You,Suli Zou,Yu Wang

DOI: https://doi.org/10.34133/cbsystems.0086

2024-01-16

Abstract:Anomaly detection has wide applications to help people recognize false, intrusion, flaw, equipment failure, etc. In most practical scenarios, the amount of the annotated data and the trusted labels is low, resulting in poor performance of the detection. In this paper, we focus on the anomaly detection for the text type data and propose a detection network based on biological immunity for few-shot detection, by imitating the working mechanism of the immune system of biological organisms. This network enabling the protected system to distinguish the aggressive behavior of "nonself" from the legitimate behavior of "self" by embedding characters. First, it constructs episodic task sets and extracts data representations at the character level. Then, in the pretraining phase, Word2Vec is used to embed the representations. In the meta-learning phase, a dynamic prototype containing encoder, routing, and relation is designed to identify the data traffic. Compare to the mean-based prototype, the proposed prototype applies a dynamic routing algorithm that assigns different weights to samples in the support set through multiple iterations to obtain a prototype that combines the distribution of samples. The proposed method is validated on 2 real traffic datasets. The experimental results indicate that (a) the proposed anomaly detection prototype outperforms state-of-the-art few-shot techniques with 1.3% to 4.48% accuracy and 0.18% to 4.55% recall; (b) under the premise of ensuring the accuracy and recall, the number of training samples is reduced to 5 or 10; (c) ablation experiments are designed for each module, and the results show that more accurate prototypes can be obtained by using the dynamic routing algorithm.

Hajar Hameed Addeen,Yang Xiao,Tieshan Li

DOI: https://doi.org/10.1109/access.2024.3384295

IF: 3.9

2024-04-09

IEEE Access

Abstract:Modern technologies adopt Internet of Things (IoT) devices to increase water management efficiency and enhance water quality services. However, the limitations of IoT devices, such as small sizes and poor security, weaken the Water Distribution System (WDS) security, and many attackers compromise the critical components of WDS. Cyber-physical attacks (CPAs) are considered one of the biggest challenges that decrease the security factors in WDS by disrupting normal operations and tampering with the critical data of the water system. For instance, an attacker can change the water pump's speed, disrupting the service. An attacker can also alter the data of water quality parameters to contaminate the water. It is important to propose solutions to increase security in the WDS and defend against CPAs and security threats. Although several intrusion detection methods were proposed in the literature to detect WDS CPAs, many issues still need solutions, such as detecting attacks with smaller false alarms, minimizing the time to disclose the attacks, determining the location of the compromising components, and recovering solutions for the attacked components. Therefore, this paper proposes a model based on a deep learning algorithm called a Conditional variational Autoencoder (CVAE) to disclose CPAs and mitigate their bad effects on WDS. The proposed method consists of a neural network, an encoder to compress data, and a decoder to decompress data. The objective goal is to minimize the reconstruction error between the encoded-decoded data and the initial data. We apply the CVAE on some well-known datasets. The experiment results show that our proposed CVAE method performs better than others. After analyzing the CVAE model with other existing models, we get the highest performance by reaching %98 accuracy.

computer science, information systems,telecommunications,engineering, electrical & electronic

Qinghao Zhang,Miao Ye,Xiaofang Deng

DOI: https://doi.org/10.1080/09540091.2022.2078281

2022-06-16

Connection Science

Abstract:Anomaly detection is a critical technique that ensures the reliability of WSNs. However, most existing anomaly detectionmethods only consider the case of single modal data flow anomaly detection for each node or multiple modal time series data flowanomaly detection for a single node and do not consider the case of multiple nodes and multiple time series data flow simultaneously,and it limited the ability of anomaly detection. In this paper, a novel anomaly detection model is proposed for multimodal WSN data flows. First, the temporal features and modal correlation features extracted from each sensor node are fused into one vectorrepresentation, then it is further aggregated with the spatial features represented the spatial position relationship of the nodes; finally,the current time-series data of WSN nodes are predicted, and abnormal states are identified according to the fusion features. Thesimulation results obtained on a public dataset show that the proposed approach can significantly improve upon existing methods interms of robustness, and its F1 score reaches 0.90, which is 14.2% higher than that of the graph convolution network (GCN) with longshort-term memory (LSTM).

computer science, artificial intelligence, theory & methods

Miao Ye,Qinghao Zhang,Xingsi Xue,Yong Wang,Qiuxiang Jiang,Hongbing Qiu

DOI: https://doi.org/10.1109/jsyst.2023.3347435

IF: 4.802

2024-03-19

IEEE Systems Journal

Abstract:To address the issue that existing wireless sensor network (WSN)-based anomaly detection methods only consider and analyze temporal features, in this article, a self-supervised learning-based anomalous node detection method based on an autoencoder is designed. This method integrates the extraction of temporal WSN data flow feature, spatial position feature, and intermodal WSN correlation feature into the autoencoder design to make full use of the spatial and temporal information of the WSN for anomaly detection. First, a fully connected network is used to extract the temporal features of nodes by considering a single mode from a local spatial perspective. Second, a graph neural network is used to introduce the WSN topology from a global spatial perspective for anomaly detection and to extract the spatial and temporal features of the data flows of nodes and their neighbors by considering a single mode. Then, an adaptive fusion method involving weighted summation is used to extract the relevant features between different modes. In addition, the gated recurrent unit network structure is introduced to solve the long-term dependence problem in the time dimension. Eventually, the reconstructed output of the decoder and the hidden layer representation of the autoencoder are fed into a fully connected network to calculate the anomaly probability for the current system. Since the spatial feature extraction operation is performed first, the designed method can be applied for anomaly detection in large-scale networks with the addition of a clustering operation. Experiments show that the designed method outperforms baseline methods, and the F1 score reaches 90.6%, at least 5.2% higher than those of existing anomaly detection methods based on unsupervised reconstruction and prediction.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

Zhi-Quan Qin,Xing-Kong Ma,Yong-Jun Wang

DOI: https://doi.org/10.1016/j.cose.2020.102070

2020-12-01

Abstract:<p>Detecting anomalous discrete sequences such as payloads and syscall traces is a crucial task of network security analysis for discovering novel attacks. The data characteristics that lack of labels, very long sequences and irregularly variable lengths make generating proper representations for the sequences for anomaly detection quite challenging. Traditional methods combining shallow models with feature engineering require lots of time and effort from researchers. And they only catch short patterns for the sequences. Recently deep learning is paid more and more attention due to its excellent performance on data representation. Current works simply adopt recurrent neural network based models to this task. They learn the local patterns of the sequences but can not view the sequences globally. Besides, the variable length makes the deep models that accept fixed-size inputs unavailable. Moreover, the deep models usually lack interpretability. Here an unsupervised deep learning framework utilizing attention mechanism called ADSAD is proposed to address these issues. ADSAD takes both the data characteristics and the limitation of the deep models into consideration and generate the global representations for the sequences by two steps, in which the attention mechanism is applied to improve the interpretability. The empirical results showed that the ADSAD instances significantly outperformed the state-of-the-art deep models, with the relative AUC improvement of up to 7%. The attention mechanism not only enhanced the detection performance by up to 73% in terms of AUC but was also able to assist experts for anomaly analysis by visualization.</p>

computer science, information systems

Haozhi Li,Tian Song,Yating Yang

DOI: https://doi.org/10.1109/tdsc.2022.3207573

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Network covert timing channels can be maliciously used to exfiltrate secrets, coordinate attacks and propagate malwares, posing serious threats to cybersecurity. Current covert timing channels normally conduct small-volume transmission under the covers of various disguising techniques, making them hard to detect especially when a detector has little priori knowledge of their traffic features. In this paper, we propose a generic and sensitive detection approach, which can simultaneously (i) identify various types of channels without their traffic knowledge and (ii) maintain reasonable performance on small traffic samples. The basis of our approach is the finding that the short-term timing behavior of covert and legitimate traffic is significantly different from the perspective of inter-packet delays&#x27; variation. This phenomenon can be a generic reference to detect various channels because it is resistant to major channel disguising techniques which only mimic long-term traffic features, while it is also a sensitive reference to spot small-volume covert transmission since it can capture traffic anomalies in a fine-grained manner. To obtain the inner patterns of inter-packet delays&#x27; variation, we design a context-sensitive feature-extraction technique. This technique transforms each raw inter-packet delay into a discrete counterpart based on its contextual properties, thus extracting its variation features and reducing traffic data complexity. Then we learn legitimate variation patterns using a neural network model, and identify samples showing anomalous variation as covert. The experimental results show that our approach effectively detects all currently representative channels in the absence of their knowledge, presenting once to twice higher sensitivity than the state-of-the-art solutions.

computer science, information systems, software engineering, hardware & architecture

Kun Wu,Lei Zhu,Weihang Shi,Wenwu Wang,Jin Wu

DOI: https://doi.org/10.1109/tcsvt.2022.3211839

IF: 5.859

2023-03-11

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:Anomaly detection plays an important role in manufacturing quality control/assurance. Among approaches adopting computer vision techniques, reconstruction-based methods learn a content-aware mapping function that transfers abnormal regions to normal regions in an unsupervised manner. Such methods usually have difficulty in improving both the reconstruction quality and capacity for abnormal discovery. We observe that high-level semantic contextual features demonstrate a strong ability for abnormal discovery, while variational features help to preserve fine image details. Inspired by the observation, we propose a new abnormal detection model by utilizing features for different purposes depending on their frequency characteristics. The 2D-discrete wavelet transform (DWT) is introduced to obtain the low-frequency and high-frequency components of features and further used to generate the two essential features following different routing paths in our encoder process. To further improve the capacity for abnormal discovery, we propose a novel feature augmentation module that is informed by a customized self-attention mechanism. Extensive experiments are conducted on two popular datasets: MVTec AD and BTAD. The experimental results illustrate that the proposed method outperforms other state-of-the-art approaches in terms of the image-level AUROC score. In particular, our method achieves 100% of the image-level AUROC score on 8 out of 15 classes on the MVTec dataset.

engineering, electrical & electronic

Chunyan An,Yingyi Liu,Qi Li,Pengbo Si

DOI: https://doi.org/10.3390/electronics13173482

IF: 2.9

2024-09-03

Electronics

Abstract:As electronic sensors and sensor networks advance, perception data are increasingly characterized by mixed attributes. Traditional anomaly detection methods predominantly focus on numerical attributes. In this paper, we introduce a weighted neighborhood information network (WNIN)-enabled anomaly detection method tailored for mixed-attribute data from electronic sensors and sensor networks. Firstly, we employ the analytic hierarchy process (AHP) to analyze the security of sensor networks, leveraging a hierarchical electronic sensor network model to construct a hierarchical perception security architecture for anomaly detection. Subsequently, a neighborhood information system is established to ascertain the relationships between data objects with mixed attributes. We then develop the WNIN to encapsulate the relationships, and a state-transferring probability matrix based on data object similarity is derived. Ultimately, a random wandering process within the WNIN is executed, and the importance of data objects is evaluated using the steady-state distribution vector, thereby determining the anomaly data. Simulation outcomes reveal that our proposed method attains superior anomaly detection rates compared with existing methods.

engineering, electrical & electronic,computer science, information systems,physics, applied

Andrew Golczynski,John A. Emanuello

DOI: https://doi.org/10.48550/arXiv.2108.12276

IF: 14.4

2021-08-27

Artificial Intelligence

Abstract:Rule-based IDS (intrusion detection systems) are being replaced by more robust neural IDS, which demonstrate great potential in the field of Cybersecurity. However, these ML approaches continue to rely on ad-hoc feature engineering techniques, which lack the capacity to vectorize inputs in ways that are fully relevant to the discovery of anomalous cyber activity. We propose a deep end-to-end framework with NLP-inspired components for identifying potentially malicious behaviors on enterprise computer networks. We also demonstrate the efficacy of this technique on the recently released DARPA OpTC data set.

Eric L. Goodman,Chase Zimmerman,Corey Hudson

DOI: https://doi.org/10.48550/arXiv.2004.14477

2020-04-30

Abstract:One of deep learning's attractive benefits is the ability to automatically extract relevant features for a target problem from largely raw data, instead of utilizing human engineered and error prone handcrafted features. While deep learning has shown success in fields such as image classification and natural language processing, its application for feature extraction on raw network packet data for intrusion detection is largely unexplored. In this paper we modify a Word2Vec approach, used for text processing, and apply it to packet data for automatic feature extraction. We call this approach Packet2Vec. For the classification task of benign versus malicious traffic on a 2009 DARPA network data set, we obtain an area under the curve (AUC) of the receiver operating characteristic (ROC) between 0.988-0.996 and an AUC of the Precision/Recall curve between 0.604-0.667.

Machine Learning,Cryptography and Security