3 research outputs found

    Network Intrusion Detection System: A systematic study of Machine Learning and Deep Learning approaches

    The rapid advances in the internet and communication fields have resulted in a huge increase in the network size and the corresponding data. As a result, many novel attacks are being generated and have posed challenges for network security to accurately detect intrusions. Furthermore, the presence of the intruders with the aim to launch various attacks within the network cannot be ignored. An intrusion detection system (IDS) is one such tool that prevents the network from possible intrusions by inspecting the network traffic, to ensure its confidentiality, integrity, and availability. Despite enormous efforts by the researchers, IDS still faces challenges in improving detection accuracy while reducing false alarm rates and in detecting novel intrusions. Recently, machine learning (ML) and deep learning (DL)-based IDS systems are being deployed as potential solutions to detect intrusions across the network in an efficient manner. This article first clarifies the concept of IDS and then provides the taxonomy based on the notable ML and DL techniques adopted in designing network-based IDS (NIDS) systems. A comprehensive review of the recent NIDS-based articles is provided by discussing the strengths and limitations of the proposed solutions. Then, recent trends and advancements of ML and DL-based NIDS are provided in terms of the proposed methodology, evaluation metrics, and dataset selection. Using the shortcomings of the proposed methods, we highlighted various research challenges and provided the future scope for the research in improving ML and DL-based NIDS.

    An observation-centric analysis on the modeling of anomaly-based intrusion detection

    It is generally agreed that two key points always attract special concern during the modelling of anomaly-based intrusion detection. One is the technique for discerning two classes with different features; the other is the construction/selection of the observed sample of normally occurring patterns for system normality characterization. In this paper, instead of focusing on the design of specific anomaly detection models, we restrict our attention to the analysis of the anomaly detector's operating environment, which gives us insight into anomaly detectors' operational capabilities, including their detection coverage and blind spots, and thus lets us evaluate them in a convincing manner. Taking the similarity with the induction problem as the starting point, we cast anomaly detection in a statistical framework, which gives a formal analysis of an anomaly detector's anticipated behavior from a high level. Some existing problems and possible solutions concerning the normality characterization of the observable subjects from hosts and networks are addressed respectively. As case studies, several typical anomaly detectors are analyzed and compared from the perspective of their operating environments, especially those factors causing their particular detection coverage or blind spots. Moreover, the evaluation of anomaly detectors is also roughly discussed based on some existing benchmarks. Careful analysis shows that a fundamental understanding of the operating environment (i.e., the properties of the observable subjects) is the elementary but essential stage in the process of establishing an effective anomaly detection model, and is therefore worth insightful exploration, especially when we face the dilemma between anomaly detection performance and computational cost.
    Zonghua Zhang, Hong Shen, Yingpeng San
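The two points the abstract raises, the features used to tell the two classes apart and the observed sample of normal patterns, can be watched at work in a small detector. The following is an added example, not code from Zhang, Shen and San's paper: it builds a k-gram profile over constructed system-call traces (the k-gram model, the two feature functions and every trace are assumptions made here) under two choices of observable subject, and shows one attack the detector covers, one it is blind to until the observable is enriched, and one false alarm that only the normality sample, not the model, can remove.

```python
"""
Toy host-based anomaly detector: a k-gram profile of "normal" system-call
sequences, evaluated under two choices of observable subject. It shows how
the observable and the normality sample, not the learning rule, decide what
the detector covers and where it is blind.

Added illustration, not code from the paper; the k-gram model, the feature
functions and every trace below are constructed assumptions.
"""
from typing import Callable, Hashable, Sequence

Event = tuple[str, str]            # (syscall name, path argument or "")
Feature = Callable[[Event], Hashable]


def by_name(ev: Event) -> Hashable:
    """Observable subject 1: the syscall name only."""
    return ev[0]


def by_name_and_dir(ev: Event) -> Hashable:
    """Observable subject 2: syscall name plus the first two path components.
    Coarsening the path keeps the profile small while still separating
    /var/www from /etc."""
    name, path = ev
    if not path:
        return (name, "")
    parts = path.strip("/").split("/")
    return (name, "/" + "/".join(parts[:2]))


def kgrams(trace: Sequence[Event], feature: Feature, k: int) -> list[tuple]:
    """Sliding window of k consecutive feature values over a trace."""
    feats = [feature(e) for e in trace]
    return [tuple(feats[i:i + k]) for i in range(len(feats) - k + 1)]


class KGramDetector:
    """Flags a trace that contains k-grams never seen in the normality sample."""

    def __init__(self, feature: Feature, k: int = 3) -> None:
        self.feature, self.k = feature, k
        self.profile: set[tuple] = set()

    def train(self, traces: Sequence[Sequence[Event]]) -> "KGramDetector":
        for t in traces:
            self.profile.update(kgrams(t, self.feature, self.k))
        return self

    def mismatch_rate(self, trace: Sequence[Event]) -> float:
        grams = kgrams(trace, self.feature, self.k)
        if not grams:
            return 0.0
        return sum(g not in self.profile for g in grams) / len(grams)

    def is_anomalous(self, trace: Sequence[Event], threshold: float = 0.0) -> bool:
        return self.mismatch_rate(trace) > threshold


# Constructed normality sample: a static file server answering requests.
NORMAL_TRACES: list[list[Event]] = [
    [("accept", ""), ("read", ""), ("stat", "/var/www/html/index.html"),
     ("open", "/var/www/html/index.html"), ("read", ""), ("write", ""), ("close", "")],
    [("accept", ""), ("read", ""), ("stat", "/var/www/html/about.html"),
     ("open", "/var/www/html/about.html"), ("read", ""), ("write", ""), ("close", "")],
    [("accept", ""), ("read", ""), ("write", ""), ("close", "")],   # error reply, no file
]

# Constructed test traces.
SHELL_SPAWN: list[Event] = [   # memory-corruption exploit: the server execs a shell
    ("accept", ""), ("read", ""), ("mmap", ""), ("mprotect", ""),
    ("execve", "/bin/sh"), ("dup2", ""), ("read", ""), ("write", "")]
TRAVERSAL: list[Event] = [     # path traversal: identical syscall order, hostile path
    ("accept", ""), ("read", ""), ("stat", "/etc/passwd"), ("open", "/etc/passwd"),
    ("read", ""), ("write", ""), ("close", "")]
LOG_WRITE: list[Event] = NORMAL_TRACES[0] + [   # legitimate, but absent from the sample
    ("open", "/var/log/app.log"), ("write", ""), ("close", "")]


def run_demo() -> dict[str, float]:
    """Mismatch rate for each (observable, trace) pair, plus the effect of
    enlarging the normality sample with the same model."""
    names = KGramDetector(by_name).train(NORMAL_TRACES)
    dirs = KGramDetector(by_name_and_dir).train(NORMAL_TRACES)
    names_plus = KGramDetector(by_name).train(NORMAL_TRACES + [LOG_WRITE])
    return {
        "name/shell": names.mismatch_rate(SHELL_SPAWN),        # covered
        "name/traversal": names.mismatch_rate(TRAVERSAL),      # blind spot of the observable
        "dir/traversal": dirs.mismatch_rate(TRAVERSAL),        # closed by a richer observable
        "name/logwrite": names.mismatch_rate(LOG_WRITE),       # false alarm: sample too narrow
        "name+/logwrite": names_plus.mismatch_rate(LOG_WRITE), # fixed by the sample, not the model
    }


if __name__ == "__main__":
    for key, rate in run_demo().items():
        print(f"{key:16s} mismatch={rate:.3f}")
```

The shell-spawning exploit is caught under either observable because its syscalls never occur in the sample, whereas the traversal leaves the syscall order untouched and is invisible until the path argument becomes part of what is observed; that finer observable costs a larger profile, which is the performance-versus-cost trade-off the abstract ends on. The log-write trace alarms under both observables not because the model is wrong but because the normality sample never contained that behaviour, and retraining on a sample that includes it removes the alarm without any change to the detector.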
