    A near-autonomous and incremental intrusion detection system through active learning of known and unknown attacks

    Intrusion detection is a long-standing practice of security experts; however, several issues remain to be tackled. Therefore, in this paper, after highlighting these issues, we present an architecture for a hybrid Intrusion Detection System (IDS) for adaptive and incremental detection of both known and unknown attacks. The IDS is composed of a supervised and an unsupervised module, namely a Deep Neural Network (DNN) and the K-Nearest Neighbors (KNN) algorithm, respectively. The proposed system is near-autonomous, since the intervention of the expert is minimized through the active learning (AL) approach. A query strategy for the labeling process is presented; it aims at teaching the supervised module to detect unknown attacks and at improving the detection of already-known attacks. This teaching is achieved through sliding windows (SW) in an incremental fashion, where the DNN is retrained as data becomes available over time, thus rendering the IDS adaptive enough to cope with the evolving nature of network traffic. A set of experiments was conducted on the CICIDS2017 dataset in order to evaluate the performance of the IDS, and promising results were obtained.
    Comment: 6 pages, 3 figures, 32 references, conferenc
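    The abstract above describes the control loop but not its mechanics, so here is an added, self-contained sketch of one sliding-window active-learning cycle. It is illustrative code written for this listing, not the authors' implementation, and it makes several assumptions that the abstract does not fix: a nearest-centroid classifier stands in for the DNN, the unsupervised module is the distance to the k-th nearest labelled flow, the novelty threshold is calibrated as three times the largest in-pool k-NN distance, the expert is simulated by the constructed ground-truth label, and a fixed per-window query budget is applied. The two-feature flows (packets per second, mean packet size) and the three classes `benign`, `dos` (known at start) and `scan` (unknown until it appears) are constructed, not taken from CICIDS2017.

```python
"""Sliding-window active learning for a hybrid IDS (constructed example).

Supervised module: nearest-centroid classifier (assumed stand-in for the DNN).
Unsupervised module: k-NN distance to the labelled pool (novelty score).
Query strategy: ask the expert about the most novel / least certain flows,
under a per-window budget, then retrain on everything labelled so far.
"""
import math
from collections import Counter, defaultdict

# Constructed flow features: (packets per second, mean packet size in bytes).
BENIGN = [(10 + i, 500 + 3 * i) for i in range(20)]
DOS = [(900 + 5 * i, 60 + i) for i in range(10)]     # attack known at start
SCAN = [(200 + 3 * i, 40 + i) for i in range(10)]    # attack unknown at start


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class NearestCentroid:
    """Supervised module (assumption: stands in for the paper's DNN)."""

    def __init__(self):
        self.centroids = {}

    def fit(self, xs, ys):
        sums, counts = defaultdict(lambda: [0.0] * len(xs[0])), Counter()
        for x, y in zip(xs, ys):
            for i, v in enumerate(x):
                sums[y][i] += v
            counts[y] += 1
        self.centroids = {y: tuple(s / counts[y] for s in sums[y]) for y in sums}

    def predict(self, x):
        """Return (label, margin); a small margin means an uncertain decision."""
        ranked = sorted((dist(x, c), y) for y, c in self.centroids.items())
        margin = ranked[1][0] - ranked[0][0] if len(ranked) > 1 else math.inf
        return ranked[0][1], margin


def knn_novelty(x, pool, k=3):
    """Unsupervised module: distance from x to its k-th nearest labelled flow."""
    ds = sorted(dist(x, p) for p in pool)
    return ds[min(k, len(ds)) - 1]


def novelty_threshold(pool, k=3, factor=3.0):
    """Assumed calibration: `factor` times the largest in-pool k-NN distance."""
    return factor * max(knn_novelty(p, [q for q in pool if q != p], k) for p in pool)


def run(windows, seed_x, seed_y, budget=4, k=3, margin_min=20.0):
    """Process windows of (features, true_label); the true label plays the expert."""
    pool_x, pool_y = list(seed_x), list(seed_y)
    model = NearestCentroid()
    model.fit(pool_x, pool_y)
    history = []
    for window in windows:
        thr = novelty_threshold(pool_x, k)
        correct, candidates = 0, []
        for x, y_true in window:
            y_hat, margin = model.predict(x)
            correct += y_hat == y_true
            nov = knn_novelty(x, pool_x, k)
            if nov > thr or margin < margin_min:      # unknown-looking or uncertain
                candidates.append((nov, x, y_true))
        # Query strategy: most novel first, at most `budget` expert labels per window.
        candidates.sort(reverse=True)
        queried = candidates[:budget]
        for _, x, y_true in queried:
            pool_x.append(x)
            pool_y.append(y_true)                     # expert labels the flow
        model.fit(pool_x, pool_y)                     # incremental retrain on the grown pool
        history.append({"accuracy_before": correct / len(window),
                        "queries": len(queried),
                        "known": sorted(set(pool_y))})
    return history, model


def demo():
    """Three windows: known traffic only, then a new attack appears, then it recurs."""
    seed_x = BENIGN[:10] + DOS[:5]
    seed_y = ["benign"] * 10 + ["dos"] * 5
    windows = [
        [(x, "benign") for x in BENIGN[10:15]] + [(x, "dos") for x in DOS[5:10]],
        [(x, "benign") for x in BENIGN[15:20]] + [(x, "scan") for x in SCAN[:5]],
        [(x, "scan") for x in SCAN[5:10]],
    ]
    return run(windows, seed_x, seed_y)


if __name__ == "__main__":
    for i, h in enumerate(demo()[0], 1):
        print(f"window {i}: {h}")
```

    The second window is where the unsupervised module earns its keep: the supervised model has never seen `scan` and silently labels it `benign`, but the k-NN distance flags those flows, the expert is asked for a handful of labels, and by the third window the retrained model classifies the recurring attack correctly without further queries.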

    An approach for unsupervised contextual anomaly detection and characterization

    Outlier detection has been widely explored and applied to different real-world problems. However, outlier characterization, which consists in finding and understanding the outlying aspects of the anomalous observations, is still challenging. In this paper, we present a new approach that simultaneously detects subspace outliers and characterizes them. We introduce the Dimension-wise Local Outlier Factor (DLOF) function to quantify the degree of outlierness of each data point in each feature dimension. The obtained DLOFs are used in an outlier ensemble to detect and rank the anomalous points. Subsequently, the same DLOFs are analyzed in order to characterize the detected outliers by their relevant subspace and their same-type anomalies. Experiments on various datasets show the efficacy of our method: the experimental evaluation demonstrates that the proposed approach is competitive with existing solutions in terms of both detection and characterization accuracy.

    A modified LOF based approach for outlier characterization in IoT

    The Internet of Things (IoT) is a growing paradigm that is revolutionary for Information and Communication Technology (ICT) because it brings together numerous application domains by integrating several enabling technologies. Outlier detection is a field of tremendous importance, including in IoT. Previous work on outlier detection has mainly tackled the efficacy and efficiency challenges. However, the research community has shown a growing interest in the interpretation of detected anomalies, and some works have already contributed in this direction. Characterizing anomalous events in IoT-related problems, on the other hand, has not yet been attempted. Hence, in this paper, we introduce our modified Local Outlier Factor (LOF)-based outlier characterization approach and apply it to enhance IoT security and reliability. Experiments on both synthetic and real-world datasets show the good performance of our solution.
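    Both abstracts above (the DLOF paper and its IoT application) describe the same pipeline: a per-dimension LOF score, an ensemble over those scores to rank outliers, and a reading of the same scores to name the subspace in which each outlier is anomalous and to group outliers of the same type. The following is an added illustration written for this listing, not the authors' code; it assumes the classic LOF definition (k-distance neighbourhood, reachability distance, local reachability density) applied to one feature at a time, a plain average across dimensions as the ensemble rule, and a fixed DLOF cutoff of 2.0 to decide which dimensions belong to an outlier's relevant subspace. The sensor readings (temperature, humidity, battery voltage) and the three injected anomalies are constructed.

```python
"""Dimension-wise LOF (DLOF): subspace outlier detection and characterization.

Constructed example: 1-D LOF per feature, averaged into an ensemble score,
then each top-ranked point is explained by the features whose DLOF is high.
"""
FEATURES = ("temperature", "humidity", "battery")

# Constructed IoT sensor readings: 10 normal rows, then three injected anomalies.
NORMAL = [(20.0 + 0.5 * i, 40.0 + 1.0 * i, 3.70 + 0.02 * i) for i in range(10)]
ANOMALIES = [
    (35.0, 44.5, 3.79),   # overheating node: only temperature is off
    (36.5, 45.5, 3.81),   # second overheating node (same anomaly type)
    (22.25, 47.5, 3.20),  # failing battery: only battery is off
]
DATA = NORMAL + ANOMALIES


def lof_1d(values, k=3):
    """Classic LOF (k-distance, reachability distance, lrd) on one feature only."""
    n = len(values)
    kdist, nbrs = [0.0] * n, [[] for _ in range(n)]
    for i in range(n):
        ds = sorted((abs(values[i] - values[j]), j) for j in range(n) if j != i)
        kdist[i] = ds[k - 1][0]
        # k-distance neighbourhood: every point within the k-th NN distance (ties kept)
        nbrs[i] = [j for d, j in ds if d <= kdist[i] * (1 + 1e-9) + 1e-12]
    lrd = []
    for i in range(n):
        reach = sum(max(kdist[j], abs(values[i] - values[j])) for j in nbrs[i])
        lrd.append(len(nbrs[i]) / max(reach, 1e-12))   # guard against duplicate values
    return [sum(lrd[j] for j in nbrs[i]) / len(nbrs[i]) / lrd[i] for i in range(n)]


def dlof(data, k=3):
    """One LOF score per point and per feature dimension."""
    per_dim = [lof_1d(list(col), k) for col in zip(*data)]
    return [tuple(col[i] for col in per_dim) for i in range(len(data))]


def detect(scores, top=3):
    """Ensemble by averaging DLOFs across dimensions (assumed rule); rank descending."""
    ens = [sum(s) / len(s) for s in scores]
    return sorted(range(len(ens)), key=lambda i: -ens[i])[:top]


def characterize(scores, idx, cutoff=2.0):
    """Relevant subspace: the features in which the point is clearly locally sparse."""
    return tuple(f for f, v in zip(FEATURES, scores[idx]) if v > cutoff)


def same_type(scores, outliers, cutoff=2.0):
    """Group detected outliers that share the same relevant subspace."""
    groups = {}
    for i in outliers:
        groups.setdefault(characterize(scores, i, cutoff), []).append(i)
    return groups


if __name__ == "__main__":
    scores = dlof(DATA)
    for i in detect(scores):
        print(i, DATA[i], characterize(scores, i))
```

    The point of scoring per dimension rather than on the full vector is visible in the output: the failing-battery row and the two overheating rows all rank at the top, but the battery anomaly is explained by `("battery",)` alone and the two hot nodes by `("temperature",)` alone, and the grouping step puts the latter two in the same bucket. A full-space LOF would rank them but could not say which sensor to look at.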