Utilising Deep Learning techniques for effective zero-day attack detection

Hanan Hindy; Robert Atkinson; Christos Tachtatzis; Jean-Noël Colin; Ethan Bayne; Xavier Bellekens

doi:10.3390/electronics9101684

Utilising Deep Learning techniques for effective zero-day attack detection

Hanan Hindy^*, Robert Atkinson, Christos Tachtatzis, Jean-Noël Colin, Ethan Bayne, Xavier Bellekens

^*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

25 Downloads (Pure)

Abstract

Machine Learning (ML) and Deep Learning (DL) have been used for building Intrusion Detection Systems (IDS). The increase in both the number and sheer variety of new cyber-attacks poses a tremendous challenge for IDS solutions that rely on a database of historical attack signatures. Therefore, the industrial pull for robust IDS capable of flagging zero-day attacks is growing. Current outlier-based zero-day detection research suffers from high false-negative rates, thus limiting their practical use and performance. This paper proposes an autoencoder implementation to detect zero-day attacks. The aim is to build an IDS model with high recall while keeping the miss rate (false-negatives) to an acceptable minimum. Two well-known IDS datasets are used for evaluation—CICIDS2017 and NSL-KDD. To demonstrate the efficacy of our model, we compare its results against a One-Class Support Vector Machine (SVM). The manuscript highlights the performance of a One-Class SVM when zero-day attacks are distinctive from normal behaviour. The proposed model benefits greatly from autoencoders encoding-decoding capabilities. The results show that autoencoders are well-suited at detecting complex zero-day attacks. The results demonstrate a zero-day detection accuracy of [89% - 99%] for the NSL-KDD dataset and [75% - 98%] for the CICIDS2017 dataset. Finally, the paper outlines the observed trade-off between recall and fallout.

Original language	English
Number of pages	16
Journal	Electronics
Volume	9
Issue number	10
DOIs	https://doi.org/10.3390/electronics9101684
Publication status	Published - 14 Oct 2020

Access to Document

10.3390/electronics9101684Licence: CC BY

Hindy_UtilisingDeepLearningTechniques_Published_2020Final published version, 526 KBLicence: CC BY

Fingerprint Dive into the research topics of 'Utilising Deep Learning techniques for effective zero-day attack detection'. Together they form a unique fingerprint.

Cite this

@article{bedb50fb07964d49ae565574d39e160c,

title = "Utilising Deep Learning techniques for effective zero-day attack detection",

abstract = "Machine Learning (ML) and Deep Learning (DL) have been used for building Intrusion Detection Systems (IDS). The increase in both the number and sheer variety of new cyber-attacks poses a tremendous challenge for IDS solutions that rely on a database of historical attack signatures. Therefore, the industrial pull for robust IDS capable of flagging zero-day attacks is growing. Current outlier-based zero-day detection research suffers from high false-negative rates, thus limiting their practical use and performance. This paper proposes an autoencoder implementation to detect zero-day attacks. The aim is to build an IDS model with high recall while keeping the miss rate (false-negatives) to an acceptable minimum. Two well-known IDS datasets are used for evaluation—CICIDS2017 and NSL-KDD. To demonstrate the efficacy of our model, we compare its results against a One-Class Support Vector Machine (SVM). The manuscript highlights the performance of a One-Class SVM when zero-day attacks are distinctive from normal behaviour. The proposed model benefits greatly from autoencoders encoding-decoding capabilities. The results show that autoencoders are well-suited at detecting complex zero-day attacks. The results demonstrate a zero-day detection accuracy of [89% - 99%] for the NSL-KDD dataset and [75% - 98%] for the CICIDS2017 dataset. Finally, the paper outlines the observed trade-off between recall and fallout.",

author = "Hanan Hindy and Robert Atkinson and Christos Tachtatzis and Jean-No{\"e}l Colin and Ethan Bayne and Xavier Bellekens",

year = "2020",

month = oct,

day = "14",

doi = "10.3390/electronics9101684",

language = "English",

volume = "9",

journal = "Electronics",

issn = "2079-9292",

publisher = "Multidisciplinary Digital Publishing Institute (MDPI)",

number = "10",

}

TY - JOUR

T1 - Utilising Deep Learning techniques for effective zero-day attack detection

AU - Hindy, Hanan

AU - Atkinson, Robert

AU - Tachtatzis, Christos

AU - Colin, Jean-Noël

AU - Bayne, Ethan

AU - Bellekens, Xavier

PY - 2020/10/14

Y1 - 2020/10/14

N2 - Machine Learning (ML) and Deep Learning (DL) have been used for building Intrusion Detection Systems (IDS). The increase in both the number and sheer variety of new cyber-attacks poses a tremendous challenge for IDS solutions that rely on a database of historical attack signatures. Therefore, the industrial pull for robust IDS capable of flagging zero-day attacks is growing. Current outlier-based zero-day detection research suffers from high false-negative rates, thus limiting their practical use and performance. This paper proposes an autoencoder implementation to detect zero-day attacks. The aim is to build an IDS model with high recall while keeping the miss rate (false-negatives) to an acceptable minimum. Two well-known IDS datasets are used for evaluation—CICIDS2017 and NSL-KDD. To demonstrate the efficacy of our model, we compare its results against a One-Class Support Vector Machine (SVM). The manuscript highlights the performance of a One-Class SVM when zero-day attacks are distinctive from normal behaviour. The proposed model benefits greatly from autoencoders encoding-decoding capabilities. The results show that autoencoders are well-suited at detecting complex zero-day attacks. The results demonstrate a zero-day detection accuracy of [89% - 99%] for the NSL-KDD dataset and [75% - 98%] for the CICIDS2017 dataset. Finally, the paper outlines the observed trade-off between recall and fallout.

AB - Machine Learning (ML) and Deep Learning (DL) have been used for building Intrusion Detection Systems (IDS). The increase in both the number and sheer variety of new cyber-attacks poses a tremendous challenge for IDS solutions that rely on a database of historical attack signatures. Therefore, the industrial pull for robust IDS capable of flagging zero-day attacks is growing. Current outlier-based zero-day detection research suffers from high false-negative rates, thus limiting their practical use and performance. This paper proposes an autoencoder implementation to detect zero-day attacks. The aim is to build an IDS model with high recall while keeping the miss rate (false-negatives) to an acceptable minimum. Two well-known IDS datasets are used for evaluation—CICIDS2017 and NSL-KDD. To demonstrate the efficacy of our model, we compare its results against a One-Class Support Vector Machine (SVM). The manuscript highlights the performance of a One-Class SVM when zero-day attacks are distinctive from normal behaviour. The proposed model benefits greatly from autoencoders encoding-decoding capabilities. The results show that autoencoders are well-suited at detecting complex zero-day attacks. The results demonstrate a zero-day detection accuracy of [89% - 99%] for the NSL-KDD dataset and [75% - 98%] for the CICIDS2017 dataset. Finally, the paper outlines the observed trade-off between recall and fallout.

U2 - 10.3390/electronics9101684

DO - 10.3390/electronics9101684

M3 - Article

VL - 9

JO - Electronics

JF - Electronics

SN - 2079-9292

IS - 10

ER -