A Deep Learning Approach for Intrusion Detection using Recurrent Neural Network Source: IEEE Access, vol. 5, pp. 54-61, October 2017 Author: Chuanlong Yin, Yuefei Zhu, Jinlong Fei, Xinzheng He Speaker: KUN-YIN LEE Date : 2018/06/07
Outline Introduction Preliminaries Proposed scheme Experiment results Conclusions
Scenario Web Server Firewall Internet IDS ( Intrusion Detection System)
Introduction Classification RNN RNN Binary classification Multiclass classification Denial of service User to Root Remote to local Normal or abnormal Normal, DoS, Probe, U2R, R2L R2L: Remote to Local 這類型的攻擊就是:遠端的使用者企圖取得本地端的存取權限。 通常入侵攻擊者都是利用一些網路服務的漏洞,如:網路服務系統本身的弱點、 或是程式撰寫者的疏忽所造成的漏洞來進行不合法的行為。 U2R: user to root 這類型的攻擊就是:使用者想要取得主機的超級管理者(ROOT)的權限。而這類攻擊分成兩類: 一類是使用者透過遠端連線來取得超級使用者的權限;另一類就是本地端的使用者企圖要取得超級使用者的權限; 通常入侵攻擊者利用緩衝滿溢的技巧,就是將網路上要傳回的地址利用滿溢的技術,改成入侵者想要執行的攻擊行為,而 U2R就是利用此方式取得存取畚箕超級使用者的權限。 PROBE: 此類型的入侵行為並不算是攻擊行為,而是在為後續的攻擊型做試探的動作,其主要的目的有:蒐集受害端主的相關資訊,如: 探測主機開放的PORT有哪些。蒐集受害端主機所提供之服務、得知受害端主機所安裝之作業系統、蒐集受害端主機現階段的弱點資訊。 RNN RNN Web log Web log
Preliminaries(1/11) . Neural networks ( NN ) Recurrent neural networks ( RNN ) Forward propagation Backward propagation Training Dataset (input, label) Function Linear function, 𝑦′=𝑤𝑥+𝑏 Non-linear function, 𝑦′=∅( 𝑤𝑥 + 𝑏 ) Loss function, loss(𝑦′- 𝑦) Input X f(X) output loss(output,label) optimization 𝑦 𝑥 𝐿oss 𝑤 .
Preliminaries(2/11) - NN He cooks every day Apple pie Burger Chicken
Preliminaries(3/11) - NN Weather
Preliminaries(4/11) - NN Neural Network NN
Preliminaries(5/11) - NN Vectors 1 0 0 0 1 0 0 0 1 1 0 0 1
Preliminaries(6/11) - NN 1 0 1 0 1 0 0 1 0 0 0 1 0 0 1 0 = 0 1 0 1
Preliminaries(7/11) - RNN Cooking Schedule Monday Tuesday Wednesday Thursday Friday Saturday Apple pie Burger Chicken Apple pie Burger Chicken
Preliminaries(8/11) - RNN Recurrent Neural Network RNN
Preliminaries(9/11) - RNN Recurrent Neural Network
Preliminaries(10/11) - RNN 1 0 0 1 0 0 1 0 0 0 1 0 0 0 1 0 1 0 0 1 0 0 0 1 1 0 0 0 1 0 = 0 0 1 0 0 1
Preliminaries(11/11) - RNN Result 0 Result 1 NN NN RAM RAM Data 0 Data 1 Data 2 Data 3
Proposed scheme(1/5) Training Set Testing Set Detection Data Preprocessing Numericalization RNN-IDS model Normalization Detection Training Forward Propagation Weight Update
Proposed scheme(2/5) Dataset description NSL-KDD dataset, 2009
Proposed scheme(3/5) Data preprocessing Numericalization Normalization Protocol_type : 3 types, tcp, udp, icmp -> (1,0,0), (0,1,0), (0,0,1) Service : 70 types Flag : 11 types 41 dimensional features map into 122 dimensional features Normalization Duration [0, 58329] -> [0, 4.77] Src_bytes [0, 1.3X109] -> [0, 9.11] Dst_bytes [0, 1.3X109] -> [0, 9.11] X2 X2 X1 X1
Proposed scheme(4/5) Training model … … 𝑥1 ℎ1 𝑦1 𝑥1 ℎ2 𝑦2 𝑥1 ℎ3 𝑦3 Forward propagation Input : 𝒙𝒊( 𝒊=𝟏, 𝟐, …, 𝒎) output : 𝐲𝒊′ For i from 1 to m do 𝐭𝐢=𝑾 𝒉𝒙 𝒊 𝒙𝒊+𝑾 𝒉𝒉 𝒊−𝟏 ℎ𝑖−1 𝐔𝐢=𝒔𝒊𝒈𝒎𝒐𝒊𝒅(𝒕𝒊) 𝐒𝐢=𝑾 𝒚𝒉 𝒊 𝑼𝒊 𝐲 𝐢 ′ =𝐬𝐨𝐟𝐭𝐦𝐚𝐱(𝐒𝐢) Input layer hidden layer Output layer 𝑊 ℎ𝑥 1 𝑊 𝑦ℎ 1 𝑥1 ℎ1 𝑦1 𝑊 ℎℎ 1 𝑊 ℎ𝑥 2 𝑊 𝑦ℎ 2 𝑥1 ℎ2 𝑦2 Backward propagation Calculate the cross entropy between the output value and label value: 𝐋𝐎𝐒𝐒( 𝐲𝐢, 𝐲 𝐢 ′ ) Then, Weight update 𝑊 ℎℎ 2 𝑥1 𝑊 ℎ𝑥 3 ℎ3 𝑊 ℎ𝑥 3 𝑦3 … …
Proposed scheme(5/5) Evaluation 𝐴𝐶= 𝑇𝑃+𝑇𝑁 𝑇𝑃+𝑇𝑁+𝐹𝑃+𝐹𝑁 𝑇𝑃𝑅= 𝑇𝑃 𝑇𝑃+𝐹𝑁 𝑇𝑃𝑅= 𝑇𝑃 𝑇𝑃+𝐹𝑁 𝐹𝑃𝑅= 𝐹𝑃 𝐹𝑃+𝑇𝑁 Predicted Actual Abnormal Normal TP FN FP TN
Experiment Results(1/5) Binary classification Epoch : 100 Hidden nodes : 20, 60, 80, 120, 240 Learning rate : 0.01, 0.1, 0.5 (s) Predicted Actual Abnormal Normal 9362 3471 298 9413
Experiment results(2/5) Multiclass classification Epoch : 100 Hidden nodes : 60, 80, 120, 160 Learning rate : 0.1, 0.5, 0.8 (s)
Experiment results(3/5)
Experiment results(4/5) Multiclass classification FPR(%) TPR(%)
Experiment results(5/5) Binary classification Multiclass classification
Conclusions High accuracy in binary and multiclass classification High detection rate with low false positive rate LSTM ( long short-term memory )
https://github.com/p0561199/Neural-learning
Thanks
Activation function - Sigmoid
Softmax 歸一化函數 [1, 2, 3, 4, 1, 2, 3] [0.024, 0.064, 0.175, 0.475, 0.024, 0.064, 0.175]
Learning rate . . 𝐿oss 𝐿oss 𝑤 𝑤 Large learning rate Small learning rate