Source: IEEE Access, vol. 5, pp , October 2017

Presentation on theme: "Source: IEEE Access, vol. 5, pp , October 2017"— Presentation transcript:

1 A Deep Learning Approach for Intrusion Detection using Recurrent Neural Network
Source: IEEE Access, vol. 5, pp , October 2017 Author: Chuanlong Yin, Yuefei Zhu, Jinlong Fei, Xinzheng He Speaker: KUN-YIN LEE Date : 2018/06/07

2 Outline Introduction Preliminaries Proposed scheme Experiment results
Conclusions

3 Scenario Web Server Firewall Internet
IDS ( Intrusion Detection System)

4 Introduction Classification RNN RNN Binary classification
Multiclass classification Denial of service User to Root Remote to local Normal or abnormal Normal, DoS, Probe, U2R, R2L R2L: Remote to Local 這類型的攻擊就是:遠端的使用者企圖取得本地端的存取權限。 通常入侵攻擊者都是利用一些網路服務的漏洞，如:網路服務系統本身的弱點、 或是程式撰寫者的疏忽所造成的漏洞來進行不合法的行為。 U2R: user to root 這類型的攻擊就是:使用者想要取得主機的超級管理者(ROOT)的權限。而這類攻擊分成兩類: 一類是使用者透過遠端連線來取得超級使用者的權限；另一類就是本地端的使用者企圖要取得超級使用者的權限； 通常入侵攻擊者利用緩衝滿溢的技巧，就是將網路上要傳回的地址利用滿溢的技術，改成入侵者想要執行的攻擊行為，而 U2R就是利用此方式取得存取畚箕超級使用者的權限。 PROBE: 此類型的入侵行為並不算是攻擊行為，而是在為後續的攻擊型做試探的動作，其主要的目的有:蒐集受害端主的相關資訊，如: 探測主機開放的PORT有哪些。蒐集受害端主機所提供之服務、得知受害端主機所安裝之作業系統、蒐集受害端主機現階段的弱點資訊。 RNN RNN Web log Web log

5 Preliminaries(1/11) . Neural networks ( NN )
Recurrent neural networks ( RNN ) Forward propagation Backward propagation Training Dataset (input, label) Function Linear function, 𝑦′=𝑤𝑥+𝑏 Non-linear function, 𝑦′=∅( 𝑤𝑥 + 𝑏 ) Loss function, loss(𝑦′- 𝑦) Input X f(X) output loss(output,label) optimization 𝑦 𝑥 𝐿oss 𝑤 .

6 Preliminaries(2/11) - NN He cooks every day Apple pie Burger Chicken

7 Preliminaries(3/11) - NN Weather

8 Preliminaries(4/11) - NN Neural Network NN

9 Preliminaries(5/11) - NN Vectors 1 0 0 0 1 0 0 0 1 1 0 0 1

10 Preliminaries(6/11) - NN 1 0 1 0 1 0 0 0 1 0 = 0 1 0 1

11 Preliminaries(7/11) - RNN
Cooking Schedule Monday Tuesday Wednesday Thursday Friday Saturday Apple pie Burger Chicken Apple pie Burger Chicken

12 Preliminaries(8/11) - RNN
Recurrent Neural Network RNN

13 Preliminaries(9/11) - RNN
Recurrent Neural Network

14 Preliminaries(10/11) - RNN
1 0 0 1 0 0 1 0 0 0 1 0 0 0 1 0 1 0 0 1 0 = 0 0 1 0 0 1

15 Preliminaries(11/11) - RNN
Result 0 Result 1 NN NN RAM RAM Data 0 Data 1 Data 2 Data 3

16 Proposed scheme(1/5) Training Set Testing Set Detection
Data Preprocessing Numericalization RNN-IDS model Normalization Detection Training Forward Propagation Weight Update

17 Proposed scheme(2/5) Dataset description NSL-KDD dataset, 2009

18 Proposed scheme(3/5) Data preprocessing Numericalization Normalization
Protocol_type : 3 types, tcp, udp, icmp -> (1,0,0), (0,1,0), (0,0,1) Service : 70 types Flag : 11 types 41 dimensional features map into 122 dimensional features Normalization Duration [0, 58329] -> [0, 4.77] Src_bytes [0, 1.3X109] -> [0, 9.11] Dst_bytes [0, 1.3X109] -> [0, 9.11] X2 X2 X1 X1

19 Proposed scheme(4/5) Training model … … 𝑥1 ℎ1 𝑦1 𝑥1 ℎ2 𝑦2 𝑥1 ℎ3 𝑦3
Forward propagation Input : 𝒙𝒊( 𝒊=𝟏, 𝟐, …, 𝒎) output : 𝐲𝒊′ For i from 1 to m do 　　𝐭𝐢=𝑾 𝒉𝒙 𝒊 𝒙𝒊+𝑾 𝒉𝒉 𝒊−𝟏 ℎ𝑖−1 　　𝐔𝐢=𝒔𝒊𝒈𝒎𝒐𝒊𝒅(𝒕𝒊) 　　𝐒𝐢=𝑾 𝒚𝒉 𝒊 𝑼𝒊 　　𝐲 𝐢 ′ =𝐬𝐨𝐟𝐭𝐦𝐚𝐱(𝐒𝐢) Input layer hidden layer Output layer 𝑊 ℎ𝑥 1 𝑊 𝑦ℎ 1 𝑥1 ℎ1 𝑦1 𝑊 ℎℎ 1 𝑊 ℎ𝑥 2 𝑊 𝑦ℎ 2 𝑥1 ℎ2 𝑦2 Backward propagation Calculate the cross entropy between the output value and label value: 𝐋𝐎𝐒𝐒( 𝐲𝐢, 𝐲 𝐢 ′ ) Then, Weight update 𝑊 ℎℎ 2 𝑥1 𝑊 ℎ𝑥 3 ℎ3 𝑊 ℎ𝑥 3 𝑦3 … …

20 Proposed scheme(5/5) Evaluation 𝐴𝐶= 𝑇𝑃+𝑇𝑁 𝑇𝑃+𝑇𝑁+𝐹𝑃+𝐹𝑁 𝑇𝑃𝑅= 𝑇𝑃 𝑇𝑃+𝐹𝑁
𝑇𝑃𝑅= 𝑇𝑃 𝑇𝑃+𝐹𝑁 𝐹𝑃𝑅= 𝐹𝑃 𝐹𝑃+𝑇𝑁 Predicted Actual Abnormal Normal TP FN FP TN

21 Experiment Results(1/5)
Binary classification Epoch : 100 Hidden nodes : 20, 60, 80, 120, 240 Learning rate : 0.01, 0.1, 0.5 (s) Predicted Actual Abnormal Normal 9362 3471 298 9413

22 Experiment results(2/5)
Multiclass classification Epoch : 100 Hidden nodes : 60, 80, 120, 160 Learning rate : 0.1, 0.5, 0.8 (s)

23 Experiment results(3/5)

24 Experiment results(4/5)
Multiclass classification FPR(%) TPR(%)

25 Experiment results(5/5)
Binary classification Multiclass classification

26 Conclusions High accuracy in binary and multiclass classification
High detection rate with low false positive rate LSTM ( long short-term memory )

27 https://github.com/p0561199/Neural-learning

28 Thanks

29

30 Activation function - Sigmoid

31 Softmax 歸一化函數 [1, 2, 3, 4, 1, 2, 3] [0.024, 0.064, 0.175, 0.475, 0.024, 0.064, 0.175]

32 Learning rate . . 𝐿oss 𝐿oss 𝑤 𝑤 Large learning rate
Small learning rate