Better Anomaly Detection for Access Attacks Using Deep Bidirectional LSTMs

Henry Clausen, Gudmund Grov, Marc Sabate, David Aspinall

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Recent evaluations show that the current anomaly-based network intrusion detection methods fail to detect remote access attacks reliably [10]. Here, we present a deep bidirectional LSTM approach that is designed specifically to detect such attacks as contextual network anomalies. The model efficiently learns short-term sequential patterns in network flows as conditional event probabilities to identify contextual anomalies. To verify our improvements on current detection rates, we re-implemented and evaluated three state-of-the-art methods in the field. We compared results on an assembly of datasets that provides both representative network access attacks as well as real normal traffic over a long timespan, which we contend is closer to a potential deployment environment than current NIDS benchmark datasets. We show that by building a deep model, we are able to reduce the false positive rate to 0.16% while detecting effectively, which is significantly lower than the operational range of other methods. Furthermore, we reduce overall misclassification by more than 100% from the next best method.
Original language: English
Title of host publication: Machine Learning for Networking
Editors: Éric Renault, Selma Boumerdassi, Paul Mühlethaler
Place of Publication: Cham
Publisher: Springer International Publishing
Pages: 1-18
Number of pages: 18
ISBN (Electronic): 978-3-030-70866-5
ISBN (Print): 978-3-030-70865-8
DOIs
Publication status: Published - 3 Mar 2021

Publication series

Name: Lecture Notes in Computer Science
Publisher: Springer
Volume: 12629
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349
