TY - JOUR
T1 - NetSentry: A deep learning approach to detecting incipient large-scale network attacks
AU - Liu, Haoyu
AU - Patras, Paul
N1 - Funding Information:
This material is based upon work supported by Arm Ltd and Scotland’s Innovation Centre for sensing, imaging and Internet of Things technologies (CENSIS) .
Publisher Copyright:
© 2022 The Author(s)
PY - 2022/7/1
Y1 - 2022/7/1
N2 - Machine Learning (ML) techniques are increasingly adopted to tackle ever-evolving high-profile network attacks, including Distributed Denial of Service (DDoS), botnet, and ransomware, due to their unique ability to extract complex patterns hidden in data streams. These approaches are however routinely validated with data collected in the same environment, and their performance degrades when deployed in different network topologies and/or applied on previously unseen traffic, as we uncover. This suggests malicious/benign behaviors are largely learned superficially and ML-based Network Intrusion Detection Systems (NIDS) need revisiting, to be effective in practice. In this paper we dive into the mechanics of large-scale network attacks, with a view to understanding how to use ML for Network Intrusion Detection (NID) in a principled way. We reveal that, although cyberattacks vary significantly in terms of payloads, vectors and targets, their early stages, which are critical to successful attack outcomes, share many similarities and exhibit important temporal correlations. Therefore, we treat NID as a time-sensitive task and propose NetSentry, perhaps the first of its kind NIDS that builds on Bidirectional Asymmetric LSTM (Bi-ALSTM), an original ensemble of sequential neural models, to detect network threats before they spread. We cross-evaluate NetSentry using two practical datasets, training on one and testing on the other, and demonstrate F1 score gains above 33% over the state-of-the-art, as well as up to 3× higher rates of detecting attacks such as Cross-Site Scripting (XSS) and web bruteforce. Further, we put forward a novel data augmentation technique that boosts the generalization abilities of a broad range of supervised deep learning algorithms, leading to average F1 score gains above 35%. Lastly, we shed light on the feasibility of deploying NetSentry in operational networks, demonstrating affordable computational overhead and robustness to evasion attacks.
AB - Machine Learning (ML) techniques are increasingly adopted to tackle ever-evolving high-profile network attacks, including Distributed Denial of Service (DDoS), botnet, and ransomware, due to their unique ability to extract complex patterns hidden in data streams. These approaches are however routinely validated with data collected in the same environment, and their performance degrades when deployed in different network topologies and/or applied on previously unseen traffic, as we uncover. This suggests malicious/benign behaviors are largely learned superficially and ML-based Network Intrusion Detection Systems (NIDS) need revisiting, to be effective in practice. In this paper we dive into the mechanics of large-scale network attacks, with a view to understanding how to use ML for Network Intrusion Detection (NID) in a principled way. We reveal that, although cyberattacks vary significantly in terms of payloads, vectors and targets, their early stages, which are critical to successful attack outcomes, share many similarities and exhibit important temporal correlations. Therefore, we treat NID as a time-sensitive task and propose NetSentry, perhaps the first of its kind NIDS that builds on Bidirectional Asymmetric LSTM (Bi-ALSTM), an original ensemble of sequential neural models, to detect network threats before they spread. We cross-evaluate NetSentry using two practical datasets, training on one and testing on the other, and demonstrate F1 score gains above 33% over the state-of-the-art, as well as up to 3× higher rates of detecting attacks such as Cross-Site Scripting (XSS) and web bruteforce. Further, we put forward a novel data augmentation technique that boosts the generalization abilities of a broad range of supervised deep learning algorithms, leading to average F1 score gains above 35%. Lastly, we shed light on the feasibility of deploying NetSentry in operational networks, demonstrating affordable computational overhead and robustness to evasion attacks.
KW - Deep learning
KW - Feature augmentation
KW - Network-based intrusion detection system
UR - http://www.scopus.com/inward/record.url?scp=85129982134&partnerID=8YFLogxK
U2 - 10.1016/j.comcom.2022.04.020
DO - 10.1016/j.comcom.2022.04.020
M3 - Article
AN - SCOPUS:85129982134
SN - 0140-3664
VL - 191
SP - 119
EP - 132
JO - Computer Communications
JF - Computer Communications
ER -