Skip to Main content Skip to Navigation
Conference papers

Unsupervised protocol-based intrusion detection for real-world networks

Abstract : Anomaly-based Intrusion Detection Systems (IDSs) are rarely deployed in real networks, because of their high false positive rate. Their ability to detect unknown attacks is, however, very valuable in a context where new threats are emerging almost daily. This paper presents an unsupervised anomaly-based intrusion detection solution focused on protocol headers analysis. This approach is tested on a recent and realistic dataset (CICIDS2017) over a 4-day period. Each protocol is converted to a set of normalized numeric features, which are processed by 5 neural network architectures: deep autoencoders, deep MLPs, LSTMs, BiLSTMs, and GANs. The output of these algorithms is an anomaly score, which is normalized and combined with the anomaly scores of other protocols. We argue that this classification problem is very different from the actual problem of intrusion detection and requires new metrics. In particular, packet anomaly scores must be refined in a post-processing step to aggregate anomalies into continuous attacks. This approach successfully detects 7 out of 11 attacks not seen during the training phase, without any false positives. It is thus possible to consider deployments in real-world networks of such IDSs, capable of reliably detecting zero-day attacks.
Complete list of metadatas

https://hal-cea.archives-ouvertes.fr/cea-02555669
Contributor : Baptiste Polve <>
Submitted on : Monday, April 27, 2020 - 2:50:20 PM
Last modification on : Saturday, October 10, 2020 - 3:07:30 AM

Identifiers

Citation

Maxime Labonne, Alexis Olivereau, Baptiste Polve, Djamal Zeghlache. Unsupervised protocol-based intrusion detection for real-world networks. ICNC 2020: International Conference on Computing, Networking and Communications, Feb 2020, Big Island, United States. pp.299-303, ⟨10.1109/ICNC47757.2020.9049796⟩. ⟨cea-02555669⟩

Share

Metrics

Record views

81