Unsupervised protocol-based intrusion detection for real-world networks - CEA - Commissariat à l’énergie atomique et aux énergies alternatives Access content directly
Conference Papers Year : 2020

Unsupervised protocol-based intrusion detection for real-world networks


Anomaly-based Intrusion Detection Systems (IDSs) are rarely deployed in real networks, because of their high false positive rate. Their ability to detect unknown attacks is, however, very valuable in a context where new threats are emerging almost daily. This paper presents an unsupervised anomaly-based intrusion detection solution focused on protocol headers analysis. This approach is tested on a recent and realistic dataset (CICIDS2017) over a 4-day period. Each protocol is converted to a set of normalized numeric features, which are processed by 5 neural network architectures: deep autoencoders, deep MLPs, LSTMs, BiLSTMs, and GANs. The output of these algorithms is an anomaly score, which is normalized and combined with the anomaly scores of other protocols. We argue that this classification problem is very different from the actual problem of intrusion detection and requires new metrics. In particular, packet anomaly scores must be refined in a post-processing step to aggregate anomalies into continuous attacks. This approach successfully detects 7 out of 11 attacks not seen during the training phase, without any false positives. It is thus possible to consider deployments in real-world networks of such IDSs, capable of reliably detecting zero-day attacks.
Not file

Dates and versions

cea-02555669 , version 1 (27-04-2020)



Maxime Labonne, Alexis Olivereau, Baptiste Polve, Djamal Zeghlache. Unsupervised protocol-based intrusion detection for real-world networks. ICNC 2020: International Conference on Computing, Networking and Communications, Feb 2020, Big Island, United States. pp.299-303, ⟨10.1109/ICNC47757.2020.9049796⟩. ⟨cea-02555669⟩
137 View
0 Download



Gmail Facebook Twitter LinkedIn More