Machine learning techniques have been used successfully to detect intrusions and attacks via network traffic analysis. Unfortunately, the detection model training process requires large labeled datasets, which are challenging to obtain due to the exceptional and elusive nature of network attacks. Moreover, the constant rise of novel malware and unknown attacks makes such models rapidly obsolete. Hence, security researchers struggle to keep up with new threats, since they cannot rely on sufficiently large and up-to-date datasets to detect such attacks effectively. This paper presents NetInDRL, a network intrusion detection method based on semi-supervised Deep Reinforcement Learning (DRL). This method trains a detection model by relying only on a limited network traffic dataset from known attacks and a much larger unlabeled dataset, which may contain both legitimate and malicious traffic produced by unknown attacks. By extracting statistical and frequency domain features, NetInDRL grasps the network behavior of known attacks and recognizes unknown ones within the unlabeled dataset. We evaluate the effectiveness and robustness of our method with a comprehensive set of experiments involving network traffic from 11 types of network attacks. Our results show that NetInDRL achieves an average AUC-ROC higher than 0.9, outperforming the other state-of-the-art methods in most experimental instances.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Robust Network Intrusion Detection via Semi-supervised Deep Reinforcement Learning

  • Riccardo Spolaor,
  • Tianhao Chen,
  • Pengfei Hu,
  • Xiuzhen Cheng

摘要

Machine learning techniques have been used successfully to detect intrusions and attacks via network traffic analysis. Unfortunately, the detection model training process requires large labeled datasets, which are challenging to obtain due to the exceptional and elusive nature of network attacks. Moreover, the constant rise of novel malware and unknown attacks makes such models rapidly obsolete. Hence, security researchers struggle to keep up with new threats, since they cannot rely on sufficiently large and up-to-date datasets to detect such attacks effectively. This paper presents NetInDRL, a network intrusion detection method based on semi-supervised Deep Reinforcement Learning (DRL). This method trains a detection model by relying only on a limited network traffic dataset from known attacks and a much larger unlabeled dataset, which may contain both legitimate and malicious traffic produced by unknown attacks. By extracting statistical and frequency domain features, NetInDRL grasps the network behavior of known attacks and recognizes unknown ones within the unlabeled dataset. We evaluate the effectiveness and robustness of our method with a comprehensive set of experiments involving network traffic from 11 types of network attacks. Our results show that NetInDRL achieves an average AUC-ROC higher than 0.9, outperforming the other state-of-the-art methods in most experimental instances.