With the widespread use of the Internet, network attacks are common and emerge endlessly. The Network Intrusion Detection System (NIDS) stands as a critical security infrastructure, commonly categorized into signature-based and anomaly-based approaches. The former pursues a fine-grained classification while the latter provides unknown attack detection in a binary-classification manner (i.e., merely identifying malicious or not). However, they cannot support both simultaneously, e.g., identify unknown attacks when performing fine-grained classification. This paper introduces HF-IDS, a hybrid method that combines the strengths of both anomaly and signature-based detection to address the challenge of fine-grained known/unknown intrusion detection. We first employs an anomaly detector to distinguish the anomaly (malicious) and benign traffic. Subsequently, a lightweight Variational Encoder-Augmented Classifier (VEAC) is designed for precise fine-grained classification. With the results of both models, a tailored unknown identification rule set is deployed to pinpoint unknown attacks and guarantee the fine-grained classification performance for known attacks. Extensive experiments showcase the superiority of HF-IDS over state-of-the-art methods, particularly in the detection rate of unknown attacks, with an average improvement of 14.54%. Moreover, we further produce a series of ablation experiments, overhead evaluations, and visualization results to provide a detailed discussion of HF-IDS.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

HF-IDS: A Hybrid Method for Fine-Grained Known/Unknown Intrusion Detection

  • Tianming Zheng,
  • Yixin Jiang,
  • Feiyang Huang,
  • Wenqian Xu,
  • Zhihong Liang,
  • Hua Li

摘要

With the widespread use of the Internet, network attacks are common and emerge endlessly. The Network Intrusion Detection System (NIDS) stands as a critical security infrastructure, commonly categorized into signature-based and anomaly-based approaches. The former pursues a fine-grained classification while the latter provides unknown attack detection in a binary-classification manner (i.e., merely identifying malicious or not). However, they cannot support both simultaneously, e.g., identify unknown attacks when performing fine-grained classification. This paper introduces HF-IDS, a hybrid method that combines the strengths of both anomaly and signature-based detection to address the challenge of fine-grained known/unknown intrusion detection. We first employs an anomaly detector to distinguish the anomaly (malicious) and benign traffic. Subsequently, a lightweight Variational Encoder-Augmented Classifier (VEAC) is designed for precise fine-grained classification. With the results of both models, a tailored unknown identification rule set is deployed to pinpoint unknown attacks and guarantee the fine-grained classification performance for known attacks. Extensive experiments showcase the superiority of HF-IDS over state-of-the-art methods, particularly in the detection rate of unknown attacks, with an average improvement of 14.54%. Moreover, we further produce a series of ablation experiments, overhead evaluations, and visualization results to provide a detailed discussion of HF-IDS.