Statistical Analysis Driven Optimized Deep Learning System for Intrusion Detection

08/16/2018 ∙ by Cosimo Ieracitano, et al. ∙ University of Stirling 0

Attackers have developed ever more sophisticated and intelligent ways to hack information and communication technology systems. The extent of damage an individual hacker can carry out upon infiltrating a system is well understood. A potentially catastrophic scenario can be envisaged where a nation-state intercepting encrypted financial data gets hacked. Thus, intelligent cybersecurity systems have become inevitably important for improved protection against malicious threats. However, as malware attacks continue to dramatically increase in volume and complexity, it has become ever more challenging for traditional analytic tools to detect and mitigate threat. Furthermore, a huge amount of data produced by large networks has made the recognition task even more complicated and challenging. In this work, we propose an innovative statistical analysis driven optimized deep learning system for intrusion detection. The proposed intrusion detection system (IDS) extracts optimized and more correlated features using big data visualization and statistical analysis methods (human-in-the-loop), followed by a deep autoencoder for potential threat detection. Specifically, a pre-processing module eliminates the outliers and converts categorical variables into one-hot-encoded vectors. The feature extraction module discard features with null values and selects the most significant features as input to the deep autoencoder model (trained in a greedy-wise manner). The NSL-KDD dataset from the Canadian Institute for Cybersecurity is used as a benchmark to evaluate the feasibility and effectiveness of the proposed architecture. Simulation results demonstrate the potential of our proposed system and its outperformance as compared to existing state-of-the-art methods and recently published novel approaches. Ongoing work includes further optimization and real-time evaluation of our proposed IDS.



There are no comments yet.


page 6

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

The heterogeneity of data in modern networks and variety of new protocols have made the intrusion detection ever more complex and challenging. In this context, there is a great deal of interest in developing intelligent, robust and efficient Intrusion Detection Systems (IDS) capable of identifying the potential or unforeseen threat and consequently denying access to the system. In the literature, traditional machine learning algorithms have been widely employed to develop IDS

[19]. However, these techniques are based on handcrafted features by expert users and remain deficient to handle high-dimensional volume of training data. Deep learning (DL) is an advanced machine learning technique that addresses the limitations of shallow machine learning algorithms [11] by learning feature representation at varying level of granularity directly from raw input data through a deep hierarchical structure. Since DL has shown to achieve human-level performances in several real-world applications (i.e. health care [7],[13]

, sentiment analysis

[4],[5], saliency detection [20],[21]) recently, researchers have proposed several novel DL driven cybersecurity algorithms [14]. DL driven solutions are capable of efficiently analyzing big data and identifying temporal structures in long complex sequences in real-time.

In this paper, an innovative Statistical Analysis Driven Optimized DL System for Intrusion Detection is proposed. Specifically, a statistical-driven deep autoencoder (AE) is developed to detect normal and abnormal traffic patterns. The proposed framework has been evaluated using the recent NSL-KDD dataset (updated version of the previous KDD Cup 99 (KDD99) dataset [17]). The proposed framework constitutes three main modules as shown in Figure 1: data preprocessing, feature extraction, and classification. Data preprocessing discards the outliers and converts categorical variables into one-hot-encoded vectors. Feature extraction selects the most correlated features and discards features with null values grater than 80%; For classification

, a deep autoencoder and a shallow multilayer perceptron (MLP) classifier are used to classify different categories of the NSL-KDD dataset (Normal, DoS, R2L, Probe). The deep AE and shallow MLP classifiers are compared with four recent models which have been on NSL-KDD dataset. Experimental results (Table

5) showed that the deep AE classifier outperformed all other approaches and achieved accuracy up to 87%.

The remainder of this paper is organized as follows. Section 2, illustrates previous approaches, especially based on DL architectures trained with NSL-KDD dataset. Section 3 describes the proposed methodology, including NSL-KDD dataset description, data preprocessing, feature extraction and classification. Section 4 discusses the experimental results. Finally, Section 5 concludes the paper.

2 Related work

The KDD99 and NSL-KDD datasets have been widely employed as benchmarks to assess the performance and effectiveness of different intrusion detection models. Alrawashdeh et al. [3]

developed a deep belief network (DBN) based on Restricted Boltzmann Machine (RBM) modules, followed by a multi-class softmax layer. The model was tested on 10% of the KDD99 test dataset and achieved a detection accuracy up to 97.9% with a false alarm rate of 2.47%. Tang et al.


proposed a deep learning approach for flow-based anomaly detection in an Software Defined Networking (SDN) environment. The authors developed a Deep Neural Network (DNN) with 3 hidden layers, trained on the NSL-KDD dataset to perform only binary classification (normal, anomaly) using six basic features. However, the reported accuracy was 75.75%. Kim et al.

[10] developed a different DNN architecture (with 4 hidden layers and 100 hidden units) and optimized trained using adam optimization algorithm. However, the performance was measured using the KDD99 dataset. Javaid et al. [9] proposed a self-taught learning (STL) approach based on sparse autoencoders for anomaly detection. The NSL-KDD dataset was employed as benchmark to quantify the performance. In [22]

proposed a Recurrent Neural Network (RNN) for anomaly detection using the same benchmark, claiming accuracies of 83.28% and 81.29% in binary and multiclass classification, respectively. Shone et al.

[15] proposed a non-symmetric deep auto-encoder (NDAE) model for intrusion detection tested on both KDD99 and NSL-KDD dataset, achieving 5-class accuracy rate up to 97.85% and 85.42%, respectively. Recently, Diro et al. [1]

proposed a novel DL architecture based on autoencoders for attack detection in fog-to-things computing, using the NSL-KDD. However, the evaluation restricted to binary detection (normal, anomaly) only. In this paper, we propose an innovative statistical driven deep learning method for detecting network intrusion. The NSL-KDD dataset is used to estimate the reliability of the model for binary and multi-class classification and aforementioned limitations have been addressed.

3 Methodology

The flowchart of the proposed method is illustrated in Figure 1. The KDD dataset is first filtered by eliminating the outliers, followed by the transformation of categorical features into one-hot-encoded vectors. Afterwards a statistical analysis has been carried out over 38 numeric features in order to extract more correlated features. Finally, a deep and shallow classifiers are employed to test the detection accuracy.

3.1 NSL-KDD dataset

The used NSL-KDD dataset [18] is arranged into a training set of 125973 samples (KDDTrain+) and a testing set of 22544 samples (KDDTest+). The dataset has (i=1,2,..41) features with 38 numeric and 3 categorical features. Specifically, protocol_type, service, flag (, , ) represent 3 categorical variables. Table 1 summarizes attack types and 4 different categories: (1)DoS (Denial of Service attacks), (2) R2L (Root to Local attacks), (3) U2R (User to Root attack), (4) Probe (Probing attacks). The structure of the NSL-KDD dataset is shown in Table 2.

Figure 1: Flowchart of the proposed method
Attack class Attack type
Dos back, land, neptune, pod, smurf, teardrop
ftp_write, guess_passwd, imap, multihop,
phf, spy, warezclient, warezmaster
U2R buffer_overflow, loadmodule, perl, rootkit
Probe ipsweep, nmap, portsweep, satan
Table 1: Attack types of DoS, R2L, U2R, Probe categories.
NSL-KDD Total Normal Dos Probe R2L U2R
KDDTrain+ 125973 67343 45927 11656 995 52
KDDTest+ 18793 9710 5741 1106 2199 37
Table 2: NSL-KDD dataset composition without additional test attacks types.

3.2 Data preprocessing

3.2.1 Outliers analysis:

Removing outliers from the dataset before performing the data normalization has proven to be an essential task. This operation removes inconsistent values that makes the learning difficult. In this study, the Median Absolute Deviation (MAD) estimator is used for detecting the outliers. It is defined as follow:


where C=1.4826 is a multiplicative constant typically used under the assumption of data normality and is the instance belonged to the feature .

Specifically, was considered an outlier when (with k=10). The original size of training and testing sets was reduced from 125973 to 85421 and from 22544 to 11925 , respectively. Table 3 summarizes the dataset after removing outliers. It is to be noted that, the dataset is highly unbalanced with only 18 test samples in the U2R attack class. Therefore, the final dataset removed U2R class.

NSL-KDD Total Normal Dos Probe R2L U2R
85421 51551 23272 9683 874 41
11925 7341 1975 620 1971 18
Table 3: NSL-KDD dataset composition after removing outliers.

3.2.2 One hot encoding

Since features , , (protocol type, service and flag) consist of categorical values, these features were converted into one hot encoded vectors. For example, the protocol type feature includes 3 attributes: tcp, udp and icmp, and were represented as (1,0,0),(0,1,0),(0,0,1), respectively. Similarly, service and flag features were represented by binary values. This procedure maps the 41-dimensional features into 122-dimensional features: 38 continuous and 84 with binary values associated to the 3 categorical features ( protocol, flag, and service).

3.3 Feature extraction

Several feature extraction techniques exist in literature (i.e.[12]). However, in this study, the proposed feature extraction module selects the most correlated features according to the following procedure. Firstly, the percentage of null values are quantified for 38 numeric features vectors. The histogram in Figure 2 shows the distribution of zeros of each numeric feature in the training set. In this study, variables with number of zeros greater than 80 % are not included in the analyses.It is to be noted that 20 features (depicted in red in Figure 2 ) out of 38 consists of mostly zeros which are discarded. Therefore, the remaining 18 numeric features are combined with 84 one-hot-encoded features forming 102-dimensional input vector for deep AE and shallow MLP classifier.

Figure 2: Distribution of the number of zeros in each numeric features of the training set. Features with null values greater than 80% are depicted in red and are discarded from the analysis.

3.4 Classification

In this section, two machine learning algorithms are presented to classify different categories of the NSL-KDD dataset (Normal, DoS, R2L and Probe). Specifically, a deep architecture based on Autoencoder and a shallow architecture based on standard Multi Layer Perceptron are implemented. Details of the proposed frameworks are described in the following subsections.

3.4.1 Deep AE Classifier

An autoencoder is a type of unsupervised learning algorithm, typically used for dimensionality reduction purposes. The AE standard configuration includes one input layer, one output layer and one hidden layer, as showed in Figure

3 (a). It compresses the input data x into a lower dimension h through the encoding process:


where x, w, b

are the input vector, weight matrix, the bias vector, respectively and


is the activation function. Then, it attempts to reconstruct the same set of input (

x) from the compressed representation (h) through the decoding process:


The architecture of the deep AE classifier is showed in Figure 3 (a). The extracted 102 features are the input of the single hidden layer AE that compressed the input space from 102 into 50 latent features (). At this stage, the AE is trained with unsupervised learning through the scaled conjugate gradient algorithm, for 100 iterations. The saturating linear transfer function ( if , if , if ) and the linear transfer function () is used for encoding and decoding operations. The reconstruction of the input features (x

) is measured through the mean squared error (MSE) coefficient. The proposed AE achieved the reconstruction error of 0.0083. Subsequently, the 50 compressed features are fed into a softmax output layer trained with supervised learning for performing the multi-class detection task. Finally, the whole network (AE+softmax) is trained with supervised learning (backpropagation algorithm) to improve the classification performance (fine-tuning method). The training is stopped when the cross-entropy loss function

[6] saturates. In this study, the convergence is observed after 300 iterations.

3.4.2 Shallow MLP Classifier

The architecture of the shallow MLP classifier is showed in Figure 3

(b). it constitutes standard standard feed-forward neural network trained with supervising learning through scaled conjugate gradient algorithm. For fair comparative analysis, both shallow and deep AE models have adopted same architecture. The shallow MLP architecture has used a single hidden layer with 50 hidden neurons followed by a softmax output layer.

Figure 3: (a) Proposed Deep AE Classifier: The AE [102:50:102] compresses the 102 features (x) into 50 most significant variables (h) used as input for a final softmax output layer (o) to perform the multi-class detection. (b) Shallow MLP Classifier: standard single layer feed-forward neural network with 50 hidden neurons () followed by a softmax output layer (o) .

4 Experimental results

The effectiveness of the proposed deep (AE) and shallow (MLP) classifier is evaluated using standard metrics: Precision (PR), recall (RC), F_measure (or F_score) and accuracy (ACC):


where true positives (TP) represent the number of anomalous samples correctly identified as anomaly; true negatives (TN) represent the number of normal samples correctly identified as normal; false positives (FP) are the number of normal samples missclassified as anomaly; false negatives (FN) are the number of anomaly samples missclassified as normal. Table 4 reports the outcome of the experiments. The shallow MLP classifier showed good performances in detecting Normal, Dos and Probe categories, reporting F_measure values of 87.10%, 97.08%, 77.13%, respectively. However remained deficient to classify the R2L attack class accurately ( achieving F_measure of 11.74%).The deep AE classifier achieved better results in terms of F_measure rate in all categories, with performances up to 98%. To find out the most optimal AE architecture, different numbers of hidden layers were tested. Specifically, the performance of the proposed deep AE classifier (having one layer) with 50 hidden neurons () was compared with a two hidden layers AE architecture (with 50 and 25 hidden neurons respectively, ) and a three hidden layers AE architecture (with 50, 25, 12 hidden neurons respectively, ). Experimental results showed that the classifier achieved the best accuracy of 87% as compared to accuracies achieved by (82%) and (81%), this is possibly due to over compression in multilayered AE.

Attack class Precision Recall F_measure
Normal 96.35 96.19 79.46 85.03 87.10 90,27
Dos 96.96 98.18 97.21 97.05 97.08 97,61
Probe 96.29 94.03 64.33 69.82 77.13 80,14
R2L 6.24 39.78 99.19 99.49 11.74 56,83
Table 4: NSL-KDD performance (Precision, Recall, F_measure) for the deep AE classifier and the shallow MLP classifier.

Table 5 reports the comparison of proposed deep AE and shallow MLP classifier with four recently proposed approaches in the literature. In order to compare our results, we referred to studies that focused on multi-classification tasks using the NSL-KDD dataset. It is to be noted that, the proposed AE based deep learning architecture, outperformed all other approaches, achieving accuracy up to 87%. However, the MLP classifier achieved maximum accuracy of 81.6% . In [8] the authors proposed a sequential learning algorithm achieving an accuracy of 76.04%. In [9] the authors developed a sparse autoencoder based classifier and reported 79.10% accuracy. In [22] the authors developed a RNN based system and reported multiclass accuracy of 81.29%. In [15], the authors proposed a stacked non-symmetric deep autoencoders and reported 5-class accuracy of 85.42%. Here, instead, we propose an alternative statistical analysis driven deep AE classifier able to achieve multiclass accuracy of 87%.

Model Accuracy (%)
AE proposed 87
MLP proposed 81.43
Huang et al. [8] 76.04
Abeshu et al. [9] 79.10
Yin et al. [22] 81.29
Shone et al. [15] 85.42
Table 5: Accuracy performance and comparison with state of the art models.

5 Conclusion

The proposed approach leverages the complementary strengths of both automated feature engineering (provided by deep learning) and manual statistical driven optimized feature engineering (based on human-in-the-loop and big data visualization) that helps the learning model to better correlate the input-output relationship. Specifically, we introduced a statistical analysis driven optimized DL system for intrusion detection. The NSL-KDD dataset was employed as benchmark to identify normal and abnormal network traffic patterns. The most correlated features were extracted using statistical methods and were the input of a deep AE classifier. The feasibility and effectiveness of the proposed model were evaluated using precision, recall, F_measure and accuracy metrics. The comparative evaluation of proposed deep autoencoder with a shallow MLP classifier and state-of-the-art models showed that the proposed deep AE classifier outperformed all other approaches and achieved upto 87% accuracy. Future works include a more robust system capable of handling real-time traffic similar to NSL-KDD dataset to contextually detect intrusions in real-time applications. In addition, to concurrently acquire long-term learning, fast decision making, and low computational complexity for real-time Big Data processing, we intend to integrate the proposed work with our previously presented real-time autonomous decision making system [2].

6 Acknowledgment

Amir Hussain and Ahsan Adeel were supported by the UK Engineering and Physical Sciences Research Council (EPSRC) grant No.EP/M026981/1.


  • [1] Abeshu, A., Chilamkurti, N.: Deep learning: The frontier for distributed attack detection in fog-to-things computing. IEEE Communications Magazine 56(2), 169–175 (2018)
  • [2] Adeel, A., Larijani, H., Ahmadinia, A.: Random neural network based novel decision making framework for optimized and autonomous power control in lte uplink system. Physical Communication 19, 106–117 (2016)
  • [3] Alrawashdeh, K., Purdy, C.: Toward an online anomaly intrusion detection system based on deep learning. In: Machine Learning and Applications (ICMLA), 2016 15th IEEE International Conference on. pp. 195–200. IEEE (2016)
  • [4]

    Dashtipour, K., Gogate, M., Adeel, A., Algarafi, A., Howard, N., Hussain, A.: Persian named entity recognition. In: Cognitive Informatics & Cognitive Computing (ICCI* CC), 2017 IEEE 16th International Conference on. pp. 79–83. IEEE (2017)

  • [5]

    Dashtipour, K., Hussain, A., Zhou, Q., Gelbukh, A., Hawalah, A.Y., Cambria, E.: Persent: a freely available persian sentiment lexicon. In: International Conference on Brain Inspired Cognitive Systems. pp. 310–320. Springer (2016)

  • [6] De Boer, P.T., Kroese, D.P., Mannor, S., Rubinstein, R.Y.: A tutorial on the cross-entropy method. Annals of operations research 134(1), 19–67 (2005)
  • [7] Gasparini, S., Campolo, M., Ieracitano, C., Mammone, N., Ferlazzo, E., Sueri, C., Tripodi, G.G., Aguglia, U., Morabito, F.C.: Information theoretic-based interpretation of a deep neural network approach in diagnosing psychogenic non-epileptic seizures. Entropy 20(2),  43 (2018)
  • [8] Huang, H., Khalid, R.S., Liu, W., Yu, H.: Work-in-progress: a fast online sequential learning accelerator for iot network intrusion detection. In: Hardware/Software Codesign and System Synthesis (CODES+ ISSS), 2017 International Conference on. pp. 1–2. IEEE (2017)
  • [9] Javaid, A., Niyaz, Q., Sun, W., Alam, M.: A deep learning approach for network intrusion detection system. In: Proceedings of the 9th EAI International Conference on Bio-inspired Information and Communications Technologies (formerly BIONETICS). pp. 21–26. ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering) (2016)
  • [10] Kim, J., Shin, N., Jo, S.Y., Kim, S.H.: Method of intrusion detection using deep neural network. In: Big Data and Smart Computing (BigComp), 2017 IEEE International Conference on. pp. 313–316. IEEE (2017)
  • [11] LeCun, Y., Bengio, Y., Hinton, G.: Deep learning. nature 521(7553),  436 (2015)
  • [12]

    Morabito, C.F.: Independent component analysis and feature extraction techniques for ndt data. Materials Evaluation

    58(1), 85–92 (2000)
  • [13]

    Morabito, F.C., Campolo, M., Ieracitano, C., Ebadi, J.M., Bonanno, L., Bramanti, A., Desalvo, S., Mammone, N., Bramanti, P.: Deep convolutional neural networks for classification of mild cognitive impaired and alzheimer’s disease patients from scalp eeg recordings. In: Research and Technologies for Society and Industry Leveraging a better tomorrow (RTSI), 2016 IEEE 2nd International Forum on. pp. 1–6. IEEE (2016)

  • [14] Najafabadi, M.M., Villanustre, F., Khoshgoftaar, T.M., Seliya, N., Wald, R., Muharemagic, E.: Deep learning applications and challenges in big data analytics. Journal of Big Data 2(1),  1 (2015)
  • [15] Shone, N., Ngoc, T.N., Phai, V.D., Shi, Q.: A deep learning approach to network intrusion detection. IEEE Transactions on Emerging Topics in Computational Intelligence 2(1), 41–50 (2018)
  • [16] Tang, T.A., Mhamdi, L., McLernon, D., Zaidi, S.A.R., Ghogho, M.: Deep learning approach for network intrusion detection in software defined networking. In: Wireless Networks and Mobile Communications (WINCOM), 2016 International Conference on. pp. 258–263. IEEE (2016)
  • [17] Tavallaee, M., Bagheri, E., Lu, W., Ghorbani, A.A.: A detailed analysis of the kdd cup 99 data set. In: Computational Intelligence for Security and Defense Applications, 2009. CISDA 2009. IEEE Symposium on. pp. 1–6. IEEE (2009)
  • [18] Tavallaee, M., Bagheri, E., Lu, W., Ghorbani, A.A.: Nsl-kdd dataset. Available on http://www. unb. ca/research/iscx/dataset/iscx-NSL-KDD-dataset. html),[Accessed on 28 Feb. 2016] (2012)
  • [19] Tsai, C.F., Hsu, Y.F., Lin, C.Y., Lin, W.Y.: Intrusion detection by machine learning: A review. Expert Systems with Applications 36(10), 11994–12000 (2009)
  • [20] Wang, Z., Ren, J., Zhang, D., Sun, M., Jiang, J.: A deep-learning based feature hybrid framework for spatiotemporal saliency detection inside videos. Neurocomputing 287, 68–83 (2018)
  • [21]

    Yan, Y., Ren, J., Sun, G., Zhao, H., Han, J., Li, X., Marshall, S., Zhan, J.: Unsupervised image saliency detection with gestalt-laws guided optimization and visual attention based refinement. Pattern Recognition

    79, 65–78 (2018)
  • [22] Yin, C., Zhu, Y., Fei, J., He, X.: A deep learning approach for intrusion detection using recurrent neural networks. IEEE Access 5, 21954–21961 (2017)