NetFlow-based network anomaly detection system using machine/deep learning

Keywords: network intrusion detection system (NIDS), NetFlow features, machine learning (ML), deep learning (DL)

Abstract


Introduction/purpose: Detecting network anomalies with a network intrusion detection system (NIDS) is an exceptionally valuable tool, especially in military applications, for protecting networks against cyber attacks; this work focuses on NetFlow data for distinguishing normal from incident situations. The paper investigates the effectiveness of machine learning (ML) and deep learning (DL) models against network anomalies in a NIDS, using the publicly available NF-UQ-NIDS dataset, which contains NetFlow records, with the aim of improving network protection.

Methods: Sarhan, M., Layeghy, S., Moustafa, N. and Portmann, M., in their 2021 paper from the Big Data Technologies and Applications conference, used a preprocessing step that keeps 8 of the 12 available features for the training phase. The source and destination IP addresses and their associated ports were explicitly excluded. The main contribution of this paper is the inclusion of all available features in the training phase, using several ML and DL classification algorithms, namely ExtraTrees, ANN, a simple CNN and VGG16, for binary classification.

Results: The performance of the analysed classification models was evaluated with several metrics (accuracy, recall, precision and others), allowing a comprehensive comparison of the results obtained. In the final analysis, the ML model ExtraTrees outperforms all other models with the proposed preprocessing that uses all available features, reaching a classification accuracy of 99.09%, compared with 97.25% on the reference dataset.
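As an added example (not part of the paper and not NF-UQ-NIDS tooling), the following Python script builds the two feature sets described above from NetFlow v9-style records that use the 12 NF-UQ-NIDS column names, trains a single-split decision stump as a stand-in for the ExtraTrees/ANN/CNN models, and computes the accuracy, precision and recall used to score them. The four flow records are constructed sample values, not dataset rows. On this tiny sample several columns separate benign from attack flows perfectly and the stump reports the first one it finds: with all 12 features that is the source address, with the 8-feature baseline it is IN_BYTES. That is the check worth running on a real training set before adopting the all-features preprocessing: a model that separates the classes on endpoint identifiers has learned the testbed's address plan rather than the traffic behaviour.

```python
"""Two NetFlow feature-set preprocessings and binary-classification metrics.

Added example: the CSV header follows the 12 NetFlow v9 features of
NF-UQ-NIDS; the rows are constructed samples, not dataset records, and the
decision stump is a stand-in learner, not the paper's ExtraTrees/ANN/CNN.
"""
import csv
import io
import ipaddress
from typing import Dict, List, Sequence, Tuple

# The 12 NetFlow features of NF-UQ-NIDS; Label is 0 = benign, 1 = attack.
NETFLOW_FEATURES = [
    "IPV4_SRC_ADDR", "L4_SRC_PORT", "IPV4_DST_ADDR", "L4_DST_PORT",
    "PROTOCOL", "L7_PROTO", "IN_BYTES", "OUT_BYTES", "IN_PKTS", "OUT_PKTS",
    "TCP_FLAGS", "FLOW_DURATION_MILLISECONDS",
]
IP_COLUMNS = {"IPV4_SRC_ADDR", "IPV4_DST_ADDR"}
IDENTIFIER_COLUMNS = IP_COLUMNS | {"L4_SRC_PORT", "L4_DST_PORT"}
# Baseline preprocessing (Sarhan et al. 2021): drop addresses and ports -> 8 features.
BASELINE_FEATURES = [f for f in NETFLOW_FEATURES if f not in IDENTIFIER_COLUMNS]

# Constructed sample flows (assumed values, not from NF-UQ-NIDS): two benign
# web sessions and two single-packet probes from one source host.
SAMPLE_CSV = """\
IPV4_SRC_ADDR,L4_SRC_PORT,IPV4_DST_ADDR,L4_DST_PORT,PROTOCOL,L7_PROTO,IN_BYTES,OUT_BYTES,IN_PKTS,OUT_PKTS,TCP_FLAGS,FLOW_DURATION_MILLISECONDS,Label
192.168.1.10,51234,10.0.0.5,443,6,91,1200,5400,10,12,27,350,0
192.168.1.11,40021,10.0.0.5,80,6,7,800,3100,8,9,27,210,0
172.16.0.9,33333,10.0.0.5,22,6,92,60,0,1,0,2,0,1
172.16.0.9,33334,10.0.0.5,23,6,0,60,0,1,0,2,0,1
"""

Stump = Tuple[str, float, int]  # (feature, threshold, label predicted above threshold)


def load_flows(text: str) -> List[Dict[str, str]]:
    """Parse NetFlow CSV export text into one dict per flow record."""
    return list(csv.DictReader(io.StringIO(text)))


def encode_value(column: str, value: str) -> int:
    """Numeric encoding: IPv4 dotted quads become their 32-bit integer."""
    if column in IP_COLUMNS:
        return int(ipaddress.IPv4Address(value))
    return int(float(value))


def build_matrix(rows: Sequence[Dict[str, str]],
                 features: Sequence[str]) -> Tuple[List[List[int]], List[int]]:
    """Select the requested feature columns and the binary label."""
    X = [[encode_value(c, r[c]) for c in features] for r in rows]
    y = [int(r["Label"]) for r in rows]
    return X, y


def binary_metrics(y_true: Sequence[int], y_pred: Sequence[int]) -> Dict[str, float]:
    """Accuracy, precision, recall and F1 for a 0/1 labelling; 0.0 when undefined."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 0)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    total = tp + tn + fp + fn
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": (tp + tn) / total if total else 0.0,
            "precision": precision, "recall": recall, "f1": f1}


def fit_stump(X: List[List[int]], y: List[int], features: Sequence[str]) -> Stump:
    """Exhaustive single-split learner; keeps the first split with the best accuracy."""
    best: Stump = (features[0], 0.0, 1)
    best_acc = -1.0
    for j, name in enumerate(features):
        values = sorted({row[j] for row in X})
        for lo, hi in zip(values, values[1:]):  # candidate thresholds: midpoints
            thr = (lo + hi) / 2
            for above in (1, 0):  # try both orientations of the split
                pred = [above if row[j] > thr else 1 - above for row in X]
                acc = binary_metrics(y, pred)["accuracy"]
                if acc > best_acc:
                    best, best_acc = (name, thr, above), acc
    return best


def predict_stump(stump: Stump, X: List[List[int]], features: Sequence[str]) -> List[int]:
    name, thr, above = stump
    j = list(features).index(name)
    return [above if row[j] > thr else 1 - above for row in X]


def evaluate(feature_set: Sequence[str],
             csv_text: str = SAMPLE_CSV) -> Tuple[str, Dict[str, float]]:
    """Train and score the stump on one feature set; returns (split feature, metrics)."""
    rows = load_flows(csv_text)
    X, y = build_matrix(rows, feature_set)
    stump = fit_stump(X, y, feature_set)
    return stump[0], binary_metrics(y, predict_stump(stump, X, feature_set))


if __name__ == "__main__":
    for label, fs in (("baseline (8 features)", BASELINE_FEATURES),
                      ("all 12 features", NETFLOW_FEATURES)):
        split_on, m = evaluate(fs)
        print(f"{label}: split on {split_on}, accuracy={m['accuracy']:.2f}, "
              f"precision={m['precision']:.2f}, recall={m['recall']:.2f}")
```

Real training sets are held out before scoring; on this in-sample toy both feature sets reach accuracy 1.0, so the interesting output is the column the split lands on, not the number.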

Conclusion: The study analyses the effectiveness of different ML and DL classification algorithms in a NIDS using the NetFlow dataset.

 

References

Anitha, A.A. & Arockiam, L. 2019. ANNIDS: Artificial Neural Network based Intrusion Detection System for Internet of Things. International Journal of Innovative Technology and Exploring Engineering (IJITEE), 8(11), pp. 2583–2588. Available at: https://doi.org/10.35940/ijitee.K1875.0981119.

Bahlali, A.R. 2019. Anomaly-Based Network Intrusion Detection System: A Machine Learning Approach. MA thesis. Biskra, Algeria: University of Mohamed Khider, Faculty of Exact, Natural and Life Sciences, Computer Science Department. Available at: https://doi.org/10.13140/RG.2.2.29553.84325.

Cahyo, A.N., Hidayat, R. & Adhipta, D. 2016. Performance comparison of intrusion detection system based anomaly detection using artificial neural network and support vector machine. AIP Conference Proceedings, 1755(1,art.number:070011), pp. 1–7. Available at: https://doi.org/10.3969/j.issn.1002-6819.2015.01.028.

Cao, C., Panichella, A., Verwer, S., Blaise, A. & Rebecchi, F. 2022. ENCODE: Encoding NetFlows for State-Machine Learning. arXiv:2207.03890. Available at: https://doi.org/10.48550/arXiv.2207.03890.

Cisco. 2011. NetFlow Version 9 Flow-Record Format [online]. Available at: https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html [Accessed: 10 August 2023].

Figueiredo, J., Serrão, C. & de Almeida, A.M. 2023. Deep Learning Model Transposition for Network Intrusion Detection Systems. Electronics, 12(2,art.number:293). Available at: https://doi.org/10.3390/electronics12020293.

Fosić, I., Žagar, D., Grgić, K. & Križanović, V. 2023. Anomaly detection in NetFlow network traffic using supervised machine learning algorithms. Journal of Industrial Information Integration, 33, art.number:100466. Available at: https://doi.org/10.1016/j.jii.2023.100466.

Hofstede, R., Čeleda, P., Trammell, B., Drago, I., Sadre, R., Sperotto, A. & Pras, A. 2014. Flow Monitoring Explained: From Packet Capture to Data Analysis With NetFlow and IPFIX. IEEE Communications Surveys and Tutorials, 16(4), pp. 2037–2064. Available at: https://doi.org/10.1109/COMST.2014.2321898.

Labonne, M. 2020. Anomaly-based network intrusion detection using machine learning. Ph.D. thesis, Institut polytechnique de Paris. [online]. Available at: https://theses.hal.science/tel-02988296 [Accessed: 10 August 2023].

Liu, X., Tang, Z. & Yang, B. 2019. Predicting Network Attacks with CNN by Constructing Images from NetFlow Data. In: 2019 IEEE 5th Intl Conference on Big Data Security on Cloud (BigDataSecurity), IEEE Intl Conference on High Performance and Smart Computing, (HPSC) and IEEE Intl Conference on Intelligent Data and Security (IDS). Washington, DC, USA, pp.61–66, May 27-29. Available at: https://doi.org/10.1109/BigDataSecurity-HPSC-IDS.2019.00022.

Rizvi, S., Scanlon, M., McGibney, J. & Sheppard, J. 2023. Deep Learning Based Network Intrusion Detection System for Resource-Constrained Environments. In: Goel, S., Gladyshev, P., Nikolay, A., Markowsky, G. & Johnson, D. (Eds.) Digital Forensics and Cyber Crime. ICDF2C 2022. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering. Boston, MA, 508, pp.355–367, November 16-18. Cham: Springer. Available at: https://doi.org/10.1007/978-3-031-36574-4_21.

Sarhan, M., Layeghy, S., Moustafa, N. & Portmann, M. 2021. NetFlow Datasets for Machine Learning-Based Network Intrusion Detection Systems. In: Deze, Z., Huang, H., Hou, R., Rho, S. & Chilamkurti, N. (Eds.) Big Data Technologies and Applications. BDTA 2020, WiCON 2020. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering. Virtual Event, 371, pp. 117–135, December 11. Cham: Springer. Available at: https://doi.org/10.1007/978-3-030-72802-1_9.

Sarhan, M., Layeghy, S. & Portmann, M. 2022. Towards a Standard Feature Set for Network Intrusion Detection System Datasets. Mobile Networks and Applications, 27, pp. 357–370. Available at: https://doi.org/10.1007/s11036-021-01843-0.

Tufan, E., Tezcan, C. & Acartürk, C. 2021. Anomaly-Based Intrusion Detection by Machine Learning: A Case Study on Probing Attacks to an Institutional Network. IEEE Access, 9, pp. 50078–50092. Available at: https://doi.org/10.1109/ACCESS.2021.3068961.

Van, N.T., Thinh, T.N. & Sach, L.T. 2017. An anomaly-based network intrusion detection system using Deep learning. In: 2017 International Conference on System Science and Engineering (ICSSE). Ho Chi Minh City, Vietnam, pp. 210–214, September 11. Available at: https://doi.org/10.1109/ICSSE.2017.8030867.

Published
2023/12/04
Section
Original scientific papers