A Comparative Analysis of Deep Learning Approaches for Network Intrusion Detection Systems (N-IDSs): Deep Learning for N-IDSs

A Comparative Analysis of Deep Learning Approaches for Network Intrusion Detection Systems (N-IDSs): Deep Learning for N-IDSs

Vinayakumar R (Center for Computational Engineering and Networking (CEN), Amrita School of Engineering, Coimbatore, Amrita Vishwa Vidyapeetham, India), Soman KP (Center for Computational Engineering and Networking (CEN), Amrita School of Engineering, Coimbatore, Amrita Vishwa Vidyapeetham, India) and Prabaharan Poornachandran (Center for Cyber Security Systems and Networks, Amrita School of Engineering, Amritapuri, Amrita Vishwa Vidyapeetham, India)
Copyright: © 2019 |Pages: 25
DOI: 10.4018/IJDCF.2019070104
Article PDF Download
Open access articles are freely available for download


Recently, due to the advance and impressive results of deep learning techniques in the fields of image recognition, natural language processing and speech recognition for various long-standing artificial intelligence (AI) tasks, there has been a great interest in applying towards security tasks too. This article focuses on applying these deep taxonomy techniques to network intrusion detection system (N-IDS) with the aim to enhance the performance in classifying the network connections as either good or bad. To substantiate this to NIDS, this article models network traffic as a time series data, specifically transmission control protocol / internet protocol (TCP/IP) packets in a predefined time-window with a supervised deep learning methods such as recurrent neural network (RNN), identity matrix of initialized values typically termed as identity recurrent neural network (IRNN), long short-term memory (LSTM), clock-work RNN (CWRNN) and gated recurrent unit (GRU), utilizing connection records of KDDCup-99 challenge data set. The main interest is given to evaluate the performance of RNN over newly introduced method such as LSTM and IRNN to alleviate the vanishing and exploding gradient problem in memorizing the long-term dependencies. The efficient network architecture for all deep models is chosen based on comparing the performance of various network topologies and network parameters. The experiments of such chosen efficient configurations of deep models were run up to 1,000 epochs by varying learning-rates between 0.01-05. The observed results of IRNN are relatively close to the performance of LSTM on KDDCup-99 NIDS data set. In addition to KDDCup-99, the effectiveness of deep model architectures are evaluated on refined version of KDDCup-99: NSL-KDD and most recent one, UNSW-NB15 NIDS datasets.
Article Preview


Information and communication technology (ICT) systems have played a major role in most of the organizations, business, and so on. Human activities highly depend on this system. Alongside, the cyber-crimes to ICT systems are versatile in cyberspace and it has been exists since the birth of the computers. As ICT systems continues to evolve, cyber-crimes change accordingly. The taxonomy of cybercrimes, issues and methods is discussed in detail by (Lallement, 2013). The various attacks and its techniques used for cyber-crime are briefly reported by (Vaidya, 2015). To attack these cyber-crime activities and forensic investigation require a glaring need of comprehensive research study of an appropriate solutions system. One commonly studied critical area by industries and organization for the past several years is intrusion detection (ID). It is an important approach in network security. Many concepts and approaches of machine learning are transferred to ID with the aim to enhance the performance in distinguishing between the abnormal behaviors on the system from the normal network behavior. (Anderson, 1980) is an initial contributor towards the work in ID through a paper “Computer Security threat monitoring and surveillance” published in 1931. Fundamentally, the IDSs are categorized into two types based on the network type and its behaviors such as (1) network basis IDS (N-IDS): depend as far as the data prior to packets in network traffic to identify the malicious activities (2) host basis IDS: rely on the contents as far as the log files such as software logs, system logs, sensors, file systems, disk resources of particular host or a system. An organization uses the intercross as far as network and host-based system to effectively attack the malicious activities in real time environment. This has become an indispensable part of ICT systems and networks. However, the performances of detecting the unforeseen attacks are not acceptable with the existing traditional approaches in N-IDS.

Anomaly detection, state full protocol analysis and misuse detection are main significant methods used for network traffic data classification. Misuse detection is also termed as signature detection that depends on the predefined signatures and filters to efficiently determine the familiar intrusions. For anonymous intrusions, the performance is unacceptable, which may be due to the fact that signature detection relies on human task to constantly update the corpus of signatures with the aim to maintain the signature of new attacks. Anomaly detection aims at detecting the unknown intrusions based on heuristic approaches. Anomaly detection is not a reliable method for unknown intrusions mainly due to results in high false positive rate. Most of the commercial tools that exists in the market have used the hybrids of misuse detections and anomaly detections. A most commonly used powerful approach is state full protocol analysis. State full protocol analysis uses features that proprietarily designed by the software vendor to determine the divergence of specific conventions and applications.

The commercial tools prevailing in market are based on threshold computing approaches or statistical measures that utilize parameters for trafficking such as flow size, inter-arrival time, packet length and so on as features to learn the trafficking patterns for the network in a particular time window. The commercial system may limit the performance in detecting the complex attacks mainly due to the measures computed statistically based on packet header and packet length.

Complete Article List

Search this Journal:
Volume 14: 1 Issue (2022)
Volume 13: 6 Issues (2021)
Volume 12: 4 Issues (2020)
Volume 11: 4 Issues (2019)
Volume 10: 4 Issues (2018)
Volume 9: 4 Issues (2017)
Volume 8: 4 Issues (2016)
Volume 7: 4 Issues (2015)
Volume 6: 4 Issues (2014)
Volume 5: 4 Issues (2013)
Volume 4: 4 Issues (2012)
Volume 3: 4 Issues (2011)
Volume 2: 4 Issues (2010)
Volume 1: 4 Issues (2009)
View Complete Journal Contents Listing