1 Introduction
Detecting network intrusion is an old problem; however, the risk of network intrusion has continued to increase with advances in network technologies over the last decade. Network intruders have always found a way to bypass traditional network intrusion detection systems such as rule-based, expert, and statistical analysis-based systems.
Network intrusion detection systems have been divided into two categories, misuse detection and anomaly detection (Chen et al., 2005). In misuse detection, historical attack data are analyzed to identify attacks or intrusions in current network events. Several methods have been used to perform misuse detection. The most common techniques involve the analysis and profiling of network data, such as the work done in (Ghosh et al., 1999). However, this requires a great deal of manual labor. Techniques that require less manual work include fuzzy logic (Naik et al., 2018), k-nearest neighbors (Li et al., 2018), and supervised machine learning algorithms (Kabir et al., 2018; Resende & Drummond, 2018; Sakr et al., 2019). While misuse detection techniques have low false positive rates and high accuracy when detecting known attack types, they do not maintain these standards when confronting unseen attack types (Chen et al., 2005). This happens because misuse detection techniques depend on analyzing the patterns of known attacks (Chen et al., 2005).
Anomaly Network Intrusion Detection Systems (ANIDS) attempt to address the attack-data dependency issue found in misuse detection (Agrawal & Agrawal, 2015). In ANIDS, the system analyzes normal transactions only. Any event that does not exhibit the same patterns as a normal transaction is considered an intrusion or anomaly. As with misuse detection, there are several techniques that implement ANIDS. These include, but are not limited to, rule-based systems and clustering (Agrawal & Agrawal, 2015), genetic algorithms (Agrawal & Agrawal, 2015) and other machine learning models such as One-Class Support Vector Machines (OSVMs) (Ahmed et al., 2016; Kumar et al., 2011). Since ANIDS depends only on normal network event data for intrusion detection, it can detect unseen or unknown attacks with high accuracy. However, ANIDS suffers from a high false positive rate (Chen et al., 2005) because of outliers in the normal events analyzed by the system.
Another distinction between models is whether they are supervised or unsupervised. SVMs (Sakr et al., 2019), decision trees (Resende & Drummond, 2018) and k-nearest neighbors are supervised models, whereas OSVMs (Ahmed et al., 2016) and clustering (Agrawal & Agrawal, 2015) are unsupervised. Note that whether a system is supervised does not indicate whether it performs misuse or anomaly detection.
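To make the misuse/anomaly and supervised/unsupervised distinctions above concrete, here is an added Python example; it is not from the paper nor from any of the cited systems. It runs two detectors over constructed flow records: a hypothetical rule-based misuse detector built from two hand-written signatures of known attack profiles, and a simple anomaly detector that profiles only the normal flows (no attack labels) with per-feature z-scores, standing in for the OSVMs cited above. The feature names, signature bounds, threshold and every flow value are invented for illustration.

```python
"""Added toy example (not from the paper): misuse vs anomaly detection on constructed flow records."""
from dataclasses import dataclass
from math import sqrt
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

FEATURES = ("pps", "bytes_per_pkt", "dst_ports", "syn_ratio")


@dataclass(frozen=True)
class Flow:
    """Constructed per-flow summary: packets/s, mean bytes per packet,
    distinct destination ports touched, fraction of packets with SYN set."""
    pps: float
    bytes_per_pkt: float
    dst_ports: float
    syn_ratio: float

    def vector(self) -> Tuple[float, ...]:
        return tuple(getattr(self, f) for f in FEATURES)


# Misuse detection: rules derived from *known* attack profiles (hypothetical signatures).
# Each rule is a set of per-feature (low, high) bounds that must all hold.
SIGNATURES: Dict[str, Dict[str, Tuple[float, float]]] = {
    "port_scan": {"dst_ports": (100, float("inf")), "bytes_per_pkt": (0, 100)},
    "syn_flood": {"pps": (1000, float("inf")), "syn_ratio": (0.9, 1.0)},
}


def misuse_detect(flow: Flow) -> Optional[str]:
    """Return the name of the first matching known-attack signature, else None."""
    for name, bounds in SIGNATURES.items():
        if all(lo <= getattr(flow, f) <= hi for f, (lo, hi) in bounds.items()):
            return name
    return None


class AnomalyDetector:
    """Anomaly detection: profile *normal* traffic only (no attack labels) and flag
    flows whose standardized distance from that profile exceeds a threshold."""

    def __init__(self, threshold: float = 3.0) -> None:
        self.threshold = threshold
        self.mu: List[float] = []
        self.sigma: List[float] = []

    def fit(self, normal_flows: List[Flow]) -> "AnomalyDetector":
        columns = list(zip(*(f.vector() for f in normal_flows)))
        self.mu = [mean(c) for c in columns]
        # Guard against a constant feature so we never divide by zero.
        self.sigma = [pstdev(c) or 1e-9 for c in columns]
        return self

    def score(self, flow: Flow) -> float:
        z = [(x - m) / s for x, m, s in zip(flow.vector(), self.mu, self.sigma)]
        return sqrt(sum(v * v for v in z))

    def is_anomaly(self, flow: Flow) -> bool:
        return self.score(flow) > self.threshold


# Constructed normal training traffic (ordinary client sessions).
NORMAL_TRAIN = [
    Flow(10, 800, 1, 0.05), Flow(12, 750, 1, 0.06), Flow(8, 900, 2, 0.04),
    Flow(11, 820, 1, 0.05), Flow(9, 780, 1, 0.07), Flow(13, 760, 2, 0.05),
]

# Constructed evaluation flows with their ground truth.
TEST_FLOWS = [
    ("normal_session", Flow(10, 790, 1, 0.05), "normal"),
    ("syn_flood", Flow(5000, 40, 1, 1.0), "attack"),       # known attack type
    ("port_scan", Flow(200, 60, 500, 0.95), "attack"),      # known attack type
    ("unseen_exfil", Flow(15, 1400, 1, 0.05), "attack"),    # no signature exists for it
    ("nightly_backup", Flow(14, 1450, 1, 0.02), "normal"),  # legitimate outlier
]


def evaluate() -> Dict[str, Dict[str, object]]:
    """Run both detectors over TEST_FLOWS; return per-flow verdicts and ground truth."""
    det = AnomalyDetector().fit(NORMAL_TRAIN)
    results: Dict[str, Dict[str, object]] = {}
    for name, flow, truth in TEST_FLOWS:
        results[name] = {
            "truth": truth,
            "misuse": misuse_detect(flow),      # matched signature name, or None
            "anomaly": det.is_anomaly(flow),    # True = flagged as anomalous
            "score": round(det.score(flow), 2),
        }
    return results


if __name__ == "__main__":
    for name, r in evaluate().items():
        print(f"{name:15s} truth={r['truth']:7s} misuse={str(r['misuse']):10s} "
              f"anomaly={r['anomaly']} score={r['score']}")
```

Running it reproduces the trade-off described above: the exfiltration-like flow has no signature, so the misuse detector returns None while the anomaly detector flags it, whereas the legitimate backup burst, an outlier among normal events, is flagged by the anomaly detector and left alone by the signatures. Only the anomaly detector needed no attack data, which is the sense in which the text calls OSVMs unsupervised.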
Recently, deep learning has been the focus of attention in network intrusion detection research (Gamage & Samarabandu, 2020; Gurung et al., 2019; KB, 2020; Man & Sun, 2021). Both supervised and unsupervised models have been studied. Examples include the work done in (Khan et al., 2019; Shone et al., 2018; Vikram, 2020; Wang et al., 2018), which showed higher accuracy when compared with previous work. Furthermore, to reduce false positives and increase system accuracy, some researchers, such as in (Agarap, 2017) and (Erfani et al., 2016), have proposed combining deep and shallow learning to increase the accuracy of network intrusion detection. Meanwhile, the work done in (Khan, 2021) and (Al & Dener, 2021) proposes combining multiple deep learning models to enhance the accuracy of a network intrusion detection system.