Introduction

- We present a novel intrusion detection method based on the Transformer architecture, tailored to cloud environments, which analyzes the characteristics of intrusion behavior and protects against a broad spectrum of attacks.
- We give a thorough account of the network intrusion detection process. We first describe the architecture of the Transformer model, then explain in detail the pipeline of our intrusion detection model, which is organized into three stages: data preprocessing, model training, and label prediction.
- We evaluate our method thoroughly on well-established datasets with standard performance metrics, describing the experimental setup, environment, and dataset. The experimental results demonstrate the robustness and effectiveness of our algorithm.
Related work
Network security and intrusion detection
Network intrusion detection in clouds
Description and design
Implementation of our algorithm
Attention mechanism
Transformer model structure
NIDS based on Transformer
Data preprocessing
Model training
Experimental evaluation
Experimental settings
Experimental environment and parameter configuration
Parameters | Value |
---|---|
Batch size | 1024 |
Encoder layer | 3,4,5 |
The number of neurons in the hidden layer of a fully connected network | 512 |
Q,K,V dimensions | 80 |
Heads of attention | 8 |
Loss rate | 0.1 |
Learning rate | 0.001 |
Dataset
Attack Type | Attack Description | Number of Records |
---|---|---|
Benign | Normal traffic. | 10856019 |
Botnet | By infecting a large number of hosts with bot malware, a one-to-many control network is formed between the controller and the infected hosts. | 144535 |
Infiltration | An application vulnerability is exploited to run a backdoor on the victim’s computer, which is then used to scan the internal network and attack other computers. | 144336 |
DDoS Attack | Multiple distributed hosts send requests to the target, so that the resulting load degrades the handling of correct, legitimate requests. | 775955 |
DoS Attack | Attackers overload the system with a large number of requests in a short period of time, so that legitimate requests go unanswered. | 196631 |
Web Attack | Automated tools scan websites for vulnerabilities and attack vulnerable sites, for example by SQL injection. | 94101 |
Brute-force Attack | A common form of attack in which programs crack passwords by brute force, usually to gain unauthorized access. | 884 |
Model evaluation
Detection performance
Experimental results
Class | Accuracy (%) | Precision (%) | Recall (%) | F1-score (%) |
---|---|---|---|---|
Normal | 93.572 | 94.6515 | 98.3251 | 96.4533 |
Botnet | 99.9891 | 99.7199 | 99.3589 | 99.5391 |
Infiltration | 98.7943 | 44.2619 | 11.776 | 13.228 |
DDoS | 94.7668 | 64.4014 | 39.4349 | 48.9167 |
DoS | 99.8151 | 99.2901 | 89.1539 | 93.9494 |
Web | 99.8675 | 85.5708 | 99.5962 | 92.0523 |
Brute-force | 99.9612 | 17.2378 | 36.9811 | 12.1062 |
Model | Indicator | Benign | Botnet | Infiltration | DDoS | Web Attacks | Brute-force | DoS |
---|---|---|---|---|---|---|---|---|
Ours | Accuracy | 0.9357 | 0.9998 | 0.9879 | 0.9477 | 0.9988 | 0.9997 | 0.9982 |
Ours | Precision | 0.9465 | 0.9971 | 0.4427 | 0.6441 | 0.8557 | 0.1724 | 0.9929 |
Ours | Recall | 0.9833 | 0.9936 | 0.1178 | 0.3944 | 0.996 | 0.3698 | 0.8916 |
Ours | F1-score | 0.9645 | 0.9954 | 0.1323 | 0.4892 | 0.9205 | 0.1211 | 0.9395 |
CNN-LSTM | Accuracy | 0.9457 | 0.9997 | 0.9476 | 0.9985 | 0.9988 | 0.9992 | 0.9993 |
CNN-LSTM | Precision | 0.9074 | 0.9952 | 0.6373 | 0.9953 | 0.0165 | 0.9837 | 0.9912 |
CNN-LSTM | Recall | 0.9816 | 0.9986 | 0.1747 | 0.9986 | 0.7143 | 0.9944 | 0.9996 |
CNN-LSTM | F1-score | 0.9452 | 0.9992 | 0.2722 | 0.9975 | 0.0323 | 0.989 | 0.9953 |
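The two tables above report per-class accuracy, precision, recall and F1 computed one-vs-rest, and they show the pattern a defender has to read carefully: for rare classes such as Infiltration and Brute-force, accuracy stays near 99% while F1 collapses, because the benign majority dominates the "true negative" count. The following is an added example (not the paper's code) that computes these one-vs-rest metrics from a multiclass confusion matrix and compares each class's accuracy with the "never flag this class" baseline. The confusion matrix, class names and the threshold in `flag_misleading_accuracy` are constructed for illustration and are not the paper's data.

```python
"""One-vs-rest detection metrics for a multiclass NIDS.

Added example, not from the paper. The confusion matrix below is a
constructed toy (rows = true class, columns = predicted class) that mimics
the benign-heavy imbalance of the dataset; it is not the paper's output.
"""
from typing import Dict, List

CLASSES: List[str] = ["Benign", "Botnet", "Infiltration", "DDoS"]

# Constructed confusion matrix. Benign dominates, Infiltration is rare and
# mostly confused with Benign, which is the situation the tables exhibit.
CONFUSION: List[List[int]] = [
    [9500, 20, 400, 80],   # true Benign
    [5, 990, 0, 5],        # true Botnet
    [300, 0, 90, 10],      # true Infiltration
    [100, 0, 20, 880],     # true DDoS
]


def one_vs_rest_metrics(cm: List[List[int]], classes: List[str]) -> Dict[str, Dict[str, float]]:
    """Per-class accuracy/precision/recall/F1, each class treated as positive
    against all others, plus the accuracy a detector would score by never
    predicting that class at all (the majority baseline)."""
    total = sum(sum(row) for row in cm)
    metrics: Dict[str, Dict[str, float]] = {}
    for i, name in enumerate(classes):
        tp = cm[i][i]
        fn = sum(cm[i]) - tp                      # missed instances of this class
        fp = sum(cm[r][i] for r in range(len(cm))) - tp  # other classes labelled as this one
        tn = total - tp - fn - fp
        support = tp + fn
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / support if support else 0.0
        # F1 = 2PR/(P+R) written in counts to avoid a 0/0 corner case
        f1 = 2 * tp / (2 * tp + fp + fn) if (2 * tp + fp + fn) else 0.0
        metrics[name] = {
            "accuracy": (tp + tn) / total,
            "precision": precision,
            "recall": recall,
            "f1": f1,
            # Accuracy of a detector that never raises this class: only the
            # class's own instances count as errors.
            "baseline_accuracy": 1.0 - support / total,
        }
    return metrics


def flag_misleading_accuracy(metrics: Dict[str, Dict[str, float]],
                             min_f1: float = 0.5,
                             min_accuracy: float = 0.9) -> List[str]:
    """Classes whose headline accuracy looks fine but whose F1 says the
    detector is not actually catching them. Thresholds are illustrative."""
    return [name for name, m in metrics.items()
            if m["accuracy"] >= min_accuracy and m["f1"] < min_f1]


if __name__ == "__main__":
    result = one_vs_rest_metrics(CONFUSION, CLASSES)
    print(f"{'Class':<13}{'Acc':>8}{'Prec':>8}{'Rec':>8}{'F1':>8}{'NoFlag':>8}")
    for name, m in result.items():
        print(f"{name:<13}{m['accuracy']:>8.4f}{m['precision']:>8.4f}"
              f"{m['recall']:>8.4f}{m['f1']:>8.4f}{m['baseline_accuracy']:>8.4f}")
    print("accuracy is misleading for:", flag_misleading_accuracy(result))
```

With the constructed matrix, Infiltration scores 94.1% accuracy but 19.8% F1, and the do-nothing baseline for that class is 96.8%, so the detector is worse on that class than never alerting at all. The same reading applies to the paper's Infiltration and Brute-force rows: compare per-class F1 (or recall, when missed intrusions are the costly error) rather than accuracy when judging whether the model protects against a given attack type.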