Introduction
Related works
Basic concept
Long short-term memory LSTM
- Forget gate layer (Fig. 4a): looks at the current input and the hidden state received from the previous time step, then decides which information the LSTM is going to delete from the cell state, using a sigmoid function (1 means keep it, 0 means delete it). It is calculated as: \(f_{t}=\sigma (W_{f}\cdot[h_{t-1}, x_{t}]+b_{f})\)
- Input/Update gate layer (Fig. 4b): decides which information the LSTM is going to store in the cell state. First, the input gate layer decides which values will be updated, using a sigmoid function; then a tanh layer proposes a new candidate vector to add to the cell state. The LSTM then updates the cell state by dropping the information the forget gate selected and adding the new candidate values. It is calculated as: \(i_{t}=\sigma (W_{i}\cdot[h_{t-1}, x_{t}]+b_{i})\) and \(\tilde{C}_{t} = \tanh(W_{C}\cdot[h_{t-1}, x_{t}] + b_{C})\)
- Output layer (Fig. 4c): decides what the output will be. A sigmoid function selects which parts of the cell state the LSTM is going to output; the cell state is passed through a tanh layer (values between −1 and 1) and multiplied by that selection, so only the chosen information is passed on to the next time step. It is calculated as: \(o_{t} = \sigma (W_{o}\cdot[h_{t-1},x_{t}] + b_{o})\) and \(h_{t} = o_{t} * \tanh (C_{t})\)
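A worked forward step of these three gates, added here as an illustration and not code from the original paper: pure Python, one unit and one input feature, with hand-set (constructed, not trained) weights. The cell-state update \(C_{t} = f_{t} * C_{t-1} + i_{t} * \tilde{C}_{t}\) is the standard one the prose above describes but does not write out; the forget-gate bias `bf` is varied to show the "1 keeps, 0 deletes" behaviour over a short sequence.

```python
import math
from typing import Dict, List, Tuple

Vec = List[float]
Mat = List[List[float]]
Params = Dict[str, object]


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def affine(W: Mat, v: Vec, b: Vec) -> Vec:
    """Row-wise W . v + b; W has one row per LSTM unit and len(v) columns."""
    return [sum(w * x for w, x in zip(row, v)) + bi for row, bi in zip(W, b)]


def lstm_step(p: Params, h_prev: Vec, c_prev: Vec, x_t: Vec) -> Tuple[Vec, Vec]:
    """One time step using the gate equations f_t, i_t, C~_t, o_t, h_t from the text."""
    z = h_prev + x_t  # the concatenation [h_{t-1}, x_t]
    f = [sigmoid(v) for v in affine(p["Wf"], z, p["bf"])]          # forget gate: 1 keep, 0 delete
    i = [sigmoid(v) for v in affine(p["Wi"], z, p["bi"])]          # input gate: which values to write
    c_tilde = [math.tanh(v) for v in affine(p["Wc"], z, p["bc"])]  # candidate cell values
    # cell-state update the prose describes: C_t = f_t * C_{t-1} + i_t * C~_t
    c = [ft * cp + it * ct for ft, cp, it, ct in zip(f, c_prev, i, c_tilde)]
    o = [sigmoid(v) for v in affine(p["Wo"], z, p["bo"])]          # output gate
    h = [ot * math.tanh(cv) for ot, cv in zip(o, c)]               # h_t = o_t * tanh(C_t)
    return h, c


def run_sequence(p: Params, xs: List[Vec], units: int) -> Tuple[Vec, Vec]:
    """Unroll the cell over a sequence from a zero initial state; returns final (h, C)."""
    h, c = [0.0] * units, [0.0] * units
    for x_t in xs:
        h, c = lstm_step(p, h, c, x_t)
    return h, c


def make_params(units: int, n_in: int, wc_x: float, bf: float) -> Params:
    """Constructed weights (hypothetical, not trained): the candidate reads the input with
    weight wc_x, input and output gates are biased fully open (bias 20 -> sigmoid ~ 1),
    and bf sets the forget-gate bias so 'keep' (bf >> 0) vs 'delete' (bf << 0) is visible."""
    zeros = [[0.0] * (units + n_in) for _ in range(units)]
    wc = [[0.0] * units + [wc_x] * n_in for _ in range(units)]
    return {"Wf": zeros, "bf": [bf] * units, "Wi": zeros, "bi": [20.0] * units,
            "Wc": wc, "bc": [0.0] * units, "Wo": zeros, "bo": [20.0] * units}
```

With an input event only at t = 0 followed by silence, a strongly positive `bf` keeps the stored value in the cell state across later steps, while a strongly negative `bf` wipes it to (numerically) zero.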
Feature selection
Principal component analysis (PCA)
Mutual information (MI)
Our approach
The KDD99 dataset
- Denial of service attack (DoS): an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks typically function by overwhelming or flooding a targeted machine with requests until normal traffic can no longer be processed.
- User to root attack (U2R): an attack in which the attacker exploits some vulnerability to gain root access to the system, giving them unauthorized access to the local superuser account.
- Remote to local attack (R2L): occurs when the attacker finds vulnerable points in a computer or in network security software to gain access to the machine or the system. The main goal of this attack is to explore or steal data illegally, introduce viruses, or cause damage to the victim.
- Probing attack: also called scanning/discovery, this is the first step of an attack; probing is done to gather information on the targeted system. The network is scanned for known vulnerabilities in infrastructure software, as well as unknown vulnerabilities in the custom code developed for the specific target application.
Classification of attacks | Attack name |
---|---|
Probe | Portsweep, IPsweep, Nmap, Satan |
DoS | Neptune, Smurf, Pod, Teardrop, Land, back |
U2R | Bufferoverflow, LoadModule, Perl, Rootkit |
R2L | Guesspassword, Ftpwrite, Imap, Phf, Multihop, Warezmaster, Warezclient |
Attack type | Number of instances |
---|---|
SMURF(DOS) | 2,807,886 |
NEPTUNE(DOS) | 1,072,017 |
Back (DOS) | 2,203 |
POD (DOS) | 264 |
Teardrop (DOS) | 979 |
Buffer overflow (U2R) | 30 |
Load module (U2R) | 9 |
PERL (U2R) | 3 |
Rootkit (U2R) | 10 |
FTP write (R2L) | 8 |
Guess password (R2L) | 53 |
IMAP(R2L) | 12 |
Multihop (R2L) | 7 |
PHF (R2L) | 4 |
SPY (R2L) | 2 |
Warez client (R2L) | 1,02 |
Warez master (R2L) | 20 |
IPSWEEP (PROBE) | 12,481 |
NMAP (PROBE) | 2,316 |
PORTSWEEP(PROBE) | 10,413 |
SATAN (PROBE) | 15,892 |
Normal | 972,781 |
Data preprocessing
Binary classification
Record type | Before sampling | After sampling |
---|---|---|
Normal | 972,781 | 100,000 |
Attacks | 3,925,650 | 100,148 |
Multiclass classification
Record type | Before sampling | After sampling |
---|---|---|
Normal | 972,781 | 120,000 |
DoS | 3,925,650 | 100,000 |
R2L | 1,114,267 | 100,000 |
PCA and mutual information
Principal component analysis (PCA)
Mutual information (MI)
Implementation and evaluation metrics
Parameter | Binary | Multiclass |
---|---|---|
Activation function | Sigmoid | Softmax |
Loss function | Binary crossentropy | Sparse categorical crossentropy |
Optimizer | Adam | Adam |
Learning rate | 0.002 | 0.002 |
Epsilon | 1e-08 | 1e-08 |
Schedule decay | 0.004 | 0.004 |
Epochs | 50 | 50 |
Dropout | 0.1 | 0.1 |