Intelligent intrusion detection based on federated learning aided long short-term memory☆
Introduction
With the widespread use of network applications and the continuous development of network attack techniques, cyberspace security technology has attracted close attention from all sectors of society [1], [2], [3]. Intrusion detection is one of the most pressing problems in cyberspace security. In recent years, the detection of abnormal user behaviour has become an important branch of intrusion detection. Because each user has different work tasks and personal habits, the commands a user enters are both sequential and diverse [4]. Shell commands are recorded in the .bash_history file in each user's home directory; if an intrusion occurs, the commands entered by the intruder will differ from those of the normal user. (The history file is written by the shell itself, so an intruder can disable or truncate it; an auditing system should therefore capture commands as they are entered rather than rely on the file alone.) Hence, it is necessary to design a detection system that audits the shell commands entered by users, so as to detect and prevent malicious actions such as directory traversal attacks, reading or deleting files in bulk, and uninstalling software in bulk.
In recent years, deep learning has been regarded as one of the most effective tools for a wide range of problems in cyberspace security [5], [6], [7], owing to its powerful feature extraction capability. However, a user's shell command input is operationally private, and many users cannot share their personal datasets for model training. Recent studies show a positive correlation between the performance of machine learning models and the size of the training dataset: a larger training set usually means a better-performing model [8]. Most existing intrusion detection models are built on traditional machine learning algorithms, and it is difficult for them to train on users' local datasets without exposing user privacy. This paper addresses these problems with a federated learning (FL) model. In FL, a central server coordinates multiple sub-servers (one per participating user) so that their datasets jointly contribute to a common model from which all participants benefit. Each user's raw data is kept locally and is never exchanged or transmitted; only model updates are sent to the central server, so the raw command history is never exposed to the server or to other users.
Because user input is complex and successive shell commands depend on their context, this paper proposes a federated learning-aided long short-term memory (FL-LSTM) framework for intelligent intrusion detection (IID) [9], [10], [11]. The model focuses on detecting high-risk malicious behaviours such as directory traversal attacks, reading or deleting files in bulk, and uninstalling software in bulk. The dataset is derived from the open-source SEA dataset: attack scenarios are set up by inserting attack commands, and the labels are reassigned accordingly. Finally, an independent validation dataset is used to test model performance. Simulation results show that the proposed method learns the features of the sub-end user datasets comprehensively while preserving user privacy, and achieves high classification accuracy and strong practicality.
Related work
The detection of abnormal behaviour from user shell commands has drawn the attention of many researchers and has become a research hotspot in recent years. Owing to the excellent classification performance of machine learning [12], [13], [14], [15], [16], [17], [18], researchers have applied machine learning approaches such as Bayesian models, support vector machines, genetic algorithms and other models to intrusion detection. Generally, intrusion
Dataset preprocessing
Preprocessing of the dataset is performed by a Tokenizer, which vectorizes text, i.e. converts it into the corresponding integer sequence. When a shell command block is fed to the network model, the tokenizer first counts the words in the text to generate a dictionary; the input command block is then converted into a vector of dictionary indices. An input shorter than the fixed input length is padded to fill the length and meet the length
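The preprocessing step above (build a dictionary from the corpus, map each command block to dictionary indices, pad or truncate to a fixed length), as an added example that is not code from the paper. It reproduces the conventions of the Keras Tokenizer and pad_sequences in plain Python so it runs without TensorFlow: a frequency-ranked dictionary with 1-based indices, index 0 reserved for padding, and 'pre' padding and truncation. The command blocks are constructed for the example; the split-on-whitespace tokenization and the out-of-vocabulary handling are assumptions, not details given on the page.

```python
"""Shell-command preprocessing: dictionary, integer sequences, padding.

Added example, not code from the paper. Mirrors the Keras Tokenizer /
pad_sequences conventions in plain Python: frequency-ranked 1-based
dictionary, index 0 = padding, 'pre' padding and truncation.
"""
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: one block = the commands of one session, joined by ';'.
SAMPLE_BLOCKS = [
    "cd project ; ls ; git status ; vim main.c ; make",
    "ls ; cd src ; vim util.c ; make",
    "cd ../../../ ; cat /etc/shadow ; cat /etc/passwd",   # directory traversal
    "rm -rf /var/www/* ; rm -rf /home/*",                  # bulk deletion
]


def tokenize(block: str) -> List[str]:
    """Split on whitespace only. Shell tokens such as '-rf' and '/etc/shadow'
    carry the signal, so punctuation is deliberately not stripped (the Keras
    Tokenizer default filters would turn '-rf' into 'rf')."""
    return block.split()


def build_dictionary(blocks: List[str]) -> Dict[str, int]:
    """Count every token over the corpus and rank by frequency; the most
    frequent token gets index 1 (0 is the padding value)."""
    counts = Counter(tok for block in blocks for tok in tokenize(block))
    return {tok: i for i, (tok, _) in enumerate(counts.most_common(), start=1)}


def to_sequence(block: str, word_index: Dict[str, int],
                oov_index: Optional[int] = None) -> List[int]:
    """Map a block to dictionary indices. Tokens absent from the dictionary
    are dropped unless an explicit out-of-vocabulary index is given; for a
    detector this matters, because an attacker's unseen commands would
    otherwise vanish from the input."""
    seq = []
    for tok in tokenize(block):
        idx = word_index.get(tok, oov_index)
        if idx is not None:
            seq.append(idx)
    return seq


def pad_sequence(seq: List[int], maxlen: int, padding: str = "pre",
                 truncating: str = "pre", value: int = 0) -> List[int]:
    """Fix the length: longer sequences lose tokens at the start ('pre') or
    end ('post'); shorter ones are filled with `value` on that side."""
    if len(seq) > maxlen:
        seq = seq[-maxlen:] if truncating == "pre" else seq[:maxlen]
    fill = [value] * (maxlen - len(seq))
    return fill + seq if padding == "pre" else seq + fill


def preprocess(blocks: List[str], word_index: Dict[str, int],
               maxlen: int) -> List[List[int]]:
    """Full pipeline for a batch of blocks, ready for an embedding layer."""
    return [pad_sequence(to_sequence(b, word_index), maxlen) for b in blocks]


if __name__ == "__main__":
    word_index = build_dictionary(SAMPLE_BLOCKS)
    for block, vec in zip(SAMPLE_BLOCKS, preprocess(SAMPLE_BLOCKS, word_index, 8)):
        print(f"{block!r:55} -> {vec}")
    # A new session with tokens the dictionary has never seen ('../' and '/'):
    print(to_sequence("cd ../ ; rm -rf /", word_index))
```

Two points a practitioner should check when doing this with the real Keras Tokenizer: its default `filters` argument strips characters such as `-`, `/` and `.`, which mangles shell tokens, so pass `filters=''`; and because the dictionary is built from the corpus, every client in a federated setting must use the same dictionary, otherwise the same index means different commands on different clients.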
Experimental results
In the experiments, LSTM-based and CNN-based intrusion detection models were trained first. Then the FL-LSTM model was built. Finally, the performance of the models was compared in terms of prediction accuracy, recall, precision and related metrics. The basic information on the four sub-end datasets and the validation dataset is shown in Table 2. In this section, the following tests are performed.
- Use the full dataset to train the intrusion detection model through the LSTM framework
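The federated training loop described in the Introduction (a central server coordinating several sub-end users whose raw data never leaves their machines) together with the accuracy, precision and recall comparison on an independent validation set used in this section, as an added example that is not the paper's code. Assumed here: four simulated users with constructed command histories, a token vocabulary agreed by all clients in advance (standing in for the shared tokenizer dictionary), and a logistic-regression classifier in place of the LSTM so that the example runs without a deep learning framework. The aggregation rule is federated averaging weighted by local sample count.

```python
"""Federated averaging (FedAvg) over four sub-end users' command histories.

Added example, not the paper's code. Each simulated user trains a logistic
regression classifier on its own labelled command blocks (constructed here)
and uploads only the weights; the server averages them by sample count, so
the raw command history never leaves a client. Assumed: a token vocabulary
agreed by all clients in advance (standing in for the shared tokenizer
dictionary) and a linear model in place of the LSTM, to run framework-free.
"""
import math
from typing import Dict, List, Tuple

VOCAB = ["ls", "cd", "cat", "vim", "git", "make", "rm", "-rf", "../", "apt",
         "remove", "purge", "dpkg", "find", "xargs", "/etc/shadow", "/etc/passwd"]
DIM = len(VOCAB)
Model = Tuple[List[float], float]      # (weights, bias)
Dataset = List[Tuple[str, int]]        # (command block, label); 1 = malicious

def featurize(block: str) -> List[float]:
    """Binary bag of vocabulary tokens; a token counts if it starts with the
    vocabulary entry, so '../../etc' matches '../'."""
    tokens = block.split()
    return [1.0 if any(t.startswith(v) for t in tokens) else 0.0 for v in VOCAB]

# Constructed local datasets: different habits, different intrusions per user.
CLIENTS: Dict[str, Dataset] = {
    "user_a": [("cd project ; ls ; git status ; vim main.c ; make", 0),
               ("ls ; cd src ; vim util.c ; make ; git commit", 0),
               ("rm -rf /var/www/* ; rm -rf /home/*", 1)],
    "user_b": [("git pull ; make ; ls -la", 0),
               ("cd ../../.. ; cat /etc/passwd ; cat /etc/shadow", 1),
               ("cd ../../../../etc ; cat /etc/shadow", 1)],
    "user_c": [("vim report.md ; git add . ; git commit", 0),
               ("apt remove -y nginx ; apt purge -y mysql-server ; dpkg -r apache2", 1),
               ("cd docs ; ls ; cat README", 0)],
    "user_d": [("find / -name '*.log' | xargs rm -rf", 1),
               ("ls ; cd build ; make clean ; make", 0),
               ("cat notes.txt ; vim notes.txt", 0)],
}
# Independent validation set held by the evaluator, never by a client.
VALIDATION: Dataset = [
    ("cd src ; ls ; git diff ; vim app.c ; make", 0),
    ("rm -rf /var/log/* ; rm -rf /tmp/*", 1),
    ("cd ../../../ ; cat /etc/shadow ; cat /etc/passwd", 1),
    ("apt purge -y nginx ; dpkg -P postfix ; apt remove -y exim4", 1),
    ("git fetch ; make test ; ls", 0),
    ("find /home -name '*.bak' | xargs rm -rf", 1),
]

def _prob(w: List[float], b: float, x: List[float]) -> float:
    z = max(-30.0, min(30.0, sum(wi * xi for wi, xi in zip(w, x)) + b))
    return 1.0 / (1.0 + math.exp(-z))      # clamped sigmoid, no overflow

def predict(model: Model, block: str) -> int:
    return 1 if _prob(model[0], model[1], featurize(block)) >= 0.5 else 0

def local_train(model: Model, data: Dataset, epochs: int, lr: float) -> Model:
    """Client side: SGD on local data starting from the global model.
    Only the resulting weights leave this function."""
    w, b = list(model[0]), model[1]
    for _ in range(epochs):
        for block, y in data:
            x = featurize(block)
            err = _prob(w, b, x) - y
            w = [wi - lr * err * xi for wi, xi in zip(w, x)]
            b -= lr * err
    return w, b

def fed_avg(updates: List[Tuple[Model, int]]) -> Model:
    """Server side: average client models weighted by their sample counts."""
    total = sum(n for _, n in updates)
    dim = len(updates[0][0][0])
    w = [sum(m[0][i] * n for m, n in updates) / total for i in range(dim)]
    b = sum(m[1] * n for m, n in updates) / total
    return w, b

def train_federated(clients: Dict[str, Dataset], rounds: int = 20,
                    epochs: int = 5, lr: float = 0.5) -> Model:
    """Central server loop: broadcast, local training, weighted averaging."""
    model: Model = ([0.0] * DIM, 0.0)
    for _ in range(rounds):
        updates = [(local_train(model, data, epochs, lr), len(data))
                   for data in clients.values()]
        model = fed_avg(updates)
    return model

def evaluate(model: Model, data: Dataset) -> Dict[str, float]:
    """Accuracy, precision and recall with 'malicious' as the positive class."""
    pairs = [(predict(model, block), y) for block, y in data]
    tp = sum(1 for p, y in pairs if p == 1 and y == 1)
    fp = sum(1 for p, y in pairs if p == 1 and y == 0)
    fn = sum(1 for p, y in pairs if p == 0 and y == 1)
    return {"accuracy": sum(1 for p, y in pairs if p == y) / len(pairs),
            "precision": tp / (tp + fp) if tp + fp else 0.0,
            "recall": tp / (tp + fn) if tp + fn else 0.0}

if __name__ == "__main__":
    print(evaluate(train_federated(CLIENTS), VALIDATION))
```

The point to notice is the interface between `local_train` and `fed_avg`: the only object that crosses from a client to the server is a weight vector plus a sample count. Tokens that appear in a single user's history (the traversal commands of user_b, the package removals of user_c) still end up in the global model because that user's weight updates are averaged in, which is what lets the federated model cover attack types that no single client has seen in full.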
Conclusion
In this paper, we have proposed an effective FL-LSTM based IID method that achieves high detection accuracy while protecting users' privacy. Simulation results showed that the proposed FL-LSTM method works well, since the LSTM framework captures the context of each command and thus provides richer semantic information in the feature vectors. Centralized learning achieved the best performance and serves as the upper bound on federated learning performance, but from the simulation results it can be seen that the
CRediT authorship contribution statement
Ruijie Zhao: Software, Methodology, Writing - original draft, Writing - review & editing. Yue Yin: Visualization, Validation. Yong Shi: Investigation, Writing - review & editing. Zhi Xue: Supervision.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
References
- et al. Auto-detection of sophisticated malware using lazy-binding control flow graph and deep learning. Comput. Secur. (2018)
- et al. Remaining useful life estimation of engineered systems using vanilla LSTM neural networks. Neurocomputing (2018)
- et al. Empirical evaluation of SVM-based masquerade detection using UNIX commands. Comput. Secur. (2005)
- et al. Ten challenges in advancing machine learning technologies towards 6G. IEEE Wireless Commun. Mag. (2020)
- et al. Future intelligent and secure vehicular network towards 6G: Machine-learning approaches. Proc. IEEE (2020)
- et al. 6G: Opening new horizons for integration of comfort, security and intelligence. IEEE Wireless Commun. Mag. (2020)
- et al. Detecting masquerades using a combination of Naive Bayes and weighted RBF approach. J. Comput. Virol. (2007)
- et al. RTVD: A real-time volumetric detection scheme for DDoS in the internet of things. IEEE Access (2020)
- et al. Understanding the usage of industrial control system devices on the internet. IEEE Internet Things J. (2018)
- C. Sun, A. Shrivastava, S. Singh, Revisiting unreasonable effectiveness of data in deep learning era, in: ICCV, Venice, ...
- Behavioral modeling and linearization of wideband RF power amplifiers using BiLSTM networks for 5G wireless systems. IEEE Trans. Veh. Technol.
- Context embedding based on Bi-LSTM in semi-supervised biomedical word sense disambiguation. IEEE Access
- The deep learning vision for heterogeneous network traffic control: Proposal, challenges, and future perspective. IEEE Wirel. Commun. Mag.
- Transfer learning for semi-supervised automatic modulation classification in ZF-MIMO systems. IEEE J. Emerg. Sel. Top. Circuits Syst.
- Deep learning based channel estimation for massive MIMO with mixed-resolution ADCs. IEEE Commun. Lett.
- Flight delay prediction based on aviation big data and machine learning. IEEE Trans. Veh. Technol.
- LightAMC: Lightweight automatic modulation classification using deep learning and compressive sensing. IEEE Trans. Veh. Technol.
- A novel adaptive resource allocation model based on SMDP and reinforcement learning algorithm in vehicular cloud system. IEEE Trans. Veh. Technol.
Ruijie Zhao is currently pursuing the master’s degree with the School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, China. His research interest is deep learning, wireless network security, and intrusion detection systems.
Yue Yin received the B.S. degree in communication engineering from Nanjing University of Posts and Telecommunications, Nanjing, China, in 2018. She has been pursuing the Ph.D. degree in communication engineering at Nanjing University of Posts and Telecommunications, Nanjing, China, since 2018. Her research interests are deep learning, non-orthogonal multiple access (NOMA) and advanced wireless techniques.
Yong Shi is currently a Lecturer with the School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, China. His research interests include cyber threat intelligence and intrusion detection systems.
Zhi Xue is currently a Professor with the School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, China. His research interests include wireless network security, cloud security, cryptography, and cyber threat intelligence.
☆ This work was supported by the Foundation Item: Cyber Security from the National Key Research and Development Program of Shanghai Jiao Tong University under Grant 2017YFB0803203.