dc.contributor.advisor: Goulart, Ana
dc.contributor.advisor: Chennamaneni, Anitha
dc.creator: Bowen, Brandon
dc.date.accessioned: 2022-07-27T16:54:24Z
dc.date.available: 2023-12-01T09:21:47Z
dc.date.created: 2021-12
dc.date.issued: 2021-12-01
dc.date.submitted: December 2021
dc.identifier.uri: https://hdl.handle.net/1969.1/196444
dc.description.abstract: Intrusion detection systems (IDS) play a critical role in cybersecurity and are used to identify malicious behaviour in network traffic. The weakness of modern approaches is that they are reactive responses reliant on having an understanding of the types of attacks the network might encounter, or policies based on assumed user behavior. This method requires someone to analyze past attacks to develop a preventive measure and to build policies around expected user behavior. Since it relies on human intervention, it is often slow to respond and can poorly anticipate the needs of the system. It is also often inadequate because it is susceptible to any new attack that does not fit the predefined expectations for malicious activity. Traditional machine learning (ML) models, such as Decision Tree, Random Forest or Clustering algorithms, have been used to analyze network traffic and detect attacks that are already within a system, but can range in detection time from minutes to months, and are not a preventive measure. Deep learning (DL) models provide an alternative solution that can classify data based on high-level features extracted in near real time. This means that a deep learning IDS can operate without the domain expertise and human intervention required with traditional machine learning models. DL models also tend to outperform traditional ML in both efficiency and accuracy when dealing with large datasets. First, we reviewed several anomaly-based intrusion detection datasets, such as the widely used KDD-99 and CIC-DDoS2019, and the relevant research that had used ML and DL methods for intrusion detection. Next, multiple model configurations using Convolutional Neural Network (CNN) and Recurrent Neural Network (RNN) layers were trained on the CIC-DDoS2019 dataset in order to perform multiclass classification. The results were then used to guide future work in developing a novel DL model.
For the primary contribution of the research we then designed BLoCNet, a novel IDS model based on the combination of a CNN and Bidirectional Long Short-Term Memory (BLSTM) deep learning methods that performs multiclass classification. Using an extensive preprocessing, training, and testing protocol, we show that BLoCNet is over 98% accurate when classifying the individual attacks in the CIC-IDS2017 dataset, 100% accurate with the IoT-23 dataset, and outperforms most of the related work with higher precision and recall of individual classes. We also demonstrate that BLoCNet is dataset independent by evaluating it with two topical datasets while maintaining a high level of accuracy.
dc.format.mimetype: application/pdf
dc.language.iso: en
dc.subject: Cybersecurity
dc.subject: machine learning
dc.subject: deep learning
dc.subject: intrusion detection
dc.title: BLoCNet: A Novel Deep Learning Model for Cyber Attack Detection
dc.type: Thesis
thesis.degree.department: Industrial and Systems Engineering
thesis.degree.discipline: Engineering Technology
thesis.degree.grantor: Texas A&M University
thesis.degree.name: Master of Science
thesis.degree.level: Masters
dc.contributor.committeeMember: Rajendran, Jeyavijayan
dc.type.material: text
dc.date.updated: 2022-07-27T16:54:24Z
local.embargo.terms: 2023-12-01
local.etdauthor.orcid: 0000-0001-7654-0976