Golchin, Pegah (2024)
Machine Learning Models in Network Intrusion Detection Systems : Self-Supervised Detection of Malicious Flows and Traffic Patterns Recognition in Programmable Networks.
Technische Universität Darmstadt
doi: 10.26083/tuprints-00027840
Dissertation, first publication, publisher's version
Abstract
The recent increase in cyber-attacks highlights the critical need for reliable Network Intrusion Detection Systems capable of detecting anomalies before they inflict substantial damage. Conventional intrusion detection methods often fail to classify previously unseen intrusion patterns accurately. This shortfall is exacerbated by the emergence of new network intrusion types and the evolving nature of network structures. Machine Learning (ML) models address this need by learning representations of network traffic flows. Nonetheless, challenges persist, particularly in ensuring their adaptability and ability to generalize in detecting various network traffic patterns and integrating them into programmable networks. The first contribution of this thesis highlights the presence of diverse flow feature patterns in existing network traffic patterns. To mitigate the impact of these disparities on the final detection performance and minimize noise in flow features, thereby reducing the complexity of ML models, an Ensemble Feature Selection approach is devised. This method integrates statistical and ML-based feature selectors, taking into account the imbalance of benign and attack traffic to avoid biased feature extraction. Evaluation results demonstrate the potential to attain high detection performance with a reduced flow feature dimension. Additionally, a data-driven approach is incorporated into the proposed feature selection method to improve the transferability of selected flow features across different network traffic patterns. The second contribution aims at tackling two main challenges: the limited availability of annotated network traffic flow data required for training ML models and the limited ability of ML models to generalize across various network traffic patterns.
To overcome these challenges, a Self-Supervised Contrastive Learning approach is introduced, which is specifically trained on benign flows to learn the abstract representation of benign flow patterns. The results illustrate improvements in the generalization of detection performance across diverse network traffic patterns. These improvements surpass the performance of both supervised and unsupervised ML models used as baselines. The last contribution explores integrating ML models into programmable networks, particularly following the Software-Defined Networking paradigm, which separates the data plane from the control plane. However, deploying complex ML models in the control plane can increase the risk of overwhelming it, given the necessity to forward flows through it. Conversely, employing lightweight models with few trainable parameters in the data plane may compromise detection performance. To tackle these challenges, we propose a collaborative ML-based intrusion detection approach. This approach facilitates cooperation between ML models deployed in the data plane and the control plane based on the confidence level of the deployed ML model in the data plane. Using this approach, a balance is achieved between attaining high detection performance and speed while reducing network load.
| Field | Value |
|---|---|
| Item type | Dissertation |
| Published | 2024 |
| Author(s) | Golchin, Pegah |
| Type of entry | First publication |
| Title | Machine Learning Models in Network Intrusion Detection Systems : Self-Supervised Detection of Malicious Flows and Traffic Patterns Recognition in Programmable Networks |
| Language | English |
| Referees | Steinmetz, Prof. Dr. Ralf; Mauthe, Prof. Dr. Andreas |
| Publication year | 15 August 2024 |
| Place | Darmstadt |
| Collation | xiv, 148 pages |
| Date of oral examination | 16 July 2024 |
| DOI | 10.26083/tuprints-00027840 |
| URL / URN | https://tuprints.ulb.tu-darmstadt.de/27840 |
| Status | Publisher's version |
| URN | urn:nbn:de:tuda-tuprints-278400 |
| Dewey Decimal Classification (DDC) | 000 General works, computer science, information science > 004 Computer science |
| Department(s) / field(s) | 18 Fachbereich Elektrotechnik und Informationstechnik; 18 Fachbereich Elektrotechnik und Informationstechnik > Institut für Datentechnik; 18 Fachbereich Elektrotechnik und Informationstechnik > Institut für Datentechnik > Multimedia Kommunikation |
| Date deposited | 15 Aug 2024 12:09 |
| Last modified | 16 Aug 2024 11:49 |