On learning effective ensembles of deep neural networks for intrusion detection
Information Fusion (IF 18.6), Pub Date: 2021-02-12, DOI: 10.1016/j.inffus.2021.02.007
F. Folino, G. Folino, M. Guarascio, F.S. Pisani, L. Pontieri

Classification-oriented Machine Learning methods are a precious tool in modern Intrusion Detection Systems (IDSs) for discriminating between suspected intrusion attacks and normal behaviors. Many recent proposals in this field leveraged Deep Neural Network (DNN) methods, capable of learning effective hierarchical data representations automatically. However, many of these solutions were validated on data featuring stationary distributions and/or large amounts of training examples. By contrast, in real IDS applications different kinds of attack tend to occur over time, and only a small fraction of the data instances is labeled (usually with far fewer examples of attacks than of normal behavior). A novel ensemble-based Deep Learning framework is proposed here that tries to face the challenging issues above. Basically, the non-stationary nature of IDS log data is faced by maintaining an ensemble consisting of a number of specialized base DNN classifiers, trained on disjoint chunks of the data instances’ stream, plus a combiner model (reasoning on both the base classifiers' predictions and original instance features). In order to learn deep base classifiers effectively from small training samples, an ad-hoc shared DNN architecture is adopted, featuring a combination of dropout capabilities and skip-connections, along with a cost-sensitive loss (for dealing with unbalanced data). Test results, obtained on two benchmark IDS datasets and involving several competitors, confirmed the effectiveness of our proposal (in terms of both classification accuracy and robustness to data scarcity), and allowed us to evaluate different ensemble combination schemes.




Updated: 2021-02-18