
A context-aware robust intrusion detection system: a reinforcement learning-based approach

Regular contribution. International Journal of Information Security.

Abstract

Detecting and preventing intrusions in enterprise networks and systems is an important but challenging problem, because networks keep growing in size and usage and constantly face novel attacks. An intrusion detection system (IDS) monitors network traffic and system-level applications to detect malicious activity in the network. However, most existing IDSs are unable to provide both high accuracy and a low false positive rate (FPR). There is therefore a need for adaptive network intrusion detection techniques that maintain a balance between accuracy and FPR. In this paper, we present a context-adaptive IDS that uses multiple independent deep reinforcement learning agents distributed across the network to accurately detect and classify new and complex attacks. We have carried out extensive experiments on our model with three benchmark datasets, NSL-KDD, UNSW-NB15 and AWID, which show better accuracy and a lower FPR than state-of-the-art systems. Further, we analysed the robustness of our model against adversarial attacks and observed only a small decrease in accuracy compared to existing models. To further improve the robustness of the system, we incorporated a denoising autoencoder. We have also shown the usability of our system in a real-life application where the attack pattern changes.


Notes

  1. It is a Python library for generating adversarial samples.

  2. Each component of a classification vector indicates the classification result of a classifier.

  3. The sample represents a feature vector in our dataset.

  4. NumPy is a Python library that supports large, multidimensional arrays and matrices.


Corresponding author

Correspondence to Kamalakanta Sethi.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.


Cite this article

Sethi, K., Sai Rupesh, E., Kumar, R. et al. A context-aware robust intrusion detection system: a reinforcement learning-based approach. Int. J. Inf. Secur. 19, 657–678 (2020). https://doi.org/10.1007/s10207-019-00482-7
