Skip to main content
SpringerLink
Log in

Multi-layer perceptron for network intrusion detection

From a study on two recent data sets to deployment on automotive processor

  • Published:
Annals of Telecommunications Aims and scope Submit manuscript

Abstract

The Internet connection is becoming ubiquitous in embedded systems, making them potential victims of intrusion. Although gaining popularity in recent years, deep learning based intrusion detection systems tend to produce worse results than those using traditional machine learning algorithms. On the contrary, we propose an end-to-end methodology allowing a neural network to outperform traditional machine learning algorithms. We demonstrate high performance score on CIC-IDS2017 data set, showing an accuracy greater than 99% and a false positive rate lower than 0.5%. Our results are compared to traditional machine learning algorithms and previous studies. Then, we show that our approach can be successfully applied to CSE-CIC-IDS2018 data set, confirming that neural network can reach better scores than other machine learning algorithms. Our performance is compared to previous work on this data set. We further deployed our solution on a system-on-chip for automotive, allowing to characterize real-time performance aspect on an embedded system, both for feature extraction and inference. Finally, a discussion opens up on problems related to some attacks that are particularly difficult to detect with flow-based techniques and weaknesses found in the data sets.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6

Similar content being viewed by others

References

  1. CicFlowMeter (2021) A network traffic Biflow generator and analyzer (Formerly ISCXFlowMeter). https://www.unb.ca/cic/research/applications.html (Accessed Mar 6)

  2. Cse-cic-ids2018 on aws, a collaborative project between the communications security establishment (cse) & the canadian institute for cybersecurity (cic). https://www.unb.ca/cic/datasets/ids-2018.html. (Accessed Mar 6, 2021)

  3. Kali linux, the most advanced penetration testing distribution. https://www.kali.org/. (Accessed Mar 6, 2021)

  4. Owasp top ten 2017. https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/. (Accessed Mar 6, 2021)

  5. A realistic cyber defense dataset (cse-cic-ids2018) - registry of open data on aws. https://registry.opendata.aws/cse-cic-ids2018/. (Accessed Mar 6, 2021)

  6. Bergstra J, Bengio Y (2012) Random search for hyper-parameter optimization. J Mach Learn Res 13:281–305

    MathSciNet  MATH  Google Scholar 

  7. Bošnjak L, Sreš J, Brumen B (2018) Brute-force and dictionary attack on hashed real-world passwords. In: 41st International convention on information and communication technology, electronics and microelectronics (MIPRO), pp 1161–1166. https://doi.org/10.23919/MIPRO.2018.8400211

  8. Bul’ajoul W, James A, Pannu M (2015) Improving network intrusion detection system performance through quality of service configuration and parallel technology. J Comput Syst Sci 81(6):981–999. https://doi.org/10.1016/j.jcss.2014.12.012. Special Issue on Optimisation, Security, Privacy and Trust in E-business Systems

    Article  Google Scholar 

  9. Chawla NV, Bowyer KW, Hall LO, Kegelmeyer WP (2002) SMOTE: Synthetic minority over-sampling technique. J Artif Intell Res 16:321–357

    Article  Google Scholar 

  10. Chicco D, Tötsch N., Jurman G (2021) The matthews correlation coefficient (mcc) is more reliable than balanced accuracy, bookmaker informedness, and markedness in two-class confusion matrix evaluation. BioData Mining 14(1):13. https://doi.org/10.1186/s13040-021-00244-z

    Article  Google Scholar 

  11. Derbyshire R, Green B, Prince D, Mauthe A, Hutchison D (2018) An analysis of cyber security attack taxonomies. In: IEEE European symposium on security and privacy workshops (EuroS PW), pp 153–161. https://doi.org/10.1109/EuroSPW.2018.00028

  12. Dhanabal L, Shantharajah DSP (2015) A Study on NSL-KDD dataset for intrusion detection system based on classification algorithms. In: International journal of advanced research in computer and communication engineering, vol 4, pp 446–452. https://doi.org/10.17148/IJARCCE.2015.4696

  13. Draper-Gil G, Lashkari AH, Mamun MSI, Ghorbani AA (2016) Characterization of encrypted and vpn traffic using time-related features. In: Proceedings of the 2nd International conference on information systems security and privacy (ICISSP), vol 1, pp 407–414. INSTICC, SciTePress. https://doi.org/10.5220/0005740704070414

  14. Durumeric Z, Li F, Kasten J, Amann J, Beekman J, Payer M, Weaver N, Adrian D, Paxson V, Bailey M, Halderman JA (2014) The matter of heartbleed. In: Proceedings of the 2014 conference on internet measurement conference, IMC ’14, p 475–488. association for computing machinery. https://doi.org/10.1145/2663716.2663755

  15. Eslahi M, Salleh R, Anuar NB (2012) Bots and botnets: An overview of characteristics, detection and challenges. In: IEEE International conference on control system, computing and engineering, pp 349–354. https://doi.org/10.1109/ICCSCE.2012.6487169

  16. Ferrag MA, Maglaras L (2019) Deliverycoin: An ids and blockchain-based delivery framework for drone-delivered services. Computers 8(3). https://doi.org/10.3390/computers8030058

  17. Fonseca J, Vieira M, Madeira H (2009) Vulnerability attack injection for web applications. In: IEEE/IFIP International conference on dependable systems networks, pp 93–102. https://doi.org/10.1109/DSN.2009.5270349

  18. Gamage S, Samarabandu J (2020) Deep learning methods in network intrusion detection: A survey and an objective comparison. J Netw Comput Appl 169(102):767. https://doi.org/10.1016/j.jnca.2020.102767

  19. Garg A, Maheshwari P (2016) Performance analysis of snort-based intrusion detection system. In: 3rd International conference on advanced computing and communication systems (ICACCS), vol 01, pp 1–5. https://doi.org/10.1109/ICACCS.2016.7586351

  20. Géron A (2019) Hands-on machine learning with scikit-learn, Keras, and TensorFlow: concepts, tools, and techniques to build intelligent systems. O’Reilly Media

  21. Goodfellow I, Bengio Y, Courville A (2016) Deep Learning. MIT Press, Cambridge

  22. Hornik K (1991) Approximation capabilities of multilayer feedforward networks. Neural Netw 4 (2):251–257. https://doi.org/10.1016/0893-6080(91)90009-T

    Article  MathSciNet  Google Scholar 

  23. Hua Y (2020) An efficient traffic classification scheme using embedded feature selection and lightgbm. In: Information communication technologies conference (ICTC), pp 125–130. https://doi.org/10.1109/ICTC49638.2020.9123302

  24. Jiang J, Yu Q, Yu M, Li G, Chen J, Liu K, Liu C, Huang W (2018) ALDD: A Hybrid Traffic-User Behavior Detection Method for Application Layer DDoS. In: 17th IEEE International conference on trust, security and privacy in computing and communications/ 12th IEEE international conference on big data science and engineering (TrustCom/BigDataSE), pp 1565–1569. https://doi.org/10.1109/TrustCom/BigDataSE.2018.00225

  25. Karatas G, Demir O, Sahingoz OK (2020) Increasing the performance of machine learning-based idss on an imbalanced and up-to-date dataset. IEEE Access 8:32,150–32,162. https://doi.org/10.1109/ACCESS.2020.2973219

  26. Kim J, Shin Y, Choi E (2019) An intrusion detection model based on a convolutional neural network. J Multimed Inf Syst 6(4):165–172. https://doi.org/10.33851/JMIS.2019.6.4.165

    Article  Google Scholar 

  27. Kingma DP, Ba J (2015) Adam: A method for stochastic optimization. 3rd international conference for learning representations

  28. Kjaerland M (2006) A taxonomy and comparison of computer security incidents from the commercial and government sectors. Comput Secur 25(7):522–538. https://doi.org/10.1016/j.cose.2006.08.004

    Article  Google Scholar 

  29. Klambauer G, Unterthiner T, Mayr A, Hochreiter S (2017) Self-normalizing neural networks. In: Advances in neural information processing systems, pp. 971–980

  30. Lai J, Wu J, Chen S, Wu C, Yang C (2008) Designing a taxonomy of web attacks. In: International conference on convergence and hybrid information technology (ICHIT), pp. 278–282. IEEE Computer Society. https://doi.org/10.1109/ICHIT.2008.280

  31. Lashkari AH, Gil GD, Mamun MSI, Ghorbani AA (2017) Characterization of tor traffic using time based features. In: Proceedings of the 3rd International conference on information systems security and privacy - Volume 1: ICISSP, p. 253–262. SciTePress. https://doi.org/10.5220/0006105602530262

  32. Lee W, Stolfo SJ, Mok KW (1999) Mining in a data-flow environment: Experience in network intrusion detection. In: Proceedings of the Fifth ACM SIGKDD international conference on knowledge discovery and data mining, KDD ’99, pp 114–124. ACM, New York, NY, USA. https://doi.org/10.1145/312129.312212

  33. Leevy JL, Khoshgoftaar TM (2020) A survey and analysis of intrusion detection models based on cse-cic-ids2018 big data. J Big Data 7(1):104. https://doi.org/10.1186/s40537-020-00382-x

  34. M Devendra Prasad Prasanta Babu V CA (2019) Machine learning ddos detection using stochastic gradient boosting. Int J Comput Sci Eng 7:157–166. https://doi.org/10.26438/ijcse/v7i4.157166

  35. Maniriho P, Ahmad T (2018) Analyzing the performance of machine learning algorithms in anomaly network intrusion detection systems. In: 4th International conference on science and technology (ICST), pp 1–6. https://doi.org/10.1109/ICSTC.2018.8528645

  36. Matthews B (1975) Comparison of the predicted and observed secondary structure of T4 phage lysozyme. Biochimica et Biophysica Acta (BBA) - Protein Structure 405(2):442–451. https://doi.org/10.1016/0005-2795(75)90109-9

  37. McHugh J (2000) Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations As Performed by Lincoln Laboratory. ACM Trans Inf Syst Secur 3 (4):262–294. https://doi.org/10.1145/382912.382923

    Article  Google Scholar 

  38. Gao M, Zhang K, Jiahua L (2006) Efficient packet matching for gigabit network intrusion detection using tcams. In: 20th International conference on advanced information networking and applications - Volume 1 (AINA’06), vol. 2, pp. 6 pp.–254. https://doi.org/10.1109/AINA.2006.164

  39. Moustafa N, Slay J (2015) UNSW-NB15: A comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set). In: Military communications and information systems conference (MilCIS), pp 1–6. https://doi.org/10.1109/MilCIS.2015.7348942

  40. Moustafa N, Slay J (2016) The evaluation of network anomaly detection systems: Statistical analysis of the unsw-nb15 data set and the comparison with the kdd99 data set. Inf Sec J A Global Perspective 25 (1-3):18–31. https://doi.org/10.1080/19393555.2015.1125974

  41. Parliament E (2015) Regulation (EU) 2015/758 of the European Parliament and of the Council of 29 April 2015 concerning type-approval requirements for the deployment of the eCall in-vehicle system based on the 112 service and amending Directive 2007/46/EC. Official Journal of the European Union

  42. Patel P, Langin C, Yu F, Rahimi S (2012) Network intrusion detection types and computation. In: International journal of computer science and information security, vol 10, pp 14–21

  43. Paxson V (1999) Bro: a system for detecting network intruders in real-time. Comput Netw 31 (23):2435–2463. https://doi.org/10.1016/S1389-1286(99)00112-7

    Article  Google Scholar 

  44. Riyaz B, Ganapathy S (2018) An intelligent fuzzy rule based feature selection for effective intrusion detection. In: International conference on recent trends in advance computing (ICRTAC), pp 206–211. https://doi.org/10.1109/ICRTAC.2018.8679328

  45. Roesch M (1999) Snort - lightweight intrusion detection for networks. In: Proceedings of the 13th USENIX Conference on System Administration, LISA ’99, 229–238, USENIX Association, USA. https://doi.org/10.5555/1039834.1039864

  46. Rosay A, Carlier F, Leroux P (2020) Mlp4nids: An efficient mlp-based network intrusion detection for cicids2017 dataset. In: Boumerdassi S, Renault É, Mühlethaler P (eds) Machine learning for networking, pp 240–254. Springer International Publishing. https://doi.org/10.1007/978-3-030-45778-5_16

  47. Shah M, Ahmed S, Saeed K, Junaid M, Khan H, ur rehman A (2019) Penetration testing active reconnaissance phase – optimized port scanning with nmap tool. In: 2nd International conference on computing, mathematics and engineering technologies (iCoMET), pp 1–6. https://doi.org/10.1109/ICOMET.2019.8673520

  48. Sharafaldin I, Lashkari AH, Ghorbani AA (2018) Toward generating a new intrusion detection dataset and intrusion traffic characterization. In: Proceedings of the 4th international conference on information systems security and privacy (ICISSP), vol 1, pp 108–116. SciTePress. https://doi.org/10.5220/0006639801080116

  49. Shone N, Ngoc TN, Phai VD, Shi Q (2018) A deep learning approach to network intrusion detection. IEEE Trans Emerg Topics Comput Intell 2(1):41–50. https://doi.org/10.1109/TETCI.2017.2772792

  50. Shorey T, Subbaiah D, Goyal A, Sakxena A, Mishra AK (2018) Performance comparison and analysis of slowloris, goldeneye and xerxes ddos attack tools. In: International conference on advances in computing, communications and informatics (ICACCI), pp 318–322. https://doi.org/10.1109/ICACCI.2018.8554590

  51. Simmons CB, Ellis C, Shiva S, Dasgupta D, Wu Q (2009) Avoidit: A cyber attack taxonomy CTIT technical reports series

  52. Tang TA, Mhamdi L, McLernon D, Zaidi SAR, Ghogho M (2016) Deep learning approach for network intrusion detection in software defined networking. In: International conference on wireless networks and mobile communications (WINCOM), pp. 258–263. https://doi.org/10.1109/WINCOM.2016.7777224

  53. Tavallaee M, Bagheri E, Lu W, Ghorbani AA (2009) A detailed analysis of the KDD CUP 99 data set. In: IEEE Symposium on computational intelligence for security and defense applications, pp. 1–6. https://doi.org/10.1109/CISDA.2009.5356528

  54. Ullah I, Mahmoud QH (2019) A two-level hybrid model for anomalous activity detection in IoT networks. In: 16th IEEE annual consumer communications networking conference (CCNC), pp 1–6. https://doi.org/10.1109/CCNC.2019.8651782

  55. Ustebay S, Turgut Z, Aydin MA (2018) Intrusion detection system with recursive feature elimination by using random forest and deep learning classifier. In: International congress on big data, deep learning and fighting cyber terrorism (IBIGDELFT), pp 71–76. https://doi.org/10.1109/IBIGDELFT.2018.8625318

  56. Valluri V, Harika N, Shreya MV (2018) Exposure of sql injection in packet stream. International Journal of Engineering and Computer Science 5(11):19155–19158

    Google Scholar 

  57. Wolpert DH (1996) The lack of a priori distinctions between learning algorithms. Neural Comput 8(7):1341–1390. https://doi.org/10.1162/neco.1996.8.7.1341

    Article  Google Scholar 

  58. Zyad E, Taha A, Mohammed B (2019) Improve R2L attack detection using trimmed PCA. In: International conference on advanced communication technologies and networking (CommNet), pp 1–5. https://doi.org/10.1109/COMMNET.2019.8742361

Download references

Author information

Authors and Affiliations

  1. STMicroelectronics, 11 rue Pierre-Félix Delarue, 72100, Le Mans, France

    Arnaud Rosay

  2. Polytech Nantes, rue Christian Pauc, 44300, Nantes, France

    Kévin Riou

  3. CREN, Le Mans University, Avenue Olivier Messiaen, 72085, Le Mans, France

    Florent Carlier & Pascal Leroux

Authors
  1. Arnaud Rosay
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Kévin Riou
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Florent Carlier
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Pascal Leroux
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Arnaud Rosay.

Additional information

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Rosay, A., Riou, K., Carlier, F. et al. Multi-layer perceptron for network intrusion detection. Ann. Telecommun. 77, 371–394 (2022). https://doi.org/10.1007/s12243-021-00852-0

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s12243-021-00852-0

Keywords

Search

Navigation