A Multiple-Layer Representation Learning Model for Network-Based Attack Detection

Xueqin Zhang; Jiahao Chen; Yue Zhou; Liangxiu Han; Jiajun Lin

doi:10.1109/ACCESS.2019.2927465

IEEE Access (Jan 2019)

A Multiple-Layer Representation Learning Model for Network-Based Attack Detection

Xueqin Zhang,
Jiahao Chen,
Yue Zhou,
Liangxiu Han,
Jiajun Lin

Affiliations

Xueqin Zhang: College of Information Science and Engineering, East China University of Science and Technology, Shanghai, China
Jiahao Chen: ORCiD; College of Information Science and Engineering, East China University of Science and Technology, Shanghai, China
Yue Zhou: College of Information Science and Engineering, East China University of Science and Technology, Shanghai, China
Liangxiu Han: ORCiD; School of Computing, Mathematics and Digital Technology, Manchester Metropolitan University, Manchester, U.K.
Jiajun Lin: College of Information Science and Engineering, East China University of Science and Technology, Shanghai, China

DOI: https://doi.org/10.1109/ACCESS.2019.2927465
Journal volume & issue: Vol. 7
pp. 91992 – 92008

Abstract

Read online

Accurate detection of network-based attacks is crucial to prevent security breaches of information systems. The recent application of deep learning approaches for network intrusion detection has shown promising. However, the challenges remain on how to deal with imbalance data and small samples as well as reducing false alarm rate (FAR). To address these issues, this work has proposed a multiple-layer representation learning model for accurate end-to-end network intrusion detection by combining deep convolutional neural networks (CNN) with gcForest. The contributions of this work lie in 1) a new data encoding scheme based on P-Zigzag to encode network traffic data into two-dimensional gray-scale images for representation learning without loss of original information; 2) The combination of gcForest and CNN allows accurate detection on imbalanced data and small scale data with fewer hyperparamters comparing to most existing deep learning models, which increase computational efficiency. The proposed approach is based on a multiple-layer approach consisting of a coarse layer and a fine layer, in which the coarse layer with the improved CNN model (GoogLeNetNP) focuses on identification of N abnormal classes and a normal class. While in the fine layer, an improved model based on gcForest (caXGBoost) further classifies the abnormal classes into N-1 subclasses. This ensures fine-grained detection of various attacks. The proposed framework has been compared with the existing deep learning models using three real datasets (a new dataset NBC, a combination of UNSW-NB15 and CICIDS2017 consisting of 101 classes). The experimental results show that our proposed method outperforms other single deep learning methods (i.e., AlexNet, VGG19, GoogleNet, InceptionV3, ResNet18) in terms of accuracy, detection rate, and FAR, which demonstrates its effectiveness in detecting fine-grained attacks and handling imbalanced datasets with high-precision and low FAR.

Published in IEEE Access

ISSN: 2169-3536 (Online)
Publisher: IEEE
Country of publisher: United States
LCC subjects: Technology: Electrical engineering. Electronics. Nuclear engineering
Website: https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=6287639

About the journal

Abstract

Keywords