Abstract. With the rapid development of the Internet, cyber attacks have become more complex and the damage they cause has grown. Timely detection of malicious behavior on the Internet has therefore become an important security problem. This paper proposes an intrusion detection system based on deep learning, applies a bidirectional long short-term memory (BiLSTM) architecture to it, and uses the UNSW-NB15 data set for training and testing. Experimental tests show that the intrusion detection system can effectively detect known and unknown malicious network behavior under the current network environment.
1 Introduction
In recent years, with the rapid development of the Internet, cyberspace security faces more serious challenges. Among the technologies that protect network security, the malicious behavior detection system has received more and more attention as an important means of protection. A malicious behavior detection system, i.e. an intrusion detection system (IDS) [1], collects and analyzes network behavior, security logs and audit data to check whether the network or system shows violations of the security policy or signs of being attacked.
According to the detection technique, IDSs can be divided into two categories:
(a) Anomaly detection: the system learns a profile of normal behavior from observations of normal operation; when the difference between the current behavior and the normal profile exceeds a threshold, the behavior is judged to be an intrusion. (b) Feature (signature) detection: the system first collects the behavioral characteristics of known abnormal operations [10, 11]; when the current behavior matches such an abnormal pattern, it is judged to be an intrusion.
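The two categories side by side, as an added example that is not part of the paper: a z-score anomaly detector profiles constructed "known normal" flow summaries and flags anything that deviates by more than a threshold, while a signature detector matches a hand-written rule. The flow records, the baseline, the threshold of 3 and the single Xmas-scan rule are all constructed for illustration; the point is that the unsignatured burst (flow 2) is caught only by the anomaly detector, while the signature detector can name what it matched.

```python
"""Anomaly-based vs. signature-based detection on constructed flow summaries.

Added example (not the paper's code). The baseline profile, the flow records and
the single signature rule are all constructed for illustration.
"""
import math

# Constructed "known normal" flows used to learn the normal profile.
NORMAL_BASELINE = [
    {"pkts": 120, "bytes": 98000}, {"pkts": 95, "bytes": 80000},
    {"pkts": 130, "bytes": 105000}, {"pkts": 110, "bytes": 90000},
    {"pkts": 100, "bytes": 85000},
]

# Constructed flows to classify. Flow 2 is a burst nobody has written a rule for
# (an "unknown" attack); flow 4 is a textbook Xmas scan (FIN+PSH+URG, one packet).
FLOWS = [
    {"id": 1, "dport": 443, "pkts": 115, "bytes": 92000, "flags": "S"},
    {"id": 2, "dport": 22, "pkts": 4000, "bytes": 180000, "flags": "S"},
    {"id": 3, "dport": 80, "pkts": 105, "bytes": 88000, "flags": "S"},
    {"id": 4, "dport": 1, "pkts": 1, "bytes": 60, "flags": "FPU"},
]


class AnomalyDetector:
    """Category (a): learn a per-feature normal profile, then flag any record
    whose deviation (here a z-score) from the profile exceeds a threshold."""

    def __init__(self, features, threshold=3.0):
        self.features = features
        self.threshold = threshold
        self.profile = {}

    def fit(self, normal_records):
        for f in self.features:
            vals = [r[f] for r in normal_records]
            mean = sum(vals) / len(vals)
            std = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
            self.profile[f] = (mean, std if std > 0 else 1.0)  # avoid division by zero
        return self

    def score(self, record):
        """Largest absolute z-score over the profiled features."""
        return max(abs(record[f] - m) / s for f, (m, s) in self.profile.items())

    def is_intrusion(self, record):
        return self.score(record) > self.threshold


# Category (b): signatures of known abnormal behaviour. Each rule is a name and
# a predicate over the record; a match is an intrusion of that named type.
SIGNATURES = [
    ("xmas_scan", lambda r: r["flags"] == "FPU" and r["pkts"] <= 2),
]


def match_signatures(record, signatures=SIGNATURES):
    return [name for name, pred in signatures if pred(record)]


def run_detectors(flows=FLOWS, baseline=NORMAL_BASELINE):
    """Return {'signature': {id: [names]}, 'anomaly': {id: score}} for flagged flows."""
    anomaly = AnomalyDetector(["pkts", "bytes"]).fit(baseline)
    sig_hits = {f["id"]: match_signatures(f) for f in flows if match_signatures(f)}
    anom_hits = {f["id"]: round(anomaly.score(f), 2)
                 for f in flows if anomaly.is_intrusion(f)}
    return {"signature": sig_hits, "anomaly": anom_hits}


if __name__ == "__main__":
    print(run_detectors())
```

Flow 4 is reported by both detectors, flow 2 only by the anomaly detector, and flows 1 and 3 by neither; the anomaly detector's weakness is that a scan it has never seen and a legitimate but unusual transfer score the same way, which is why the two approaches are normally combined.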
2 Bi-directional LSTM
A bidirectional LSTM [5] uses a finite sequence to predict or label each element of the sequence from the context of elements in both the past and the future. It combines the outputs of two LSTMs, one processing the sequence from left to right and the other from right to left; the combined output (the two hidden states concatenated at each step) is the prediction for the given target signal. This technique has proved particularly useful.
functions. Recurrent neural networks have been widely used in speech recognition, language modeling and natural language generation (Figs. 1, 3 and Tables 1, 2, 3).
Fig. 1. A standard RNN and its unfolded form. The chain-like structure shows that an RNN is intimately related to sequences and lists; they are the most natural neural networks for this kind of data.
An RNN has a recurrent connection. Let the input sequence, the hidden vector sequence and the output vector sequence be denoted by $X$, $H$ and $O$. The input sequence is given by $X = (x_1, x_2, \ldots, x_T)$.
The RNN computes the hidden vector sequence $H = (h_1, h_2, \ldots, h_T)$ and the output vector sequence $O = (o_1, o_2, \ldots, o_T)$ for $t = 1$ to $T$ as follows:
$$o_t = W_{ho}\, h_t + b_o \tag{2}$$
Fig. 2. The basic architecture of the LSTM model, in which the four interacting layers in the middle are the core of the entire model.
(B) The information stored in the cell state consists of two parts: the sigmoid layer of the input gate decides which values to update, and a new candidate vector created by the tanh layer is added to the cell state. The old cell state is multiplied by the forget-gate output $f_t$, the new candidate information is added, and the result is the cell state update:
$$C_t = f_t \cdot C_{t-1} + i_t \cdot \tilde{C}_t \tag{6}$$
(C) The output is determined by the output gate. First, a sigmoid layer decides which parts of the cell state will be output; the cell state is then passed through tanh, and the product of these two parts is the output value.
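The gate equations of this section and the bidirectional layer of Sect. 2, written out as an added example that is not the paper's Keras model. The cell follows eq. (6) for the cell state and the standard sigmoid/tanh gating; the weights are drawn from a fixed seed instead of being trained, and the tiny sizes (3 inputs, 2 hidden units) are chosen so the arithmetic can be followed by hand. `future_context_demo` is an assumed helper that shows the property the paper relies on: at step 1 the forward half of the output only knows step 1, while the backward half already reflects step 3.

```python
"""A minimal LSTM cell and a bidirectional layer built from two of them.

Added example, not the paper's Keras model: the gate equations follow Sect. 2
(eq. (6) for the cell state); weights are random from a fixed seed instead of
trained, and the sizes are tiny so the arithmetic is easy to follow.
"""
import math
import random


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def matvec(W, v):
    return [sum(w * x for w, x in zip(row, v)) for row in W]


class LSTMCell:
    """One LSTM cell. With z_t = [h_{t-1}, x_t]:
        f_t  = sigma(W_f z_t + b_f)     forget gate
        i_t  = sigma(W_i z_t + b_i)     input gate
        C~_t = tanh(W_C z_t + b_C)      candidate values
        C_t  = f_t * C_{t-1} + i_t * C~_t          (eq. 6)
        o_t  = sigma(W_o z_t + b_o)     output gate
        h_t  = o_t * tanh(C_t)
    """

    def __init__(self, input_size, hidden_size, seed=0):
        rng = random.Random(seed)
        self.n = hidden_size
        k = input_size + hidden_size
        self.W = {g: [[rng.uniform(-0.5, 0.5) for _ in range(k)]
                      for _ in range(hidden_size)] for g in "fico"}
        self.b = {g: [0.0] * hidden_size for g in "fico"}
        self.b["f"] = [1.0] * hidden_size  # bias the forget gate open at start

    def _gate(self, g, z, act):
        return [act(a + b) for a, b in zip(matvec(self.W[g], z), self.b[g])]

    def step(self, x, h_prev, c_prev):
        z = list(h_prev) + list(x)
        f = self._gate("f", z, sigmoid)
        i = self._gate("i", z, sigmoid)
        c_tilde = self._gate("c", z, math.tanh)
        c = [ft * cp + it * ct for ft, cp, it, ct in zip(f, c_prev, i, c_tilde)]  # eq. (6)
        o = self._gate("o", z, sigmoid)
        h = [ot * math.tanh(ct) for ot, ct in zip(o, c)]
        return h, c

    def run(self, seq):
        """Return h_1..h_T for a sequence of input vectors."""
        h, c, outs = [0.0] * self.n, [0.0] * self.n, []
        for x in seq:
            h, c = self.step(x, h, c)
            outs.append(h)
        return outs


def bilstm(seq, fwd, bwd):
    """Bidirectional layer: fwd reads x_1..x_T, bwd reads x_T..x_1, and the
    output at step t is the concatenation [h_fwd_t, h_bwd_t]."""
    h_fwd = fwd.run(seq)
    h_bwd = bwd.run(seq[::-1])[::-1]  # put backward outputs back in time order
    return [a + b for a, b in zip(h_fwd, h_bwd)]


def future_context_demo():
    """Two 3-step sequences that agree on steps 1-2 and differ at step 3: the
    forward half of the output at step 1 is identical for both, the backward
    half differs, because only the backward cell has seen step 3."""
    fwd, bwd = LSTMCell(3, 2, seed=1), LSTMCell(3, 2, seed=2)
    seq_a = [[0.1, 0.2, 0.3], [0.4, 0.5, 0.6], [0.7, 0.8, 0.9]]
    seq_b = seq_a[:2] + [[-0.9, -0.8, -0.7]]  # constructed inputs
    return bilstm(seq_a, fwd, bwd), bilstm(seq_b, fwd, bwd)


if __name__ == "__main__":
    out_a, out_b = future_context_demo()
    for t, (ha, hb) in enumerate(zip(out_a, out_b), 1):
        print(t, [round(v, 4) for v in ha], [round(v, 4) for v in hb])
```

For an IDS this is the practical consequence of the architecture: a record's classification can depend on flows that arrive after it, so a bidirectional model is only usable where a window of subsequent traffic is available before a verdict is needed, not for strictly per-packet inline decisions.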
In the field of network intrusion detection, the KDD99 data set [6] is the de facto benchmark and laid the foundation for the study of machine-learning-based network intrusion detection. However, KDD99 was created in 1998; the experimental conditions and attack methods of that time are outdated, and attacks have since moved from the network layer to the application layer (cross-site scripting, cross-site request forgery, clickjacking, etc.), so the data set does not reflect modern network traffic.
To address this problem, Nour Moustafa and Jill Slay created the UNSW-NB15 data set in 2015 [7, 8]. It reflects modern network traffic patterns and contains many low-footprint intrusions and deeply structured network traffic information. UNSW-NB15 was generated from approximately 100 GB of raw network traffic captured in the Cyber Range Lab of the Australian Centre for Cyber Security (ACCS). The data set contains real modern normal activities and a comprehensive set of contemporary attacks. It has 49 features and 2,540,044 records, comprising normal records and nine attack types: Fuzzers, Analysis, Backdoors, DoS, Exploits, Generic, Reconnaissance, Shellcode and Worms. A partition of the data set into a training set and a test set contains 175,341 and 82,332 records respectively.
The attack types in the UNSW-NB15 data set fall into nine categories, as follows:
(1) Fuzzers: the attacker attempts to find security vulnerabilities in an application, operating system or network by feeding it large amounts of random input data in order to make it crash.
(2) Analysis: a variety of intrusions that penetrate web applications through ports (e.g., port scanning), e-mail (e.g., spam) and web scripts (e.g., HTML files).
(3) Backdoor: a technique that bypasses the normal authentication mechanism to gain unauthorized remote access to a particular device, locating plain-text entry points while attempting to remain undetected.
(4) DoS: an intrusion that exhausts computer resources, such as memory, with excessive traffic so that authorized requests are prevented from accessing the device.
(5) Exploit: a sequence of instructions that takes advantage of a glitch, vulnerability or bug to cause unintended or unanticipated behavior on a host or network.
(6) Generic: a technique that works against every block cipher of a given block and key size, for example by using a hash function built from it to cause a collision, without regard to the internal structure of the block cipher.
(7) Reconnaissance: an attack that gathers information about a computer network in order to evade its security controls.
(8) Shellcode: malware in which the attacker inserts a small piece of code, starting from a shell, to control the compromised machine.
(9) Worm: the attacker replicates the attack so that it spreads to other computers; typically it uses the computer network to propagate itself, relying on security failures on the target computer to gain access.
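Before any of the above can be fed to an LSTM, the records have to become fixed-length numeric vectors and the ten-way target (Normal plus the nine categories) has to be encoded. The following is an added example, not the paper's preprocessing: it uses a handful of the columns of the UNSW-NB15 CSV release (`dur`, `proto`, `service`, `state`, `spkts`, `dpkts`, `sbytes`, `dbytes`, `sttl`, `dttl`, `attack_cat`, `label`), but the rows themselves are constructed and are not real data set records. The encoder fits its category vocabularies and min/max ranges on the training rows only and maps anything unseen at test time to an explicit unknown bucket, which is the leakage-free way to handle the "unknown behavior" the paper sets out to detect; `make_windows` is an assumed helper that slices time-ordered records into the sequences a BiLSTM consumes.

```python
"""Encode UNSW-NB15-style flow records for a sequence classifier.

Added example, not the paper's code. Column names follow the CSV release of
the data set; the rows below are constructed and use only a few of the 49
columns.
"""
import csv
import io

# Normal plus the nine attack categories of Sect. 3; index = class id.
ATTACK_CATS = ["Normal", "Fuzzers", "Analysis", "Backdoor", "DoS", "Exploits",
               "Generic", "Reconnaissance", "Shellcode", "Worms"]
# Released files vary in spelling/whitespace of attack_cat; normalise them.
_CAT_ALIASES = {"backdoors": "Backdoor", "normal": "Normal"}
CATEGORICAL = ["proto", "service", "state"]
NUMERIC = ["dur", "spkts", "dpkts", "sbytes", "dbytes", "sttl", "dttl"]
UNK = "<unk>"

# Constructed rows in the layout of the CSV release (not real records).
TRAIN_CSV = """dur,proto,service,state,spkts,dpkts,sbytes,dbytes,sttl,dttl,attack_cat,label
0.121478,tcp,-,FIN,6,4,258,172,254,252,Normal,0
0.649902,tcp,http,FIN,14,38,734,42014,62,252,Normal,0
0.000011,udp,dns,INT,2,0,114,0,254,0,Generic,1
1.207530,tcp,-,CON,10,6,534,268,254,252,Exploits,1
0.000003,udp,-,INT,2,0,200,0,254,0,Fuzzers,1
"""
TEST_CSV = """dur,proto,service,state,spkts,dpkts,sbytes,dbytes,sttl,dttl,attack_cat,label
0.3,tcp,ftp,FIN,8,8,300,400,254,252,Normal,0
0.000005,sctp,-,INT,2,0,150,0,254,0,Reconnaissance,1
"""


def canonical_category(raw):
    s = raw.strip()
    s = _CAT_ALIASES.get(s.lower(), s)
    if s not in ATTACK_CATS:
        raise ValueError("unknown attack_cat: %r" % raw)
    return s


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


class FlowEncoder:
    """One-hot categoricals (with an unknown bucket) + min-max scaled numerics.
    Fit on training rows only so test-time values never leak into the scaling."""

    def fit(self, rows):
        self.vocab = {col: sorted({r[col].strip() for r in rows}) + [UNK]
                      for col in CATEGORICAL}
        self.ranges = {}
        for col in NUMERIC:
            vals = [float(r[col]) for r in rows]
            lo, hi = min(vals), max(vals)
            self.ranges[col] = (lo, hi if hi > lo else lo + 1.0)  # constant column guard
        return self

    def n_features(self):
        return len(NUMERIC) + sum(len(v) for v in self.vocab.values())

    def transform(self, row):
        vec = []
        for col in NUMERIC:
            lo, hi = self.ranges[col]
            vec.append(min(1.0, max(0.0, (float(row[col]) - lo) / (hi - lo))))
        for col in CATEGORICAL:
            vocab = self.vocab[col]
            val = row[col].strip()
            idx = vocab.index(val) if val in vocab else len(vocab) - 1  # unseen -> <unk>
            vec.extend(1.0 if i == idx else 0.0 for i in range(len(vocab)))
        return vec

    def label(self, row):
        return ATTACK_CATS.index(canonical_category(row["attack_cat"]))


def make_windows(vectors, labels, window):
    """Slice time-ordered flow vectors into overlapping windows of `window`
    consecutive records; the target of a window is the label of its last record."""
    return [(vectors[i:i + window], labels[i + window - 1])
            for i in range(len(vectors) - window + 1)]


if __name__ == "__main__":
    train, test = load_rows(TRAIN_CSV), load_rows(TEST_CSV)
    enc = FlowEncoder().fit(train)
    print("features per record:", enc.n_features())
    for r in test:
        print(enc.label(r), [round(v, 3) for v in enc.transform(r)])
```

The ordering matters: the released training/test split is not time-ordered per host, so windows built naively across the file mix unrelated connections; a deployment would group by source host or flow key before windowing, and the `<unk>` bucket must be monitored, because a surge of unknown `proto` or `service` values is itself a signal the model has drifted away from its training distribution.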
Network Malicious Behavior Detection Using Bidirectional LSTM
4 The Experiment
4.1 Experimental Environment
The experimental environment adopted in this paper is as follows:
CPU: Intel(R) Core(TM) i7-6700HQ 2.60 GHz
Memory: 4 GB
GPU: GTX 960M
Operating system: Windows 10
Machine learning framework: TensorFlow 1.3 + Keras 2.1
5 Conclusion
References
1. Rowland, C.H.: Intrusion Detection System. US, US6405318 (2002)
2. Hochreiter, S., Schmidhuber, J.: Long short-term memory. Neural Comput. 9(8), 1735–1780
(1997)
3. Staudemeyer, R.C.: Applying long short-term memory recurrent neural networks to intrusion
detection. S. Afr. Comput. J. 56(1), 136–154 (2015)
4. Kim, J., et al.: Long short term memory recurrent neural network classifier for intrusion
detection. In: International Conference on Platform Technology and Service IEEE, pp. 1–5
(2016)
5. Graves, A., Schmidhuber, J.: Framewise phoneme classification with bidirectional LSTM
and other neural network architectures. Neural Netw. 18(5), 602–610 (2005)
6. Stolfo, S.J.: KDD Cup 1999 Dataset (1999)
7. Moustafa, N., Slay, J.: UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set). In: Military Communications and Information Systems Conference (MilCIS), IEEE (2015)
8. Moustafa, N., Slay, J.: The evaluation of network anomaly detection systems: statistical
analysis of the UNSW-NB15 data set and the comparison with the KDD99 data set. Inf.
Secur. J. Glob. Perspect. 25, 1–14 (2016)
9. Olah, C.: Understanding LSTM Networks (2015). http://colah.github.io/posts/2015-08-
Understanding-LSTMs/
10. Denning, D.E.: An intrusion-detection model. IEEE Trans. Softw. Eng. SE-13(2), 222–232 (1987)
11. Lee, W., Stolfo, S.J., Mok, K.W.: A data mining framework for building intrusion detection
models. In: Proceedings of the 1999 IEEE Symposium on Security and Privacy, p. 0120
(1999)
12. Ryan, J., Lin, M.J., Miikkulainen, R.: Intrusion detection with neural networks. Adv. Neural Inf. Process. Syst. 28(10), 915 (1998)
13. Gers, F., Schmidhuber, J., Cummins, F.: Learning to forget: continual prediction with
LSTM. Neural Comput. 12(10), 2451–2471 (2000)