Professional Documents
Culture Documents
978-1-5386-0595-0/17/$31.00
Authorized licensed ©2017
use limited to: INDIAN INSTITUTE OFIEEE 17 Downloaded on April 27,2023 at 12:15:26 UTC from IEEE Xplore. Restrictions apply.
INFORMATION TECHNOLOGY.
Milcom 2017 Track 3 - Cyber Security and Trusted Computing
18 Downloaded on April 27,2023 at 12:15:26 UTC from IEEE Xplore. Restrictions apply.
Authorized licensed use limited to: INDIAN INSTITUTE OF INFORMATION TECHNOLOGY.
Milcom 2017 Track 3 - Cyber Security and Trusted Computing
and (3) Supervised classication. In the rst stage, features where (∗, ∗) is a distortion function that evaluates the
are extracted from the raw network trace data with statistic difference between the original data and projected data.
calculation of the network ow. Second, a good new feature D(VS , VT ) denotes the difference between the projected data
representation is learned from both source and target domain of the source and target domain. β is a trade-off parameter
via the feature-based transfer learning algorithms. The new which controls the similarity between the two datasets.
representation will be feed to a common base classier. The Thus, the rst two elements of (1) ensures the projected
choice of a common base classier here can be decision trees, data preserve the structures of the original data as much as
random forest trees, SVM, KNN or Naive Bayes. The classier possible. We dene (∗, ∗) as follows:
trained on known samples of one category can detect the new
samples from another different category. (VS , S) = S − VS PS 2 , (VT , T ) = T − VT PT 2 , (2)
where VS and VT are achieved by a linear transformations
IV. T RANSFER LEARNING APPROACH VIA SPECTRAL
with linear mapping matrices denoted as PS ∈ Rk×m and
TRANSFORMATION
PT ∈ Rk×n to the source and target respectively. X2
Problem formulation: We model the network attack de- is the Frobenius norm which can also be expressed as ma-
tection as a binary classication problem, which is to classify trix trace norm. In a different view, PST ∈ Rm×k and
19 Downloaded on April 27,2023 at 12:15:26 UTC from IEEE Xplore. Restrictions apply.
Authorized licensed use limited to: INDIAN INSTITUTE OF INFORMATION TECHNOLOGY.
Milcom 2017 Track 3 - Cyber Security and Trusted Computing
PTT ∈ Rn×k project the original data S and T into a k- Algorithm 1: Heterogeneous Transfer Learning via Spec-
dimensional space where the projected data are comparable tral Transformation
((VS , S) = SPS T − VS 2 ). But in this case, this will lead Input: T, S, β, k, learning rates α, steps = 1000
to a trivial solution PS = 0, VS = 0. We thus apply (2). It can Output: VT , VS
be viewed as a Matrix Factorization, which is widely known 1 Normalize T, S Initialize: VT , VS , PT , PS , step
as an effective tool to extract latent subspaces while preserving 2 while Optimized Function 4 not converge or step < steps
the original datas structures. do
We dene D(VS , VT ) in terms of l(∗, ∗) as: 3 Update VT by gradient descent with Eq. (5),
∂G
VT = VT − α ∂V T
D(VS , VT ) = (VS , VT ), (3) 4 Update VS by gradient descent with Eq. (6),
∂G
VS = VS − α ∂V
which is the difference between the projected target data 5
S
Update PT by gradient descent with Eq. (7),
and the projected source data. Hence, the projected source PT = PT − α ∂P ∂G
and target data are constrained to be similar by minimizing T
6 Update PS by gradient descent with Eq. (8),
the difference function (3) . ∂G
PS = PS − α ∂P
Optimization S
7 step++
Substituting (2) and (3) into (1), we obtain the following
8 end
optimization objective to minimize w.r.t VS , VT , PS and PT
as follows:
TABLE I
min G(VS , VT , PS , PT ) N UMBER OF I NSTANCES IN NSL-KDD
VST VS =I,VTT VT =I
20 Downloaded on April 27,2023 at 12:15:26 UTC from IEEE Xplore. Restrictions apply.
Authorized licensed use limited to: INDIAN INSTITUTE OF INFORMATION TECHNOLOGY.
Milcom 2017 Track 3 - Cyber Security and Trusted Computing
TABLE II
ACCURACY OF UNSEEN NETWORK ATTACK DETECTION base classiers without transfer learning approaches on three
Random Naive detection tasks. We have chosen decision tree (CART), random
Datasets Approach CART SVM KNN
Forests Bayes forests, linear SVM, Naive Bayes and KNN as the common
No TL 0.53 0.50 0.49 0.36 0.49 base classiers. From the results in Table II and Table III,
DoS→R2L
HeTL 0.81 0.78 0.81 0.72 0.78
No TL 0.63 0.63 0.74 0.54 0.73 we can see that the HeTL has signicantly improved the
DoS→Probe performance in all cases. Compared with the baselines, HeTL
HeTL 0.78 0.78 0.85 0.76 0.78
Probe→R2L
No TL 0.52 0.50 0.47 0.65 0.51 improved accuracy of 35% - 50% and achieved much higher
HeTL 0.73 0.75 0.75 0.71 0.78
improvements in F1 -scores. From the ROC Curve as shown
in Fig.5, we can see that HeTL improved the detection rates
against the baselines. For the second experimental setting,
TABLE III
F1 SCORE OF UNSEEN NETWORK ATTACK DETECTION
Fig.6 shows the potential benet of taking advantage of the
heterogeneous feature space.
Random Naive The results show that HeTL has a steady performance in
Datasets Approach CART SVM KNN
Forests Bayes
No TL 0.12 0.0 0.0 0.0 0.0
the ve common base classiers, which means HeTL can work
DoS→R2L with various supervised learning classiers. Moreover, We plot
HeTL 0.83 0.80 0.83 0.74 0.81
DoS→Probe
No TL 0.26 0.45 0.65 0.54 0.68 the distribution of the new feature representations in Fig.7 to
HeTL 0.76 0.74 0.84 0.73 0.75 demonstrate why HeTL can improve the peformance. We can
No TL 0.12 0.01 0.04 0.57 0.08
Probe→R2L
HeTL 0.67 0.77 0.79 0.77 0.78 see that HeTL successfully nd a subspace that can make the
distributions of different attacks similar, while still apart far
from the normal behaviors, which helps nding the decision
C. Evaluation boundary to distinguish malicious from the normal.
1) Transfer learning vs non-transfer learning: For the 2) Comparison of feature-based transfer learning ap-
rst experimental setting, which aims to detect the new and proaches: We have evaluated HeTL with other feature-based
unseen attacks, we compare the performance of the proposed transfer learning approaches, which are HeMap [8] and COR-
transfer learning detection technique HeTL with common relation Alignment (CORAL) [14] on network attack detection
21 Downloaded on April 27,2023 at 12:15:26 UTC from IEEE Xplore. Restrictions apply.
Authorized licensed use limited to: INDIAN INSTITUTE OF INFORMATION TECHNOLOGY.
Milcom 2017 Track 3 - Cyber Security and Trusted Computing
22 Downloaded on April 27,2023 at 12:15:26 UTC from IEEE Xplore. Restrictions apply.
Authorized licensed use limited to: INDIAN INSTITUTE OF INFORMATION TECHNOLOGY.