With the increased demand for intelligence, neural networks have become an increasingly popular solution for intrusion detection systems (IDS), as their ability to learn complex patterns and behaviors makes them a suitable solution for distinguishing normal traffic from network intrusions. Hence, this paper proposes a new unsupervised IDS ensemble framework that utilizes parallel deep learning techniques based on three different anomaly detection concepts. That is, modeling the detection of point anomalies, collective anomalies, and contextual anomalies simultaneously.These detectors are trained in parallel, and the anomaly scores obtained from each detector are combined to provide the final detection decision. This ensemble approach can simultaneously consider the different types of anomalies in time series data and reduce the impact of overfitting some unsupervised anomaly detectors. Compared to supervised methods, the developed scheme reduces the overhead of manually annotated data and detects online possible novel attack data streams. The proposed ensemble model has been tested on the UNSW-NB15, DAPT 2020 and CSE-CIC-IDS 2018 datasets. Compared to baseline models, the single detectors used to constitute the ensemble model achieve better performance separately in most cases. Through three simple ensemble strategies, Vote, ‘And’ logic and ‘Or’ logic, the ensemble model exhibits improved stability, precision performance, and recall performance, respectively. This demonstrates that the proposed ensemble model can successfully combine the advantages of different unsupervised detectors, offering an advantage over other single unsupervised anomaly detection models. Moreover, the suggested method is effective for detecting various traffic anomalies caused by network intrusions that occur in the datasets.
ZhouYChengGJiangS, et al.Building an efficient intrusion detection system based on feature selection and ensemble classifier. Comput Netw2020; 174: 107247.
3.
AvizienisALaprieJ-CRandellB, et al.Basic concepts and taxonomy of dependable and secure computing. IEEE Trans Dependable Secure Comput2004; 1: 11–33.
4.
JiaYQiYShangH, et al.A practical approach to constructing a knowledge graph for cybersecurity. Engineering2018; 4: 53–60.
5.
AlkadiOMoustafaNTurnbullB. A review of intrusion detection and blockchain applications in the cloud: approaches, challenges and solutions. IEEE Access2020; 8: 104893.
6.
WangWJianSTanY, et al.Representation learning-based network intrusion detection system by capturing explicit and implicit feature interactions. Comput Secur2022; 112: 102537.
7.
AtallahMJGwaderaRSzpankowskiW. Detection of significant sets of episodes in event sequences. In: Proceedings of the 4th IEEE international conference on data mining (ICDM 2004), 1-4 November 2004, Brighton, UK, 2004, pp.3–10. DOI: 10.1109/ICDM.2004.10090.
McWhorterD. Mandiant exposes APT1–one of China’s cyber espionage units & releases 3,000 indicators. Mandiant, February18 2013.
10.
T.M. Corporation. MITRE ATT&CK Matrix, (2019, accessed 19 June 2020).
11.
EngebretsonP. The basics of hacking and penetration testing: ethical hacking and penetration testing made easy. Waltham, MA: Elsevier, 2013.
12.
AhmedMMahmoodAN. Clustering based semantic data summarization technique: a new approach. In: 2014 9th IEEE conference on industrial electronics and applications, 2014, pp.1780–1785. IEEE.
13.
AhmedMMahmoodAN. Network traffic analysis based on collective anomaly detection. In: 2014 9th IEEE conference on industrial electronics and applications, 2014, pp.1141–1146. IEEE.
14.
AhmedMMahmoodAN. Novel approach for network traffic pattern analysis using clustering-based collective anomaly detection. Annals of Data Science2015; 2: 111–130.
15.
AhmedMMahmoodANHuJ. A survey of network anomaly detection techniques. J Netw Comput Appl2016; 60: 19–31.
16.
KimTChoS. Web traffic anomaly detection using C-LSTM neural networks. Expert Syst Appl2018; 106: 66–76.
ZimekACampelloRJSanderJ. Ensembles for unsupervised outlier detection: challenges and research questions a position paper. ACM SIGKDD Explor Newsl2014; 15: 11–22.
19.
ChiangADavidELeeY-J, et al.A study on anomaly detection ensembles. J Appl Log2017; 21: 1–13.
20.
VenterHEloffJH. A taxonomy for information security technologies. Comput Secur2003; 22: 299–307.
ShunJMalkiHA. Network intrusion detection system using neural networks. In: 2008 Fourth international conference on natural computation, vol. 5, 2008, pp.242–246. IEEE.
25.
AmerMGoldsteinMAbdennadherS. Enhancing one-class support vector machines for unsupervised anomaly detection. In: Proceedings of the ACM SIGKDD workshop on outlier detection and description, 2013, pp.8–15.
26.
BreunigMMKriegelH-PNgRT, et al.LOF: identifying density-based local outliers. In: Proceedings of the 2000 ACM SIGMOD international conference on management of data, 2000, pp.93–104.
27.
TangJChenZFuAW-C, et al.Enhancing effectiveness of outlier detections for low density patterns. In: Advances in knowledge discovery and data mining: 6th Pacific-Asia conference, PAKDD 2002 Taipei, Taiwan, May 6–8, 2002 Proceedings 6, 2002, pp.535–548. Springer.
28.
HeZXuXDengS. Discovering cluster-based local outliers. Pattern Recognit Lett2003; 24: 1641–1650.
29.
GoldsteinMDengelA. Histogram-based outlier score (HBOS): a fast unsupervised anomaly detection algorithm. In: KI-2012: poster and demo track, 2012.
30.
YuQJibinLJiangL. An improved ARIMA-based traffic anomaly detection algorithm for wireless sensor networks. Int J Distrib Sens Netw2016; 12: 9653230:1.
31.
YaacobAHTanIKTChienSF, et al.ARIMA based network anomaly detection. In: 2010 Second international conference on communication software and networks, 2010, pp.205–209. DOI: 10.1109/ICCSN.2010.55.
32.
FolinoGSabatinoP. Ensemble based collaborative and distributed intrusion detection systems: a survey. J Netw Comput Appl2016; 66: 1–16.
33.
SongJTakakuraHOkabeY, et al.Unsupervised anomaly detection based on clustering and multiple one-class SVM. IEICE Trans Comm2009; 92: 1981–1990.
34.
XiaYCaoXWenF, et al.Learning discriminative reconstructions for unsupervised outlier removal. In: 2015 IEEE international conference on computer vision, ICCV 2015, Santiago, Chile, December 7–13, 2015, 2015, pp.1511–1519. DOI: 10.1109/ICCV.2015.177.
35.
KieuTYangBJensenCS. Outlier detection for multidimensional time series using deep neural networks. In: 19th IEEE international conference on mobile data management, MDM 2018, Aalborg, Denmark, June 25–28, 2018, 2018, pp.125–134. DOI: 10.1109/MDM.2018.00029.
36.
MalhotraPRamakrishnanAAnandG, et al.LSTM-based encoder-decoder for multi-sensor anomaly detection. ArXiv abs/1607.00148 2016.
37.
ChenJSatheSAggarwalCC, et al.Outlier detection with autoencoder ensembles. In: Proceedings of the 2017 SIAM international conference on data mining, Houston, Texas, USA, April 27–29, 2017, 2017, pp.90–98. DOI: 10.1137/1.9781611974973.11.
38.
KieuTYangBGuoC, et al.Outlier detection for time series with recurrent autoencoder ensembles. In: Proceedings of the twenty-eighth international joint conference on artificial intelligence, IJCAI 2019, Macao, China, August 10–16, 2019, 2019, pp.2725–2732. DOI: 10.24963/ijcai.2019/378.
39.
MunirMSiddiquiSADengelA, et al.DeepAnT: a deep learning approach for unsupervised anomaly detection in time series. IEEE Access2018; 7: 1991–2005.
40.
ParkSHParkHChoiY. RNN-based prediction for network intrusion detection. In: 2020 International conference on artificial intelligence in information and communication, ICAIIC 2020, Fukuoka, Japan, February 19–21, 2020, 2020, pp.572–574. DOI: 10.1109/ICAIIC48513.2020.9065249.
41.
DuMLiFZhengG, et al.DeepLog: anomaly detection and diagnosis from system logs through deep learning. In: Proceedings of the 2017 ACM SIGSAC conference on computer and communications security, CCS 2017, Dallas, TX, USA, October 30 – November 03, 2017, 2017, pp.1285–1298. DOI: 10.1145/3133956.3134015.
42.
LaptevNAmizadehSFlintI. Generic and scalable framework for automated time-series anomaly detection. In: Proceedings of the 21th ACM SIGKDD international conference on knowledge discovery and data mining, Sydney, NSW, Australia, August 10-13, 2015, 2015, pp.1939–1947. DOI: 10.1145/2783258.2788611.
43.
LavinAAhmadS. Evaluating real-time anomaly detection algorithms – the numenta anomaly benchmark. In: 14th IEEE international conference on machine learning and applications, ICMLA 2015, Miami, FL, USA, December 9–11, 2015, 2015, pp.38–44. DOI: 10.1109/ICMLA.2015.141.
44.
AhmadSLavinAPurdyS, et al.Unsupervised real-time anomaly detection for streaming data. Neurocomputing2017; 262: 134–147.
45.
SchleglTSeeböckPWaldsteinSM, et al.Unsupervised anomaly detection with generative adversarial networks to guide marker discovery. In: Information processing in medical imaging – 25th international conference, IPMI 2017, Boone, NC, USA, June 25–30, 2017, Proceedings, 2017, pp.146–157. DOI: 10.1007/978-3-319-59050-9_12.
46.
LiDChenDJinB, et al.MAD-GAN: multivariate anomaly detection for time series data with generative adversarial networks. In: Artificial neural networks and machine learning – ICANN 2019: text and time series – 28th international conference on artificial neural networks, Munich, Germany, September 17–19, 2019, Proceedings, Part IV, 2019, pp.703–716. DOI: 10.1007/978-3-030-30490-4_56.
47.
BasharMANayakR. TAnoGAN: time series anomaly detection with generative adversarial networks. In: 2020 IEEE symposium series on computational intelligence, SSCI 2020, Canberra, Australia, December 1–4, 2020, 2020, pp.1778–1785. DOI: 10.1109/SSCI47803.2020.9308512.
48.
GeigerALiuDAlnegheimishS, et al.TadGAN: time series anomaly detection using generative adversarial networks. In: 2020 IEEE international conference on big data (IEEE BigData 2020), Atlanta, GA, USA, December 10–13, 2020, 2020, pp.33–43. DOI: 10.1109/BigData50022.2020.9378139.
49.
Molina-CoronadoBMoriUMendiburuA, et al.Survey of network intrusion detection methods from the perspective of the knowledge discovery in databases process. IEEE Trans Netw Serv Manag2020; 17: 2451–2479.
50.
ClaiseBTrammellBAitkenP. Specification of the IP flow information export (IPFIX) protocol for the exchange of flow information. RFC2013; 7011: 1–76.
51.
DavisJJClarkAJ. Data preprocessing for anomaly based network intrusion detection: a review. Comput Secur2011; 30: 353–375.
52.
ElsayedMSLe-KhacN-ADevS, et al.DDoSNet: a deep-learning model for detecting network attacks. In: 2020 IEEE 21st international symposium on “A World of Wireless, Mobile and Multimedia Networks”(WoWMoM), 2020, pp.391–396. IEEE.
53.
ZuechRHancockJKhoshgoftaarTM. Detecting web attacks using random undersampling and ensemble learners. J Big Data2021; 8: 75.
54.
LeevyJLHancockJZuechR, et al.Detecting cybersecurity attacks using different network features with lightGBM and XGboost learners. In: 2020 IEEE second international conference on cognitive machine intelligence (CogMI), 2020, pp.190–197. IEEE.
55.
AnJChoS. Variational autoencoder based anomaly detection using reconstruction probability. Spec Lec IE2015; 2: 1–18.
56.
YenterAVermaA. Deep CNN-LSTM with combined kernels from multiple branches for IMDb review sentiment analysis. In: 2017 IEEE 8th annual ubiquitous computing, electronics and mobile communication conference (UEMCON), 2017, pp.540–546. IEEE.
GravesAGravesA. Long short-term memory. In: Supervised sequence labelling with recurrent neural networks 2012, pp.37–45.
59.
GersFAEckDSchmidhuberJ. Applying LSTM to time series predictable through time-window approaches. In: International conference on artificial neural networks, 2001, pp.669–676. Springer.
CirsteaRMicuDMuresanG, et al.Correlated time series forecasting using multi-task deep neural networks. In: Proceedings of the 27th ACM international conference on information and knowledge management, CIKM 2018, Torino, Italy, October 22–26, 2018, 2018, pp.1527–1530. DOI: 10.1145/3269206.3269310.
62.
KieuTYangBGuoC, et al.Distinguishing trajectories from different drivers using incompletely labeled trajectories. In: Proceedings of the 27th ACM international conference on information and knowledge management, CIKM 2018, Torino, Italy, October 22–26, 2018, 2018, pp.863–872. DOI: 10.1145/3269206.3271762.
63.
MoustafaNSlayJ. UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set). In: 2015 military communications and information systems conference (MilCIS), 2015, pp.1–6. IEEE.
64.
ZongBSongQMinMR, et al.Deep autoencoding gaussian mixture model for unsupervised anomaly detection. In: International conference on learning representations, 2018.
65.
MyneniSChowdharyASaburA, et al.DAPT 2020-constructing a benchmark dataset for advanced persistent threats. In: Deployable machine learning for security defense: first international workshop, MLHat 2020, San Diego, CA, USA, August 24, 2020, Proceedings 1, 2020, pp.138–163. Springer.
66.
SharafaldinILashkariAHGhorbaniAA. Toward generating a new intrusion detection dataset and intrusion traffic characterization. In: Proceedings of the 4th international conference on information systems security and privacy, ICISSP 2018, Funchal, Madeira – Portugal, January 22–24, 2018, 2018, pp.108–116. DOI: 10.5220/0006639801080116.
67.
LiXChenWZhangQ, et al.Building auto-encoder intrusion detection system based on random forest feature selection. Comput Secur2020; 95: 101851.
68.
WangYSunGCaoX, et al.An intrusion detection system for the internet of things based on the ensemble of unsupervised techniques. Wirel Comm Mob Com2022; 2022: 8614903.
69.
ChenYZhouXSHuangTS. One-class SVM for learning in image retrieval. In: Proceedings 2001 international conference on image processing (Cat. No. 01CH37205), vol. 1, 2001, pp.34–37. IEEE.
70.
LiuFTTingKMZhouZ-H. Isolation-based anomaly detection. ACM Trans Knowl Discov Data (TKDD)2012; 6: 1–39.
