350 rub
Journal Neurocomputers №2 for 2019 г.
Article in number:
Network anomaly detection and classification using a combination of two artificial neural networks
Type of article: scientific article
DOI: 10.18127/j19998554-201902-05
UDC: 004.732.056
Keywords: Network anomalies network attacks machine learning artificial neural networks threats detection and classification hybrid structure detection reliability.
Authors:

O. I. Shelukhin – Dr.Sc. (Eng.), Professor, Head of Department of Information Security, Moscow Technical University of Communication and Informatics

E-mail: sheluhin@mail.ru

V. O. Musatov – Master’s Degree Student, Department of Information Security, Moscow Technical University of Communication and Informatics

E-mail: vladimirus@protonmail.com

Abstract:

We consider the detection of network attacks using two different artificial neural networks (ANNs): “fast” one and “slow” one. At the first stage, in order to increase the reliability of network anomaly detection, it has been proposed to submit the analyzed traffic to the “fast” primary ANN, recording the presence of any deviations from the norm. At the second stage, a “slow” ANN is used, which improves the classification accuracy of anomalous traffic.

A two-layer SVM (Support Vector Machine) type ANN {36-48-24-1} is used as “fast” one in the work. The main requirement for this ANN is high reliability of anomaly fixation, which is achieved by minimizing of type II errors with an acceptable level of type I errors. A three-layer ANN {36-36-48-36-6} based on BFGS (Broyden – Fletcher – Goldfarb – Shanno) algorithm is used as a “slow” ANN.

The proposed ANNs have been synthesized as follows. At the first stage, the ANN type which is implemented using the scikitlearn library has been selected. At the second stage, the structure of the ANN has been specified, including the number of layers and neurons in each layer. At the third stage, the obtained INS has been trained on the NSL KDD training set, until it reaches the limit of iterations or is stopped using the early stopping method.

For the experimental evaluation of the results obtained, the KDD CUP 1999 dataset has been used. It has been shown that in the considered classes of normal and anomalous traffic containing network attacks (DoS, R2L, U2R, Probe), the proposed hybrid structure demonstrates higher detection accuracy than conventional machine learning methods (SVM and Naive Bayes) or single Back Propagation Neural Network {36-36-36-6}. The model under study has been synthesized using the scikit-learn machine learning library for the Python programming language.

The main advantage of the proposed structure is the ability to detect attacks with a low frequency of occurrence of such records in the sample and a large number of classification features.

Pages: 45-53
References
  1. Beghdad R. Critical study of neural networks in detecting intrusions. Computers and Security. 2008. V. 27. P. 168–175. DOI: 10.1016/j.cose.2008.06.001
  2. Moradi M., Zulkernine M. A neural network based system for intrusion detection and classification of attacks. Proceedings of 2004 IEEE International Conference on Advances in Intelligent Systems – Theory and Applications. 2004.
  3. Shah B., Trivedi B.H. Artificial neural network based intrusion detection system: a survey. International Journal of Computer Applications. 2012. V. 39. № 6. P. 13–18. DOI: 10.5120/4823-7074
  4. Depren O., Topallar M., Anarim E., Ciliz M.K. An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks. Expert Systems with Applications. 2005. V. 29. P. 713–722.
  5. Nabor dannykh KDDCUP 1999. URL: http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html
  6. Kim G., Lee S., Kim S. A novel hybrid intrusion detection method integrating anomaly detection with misuse detection. Expert Systems with Applications. 2014. V. 41. P. 1690–1700.
  7. Faroun K.M., Boukelif A. Neural network learning improvement using k-means clustering algorithm to detect network intrusions. International Journal of Computational Intelligence. 2007. V. 3. № 2. P. 161–168.
  8. Lin S.W., Ying K.C., Lee C.Y., Lee Z.J. An intelligent algorithm with feature selection and decision rules applied to anomaly intrusion detection // Applied Soft Computing. 2012. V. 12. P. 3285–3290.
  9. Sabhnani M., Serpen G. Application of machine learning algorithms to KDD intrusion detection dataset within misuse detection context // Proc. of International Conference on Machine Learning: Models, Technologies, and Applications. Las Vegas, Nevada, USA. 2003. P. 209–215.
  10. Hussain J., Lalmuanawma S., Chhakchhuak L. A novel network intrusion detection system using two-stage hybrid classification technique // International Journal of Computer & Communication Engineering Research (IJCCER). 2015. V. 3. № 2. P. 16–25.
  11. Nabor dannykh NSLKDD. URL: https://github.com/defcom17/NSL_KDD
  12. Géron A. Hands-on machine learning with Scikit-Learn and TensorFlow. Concepts, tools, and techniques to build intelligent systems. O'Reilly Media. 2017.
Date of receipt: 15 января 2019 г.