Model-agnostic generation-enhanced technology for few-shot intrusion detection

Applied Intelligence

Abstract

Malicious traffic on the Internet has become an increasingly serious problem, and several artificial intelligence (AI)-based malicious traffic detection methods have been proposed. Generally, AI-based methods need numerous training instances of benign traffic and of specific types of malicious traffic to achieve better detection results. However, for attacks with only a few instances, known as few-shot attacks, these methods often perform poorly, and training a model to detect few-shot attacks is a huge challenge. To address this problem, we propose a novel intrusion detection system based on generative adversarial networks and model-agnostic meta-learning. The system adopts a hybrid detection mechanism in which an anomaly-based classifier determines whether incoming traffic is malicious and a signature-based classifier identifies the class of malicious traffic. In the system, the samples of few-shot attacks are augmented by maximizing the use of meta-knowledge and then applied to assist the detection of few-shot attacks to obtain better detection results. The experiments show that for the CSE-CIC-IDS2018 and Bot-IoT datasets, this system can detect malicious traffic with 94.3%/1.8% TPR/FPR and 99.8%/0.1% TPR/FPR, respectively, and can also identify the class of the few-shot attacks with 95.2% and 91.9% accuracy, respectively. Compared with other related methods, the system improves the accuracy of identifying few-shot attacks on these two datasets by at least 2.2% and 1.5%, respectively. Additionally, a parameter visualization process is designed, which shows the fast-adaptive property and better generalization capability of the system.

Data availability statement

All data generated and analysed during the current study are available from the corresponding author on reasonable request.

Acknowledgements

This work was supported by the Opening Project of Intelligent Policing Key Laboratory of Sichuan Province under grant number ZNJW2023KFQN00, the Chengdu Zhisuan Center for calculating resources, and the King Saud University, Riyadh, Saudi Arabia under project number (RSP2024R12).

Author information

Contributions

Conceptualization: He Junpeng; Methodology: He Junpeng; Formal analysis and investigation: He Junpeng, Yao Lingfeng; Writing - original draft preparation: He Junpeng; Writing - review and editing: Li Xiong, Muhammad Khurram Khan; Funding acquisition: Niu Weina, Zhang Xiaosong; Resources: Li Fagen; Supervision: Li Xiong.

Corresponding author

Correspondence to Xiong Li.

Ethics declarations

Competing Interests

The authors have no competing interests to declare that are relevant to the content of this article.

Ethical and informed consent

No data is used for human participants or animals.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendix

Table 9 Acc comparison on signature-based classification for few-shot attacks in CCI under different \(M_s\) and A (\(\%\))
Table 10 Acc comparison on signature-based classification for few-shot attacks in BI under different \(M_s\) and A (\(\%\))
Table 11 Acc comparison on signature-based classification for few-shot and all attacks under different A (\(\%\))
Table 12 Average training time and FID comparison on attack generation with generative-based methods in CCI
Table 13 Average training time and FID comparison on attack generation with generative-based methods in BI
Table 14 Comparison on sub-modules and combined one with an advanced method in CCI and BI (%)
Table 15 Ablation experiment of MAGET on CCI and BI
Fig. 12 FID variations of the generative attack instances with epochs: (a) and (b) are based on CSE-CIC-IDS2018, while (c) and (d) are based on Bot-IoT; (a) and (c) are for Algorithm 1, and (b) and (d) are for Algorithm 2

Fig. 13 ROC curves on anomaly-based classification with baseline methods

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

About this article

Cite this article

He, J., Yao, L., Li, X. et al. Model-agnostic generation-enhanced technology for few-shot intrusion detection. Appl Intell 54, 3181–3204 (2024). https://doi.org/10.1007/s10489-024-05290-8

  • DOI: https://doi.org/10.1007/s10489-024-05290-8
