A content-based deep intrusion detection system

Regular contribution, International Journal of Information Security

Abstract

The growing number of Internet users and the prevalence of web applications mean that increasingly complex software and applications must be handled in the network. This leads to a growing number of new vulnerabilities in these systems and, in turn, to more cyber threats, in particular zero-day attacks. The cost of generating appropriate signatures for such attacks is a strong motive for using machine learning-based methods. Although many studies apply learning-based methods to attack detection, they generally operate on extracted features and overlook the raw content. This can degrade the detection of content-based attacks such as SQL injection, cross-site scripting (XSS), and various viruses. In this work, we propose a framework, called the deep intrusion detection (DID) system, that uses the raw content of traffic flows in addition to traffic metadata in both the learning and detection phases of a passive DNN-based IDS. To this end, we deploy and evaluate an offline IDS that follows the framework and uses LSTM as its deep learning technique. Owing to the nature of deep learning, the system can process high-dimensional content and thereby discover sophisticated relations among the automatically extracted traffic features. To evaluate the proposed DID system, we use the CIC-IDS2017 and CSE-CIC-IDS2018 datasets. Precision and recall reach 0.992 and 0.998 on CIC-IDS2017, and 0.933 and 0.923 on CSE-CIC-IDS2018, respectively, which shows the high performance of the proposed DID method.
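The abstract's central point is that a detector fed only flow metadata cannot see the payload that distinguishes a SQL injection or XSS request from a benign one, so the DID framework feeds raw content alongside that metadata. The following added example (written for this page, not the authors' code, and using none of their datasets) shows the input representation such a content-aware model consumes: each payload becomes a fixed-length sequence of byte tokens, as an embedding-plus-LSTM stack would take, next to a small flow-metadata vector. The three HTTP requests, the 96-byte sequence length, the particular metadata features and the coarsening in `metadata_bucket` are all assumptions made for illustration; the collision it exposes is the failure mode the abstract describes.

```python
# Added example: content-plus-metadata encoding for a payload-aware IDS.
# Not the paper's implementation; sample requests are constructed.
import math
from collections import Counter

MAX_BYTES = 96   # assumed fixed sequence length presented to the model
PAD = 0          # padding token; real byte values are shifted to 1..256

# Constructed sample requests, not taken from CIC-IDS2017/2018 or any capture.
SAMPLES = {
    "benign": b"GET /search?q=laptop+case HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "sqli":   b"GET /search?q=laptop'+OR+1=1-- HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "xss":    b"GET /search?q=<svg/onload=alert(1)> HTTP/1.1\r\nHost: shop.example\r\n\r\n",
}


def encode_payload(payload: bytes, max_bytes: int = MAX_BYTES) -> list:
    """Turn raw payload bytes into a fixed-length token sequence.

    Each byte becomes an integer id in 1..256 (0 is reserved for padding),
    the form an embedding + LSTM stack consumes. Longer payloads are
    truncated, shorter ones are right-padded.
    """
    ids = [b + 1 for b in payload[:max_bytes]]
    return ids + [PAD] * (max_bytes - len(ids))


def byte_entropy(payload: bytes) -> float:
    """Shannon entropy (bits per byte) of the payload; 0.0 for empty input."""
    n = len(payload)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values())


def flow_metadata(payload: bytes) -> dict:
    """Metadata-style features of the kind feature-based IDSs rely on."""
    if not payload:
        raise ValueError("empty payload")
    printable = sum(32 <= b < 127 for b in payload)
    return {
        "packets": 1.0,                     # single-packet request here
        "bytes": float(len(payload)),
        "printable_ratio": printable / len(payload),
        "entropy": byte_entropy(payload),
    }


def metadata_bucket(meta: dict, byte_bin: int = 16) -> tuple:
    """Coarsen metadata the way a flow-feature-only model effectively sees it."""
    return (int(meta["packets"]),
            int(meta["bytes"] // byte_bin),
            round(meta["printable_ratio"], 1))


def content_distance(a: bytes, b: bytes) -> float:
    """Fraction of token positions at which two encoded payloads differ."""
    ea, eb = encode_payload(a), encode_payload(b)
    return sum(x != y for x, y in zip(ea, eb)) / len(ea)


def model_input(payload: bytes) -> tuple:
    """The (content sequence, metadata vector) pair a DID-style model takes."""
    meta = flow_metadata(payload)
    return encode_payload(payload), [meta[k] for k in sorted(meta)]


if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        seq, meta = model_input(payload)
        print(label, metadata_bucket(flow_metadata(payload)), seq[:12], "...")
    print("benign/sqli content distance:",
          round(content_distance(SAMPLES["benign"], SAMPLES["sqli"]), 3))
```

Running it, the benign and SQLi requests land in the same metadata bucket (one packet, 48 to 63 bytes, about 90% printable), so a classifier trained only on such features has nothing to separate them with, while their token sequences differ at roughly 45% of positions. In a real pipeline the sequence would go through an embedding and LSTM layer and the metadata vector would be concatenated to the LSTM output before the classifier; the training data would be flows from a labelled dataset, not three hand-written requests.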



Acknowledgements

The authors would like to thank Ramin Shirali and Jafar Gholamzadeh for their invaluable help, discussion, and feedback on this work.

Funding

No funding was received to assist with the preparation of this manuscript.

Author information

Corresponding author

Correspondence to Amir Hossein Jahangir.

Ethics declarations

Conflict of interest

The authors have no conflicts of interest to declare that are relevant to the content of this article.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.


About this article


Cite this article

Soltani, M., Siavoshani, M.J. & Jahangir, A.H. A content-based deep intrusion detection system. Int. J. Inf. Secur. 21, 547–562 (2022). https://doi.org/10.1007/s10207-021-00567-2
