Intrusion detection in cyber-physical systems using a generic and domain specific deep autoencoder model

https://doi.org/10.1016/j.compeleceng.2021.107044

Abstract

The rapid growth of network-related services in the last decade has produced a huge amount of sensitive data on the internet. But networks are highly prone to intrusions, where unauthorized users attempt to access sensitive information and even disrupt the system. Building a competent network intrusion detection system (IDS) is necessary to prevent such attacks. IDSs generally use machine learning algorithms for classifying the attacks. But the features used for classification are not always suitable or sufficient. Besides, the number of intrusions is much less than the number of non-intrusions. Hence naive approaches may fail to provide acceptable performance due to this class imbalance. To counter this problem, in this paper, we propose a model that extracts useful features from the given features and then uses a deep learning algorithm to classify the intrusions. It is to be noted that the underlying data points cannot be thought of as sampled from the same distribution, but rather from two different distributions: one generic to all network intrusions, and the other specific to the domain. Keeping this fact in mind, we propose a unique Generic-Specific autoencoder architecture where the generic one learns the features that are common across all forms of network intrusions, and the specific ones learn features that pertain only to that domain. The model has been evaluated on the CICIDS2017 dataset, which is the largest dataset of this type available online, and we have set new benchmark results on this dataset. Source code of this work is available at: https://github.com/SoumyadeepThakur/Intrusion-AE

Introduction

The use of network-related services has increased over the years and thus the amount of sensitive data on the internet has grown. Networks are prone to intrusions where unauthorized users, with malicious intent, gain entry to a system on a network and attempt to obtain sensitive information or sabotage the system. Despite numerous network security methods, cyber-attacks still occur. Network intrusion is, therefore, a prime concern, and network intrusion detection systems (NIDSs) are necessary to prevent such attacks. The information obtained by analyzing the packet data during attacks may help to detect such attacks in the future. Moreover, if after detecting an intrusion we can further classify its type, such as Denial of Service (DoS), Cross-Site Scripting (XSS), etc., more effective countermeasures can be taken to prevent such attacks. One important factor to keep in mind while building a NIDS is that an intrusion wrongly classified as a non-intrusion is more dangerous than a false alarm (a non-intrusion classified as an intrusion).

Using these network services, cyber-physical systems integrate computation with physical processes by using feedback loops. These systems consist of sensors, actuators, and other components that communicate with each other through a network. At the lower levels, the communication network uses the same protocols as a computer network, such as TCP/IP and wireless protocols. Hence, cyber-physical systems are prone to the same intrusions as a simple computer network. However, cyber-physical systems are safety-critical, and sudden failure due to cyber-attacks or otherwise can cause severe damage to the physical systems that are being controlled and also to the people dependent on these systems. Thus, it is of prime importance that such attacks are prevented. A cyber-physical system (CPS) assimilates computing resources and physical processes, so that useful control is performed through computation and communication with the connected devices [1]. It enables the remote access and control of systems, devices, and machines, and is thus essential in many industrial environments. Nevertheless, the extensive implementation of CPS comes with various security threats which can lead to severe damage to the controlled physical objects and harm the users who completely rely on them. Hence, NIDS must be implemented on such systems so that preventive actions can be taken before there is irreparable damage due to these attacks.

Although network monitoring has been extensively used for security, forensics, etc., recent advancements in technology have thrown forward many new challenges [2]. Some of the most pressing issues are –

  • Volume – The volume of data continues to drastically grow owing to the increasing popularity of the Internet of Things, cloud-based services, etc. New techniques have to be developed to efficiently and effectively analyze such huge quantities of data.

  • Accuracy – To provide performance with the required levels of accuracy, greater levels of granularity and contextual understanding are needed to get a more holistic and comprehensive view.

  • Diversity – This is caused by the number of new and different protocols and the vast variety of data traveling through modern networks. This makes it difficult to learn appropriate features that can distinguish between normal and abnormal traffic.

  • Low-frequency attacks – These attacks lead to an imbalance in the training set for artificial intelligence approaches, leading to poor precision of detection when they occur.

Moreover, most IDSs make use of machine learning algorithms to classify the attacks. This necessitates the extraction of good features for different intrusions that can then be used for supervised learning to identify the attacks. However, sufficient and appropriate traffic data to facilitate proper feature learning is often not available. Further, the number of intrusions is much less than the number of non-intrusions, which makes training more difficult.

To handle these issues, network traffic data can be collected from different sources and unsupervised feature learning can be applied to learn appropriate feature representations for these data. These features can then be used to train a classifier using a labeled (and smaller if convenient) dataset comprising both benign and anomalous traffic. The traffic data for the labeled dataset can be collected in a confined, isolated, and private network environment. In this paper we propose a model to identify only the useful feature attributes from the given feature vector and then use machine learning algorithms to classify the intrusions using these features. Our proposed model has been evaluated on the CICIDS2017 [3] dataset.

The rest of the paper is organized as follows. Section 2 deals with the literature survey, Section 3 describes the proposed method, Section 4 presents the dataset description, the experimental results, and a comparative study of the results, and finally Section 5 concludes the paper.

Section snippets

Related work

Network intrusion detection is an active field of research and various machine learning based approaches have been proposed in the literature over the years. In this regard, it is to be noted that the CICIDS2017 is a relatively new dataset and therefore not many approaches have been tried on this dataset. In this section, first, a general overview of the methods that have been used for IDS is provided which includes popular approaches such as feature selection, ensemble paradigms, deep learning

Proposed method

Network intrusions vary widely, ranging from simple brute force attacks to very complex attacks such as Distributed DoS. These intrusions can be grouped into domains (i.e., generalized groups) such as DoS, Web attacks, etc. For example, attacks such as SQL injection, Cross-Site Scripting, and Brute Force can be grouped into a more generalized domain of Web Attacks, as all of these attacks are carried out by exploiting vulnerabilities in a web application.
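The feature-extraction stage of the Generic-Specific idea, as an added sketch that is not the authors' code (theirs is in the repository linked in the abstract): one autoencoder is fitted on flows from every domain, one more per domain, and each flow is described by both codes. Assumptions made here: numpy, the small tanh autoencoder, concatenating the two codes, knowing each flow's domain in advance, and the constructed six-feature flows.

```python
import numpy as np

def train_encoder(X, code_dim, epochs=500, lr=0.01, seed=0):
    """Fit a one-hidden-layer tanh autoencoder by full-batch gradient descent.
    Returns (encode function, per-epoch reconstruction error)."""
    rng = np.random.default_rng(seed)
    d = X.shape[1]
    W1, b1 = rng.normal(0, 0.1, (d, code_dim)), np.zeros(code_dim)
    W2, b2 = rng.normal(0, 0.1, (code_dim, d)), np.zeros(d)
    losses = []
    for _ in range(epochs):
        H = np.tanh(X @ W1 + b1)              # code for every flow
        E = H @ W2 + b2 - X                   # reconstruction error
        losses.append(float((E ** 2).sum(axis=1).mean()))
        dR = 2 * E / len(X)
        dH = (dR @ W2.T) * (1 - H ** 2)       # backprop through tanh
        W2 -= lr * (H.T @ dR); b2 -= lr * dR.sum(axis=0)
        W1 -= lr * (X.T @ dH); b1 -= lr * dH.sum(axis=0)
    return (lambda Z: np.tanh(Z @ W1 + b1)), losses

def build_features(flows_by_domain, generic_dim=2, specific_dim=2):
    """flows_by_domain maps a domain name to an (n_flows, n_features) array."""
    all_flows = np.vstack(list(flows_by_domain.values()))
    generic, g_loss = train_encoder(all_flows, generic_dim)   # sees every domain
    feats, s_loss = {}, {}
    for name, X in flows_by_domain.items():
        specific, s_loss[name] = train_encoder(X, specific_dim, seed=1)  # one domain only
        # Assumption: the classifier input is the two codes side by side.
        feats[name] = np.hstack([generic(X), specific(X)])
    return feats, g_loss, s_loss

def constructed_flows(n=200, seed=42):
    """Constructed data: columns 0-2 vary the same way in both domains,
    columns 3-4 or 4-5 carry the domain-specific variation."""
    rng = np.random.default_rng(seed)
    out = {}
    for name, cols in {"DoS": slice(3, 5), "Web Attack": slice(4, 6)}.items():
        X = 0.1 * rng.normal(size=(n, 6))
        X[:, :3] += rng.normal(size=(n, 1))
        X[:, cols] += rng.normal(size=(n, 1))
        out[name] = X
    return out

if __name__ == "__main__":
    feats, g_loss, s_loss = build_features(constructed_flows())
    for name, F in feats.items():
        print(name, F.shape, "specific error:", round(s_loss[name][-1], 3))
    print("generic error:", round(g_loss[0], 3), "->", round(g_loss[-1], 3))
```

The concatenated features would then be passed to the supervised classifier trained on labeled benign and attack flows.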

Experimental results

In this section, we provide a detailed description of the dataset used, along with the data pre-processing procedure adopted here. The detailed structure of the model is also presented. Finally, a performance analysis of the model is provided followed by a comparative study with other classifiers and models found in the literature. The experiments are done on a Windows 10 – 64-bit PC with 12 GB RAM and CPU Intel(R) [email protected] GHz.

Conclusion

The problem of network intrusion detection can be defined as identifying unlawful access, misuse, and abuse of computer systems by insiders and/or outsiders. Network intrusions vary, ranging from simple brute force attacks to very complex attacks. More specifically, the data points of a network intrusion dataset can be thought of as following two distinct distributions: one generic to all network intrusions, and the other specific to the domains. Based on this fact, we propose a

Declaration of Competing Interest

The authors declare that there is no conflict of interest.

Authors statement

Authors declare that there is no conflict of interest during the submission of the paper at this venue. All the authors agreed on the submission of the paper at this venue. The paper is submitted solely at this venue.

Soumyadeep Thakur is a post-graduate student within the Computer Science and Engineering Department of Indian Institute of Technology, Bombay. He completed his undergraduate studies from the Department of Computer Science and Engineering of Jadavpur University in 2019. His research interests lie in Deep Learning, Natural Language Processing and Reinforcement Learning.

References (25)

  • S. Han et al. Intrusion detection in cyber-physical systems: techniques and challenges. IEEE Syst J (2014)
  • N. Shone et al. A deep learning approach to network intrusion detection. IEEE Trans Emerg Top Comput Intell (2018)
  • I. Sharafaldin et al. Towards a reliable intrusion detection benchmark dataset. Softw Netw (2017)
  • B.M. Aslahi-Shahri. A hybrid method consisting of GA and SVM for intrusion detection system. Neural Comput Appl (2016)
  • S. Sun et al. Wrapper feature selection based on lightning attachment procedure optimization and support vector machine for intrusion detection
  • S. Mukkamala et al. Intrusion detection using an ensemble of intelligent paradigms. J Netw Comput Appl (2005)
  • B. Dong and X. Wang, “Comparison deep learning method to traditional methods using for network intrusion detection,”...
  • A. McDole et al. Analyzing CNN based behavioural malware detection techniques on cloud IaaS. Cloud Comput CLOUD (2020)
  • M. Gupta et al. Secure V2V and V2I communication in intelligent transportation using cloudlets. IEEE Trans Serv Comput (2020)
  • D. Gupta et al. Access Control Model for Google Cloud IoT
  • F. Farahnakian and J. Heikkonen, “A deep auto-encoder based approach for intrusion detection system,” 2018, doi:...
  • Y. Mirsky, T. Doitshman, Y. Elovici, and A. Shabtai, “Kitsune: an ensemble of autoencoders for online network intrusion...
    Anuran Chakraborty received his B.E. degree in Computer Science and Engineering from Jadavpur University, Kolkata, India in 2020. His research interests are Image Processing, Machine Learning and Deep Learning.

    Rajonya De received his B.E. degree in Computer Science and Engineering from Jadavpur University, Kolkata, India in 2020. His research interests are Image Processing, Machine Learning and Deep Learning.

    Neeraj Kumar is a highly-cited researcher from WoS in 2019 and 2020, and has published more than 400 research papers in top-cited journals and conferences. His research is supported by funding from various agencies across the globe. His research areas are Green computing and Network management, IoT, Big Data Analytics, Deep learning and Cyber-security. He is serving as an editor of various journals.

    Ram Sarkar did his Bachelors from University of Calcutta in 2003. He did his Masters and PhD degrees from Jadavpur University (JU) in 2005 and 2012 respectively. He is an Associate Professor at JU. He was a Fulbright-Nehru Fellow and worked at University of Maryland, USA during 2014–15. His research interests are Machine and Deep Learning and Image Processing.

    This paper is for CAEE special section VSI-aicps. Reviews processed and recommended for publication to the Editor-in-Chief by Guest Editor Dr. Ali Dehghantanha.
