Elsevier

Computers & Security

Volume 86, September 2019, Pages 291-317
Intelligent approach to build a Deep Neural Network based IDS for cloud environment using combination of machine learning algorithms

https://doi.org/10.1016/j.cose.2019.06.013

Abstract

The appealing features of Cloud Computing continue to fuel its adoption and its integration in many sectors such as industry, governments, education and entertainment. Nevertheless, uploading sensitive data to public cloud storage services poses security risks to organizations, affecting integrity, availability and confidentiality. Moreover, the open and distributed (decentralized) structure of the cloud has made this class of computing prone to cyber attackers and intruders. It is therefore imperative to develop an anomaly network intrusion system to detect and prevent both inside and outside assaults in the cloud environment with high detection precision and low false warnings. In this work, we propose an intelligent approach to automatically build an efficient and effective Deep Neural Network (DNN) based anomaly Network IDS using a hybrid optimization framework (IGASAA) based on an Improved Genetic Algorithm (IGA) and the Simulated Annealing Algorithm (SAA). The resulting IDS is called “MLIDS” (Machine Learning based Intrusion Detection System). The Genetic Algorithm (GA) is improved through optimization strategies, namely Parallel Processing and Fitness Value Hashing, which reduce execution time and convergence time and save processing power. Moreover, SAA was incorporated into IGA with the aim of optimizing its heuristic search. Our approach consists of using IGASAA to search for the optimal or near-optimal combination of the most relevant values of the parameters involved in the construction of the DNN based IDS or impacting its performance, such as feature selection, data normalization, architecture of the DNN, activation function, learning rate and momentum term, so as to ensure a high detection rate, high accuracy and a low false alarm rate. For simulation and validation of the proposed method, the CloudSim 4.0 simulator platform and three benchmark IDS datasets were used, namely CICIDS2017, NSL-KDD version 2015 and CIDDS-001. The implementation results of our model demonstrate its ability to detect intrusions with high detection accuracy and low false alarm rate, and indicate its superiority in comparison with state-of-the-art methods.

Introduction

In recent years, cloud computing has revolutionized the IT world as a rapidly emerging and widely accepted paradigm for computing systems. The appealing features of Cloud Computing (CC) continue to fuel its integration in many sectors including governments, industry, education and entertainment, to name a few (Fernandes et al., 2014). CC is defined by the National Institute of Standards and Technology (NIST) as a computational model that delivers convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, applications, storage, etc.) as a “service” over the Internet to satisfy the computing demand of users. Those offered resources can be quickly provisioned and released with minimal management effort or service provider interaction (Mell and Grance, 2011). NIST introduces CC by considering its 5 main features (i.e., bandwidth, rapid flexibility, measurable, on-demand service, and resource pooling) and its 3 service delivery models (i.e., software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS)) (Brunette and Mogull, 2009). The pay-as-you-go and on-demand elastic operation characteristics of the Cloud are changing the enterprise computing model, shifting on-premises infrastructures to off-premises data centers, accessed over the Internet and managed by cloud hosting providers (Idhammad et al., 2018). CC has developed into a multifaceted technology with the capability to support a broad spectrum of applications. It emerged as a breakthrough in the usage of the Internet. Hence, CC is now a topic of great impact and has proved itself as a driver for small companies in the rapidly developing world. It is an anatomy for providing various beneficial services using the Internet (Ghosh et al., 2016). Other attractive advantages of cloud computing are hardware cost reduction (since users do not need to accommodate powerful processors or any hardware resources), continuous and quick upgrading/updating of services, high storage capacity, global access to documents (users can access their required documents and applications just by connecting to the Internet wherever they are), parallel processing, resource sharing, acceleration and time saving. However, some of the most important challenges of cloud computing are efficiency, security, privacy and trust, control and ownership, availability, fault tolerance and fault recovery, and the costs of connection bandwidth (Hatef et al., 2018).

Since cloud computing services are offered over the Internet, data security and privacy are the major hurdles to the success of CC and its large-scale adoption by organizations and companies. Moreover, the open and distributed (decentralized) nature of CC has made this class of computing prone to cyber attacks and intrusions (Hatef et al., 2018). NIST defines intrusion as an attempt to endanger security policies (privacy, integrity and availability) or to bypass computer and network security mechanisms. One of the major security issues in the Cloud is detecting and preventing network intrusions, since the network is the backbone of the Cloud and hence vulnerabilities in the network directly affect the security of the Cloud.

With each passing year, not only has the sheer volume of threats increased, but the threat landscape has become more diverse, with attackers working harder to discover new avenues of attack and cover their tracks while doing so. Regardless of the important evolution of information security technologies in recent years, intrusions and attacks continue to defeat existing intrusion detection systems in Cloud environments (Iqbal et al., 2016). Attackers have developed new sophisticated techniques able to bring down an entire Cloud platform, or even many, within minutes. Recently a destructive DDoS attack has brought down more than 70 vital services of the Internet including Github, Twitter, Amazon, Paypal, etc. Attackers have exploited the advantages of Cloud Computing and IoT (Internet of Things) to generate a tremendous amount of attack traffic: more than 665 Gb/s (Wikipedia 2016, Anon 2019a). Further, Epsilon leaked millions of names and email addresses from its customer database, and from Stratfor in the United States, 75,000 credit card numbers and 860,000 usernames and passwords were stolen (Chou, 2013). In 2017, ransomware attacks affected many banks, National Health Service hospitals in the United Kingdom, large telecom companies, and natural gas companies, while in 74 countries tens of thousands of systems were hacked (Ismael Valenzuela, 2019). Thus, intrusion and attack tools have become more sophisticated, challenging existing network Cloud IDSs with large volumes of network traffic data, dynamic and complex behaviors and new types of attacks. It is obvious that a network Cloud IDS should analyze large volumes of network traffic data, efficiently detect new attack behaviors and reach high accuracy with a low false alarm rate. However, preprocessing, analyzing and detecting intrusions in Cloud environments using traditional techniques have become very costly in terms of computation, time and budget. Therefore, efficient intrusion detection in Cloud environments requires the adoption of new intelligent techniques such as Machine Learning (ML) techniques (Idhammad et al., 2018).

One of the main ML techniques that has been successfully used in solving complex practical problems is the DNN. DNNs have the ability to solve several problems confronted by the other techniques presently used in intrusion detection (Mehibs and Hashim, 2018). There are four advantages of intrusion detection based on DNN (Yassin et al., 2012; Wu and Banzhaf, 2010; Krizhevsky et al., 2012):

  • DNN provides elasticity in the intrusion detection process, where DNN has the ability to analyze data and ensure that it is right or partially right. Likewise, DNN is capable of performing analysis on data in a nonlinear fashion.

  • DNN has the ability to process data from a number of sources in a nonlinear fashion. This is very important, especially when a coordinated attack by multiple attackers is conducted against the network.

  • High speed in processing data.

  • High capability of generalization.

  • Remarkable classification performance.

In this work, we present a machine learning based intrusion detection system for Cloud environments. We propose an intelligent approach to automatically build a network intrusion detection system (NIDS) based on a Deep Neural Network (DNN), by using a novel hybrid framework (IGASAA) that combines a Genetic Algorithm (GA), improved by means of two optimization strategies, Fitness Value Hashing (FVH) and Parallel Processing, with the Simulated Annealing Algorithm (SAA). SAA is incorporated into IGA in order to optimize its heuristic search. DNN has been widely studied in the machine learning research field and amply used for practical applications in image processing, computer vision, speech recognition, etc. (Hinton et al., 2012). DNN is adopted in this study due to its appealing features in terms of intrusion detection cited previously. Our goal is to develop an effective and efficient Anomaly Network Intrusion Detection System called “MLIDS” (Machine Learning based Intrusion Detection System), based on Deep Neural Network (DNN), Genetic Algorithm (GA) and Simulated Annealing Algorithm (SAA), with the purpose of reducing the impact of network attacks (known and unknown), while ensuring a higher detection rate, lower false positive rate, higher accuracy and higher precision at an affordable computational cost. Further, the proposed system is designed to be deployed both in the front-end and the back-end of the cloud. Consequently, it helps to detect attacks from the external network of the cloud and also internal attacks, either in the internal physical network or in the virtual network within hypervisors.
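An added sketch (not the authors' code) of two ingredients named above: Fitness Value Hashing, which caches each chromosome's fitness so a candidate that reappears is not scored again, and a simulated-annealing acceptance test applied to GA offspring. The candidate gene values, the `surrogate_fitness` function standing in for training and scoring a DNN, the way SA is coupled to the GA, and all numeric settings are assumptions made for illustration; feature selection and parallel evaluation are left out.

```python
import math
import random

# DNN-construction parameters named in the paper; candidate values are constructed.
GENES = {
    "normalization": ["none", "min-max", "z-score"],
    "hidden_layers": [1, 2, 3],
    "neurons": [16, 32, 64, 128],
    "activation": ["sigmoid", "tanh", "relu"],
    "learning_rate": [0.001, 0.01, 0.1, 0.5],
    "momentum": [0.0, 0.5, 0.9],
}
KEYS = list(GENES)

def surrogate_fitness(ch):
    """Constructed stand-in for 'train the DNN with these settings and score it'."""
    norm, layers, neurons, act, lr, mom = ch
    score = {"none": 0.0, "min-max": 0.10, "z-score": 0.12}[norm]
    score += 0.04 * layers + 0.001 * neurons
    score += {"sigmoid": 0.0, "tanh": 0.03, "relu": 0.06}[act]
    score -= 0.05 * abs(math.log10(lr) + 2)             # best near lr = 0.01
    score += 0.05 * mom if lr < 0.1 else -0.05 * mom    # momentum hurts at high lr
    return score

def run_igasaa(pop_size=20, generations=40, t0=0.2, cooling=0.9, seed=7):
    rng = random.Random(seed)
    cache, stats = {}, {"lookups": 0, "evaluations": 0}

    def fitness(ch):
        # Fitness Value Hashing: the chromosome tuple is the hash key, so a
        # candidate that reappears is never scored (i.e. trained) twice.
        stats["lookups"] += 1
        if ch not in cache:
            stats["evaluations"] += 1
            cache[ch] = surrogate_fitness(ch)
        return cache[ch]

    pop = [tuple(rng.choice(GENES[k]) for k in KEYS) for _ in range(pop_size)]
    temp, history = t0, []
    for _ in range(generations):
        pop.sort(key=fitness, reverse=True)
        history.append(fitness(pop[0]))
        nxt = [pop[0]]                                   # elitism keeps the best
        while len(nxt) < pop_size:
            a, b = (max(rng.sample(pop, 3), key=fitness) for _ in range(2))
            cut = rng.randrange(1, len(KEYS))            # one-point crossover
            child = list(a[:cut] + b[cut:])
            i = rng.randrange(len(KEYS))                 # mutate one gene
            child[i] = rng.choice(GENES[KEYS[i]])
            child = tuple(child)
            delta = fitness(child) - fitness(a)
            # Assumed SA coupling: a worse child still replaces its parent with
            # probability exp(delta / temp), which shrinks as temp cools.
            accept = delta >= 0 or rng.random() < math.exp(delta / temp)
            nxt.append(child if accept else a)
        pop, temp = nxt, temp * cooling
    best = max(pop, key=fitness)
    return dict(zip(KEYS, best)), fitness(best), history, stats

if __name__ == "__main__":
    best, score, history, stats = run_igasaa()
    print(best, round(score, 3), stats)
```

The gap between `lookups` and `evaluations` in the returned statistics is the scoring work the hash table avoided.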

The rest of this paper is organized as follows: Section 2 reviews the literature on network intrusion detection systems (NIDS) in Cloud environments. Section 3 explains the background related to this study, such as Deep Neural Network, Simulated Annealing Algorithm, Genetic Algorithm and its optimization strategies, namely Parallel Processing and Fitness Value Hashing. Section 4 introduces the proposed system in detail, describes how it works, explains the role of the Simulated Annealing Algorithm in this system and provides the framework of our model. Section 5 presents the positions of the proposed system in a Cloud network. A detailed description of the CICIDS2017, NSL-KDD and CIDDS-001 datasets, the experimental results obtained on those datasets and their analysis are provided in Section 6. Finally, Section 7 ends with the conclusions and future work.

Section snippets

Literature review

Hatef et al. (2018) have proposed a hybrid network intrusion detection system called HIDCC, which combines signature-based detection technique and anomaly-based detection technique, in order to identify efficiently the internal and external attacks in the cloud environment. Snort was used as a signature-based intrusion detection module to detect known attacks by using the known attacks rules database and derived attacks database. For trapping unknown attacks that were not detected by Snort, the

Related background

This section provides the background necessary to understand the problem at hand. The first subsection sheds light on the Deep Neural Network (DNN). The next subsection introduces and describes the operation of a standard GA, followed in the third subsection by a presentation of some optimization strategies applied to GA in this study, namely Parallel Processing and Fitness Value Hashing. Finally, the last subsection presents the Simulated Annealing Algorithm (SAA).

The proposed system

This section describes in detail our new proposed IDS and gives the model of that IDS.

Positions of the proposed system in a cloud network

The goal of the proposed MLIDS is to detect intruders and suspicious activities in and around the cloud computing environment by monitoring network traffic, while maintaining the confidentiality, availability, integrity and performance of cloud resources and offered services. It allows attacks that impair the security of the Cloud Datacenter to be detected and stopped in real time.

As shown in Fig. 6, we propose to deploy our NIDS on two strategic positions:

  • Front-end of cloud: Placing NIDS on front end of

Experimentation and discussion

The experiments have been conducted using a 64-bit Windows 10 PC with 32 GB RAM and an Intel(R) Core i7-2700K CPU. For simulation, we have used the CloudSim simulator 4.0. In the first subsection of the current section, we give the performance metrics employed for the assessment of our model. Next, the second subsection presents in detail the main dataset used in our study, namely CICIDS2017, for implementation and validation of our model, along with the data pre-processing procedure, followed by

Conclusions and future work

In order to develop an efficient and effective anomaly network intrusion system (ANIDS) for detection and prevention of both inside and outside assaults in the cloud environment with high detection precision and low false warnings, we have adopted an intelligent approach to automatically build such an IDS based on a Deep Neural Network (DNN). Our method consists of using a hybrid framework called “IGASAA” that combines machine learning techniques, namely Improved Genetic Algorithm (IGA) and Simulated

Declaration of interests

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgment

We would like to thank all members of LIMSAD Labs for their help and support.

Zouhair Chiba is a Ph.D. student at LIMSAD Labs within the Faculty of Sciences, Hassan II University of Casablanca (Morocco). He received a Master in Computer and Internet Engineering in 2013, and a Bachelor of Mathematical Sciences. His research interests are in the area of Security, Big Data on Cloud Infrastructures, Computer Networks, Mobile Computing and Distributed Systems.

References (85)

  • M.E. Aminanto et al. Another fuzzy anomaly detection system based on ant clustering algorithm. IEICE Trans Fundam Electron Commun Comput Sci (2017)
  • M. Amini et al. A neural network ensemble classifier for effective intrusion detection using fuzzy clustering and radial basis function networks. Int J Artif Intell Tools (2016)
  • CIDDS (2019) CIDDS-001 dataset....
  • DDoS. (2019) “DDoS attack that disrupted internet was largest of its kind in history, experts say”....
  • Ismael Valenzuela. (2019) GSE #132 – Global Director, Foundstone Consulting Services. “Targeted ransomware attacks in...
  • Brainz. (2019)...
  • Evolved. (2019)...
  • CICIDS2017 data set. (2019),...
  • NSL-KDD. (2019) Dataset of NSL-KDD University of new Brunswick....
  • A.S.A. Aziz et al. Detectors generation using genetic algorithm for a negative selection inspired anomaly network intrusion detection system
  • A. Bansal et al. Extreme gradient boosting based tuning for classification in intrusion detection systems
  • S. Borah et al. An enhanced intrusion detection system based on clustering
  • S.M. Bridges et al. Fuzzy data mining and genetic algorithms applied to intrusion detection
  • Brunette G, Mogull R, et al. Security guidance for critical areas of focus in cloud computing v2.1. Cloud Secure...
  • Carr, J. (2014). An introduction to genetic algorithms. Senior project, 1,...
  • E. Chakir et al. False positives reduction in intrusion detection systems using alert correlation and datamining techniques. Int J Adv Res Comput Sci Softw Eng (2015)
  • V.R. Chaudhary et al. Detection of intrusions in KDDCup dataset using GA by enumeration technique. Int J Innov Res Comput Commun Eng (2015)
  • Z. Chen et al. Intrusion detection based on minimax probability machine with immune clonal feature optimized
  • T.S. Chou. Security threats on cloud computing vulnerabilities. Int J Comput Sci Inf Technol (2013)
  • P.S. Deshpande et al. A network-based intrusion detection system
  • D.A. Fernandes et al. Security issues in cloud environments: a survey. Int J Inf Secur (2014)
  • R. Gaidhane et al. Intrusion detection and attack classification using back-propagation neural network. Int J Eng Res Technol (2014)
  • K.K. Ghanshala et al. BNID: a behavior-based network intrusion detection at network-layer in cloud environment
  • A. Gharib et al. An evaluation framework for intrusion detection dataset
  • P. Ghosh et al. Intrusion detection system based on BCS-GA in cloud environment
  • P. Ghosh et al. CS-PSO based intrusion detection system in cloud environment
  • V.T. Goh et al. Towards intrusion detection for encrypted networks
  • D. Goldberg. Genetic algorithms (1989)
  • K. Han et al. Speech emotion recognition using deep neural network and extreme learning machine
  • M.A. Hatef et al. HIDCC: a hybrid intrusion detection approach in cloud computing. Concurr Comput: Pract Exp (2018)
  • G. Hinton et al. Deep neural networks for acoustic modeling in speech recognition: the shared views of four research groups. IEEE Signal Process Mag (2012)
  • L. Jacobson et al. Genetic algorithms in Java basics (2015)
    Noreddine Abghour is currently an associate professor in the Faculty of Science of Hassan II University, Morocco. He received his Ph.D. degree from the National Polytechnic Institute of Toulouse (France) in 2004. His research mainly deals with Security in Distributed Computing Systems.

    Khalid Moussaid is recently appointed director of Computer Science, Modeling Systems and Decision Support laboratory of the Hassan II University of Casablanca. He has a Ph.D. in Oriented Object Database; a Master in Computer Science and a Bachelor of Science in Applied Mathematics. He is interested in Optimization, Algorithmic and especially in the field of Big Data and Cloud Computing.

    Amina El omri is a professor of Higher Education in Computer Science at the Faculty of Sciences, University Hassan II Casablanca, Morocco. Her main scientific interests concern Algorithms, Optimization, Transport and the Logistic problems. She has participated with a lot of research papers in workshops and conferences, and published several journal articles.

    Mohamed Rida is a professor in Computer Science at the Faculty of Sciences, University Hassan II Casablanca (Morocco) and a member of LIMSAD Labs within the same Faculty. He received his Ph.D. degree from University Hassan II Mohammadia in 2005, and his thesis subject was “Virtual Container Terminal: Design and Development of an object platform for the simulation of the operations of a container terminal”. His research area includes Transport, Geographic Information System and Big Data.