Review
Deep belief network based intrusion detection techniques: A survey
Introduction
Due to ever-increasing connections between digital devices related to smart home, transportation, manufacturing, healthcare, and monitoring, society is experiencing increased productivity powered by Internet of Things (IoT) technology (Park et al., 2016; Kar and Sanyal, 2018; Gyamfi et al., 2019; Nord et al., 2019). However, the massive volume of data flowing through the network between IoT devices contains personal, sensitive, and important information. Thus, cybersecurity is the key to the success of IoT and is defined as the technologies designed to identify, protect, detect, respond, and recover computing devices, networks, software, and data against malicious attacks. Among these five core elements of cybersecurity, an intrusion detection system (IDS) aims to address the first and third elements by identifying hostile activities in normal traffic data and detecting or classifying known attacks or zero-day attacks.
Since the birth of the concept of intrusion detection by Anderson in 1980 (Anderson, 1980), machine learning (ML) technologies such as neural networks (NN), k-nearest neighbor (KNN), support vector machine (SVM), and decision tree (DT) have been the key players in IDS research. However, due to the drastic increase in the volume and complexity of network traffic data, traditional ML based IDS with a shallow structure is unsuited to the era of IoT with billions of devices. Thus, deep learning (DL) techniques have been applied to the conventional NN architecture under the name of deep neural network (DNN). The major DNN models are deep belief network (DBN), stacked autoencoder (SAE), convolutional neural network (CNN), and recurrent neural network (RNN). DBN is a DNN composed of multiple restricted Boltzmann machines (RBMs) that are trained in an unsupervised manner and fine-tuned with the back-propagation algorithm. DBN is the most important and most frequently used technology in state-of-the-art IDS models and is the main topic of this paper. SAE has a structure similar to DBN, with multiple layers of autoencoder (AE). An AE consists of an encoder that is trained to represent the input with reduced dimension and a decoder that approximately reconstructs the input data. Mohammadi and Namadchian (2017) proposed an IDS model based on AE and a Memetic algorithm, Farahnakian and Heikkonen (2018) presented another IDS model based on AE with softmax, and Ieracitano, Adeel, Morabito, and Hussain (2020) proposed a different AE-IDS model based on statistical analysis of the input data. CNN is also a popular DNN with hierarchical structure similar to digital images. The basic components of CNN are the convolutional layer, pooling layer, and classification layer. McLaughlin, Martinez del Rincon, Kang, and Yerima (2017) proposed a CNN based malware detection model and Nix and Zhang (2017) presented a different detection model based on CNN for sequence classification.
RNN has a different architecture from DBN, SAE, and CNN due to its cyclic connections. Because of these connections, past network activation states can be used in the current state to better represent time-dependent signals. Kim, Kim, Thu, and Kim (2016) investigated the use of long short-term memory (LSTM) in RNN based IDS and Yin, Zhu, Fei, and He (2017) proposed a DL approach based on RNN for binary and multiclass classification.
Since the survey work by Nguyen and Armitage (2008), which is one of the first major overview works on traffic classification based on ML techniques, most survey works in IDS have focused on ML techniques. Xin, Kong, Liu, and Chen (2018) present literature surveys on ML and DNN with a detailed description of the data sets used with the techniques, but do not cover the basic ML concepts that would help readers understand the ML based IDS techniques. Mishra, Varadharajan, Tupakula, and Pilli (2019) present a detailed investigation of ML based intrusion detection techniques with a focus on attack features, but do not include DL based techniques. Mahdavifar and Ghorbani (2019) provide a survey on intrusion detection, malware detection, and phishing/spam detection based on DL. However, Mahdavifar and Ghorbani (2019) do not include the data set and performance metric information used in DL based IDS models. Berman, Buczak, Chavis, and Corbett (2019) provide basic concepts on DL methods with a survey of application works in DNN-IDS, but do not contain a detailed comparative analysis of the surveyed IDS works. Aldweesh, Derhab, and Emam (2020) survey DL based IDS models from 2014 to 2018, but important IDS models that optimize data features and system hyperparameters are not analyzed.
In contrast to past surveys on DL based IDS that cover a wide range of ML techniques, this paper focuses on one specific technique that is the most popular among the many DL methods, namely the DBN technology. To the best of our knowledge, this paper is the first among many surveys that presents basic concepts of the data set, the performance metric, and the DBN concept, and provides a detailed review of the most important works on DBN based IDS from 2013 to 2020. Furthermore, we evaluate and compare the various DBN based detection models based on data set, structure, optimization algorithm, and applications utilized in the surveyed DBN based IDS research works.
The remainder of the paper is organized as follows. Section 2 presents basic concepts related to the data set and performance metrics used in intrusion detection research. Section 3 provides an overview on basic concepts related to restricted Boltzmann machine and deep belief network. In Section 4, we review different methods proposed on DBN based IDS models and analyze them based on various criteria in Section 5. Finally, concluding remarks are given in Section 6.
Section snippets
Data set
One of the most important factors in building an intrusion detection system (IDS) is the selection of the data set. The chosen data set is used not only to train an IDS model, but also to evaluate the effectiveness of a proposed IDS model. Due to the difficulty of directly collecting real-time attack and normal network traffic, publicly available standard data sets, such as KDD Cup 99, NSL-KDD, UNSW-NB15, and ADFA, are commonly used in the intrusion detection research community for comparative
Restricted Boltzmann Machine
Restricted Boltzmann machines (RBMs) (Hinton, 2012) are Boltzmann machines (BMs) (Aarts & Korst, 1989) without connections between visible units in the visible layer or between hidden units in the hidden layer, as shown in Fig. 1. BMs are probabilistic graph models that consist of visible units, representing observations, and hidden units, representing hidden features. Based on the visible variables v = (v1, v2, …, vn) and hidden variables h = (h1, h2, …, hm), the joint distribution of an RBM’s
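The RBM structure described in this snippet, as an added example (not code from the surveyed paper or its authors): a minimal binary RBM in pure Python that uses the standard textbook energy-based formulation with CD-1 training, then scores records by free energy so that records unlike the training data score higher. The six feature flags, the sample records, the class and function names, and the hyperparameters are constructed assumptions.

```python
import math
import random

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

class RBM:
    """Binary RBM: weights link visible to hidden units, never within a layer."""
    def __init__(self, n_visible, n_hidden, seed=0):
        self.rng = random.Random(seed)  # fixed seed so runs are repeatable
        self.W = [[self.rng.uniform(-0.01, 0.01) for _ in range(n_hidden)]
                  for _ in range(n_visible)]
        self.a, self.b = [0.0] * n_visible, [0.0] * n_hidden  # visible, hidden biases

    def pre_hidden(self, v):  # b_j + sum_i v_i * W_ij for each hidden unit j
        return [self.b[j] + sum(v[i] * self.W[i][j] for i in range(len(v)))
                for j in range(len(self.b))]
    def p_hidden(self, v):
        return [sigmoid(x) for x in self.pre_hidden(v)]

    def p_visible(self, h):
        return [sigmoid(self.a[i] + sum(h[j] * self.W[i][j] for j in range(len(h))))
                for i in range(len(self.a))]

    def cd1(self, v0, lr=0.1):
        """One contrastive-divergence (CD-1) update on a single record."""
        ph0 = self.p_hidden(v0)
        h0 = [1.0 if self.rng.random() < p else 0.0 for p in ph0]  # sampled states
        v1 = self.p_visible(h0)  # reconstruction, kept as probabilities
        ph1 = self.p_hidden(v1)
        for i in range(len(self.a)):
            for j in range(len(self.b)):
                self.W[i][j] += lr * (v0[i] * ph0[j] - v1[i] * ph1[j])
            self.a[i] += lr * (v0[i] - v1[i])
        self.b = [b + lr * (p0 - p1) for b, p0, p1 in zip(self.b, ph0, ph1)]

    def free_energy(self, v):  # F(v) = -a.v - sum_j log(1 + exp(pre_hidden_j))
        visible_term = sum(ai * vi for ai, vi in zip(self.a, v))
        return -visible_term - sum(math.log1p(math.exp(x)) for x in self.pre_hidden(v))

# Constructed sample: six hypothetical binary flags per connection record.
NORMAL = [[int(c) for c in s] for s in "110010 110010 110000 100010 110110".split()]
SUSPECT = [int(c) for c in "001101"]

def train_and_score(epochs=300):
    rbm = RBM(n_visible=6, n_hidden=2)
    for v in NORMAL * epochs:  # train on normal records only
        rbm.cd1(v)
    return max(rbm.free_energy(v) for v in NORMAL), rbm.free_energy(SUSPECT)
```

`train_and_score()` returns the highest free energy seen on the normal set and the free energy of the unseen record; lower free energy means the model assigns a record higher probability, so a record scoring above the normal maximum is treated as anomalous.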
Comparative analysis of DBN based IDS methods
In this section, we present research works on intrusion detection based on deep belief network (DBN). The goal of this section is to describe and compare the key algorithm, training method, data set used, and performance results reported by the authors. Fiore, Palmieri, Castiglione, and De Santis (2013) presented an intrusion detection system (IDS) model, which is one of the first works on the application of DBN to IDS. The proposed IDS consists of discriminative RBM (DRBM) that is trained in
Discussions
In this section, we study the general framework of DBN-IDS based on 16 important research works presented in the previous section with the time range from 2013 to 2020. To make the general framework easier to understand, it is divided into the different aspects shown in Fig. 3: training data preprocessor, DBN classifier, DBN optimizer, and fine-tuning algorithm.
Conclusions
In order to provide a complete review of DBN based IDS models from the past to present and also help the readers understand the basic architecture of the proposed models, we started the paper with an overview of the data set and the performance metric used in intrusion detection research community. The data sets that were introduced in this paper were KDD Cup 99, NSL-KDD, UNSW-NB15, and ADFA that are publicly available standard data sets. Among many performance metrics used in intrusion
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgments
This research was supported by Basic Science Research Program through the National Research Foundation of Korea (NRFK) funded by the Ministry of Education (2018R1D1A1B07041981).
References (54)
- et al. (2018). Distributed attack detection scheme using deep learning approach for Internet of Things. Future Generation Computer Systems.
- et al. (2016). High-dimensional and large-scale anomaly detection using a linear one-class SVM with deep learning. Pattern Recognition.
- et al. (2013). Network anomaly detection with the restricted Boltzmann machine. Neurocomputing.
- et al. (2019). Heartbeat design for energy-aware IoT: Are your sensors alive? Expert Systems with Applications.
- et al. (2017). Defending unknown attacks on cyber-physical systems by semi-supervised approach and available unlabeled data. Information Sciences.
- et al. (2018). A malicious threat detection model for cloud assisted internet of things (CoT) based industrial control system (ICS) networks using deep belief network. Journal of Parallel and Distributed Computing.
- et al. (2020). A novel statistical analysis and autoencoder driven intelligent intrusion detection approach. Neurocomputing.
- et al. (2018). An overview of device-to-device communication in cellular networks. ICT Express.
- et al. (2019). Application of deep learning to cybersecurity: A survey. Neurocomputing.
- et al. (2019). The Internet of Things: Review and theoretical framework. Expert Systems with Applications.
- Recent advancements in the Internet-of-Things related standards: A oneM2M perspective. ICT Express.
- An approach for overlapping and hierarchical community detection in social networks based on coalition formation game theory. Expert Systems with Applications.
- Simulated annealing and Boltzmann machines: A stochastic approach to combinatorial optimization and neural computing.
- Deep learning approaches for anomaly-based intrusion detection systems: A survey, taxonomy, and open issues. Knowledge-Based Systems.
- Intrusion detection using deep belief networks.
- A survey of deep learning methods for cyber security. Information.
- Generation of a new IDS test dataset: Time to retire the KDD collection.
- Application of Deep Belief Networks for opcode based malware detection.
- Evolving deep learning architectures for network intrusion detection using a double PSO metaheuristic. Computer Networks.
- A deep auto-encoder based approach for intrusion detection system.
- An intrusion detection model based on deep belief networks.
- The derivation of global estimates from a confusion matrix. Remote Sensing Letters.
- Training products of experts by minimizing contrastive divergence. Neural Computation.
- A fast learning algorithm for deep belief nets. Neural Computation.