Multi-Task Learning for Intrusion Detection on web logs
Introduction
Intrusion detection concentrates on identifying attacks or anomalous activities against networks or systems in different ways. It mainly includes misuse detection and anomaly detection. Misuse detection matches patterns or signatures to uncover attacks; it achieves a low false alarm rate but fails to diagnose new attacks. Anomaly detection is based on the assumption that deviations from normal behaviour are anomalous, and it can discover unknown attacks via machine learning or data mining techniques [3], [4], [18], [29]. With the prevalence of the Internet and web applications, web-based attacks have become one of the most serious challenges to web security. In this paper, we study web-based attacks through the analysis of web logs from the viewpoint of anomaly detection.
Given a labeled dataset, the two dominant approaches to anomaly detection are classification and outlier detection. The methods in [2], [13], [14], [20] treat anomaly detection as a binary problem and classify every sample as either normal or anomalous. From this perspective, Kruegel and Vigna [18] provide many methods for feature extraction. However, these methods cannot identify the specific type of an attack, and different types of attacks call for different countermeasures. Since different kinds have different features, identifying each kind can be considered an independent task. To recognize the specific type of an attack, previous methods in [35], [41], [43] apply multi-class algorithms and build a corresponding model for each type, so that attacks can be further classified into fine-grained categories. Although existing methods have made great progress in anomaly detection, these attempts treat each kind as a single task and ignore the correlation among tasks, even though different kinds of attacks share some common features in the URL. Another weakness of the above methods is that novel attacks cannot be identified and may even be mistaken for normal traffic. Conversely, the outlier detection methods in [1], [8], [39] construct a profile of normal activities and recognize deviations as anomalous; they can discover unknown attacks but cannot determine the specific type of an attack.
As an improvement on current studies, we propose a novel Multi-Task Learning for Intrusion Detection (MTLID) approach that learns appropriate feature representations and builds prediction models for different types simultaneously. Moreover, MTLID applies a GMM to identify novel attacks. Many multi-task learning methods have succeeded in a range of applications [22], [28], [30], [44]. Although detecting each kind of sample can be seen as an independent task, the tasks are related because they share common features in the URL. Our intuition is that multi-task learning can exploit the relationship across all tasks, yielding more accurate representations and better performance than previous approaches. Thus, we adopt multi-task learning for classification and for recognizing the specific type of an attack. However, classification produces many false negatives when faced with novel attacks. A Gaussian Mixture Model (GMM) is used to build the profile of normal activities and to recognize those false negatives caused by classification as a new type. This paper makes the following contributions:
- (1) A multi-task learning approach, named MTLID, is proposed to detect web attacks. MTLID is inspired by the observation that different kinds of web attacks share some common features in the URL. Therefore, we formulate web attack classification as a multi-task problem, use a multi-task learning technique to extract the common features shared among the tasks simultaneously, and then classify different kinds of web attacks into their corresponding types.
- (2) To enhance the robustness of MTLID, we introduce the Huber loss into multi-task learning and leverage a GMM to build the profile of normal activities. By combining multi-task learning with the GMM, MTLID effectively reduces the false negatives caused by multi-task classification, and its ability to identify novel attacks is enhanced at the same time.
- (3) We collected a real-world dataset from April to May 2015, which contains different kinds of web attacks such as code injection, file inclusion, SQL injection, sensitive file information leakage, and cross-site scripting. A series of experiments is conducted to evaluate the performance of our approach. Furthermore, feature analysis is performed to reveal the influence of different n-gram features. The experimental results demonstrate that MTLID outperforms existing methods in terms of detection rate and false alarm rate.
The rest of this paper is organized as follows. Related work is presented in Section 2, and Section 3 gives details of the proposed approach MTLID. Section 4 discusses the experiments on a real-life dataset and analyses the results from different aspects. Finally, Section 5 concludes the paper.
Related work
Intrusion detection has been well researched and applied in a broad scope [45], [46], [47], [48]. Network security is one of the most advanced and active research topics internationally [6], [7], [21]. To counteract web attacks, Intrusion Detection Systems equipped with web-analysis functions have emerged and play an increasingly significant role in network security. There are two dominant approaches to intrusion detection: misuse detection and anomaly detection. Most of the research is about web
Multi-Task learning approach and framework
This section sheds light on the multi-task learning approach and framework for detecting web-based attacks through web logs. The framework consists of three parts: feature generation, multi-task classification and a Gaussian mixture model, as shown in Fig. 1. We first extract features from web logs by status code, URL length, URL entropy and URL n-grams. In a multi-class problem, identifying each kind of sample can be seen as an independent task. Since attacks have some common features in the URL,
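As an added illustration of the feature generation step described above (this is not the paper's code), the following Python snippet parses web log lines in the common combined format and derives the four feature families the section names: status code, URL length, URL entropy and URL character n-grams. The two log lines, the regular expression and the function names are constructed assumptions.

```python
import math
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in combined log format (not from the paper's dataset).
# The second line carries a percent-encoded injection-style query so the
# entropy and n-gram features visibly differ from the benign first line.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Apr/2015:10:01:02 +0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.11 - - [12/Apr/2015:10:01:05 +0800] "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1" 500 512 "-" "curl/7.40"
"""

# Assumed layout: client, ident, user, [timestamp], "METHOD URL PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) '
)


def url_entropy(url):
    """Shannon entropy in bits per character of the (decoded) URL string."""
    if not url:
        return 0.0
    counts = Counter(url)
    n = len(url)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def url_ngrams(url, n):
    """Counts of overlapping character n-grams over the decoded URL."""
    return Counter(url[i:i + n] for i in range(len(url) - n + 1))


def extract_features(line, n=2):
    """Parse one log line into the feature set used by the framework, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = unquote(m.group("url"))  # decode %xx so encoded payloads are not hidden
    return {
        "status": int(m.group("status")),
        "url_len": len(url),
        "url_entropy": round(url_entropy(url), 4),
        "ngrams": url_ngrams(url, n),
    }


def extract_all(text, n=2):
    """Feature dicts for every parseable line; unparseable lines are skipped."""
    return [f for f in (extract_features(ln, n) for ln in text.splitlines()) if f]
```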
Experiments
In this section, we use a dataset to evaluate the performance of MTLID. In intrusion detection, the detection rate and the false alarm rate are generally recognized as the metrics for validating the effectiveness of detection methods. The detection rate γd denotes the number of anomalies detected divided by the total number of anomalies present, which is similar to the true positive rate (TPR). The false alarm rate γf is defined as the number of normal samples mistaken as attacks divided by the total number of
Conclusion
In this paper, we aim to classify all samples into their specific type as well as to identify novel attacks. Identifying each kind of sample is an independent task. However, since all kinds share some common features in terms of URL tokens, we propose a multi-task learning for intrusion detection approach to detect anomalies in web logs. According to the relationship between different kinds, MTLID learns the feature weights for each task simultaneously using mutual information across all tasks, and
Acknowledgments
The authors gratefully acknowledge the anonymous reviewers for their helpful suggestions and insightful comments to improve the quality of the paper. The work reported in this paper has been supported by China 863 program (No. 2015AA01A202), China National Science Foundation (No. 61502017), and Research Fund of Guangxi Key Lab of Multi-source Information Mining & Security (grant number MIMS15-02).
Bo Li received the B.E. and M.S. degrees from the Dalian University of Technology, Dalian, China, in 2002 and 2005, respectively, and the Ph.D. degree from Beihang University, Beijing, China, in 2011. He has been an Assistant Professor with the School of Computer Science and Engineering, Beihang University, since 2012. His current research interests include machine learning, virtualization, and computer security.
References (48)
- Passive robust fault detection using RBF neural modeling based on set membership identification. Eng. Appl. Artif. Intell. (2014).
- Stability and chaos analysis of a novel swarm dynamics with applications to multi-agent systems. Eng. Appl. Artif. Intell. (2014).
- Support vector machines for TCP traffic classification. Comput. Netw. (2009).
- Intrusion detection in computer networks by a modular ensemble of one-class classifiers. Inf. Fus. (2008).
- Minimal complexity attack classification intrusion detection system. Appl. Soft Comput. (2013).
- A novel hybrid intrusion detection method integrating anomaly detection with misuse detection. Expert Syst. Appl. (2014).
- A multi-model approach to the detection of web-based attacks. Comput. Netw. (2005).
- Proposing a classifier ensemble framework based on classifier selection and decision tree. Eng. Appl. Artif. Intell. (2015).
- Autonomic intrusion detection: adaptively detecting anomalies over unlabeled audit data streams in computer networks. Knowl. Based Syst. (2014).
- A multinomial logistic regression modeling approach for anomaly intrusion detection. Comput. Security (2005).
- Random-forests-based network intrusion detection systems. IEEE Trans. Syst. Man Cybern. Part C.
- ADAM: detecting intrusions by data mining. Proceedings of the IEEE Workshop on Information Assurance and Security, IEEE.
- Network anomaly detection: methods, systems and tools. IEEE Commun. Surv. Tut.
- Spoofing-jamming attack strategy using optimal power distributions in wireless smart grid networks. IEEE Trans. Smart Grid.
- Privacy-preserving data encryption strategy for big data in mobile cloud computing. IEEE Trans. Big Data.
- Support vector machine and random forest modeling for intrusion detection system (IDS). J. Intell. Learn. Syst. Appl.
- l2,1 regularized correntropy for robust feature selection. IEEE Conference on Computer Vision and Pattern Recognition, IEEE.
- Network-based intrusion detection using adaboost algorithm. Proceedings of the IEEE/WIC/ACM International Conference on Web Intelligence, IEEE.
- Online adaboost-based parameterized methods for dynamic distributed network intrusion detection. IEEE Trans. Cybern.
- Adaboost-based algorithm for network intrusion detection. IEEE Trans. Syst. Man Cybern. Part B.
- System approach to intrusion detection using hidden markov model. Proceedings of the International Conference on Wireless Communications and Mobile Computing.
- A cascaded classifier approach for improving detection rates on rare attack categories in network intrusion detection. Appl. Intell.
- Anomaly detection of web-based attacks. Proceedings of the 10th ACM Conference on Computer and Communications Security.
- A comparative study of anomaly detection schemes in network intrusion detection. Proceedings of the Third SIAM Conference on Data Mining.
Ying Lin received the B.E. from the Dalian University of Technology, Dalian, China, in 2016. Now she is pursuing a master’s degree in Beihang University, Beijing, China. Her current research interests include machine learning and computer security.
Simin Zhang received the B.E. from the Yangtze University, Jingzhou, Hubei, China, in 2014. Now she is pursuing a master’s degree in Beihang University, Beijing, China. Her current research interests include machine learning and computer security.