Leila Mohammadpour

Assoc. Prof. Dr. Ling Teck Chaw

Dr. Chee Sun LIEW

Dr. Chun Yong Chong

• Introduction

• Background

• CNN-NIDS Method

• Data Preprocessing

• Modify the Input Data Shape

• CNN-NIDS Architecture

• NSL-KDD Dataset

• Performance Evaluation

• Results

• References

➢The variety of network attacks, and their continuously changing nature, can make

difficult to achieve secure network.

➢Deep Learning (DL) can detect optimal features in raw data through consecutive

nonlinear transformations

➢DL had been effectively applied to diverse research fields such as medical image

processing, speech recognition, and signal recognition.

➢NIDS analyses the network traffic, such as traffic volume, IP addresses, service ports, and

protocol usage.

➢NIDS are required to process a huge amount of data, which might come from different

resources with dynamic network environment

➢DL computes higher-level features from lower-level ones from observational data.

➢2 main differences of CNN with MLPs: weight sharing and pooling

➢weight sharing: learn same pattern occurring at different position

➢Pooling layers: decreases the computational burden and increase the translation invariance

➢Each layer of CNN can be composed many convolution kernels

➢The CNN-NIDS is a Deep learning solution

➢Data Preprocessing

➢Modify the Input Data Shape

➢CNN-NIDS Architecture

➢Use 1-to-n encoding, the nominal attributes are converted into discrete attributes.

➢ The number of attribute has been expanded from 41 to 121

➢Attributes are normalized in [0, 1] (max-min normalization)

• 121 features are translated to a 11×11 array.

normal record

abnormal records

• 100 randomly samples of normal (left) and abnormal (right) data from NSL-KDD

➢NSL-KDD is standard benchmark dataset (derived from KDD Cup 99)

➢Records consists of 41 features and 1 label. The label is set either normal or a specific

type of attack (abnormal).

➢Training data consist of normal class and 22 attack types (abnormal).

➢ The testing data consist of normal data and 37 attack type, consist of 21 attack type

similar attacks in training data and 16 new attacks.

➢In the evaluation of learning algorithms, the novel attacks in testing data is considered as

the unknown attacks.

➢In NSL-KDD, training and test data are originally separated and the training and testing

are performed by using the original training and testing data.

➢We perform 2-class anomaly detection (detect the input is normal or abnormal)

➢We implemented a Deep Neural Network (DNN) model to compare the CNN-NIDS to

DNN-NIDS.

➢The evaluation result of test data of the NSL-KDD dataset shows 99.79% (accuracy of

correct detection )

➢The result using DNN is 98.90%

➢The locality and pooling improves NIDS.

➢Locality property protect model against noise effects on data.

➢CNN generate different higher-level features from similar lower level features to increase

the detection accuracy.

➢Pooling layers pools together the similar feature values computed at different locations

and exemplified by one value.

➢ The pooling layer can control the detection of anomaly with different distribution.

➢We have presented the feasibility of adopting CNNs for NIDS.

➢ It is possible to use CNN for anomaly detection. We translate a1D array from network flow to a 2D

array to feed into CNN.

➢The proposed CNN-NIDS method, leveraging the power of deep learning, is feasible to be used as

for identifying and detecting potential network intrusions.

➢we plan to evaluate the proposed model on real-time dataset to dynamically detect various form

of potential network intrusions.

[1] A. Javaid, Q. Niyaz, W. Sun, and M. Alam, “A Deep Learning Approach for Network Intrusion Detection System,” in Proceedings of the 9th EAI International Conference on Bio-inspired Information and Communications Technologies (formerly BIONETICS), 2016, pp. 21–26.

[2] S. Vieira, W. H. L. Pinaya, and A. Mechelli, “Using deep learning to investigate the neuroimaging correlates of psychiatric and neurological disorders: Methods and applications,” Neurosci. Biobehav. Rev., 2017.

[3] G. LeCun, Yann and Bengio, Yoshua and Hinton, Y. LeCun, Y. Bengio, and G. E. Hinton, “Deep learning,” Nature, vol. 521, no. 7553, pp. 436–444, 2015.

[4] Y. Yoo et al., “Deep Learning of Joint Myelin-T1w MRI Features on Normal-Appearing Brain Tissues Distinguishes Multiple Sclerosis from Healthy Controls,” Mult. Scler. J., vol. 23, no. 2, p. 315, 2017.

[5] M. E. Aminanto and K. Kim, “Deep Learning in Intrusion Detection System: An Overview,” Proc. Int. Res. Conf. Eng. Technol., pp. 1–12, 2016.

[6] D. Silver et al., “2016 - Mastering the game of Go with deep neural networks and tree search - DeepMind nature16961,” Nature, vol. 529, no. 7587, pp. 484–489, 2016.

[7] E. Hodo, X. Bellekens, A. Hamilton, C. Tachtatzis, and R. Atkinson, “Shallow and Deep Networks Intrusion Detection System: A Taxonomy and Survey,” arXiv Prepr. arXiv1701.02145, pp. 1–43, 2017.

[8] M. Tavallaee and E. B. and W. a. G. A. A. Lu, “‘A detailed analysis of the KDD CUP 99 data set,’ in Computational Intelligence for Security and Defense Applications,” in Computational Intelligence for Security and Defense Applications, 2009. CISDA 2009. IEEE Symposium on, 2009, pp. 1–6.

[9] J. J. Davis and A. J. Clark, “Data preprocessing for anomaly based network intrusion detection: A review,” Comput. Secur., vol. 30, no. 6–7, pp. 353–375, 2011.

[10] L. Mohammadpour, M. Hussain, A. Aryanfar, V. M. Raee, and F. Sattar, “Evaluating performance of intrusion detection system using support vector machines: Review,” Int. J. Secur. its Appl., vol. 9, no. 9, 2015.

[11] D. Kwon, H. Kim, J. Kim, S. C. Suh, I. Kim, and K. J. Kim, “A survey of deep learning-based network anomaly detection,” Cluster Comput., pp. 1–13, 2017.

[12] G. Litjens et al., “A Survey on Deep Learning in Medical Image Analysis,” CoRR, vol. 1702.05747, 2017.

[13] R. C. O’Reilly, D. Wyatte, S. Herd, B. Mingus, and D. J. Jilk, “Recurrent processing during object recognition,” Front. Psychol., vol. 4, no. APR, pp. 1–38, 2013.

[14] G. E. Hinton, N. Srivastava, A. Krizhevsky, I. Sutskever, and R. R. Salakhutdinov, “Improving neural networks by preventing co-adaptation of feature detectors,” arXiv Prepr. arXiv1207.0580, 2012.

[15] M. D. Zeiler and R. Fergus, “Visualizing and Understanding Convolutional Networks arXiv:1311.2901v3 [cs.CV] 28 Nov 2013,” in Computer Vision–ECCV 2014, 2014, vol. 8689, pp. 818–833.

[16] Y. Shi et al., “Early endothelial progenitor cells as a source of myeloid cells to improve the pre-vascularisation of bone constructs,” Eur. Cells Mater., vol. 27, pp. 64–80, 2014.

[17] R. Singh, H. Kumar, and R. K. Singla, “An intrusion detection system using network traffic profiling and online sequential extreme learning machine,” Expert Syst. Appl., vol. 42, no. 22, pp. 8609–8624, 2015.

[18] H. S. and B. S. D., “KDD Cup ’99 Dataset,” 1999. [Online]. Available: http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html.