Anomaly-Based Network Intrusion Detection Using Wavelets and Adversarial Autoencoders

  • Samir Puuska (email author)
  • Tero Kokkonen
  • Janne Alatalo
  • Eppu Heilimo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11359)

Abstract

The number of intrusions and attacks against data networks and networked systems increases constantly, while encryption has made it more difficult to inspect network traffic and classify it as malicious. In this paper, an anomaly-based intrusion detection system using Haar wavelet transforms in combination with an adversarial autoencoder was developed for detecting malicious TLS-encrypted Internet traffic. Data containing legitimate as well as advanced malicious traffic was collected from a large-scale cyber exercise and used in the analysis. Based on the findings and domain expertise, a set of features for distinguishing modern malware by packet timing analysis was chosen and evaluated. The performance of the adversarial autoencoder was compared with that of a traditional autoencoder. The results indicate that the adversarial model performs better than the traditional autoencoder. In addition, a machine learning pipeline capable of analyzing traffic in near real time was developed for data analysis.
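The abstract names Haar wavelet transforms over packet timing as the feature source. The following added example (not code from the paper or its authors) shows one way such features can be derived: an orthonormal multi-level Haar decomposition of a constructed inter-arrival-time series, reduced to per-level energies that a downstream autoencoder could consume. The sample timings and the padding rule are assumptions made here.

```python
"""Haar wavelet energy features from packet inter-arrival times (added example)."""
import math
from typing import List, Optional, Tuple


def haar_step(x: List[float]) -> Tuple[List[float], List[float]]:
    """One level of the orthonormal Haar transform (Haar 1910).
    Returns (approximation, detail); input length must be even."""
    approx = [(x[i] + x[i + 1]) / math.sqrt(2) for i in range(0, len(x), 2)]
    detail = [(x[i] - x[i + 1]) / math.sqrt(2) for i in range(0, len(x), 2)]
    return approx, detail


def pad_to_power_of_two(x: List[float]) -> List[float]:
    """Haar needs a power-of-two length; repeat the last sample to pad (assumed rule)."""
    n = 1
    while n < len(x):
        n *= 2
    return list(x) + [x[-1]] * (n - len(x))


def haar_decompose(x: List[float], levels: Optional[int] = None) -> Tuple[List[float], List[List[float]]]:
    """Multi-level decomposition. Returns (final approximation, [detail_L1, detail_L2, ...])."""
    x = pad_to_power_of_two([float(v) for v in x])
    max_levels = int(math.log2(len(x)))
    levels = max_levels if levels is None else min(levels, max_levels)
    details = []
    approx = x
    for _ in range(levels):
        approx, d = haar_step(approx)
        details.append(d)
    return approx, details


def energy_features(x: List[float], levels: Optional[int] = None) -> List[float]:
    """Feature vector: energy of each detail level, then energy of the approximation.
    Because the transform is orthonormal, the energies sum to sum(v**2) (Parseval)."""
    approx, details = haar_decompose(x, levels)
    feats = [sum(c * c for c in d) for d in details]
    feats.append(sum(c * c for c in approx))
    return feats


if __name__ == "__main__":
    # Constructed inter-arrival times (ms) for one flow; not data from the paper.
    iat = [4, 6, 10, 12, 8, 6, 5, 5]
    print(energy_features(iat))  # detail energies L1..L3, then approximation energy
```

Short bursts of packets show up as energy in the fine detail levels, while slow beaconing shifts energy toward the coarse levels, which is what makes these per-level energies a usable timing feature.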

Keywords

Adversarial autoencoder, Intrusion detection, Anomaly detection, Haar wavelets

Notes

Acknowledgment

This research project is funded by MATINE - The Scientific Advisory Board for Defence.


Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Samir Puuska (1), email author
  • Tero Kokkonen (1)
  • Janne Alatalo (1)
  • Eppu Heilimo (1)

  1. Institute of Information Technology, JAMK University of Applied Sciences, Jyväskylä, Finland