1. Introduction
Computer network security entails a broad set of technologies, applications, and protocols to protect a given organization's assets and user operations. For example, at the application layer, a set of secure protocols (e.g., HTTPS or SMTPS) can be used to implement confidential channels between client and server and hide the exchanged messages. The configuration of virtual private networks (VPNs) and firewalls is another example of technology that implements confidentiality and protection in client/server communication.
Regarding intrusion detection systems (IDSs), their primary function is to monitor network traffic and distinguish between regular and malicious activity. Normal network activity is defined by recurrent patterns, easily identified through common network flow features, such as the number of packets exchanged and the error rate. Network intrusions, on the other hand, usually exploit software vulnerabilities and correspond to a drift of context, observed as abnormal fluctuations of pattern or feature values when compared with the normal network activity patterns.
Signature-based IDSs are widely used in real-world networks. They take advantage of a database of signatures of known attacks and vulnerability exploits, but fail to detect malicious activity that has never been seen before. In this type of IDS, an alert is triggered when the analysed pattern matches an entry in the signature database. Behaviour-based IDSs are designed to detect zero-day attacks and exploits, and take advantage of the characteristics of machine learning (ML) algorithms to detect unknown and previously unseen patterns. Although they may theoretically detect unknown attacks, their applicability in real-world networks is low, mainly due to the complexity of their development and the high number of false positives they usually produce.
The benchmark and assessment of ML methods are pivotal to leveraging behaviour-based IDS adoption and implementation. Besides implementing ML models in real-world scenarios, the assessment and tuning of this type of IDS takes advantage of realistic datasets that represent normal and abnormal network activities. Several efforts have been made in recent decades to develop realistic datasets [1,2,3]. However, the narrow scope, the lack of heterogeneity, the few available formats, and the level of criticism for some of them [4] have led researchers to adopt and evaluate other promising and recent ones.
Despite being recent, the CSE-CIC-IDS2018 dataset has been adopted to test and benchmark several approaches to developing behaviour-based IDSs. It is very well organized and publicly available at [5]. The scientific community has widely used the dataset to benchmark IDSs, as it includes a wide range of attacks, executed with different tools, organized in a timeline, and mixes normal and anomalous network packet flows. In addition, the traffic was dynamically generated to simulate a corporate network. Besides the features collected from the network flows, the dataset also includes the original PCAP files with all the packets collected, which increases the flexibility to apply different preprocessing and processing methods.
The CSE-CIC datasets have been evaluated by several authors, namely by benchmarking distinct methods. In [6], the authors benchmark the CSE-CIC-IDS2017 dataset against several ML and deep learning models. Ferreira et al. [7] evaluate the CSE-CIC-IDS2017 dataset with two bio-inspired ML methods, namely the CLONALG artificial immune system, learning vector quantization (LVQ), and back-propagation multi-layer perceptron (MLP). The detailed survey in [8] analysed several intrusion detection methods evaluated with the CSE-CIC-IDS2018 dataset. In [9], Ferrag et al. present a survey and a comparative study of deep learning approaches for behaviour-based intrusion detection. The authors describe 35 well-known datasets and classify them into 7 categories. In [10], the authors compare a comprehensive set of deep learning frameworks in detecting network intrusions and also in classifying common network attack types through the CSE-CIC-IDS2018 dataset.
Among the multiplicity of existing ML methods, this paper evaluates a subset of deep-learning-based algorithms widely implemented by common ML tools, namely convolutional neural networks (CNN) and long short-term memory (LSTM) methods. Additionally, autoencoder and principal component analysis (PCA) methods were used to reduce the features involved in the dataset processing. The former compresses the information into a smaller number of perceptrons: the input and output layers of the neural network have the same size, while the hidden layers are narrower. The latter correlates the variables to create components, each of which clusters several characteristics that the variables share. The CSE-CIC-IDS2018 dataset was used to assess the deep learning methods, mainly due to the diversity of network traffic it encloses and because it is massively adopted to benchmark behaviour-based IDSs.
CNN and LSTM methods have already been successfully applied to evaluate other public IDS datasets besides CSE-CIC-IDS2018. Some recent works described below reinforce the appropriateness of using CNN and LSTM methods to detect and classify intrusions in a wide range of public datasets, such as CSE-CIC-IDS2018, which was used in our experiments.
In [11], the authors evaluate these methods on the NSL-KDD and ISCX datasets. In [12], the authors evaluate a bi-directional LSTM deep learning method with the KDDCUP-99 and UNSW-NB15 datasets, which results in an average accuracy of 99.5% for softmax and ReLU. The NSL-KDD dataset has also been evaluated by several authors [12,13]. The former applies an RNN method with feature reduction that combines correlation and information gain, while the latter trains an IDS model based on CNN and benchmarks its performance against traditional machine learning methods, such as random forest (RF) and support vector machine (SVM), and against LSTM.
The main contributions of this paper are the following: (i) the evaluation of CSE-CIC-IDS2018 dataset processing with CNN and LSTM; (ii) the evaluation of the dataset with two feature reduction methods, namely autoencoder and PCA; and (iii) a set of publicly available Python scripts to assess the dataset and replicate the experiments described in this paper.
The outcomes of the paper, namely the overall architecture and the processing pipeline, are the foundation to evaluate this learning strategy with other public datasets. The aim is to benchmark the CNN and LSTM methods and to evaluate the influence of feature reduction on the overall performance.
The rest of the paper is organized as follows: Section 2 describes the background behind IDSs, deep learning methods, and feature reduction techniques. Next, the overall architecture, the tools and the test setup are described in Section 3. The results analysis is detailed in Section 4 and, finally, the conclusions and future work suggestions are delineated in Section 5.
Author Contributions
Conceptualization, M.A. and L.O.; data curation, A.S., J.V., R.S. and T.M.; formal analysis, M.A. and L.O.; funding acquisition, L.O.; investigation, M.A., L.O., A.S., J.V., R.S. and T.M.; methodology, M.A. and L.O.; software, A.S., J.V., R.S. and T.M.; supervision, M.A. and L.O.; validation, M.A. and L.O.; visualization, A.S., J.V., R.S. and T.M.; writing—original draft preparation, M.A., L.O., A.S., J.V., R.S. and T.M.; writing—review and editing, M.A. and L.O. All authors have read and agreed to the published version of the manuscript.
Funding
This work has been funded by national funds through FCT—Fundação para a Ciência e Tecnologia, I.P. under the Project UIDB/05567/2020.
Institutional Review Board Statement
Not applicable.
Informed Consent Statement
Not applicable.
Data Availability Statement
The data presented in this study are available on request, from the corresponding authors.
Conflicts of Interest
The authors declare no conflict of interest.
Abbreviations
The following abbreviations are used in this manuscript:
| Abbreviation | Meaning |
|---|---|
| A | accuracy |
| AUC | area under the curve |
| CNN | convolutional neural network |
| CIC | Canadian Institute for Cybersecurity |
| CSE | Communications Security Establishment |
| DDoS | distributed denial of service |
| DoS | denial of service |
| DVWA | Damn Vulnerable Web Application |
| FPR | false positive rate |
| FP | false positive |
| LSTM | long short-term memory |
| LOIC | Low Orbit Ion Cannon |
| LVQ | learning vector quantization |
| MLP | multi-layer perceptron |
| NN | neural network |
| TNR | true negative rate |
| P | precision |
| PCA | principal component analysis |
| R | recall |
| RAM | random access memory |
| RF | random forest |
| ROC | receiver operating characteristic |
| SVM | support vector machine |
| TB | terabyte |
References
1. Al Tobi, A.M.; Duncan, I. KDD 1999 generation faults: A review and analysis. J. Cyber Secur. Technol. 2018, 2, 164–200.
2. Tavallaee, M.; Bagheri, E.; Lu, W.; Ghorbani, A.A. A detailed analysis of the KDD CUP 99 data set. In Proceedings of the 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications, Ottawa, ON, Canada, 8–10 July 2009; pp. 1–6.
3. Massicotte, F.; Gagnon, F.; Labiche, Y.; Briand, L.; Couture, M. Automatic evaluation of intrusion detection systems. In Proceedings of the 2006 22nd Annual Computer Security Applications Conference (ACSAC'06), Miami Beach, FL, USA, 11–15 December 2006; pp. 361–370.
4. McHugh, J. Testing intrusion detection systems: A critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Trans. Inf. Syst. Secur. 2000, 3, 262–294.
5. A Realistic Cyberdefense Dataset (CSE-CIC-IDS2018). Available online: https://registry.opendata.aws/cse-cic-ids2018/ (accessed on 19 March 2022).
6. Thapa, N.; Liu, Z.; Kc, D.B.; Gokaraju, B.; Roy, K. Comparison of machine learning and deep learning models for network intrusion detection systems. Future Internet 2020, 12, 167.
7. Ferreira, P.; Antunes, M. Benchmarking Behaviour-Based Intrusion Detection Systems with Bio-inspired Algorithms. In Proceedings of the Security in Computing and Communications: 8th International Symposium, SSCC 2020, Chennai, India, 14–17 October 2020; Revised Selected Papers; Springer Nature: Singapore, 2021; Volume 1364, p. 152.
8. Leevy, J.L.; Khoshgoftaar, T.M. A survey and analysis of intrusion detection models based on CSE-CIC-IDS2018 big data. J. Big Data 2020, 7, 1–19.
9. Ferrag, M.A.; Maglaras, L.; Moschoyiannis, S.; Janicke, H. Deep learning for cyber security intrusion detection: Approaches, datasets, and comparative study. J. Inf. Secur. Appl. 2020, 50, 102419.
10. Basnet, R.B.; Shash, R.; Johnson, C.; Walgren, L.; Doleck, T. Towards Detecting and Classifying Network Intrusion Traffic Using Deep Learning Frameworks. J. Internet Serv. Inf. Secur. 2019, 9, 1–17.
11. Le, T.T.H.; Kim, Y.; Kim, H. Network intrusion detection based on novel feature selection model and various recurrent neural networks. Appl. Sci. 2019, 9, 1392.
12. Pooja, T.; Shrinivasacharya, P. Evaluating neural networks using Bi-Directional LSTM for network IDS (intrusion detection systems) in cyber security. Glob. Transitions Proc. 2021, 2, 448–454.
13. Ding, Y.; Zhai, Y. Intrusion detection system for NSL-KDD dataset using convolutional neural networks. In Proceedings of the 2018 2nd International Conference on Computer Science and Artificial Intelligence, Shenzhen, China, 8–10 December 2018; pp. 81–85.
14. Fuchsberger, A. Intrusion detection systems and intrusion prevention systems. Inf. Secur. Tech. Rep. 2005, 10, 134–139.
15. Hindy, H.; Brosset, D.; Bayne, E.; Seeam, A.; Tachtatzis, C.; Atkinson, R.; Bellekens, X. A taxonomy and survey of intrusion detection system design techniques, network threats and datasets. arXiv 2018, arXiv:1806.03517v1.
16. Snort—Network Intrusion Detection & Prevention System. Available online: https://www.snort.org/ (accessed on 19 March 2022).
17. Mishra, P.; Varadharajan, V.; Tupakula, U.; Pilli, E.S. A detailed investigation and analysis of using machine learning techniques for intrusion detection. IEEE Commun. Surv. Tutor. 2018, 21, 686–728.
18. Alsoufi, M.A.; Razak, S.; Siraj, M.M.; Nafea, I.; Ghaleb, F.A.; Saeed, F.; Nasser, M. Anomaly-based intrusion detection systems in IoT using deep learning: A systematic literature review. Appl. Sci. 2021, 11, 8383.
19. Mirza, A.H.; Cosan, S. Computer network intrusion detection using sequential LSTM neural networks autoencoders. In Proceedings of the 2018 26th Signal Processing and Communications Applications Conference (SIU), Izmir, Turkey, 2–5 May 2018; pp. 1–4.
20. Sherstinsky, A. Fundamentals of recurrent neural network (RNN) and long short-term memory (LSTM) network. Phys. D Nonlinear Phenom. 2020, 404, 132306.
21. Susilo, B.; Sari, R.F. Intrusion detection in IoT networks using deep learning algorithm. Information 2020, 11, 279.
22. Patterson, J.; Gibson, A. Deep Learning: A Practitioner's Approach; O'Reilly Media, Inc.: Sebastopol, CA, USA, 2017.
23. Kim, J.; Kim, J.; Kim, H.; Shim, M.; Choi, E. CNN-based network intrusion detection against denial-of-service attacks. Electronics 2020, 9, 916.
24. Chastikova, V.; Sotnikov, V. Method of analyzing computer traffic based on recurrent neural networks. J. Phys. Conf. Ser. 2019, 1353, 12133.
25. Lin, P.; Ye, K.; Xu, C.Z. Dynamic network anomaly detection system by using deep learning techniques. In Cloud Computing—CLOUD 2019, Proceedings of the International Conference on Cloud Computing, San Diego, CA, USA, 25–30 June 2019; Springer: Cham, Switzerland, 2019; pp. 161–176.
26. Kwon, D.; Kim, H.; Kim, J.; Suh, S.C.; Kim, I.; Kim, K.J. A survey of deep-learning-based network anomaly detection. Clust. Comput. 2019, 22, 949–961.
27. Pinaya, W.H.L.; Vieira, S.; Garcia-Dias, R.; Mechelli, A. Autoencoders. In Machine Learning; Elsevier: Amsterdam, The Netherlands, 2020; pp. 193–208.
28. Varma, P.R.K.; Kumari, V.V.; Kumar, S.S. A survey of feature selection techniques in intrusion detection system: A soft computing perspective. In Progress in Computing, Analytics and Networking; Springer: Singapore, 2018; pp. 785–793.
29. Uddin, M.P.; Mamun, M.A.; Hossain, M.A. PCA-based feature reduction for hyperspectral remote sensing image classification. IETE Tech. Rev. 2021, 38, 377–396.
30. Sharafaldin, I.; Lashkari, A.H.; Ghorbani, A.A. Toward generating a new intrusion detection dataset and intrusion traffic characterization. ICISSP 2018, 1, 108–116.
31. Muraleedharan, N.; Janet, B. A deep learning based HTTP slow DoS classification approach using flow data. ICT Express 2021, 7, 210–214.
32. Patator—Penetration Testing Tools. Available online: https://en.kali.tools/?p=147 (accessed on 19 March 2022).
33. DVWA—Damn Vulnerable Web Application. Available online: https://dvwa.co.uk/ (accessed on 19 March 2022).
34. Shah, M.; Ahmed, S.; Saeed, K.; Junaid, M.; Khan, H.; Rehman, A.U. Penetration testing active reconnaissance phase–optimized port scanning with nmap tool. In Proceedings of the 2019 2nd International Conference on Computing, Mathematics and Engineering Technologies (iCoMET), Sukkur, Pakistan, 30–31 January 2019; pp. 1–6.
35. Kompougias, O.; Papadopoulos, D.; Mantas, E.; Litke, A.; Papadakis, N.; Paraschos, D.; Kourtis, A.; Xylouris, G. IoT Botnet Detection on Flow Data using Autoencoders. In Proceedings of the 2021 IEEE International Mediterranean Conference on Communications and Networking (MeditCom), Athens, Greece, 7–10 September 2021; pp. 506–511.
36. Nagpal, B.; Sharma, P.; Chauhan, N.; Panesar, A. DDoS tools: Classification, analysis and comparison. In Proceedings of the 2015 2nd International Conference on Computing for Sustainable Global Development (INDIACom), New Delhi, India, 11–13 March 2015; pp. 342–346.
37. Orange Data Mining—Data Mining. Available online: https://orangedatamining.com/ (accessed on 19 March 2022).
38. Keras: The Python Deep Learning API. Available online: https://keras.io/ (accessed on 19 March 2022).
39. TensorFlow. Available online: https://tensorflow.org/ (accessed on 19 March 2022).
40. Scikit-Learn: Machine Learning in Python: Scikit-Learn 1.0.1. Available online: https://scikit-learn.org/ (accessed on 19 March 2022).
41. Matplotlib—Visualization with Python. Available online: https://matplotlib.org/ (accessed on 19 March 2022).
42. D'hooge, L.; Wauters, T.; Volckaert, B.; De Turck, F. Inter-dataset generalization strength of supervised machine learning methods for intrusion detection. J. Inf. Secur. Appl. 2020, 54, 102564.
43. Catillo, M.; Rak, M.; Villano, U. 2L-ZED-IDS: A two-level anomaly detector for multiple attack classes. In Artificial Intelligence and Network Applications—WAINA 2020, Proceedings of the Workshops of the International Conference on Advanced Information Networking and Applications, Caserta, Italy, 15–17 April 2020; Springer: Cham, Switzerland, 2020; pp. 687–696.
44. Huancayo Ramos, K.S.; Sotelo Monge, M.A.; Maestre Vidal, J. Benchmark-based reference model for evaluating botnet detection tools driven by traffic-flow analytics. Sensors 2020, 20, 4501.
45. Fitni, Q.R.S.; Ramli, K. Implementation of ensemble learning and feature selection for performance improvements in anomaly-based intrusion detection systems. In Proceedings of the 2020 IEEE International Conference on Industry 4.0, Artificial Intelligence, and Communications Technology (IAICT), Bali, Indonesia, 7–8 July 2020; pp. 118–124.
Figure 1. Intrusion detection systems taxonomy.
Figure 2. Long short-term memory architecture.
Figure 3. Convolutional neural network architecture.
Figure 4. Autoencoder architecture.
Figure 5. Principal component analysis architecture.
Figure 6. Overall processing architecture.
Table 1. Details of the attacks used for the benchmark.

| Date | Attack Type | Malicious Flows | Total Number of Flows |
|---|---|---|---|
| 14 February 2018 | BruteForce | 380,943 | 1,044,751 |
| 15 February 2018 | DoS | 52,498 | 1,040,548 |
| 16 February 2018 | DoS | 601,802 | 1,048,574 |
| 21 February 2018 | DDoS | 687,746 | 1,048,575 |
| 22 February 2018 | Web App Attack | 362 | 1,042,965 |
| 23 February 2018 | Web App Attack | 566 | 1,042,867 |
| 28 February 2018 | Infiltration | 68,236 | 606,902 |
| 1 March 2018 | Infiltration | 92,403 | 328,181 |
| 2 March 2018 | Botnet | 286,191 | 1,044,525 |
Table 2. Tools used in each attack.

| Attack Type | Tools Used |
|---|---|
| BruteForce | FTP-Patator and SSH-Patator |
| DoS | Hulk, GoldenEye, Slowloris, Slowhttptest |
| Web Applications Attack | Damn Vulnerable Web Application (DVWA) |
| Infiltration | nmap and port scan |
| Botnet | Ares-botnet |
| DDoS | Low Orbit Ion Cannon (LOIC) |
Table 3. Results obtained with LSTM and CNN models with a split of 80% training and 20% testing.

| Models | Precision | Recall | Accuracy | FPR | F1 |
|---|---|---|---|---|---|
| CNN | 0.9967 | 0.9982 | 0.9993 | 0.0005 | 0.9974 |
| LSTM | 0.9985 | 0.9970 | 0.9994 | 0.0002 | 0.9977 |

Table 4. Results obtained with LSTM and CNN models by applying 10-fold cross-validation.

| Models | Precision | Recall | Accuracy | FPR | AUC | F1 |
|---|---|---|---|---|---|---|
| CNN | 0.9929 | 0.9981 | 0.9987 | 0.0011 | 0.9984 | 0.9955 |
| LSTM | 0.9942 | 0.9932 | 0.9983 | 0.0009 | 0.9961 | 0.9937 |
Table 5. Training dataset of 2 March 2018 with the initial feature set.

| Epoch | Time (s) | Accuracy | Loss |
|---|---|---|---|
| 1 | 167 | 0.981 | 0.047 |
| 2 | 166 | 0.999 | 0.004 |
| 3 | 179 | 0.999 | 0.003 |
| 4 | 249 | 0.999 | 0.002 |
| 5 | 252 | 0.999 | 0.002 |

Table 6. Training dataset of 2 March 2018 with the feature set reduced through autoencoder.

| Epoch | Time (s) | Accuracy | Loss |
|---|---|---|---|
| 1 | 45 | 0.933 | 0.157 |
| 2 | 44 | 0.998 | 0.010 |
| 3 | 44 | 0.998 | 0.008 |
| 4 | 44 | 0.999 | 0.006 |
| 5 | 44 | 0.999 | 0.005 |

Table 7. Training dataset of 2 March 2018 with the feature set reduced through PCA.

| Epoch | Time (s) | Accuracy | Loss |
|---|---|---|---|
| 1 | 44 | 0.945 | 0.129 |
| 2 | 43 | 0.998 | 0.010 |
| 3 | 43 | 0.999 | 0.006 |
| 4 | 42 | 0.999 | 0.005 |
| 5 | 40 | 0.999 | 0.005 |
Table 8. Results obtained when training CNN with PCA.

| Day/Attack | F1 | Precision | Recall | FPR | TNR | Accuracy |
|---|---|---|---|---|---|---|
| 2 March 2018/Botnet | 0.9992 | 0.9993 | 0.9993 | 0.0002 | 0.9997 | 0.9996 |
| 21 February 2018/DDoS | 1.0000 | 1.0000 | 1.0000 | 0.0000 | 1.0000 | 1.0000 |
| 15 February 2018/DoS | 0.9972 | 0.9951 | 0.9994 | 0.0002 | 0.9997 | 0.9997 |
| 16 February 2018/DoS | 0.7293 | 0.5739 | 1.0000 | 1.0000 | 0.0000 | 0.5740 |
| 1 March 2018/Infiltration | 0.3463 | 0.7896 | 0.2218 | 0.0232 | 0.9768 | 0.7642 |
| 28 February 2018/Infiltration | NaN | NaN | 0.0000 | 0.0000 | 1.0000 | 0.8876 |
| 14 February 2018/SshFtpBruteForce | 1.0000 | 1.0000 | 1.0000 | 0.0000 | 1.0000 | 1.0000 |
| 22 February 2018/WebXssBruteForce | 0.6909 | 1.0000 | 0.5278 | 0.0000 | 1.0000 | 0.9998 |
| 23 February 2018/WebXssSQLBruteForce | 0.4865 | 1.0000 | 0.3214 | 0.0000 | 1.0000 | 0.9996 |
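The NaN cells and the FPR = 1.0 row above are not reporting errors: they are what the per-day metrics produce when a model collapses to a constant prediction on a day whose class balance is given in Table 1. As an added example (not part of the paper or its published scripts), the following Python recomputes the metric columns of Tables 8 to 11 from a confusion matrix and reproduces both degenerate rows from Table 1's flow counts: an all-benign prediction on 28 February 2018 (undefined precision and F1, recall 0, accuracy 0.8876, i.e. the benign share of that day) and an all-malicious prediction on 16 February 2018 (recall 1, FPR 1, precision 0.5739, i.e. the malicious share); it also shows how Table 12 averages the per-day F1 of one attack type. It assumes the paper's "malicious" label is the positive class.

```python
"""Confusion-matrix metrics for the CSE-CIC-IDS2018 per-day benchmarks.

Added example; not the paper's code. The only inputs are the per-day flow
counts of Table 1, so it runs offline. Assumption: 'malicious' is the
positive class, as in the paper's precision/recall/FPR/TNR columns.
"""
import math
from statistics import mean


def metrics(tp: int, fp: int, tn: int, fn: int) -> dict:
    """Precision, recall, FPR, TNR, accuracy and F1 for one binary classifier.

    Precision (and therefore F1) is undefined when the model never predicts
    the positive class (tp + fp == 0); NaN is returned rather than 0 so the
    degenerate case is visible, which is how the NaN cells in Tables 8-11 arise.
    """
    total = tp + fp + tn + fn
    precision = tp / (tp + fp) if tp + fp else math.nan
    recall = tp / (tp + fn) if tp + fn else math.nan
    fpr = fp / (fp + tn) if fp + tn else math.nan
    tnr = tn / (fp + tn) if fp + tn else math.nan
    accuracy = (tp + tn) / total
    if math.isnan(precision) or precision + recall == 0:
        f1 = math.nan
    else:
        f1 = 2 * precision * recall / (precision + recall)
    return {"precision": precision, "recall": recall, "fpr": fpr,
            "tnr": tnr, "accuracy": accuracy, "f1": f1}


# (malicious flows, total flows) for two days, copied from Table 1.
TABLE1 = {
    "28 February 2018/Infiltration": (68_236, 606_902),
    "16 February 2018/DoS": (601_802, 1_048_574),
}


def constant_predictor(day: str, predict_malicious: bool) -> dict:
    """Metrics of a model that gives every flow of `day` the same label.

    All-benign: tp = fp = 0, so precision/F1 are NaN, recall is 0 and accuracy
    equals the benign share of the day. All-malicious: tn = fn = 0, so recall
    and FPR are 1 and precision equals the malicious share of the day.
    """
    malicious, total = TABLE1[day]
    benign = total - malicious
    if predict_malicious:
        return metrics(tp=malicious, fp=benign, tn=0, fn=0)
    return metrics(tp=0, fp=0, tn=benign, fn=malicious)


def f1_average(per_day_f1: list) -> float:
    """Average of the per-day F1 values of one attack type, as in Table 12."""
    return round(mean(per_day_f1), 4)


if __name__ == "__main__":
    # All-benign model on 28 February: matches the NaN/0.0000/0.8876 row.
    print(constant_predictor("28 February 2018/Infiltration", False))
    # All-malicious model on 16 February: matches the 0.5739/1.0000/1.0000 row.
    print(constant_predictor("16 February 2018/DoS", True))
    # BruteForce cell of Table 12 for CNN-PCA from the three Table 8 F1 values.
    print(f1_average([1.0000, 0.6909, 0.4865]))
```

The accuracy of 0.8876 for 28 February is reached by a model that detects nothing, which is why the F1, recall and FPR columns, not accuracy, are the ones to read when comparing the infiltration and web-attack days.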
Table 9. Results obtained when training CNN with autoencoder.

| Day/Attack | F1 | Precision | Recall | FPR | TNR | Accuracy |
|---|---|---|---|---|---|---|
| 2 March 2018/Botnet | 0.9990 | 0.9984 | 0.9996 | 0.0005 | 0.9994 | 0.9995 |
| 21 February 2018/DDoS | 1.0000 | 1.0000 | 1.0000 | 0.0000 | 1.0000 | 1.0000 |
| 15 February 2018/DoS | 0.9960 | 0.9928 | 0.9992 | 0.0003 | 0.9996 | 0.9996 |
| 16 February 2018/DoS | 0.7293 | 0.5739 | 1.0000 | 1.0000 | 0.0000 | 0.5739 |
| 1 March 2018/Infiltration | 0.3421 | 0.7595 | 0.2208 | 0.0274 | 0.9726 | 0.7609 |
| 28 February 2018/Infiltration | NaN | NaN | 0.0000 | 0.0000 | 1.0000 | 0.8876 |
| 14 February 2018/SshFtpBruteForce | 0.9998 | 0.9995 | 1.0000 | 0.0002 | 0.9997 | 0.9998 |
| 22 February 2018/WebXssBruteForce | 0.5600 | 1.0000 | 0.3889 | 0.0000 | 1.0000 | 0.9998 |
| 23 February 2018/WebXssSQLBruteForce | 0.2769 | 1.0000 | 0.1607 | 0.0000 | 1.0000 | 0.9995 |
Table 10. Results obtained when training LSTM with PCA.

| Day/Attack | F1 | Precision | Recall | FPR | TNR | Accuracy |
|---|---|---|---|---|---|---|
| 2 March 2018/Botnet | 0.9994 | 0.9992 | 0.9997 | 0.0003 | 0.9997 | 0.9997 |
| 21 February 2018/DDoS | 0.9987 | 1.0000 | 0.9975 | 0.0001 | 0.9999 | 0.9983 |
| 15 February 2018/DoS | 0.9958 | 0.9945 | 0.9971 | 0.0003 | 0.9997 | 0.9996 |
| 16 February 2018/DoS | 1.0000 | 1.0000 | 1.0000 | 0.0000 | 1.0000 | 1.0000 |
| 1 March 2018/Infiltration | 0.4852 | 0.7757 | 0.3530 | 0.0400 | 0.9600 | 0.7891 |
| 28 February 2018/Infiltration | NaN | NaN | 0.0000 | 0.0000 | 1.0000 | 0.8876 |
| 14 February 2018/SshFtpBruteForce | 0.9998 | 0.9997 | 0.9999 | 0.0002 | 0.9998 | 0.9999 |
| 22 February 2018/WebXssBruteForce | 0.8174 | 0.7224 | 0.9412 | 0.4444 | 0.0001 | 1.0000 |
| 23 February 2018/WebXssSQLBruteForce | 0.4658 | 1.0000 | 0.3036 | 0.0000 | 1.0000 | 0.9996 |
Table 11. Results obtained when training LSTM with autoencoder.

| Day/Attack | F1 | Precision | Recall | FPR | TNR | Accuracy |
|---|---|---|---|---|---|---|
| 2 March 2018/Botnet | 0.9745 | 0.9788 | 0.9702 | 0.0079 | 0.9921 | 0.9861 |
| 21 February 2018/DDoS | 0.9990 | 1.0000 | 0.9979 | 0.0000 | 1.0000 | 0.9986 |
| 15 February 2018/DoS | 0.9917 | 0.9894 | 0.9941 | 0.0006 | 0.9994 | 0.9992 |
| 16 February 2018/DoS | 1.0000 | 1.0000 | 1.0000 | 0.0000 | 1.0000 | 1.0000 |
| 1 March 2018/Infiltration | 0.4407 | 0.7878 | 0.3059 | 0.0323 | 0.9677 | 0.7814 |
| 28 February 2018/Infiltration | NaN | NaN | 0.0000 | 0.0000 | 1.0000 | 0.8876 |
| 14 February 2018/SshFtpBruteForce | 0.9998 | 0.9996 | 0.9999 | 0.0000 | 0.9998 | 0.9998 |
| 22 February 2018/WebXssBruteForce | 0.4444 | 1.0000 | 0.2857 | 0.0000 | 1.0000 | 0.9998 |
| 23 February 2018/WebXssSQLBruteForce | 0.3824 | 1.0000 | 0.2364 | 0.0000 | 1.0000 | 0.9996 |
Table 12. Averages of the F1 measure obtained for each pair of deep learning and feature reduction methods, and for each attack type.

| Attack | CNN–PCA | CNN–Autoencoder | LSTM–PCA | LSTM–Autoencoder |
|---|---|---|---|---|
| Botnet | 0.9992 | 0.9990 | 0.9994 | 0.9745 |
| DDoS | 1.0000 | 1.0000 | 0.9987 | 0.9990 |
| DoS | 0.8632 | 0.8626 | 0.9979 | 0.9958 |
| Infiltration | - | - | - | - |
| BruteForce | 0.7258 | 0.6122 | 0.7610 | 0.6089 |
Table 13. Comparison with other works available in the literature.

| Models | Accuracy | Precision | Recall | AUC |
|---|---|---|---|---|
| CNN (our results) | 0.9987 | 0.9929 | 0.9981 | 0.9984 |
| LSTM (our results) | 0.9983 | 0.9942 | 0.9932 | 0.9961 |
| CNN [23] | 0.9999 | 0.8175 | 0.8225 | n/a |
| LSTM [25] | 0.9620 | 0.9600 | 0.9600 | n/a |
| XGBoost [42] | 0.9600 | 0.9900 | 0.7900 | n/a |
| Deep autoencoder [43] | 0.9920 | 0.9500 | 0.9890 | n/a |
| Random Forest, Decision Tree [44] | 0.9999 | 1.000 | 0.999 | n/a |
| Logistic Regression, Decision Tree, and Gradient Boosting [45] | 0.9880 | 0.9880 | 0.9710 | 0.9410 |
Publisher's Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).