ANALYSIS OF DEEP LEARNING ALGORITHM FOR ANOMALY BASED NETWORK INTRUSION DETECTION

DEEP LEARNING ALGORITHM FOR ANOMALY-BASED NETWORK INTRUSION DETECTION  

 

         Deep learning-based algorithms are frequently employed in intrusion detection due to their superior performance in categorization tasks. a convolutional neural network-based intrusion detection approach. -This method translates the vector format of the source data into an image format. As a result, the CNN algorithm is utilized to extract traffic characteristics and, via training, construct an intrusion detection model. Using the LSTM algorithm, assess if an incoming network data sequence is anomalous using a predefined threshold. When compared to LSTM, the GRU neural network is more suited for real-time processing.

        Combining CNNs and RNNs to extract the temporal and geographical aspects of network data might produce excellent classification performance for normal and abnormal traffic. Because the efficiency and accuracy of the NIDS detection method are both critical, Neural networks (NN) are groups of neurons that work together to accomplish a certain job or process information. These networks can also learn under supervision or on their own. Based on its architecture, NN may be divided into two categories. The Multi-Level Perception (MLP) is a supervised neural network, whereas the Self-Organizing Maps (SOM) is an unsupervised neural network (SOM). The Multi-Level Perceptron (MLP) is a common supervised learning NN approach, while Self-Organizing Maps (SOM) is a prominent unsupervised learning NN technique (SOM). 

        SOM may be used to identify novelty, automate grouping, and organize visual data. NN has been used to tackle the intrusion detection problem. In the IDES, a SOM for learning features of normal activity and NN for intrusion detection as an alternative to statistical approaches (intrusion detection expert system). to produce samples of different attack kinds using the GAN network in order to build a balanced training data set GAN was integrated into a classifier, and samples were collected from the data set using reinforcement learning to produce new samples and alter this initial sample production behavior using an adversarial network. However, simulating data samples with uncertain data distributions with the convergence of GAN models remains a difficulty.

Self-organizing Maps (SOM)

        The SOM is an unsupervised learning model, which means that it does not require labeled training data to construct its model. This is a useful feature for intrusion detection since categorizing thousands, if not millions, of data is a time-consuming job that might result in mislabeling. Furthermore, the SOM is used for anomaly detection more frequently than any other ANN model. The SOM is a clustering approach that has the advantage of being able to produce lower dimensional representations of multidimensional data in the form of what is known as a map. the use of SOM to characterize the usual behavior of a computer network The SOM's input was given via a monitor stack, which employs protocol analyzers to reduce and discriminate network traffic. The method was tested using buffer-overflow attacks. Used a SOM as part of a hybrid IDS, together with a DT and an RBS, to identify network-based anomalies.

         The DT detects abuse, and the RBS calculates the final output depending on the individual outputs of the two preceding approaches. The SOM detects the FTP write (R2L) attack, while the DT does not. However, there are more false positives in general. suggested a hierarchical hybrid intrusion detection system (IDS) for network-based intrusion detection, consisting of a SOM and NB This used a SOM technique for supervised learning, allowing it to learn and categorize a percentage of invasive data. A visual SOM was proposed to generate topological models of known assaults for forensic examination. SOM was employed in a model for identifying malicious network traffic. and created an IDS using an unsupervised neural network and Kohonen maps On the KDD data set, the Performance-based Ranking Method was utilized. It operates by removing input from the dataset and comparing the results before and after the removal.

Convolutional Neural Networks Implementation

        The original CNN (Convolutional Neural Networks) may be identified as a feature extractor, which means that it can be used to extract sequence information. Yoon proposed this premise. Text-CNN As an embedding layer, Text-CNN employs pre-trained word vectors. We can generate an embedding matrix for all words expressed as vectors, and each row in the matrix represents a word vector. This matrix can be either static or dynamic. The convolution layer technique then outputs a feature map to the pooling layer, and the pooling layer creates the final feature vector.

        To construct a deep neural network for detecting network intrusion, each component may be viewed as a network module, with numerous modules in a cascade connection. The system is made up of a preprocessing module, a feature extraction module, a classification decision module, and an output module. The preprocessing module normalizes the data so that it may be fed into the neural network without affecting its dimensions. Among the modules mentioned above, the feature extraction module has the greatest influence on performance. 

        The neural network architectures of GRU and Text-CNN vary. The former has a memory function, but the structure is both complicated and computationally costly, whereas the latter allows numerous layers to be stacked easily. The deep neural network is designed in a modular manner, with each module processing incoming data separately. In actual studies, additional typical machine learning techniques are used instead of the feature extraction module. These changes invariably influence the experimental findings, allowing the impact of different algorithms on detection outcomes to be assessed. Experiments can be used to thoroughly analyze these conditions.

LSTM

        The most common form of RNN architecture is LSTM. LSTM was developed to overcome RNN's vanishing gradients problem by incorporating non-linear controls into the RNN cell so that the gradient of the cost function does not disappear. It is implemented to prevent the problem of long-term reliance. As a result, recalling knowledge for a long period is regarded as one of the primary benefits of LSTM. The most common form of RNN architecture is LSTM. LSTM was developed to overcome RNN's vanishing gradients problem by incorporating non-linear controls into the RNN cell so that the gradient of the cost function does not disappear. It is implemented to prevent the problem of long-term reliance. As a result, recalling knowledge for a long period is regarded as one of the primary benefits of LSTM.

        The 'Forget Gate,' for example, determines what information from the previous state cell will be memorized and what information will be removed that is no longer useful, while the 'Input Gate,' determines which information should enter the cell state and the 'Output Gate,' determines and controls the outputs. The LSTM network is regarded as one of the most effective RNNs since it eliminates the problems associated with training a recurrent network. This is a common type of RNN design that employs special units to address the vanishing gradient problem. A memory cell in an LSTM unit can retain data for lengthy periods of time, and three gates control the flow of information into and out of the cell.

        The most well-known model for training temporal data is the recurrent neural network (RNN), yet the typical RNN is difficult to train to owe to gradient explosion or disappearance. To address these issues, LSTM employs memory-functioning units to replace the RNN's hidden units. Because of its modest weight changes over time, LSTM possesses long-term memory and can also trigger short-term memory in a short-range form. The LSTM's core information is transferred down the horizontal line, and the LSTM forgets the old information and learns the new information via the forget gate, input gate, and output gate structures.

Multi‑layer Perceptron (MLP)

        A substantial feedforward artificial neural network is the Multi-layer Perceptron (MLP), a supervised learning technique [36]. (ANN). It is also known as the deep neural network (DNN) based architecture or deep learning. A typical MLP is a fully connected network composed of an input layer that accepts input data, an output layer that makes a judgment or prediction about the input signal, and one or more hidden layers between these two that act as the network's computational engine. An MLP network's output is dictated by a variety of activation functions, also known as transfer functions, such as ReLU (Rectified Linear Unit), Tanh, Sigmoid, and SoftMax.

        MLP is trained using the most widely used algorithm "Backpropagation", a supervised learning approach that is also regarded as the most fundamental building block of a neural network. Various optimization algorithms, such as Stochastic Gradient Descent (SGD), and adaptive Moment Estimation (Adam), are used throughout the training phase. MLP necessitates the adjustment of various hyperparameters, such as the number of hidden layers, neurons, and iterations, which can make solving a complex model computationally costly

Restricted Boltzmann Machine (RBM)

         Boltzmann machines are often made up of visible and hidden nodes, and each node is linked to every other node, which allows us to identify abnormalities by understanding how the system functions under normal conditions. RBMs are a kind of Boltzmann machine in which the number of connections between the visible and hidden layers is limited This constraint allows training techniques like the gradient-based contrastive divergence algorithm to be more efficient than Boltzmann machine algorithms in general.

        They can be taught either supervised or unsupervised in the field of deep learning modeling, depending on the job. Overall, RBMs can automatically detect patterns in data and create probabilistic or stochastic models that are used for feature selection or extraction, as well as forming a deep belief network.

Generative Adversarial Network (GAN)

        A Generative Adversarial Network (GAN) is a neural network design used in generative modeling to generate new plausible samples on demand. It entails detecting and learning regularities or patterns in incoming data automatically, such that the model may be used to produce or output new instances from the original dataset. GANs are made up of two neural networks: a generator G that generates new data with comparable features to the original data and a discriminator D that predicts the likelihood of the following sample being chosen from genuine data rather than data generated by the generator.

        As a result, in GAN modeling, both the generator and the discriminator are trained to compete with one another. As a result, in GAN modeling, both the generator and the discriminator are trained to compete with one another. While the generator attempts to trick and confuse the discriminator by producing more realistic data, the discriminator attempts to distinguish genuine data from G-generated data.

        Because there were anomalies, the GAN architecture for anomaly identification was built to evaluate performance with RL approaches. The CNN + LSTM architecture was designed for the generator, whereas the MLP was designed for the discriminator. 

Auto‑Encoder (AE)

        An auto-encoder (AE)  is a well-known unsupervised learning approach that uses neural networks to learn representations. Auto-encoders are typically employed to work with high-dimensional data, and dimensionality reduction describes how a collection of data is represented. An autoencoder is made up of three parts: encoder, code, and decoder. The encoder compresses the input and creates the code, which is then used by the decoder to reconstruct the input. Recently, AEs have been utilized to learn generative data models. 

        Many unsupervised learning tasks, including dimensionality reduction, feature extraction, efficient coding, generative modeling, denoising, anomaly or outlier detection, and so on, make extensive use of the auto-encoder which is also used to decrease the dimensionality of large data sets, is fundamentally comparable to a single-layered AE with a linear activation function. Regularized autoencoders, such as sparse, denoising, and contractive, can be used to train representations for subsequent classification tasks, whilst variational autoencoders can be utilized as generative models.

Deep Belief Network (DBN)

        A Deep Belief Network (DBN) is a multi-layer generative graphical model composed of numerous discrete unsupervised networks, such as AEs or RBMs, with the hidden layer of each network serving as the input for the next layer., i.e., are connected sequentially. As a result, we may partition a DBN into. The ultimate objective is to build a faster-unsupervised training approach for each contrastive divergence-based sub-network. Based on its deep structure, DBN can capture a hierarchical representation of incoming data.

        DBN is based on the principle of training unsupervised feed-forward neural networks with unlabeled data before fine-tuning the network with labeled input. One of the most significant benefits of DBN over traditional shallow learning networks is the identification of deep patterns, which allows for reasoning abilities and the capture of the deep difference between normal and erroneous data. A continuous DBN is essentially a normal DBN that provides for a continuous range of decimals rather than binary data. Overall, because of its powerful feature extraction and classification capabilities, the DBN model may play a crucial role in a wide range of high-dimensional data applications and become one of the significant issues in the field of neural networks.