
On learning effective ensembles of deep neural networks for intrusion detection

Bibliographic Details
Published in: Information fusion 2021-08, Vol.72, p.48-69
Main Authors: Folino, F., Folino, G., Guarascio, M., Pisani, F.S., Pontieri, L.
Format: Article
Language: English
Description
Summary: Classification-oriented Machine Learning methods are a precious tool, in modern Intrusion Detection Systems (IDSs), for discriminating between suspected intrusion attacks and normal behaviors. Many recent proposals in this field leveraged Deep Neural Network (DNN) methods, capable of learning effective hierarchical data representations automatically. However, many of these solutions were validated on data featuring stationary distributions and/or large amounts of training examples. By contrast, in real IDS applications different kinds of attack tend to occur over time, and only a small fraction of the data instances is labeled (usually with far fewer examples of attacks than of normal behavior). A novel ensemble-based Deep Learning framework is proposed here that tries to face the challenging issues above. Basically, the non-stationary nature of IDS log data is faced by maintaining an ensemble consisting of a number of specialized base DNN classifiers, trained on disjoint chunks of the data instances’ stream, plus a combiner model (reasoning on both the base classifiers’ predictions and original instance features). In order to learn deep base classifiers effectively from small training samples, an ad-hoc shared DNN architecture is adopted, featuring a combination of dropout capabilities and skip-connections, along with a cost-sensitive loss (for dealing with unbalanced data). Test results, conducted on two benchmark IDS datasets and involving several competitors, confirmed the effectiveness of our proposal (in terms of both classification accuracy and robustness to data scarcity), and allowed us to evaluate different ensemble combination schemes.
• We define a chunk-based framework for learning an ensemble of DNN classifiers for IDS.
• Ad-hoc DNN architectures are proposed to model the base classifiers and the combiner.
• Experiments on benchmark data confirm the proposal’s effectiveness and robustness.
• The approach outperforms other well-known ensemble-based competitors.
• Sensitivity to data scarcity and the use of different combiner schemes are studied.
ISSN: 1566-2535, 1872-6305
DOI: 10.1016/j.inffus.2021.02.007