MINISTRY OF EDUCATION AND TRAINING MINISTRY OF NATIONAL DEFENCE MILITARY TECHNICAL ACADEMY VU THI LY DEVELOPING DEEP NEURAL NETWORKS FOR NETWORK ATTACK DETECTION DOCTORAL THESIS HA NOI - 2021 MINISTRY OF EDUCATION AND TRAINING MINISTRY OF NATIONAL DEFENCE MILITARY TECHNICAL ACADEMY VU THI LY DEVELOPING DEEP NEURAL NETWORKS FOR NETWORK ATTACK DETECTION DOCTORAL THESIS Major: Mathematical Foundations for Informatics Code: 946 0110 RESEARCH SUPERVISORS: 1. Nguyen Quang Uy 2. Eryk Duzkite HA NOI - 2021 ASSURANCE I certify that this thesis is a research work done by the author under the guidance of the research supervisors. The thesis has used citation information from many different references, and the citation informa- tion is clearly stated.
Experimental results presented in the thesis are completely honest and not published by any other author or work. Author Vu Thi Ly ACKNOWLEDGEMENTS First, I would like to express my sincere gratitude to my advisor Assoc. Nguyen Quang Uy for the continuous support of my Ph.D study and related research, for his patience, motivation, and immense knowledge. His guidance helped me in all the time of research and writing of this thesis.
I wish to thank my co-supervisor, Prof. Eryk Duzkite, Dr. Nguyen, and Dr. Dinh Thai Hoang at University Technology of Sydney, Australia.
Working with them, I have learned how to do research and write an academic paper systematically. I would also like to acknowledge to Dr. Cao Van Loi, the lecturer of the Faculty of Information Technology, Military Technical Academy, for his thorough comments and suggestions on my thesis. Second, I also would like to thank the leaders and lecturers of the Faculty of Information Technology, Military Technical Academy, for en- couraging me with beneficial conditions and readily helping me in the study and research process.
Finally, I must express my very profound gratitude to my parents, to my husband, Dao Duc Bien, for providing me with unfailing support and continuous encouragement, to my son, Dao Gia Khanh, and my daughter Dao Vu Khanh Chi for trying to grow up by themselves. This accomplishment would not have been possible without them. Author Vu Thi Ly CONTENTS Contents. vi List of figures.
ix List of tables. Bot-IoT Datasets (IoT Datasets). Deep Neural Networks. Generative Adversarial Network.
Maximum mean discrepancy (MMD). Complexity of Models. Review of Network Attack Detection Methods. Knowledge-based Methods.
Statistical-based Methods. Machine Learning-based Methods. LEARNING LATENT REPRESENTATION FOR NETWORK ATTACK DETECTION. Proposed Representation Learning Models.
Muti-distribution Variational AutoEncoder. Multi-distribution AutoEncoder. Multi-distribution Denoising AutoEncoder. Using Proposed Models for Network Attack Detection.
Hyper-parameter Settings. Results and Analysis. Ability to Detect Unknown Attacks. Cross-datasets Evaluation.
Influence of Parameters. Complexity of Proposed Models. Assumptions and Limitations. DEEP GENERATIVE LEARNING MODELS FOR NETWORK ATTACK DETECTION.
Deep Generative Models for NAD. Generating Synthesized Attacks using ACGAN-SVM. Conditional Denoising Adversarial AutoEncoder. Borderline Sampling with CDAAE-KNN.
Using Proposed Generative Models for Network Attack Detection 72 3. Hyper-parameter Setting. Results and Discussions. Generative Models Analysis.
Complexity of Proposed Models. Assumptions and Limitations. DEEP TRANSFER LEARNING FOR NETWORK ATTACK DETECTION. Proposed Deep Transfer Learning Model.
Transfer Learning Model. Training and Predicting Process using the MMD-AE Model 87 4. Hyper-parameters Setting. Results and Discussions.
Effectiveness of Transferring Information in MMD-AE. Processing Time and Complexity Analysis. 95 iv CONCLUSIONS AND FUTURE WORK. Abbreviation Meaning 1 AAE Adversarial AutoEncoder 2 ACGAN Auxiliary Classifier Generative Adversarial Net- work 3 ACK Acknowledgment 4 AE AutoEncoder 5 AUC Area Under the Receiver Operating Characteristics Curve 6 CDAAE Conditional Denosing Adversarial 7 CNN Convolutional Neural Network 8 CTU Czech Technical University 9 CVAE Conditional Variational AutoEncoder 10 DAAE Denosing Adversarial AutoEncoder 11 DAE Denoising AutoEncoder 12 DBN Deep Beleif Network 13 DDoS Distributed Deny of Service 14 De Decoder 15 Di Discriminator 16 DT Decision Tree 17 DTL Deep Transfer Learning 18 En Encoder 19 FN False Negative 20 FP False Positive 21 FTP File Transfer Protocol 22 GAN Generative Adversarial Network vi No.
Abbreviation Meaning 23 Ge Generator 24 IoT Internet of Things 25 IP Internet Protocol 26 KL Kullback-Leibler 27 KNN K-nearest Neighbor 28 LR Linear Regression 29 MAE Multi-Distribution AutoEncoder 30 MDAE Multi-Distribution Denoising AutoEncoder 31 MMD Maximum Mean Discrepancy 32 MVAE Multi-Distribution Variational AutoEncoder 33 NAD Network Attack Detection 34 NCT Nearest CenTroid 35 PCT PerCepTron 36 R2L Remote to Login 37 RE Reconstruction Error 38 RF Random Forest 39 RG Regularization Phase 40 RP Reconstruction Phase 41 ReLU Rectified Linear Unit 42 SAAE Supervised Adversarial AutoEncoder 43 SKL-AE DTL method using the KL metric and transferring task is executed on the AE’s bottleneck layer 44 SMD-AE DTL method using the MMD metric and transfer- ring task is executed on the AE’s bottleneck layer 45 SMD-AE DTL method using the MMD metric and trans- ferring task is executed on the encoding layers of AE 46 SMOTE Synthetic Minority Over-sampling Technique vii No. Abbreviation Meaning 47 SVM Support Vector Machine 48 SYN Synchronize 49 TCP Transmission Control Protocol 50 TL Transfer Learning 51 TN True Negative 52 TP True Positive 53 TPR True Positive Rate 54 U2L User to Login 55 UDP User Datagram Protocol 56 VAE Variational AutoEncoder viii LIST OF FIGURES 1.1 AUC comparison for AE model using different activation function of IoT-4 dataset.2 Structure of generative models (a) AE, (b) VAE, (c) GAN, and (d) AAE.3 Traditional machine learning vs.1 Visualization of our proposed ideas: Known and unknown abnormal samples are separated from normal samples in the latent representation space.2 The probability distribution of the latent data (z0 ) of MAE at epoch 0, 40 and 80 in the training process.3 Using non-saturating area of activation function to sepa- rate known and unknown attacks from normal data.4 Illustration of an AE-based model (a) and using it for classification (c,d).5 Latent representation resulting from AE model (a,b) and MAE model (c,d).6 Influence of noise factor on the performance of MDAE measuring by the average of AUC scores, FAR, and MDR produced from SVM, PCT, NCT and LR on the IoT-1 dataset. The noise standard deviation value at σnoise = 0.01 results in the highest AUC, and lowest FAR and MDR.7 AUC scores of (a) the SVM classifier and (b) the NCT classifier with different parameters on the IoT-2 dataset.8 Average testing time for one data sample of four classifiers with different representations on IoT-9.1 Structure of CDAAE.1 Proposed system structure.2 Architecture of MMD-AE.3 MMD of latent representations of the source (IoT-1) and the target (IoT-2) when transferring task on one, two, and three encoding layers. 91 x LIST OF TABLES 1.1 Number of training data samples of network attack datasets.2 Number of training data samples of malware datasets.3 The nine IoT datasets.1 Hyper-parameters for AE-based models.2 AUC scores produced from the four classifiers SVM, PCT, NCT and LR when working with standalone (STA), our models, DBN, CNN, AE, VAE, and DAE on the nine IoT datasets.
In each classifier, we highlight top three highest AUC scores where the higher AUC is highlighted by the darker gray. Particularly, RF is chosen to compare STA with a non-linear classifier and deep learning representa- tion with linear classifiers.3 AUC score of the NCT classifier on the IoT-2 dataset in the cross-datasets experiment.4 Complexity of AE-based models trained on the IoT-1 dataset.1 Values of grid search for classifiers.2 Hyper-parameters for CDAAE.3 Result of SVM, DT, and RF of on the network attack datasets.4 Parzen window-based log-likelihood estimates of genera- tive models.5 Processing time of training and generating samples pro- cesses in seconds.1 Hyper-parameter setting for the DTL models.2 AUC scores of AE [1], SKL-AE [2], SMD-AE [3] and MMD-AE on nine IoT datasets.3 Processing time and complexity of DTL models. Motivation Over the last few years, we have been experiencing an explosion in communications and information technology in network environments. Cisco predicted that the Global Internet Protocol (IP) traffic will in- crease nearly threefold over the next five years, and will increase 127-fold from 2005 to 2021 [4].
Furthermore, IP traffic will grow at a Compound Annual Growth Rate of 24% from 2016 to 2021. The unprecedented de- velopment of communication networks has significant contributions for human beings but also places many challenges for information security problems due to the diversity of emerging cyberattacks. According to a study in [5], 53 % of all network attacks resulted in financial damages of more than US$500,000, including lost revenue, customers, opportunities, and so on. As a result, early detecting network attacks plays a crucial role in preventing cyberattacks and ensuring confidentiality, integrity, and availability of information in communication networks [6].
A network attack detection (NAD) monitors the network traffic to identify abnormal activities in the network environments such as com- puter networks, cloud, and Internet of Things (IoT). There are three popular approaches for analyzing network traffic to detect intrusive be- haviors [7], i., knowledge-based methods, statistic-based methods, and machine learning-based methods. First, in order to detect network at- tacks, knowledge-based methods generate network attack rules or sig- natures to match network behaviors. The popular knowledge-based method is an expert system that extracts features from training data to build the rules to classify new traffic data.
Knowledge-based methods can detect attacks robustly in a short time. However, they need high- 1 quality prior knowledge of attacks. Moreover, they are unable to detect unknown attacks. Second, statistic-based methods consider network traffic activity as normal traffic.
In the sequel, an anomaly score is calculated by some statistical methods on the currently observed network traffic data. If the score is more significant than a certain threshold, it will raise the alarm for this network traffic [7]. There are some statistical methods, such as information entropy, conditional entropy, information gain [8]. These methods explore the network traffic distribution by capturing the essential features of network traffic.
Then, the distribution is compared with the predefined distribution of normal traffic to detect anomalous behaviors. Third, machine learning-based methods for NAD have received in- creasing attention in the research community due to their outstanding advantages [9–13]. The main idea of applying machine learning tech- niques for NAD is to build a detection model based on training datasets automatically. Depending on the availability of data labels, machine learning-based NAD can be categorized into three main approaches: supervised learning, semi-supervised learning, and unsupervised learn- ing [14].
Although machine learning, especially deep learning, has achieved re- markable success in NAD, there are still some unsolved problems that can affect the accuracy of detection models. First, the network traffic is heterogeneous and complicated due to the diversity of network environ- ments. Thus, it is challenging to represent the network traffic data that fascinates machine learning classification algorithms. Second, to train a good detection model, we need to collect a large amount of network at- tack data.
However, collecting network attack data is often harder than those of normal data. Therefore, network attack datasets are usually highly imbalanced. When being trained on such skewed datasets, con- ventional machine learning algorithms are often biassed and inaccurate. 2 Third, in some network environments, e., IoTs, we are often unable to collect the network traffic from all IoT devices for training the detection model.
The reason is due to the privacy of IoTs devices. Subsequently, the detection model trained on the data collected from one device may be used to detect the attacks on other devices. However, the data dis- tribution in one device may be very different from that in other devices and it affects to the accuracy of the detection model. Research Aims The thesis aims to develop deep neural networks for analyzing security data.
These techniques improve the accuracy of machine learning-based models applied in NAD. Therefore, the thesis attempts to address the above challenging problems in NAD using models and techniques in deep neural networks. Specifically, the following problems are studied.