A context-aware robust intrusion detection system: a reinforcement learning-based approach


REGULAR CONTRIBUTION

A context-aware robust intrusion detection system: a reinforcement learning-based approach

Kamalakanta Sethi¹ · E. Sai Rupesh¹ · Rahul Kumar¹ · Padmalochan Bera¹ · Y. Venu Madhav¹

© Springer-Verlag GmbH Germany, part of Springer Nature 2019

Abstract

Detection and prevention of intrusions in enterprise networks and systems is an important but challenging problem, owing to the extensive growth and usage of networks that are constantly facing novel attacks. An intrusion detection system (IDS) monitors network traffic and system-level applications to detect malicious activities in the network. However, most existing IDSs are incapable of providing high accuracy together with a low false positive rate (FPR). Therefore, there is a need for adaptive techniques for detecting network intrusions that maintain a balance between accuracy and FPR. In this paper, we present a context-adaptive IDS that uses multiple independent deep reinforcement learning agents distributed across the network for accurate detection and classification of new and complex attacks. We have carried out extensive experimentation on our model using three benchmark datasets, NSL-KDD, UNSW-NB15 and AWID, which shows better accuracy and a lower FPR compared to state-of-the-art systems. Further, we analysed the robustness of our model against adversarial attacks and observed only a small decrease in accuracy compared to existing models. To further improve the robustness of the system, we implemented the concept of a denoising autoencoder. We also show the usability of our system in a real-life application with changes in the attack pattern.

Keywords Adversarial attack · Context · Denoising autoencoder · FPR · IDS · Deep reinforcement learning (DRL) agent · NSL-KDD · AWID · UNSW-NB15

Author e-mail addresses: Kamalakanta Sethi [email protected] · E. Sai Rupesh [email protected] · Rahul Kumar [email protected] · Padmalochan Bera [email protected] · Y. Venu Madhav [email protected]

¹ Indian Institute of Technology, Bhubaneswar, Odisha 752050, India

1 Introduction

As the number of hosts connected to the Internet increases, enforcing the security and availability of network services for users is becoming a challenging task. In the last two decades, organizations have developed various tools and techniques to protect networks and systems against different security threats, such as access control mechanisms, user authentication, and firewalls. Although these solutions prevent unauthorized access by outsiders, they are not resilient against insider attacks. Thus, the intrusion detection system (IDS) [1] was developed to act as a second line of defence, protecting information from loss to intruders. It is used to detect malicious network traffic and computer usage that are invisible to a traditional firewall. This includes network attacks against exposed services, attacks on applications, and host-based attacks such as unauthorized logins and access to confidential files. In general, IDS can be classified into two categories, i.e. (1) host-