The growing number of Internet users and the prevalence of web applications make it necessary to deal with very complex software and applications in the network. This results in an increasing number of new vulnerabilities in these systems, leading to an increase in cyber threats and, in particular, zero-day attacks. The cost of generating appropriate signatures for these attacks is a potential motive for using machine learning-based methodologies. Although there are many studies on using learning-based methods for attack detection, they generally use extracted features and overlook the raw content. This approach can degrade the performance of detection systems against content-based attacks such as SQL injection, Cross-site Scripting (XSS), and various viruses. In this work, we propose a framework, called the deep intrusion detection (DID) system, that uses the pure content of traffic flows in addition to traffic metadata in the learning and detection phases of a passive DNN IDS. To this end, we deploy and evaluate an offline IDS that follows the framework, using an LSTM as the deep learning technique. Due to the inherent nature of deep learning, it can process high-dimensional data content and, accordingly, discover the sophisticated relations between the automatically extracted features of the traffic. To evaluate the proposed DID system, we use the CIC-IDS2017 and CSE-CIC-IDS2018 datasets. The evaluation metrics, such as precision and recall, reach $0.992$ and $0.998$ on CIC-IDS2017, and $0.933$ and $0.923$ on CSE-CIC-IDS2018 respectively, which show the high performance of the proposed DID method.
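The abstract's central point is that metadata-only features cannot separate two flows whose difference lies only in the payload, so a content-aware IDS must feed the raw bytes to the model alongside the metadata. The following added example (not the paper's code; the `Flow` record, the feature names, `MAX_CONTENT_LEN` and the pad token are this example's own assumptions) builds the two inputs such an LSTM-based DID system would consume from a flow record: a flow-level metadata vector and a fixed-length sequence of byte tokens. Two constructed HTTP flows with identical metadata but different content show that the metadata vectors collide while the content sequences do not.

```python
"""Added example: prepare DID-style (metadata, raw-content) inputs from flow records.

Not the paper's implementation. All flows are constructed samples; the feature
layout, token alphabet and sequence length are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

MAX_CONTENT_LEN = 64   # raw content is truncated or padded to this many byte tokens
PAD_TOKEN = 256        # byte values use 0..255, so 256 is a distinct padding id
VOCAB_SIZE = 257       # embedding table size for an LSTM over byte tokens


@dataclass
class Flow:
    """A minimal flow record (assumed shape, not a dataset schema)."""
    src_port: int
    dst_port: int
    packets: int
    duration_s: float
    payload: bytes


def metadata_features(flow: Flow) -> List[float]:
    """Classic flow-level features that a metadata-only IDS would use."""
    total_bytes = len(flow.payload)
    return [
        float(flow.dst_port),
        float(flow.packets),
        flow.duration_s,
        float(total_bytes),
        total_bytes / max(flow.packets, 1),   # mean bytes per packet
    ]


def content_tokens(payload: bytes, max_len: int = MAX_CONTENT_LEN) -> List[int]:
    """Encode raw bytes as integer tokens, truncating long content and padding short content."""
    tokens = list(payload[:max_len])          # each byte becomes a token in 0..255
    tokens.extend([PAD_TOKEN] * (max_len - len(tokens)))
    return tokens


def did_input(flow: Flow) -> Tuple[List[float], List[int]]:
    """The pair of inputs the content-aware model consumes for one flow."""
    return metadata_features(flow), content_tokens(flow.payload)


def build_batch(flows: List[Flow]) -> Tuple[List[List[float]], List[List[int]]]:
    """Stack per-flow inputs into two parallel batches (metadata, content)."""
    meta, content = [], []
    for flow in flows:
        m, c = did_input(flow)
        meta.append(m)
        content.append(c)
    return meta, content


# Constructed sample flows: same ports, packet count, duration and payload length.
BENIGN = Flow(51000, 80, 3, 0.02,
              b"GET /search?q=red-shoes-1 HTTP/1.1\r\nHost: shop.example\r\n\r\n")
SUSPECT = Flow(51000, 80, 3, 0.02,
               b"GET /search?q=x'+OR+1=1-- HTTP/1.1\r\nHost: shop.example\r\n\r\n")


def metadata_collides(a: Flow, b: Flow) -> bool:
    """True when a metadata-only model sees the two flows as the same point."""
    return metadata_features(a) == metadata_features(b)


def content_differs(a: Flow, b: Flow) -> bool:
    """True when the raw-content sequences give the model something to separate."""
    return content_tokens(a.payload) != content_tokens(b.payload)


if __name__ == "__main__":
    meta, content = build_batch([BENIGN, SUSPECT])
    print("metadata identical:", metadata_collides(BENIGN, SUSPECT))   # True
    print("content differs:   ", content_differs(BENIGN, SUSPECT))     # True
    print("first tokens:", content[0][:8], "...", "pad tail:", content[0][-6:])
```

The metadata vector is what a feature-based detector trains on; the token sequence is what an embedding layer followed by an LSTM would read. Keeping the two inputs separate, rather than summarising the payload into a handful of statistics, is what lets the model learn content patterns that distinguish the second flow from the first.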