Network intrusion detection systems (NIDS) are one of many components that make up a computer security system. Several machine learning-based NIDS have been proposed in recent years, but most of them were developed and evaluated under the assumption that the training context is similar to the test context. In real networks this assumption does not hold, given the emergence of new attacks and variants of known attacks. To deal with this reality, open set recognition, the general task of recognizing classes not seen during training, began to gain importance in NIDS research. Yet existing solutions are often bound by high time complexity and performance bottlenecks. In this work, we propose an algorithm for use in NIDS that performs open set recognition. Our proposal is an adaptation of the single-class Energy-based Flow Classifier (EFC), which has proved to be an algorithm with strong generalization capability and low computational cost. The new version of EFC correctly classifies not only known attacks but also unknown ones, and differs from other proposals in the literature by using a single layer with low time complexity. Our proposal was evaluated both against well-established multi-class algorithms and as an open set classifier. It proved to be an accurate classifier in both evaluations, comparable to the state of the art. As a conclusion of our work, we consider EFC a promising algorithm for use in NIDS because of its high performance and applicability in real networks.