AN INTRUSION DETECTION SYSTEM USING DEEP NEURAL NETWORK
A Thesis
Submitted in partial fulfilment of the Requirements for the award of the
Degree of
MASTER OF TECHNOLOGY
IN
COMPUTER SCIENCE
By
SARA NOOR
(MT/CS/15009/18)
This is to certify that the work presented in the thesis entitled “An Intrusion
Detection System using Deep Neural Network”, in partial fulfilment of the
requirements for the award of the degree of Master of Technology in Computer
Science of Birla Institute of Technology, Mesra, Ranchi, Extension Centre
Patna, is an authentic work carried out under my supervision and guidance.
Prof. In charge
Dept. of CSE
Birla Institute of Technology
Mesra, Ranchi-835215
Extension Centre: Patna-800014

Director
Birla Institute of Technology
Mesra, Ranchi-835215
Extension Centre: Patna-800014
CERTIFICATE OF APPROVAL
The foregoing thesis entitled “An Intrusion Detection System using Deep
Neural Network” is hereby approved as a creditable study of the research topic
and has been presented in a satisfactory manner to warrant its acceptance as
a prerequisite to the degree for which it has been submitted.
(Chairman)
I have put considerable effort into this research work. However, it would not have been possible without
the kind support and help of many individuals and organizations. I would like to extend my
sincere gratitude to all of them.
First of all, I would like to extend my deep gratitude to my guide, Birla
Institute of Technology, Mesra, Ranchi, Patna campus, under whose supervision this
research work has been carried out.
Along with this, I want to thank the director of my institution for providing a
supportive environment for education on the college premises. Without his support and
guidance, it would have been difficult to carry out this research work. I also want to express
my heartfelt gratitude to the Head/In Charge of the Department of Computer Science and
Engineering for his kind support and guidance throughout this research work.
SARA NOOR
(MT/CS/15009/18)
ABSTRACT
Machine learning techniques are widely used to develop intrusion detection
systems (IDS) that detect and classify cyber-attacks at the network level and host level
in a timely and automatic manner. However, many challenges arise because malicious attacks
change continually and occur in very large volumes, which calls for a scalable
solution. Moreover, no existing study has presented a detailed analysis of the performance
of various machine learning algorithms on various publicly available datasets. Because
malware is dynamic and its attack methods change continuously, the publicly available
malware datasets need to be updated systematically and benchmarked. In this
thesis, a deep neural network (DNN), a type of deep learning model, is explored to develop a
flexible and effective IDS that detects and classifies unforeseen and unpredictable
cyber-attacks. The continuous change in network behaviour and the rapid evolution of attacks
make it necessary to evaluate various datasets generated over the years through static
and dynamic approaches. This type of study helps to identify the algorithm that works
most effectively in detecting future cyber-attacks. A comprehensive evaluation of
DNNs and other classical machine learning classifiers is presented on various
publicly available benchmark malware datasets. The optimal network parameters and
network topologies for the DNNs are chosen through hyperparameter selection
methods on the KDDCup 99 dataset. All DNN experiments are run for up to 1,000 epochs with
the learning rate varying in the range [0.01-0.5]. The DNN model that performed well on
KDDCup 99 is applied to other datasets, such as NSL-KDD, UNSW-NB15, Kyoto, WSN-DS and
CICIDS 2017, to conduct the benchmark. Our DNN model learns an abstract, high-dimensional
feature representation of the IDS data by passing it through many hidden layers. Rigorous
experimental testing confirms that DNNs perform well in comparison with the classical
machine learning classifiers. Finally, we propose a highly scalable, hybrid DNN
framework that can be used in real time to monitor network traffic and
host-level events effectively and to raise proactive alerts about possible cyber-attacks.
CONTENTS
INTRODUCTION
RELATED WORK
RESEARCH METHODOLOGY
CONCLUSION
REFERENCES
1. INTRODUCTION
Figure 1
2.4 TYPES OF ATTACKS
IDS play a major role in identifying different types of attacks. The main aim of
an IDS is to find intrusions, which is treated as a classification problem. The
attacks are divided into categories such as DOS, Probe, U2R and R2L.
1. Denial of Service (DOS)
2. Probe
3. User to Root (U2R)
In this attack, the attacker tries to exploit a vulnerability to gain root access.
Some attacks of this type are Eject, Ps, Perl, Fbconfig and others.
4. Remote to Local (R2L)
In this attack, the attacker gains unauthorized access from a remote
machine. Some of the R2L attacks are Guest, Phf, Sendmail, Named and
others.
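The attack names listed above can be mapped to their categories with a simple lookup. The sketch below is only an illustration: the function name `categorize` and the "Normal" and "Unknown" fallbacks are assumptions, and the grouping follows the usual KDD-style taxonomy, in which the root-access attacks belong to U2R.

```python
# Attack names are spelled as in the text above; assigning them to U2R and R2L
# follows the usual KDD-style taxonomy and is an assumption of this sketch.
ATTACK_CATEGORY = {
    "eject": "U2R",
    "ps": "U2R",
    "perl": "U2R",
    "fbconfig": "U2R",
    "guest": "R2L",
    "phf": "R2L",
    "sendmail": "R2L",
    "named": "R2L",
}


def categorize(label):
    """Return the attack category for a record label (hypothetical helper)."""
    name = label.strip().lower()
    if name == "normal":
        return "Normal"
    # Names outside the table are reported as "Unknown" rather than guessed.
    return ATTACK_CATEGORY.get(name, "Unknown")
```

A multi-class classifier would use such a mapping to turn individual attack names into the category labels it is trained on.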
An IDS operates in four stages, namely data collection, feature selection, analysis, and
action.
Data collection
Feature selection
Analysis
Action
Data Collection
This module collects the data and sends it to the IDS, where the data is
saved and analyzed.
Feature Selection
This module selects features from the collected network data.
For example, the source and destination IP addresses can be taken as features
for intrusion detection.
Analysis
Here, rule-based IDS (RIDS) and anomaly-based IDS (AIDS) are used for
analyzing the data. RIDS analyzes the incoming traffic and AIDS analyzes the
system behavior.
Action
Figure 4
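The four stages described in this section can be sketched as a small pipeline. This is a minimal illustration under stated assumptions, not the system built in this work: the record fields (`src_ip`, `dst_ip`, `bytes`), the blocked-source rule, the z-score threshold on record size, and the "alert"/"allow" decisions are all hypothetical.

```python
from statistics import mean, pstdev

# Hypothetical rule set for the rule-based check (RIDS); not from the thesis.
BLOCKED_SOURCES = {"203.0.113.7"}


def collect(raw_records):
    """Stage 1, data collection: store the incoming records for analysis."""
    return list(raw_records)


def select_features(record):
    """Stage 2, feature selection: keep source IP, destination IP and size."""
    return record["src_ip"], record["dst_ip"], record["bytes"]


def rule_based(features):
    """RIDS-style check: match the traffic against known-bad sources."""
    src_ip, _dst_ip, _size = features
    return src_ip in BLOCKED_SOURCES


def anomaly_based(features, baseline_sizes, threshold=3.0):
    """AIDS-style check: flag sizes that deviate strongly from the baseline."""
    _src_ip, _dst_ip, size = features
    mu, sigma = mean(baseline_sizes), pstdev(baseline_sizes)
    if sigma == 0:
        return size != mu
    return abs(size - mu) / sigma > threshold


def act(flagged):
    """Stage 4, action: a placeholder decision chosen for this sketch."""
    return "alert" if flagged else "allow"


def run_ids(raw_records, baseline_sizes):
    """Run all four stages and return one decision per record."""
    decisions = []
    for record in collect(raw_records):
        features = select_features(record)
        # Stage 3, analysis: either check may flag the record.
        flagged = rule_based(features) or anomaly_based(features, baseline_sizes)
        decisions.append(act(flagged))
    return decisions
```

Here the anomaly check is reduced to a single numeric feature for brevity; an anomaly-based IDS would normally model system behavior over many features.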
3. RESEARCH METHODOLOGY
As DNNs are parametrized, their performance depends on finding optimal parameters. The
optimal DNN network parameters and network topologies were determined using the
KDDCup 99 dataset only. To identify the ideal parameters, a medium-sized architecture was
used for the experiments, with specific values for the number of hidden units, the
learning rate and the activation function. A medium-sized DNN contains 3 layers: an input
layer, a hidden (fully connected) layer and an output layer.
For KDDCup 99, the input layer contains 41 neurons, and the hidden layer contains 128, 256,
384, 512, 640, 768, 896 or 1,024 units. The output layer contains 1 neuron when classifying
a connection record as either normal or attack, and 5 neurons when classifying a
connection record as normal or attack and assigning each attack to its corresponding
attack category. The units of the input layer and the hidden layer, and those of the
hidden layer and the output layer, are fully connected. Initially, the train and test
datasets were normalized using L2 normalization. Two trials of experiments were run with
the medium-sized DNN for each hidden-unit setting (128, 256, 384, 512, 640, 768, 896 and
1,024), each for 300 epochs. Across these settings, the DNN learnt the patterns of normal
connection records within 200 epochs, in comparison with those of attack records.
Capturing the significant features that distinguish attack connection records required
200 epochs. After 200 epochs, the performance on normal connection records fluctuated
due to overfitting.
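The layer sizes and the L2 normalization described above can be illustrated with a small forward pass in plain Python. This is a sketch under stated assumptions rather than the configuration used in the experiments: the text does not name the activation functions, so ReLU for the hidden layer, a sigmoid for the 1-neuron output and a softmax for the 5-neuron output are assumed, and all function names and the weight initialization are hypothetical.

```python
import math
import random


def l2_normalize(row):
    """Scale a feature vector to unit Euclidean (L2) norm."""
    norm = math.sqrt(sum(x * x for x in row))
    return [x / norm for x in row] if norm > 0 else list(row)


def init_layer(n_in, n_out, rng):
    """Fully connected layer with small random weights (assumed initialization)."""
    weights = [[rng.uniform(-0.1, 0.1) for _ in range(n_in)] for _ in range(n_out)]
    biases = [0.0] * n_out
    return weights, biases


def dense(x, layer):
    """Weighted sum plus bias for every unit of a fully connected layer."""
    weights, biases = layer
    return [sum(w * xi for w, xi in zip(row, x)) + b for row, b in zip(weights, biases)]


def forward(x, hidden, output):
    """Input -> hidden (ReLU, assumed) -> output (sigmoid or softmax, assumed)."""
    h = [max(0.0, z) for z in dense(l2_normalize(x), hidden)]
    out = dense(h, output)
    if len(out) == 1:
        # Binary case: one neuron, read as the probability of "attack".
        return [1.0 / (1.0 + math.exp(-out[0]))]
    # Multi-class case: one probability per class.
    peak = max(out)
    exps = [math.exp(z - peak) for z in out]
    total = sum(exps)
    return [e / total for e in exps]


def parameter_count(n_in, n_hidden, n_out):
    """Number of weights and biases in the 3-layer network."""
    return (n_in + 1) * n_hidden + (n_hidden + 1) * n_out
```

For example, `parameter_count(41, 128, 1)` gives 5,505 trainable parameters and `parameter_count(41, 1024, 5)` gives 48,133, which shows how quickly the model grows across the hidden-unit settings that were tried.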
Using a hit-and-trial (trial-and-error) method, I will adjust the number of neurons in the
hidden layer so that the model produces results without overfitting or
underfitting.
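One way to organize such a trial-and-error search is sketched below. It is an assumption about how the search could be structured, not the procedure used in this work: `select_hidden_units`, the `evaluate` callback (which would train a model and return its training and validation accuracy) and the `max_gap` tolerance are all hypothetical.

```python
# Hidden-layer sizes taken from the experiments described in this section.
HIDDEN_UNIT_CANDIDATES = [128, 256, 384, 512, 640, 768, 896, 1024]


def select_hidden_units(candidates, evaluate, max_gap=0.05):
    """Pick the hidden-layer size with the best validation accuracy.

    `evaluate(units)` is a caller-supplied function returning
    (train_accuracy, validation_accuracy) for a model with `units` hidden units.
    """
    best_units, best_val = None, float("-inf")
    for units in candidates:
        train_acc, val_acc = evaluate(units)
        # A large train/validation gap is treated as a sign of overfitting.
        if train_acc - val_acc > max_gap:
            continue
        # Underfitting settings score low on validation and lose this comparison.
        if val_acc > best_val:
            best_units, best_val = units, val_acc
    return best_units
```

The function returns `None` when every candidate exceeds the gap tolerance, which signals that the tolerance or the candidate list needs to be revisited.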