Survey Summary
Survey Summary
Survey Summary
A Novel Two-Stage Deep Learning Model for Network Intrusion Detection: LSTM-AE
Abstract:
The deep neural network (DNN) and convolutional neural network (CNN) are examined in this paper as types
of deep learning models for developing a flexible and effective IDS capable of detecting and comparing them
with the proposed model in detecting cyber-attacks.
A novel two-stage deep learning technique hybridizing Long-Short Term Memory (LSTM) and Auto-
Encoders (AE) is proposed for detecting attacks. The CICIDS2017 and CSE-CICDIS2018 datasets are used to
determine the optimum network parameters for the proposed LSTM-AE.
In this paper, the main goal of research is to propose a robust IDS that is able to process a large volume of
complicated raw network data efficiently and to provide effective detection with higher performance results.
Methodology:
In this paper, we propose a novel two-stage model that combines AE and LSTM with a data preprocessing
phase to effectively identify attack categories from regular traffic.
The AE encodes the original data and forms a bottleneck, and the decoding network restores all the data. The
main challenges of the proposed model are the combination of two types of architectures and the training with
smoothing constraints.
Some reasons why the proposed LSTM-AE may be better suited for intrusion detection tasks compared
to DNN and CNN:
• Sequential data processing: LSTM-AE is well-suited for processing sequential data, such as time series or
natural language data, which require a model to remember and analyse past events or words. LSTM-AE’s
memory cells allow it to retain information for an extended period, making it useful for tasks that require a
model to remember patterns over time.
• Feature extraction: Autoencoders, including LSTM-AE, are well-suited for feature extraction tasks, where
the goal is to identify and represent the most important features of the input data. This makes LSTM-AE useful
for dimensionality reduction tasks, where it can learn a compressed representation of the input data.
• Anomaly detection: LSTM-AE is useful for anomaly detection tasks, where the goal is to identify unusual or
unexpected patterns in the data. Because LSTM-AE is trained to reconstruct the input data, it can identify
anomalies that do not fit the learned patterns.
• Data efficiency: LSTM-AE can be more data-efficient than DNN and CNN, especially in cases where there is
imbalanced training data available. This is because LSTM-AE can learn to generalize from a set of examples
• A two-stage Deep Learning-based IDS by hybridizing an LSTM and an AE termed LSTM-AE, where data
has been filtered in order to lessen the over-fitting and under-fitting.
• The LSTM-AE can effectively balance the dimensionality reduction and feature retention in highly
imbalanced datasets. Therefore, the proposed model has been tested with two datasets.
• The LSTM-AE has a much higher detection performance than other popular intrusion detection models.
A novel two-stage intrusion detection system in this article that utilizes a highly efficient framework and is
capable of analysing network activity is proposed.
The system employs a distributed deep-learning model for real-time data processing and analysis, which
includes the DNN model and CNN model that were selected for a thorough comparison with the proposed
LSTM-AE model.
The proposed hybrid model achieved remarkable multi-class detection accuracy of 99.99% on the
CICIDS2017 dataset, compared to 99.10% on the CSE-CICIDS2018 dataset when trained for up to 30 epochs.
These experimental results outperformed those of other state-of-the-art intrusion detection models in terms of
accuracy performance metrics.
The LSTM-AE model for IDS has a promising future with potential advancements that can further improve its
performance. For instance, researchers can experiment with alternative architectures, such as stacked or
bidirectional LSTM-AE models, to evaluate whether they can achieve better out-comes.
Paper 2:
Automated Deep Learning BLACK-BOX Attack for Multimedia P-BOX Security Assessment
Abstract:
This paper provides a deep learning-based decryptor for investigating the permutation primitives used in
multimedia block cipher encryption algorithms.
The aim to investigate how deep learning can be used to improve on previous classical works by employing
ciphertext pair aspects to maximize information extraction with low-data constraints by using
convolution neural network features to discover the correlation among permutable atoms to extract the
plaintext from the ciphered text without any P-box expertise.
The evaluation of testing methods has been conceptualized as a regression task in which neural networks are
supervised using a variety of parameters such as variations between input and output, number of iterations, and
P-box generation patterns.
Methodology:
The work will proceed by recovering permutation pattern information from cipher images using a
convolutional encoder network.
Furthermore, using a symmetric deconvolutional generator network, we construct encrypted pictures from the
features to match their equivalent plain images. To decrypt the P-box encryption technique, we must involve a
strong mapping function that can be expressed as the inverse transform between encrypted and plain images.
Deep convolutional neural networks (CNN) are used to mimic such complex inverse characteristics.
The system is split into convolutional and deconvolutional groups. The input is encrypted images specifically
mentioned as X in convolutional groups, and we start generating six convolutional layers to quantify input
image composition that gets low-dimensional characteristic features.
From the dense layer, we reverse the convolution stage in deconvolutional groups and reestablish the basic
images with good accuracy.
The regenerated images are compared to corresponding ground truth plain images presented as objective, with
the error function MeanSquaredError (MSE).
Conclusion:
In this research, findings provide an innovative methodology for leveraging deep learning to identify
decryptors. At its heart, adoption of frequent dissimilarities to solve the challenge of discriminating in two-
dimensional space.
The presented research is intended to be used separately from the operational mode of cryptography
implementations. It should be used a prior, such that, during the design stage of cipher architecture, it can be
used to examine the strongest permutation mechanism to be used.
Otherwise, it can be implemented to assess and compare different permutation patterns algorithms with a
scientific hypothesis.
In future research, the deep learning-based cryptanalysis for video and sound encryption as well as other
multimedia encryption systems should be addressed.
Paper 3:
Abstract:
In this survey, The focus on the applications of graph representation learning to the detection of network-based
and host-based intrusions, with special attention to GNN methods.
For both network and host levels, the graph data structures that can be leveraged and is comprehensively
reviewed the state-of-the-art papers along with the used datasets.
Analysis reveals that GNNs are particularly efficient in cybersecurity, since they can learn effective
representations without requiring any external domain knowledge. The robustness of these techniques based
on adversarial attacks is evaluated.
• Transductive learning: in this setting, the predictions are taking place on a single large graph and cannot
generalize to new graphs. Consequently, the model can predict labels solely from nodes and edges that have
been seen during training.
In the special case of intrusion detection, an inductive detection model may be able to generalize on new
enterprise net-works or new host machines, whereas a transductive detection model may be trained on a
specific network with a fix set of hosts, or on a specific host machine.
1) Preprocessing: In the first step, raw data such as network captures or system logs are converted into graph
structures.
2) GNN Embedding: The second step involves projecting the nodes and edges of an input graph into an
embedding space to capture desired similarities among them, such as structural and contextual similarity, or
feature similarity.
3) Detection & Training: The last step of the intrusion detection process is to leverage the embedding space to
search for potential anomalies or attacks. Depending on the use case, a classifier can predict the label of a
node, an edge, or the whole graph.
Methodology:
The proposed method uses a saliency map technique to identify critical features that can be modified with
minimal perturbations.
Additionally, a hierarchical node selection algorithm based on random walk with restart is employed to
select the most vulnerable nodes with high attack priority. This adversarial attack works in black-box scenario,
meaning that only the output prediction is known by the attacker.
The proposed Hierarchical Adversarial Attacks (HAA) method is evaluated using the UNSW-SOSR2019
dataset, and results has to show that it can reduce classification precision by more than 30%.
The findings suggest that this approach is an effective strategy for implementing level-aware black-box
adversarial attacks against GNN-based IDSs in IoT environment.
Final Discussion:
Although the use of GNNs in intrusion detection is relatively new, existing research has demonstrated that
representing systems as graph structures offers properties that can enhance the accuracy of detection models.
In this paper, focus is on the extraction of graph structures along with the training of GNN models for
downstream classification tasks on both network-based and host-based intrusion detection.
We comprehensively review and categorize the state-of-the-art approaches and the datasets used, highlighting
the potential of GNNs in generating efficient embeddings for robust detection of various types of intrusions.
Paper 4:
Abstract:
This paper presents a cloud-based intrusion detection model based on random forest (RF) and feature
engineering. Specifically, the RF classifier is obtained and integrated to enhance accuracy (ACC) of the
proposed detection model.
The proposed model approach has been evaluated and validated on two datasets and gives 98.3% ACC and
99.99% ACC using Bot-IoT and Network Security Laboratory - Knowledge Discovery in Databases (NSL-
KDD) datasets, respectively.
Consequently, the obtained results present good performances in terms of ACC, precision, and recall when
compared to the recent related works.
Methodology:
The features reducing are integrated to minimize execution time and to perform prediction. In addition, the RF
classifier is trained with the two features selected as a subset from the NSL-KDD dataset to identify intrusions.
Our proposed model adopts the main standard components of IDS.
Hence, our model implements the collecting data module, preprocessing module data, and decision
module. Our contribution focused more on the preprocessing data module by enhancing feature engineering
tasks and obtaining reliable predictions.
The preprocessing module focuses on data normalization. Therefore, the categorical features are transformed
into numeric values with the dummies function that allows symbolic features to be mapped as numeric values.
Then, the detected inconsistencies are deleted.
Our intrusion detection model includes feature selection to identify and combine useful features for accurate
detection. The graphic data visualization task is used to select the optimum feature subset that can enhance the
prediction of the proposed model.
Once the subset is selected, the RF algorithm is applied to obtain a reliable classifier.
In this paper, an approach for detecting intrusions by combining graphic visualization and RF for cloud
security is presented. Then the first one is used for feature engineering and the second one is used to predict
and detect intrusions.
Before the training of the model, we reduced the number of features to two. Based on the obtained results, the
RF classifier is a remarkably more accurate method to predict and classify the attack type than DNN, DT, and
SVM.
Demonstration of the potential using a small number of features by contrasting the results with those of other
classifiers has been done. But recall is still not well enough using NSL-KDD, so in future work, focus should
be on this point, by using DL and ensemble learning techniques to improve our model.
Paper 5:
Machine and Deep Learning Solutions for Intrusion Detection and Prevention in IoTs: A Survey
Abstract:
Intrusion Detection System (IDS) is a secondary intelligent system to monitor, detect, and alert about
malicious activities; an Intrusion Prevention System (IPS) is an extension of a detection system that triggers
relevant action when an attack is suspected in a futuristic aspect.
Our survey is to present a study of risk factor analysis using mapping technique, and provide a proposal for
hybrid framework for an efficient security model for intrusion detection and/or prevention.
We explore the importance of various Artificial Intelligence (AI)-based techniques, tools, and methods used
for the detection and/or prevention systems in IoTs. More specifically, we emphasize on Machine Learning
(ML) and Deep Learning (DL) techniques for intrusion detection-prevention systems and provide a
comparative analysis focusing on the feasibility, compatibility, challenges, and real-time issues.
Contribution
The present survey focuses on Machine Learning (ML) and Deep Learning (DL) approaches for IDPS. Our
main contributions are as follows.
Comprehensive taxonomy: study provides a detailed taxonomy of intrusion detection and prevention system
in IoT using machine learning and deep learning techniques with systematic review literature.
Performance analysis: providing the performance analysis of the latest IDPS models based on ML and DL
techniques with accuracy and notify the limitations.
Prevention techniques: study explores various prevention techniques, mitigation strategies, and the methods
implemented for IPS in IoT.
Risk analysis: A risk factor analyser to identify the level of risk and take an action to implement a counter
measure and mitigate effects by improving the security control in the manufacturing unit.
Hybrid framework: A hybrid framework to avoid the disadvantages raised by anomaly and signature-based
techniques and apply the risk factor based on the complication levels.
Lack of interoperability and accessibility in the vast heterogeneous landscape results in poor monitoring of the
security mechanism in IoT networks. Therefore, a comprehensive and dis-tinct security mechanism is very
much required to protect the digital world and secure it from serious security threats.
NETWORK BASED INTRUSION DETECTION SYSTEM (NIDS) is placed near a rewall with an
independent sensor device specially to monitor local network traffic. This identifies the malicious events from
incoming packets as denial of attacks on services and scanned ports on the network. This system resides in the
network ports and works with a rewall for better protection against known attacks.
HOST-BASED INTRUSION DETECTION SYSTEM (HIDS) is an intelligent detection system that acts as
an agent to inspect and report suspicious activities attempted on a host device. Continuous observation of the
dynamic behavior, state of the system, storage area, internal configuration, network packets targeted, program
executed, and resource accessed are the primary function of HIDS.
SIGNATURE INTRUSION DETECTION SYSTEM (SIDS) is a Signature-based detection technique
looks for evidence known to be indicative based on designed patterns. Searching for a specific payload in a
data packet, matching with the existing patterns generated by the NIDS/HIDS, and registering it as a signature
of misuse is the procedure of the SIDS technique.
ANOMALY INTRUSION DETECTION SYSTEM(AIDS) is an anomaly detection is based on the
observation and deviation of behavior or activity from the normal baseline. An anomaly detection system in
NIDS detects the intrusion at the physical network after passing the rewall, and in HIDS it is the last layer of
the protection that exists in the endpoint that allow ne-tuned protection at the application level.
Intrusion Prevention System (IPS) monitors the network and identifies the abnormal activity with the
traditional techniques. IPS prevents the similar attack occurrence in future by closing the access points,
terminating the TCP session, reprogram the rewall, removing the traces of attack from payloads and headers.
Raghavendra et al. [1] propose a Least square Bolster-based support vector machine-based prevention
technique with two segments. A half and half components are used to remove the redundant information in
the upper level. It uses the wrapper method to select the relevant features for the classification in the lower
level. After the classification of attack, the features having a high impact on the classification are observed to
block the related entries for preventing intrusions.
A Software Designed Network (SDN)[2] based IDPS for IoT network proposed by Amir Ali et al. [99] uses a
three-tier framework. It process the user validation for IoT layer as the main tier, packet validation for
data plane layer using fuzzy filtering methods to classify the attack records. Finally, the third tier ows
validation with control plane layer for detection and prevention.
OPPORTUNISTIC SOLUTIONS
Continuous network monitoring and defending are the essential factors of network security to predict and
avoid the malicious activity. Traditional detection system monitors and alerts when suspicious event occurs,
whereas the prevention system take a relevant action when the malware is detected. Based on the models and
theories developed for detection, anticipating the importance of the risk and take significant actions,
A mapping technique has been proposed and this evaluates the event type, analyse the risk factor and
suggested a mitigation strategy. Identifying and providing early warning for intrusion and violating the next
action is very much necessary for IoT network structure.
The system must be active in classifying and analysing the risk factor to distinguish the suspicious packets
and trigger the prevention technique. IPS is an inline product that focuses on identifying and blocking.
References:
1. N. R. Sai, A. G. Raghavendra, N. C. M. Deepak, and M. Poojitha, ‘‘A machine learning intrusion prevention
and detection system using securing smart grid,’’ Int. J. Recent Technol. Eng., vol. 8, no. 5, 2278 3878, 2020.
2. V. Balamurugan and R. Saravanan, ‘‘Enhanced intrusion detection and prevention system on cloud
environment using hybrid classi cation and OTS generation,’’ Cluster Comput., vol. 22, no. S6, pp. 13027
13039, Nov. 2019.