A Comparative Study of Transfer Learning in the Field of Intrusion Detection
In recent times, organizations have faced many cyberattacks daily, and the Internet is the main means of these attacks. Between the time an attack occurs, is detected, and a remedy is found and implemented, a lot of damage might have been done. Thus, there is a great need for much faster detection and remediation times. In networks, an Intrusion Detection System (IDS) is a major component in alleviating these attacks and securing organizations against them. For this reason, much research is being done to develop IDSs that can evolve rapidly to detect these attacks, especially day-zero attacks. The traditional approach has been that once new attack vectors are detected, the models are re-trained to identify these specific attacks and to determine their threat level. This research proposes the use of Transfer Learning (TL) in the context of Deep Learning (DL) for intrusion detection. Transfer Learning allows learning from existing models. Two base models are implemented: one for the PortScan attack only, and the other for Botnet, DDoS, and PortScan attacks. Each model is transferred to learn about the target DoS and Heartbleed attacks. The proposed methodology is evaluated for different training sizes of the target domain. Of the proposed base models, the best result is obtained using the PortScan-based DNN model. Experimental results show that with 60% training data, the transfer-learning-based deep learning model achieves the best F1-score of 89.7%, which is at least 10% more than machine learning algorithms such as LightGBM, LR, GNB, SGD, and AdaBoost. The detection time of these models is also observed to be approximately 75% inferior to LightGBM.
Authors: Harsh Mandali, Charlie Obimbo
- Date of Conference: 7-9 December 2021
- DOI: 10.20533/ICITST.2021.0020
- ISBN: 978-1-913572-39-6
- Conference Location: Virtual (London, UK)