DOI: 10.1145/3664476.3664505
research-article

SECL: A Zero-Day Attack Detector and Classifier based on Contrastive Learning and Strong Regularization

Published: 30 July 2024 Publication History

Abstract

Intrusion Detection Systems (IDSs) have always had difficulty detecting Zero-Day Attacks (ZDAs). One of the advantages of Machine Learning (ML)-based IDSs, their superiority in detecting ZDAs, remains largely unexplored, especially when considering multiple ZDAs. This is mainly because ML-based IDSs mostly use supervised ML methods. Although these exhibit better performance in detecting known attacks, they are by design unable to detect unknown attacks, because they are limited to detecting the classes present in the dataset they were trained on. This paper introduces SECL, a method that combines Contrastive Learning (CL) and a new regularization method composed of dropout, Von Neumann Entropy (VNE) and Sepmix (a regularization inspired by mixup). SECL is close to, or even better than, supervised ML methods in detecting known attacks, while gaining the ability to detect and differentiate multiple ZDAs. Experiments were performed on three datasets, UNSW-NB15, CIC-IDS2017 and WADI, showing that this method is able to detect multiple ZDAs while achieving performance similar to supervised methods on known attacks. Notably, on the WADI dataset the proposed method even has better overall performance than a supervised method that knows all attacks. These results pave the way for better detection of ZDAs without reducing performance on known attacks.

Published In

ARES '24: Proceedings of the 19th International Conference on Availability, Reliability and Security
July 2024
2032 pages
ISBN:9798400717185
DOI:10.1145/3664476

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Contrastive Learning
  2. Intrusion Detection Systems
  3. Open-World
  4. Semi-Supervised Learning
  5. Zero-Day Classification
  6. Zero-Day Detection

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2024

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%
