SKT-IDS: Unknown attack detection method based on Sigmoid Kernel Transformation and encoder–decoder architecture

Bibliographic Details
Published in: Computers & Security, Vol. 146, p. 104056
Main Authors: Zha, Chao, Wang, Zhiyu, Fan, Yifei, Zhang, Xingming, Bai, Bing, Zhang, Yinjie, Shi, Sainan, Zhang, Ruyun
Format: Journal Article
Language: English
Published: Elsevier Ltd, 01.11.2024
ISSN: 0167-4048
Description
Summary: Intrusion Detection Systems (IDS) are crucial in cybersecurity for monitoring network traffic and identifying potential attacks. Existing IDS research largely focuses on known attack detection, leaving a significant gap in research regarding unknown attack detection, where achieving a balance between false alarm rate (identifying normal traffic as attack traffic) and recall rate of unknown attack detection remains challenging. To address these gaps, we propose a novel IDS based on Sigmoid Kernel Transformation and encoder–decoder architecture, namely SKT-IDS, where SKT stands for Sigmoid Kernel Transformation. We start with pre-training an attention-based encoder for coarse-grained intrusion detection. Then, we use this encoder to build an encoder–decoder model specifically for 0-day attack detection, training it solely on known traffic using the cosine similarity loss function. To enhance detection, we introduce a Sigmoid Kernel Transformation for feature engineering, improving the discriminative ability between normal traffic and 0-day attacks. Finally, we conducted a series of ablation and comparative experiments on the NSL-KDD and CSE-CIC-IDS2018 datasets, confirming the effectiveness of our proposed method. With a false alarm rate of 1%, we achieved recall rates for unknown attack detection of 65% and 69% on the two datasets, respectively, demonstrating significant performance improvements compared to existing state-of-the-art models.
DOI: 10.1016/j.cose.2024.104056