Developing a Siamese network for intrusion detection systems

Hindy, Hanan and Tachtatzis, Christos and Atkinson, Robert and Bayne, Ethan and Bellekens, Xavier; (2021) Developing a Siamese network for intrusion detection systems. In: EuroMLSys '21. Association for Computing Machinery, GBR, 120–126. ISBN 9781450382984 (https://doi.org/10.1145/3437984.3458842)

[thumbnail of Hindy-etal-EuroMLS-2021-Developing-a-Siamese-network-for-intrusion-detection]
Preview
 Text. Filename: Hindy_etal_EuroMLS_2021_Developing_a_Siamese_network_for_intrusion_detection.pdf
Accepted Author Manuscript
Download (586kB)| Preview

Abstract

Machine Learning (ML) for developing Intrusion Detection Systems (IDS) is a fast-evolving research area that has many unsolved domain challenges. Current IDS models face two challenges that limit their performance and robustness. Firstly, they require large datasets to train and their performance is highly dependent on the dataset size. Secondly, zero-day attacks demand that machine learning models are retrained in order to identify future attacks of this type. However, the sophistication and increasing rate of cyber attacks make retraining time prohibitive for practical implementation. This paper proposes a new IDS model that can learn from pair similarities rather than class discriminative features. Learning similarities requires less data for training and provides the ability to flexibly adapt to new cyber attacks, thus reducing the burden of retraining. The underlying model is based on Siamese Networks, therefore, given a number of instances, numerous similar and dissimilar pairs can be generated. The model is evaluated using three mainstream IDS datasets; CICIDS2017, KDD Cup'99, and NSL-KDD. The evaluation results confirm the ability of the Siamese Network model to suit IDS purposes by classifying cyber attacks based on similarity-based learning. This opens a new research direction for building adaptable IDS models using non-conventional ML techniques.

CORE (COnnecting REpositories)