Ứng dụng mô hình học sâu trong phát hiện tấn công trinh sát mạng

Authors

  • Nguyen Thi Dung
  • Nguyen Van Quan
  • Nguyen Viet Hung

DOI:

https://doi.org/10.54654/isj.v1i16.922

Keywords:

network reconnaissance, anomaly detection, intrusion detection system, machine learning, deep learning

Tóm tắt

Tóm tắt— Ngày nay, cùng với sự phát triển nhanh chóng của Internet là thực trạng gia tăng các cuộc tấn công mạng cả về quy mô lẫn số lượng. Trong đó, tin tặc có thể sử dụng nhiều phương pháp tấn công khác nhau, nhưng tất cả thường diễn ra theo quy trình nhất định, bắt đầu từ bước trinh sát mạng. Chính vì vậy, để kịp thời phát hiện sớm các hành vi xâm nhập mạng trái phép, đặc biệt là từ giai đoạn trinh sát mạng, cần triển khai các giải pháp, hệ thống phát hiện xâm nhập ứng dụng với những kỹ thuật phát hiện tiên tiến. Trên thực tế, các hệ thống phát hiện xâm nhập mạng (Intrusion Detection System - IDS) thường dựa trên các dấu hiệu thông qua các luật đã được thiết lập trước. Kỹ thuật này còn nhiều hạn chế do không phát hiện được các cuộc tấn công mới hoặc biến thể của các cuộc tấn công đã biết. Nhằm khắc phục hạn chế này, nhiều kỹ thuật ứng dụng máy học đã được nghiên cứu và triển khai. Trong bài báo này, nhóm tác giả đề xuất hướng tiếp cận cải tiến mô hình mạng học sâu hai giai đoạn ứng dụng trong hệ thống phát hiện và phân loại các hình thức tấn công trinh sát mạng. Đề xuất sẽ được đánh giá, thử nghiệm với bộ dữ liệu tiêu chuẩn NSL-KDD, UNSW-NB15, CTU13.

Abstract— In recent years, the number of new types of attacks has increased dramatically. Although there are many types of attack techniques, all of them are following the similar chain of attack, beginning with network reconnaissance phase. Therefore, network reconnaissance attack detection problem is important for every Intrusion Detection System (IDS). In fact, network intrusion detection systems are based on pre-defined rules so they are not able to detect new attacks or variants of known attacks. Meanwhile, hackers have developed many automated toolkits that allow subtle changes to the attack  behavior sufficient for IDS to treat as a zero-day attack. To overcome this limitation, many machine learning models have been applied in IDS and implemented in a real network. In this paper, we propose a new approach that uses two stage AutoEncoder to detect network reconnaissance attacks. The proposed approach is evaluated on network security datasets: NSL-KDD, UNSW_NB15, four scenarios of the CTU13 datasets and compared to existing methods.

Downloads

Download data is not yet available.

References

Elias Bou-Harb, Mourad Debbabi, and Chadi Assi, Cyber Scanning: A Comprehensive Survey, IEEE Communications Surveys and Tutorials, 2014, 16.3: 1496-1519.

Lee, S. Y, Kim, Y. S., Lee, B. H., Kang, S. H.,Youn, C. H., A probe detection model using the analysis of the fuzzy cognitive maps, Computational Science and Its ApplicationsICCSA 2005, 287-291

Vidhya. M, Efficient classification of portscan attacks using

Support Vector Machine, Green High Performance Computing (ICGHPC), 2013 IEEE International Conference, 2013.

Meijuan Gao, Jingwen Tian, Mingping Xia, Intrusion Detection Method Based on Classify Support Vector Machine, secondInternational Conference on Intelligent Computation Technology and Automation, ICICTA ’09, vol. 2, pp. 391-394.

BHUYAN, Monowar H.; BHATTACHARYYA, Dhruba K.; KALITA, Jugal K, AOCD: An Adaptive Outlier Based oordinated Scan Detection Approach, IJ Network Security, 2012, 14.6: 339-351.

Nguyen Viet Hung, Nguyen Van Quan, Le Thi Trang Linh, Shone Nathan, (2018), “Using Deep Learning Model for Network Scanning Detection”, ICFET '18: Proceedings of the 4th International Conference on Frontiers of Educational Technologies , [117–121].

Van Quan Nguyen; Viet Hung Nguyen; Van Loi Cao; Nhien - An Le Khac; Nathan Shone, (2020), “Clustering-Based Deep Autoencoders for Network Anomaly Detection”, Future Data and Security Engineering (pp.290-303).

Nour Moustafa, Jill Slay, (2015), “NSW-NB15 A Comprehensive Data set for Network Intrusion Detection Systems”, School of Engineering and Information Technology, University of New South Wales at the Australian Defence Force Academy Canberra, Australia.

Xavier Glorot, Yoshua Bengio, (2010), “Understanding the difficulty of training deep feedforward neural networks”, Journal of Machine Learning Research 9, [249-256].

Thang, N. M., & Luong, T. T. (2022). Algorithm for detecting attacks on Web applications based on machine learning methods and attributes queries. Journal of Science and Technology on Information Security, 2(14), 26-34.

Downloads

Abstract views: 85 / PDF downloads: 60

Published

2023-02-13

How to Cite

Dung, N. T., Quân, N. V., & Hùng, N. V. (2023). Ứng dụng mô hình học sâu trong phát hiện tấn công trinh sát mạng. Journal of Science and Technology on Information Security, 2(16), 60-72. https://doi.org/10.54654/isj.v1i16.922

Issue

Vol. 2. No. (16) 2022

Section

Papers

License

Proposed Policy for Journals That Offer Open Access

Authors who publish with this journal agree to the following terms:

1. Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.

2. Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.

3. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).

Proposed Policy for Journals That Offer Delayed Open Access

Authors who publish with this journal agree to the following terms:

1. Authors retain copyright and grant the journal right of first publication, with the work [SPECIFY PERIOD OF TIME] after publication simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.

2. Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.

3. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).