Broad Learning System for Classifying Network Intrusions
We implement the recently proposed Broad Learning System (BLS) and its extensions to detect network anomalies and intrusions. Developed Python code includes modules for BLS, RBF-BLS, cascades of mapped features (CFBLS), cascades of enhancement nodes (CEBLS), and cascades of mapped features and enhancement nodes (CFEBLS) models as well as their incremental learning variants. We evaluate the performance of the BLS models by employing datasets from the Canadian Institute for Cybersecurity Intrusion (CIC) Detection System (CICIDS2017) and the collaborative project between the Communications Security Establishment (CSE) and the CIC (CSE-CIC-IDS2018) containing DoS attacks. The algorithms are compared based on accuracy, F-Score, and training time.
The CICIDS2017 dataset includes intrusions that rely on various network vulnerabilities and were executed using malicious attack tools: Patator, Slowloris, Heartleech, Damn Vulnerable Web App, Metasploit, Ares, and Low Orbit Ion Cannon. Extraction of 84 features including duration, size of packets, number of packets, and number of bytes was performed using an application for generating and analyzing network traffic flows. We use DoS data collected on Wednesday, 05.07.2017 and labeled Slowloris, Hulk, GoldenEye, and SlowHTTPTest having 5,796, 230,124, 10,293, and 5,499 intrusions, respectively.
The recent CSE-CIC-IDS2018 testbed for intrusion detection is a collaborative project between CSE and CIC. The attacker-network includes 50 terminals while the victim-network is implemented as a Local Area Network (LAN) with 420 terminals and 30 servers divided into 5 subnets. The Ubuntu and MS Windows 8.1 and 10 were used for host machines while MS Windows 2012 and 2016 were used for servers. Both victim and attacker networks were implemented using the Amazon Web Services computing platform. The CSE-CIC-IDS2018 dataset was captured over ten days between Wednesday 14.02.2018 and Friday 02.03.2018 and includes attack scenarios, date, and start and end times of the attack(s). Extracted are 83 features including flow duration, maximum/minimum packet size, flow packets rate. We consider DoS attacks GoldenEye and Slowloris collected on Thursday, 15.02.2018 from 09:26 to 10:09 and from 10:59 to 11:40, respectively.
Related Publications & codes: http://www.sfu.ca/~ljilja/cnl/projects/BLS_intrusion_detection/index.html