Structure
BLS variants differ in how the nodes within and across layers are connected. These structural changes let BLS make better use of its flat structure and incremental learning. The framework of several BLS variants, with their mathematical modeling, is given in [1]. The variations include cascade, recurrent, and broad–deep combination structures. In addition, a novel recurrent BLS (RBLS) is proposed based on the typical BLSs: the nodes in the enhancement units of the BLS are recurrently connected in order to capture the dynamic characteristics of a time series.
[1] Chen C, Liu Z, Feng S. Universal Approximation Capability of Broad Learning System and Its Structural Variations. IEEE Transactions on Neural Networks and Learning Systems, 2019, 30(4): 1191-1204. https://ieeexplore.ieee.org/document/8457525
Cascade BLS Variants for Classifying Network Intrusions
We implement the recently proposed Broad Learning System (BLS) and its extensions to detect network anomalies and intrusions. The developed Python code includes modules for the BLS, RBF-BLS, cascades of mapped features (CFBLS), cascades of enhancement nodes (CEBLS), and cascades of mapped features and enhancement nodes (CFEBLS) models as well as their incremental learning variants. We evaluate the performance of the BLS models on two datasets containing DoS attacks: the Canadian Institute for Cybersecurity (CIC) Intrusion Detection System dataset (CICIDS2017) and the dataset from the collaborative project between the Communications Security Establishment (CSE) and the CIC (CSE-CIC-IDS2018). The algorithms are compared based on accuracy, F-Score, and training time.
The CICIDS2017 dataset includes intrusions that rely on various network vulnerabilities and were executed using malicious attack tools: Patator, Slowloris, Heartleech, Damn Vulnerable Web App, Metasploit, Ares, and Low Orbit Ion Cannon. Extraction of 84 features including duration, size of packets, number of packets, and number of bytes was performed using an application for generating and analyzing network traffic flows. We use DoS data collected on Wednesday, 05.07.2017 and labeled Slowloris, Hulk, GoldenEye, and SlowHTTPTest having 5,796, 230,124, 10,293, and 5,499 intrusions, respectively.
The recent CSE-CIC-IDS2018 testbed for intrusion detection is a collaborative project between CSE and CIC. The attacker network includes 50 terminals, while the victim network is implemented as a Local Area Network (LAN) with 420 terminals and 30 servers divided into 5 subnets. Ubuntu and MS Windows 8.1 and 10 were used for host machines, while MS Windows 2012 and 2016 were used for servers. Both victim and attacker networks were implemented using the Amazon Web Services computing platform. The CSE-CIC-IDS2018 dataset was captured over ten days between Wednesday 14.02.2018 and Friday 02.03.2018 and includes attack scenarios, dates, and start and end times of the attack(s). The 83 extracted features include flow duration, maximum/minimum packet size, and flow packet rate. We consider the DoS attacks GoldenEye and Slowloris collected on Thursday, 15.02.2018 from 09:26 to 10:09 and from 10:59 to 11:40, respectively.
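To make the CFBLS structure and the accuracy/F-Score comparison concrete, here is an added example that is not the project's code: a minimal cascade-of-mapped-features BLS trained by ridge regression on a small constructed set of flow records. The function names, the tanh activations, the plain random (not sparse-autoencoder-tuned) weights, the node counts, and the three-feature sample data are all assumptions made for illustration.

```python
import numpy as np

def make_flows(n, seed):
    """Constructed sample flows [duration_s, packets, bytes_per_packet]; 1 = DoS-like."""
    rng = np.random.default_rng(seed)
    benign = rng.normal([1.0, 40.0, 600.0], [0.3, 8.0, 80.0], (n, 3))
    dos = rng.normal([30.0, 8.0, 60.0], [5.0, 2.0, 15.0], (n, 3))
    return np.vstack([benign, dos]), np.r_[np.zeros(n, int), np.ones(n, int)]

def state_matrix(model, X):
    """A = [Z_1 ... Z_n | H], where Z_k is computed from Z_{k-1} (the cascade)."""
    z, groups = (X - model["mu"]) / model["sd"], []
    for W, b in model["maps"]:
        z = np.tanh(z @ W + b)          # Z_k = phi(Z_{k-1} W_k + b_k), Z_0 = X
        groups.append(z)
    Z = np.hstack(groups)
    W_h, b_h = model["enh"]
    return np.hstack([Z, np.tanh(Z @ W_h + b_h)])   # enhancement nodes H

def fit_cfbls(X, y, n_groups=3, n_map=10, n_enh=20, lam=1e-3, seed=0):
    """Hidden weights stay random; only the output weights W are solved for."""
    rng = np.random.default_rng(seed)
    dims = [X.shape[1]] + [n_map] * n_groups
    model = {
        "mu": X.mean(axis=0), "sd": X.std(axis=0) + 1e-12,
        "maps": [(rng.uniform(-1, 1, (dims[k], n_map)), rng.uniform(-1, 1, n_map))
                 for k in range(n_groups)],
        "enh": (rng.uniform(-1, 1, (n_groups * n_map, n_enh)),
                rng.uniform(-1, 1, n_enh)),
    }
    A, Y = state_matrix(model, X), np.eye(2)[y]     # one-hot targets
    # Ridge regression: W = (A^T A + lam*I)^-1 A^T Y
    model["W"] = np.linalg.solve(A.T @ A + lam * np.eye(A.shape[1]), A.T @ Y)
    return model

def predict(model, X):
    return (state_matrix(model, X) @ model["W"]).argmax(axis=1)

def accuracy_f1(y_true, y_pred):
    """Accuracy and F-Score for the positive (DoS-like) class."""
    tp = int(np.sum((y_pred == 1) & (y_true == 1)))
    fp = int(np.sum((y_pred == 1) & (y_true == 0)))
    fn = int(np.sum((y_pred == 0) & (y_true == 1)))
    return float(np.mean(y_pred == y_true)), 2 * tp / max(2 * tp + fp + fn, 1)

if __name__ == "__main__":
    X_tr, y_tr = make_flows(200, seed=1)
    X_te, y_te = make_flows(100, seed=2)
    print(accuracy_f1(y_te, predict(fit_cfbls(X_tr, y_tr), X_te)))
```

Training reduces to a single linear solve, which is why training time appears alongside accuracy and F-Score as a comparison metric. The standardization statistics are taken from the training split only, so the held-out flows do not leak into the model.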
Related publications and code: http://www.sfu.ca/~ljilja/cnl/projects/BLS_intrusion_detection/index.html