期刊
IEEE ACCESS
卷 9, 期 -, 页码 106790-106805出版社
IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
DOI: 10.1109/ACCESS.2021.3101188
关键词
Cybersecurity; datasets; intrusion detection system; machine learning; network security; supervised learning
资金
- Instituto Tecnologico de Aeronautica, Programa de Pos-graduacao em Aplicacoes Operacionais (ITA/PPGAO)
The AB-TRAP framework is introduced to address challenges in network intrusion detection systems, utilizing up-to-date network traffic and attacks, and providing a reproducible solution. The implementation of this framework in local and global environments showed successful detection of TCP port scanning attacks, with emphasis on model deployment and performance evaluation.
The increase of connected devices and the constantly evolving methods and techniques by attackers pose a challenge for network intrusion detection systems from conception to operation. As a result, we see a constant adoption of machine learning algorithms for network intrusion detection systems. However, the dataset used by these studies has become obsolete regarding both background and attack traffic. This work describes the AB-TRAP framework that enables the use of updated network traffic and considers operational concerns to enable the complete deployment of the solution. AB-TRAP is a five-step framework consisting of (i) the generation of the attack dataset, (ii) the bonafide dataset, (iii) training of machine learning models, (iv) realization (implementation) of the models, and (v) the performance evaluation of the realized model after deployment. We exercised the AB-TRAP for local (LAN) and global (internet) environments to detect TCP port scanning attacks. The LAN study case presented an f1-score of 0:96, and an area under the ROC curve of 0:99 using a decision tree with minimal CPU and RAM usage on kernel-space. For the internet case with eight machine learning algorithms with an average f1-score of 0.95, an average area under the ROC curve of 0:98, and an average overhead of 1:4% CPU and 3:6% RAM on user-space in a single-board computer. This framework has the following paramount characteristics: it is reproducible, uses the most up-to-date network traffic, attacks, and addresses the concerns to the model's realization and deployment.
作者
我是这篇论文的作者
点击您的名字以认领此论文并将其添加到您的个人资料中。
推荐
暂无数据