Intrusion Detection Systems (IDS) are relevant tools employed in cybersecurity to protect networks from possible cyber attacks.
In recent years, the world of cyber security has become more turbulent, with a rise in the number of cyber-attacks that target businesses worldwide. For this reason, always new methodologies are needed to shield vital assets from hostile actors in reaction to this expanding danger.
Recently, an increasing focus on the use of Artificial Intelligence (AI) in cyber security. As a subset of artificial intelligence, machine learning algorithms can improve danger detection and automate procedures. Organizations may examine massive volumes of data in real-time, spot patterns suggestive of malicious behaviour, and take preemptive measures to reduce risks by utilizing machine learning algorithms.
In this work, we propose ReTiNA-IDS, a framework that integrates the CICFlowmeter tool with Machine Learning techniques to analyze real-time network traffic patterns and detect abnormalities that may suggest a possible intrusion. The integrated methodology, which is based on random forest and multi-layer networks, is based on selected features to enhance efficiency and scalability. To select the features and train the models, the public dataset CSECICI-IDS2018 has been used. The framework's effectiveness has been tested in real-case scenarios by identifying different forms of intrusion. Analyzing the results, we conclude that the proposed solution shows valuable features. The paper is structured as follows. In Section 2 related works are discussed while in Section 3 some basic background is introduced. In Section 4 the tool ReTiNa-IDS is presented, while in Section 5 some evaluation experiments are proposed. Section 6 concludes the paper.
The use of machine learning approaches in intrusion detection systems to obtain real-time analysis has been exploited by many researchers. Many of them take advantage of Deep Learning (DL) approaches. ARCADE is an unsupervised DL-based approach for early anomaly detection using 1D Convolutional Neural Networks (CNNs) proposed by Lunardi et al. [1]. The approach builds a profile of normal traffic based on raw packet bytes. Kathareios et al. designed and tested a real-time net-work AD system, able to operate on encrypted and nonencrypted network packets, based on two learning stages: an autoencoder for adaptive unsupervised AD and a custom nearest-neighbour classifier to filter false positives [2]. Shuai proposed a prototype that combines big data processing frameworks like Apache Hadoop, Apache Kafka, and Apache Storm, along with ML techniques, i.e., NaΓ―ve Bayesian (NB), Support Vector Machine (SVM), and Decision Tree (DT). The proposed approach considers six features related to the IP addresses of the sender, receiver, and correspondent port without taking into account flow measurements. Ho et al. suggested an Intrusion Detection System (IDS) based on CNN that classifies all packet traffic as benign or malicious, detecting network intrusions [3]. Atefnia and Ahmadi proposed a modular deep neural network model that consists of four complete architectures that are combined with an aggregator module, each generating distinct outputs [4]. The four architectures are a Deep Feed-Forward Module (DFFM), a Stacked Restricted Boltzmann Machine Module (SRBMM), and two recurrent modules, one utilizing gated recurrent units (GRUM) and the other utilizing long short-term memory (LSTMM). Catillo et al. [5] proposed an approach based on Deep Autoencoder, and Fitni and Ramli [6] proposed a model based on decision trees that takes into account 23 features selected by Spearman's rank correlation coefficient [7]. Gamage and Samarabandu considered four DL architectures, i.e., feed-forward neural network, autoencoder, deep belief network, and LSTM [8]. Karatas et al. in [9] reviewed the implementation of a Synthetic Minority Oversampling Technique (SMOTE) [10] to balance the data by exploiting six models. Kanimozhi and Jacob presented a two-layer MLP to detect only botnet attacks that exploit a grid search for hyper-parameter optimization and a 10-fold cross-validation for mitigating the overfitting problems [11]. Huancayo Ramos et al. extended this approach by considering botnet data and Random Forests. Kim et al. also designed a model that exploits CNN for training on a single type of attack, specifically Denial of Service (DoS) attacks [12].
In this section, we present the CICFlowMeter, an Ethernet traffic Bi-flow generator and analyzer for anomaly detection, and the Random Forest, a machine learning method used for classifying flow data and evaluating the importance of features. This classifier will then be integrated into CICFlowMeter for classifying network flows.
CICFlowmeter is a network traffic flow generator and analyser [13,14]. It generates bidirectional flows, where the first packet determines the forward (source to destination) and backward (destination to source) directions. The tool enables the extraction of more than 80 statistical network traffic features such as Duration, Number of packets, Number of bytes, Length of packets, etc. Such features can be calculated independently for both directions. The tool is developed in JAVA and provides a useful Graphical User Interface, shown in Figure 1 to monitor network flows in real-time. TCP flows are usually terminated upon connection teardown (by FINpacket), while a flow timeout terminates UDP flows [15].
The tool is developed in JAVA and provides a useful GUI (Graphical User Interface) to monitor network flows in real time.
The Random Forest is an ML ensemble model used for both classification and regression tasks. During training, the model creates numerous decision trees and determines the output class by either the mode (for classification) or the mean/average prediction (for regression) of the classes predicted by individual trees. Introduced by Breiman in [16], this approach combines the bagging technique with the random selection of features. Such a random selection ensures that the decision trees within the forest are uncorrelated. In the bagging phase, decision trees are constructed from bootstrap samples of the training dataset, where each sample is drawn with replacement, allowing for the possibility of repeated samples. These replicated datasets are then used to train decision trees, ensuring that each tree only sees different portions of the original dataset during training. This bagging approach is coupled with random feature selection, which involves using distinct random subsets of the entire feature space to train each tree in the random forest. Usually, around β π features are employed in each split for a classification task that considers β² π β² features.
The data used in this study is the CSE-CIC-IDS2018, a benchmark dataset for the evaluation of IDSs. Such data was collected by the Communications Security Establishment (CSE) and the Canadian Institute for Cybersecurity (CIC). The recorded data consists of ten days of traffic and includes seven types of attacks. Liu et al. identified some issues in such dataset related to the creation lifecycle, including attack orchestration, feature generation, documentation, and labelling and provided to reconstruct the datasets by deleting artefacts and corrected labelling logic, including corrected implementations of existing features and new features that capture valuable flow state information [17].
We evaluate the performance and effectiveness of the approaches by using Precision (π ), Recall (π ) and , defined as follows
where π π represents the number of true positive, πΉ π denotes the number of false negative, πΉ π represents the number of false positive, π π denotes the number of true negative.
The first 13 attributes ordered by importance
ReTiNA-IDS, Real-Time anomaly Detection IDS Approach, integrates a ML model mainly based on Random Forest in the CICFlowMeter tool to detect Real-Time cyber-attacks and act as a simple IDS. The Random Forest classifier considers only 13 of the 80 features calculated by the CICFlowMeter tool. The list of features with the relative description, selected by another Random Forest model, is in Table 2. After being trained, the model has been exported in a pmml format with the use of the "sklearn-pmml-model" library from Sklearn [18]. The exported model is then imported into CICFlowMeter, which is developed in Java.
The proposed approach is based on Random Forest, described in Section 3.2, and its scheme is shown in Figure 2.
In this study, the used dataset is a revised version of CSE-CIC-IDS2018, as introduced in Section 3.3. The dataset consists of the network traffic captured on ten days, stored in 10 distinct files according to the day of data capture, as shown in Table 3. The first step of the preprocessing consists of data cleaning, i.e., removing missing values, such as incomplete rows, and containing invalid (or infinite) numerical values. Moreover, many non-relevant features for spotting cyber-attacks have been eliminated, such as the IP address of the sender and receiver, the connection timestamp, the protocol type, and the destination/sender port. Furthermore, the traffic data related to Web Attacks is deleted since its volume is insufficient.
The collected data related to network traffic is substantially unbalanced: benign traffic is more prevalent than malicious traffic. To balance the data, we have used the one step of the bootstrapping procedure, implemented in the resample function of Sklearn. Due to the corrupted data on the original dataset, it does not contain data related to FTP Brute Force attacks. Therefore, we have added this kind of data by collecting such data during a simulation of brute force attacks via FTP (File Transfer Protocol). The simulation involved the use of a Windows host (victim machine) and a Kali-Linux host (attacker machine), both in the same local area network (connected to the same router). The victim machine runs a FileZilla server, an open-source software utility that facilitates the transmission of files using the File FTP. It enables users to establish their own FTP servers or connect to existing FTP servers to exchange data, and the victim machine accepts connections on port 21, used to attack. When the FileZilla server on the victim machine is running, the Kali Linux host performs a brute-force attack using Patator, a multi-purpose brute-forcer tool [19]. Table 4 shows the amount of data and the relative kind of attack, after the cleaning and balancing phases.
To select the features, a Random Forest has been considered and implemented by setting up the depth of each decision tree and number of estimators to 16 and 20, respectively. To avoid eventually issue related to overfitting, we consider the cross-validation with 5-fold. Figure 3 shows the obtained confusion matrix. The performance of the model, evaluated in terms of Precision, Recall and πΉ1-score, is shown in the Table 5.
The ML models have been implemented in a Google Colab document with Python 3. The default CPU in the environment is an Intel Xeon CPU equipped with 2 virtual CPUs (vCPUs) and 13GB of RAM [20]. For this study, the configuration involved the utilization of extra RAM, resulting in a total memory capacity of 50GB (included with Google Colab Pro [20]).
For data handling, preprocessing, analysis, training, and evaluation metrics, the recommended model was built and evaluated using Numpy [21], Pandas [22], and Scikit Learn [23]. Matplotlib [24] were used to visualize the data. The testing phase for this study used a Windows operating system for the with the following specifications: an Intel Core i5-4670 CPU at 3.40GHz, 16 GB of DDR4 memory and a Nvidia GTX 1050 Ti GPU.
Retina-IDS, a tool that integrates an ML model into CI-CFlowMeter, analyzes data patterns and distinguishes benign traffic from malicious traffic. The testing phase of ReTiNA-IDS intends to assess the efficiency and efficacy of the machine learning model in real-world network situations. We take advantage of the Graphical Network Simulator-3 (GNS3) software, an open-source network simulation tool used for creating, modelling, and testing virtual and real networks [25], to perform the simulations. To reach the aim, we create a simple network composed of a Cisco router [26] and two generic switches, outlining two different areas of a hypothetical Local Area Network (LAN), a Windows machine and a Kali Linux machine. Figure 4shows the network infrastructure.
In this work, we have presented ReTiNA-IDS, a tool that integrates an ML model into CICFlowMeter, which analyzes data patterns and distinguishes benign traffic from malicious traffic in real-time. The ML model is based on a Random Forest, used to select features and to classify the data. The testing phase, performed by running the tool in a normal traffic situation (without performing any cyberattack) in a local network and the University of Camerino's network, shows that the tool does not identify false positives.
In the near future, we intend to test the approach in botnet traffic to investigate the performance of the ReTiNA-IDS. To reach this aim, we intend to create a central server to control potentially infected hosts. Moreover, we have planned to consider other machine learning models, both supervised and unsupervised. Moreover, motivated by the results obtained for modelling and verifying properties of Collective Adaptive Systems [27,28,29], we intend to define formal approaches to specify and verify properties of the data traffic to monitor the traffic and identify anomalous pattern in the traffic.
Acknowledgements. This work has been funded by the European Union -NextGenerationEU under the Italian Ministry of University and Research (MUR) National Innovation Ecosystem grant ECS00000041 -VITALITY -CUP J13C22000430001