Host-Based Intrusion Detection Model Using Few-Shot Learning


KIPS Transactions on Software and Data Engineering, Vol. 10, No. 7, pp. 271-278, Jul. 2021
https://doi.org/10.3745/KTSDE.2021.10.7.271
Keywords: Machine Learning, LID-DS, Few-Shot Learning, Siamese Network, HIDS
Abstract

As cyber attacks become more intelligent, existing intrusion detection systems have difficulty detecting attacks that deviate from their stored patterns. To address this, deep learning-based intrusion detection models that analyze the patterns of intelligent attacks by learning from data have emerged. Intrusion detection systems are divided into host-based and network-based systems depending on where they are installed. Unlike network-based intrusion detection systems, host-based intrusion detection systems have the disadvantage of having to observe the inside and outside of the system as a whole. However, they have the advantage of being able to detect intrusions that a network-based intrusion detection system cannot. Therefore, this study focuses on host-based intrusion detection. To evaluate and improve the performance of the host-based intrusion detection model, we used the host-based Leipzig Intrusion Detection-Data Set (LID-DS) published in 2018. For the performance evaluation on that data set, 1D vector data is converted to 3D image data in order to confirm the similarity between samples and to identify whether each is normal or abnormal data. In addition, deep learning models have the drawback of having to be retrained every time a new cyber attack method appears, which is inefficient because learning a large amount of data takes a long time. To solve this problem, this paper proposes a Siamese Convolutional Neural Network (Siamese-CNN) that uses Few-Shot Learning, a method that shows excellent performance while learning from a small amount of data. Siamese-CNN determines whether attacks are of the same type from the similarity score between cyber attack samples converted into images.
Accuracy was calculated using the Few-Shot Learning technique, and the performance of a Vanilla Convolutional Neural Network (Vanilla-CNN) and Siamese-CNN was compared to confirm the performance of Siamese-CNN. Measuring the Accuracy, Precision, Recall and F1-Score indices confirmed that the recall of the Siamese-CNN model proposed in this study increased by about 6% over the Vanilla-CNN model.



Cite this article
[IEEE Style]
P. DaeKyeong, S. DongIl, S. DongKyoo, K. Sangsoo, "Host-Based Intrusion Detection Model Using Few-Shot Learning," KIPS Transactions on Software and Data Engineering, vol. 10, no. 7, pp. 271-278, 2021. DOI: https://doi.org/10.3745/KTSDE.2021.10.7.271.

[ACM Style]
Park DaeKyeong, Shin DongIl, Shin DongKyoo, and Kim Sangsoo. 2021. Host-Based Intrusion Detection Model Using Few-Shot Learning. KIPS Transactions on Software and Data Engineering, 10, 7, (2021), 271-278. DOI: https://doi.org/10.3745/KTSDE.2021.10.7.271.