A new method for flow-based network intrusion detection using the inverse Potts model
Camila Pontes, Manuela Souza, João Gondim, Matt Bishop, Marcelo Marotta

TL;DR
This paper introduces the Energy-based Flow Classifier (EFC), a novel anomaly detection method for flow-based network intrusion detection that overcomes limitations of traditional machine learning classifiers, demonstrating robustness across multiple datasets.
Contribution
The paper presents a new energy-based anomaly detection algorithm for flow classification that is more adaptable and explainable than existing ML-based methods.
Findings
EFC accurately classifies network flows in binary detection tasks.
EFC shows better adaptability to different data distributions.
EFC performs well on multiple benchmark datasets.
Abstract
Network Intrusion Detection Systems (NIDS) play an important role as tools for identifying potential network threats. In the context of ever-increasing traffic volume on computer networks, flow-based NIDS arise as good solutions for real-time traffic classification. In recent years, different flow-based classifiers have been proposed using Machine Learning (ML) algorithms. Nevertheless, classical ML-based classifiers have some limitations. For instance, they require large amounts of labeled data for training, which might be difficult to obtain. Additionally, most ML-based classifiers are not capable of domain adaptation, i.e. after being trained on a specific data distribution, they are not general enough to be applied to other related data distributions. And, finally, many of the models inferred by these algorithms are black boxes, which do not provide explainable results. To overcome…
