On the Evaluation of Sequential Machine Learning for Network Intrusion Detection
Andrea Corsini, Shanchieh Jay Yang, Giovanni Apruzzese

TL;DR
This paper evaluates the effectiveness of sequential learning models, specifically LSTM, for network intrusion detection using NetFlow data, comparing their performance to static models across two datasets.
Contribution
It introduces a methodology for extracting NetFlow sequences and provides a comparative analysis of LSTM and FNN models for NIDS, highlighting the advantages of sequential models.
Findings
LSTM achieves over 99.5% F1-score on CICIDS2017.
LSTM outperforms FNN on CTU13 with 95.7% F1-score.
Sequential models show promise for future NIDS applications.
Abstract
Recent advances in deep learning have renewed research interest in machine learning for Network Intrusion Detection Systems (NIDS). Specifically, attention has been given to sequential learning models, due to their ability to extract the temporal characteristics of Network traffic Flows (NetFlows) and use them for NIDS tasks. However, applications of these sequential models often consist of transferring and adapting methodologies directly from other fields, without an in-depth investigation of how to leverage the specific circumstances of cybersecurity scenarios; moreover, there is a lack of comprehensive studies on sequential models that rely on NetFlow data, which presents significant advantages over traditional full packet captures. We tackle this problem in this paper. We propose a detailed methodology to extract temporal sequences of NetFlows that denote patterns of malicious…
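The Contribution and Abstract both describe extracting temporal NetFlow sequences for a sequential model without showing what such an extraction looks like. The following is an added example, not code from the paper or its authors: it groups flat NetFlow records by a key, orders them in time, derives a per-flow feature vector that includes the inter-flow gap (the temporal signal a static per-flow model never sees), and slides a fixed-length window over each group to produce labelled sequences. The grouping key (source address), the window length, the feature set and the two labelling rules are assumptions chosen for illustration; the page does not reproduce the paper's own extraction rules. The sample flows are constructed and are not taken from CICIDS2017 or CTU13.

```python
"""Turn a flat list of NetFlow records into fixed-length temporal sequences
for a sequential (LSTM-style) NIDS classifier.

Added example, not code from the paper. The grouping key (source address),
the window length and the labelling rule are assumptions chosen for
illustration; the page does not reproduce the paper's own extraction rules.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class NetFlow:
    ts: float       # flow start time, seconds
    src: str
    dst: str
    dport: int
    proto: str
    n_bytes: int
    n_pkts: int
    label: int      # ground truth: 1 = malicious, 0 = benign


# Constructed sample flows (not from CICIDS2017 or CTU13): 10.0.0.1 is benign,
# 10.0.0.2 starts a port sweep of 10.0.0.5 at t=4.
SAMPLE_FLOWS = [
    NetFlow(1.0, "10.0.0.1", "10.0.0.5", 443, "tcp", 1200, 10, 0),
    NetFlow(2.0, "10.0.0.2", "10.0.0.5", 443, "tcp", 900, 8, 0),
    NetFlow(3.0, "10.0.0.1", "10.0.0.5", 80, "tcp", 600, 6, 0),
    NetFlow(4.0, "10.0.0.2", "10.0.0.5", 22, "tcp", 60, 1, 1),
    NetFlow(4.1, "10.0.0.2", "10.0.0.5", 23, "tcp", 60, 1, 1),
    NetFlow(4.2, "10.0.0.2", "10.0.0.5", 445, "tcp", 60, 1, 1),
    NetFlow(5.0, "10.0.0.1", "10.0.0.5", 443, "tcp", 1500, 12, 0),
]

FEATURE_NAMES = ("dt", "dport", "bytes", "pkts")

# (group key, window x features, sequence label)
Sequence = Tuple[str, List[List[float]], int]


def flow_features(prev: Optional[NetFlow], cur: NetFlow) -> List[float]:
    """Per-flow feature vector. `dt` is the gap to the previous flow of the
    same group; a static per-flow model has no access to it."""
    dt = 0.0 if prev is None else cur.ts - prev.ts
    return [dt, float(cur.dport), float(cur.n_bytes), float(cur.n_pkts)]


def group_flows(flows: Iterable[NetFlow],
                key: Callable[[NetFlow], str] = lambda f: f.src) -> Dict[str, List[NetFlow]]:
    """Bucket flows by `key` (assumption: source address), each bucket in time order."""
    groups: Dict[str, List[NetFlow]] = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        groups[key(f)].append(f)
    return dict(groups)


def extract_sequences(flows: Iterable[NetFlow], window: int = 3,
                      label_rule: str = "any",
                      key: Callable[[NetFlow], str] = lambda f: f.src) -> List[Sequence]:
    """Slide a window of `window` flows over each group and emit one sequence
    per position. `label_rule`:
      "any"  - sequence is malicious if any flow in it is (offline evaluation)
      "last" - sequence carries the label of its newest flow (online scoring)
    Groups shorter than `window` produce no sequence (no padding here)."""
    if label_rule not in ("any", "last"):
        raise ValueError(f"unknown label_rule {label_rule!r}")
    out: List[Sequence] = []
    for k, fs in group_flows(flows, key).items():
        feats: List[List[float]] = []
        prev: Optional[NetFlow] = None
        for f in fs:                       # features computed over the whole
            feats.append(flow_features(prev, f))   # group so dt spans windows
            prev = f
        for i in range(len(fs) - window + 1):
            win = fs[i:i + window]
            y = max(f.label for f in win) if label_rule == "any" else win[-1].label
            out.append((k, feats[i:i + window], y))
    return out


if __name__ == "__main__":
    for k, X, y in extract_sequences(SAMPLE_FLOWS, window=3):
        print(k, "label=%d" % y, [dict(zip(FEATURE_NAMES, row)) for row in X])
```

Two practical caveats follow from the code rather than from the paper. The labelling rule changes what an F1-score measures: with "any", a window containing a single malicious flow among benign ones counts as a positive, which inflates the positive class relative to "last"; a report should state which rule was used. And because windows are built per group over the full time line, a train/test split must be applied to the flows by time before windowing, otherwise overlapping windows straddle the split and leak test flows into training.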
Taxonomy
Methods: Tanh Activation · Sigmoid Activation · Long Short-Term Memory
