Collaborative Feature Maps of Networks and Hosts for AI-driven Intrusion Detection
Jinxin Liu, Murat Simsek, Burak Kantarci, Mehran Bagheri, Petar Djukic

TL;DR
This paper introduces a novel combined intrusion detection system that integrates network and host data using a new dataset and a transformer-based model, significantly improving detection performance.
Contribution
It presents a new dataset formation framework, a combined dataset SCVIC-CIDS-2021, and a transformer-based model CIDS-Net for improved intrusion detection accuracy.
Findings
CIDS-Net outperforms baseline models by 6.36% in macro F1 score.
The new dataset enables effective integration of network and host data.
Combining host and network features enhances intrusion detection performance.
Abstract
Intrusion Detection Systems (IDS) are critical security mechanisms that protect against a wide variety of network threats and malicious behaviors on networks or hosts. As both Network-based IDS (NIDS) and Host-based IDS (HIDS) have been widely investigated, this paper aims to present a Combined Intrusion Detection System (CIDS) that integrates network and host data in order to improve IDS performance. Due to the scarcity of datasets that include both network packet and host data, we present a novel CIDS dataset formation framework that can handle log files from a variety of operating systems and align log entities with network flows. A new CIDS dataset named SCVIC-CIDS-2021 is derived from the meta-data of the well-known benchmark dataset CIC-IDS-2018 by utilizing the proposed framework. Furthermore, a transformer-based deep learning model named CIDS-Net is proposed that can take…
Taxonomy
Topics: Network Security and Intrusion Detection · Software System Performance and Reliability · Advanced Malware Detection Techniques
