DI-NIDS: Domain Invariant Network Intrusion Detection System

TL;DR

This paper introduces DI-NIDS, a domain-invariant network intrusion detection system that leverages adversarial domain adaptation and anomaly detection to improve cross-domain performance of machine learning-based NIDS.

Contribution

The paper proposes a novel approach combining adversarial domain adaptation with unsupervised anomaly detection to enhance NIDS generalizability across different network domains.

Findings

Outperforms previous methods in cross-domain detection accuracy.

Effective in extracting domain-invariant features for intrusion detection.

Demonstrates robustness on NFv2-CIC-2018 and NFv2-UNSW-NB15 datasets.

Abstract

The performance of machine learning based network intrusion detection systems (NIDSs) severely degrades when deployed on a network with significantly different feature distributions from the ones of the training dataset. In various applications, such as computer vision, domain adaptation techniques have been successful in mitigating the gap between the distributions of the training and test data. In the case of network intrusion detection however, the state-of-the-art domain adaptation approaches have had limited success. According to recent studies, as well as our own results, the performance of an NIDS considerably deteriorates when the `unseen' test dataset does not follow the training dataset distribution. In some cases, swapping the train and test datasets makes this even more severe. In order to enhance the generalisibility of machine learning based network intrusion detection systems, we propose to extract domain invariant features using adversarial domain adaptation from multiple network domains, and then apply an unsupervised technique for recognising abnormalities, i.e., intrusions. More specifically, we train a domain adversarial neural network on labelled source domains, extract the domain invariant features, and train a One-Class SVM (OSVM) model to detect anomalies. At test time, we feedforward the unlabeled test data to the feature extractor network to project it into a domain invariant space, and then apply OSVM on the extracted features to achieve our final goal of detecting intrusions. Our extensive experiments on the NIDS benchmark datasets of NFv2-CIC-2018 and NFv2-UNSW-NB15 show that our proposed setup demonstrates superior cross-domain performance in comparison to the previous approaches.