SF-IDS: An Imbalanced Semi-Supervised Learning Framework for Fine-grained Intrusion Detection

TL;DR

This paper introduces SF-IDS, a semi-supervised learning framework for fine-grained intrusion detection that effectively handles limited labels and class imbalance, improving detection accuracy on benchmark datasets.

Contribution

The paper proposes a novel semi-supervised framework with a self-training model and hybrid loss to address label scarcity and class imbalance in fine-grained NIDS.

Findings

Achieves over 3% improvement in Marco-F1 scores on benchmark datasets.

Effectively filters pseudo-labels using uncertainty and prediction probability.

Mitigates class imbalance with a hybrid loss combining contrastive and weighted classification losses.

Abstract

Deep learning-based fine-grained network intrusion detection systems (NIDS) enable different attacks to be responded to in a fast and targeted manner with the help of large-scale labels. However, the cost of labeling causes insufficient labeled samples. Also, the real fine-grained traffic shows a long-tailed distribution with great class imbalance. These two problems often appear simultaneously, posing serious challenges to fine-grained NIDS. In this work, we propose a novel semi-supervised fine-grained intrusion detection framework, SF-IDS, to achieve attack classification in the label-limited and highly class imbalanced case. We design a self-training backbone model called RI-1DCNN to boost the feature extraction by reconstructing the input samples into a multichannel image format. The uncertainty of the generated pseudo-labels is evaluated and used as a reference for pseudo-label filtering in combination with the prediction probability. To mitigate the effects of fine-grained class imbalance, we propose a hybrid loss function combining supervised contrastive loss and multi-weighted classification loss to obtain more compact intra-class features and clearer inter-class intervals. Experiments show that the proposed SF-IDS achieves 3.01% and 2.71% Marco-F1 improvement on two classical datasets with 1% labeled, respectively.