Multi-class Network Intrusion Detection with Class Imbalance via LSTM & SMOTE
Muhammad Wasim Nawaz, Rashid Munawar, Ahsan Mehmood, Muhammad Mahboob, Ur Rahman, Qammer H. Abbasi

TL;DR
This paper presents a deep learning approach using LSTM combined with SMOTE and focal loss to improve multi-class network intrusion detection, especially for rare attack types, addressing class imbalance issues.
Contribution
It introduces a novel combination of oversampling with SMOTE and focal loss in an LSTM-based model for effective multi-class intrusion detection with imbalanced data.
Findings
Enhanced detection of rare attack types like Probe and DDoS.
Improved performance over baseline models on KDD99 and CICIDS2017 datasets.
Effective handling of class imbalance in network intrusion detection.
Abstract
Monitoring network traffic to maintain the quality of service (QoS) and to detect network intrusions in a timely and efficient manner is essential. As network traffic is sequential, recurrent neural networks (RNNs) such as long short-term memory (LSTM) are suitable for building network intrusion detection systems. However, in the case of a few dataset examples of the rare attack types, even these networks perform poorly. This paper proposes to use oversampling techniques along with appropriate loss functions to handle class imbalance for the detection of various types of network intrusions. Our deep learning model employs LSTM with fully connected layers to perform multi-class classification of network attacks. We enhance the representation of minority classes: i) through the application of the Synthetic Minority Over-sampling Technique (SMOTE), and ii) by employing categorical focal…
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Anomaly Detection Techniques and Applications
