CSE-IDS: Using cost-sensitive deep learning and ensemble algorithms to handle class imbalance in network-based intrusion detection systems

Bibliographic Details
Published in: Computers & security Vol. 112; p. 102499
Main Authors: Gupta, Neha; Jindal, Vinita; Bedi, Punam
Format: Journal Article
Language: English
Published: Amsterdam Elsevier Ltd 01.01.2022
Elsevier Sequoia S.A
ISSN: 0167-4048
1872-6208
DOI: 10.1016/j.cose.2021.102499

Summary: In recent times, Network-based Intrusion Detection Systems (NIDSs) have become very popular for detecting intrusions in computer networks. Existing NIDSs can easily identify those intrusions that have been frequently witnessed in the network (majority attacks), but they cannot identify new and infrequent intrusions (minority attacks) accurately. Moreover, such systems solely focus on maximizing the overall Attack Detection Rate while overlooking the number of false alarms. To address these issues, this paper proposes CSE-IDS, a three-layer NIDS, based on Cost-Sensitive Deep Learning and Ensemble algorithms. Layer 1 of the proposed CSE-IDS uses Cost-Sensitive Deep Neural Network to separate normal traffic from suspicious network traffic. These suspicious samples are then sent to Layer 2, which uses the eXtreme Gradient Boosting algorithm to classify them into normal class, different majority attack classes, and a single class representing all minority attack classes. At last, Random Forest is used at Layer 3 to classify the minority attacks identified at Layer 2 into their respective classes. The performance of the proposed CSE-IDS was evaluated on the NSL-KDD, CIDDS-001, and CICIDS2017 datasets with respect to Accuracy, Recall, Precision, F1-score, ROC curve, AUC values, and computational times. The proposed system outperforms its counterparts by achieving a high Attack Detection Rate for both majority attacks and minority attacks present in the network. Further, it minimizes the number of false alarms by correctly segregating normal traffic from attack traffic. The obtained results confirm that the proposed CSE-IDS can be deployed in the real world for performing network-based intrusion detection.