LIO-IDS: Handling class imbalance using LSTM and improved one-vs-one technique in intrusion detection system
| Published in | Computer networks (Amsterdam, Netherlands : 1999) Vol. 192; p. 108076 |
|---|---|
| Format | Journal Article |
| Language | English |
| Published | Amsterdam, Elsevier B.V, 19.06.2021, Elsevier Sequoia S.A |
| ISSN | 1389-1286 1872-7069 |
| DOI | 10.1016/j.comnet.2021.108076 |
| Summary: | Network-based Intrusion Detection Systems (NIDSs) are deployed in computer networks to identify intrusions. NIDSs analyse network traffic to detect malicious content generated from different types of cyber-attacks. Though NIDSs can classify frequent attacks correctly, their performance declines on infrequent network intrusions. This paper proposes LIO-IDS based on Long Short-Term Memory (LSTM) classifier and Improved One-vs-One technique for handling both frequent and infrequent network intrusions. LIO-IDS is a two-layer Anomaly-based NIDS (A-NIDS) that detects different network intrusions with high Accuracy and low computational time. Layer 1 of LIO-IDS identifies intrusions from normal network traffic by using the LSTM classifier. Layer 2 uses ensemble algorithms to classify the detected intrusions into different attack classes. This paper also proposes an Improved One-vs-One (I-OVO) technique for performing multi-class classification at the second layer of the proposed LIO-IDS. In contrast to the traditional OVO technique, the proposed I-OVO technique uses only three classifiers to test each sample, thereby reducing the testing time significantly. Also, oversampling techniques have been used at Layer 2 to enhance the detection ability of the proposed LIO-IDS. The performance of the proposed system has been evaluated in terms of Accuracy, Recall, Precision, F1-score, Receiver Characteristics Operating (ROC) curve, Area Under ROC (AUC) values, training time and testing time for the NSL-KDD, CIDDS-001, and CICIDS2017 datasets. The proposed LIO-IDS shows significant improvement in the results as compared to its counterparts. High attack detection rates and short computational times make the proposed LIO-IDS suitable to be deployed in the real-world for network-based intrusion detection. |
|---|---|