RT info:eu-repo/semantics/article
T1 Network intrusion detection with a novel hierarchy of distances between embeddings of hash IP addresses
A1 López Martín, Manuel
A1 Carro Martínez, Belén
A1 Arribas Sánchez, Juan Ignacio
A1 Sánchez Esguevillas, Antonio Javier
K1 Hash function
K1 Self-supervised learning
K1 Neural network
K1 Network address embedding
K1 Network intrusion detection
K1 33 Ciencias Tecnológicas
K1 3325 Tecnología de las Telecomunicaciones
AB Including high-dimensional categorical predictors in a machine learning model is a major challenge. This is particularly appropriate for the IP and Port addresses of network connections when they are considered as predictors (features) in machine learning models. These features are particularly important for network intrusion detection, as many attacks exploit information about IP/Port addresses. The sparsity and high dimensionality of these features make it difficult their inclusion into the models, being discarded as useful information in many cases. This work proposes to replace the original network addresses by new features based on a set of distances defined between different components of the source and destination IP and Port addresses. These distances incorporate information on the probability of co-occurrence of source and destination addresses. The distances are calculated using a dense, low-dimensional vector representation (embedding) of the different network address components. The embeddings are obtained with a neural network, which requires few computational resources, plus an additional hash function that collapses the extremely large range of IP and Port values, making the model implementation feasible. A self-supervised learning framework under a hierarchical model is used to train the encoding network.The novel features can be used to predict future co-occurrence of source and destination network addresses, and, when applied as features in a supervised model, they significantly increase the prediction performance of most classifiers for the detection of network intrusions. We demonstrate this prediction improvement over two modern network intrusion datasets: CICIDS2017 and CICDDoS2019.
PB Elsevier
SN 0950-7051
YR 2021
FD 2021
LK https://uvadoc.uva.es/handle/10324/54206
UL https://uvadoc.uva.es/handle/10324/54206
LA eng
NO Knowledge-Based Systems, 2021, vol. 219, p. 106887
NO Producción Científica
DS UVaDOC
RD 12-jul-2024