RT info:eu-repo/semantics/article T1 Network intrusion detection with a novel hierarchy of distances between embeddings of hash IP addresses A1 López Martín, Manuel A1 Carro Martínez, Belén A1 Arribas Sánchez, Juan Ignacio A1 Sánchez Esguevillas, Antonio Javier K1 Hash function K1 Self-supervised learning K1 Neural network K1 Network address embedding K1 Network intrusion detection K1 33 Ciencias Tecnológicas K1 3325 Tecnología de las Telecomunicaciones AB Including high-dimensional categorical predictors in a machine learning model is a major challenge. This is particularly appropriate for the IP and Port addresses of network connections when they are considered as predictors (features) in machine learning models. These features are particularly important for network intrusion detection, as many attacks exploit information about IP/Port addresses. The sparsity and high dimensionality of these features make it difficult their inclusion into the models, being discarded as useful information in many cases. This work proposes to replace the original network addresses by new features based on a set of distances defined between different components of the source and destination IP and Port addresses. These distances incorporate information on the probability of co-occurrence of source and destination addresses. The distances are calculated using a dense, low-dimensional vector representation (embedding) of the different network address components. The embeddings are obtained with a neural network, which requires few computational resources, plus an additional hash function that collapses the extremely large range of IP and Port values, making the model implementation feasible. A self-supervised learning framework under a hierarchical model is used to train the encoding network.The novel features can be used to predict future co-occurrence of source and destination network addresses, and, when applied as features in a supervised model, they significantly increase the prediction performance of most classifiers for the detection of network intrusions. We demonstrate this prediction improvement over two modern network intrusion datasets: CICIDS2017 and CICDDoS2019. PB Elsevier SN 0950-7051 YR 2021 FD 2021 LK https://uvadoc.uva.es/handle/10324/54206 UL https://uvadoc.uva.es/handle/10324/54206 LA eng NO Knowledge-Based Systems, 2021, vol. 219, p. 106887 NO Producción Científica DS UVaDOC RD 24-nov-2024