FSA-IDS: A Flow-based Self-Active Intrusion Detection System
Key: HBG23
Author: Mehrdad Hajizadeh, Sudip Barua, Pegah Golchin
Date: May 2023
Kind:
Abstract: As the first line of defense, an Intrusion Detection System (IDS) plays a crucial role in early cyber threat detection and successful mitigation operations. IDSs are increasingly adopting machine learning (ML)-based methods to enhance their detection engines by learning network traffic characteristics and improving scalability. Although ML-based IDSs have proven effective in detecting diverse cyber attacks, their success is highly dependent on the input data. The scarcity of labeled benign/malicious traffic samples affects various aspects of ML model operations, e.g., benchmarking, explaining and interpreting the results, and continuous model adaptation/improvement. In addition, network traffic sample labeling is costly, complex, requires massive human effort, and is sometimes even impossible. This paper introduces a Flow-based Self-Active IDS (FSA-IDS), a novel framework that adopts active learning (AL) into self-learning to reduce the labeling cost significantly and to realize an effective IDS. FSA-IDS improves cyber attack detection performance while reducing false alarms. It employs a novel cluster-based sampling approach that facilitates the labeling automation process and minimizes expert involvement by up to 47% compared to various baselines. We evaluate FSA-IDS using two real-world network traffic datasets comprising a wide range of benign and malicious network traffic samples.