Reinforcement Learning for Intrusion Detection: More Model Longness and Fewer Updates

Santos, Roger R. dos; Viegas, Eduardo K.; Santin, Altair O.; Cogo, Vinicius Vielmo

doi:10.1109/tnsm.2022.3207094

Cited by 24 publications

(7 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…A large number of studies have focused on applying reinforcement learning to use cases similar to the intrusion response use case we discuss in this paper [9]- [11], [17]- [52], [64], [72]. These works use a variety of models, including MDPs [20], [23], [25], [26], [31], [34], [36], [42], [51], [52], [64], Stochastic games [10], [18], [28], [33], [45], [72], attack graphs [35], Petri nets [43], and POMDPs [9], [11], [21], [27], as well as various reinforcement learning algorithms, including Q-learning [18], [20], [23], [40], [43], [48], [64], [69], SARSA [21], PPO [10], [11], [34], [35], [37], hierarchical reinforcement learning [25], DQN [26], [36]-…”

Section: Reinforcement Learning For Automated Intrusion Responsementioning

confidence: 99%

“…This novel formulation allows us a) to derive and prove structural properties of optimal strategies; and b) to find defender strategies that are effective against an attacker with a dynamic strategy. We thus address a key limitation of many related works, which only consider static attackers [9], [11], [17], [20], [21], [23], [25]- [27], [31], [36], [37], [39], [40], [42], [48], [51]- [53], [60]- [65]. Second, we propose T-FP, an efficient reinforcement learning algorithm that exploits threshold properties of optimal stopping strategies and outperforms a state-of-the-art algorithm for our use case.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Learning Near-Optimal Intrusion Responses Against Dynamic Attackers

Hammar¹,

Stadler²

2023

Preprint

View full text Add to dashboard Cite

We study automated intrusion response and formulate the interaction between an attacker and a defender as an optimal stopping game where attack and defense strategies evolve through reinforcement learning and self-play. The gametheoretic modeling enables us to find defender strategies that are effective against a dynamic attacker, i.e. an attacker that adapts its strategy in response to the defender strategy. Further, the optimal stopping formulation allows us to prove that optimal strategies have threshold properties. To obtain nearoptimal defender strategies, we develop Threshold Fictitious Self-Play (T-FP), a fictitious self-play algorithm that learns Nash equilibria through stochastic approximation. We show that T-FP outperforms a state-of-the-art algorithm for our use case. The experimental part of this investigation includes two systems: a simulation system where defender strategies are incrementally learned and an emulation system where statistics are collected that drive simulation runs and where learned strategies are evaluated. We argue that this approach can produce effective defender strategies for a practical IT infrastructure.

show abstract

Section: Reinforcement Learning For Automated Intrusion Responsementioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Learning Near-Optimal Intrusion Responses Against Dynamic Attackers

Hammar¹,

Stadler²

2023

Preprint

View full text Add to dashboard Cite

show abstract

“…In [ 27 ], a novel intrusion detection model based on reinforcement learning was proposed. The model is designed to operate for extended periods without frequent updates and consists of two strategies.…”

Section: Literature Surveymentioning

confidence: 99%

Enhanced Intrusion Detection with Data Stream Classification and Concept Drift Guided by the Incremental Learning Genetic Programming Combiner

Shyaa

Zainol

Abdullah

et al. 2023

Sensors

View full text Add to dashboard Cite

Concept drift (CD) in data streaming scenarios such as networking intrusion detection systems (IDS) refers to the change in the statistical distribution of the data over time. There are five principal variants related to CD: incremental, gradual, recurrent, sudden, and blip. Genetic programming combiner (GPC) classification is an effective core candidate for data stream classification for IDS. However, its basic structure relies on the usage of traditional static machine learning models that receive onetime training, limiting its ability to handle CD. To address this issue, we propose an extended variant of the GPC using three main components. First, we replace existing classifiers with alternatives: online sequential extreme learning machine (OSELM), feature adaptive OSELM (FA-OSELM), and knowledge preservation OSELM (KP-OSELM). Second, we add two new components to the GPC, specifically, a data balancing and a classifier update. Third, the coordination between the sub-models produces three novel variants of the GPC: GPC-KOS for KA-OSELM; GPC-FOS for FA-OSELM; and GPC-OS for OSELM. This article presents the first data stream-based classification framework that provides novel strategies for handling CD variants. The experimental results demonstrate that both GPC-KOS and GPC-FOS outperform the traditional GPC and other state-of-the-art methods, and the transfer learning and memory features contribute to the effective handling of most types of CD. Moreover, the application of our incremental variants on real-world datasets (KDD Cup ‘99, CICIDS-2017, CSE-CIC-IDS-2018, and ISCX ‘12) demonstrate improved performance (GPC-FOS in connection with CSE-CIC-IDS-2018 and CICIDS-2017; GPC-KOS in connection with ISCX2012 and KDD Cup ‘99), with maximum accuracy rates of 100% and 98% by GPC-KOS and GPC-FOS, respectively. Additionally, our GPC variants do not show superior performance in handling blip drift.

show abstract

“…An ensemble‐based intrusion detection system was developed in Abbas et al 29 to consider both on binary and multi‐class classification scenarios. A new intrusion recognition mechanism based on reinforcement learning was designed in dos Santos et al 30 with a minimum false positive rate. But, the time was not focused.…”

Section: Related Workmentioning

confidence: 99%

Artificial intelligence enabled Luong Attention and Hosmer Lemeshow Regression Window‐based attack detection in 6G

Bhuvaneshwari¹,

Balusamy

Dhanaraj

et al. 2023

Int J Communication

View full text Add to dashboard Cite

SummaryRegardless of the developments of networking and communication technologies, security is without exception a predominant feature to ensure network reliability. The future sixth‐generation (6G) network is anticipated to be carried out with artificial intelligence (AI) powered communication via machine learning (ML), post‐quantum cryptography, and so on. AI‐powered communication has been in recent years utilized in enhancing network traffic performance with respect to resource management, optimal frequency spectrum design, security, and latency. The studies of modern wireless communications and anticipated features of 6G networks revealed a prerequisite for designing a trustworthy attack detection mechanism. In this work, a method called, Luong Attention and Hosmer Lemeshow Regression Window‐based (LA‐HLRW) attack detection in 6G is proposed. Initially, with the raw Botnet Attack dataset obtained as input, preprocessing is performed to normalize network traffic features. Next, the dimensionality of network traffic feature of large‐scale network traffic data is reduced using the Luong Attention integrated with Long Short Term Memory (LSTM)‐based Feature extraction model. Finally, with the objective of classifying network traffic samples for attack detection in 6G, we analyze the low dimensional network traffic feature set produced by Luong Attention integrated with LSTM using the Hosmer Lemeshow Logistic Regression Window‐based Attack Detection model. Extensive experiments are performed with the Botnet Attack dataset to validate the efficiency of the proposed LA‐HLRW method by using different parameters such as attack detection accuracy, attack detection time, precision, and recall. The overall analysis of proposed LA‐HLRW results significantly reduced the attack detection time by 24%, and additionally improved attack detection accuracy, precision, and recall by 5%, 5%, and 6% as compared to existing attack detection methods respectively.

show abstract

Reinforcement Learning for Intrusion Detection: More Model Longness and Fewer Updates

Cited by 24 publications

References 37 publications

Learning Near-Optimal Intrusion Responses Against Dynamic Attackers

Learning Near-Optimal Intrusion Responses Against Dynamic Attackers

Enhanced Intrusion Detection with Data Stream Classification and Concept Drift Guided by the Incremental Learning Genetic Programming Combiner

Artificial intelligence enabled Luong Attention and Hosmer Lemeshow Regression Window‐based attack detection in 6G

Contact Info

Product

Resources

About