BAT DEEP LEARNING METHODS ON NETWORK
INTRUSTION DETECTION USING NSL-KDD DATASET
B.S.Swapnashanthi1, K.Chinmayee2, M.kovid3, M.tejaswi4, N.rakesh5
1Assistant Professor, Department of CSE, Sri Indu Institute of Engineering & Technology, Hyderabad
2,3,4,5 IVth Btech Student, Department of CSE, Sri Indu Institute of Engineering & Technology, Hyderabad
ABSTRACT
Intrusion detection can identify unknown attacks from network traffics and has been an
effective means of network security. Nowadays, existing methods for network anomaly
detection are usually based on traditional machine learning models, such as KNN, SVM,
etc. Although these methods can obtain some outstanding features, they get a relatively
low accuracy and rely heavily on manual design of traffic features, which has been
obsolete in the age of big data. To solve the problems of low accuracy and feature
engineering in intrusion detection, a traffic anomaly detection model BAT is proposed.
The BAT model combines BLSTM (Bidirectional Long Short-term memory) and
attention mechanism. Attention mechanism is used to screen the network flow vector
composed of packet vectors generated by the BLSTM model, which can obtain the key
features for network traffic classification. In addition, we adopt multiple convolutional
layers to capture the local features of traffic data. As multiple convolutional layers are
used to process data samples, we refer BAT model as BAT-MC. The softmax classifier is
used for network traffic classification. The proposed end-to-end model does not use any
feature engineering skills and can automatically learn the key features of the hierarchy. It
can well describe the network traffic behavior and improve the ability of anomaly
detection effectively. We test our model on a public benchmark dataset, and the
experimental results demonstrate our model has better performance than other
comparison methods.
key words: Deep learning,NSL-KDD dataset,BAT,neural network,BLSTM,attention
mechanism.
1
�INTRODUCTION
1.1 MOTIVATION softmax classifier is used for network
traffic classification.
Intrusion detection plays an
1.4 LIMITATIONS OF
important part in ensuring network
PROJECT
information security. Machine learning The current deep learning
methods have been widely used in methods in the network traffic
intrusion detection to identify malicious classification research don’t make full use
traffic. However, these methods belong to of the network traffic structured
shallow learning and often emphasize information. Drawing on the application
feature engineering and selection. They methods of deep learning in the field of
have difficulty in features selection and natural language processing, we propose a
cannot effectively solve the massive novel model BAT-MC via the two phase’s
intrusion data classification problem, learning of BLSTM and attention on the
which leads to low recognition accuracy time series features for intrusion detection
and high false alarm rate. In recent years, using NSL-KDD dataset.
intrusion detection methods based on deep
learning have been proposed successively.
2.LITERATURE SURVEY
1.2 PROBLEM DEFINITION
Sarika Choudhary et al, the latest
The existing methods for network
buzzword in internet technology
anomaly detection are usually based on
nowadaysisthe Internet of Things. The
traditional machine learning models, such
Internet of Things (IoT) is an ever-
as KNN, SVM, etc. Although these
growing network which will transform
methods can obtain some outstanding
real-world objects into smart or intelligent
features, they get a relatively low accuracy
virtual objects. IoT is a heterogeneous
and rely heavily on manual design of
network in which devices with different
traffic features, which has been absolete in
protocols can connect with each other in
the age of big data.
order to exchange information. These days,
1.3 OBJECTIVE OF PROJECT
human life depends upon the smart things
We adopt multiple convolutional and their activities. Therefore,
layers to capture the local features of implementing protected communications
traffic data. As multiple convolutional in the IoT network is a challenge. Since
layers are used to process data samples, the IoT network is secured with
we refer BAT model as BAT-MC. The
2
�authentication and encryption, but not statistical anomaly and rulebased misuse
secured against cyber-attacks, an Intrusion models in order to detect intrusions. A
Detection System is needed. This research number of prototype IDSs have been
article focuses on IoT introduction, developed at several institutions, and some
architecture, technologies, attacks and IDS. of them have.
The main objective of this article is to
provide a general idea of the Internet of Network intrusion detection
Things, various intrusion detection system: A machine learning
techniques, and security attacks associated approach
with IoT.
Mrutyunjaya Panda et,al Intrusion
Network intrusion detection detection systems (IDSs) are currently
drawing a great amount of interest as a
B. Mukherjee et,al Intrusion detection is a key part of system defence. IDSs collect
new, retrofit approach for providing a network traffic information from some
sense of security in existing computers point on the network or computer system
and data networks, while allowing them to and then use this information to secure the
operate in their current "open" mode. The network. Recently, machine learning
goal of intrusion detection is to identify methodologies are playing an important
unauthorized use, misuse, and abuse of role in detecting network intrusions (or
computer systems by both system insiders attacks), which further helps the network
and external penetrators. The intrusion administrator to take precautionary
detection problem is becoming a measures for preventing intrusions. In this
challenging task due to the proliferation of paper, we propose to use ten machine
heterogeneous computer networks since learning approaches that include Decision
the increased connectivity of computer Tree (J48), Bayesian Belief Network,
systems gives greater access to outsiders Hybrid Na¨ıve Bayes with Decision Tree,
and makes it easier for intruders to avoid Rotation Forest, Hybrid J48 with Lazy
identification. Intrusion detection systems Locally weighted learning, Discriminative
(IDSs) are based on the beliefs that an multinomial Na¨ıve Bayes, Combining
intruder's behavior will be noticeably random Forest with Na¨ıve Bayes and
different from that of a legitimate user and finally ensemble of classifiers using J48
that many unauthorized actions are and NB with AdaBoost (AB) to detect
detectable. Typically, IDSs employ network intrusions efficiently. We use
3
�NSL-KDD dataset, a variant of widely referred to as KNN below) classification
used KDDCup 1999 intrusion detection algorithm in wireless sensor network. This
benchmark dataset, for evaluating our system can separate abnormal nodes from
proposed machine learning approaches for normal nodes by observing their abnormal
network intrusion detection. Finally, behaviors, and we analyse parameter
Experimental results with 5-class selection and error rate of the intrusion
classification are demonstrated that detection system. The paper elaborates on
include: Detection rate, false positive rate, the design and implementation of the
and average cost for misclassification. detection system. This system has
These are used to aid a better achieved efficient, rapid intrusion
understanding for the researchers in the detection by improving the wireless ad
domain of network intrusion detection. hoc on-demand distance vector routing
A new intrusion detection system protocol (Ad hoc On-Demand Distance
based on KNN classification the Vector Routing, AODV). Finally, the
test results show that: the system has high
algorithm in wireless sensor
detection accuracy and speed, in
network
accordance with the requirement of
L. Pan et,al The Internet of Things has
wireless sensor network intrusion
broad application in military field,
detection.
commerce, environmental monitoring, and
2.2 EXISTING SYSTEM:
many other fields. However, the open
Most algorithms have been
nature of the information media and the
considered for use in the past. In the
poor deployment environment have
authors make a summary of pattern
brought great risks to the security of
matching algorithm in Intrusion Detection
wireless sensor networks, seriously
System: KMP algorithm, BM algorithm,
restricting the application of wireless
BMH algorithm, BMHS algorithm, AC
sensor network. Internet of Things
algorithm and AC-BM algorithm.
composed of wireless sensor network
Experiments show that the improved
faces security threats mainly from Dos
algorithm can accelerate the matching
attack, replay attack, integrity attack, false
speed and has a good time performance. In
routing information attack, and flooding
[17], Naive approach, Knuth-MorrisPratt
attack. In this paper, we proposed a new
algorithm and RabinKarp Algorithm are
intrusion detection system based on K-
compared in order to check which of them
nearest neighbor ( K-nearest neighbor,
4
�is most efficient in pattern/intrusion 2) We introduce the attention mechanism
detection. Pcap files have been used as into the BLSTM model to highlight the
datasets in order to determine the key input. Attention mechanism conducts
efficiency of the algorithm by taking into feature learning on sequential data
consideration their running times composed of data package vectors. The
respectively. obtained feature information is reasonable
and accurate.
2.2.1 DRAWBACKS OF 3) We compare the performance of BAT-
EXISTING SYSTEM: MC with traditional deep learning
methods, the BAT-MC model can extract
1. We are also facing various security
information from each packet. By making
threats. Network viruses, eavesdropping
full use of the structure information of
and malicious attacks are on the rise,
network traffic, the BAT-MC model can
causing network security to become the
capture features more comprehensively.
focus of attention of the society and
government departments. 2.3.2 ADVANTAGES OF
2. To identify various malicious network PROPOSED SYSTEM:
traffics, especially unexpected malicious
1. The BAT-MC model consists of five
network traffics, is a key problem that
components, including the input layer,
cannot be avoided.
multiple convolutional Layers, BSLTM
2.3 PROPOSED SYSTEM:
layer, attention layer and output layer,
The accuracy of the BAT-MC network
from bottom to top.
can reach 84.25%, which is about 4.12%
2. At the input layer, BAT-MC model
and 2.96% higher than the existing CNN
converts each traffic byte into a one-hot
and RNN model, respectively. The
data format. Each traffic byte is encoded
following are some of the key
as an n-dimensional vector. After traffic
contributions and findings of our work:
byte is converted into a numerical form,
1) We propose an end-to-end deep
we perform normalization operation.
learning model BAT-MC that is
2.4 FEASIBILITY STUDY
composed of BLSTM and attention
mechanism. BAT-MC can well solve the The feasibility of the project is
problem of intrusion detection and analyzed in this phase and business
provide a new research method for proposal is put forth with a very general
intrusion detection. plan for the project and some cost
5
�estimates. During system analysis the will lead to high demands being placed on
feasibility study of the proposed system is the client. The developed system must
to be carried out. This is to ensure that the have a modest requirement, as only
proposed system is not a burden to the minimal or null changes are required for
company. For feasibility analysis, some implementing this system.
understanding of the major requirements
for the system is essential. SOCIAL FEASIBILITY
Three key considerations involved in the The aspect of study is to check the
feasibility analysis are level of acceptance of the system by the
ECONOMICAL FEASIBILITY user. This includes the process of training
TECHNICAL FEASIBILITY the user to use the system efficiently. The
SOCIAL FEASIBILITY user must not feel threatened by the
ECONOMICAL FEASIBILITY system, instead must accept it as a
necessity. The level of acceptance by the
This study is carried out to check
users solely depends on the methods that
the economic impact that the system will
are employed to educate the user about the
have on the organization. The amount of
system and to make him familiar with it.
fund that the company can pour into the
His level of confidence must be raised so
research and development of the system is
that he is also able to make some
limited. The expenditures must be justified.
constructive criticism, which is welcomed,
Thus the developed system as well within
as he is the final user of the system.
the budget and this was achieved because
most of the technologies used are freely
available. Only the customized products 2.5 FEATURES OF THE
had to be purchased. PROJECT
The BAT-MC model consists of five
TECHNICAL FEASIBILITY
components, including the input layer,
This study is carried out to
multiple convolutional Layers, BSLTM
check the technical feasibility, that is, the
layer, attention layer and output layer,
technical requirements of the system. Any
from bottom to top. At the input layer,
system developed must not have a high
BAT-MC model converts each traffic byte
demand on the available technical
into a one-hot data format. Each traffic
resources. This will lead to high demands
byte is encoded as an n-dimensional
on the available technical resources. This
vector. After traffic byte is converted into
6
�a numerical form, we perform local features of traffic data.
normalization operations. At the multiple Convolutional layer is the most important
convolutional layer, we convert the part of the CNN, which convolves the
numerical data into traffic images. input images (or feature maps) with
Convolutional operation is used as a multiple convolutional kernels to create
feature extractor that takes an image different feature maps. The shallower
representation of data packet. At the convolutional layers whose receptive field
BLSTM layer, BLSTM model which is narrow can extract local
connects the forward LSTM and the information,and while the deeper layers
backward LSTM is used to extract can capture global information with larger
features on the the traffic bytes of each vision field. Hence, as the number of the
packet. BLSTM model can learn the convolutional layers increases, the scale of
sequential characteristics within the traffic the convolutional feature gradually
bytes because BLSTM is suitable to the becomes coarser.
structure of network traffic. C. BLSTM LAYER
A. DATA PREPROCESSING LAYER For the time series data composed of
There are three symbolic data types in traffic bytes, BLSTM can effectively use
NSL-KDD data features: protocol type, the context information of data for feature
flag and service. We use one-hot encoder learning. The BLSTM is used to learn the
mapping these features into binary vectors. time series feature in the data packet.
One-Hot Processing: NSL-KDD dataset is Traffic bytes of each data packet are
processed by one-hot method to transform sequentially input into an BLSTM, which
symbolic features into numerical features. finally obtain a packet vector. BLSTM is
For example, the second feature of the an enhanced version of LSTM (Long
NSL-KDD data sample is protocol type. Short-Term Memory). The BLSTM model
The protocol type has three values: tcp, is used to extract coarse-grained features
udp, and icmp. One-hot method is by connecting forward LSTM and
processed into a binary code that can be backward LSTM.
recognized by a computer, where tcp is [1, D. ATTENTION LAYER
0, 0], udp is [0, 1, 0], and icmp is [0, 0, 1]. BLSTM eventually generates a packet
B. MULTIPLE CONVOLUTIONAL vector for each packet. These packet
LAYERS vectors are arranged in the order of
After the above processing operations, interaction between the two parties in the
convolutional layer is used to capture the network stream to form a sequence of
7
�packet vectors. The relationships within Python is currently the most
packet vectors will be learned by attention widely used multi-purpose, high-
layer. Attention mechanism is used to level programming language.
adjust probability of packet vectors so that
Python allows programming in Object-
our model pays more attention to
Oriented and Procedural paradigms.
important features.
Python programs generally are smaller
E. MODEL TRAINING
than other programming languages like
Training the proposed network contains a
Java.
forward pass and a backward pass.
Programmers have to type
Forward Propagation The BAT-MC model
relatively less and indentation
is mainly composed of BLSTM layer and
requirement of the language, makes
attention layer, each of which presents
them readable all the time.
different structures and thus plays
Python language is being used by
different role in the whole model. The
almost all tech-giant companies like
forward propagation is conducted from
– Google, Amazon, Facebook,
BLSTM layer to attention layer. The input
Instagram, Dropbox, Uber… etc.
of current model is obtained by the
The biggest strength of Python is
processing of the previous model. After
huge collection of standard library
the completion of forward propagation,
which can be used for the following
the final recognition result is obtained.
–
Backward Propagation: The model is
⚫ Machine Learning
trained with adam. Adam is calculated by
⚫ GUI Applications (like Kivy, Tkinter,
the back-propagation algorithm. Error
PyQt etc. )
differentials are back-propagated with the
⚫ Web frameworks like Django (used
forward-backward algorithm. Back-
by YouTube, Instagram, Dropbox)
Propagation Through Time (BPTT) is
⚫ Image processing (like Opencv,
applied to calculate the error differentials.
Pillow)
2.6 TECHNOLOGIES USED ⚫ Web scraping (like Scrapy,
FOR IMPLEMENTION BeautifulSoup, Selenium)
WHAT IS PYTHON :- ⚫ Test frameworks
Below are some facts about Python. ⚫ Multimedia
8
�Advantages of Python :- productive than languages like Java
and C++ do. Also, the fact that you need
Let’s see how Python dominates over
to write less and get more things done.
other languages.
5. IOT Opportunities
1. Extensive Libraries
Since Python forms the basis of new
Python downloads with an extensive platforms like Raspberry Pi, it finds the
library and it contain code for various future bright for the Internet Of Things.
purposes like regular expressions, This is a way to connect the language
documentation-generation, unit-testing, with the real world.
web browsers, threading, databases,
CGI, email, image manipulation, and 6. Simple and Easy
more. So, we don’t have to write the
When working with Java, you may
complete code for that manually.
have to create a class to print ‘Hello
2. Extensible World’. But in Python, just a print
statement will do. It is also quite easy
As we have seen earlier, Python can
to learn, understand, and code. This
be extended to other languages. You
is why when people pick up Python,
can write some of your code in
they have a hard time adjusting to other
languages like C++ or C. This comes in
more verbose languages like Java.
handy, especially in projects.
7. Readable
3. Embeddable
Because it is not such a verbose
Complimentary to extensibility, Python
language, reading Python is much like
is embeddable as well. You can put your
reading English. This is the reason why
Python code in your source code of a
it is so easy to learn, understand, and
different language, like C++. This lets
code. It also does not need curly braces
us add scripting capabilities to our
to define blocks, and indentation is
code in the other language.
mandatory. This further aids the
4. Improved Productivity readability of the code.
The language’s simplicity and extensive
libraries render programmers more
9
�8. Object-Oriented 11. Interpreted
This language supports both Lastly, we will say that it is an
the procedural and object- interpreted language. Since statements
oriented programming paradigms. are executed one by one, debugging is
While functions help us with code easier than in compiled languages.
reusability, classes and objects let us Any doubts till now in the advantages
model the real world. A class allows of Python? Mention in the comment
the encapsulation of data and section.
functions into one.
Advantages of Python Over
9. Free and Open-Source Other Languages
Like we said earlier, Python is freely 1. Less Coding
available. But not only can
you download Python for free, but Almost all of the tasks done in Python
you can also download its source code, requires less coding when the same
make changes to it, and even distribute task is done in other languages. Python
it. It downloads with an extensive also has an awesome standard library
collection of libraries to help you with support, so you don’t have to search for
your tasks. any third-party libraries to get your job
done. This is the reason that many
10. Portable people suggest learning Python to
beginners.
When you code your project in a
language like C++, you may need to
2. Affordable
make some changes to it if you want to
run it on another platform. But it isn’t Python is free therefore individuals,
the same with Python. Here, you need small companies or big organizations
to code only once, and you can run it can leverage the free available
anywhere. This is called Write Once resources to build applications. Python
Run Anywhere (WORA). However, is popular and widely used so it gives
you need to be careful enough not to you better community support.
include any system-dependent features.
The 2019 Github annual survey
showed us that Python has overtaken
10
�Java in the most popular Python are enough to distract us from its
programming language category. speed limitations.
3. Python is for Everyone 2. Weak in Mobile Computing
and Browsers
Python code can run on any machine
whether it is Linux, Mac or Windows. While it serves as an excellent server-
Programmers need to learn different side language, Python is much rarely
languages for different jobs but with seen on the client-side. Besides that, it
Python, you can professionally build is rarely ever used to implement
web apps, perform data analysis smartphone-based applications. One
and machine learning, automate things, such application is called Carbonnelle.
do web scraping and also build games The reason it is not so famous despite
and powerful visualizations. It is an all- the existence of Brython is that it isn’t
rounder programming language. that secure.
Disadvantages of Python 3. Design Restrictions
So far, we’ve seen why Python is a As you know, Python is dynamically-
great choice for your project. But if you typed. This means that you don’t need
choose it, you should be aware of its to declare the type of variable while
consequences as well. Let’s now see the writing the code. It uses duck-typing.
downsides of choosing Python over But wait, what’s that? Well, it just
another language. means that if it looks like a duck, it must
be a duck. While this is easy on the
1. Speed Limitations
programmers during coding, it can raise
We have seen that Python code is run-time errors.
executed line by line. But
4. Underdeveloped Database
since Python is interpreted, it often
results in slow execution. This, Access Layers
however, isn’t a problem unless speed is
Compared to more widely used
a focal point for the project. In other
technologies like JDBC (Java
words, unless high speed is a
DataBase Connectivity) and ODBC
requirement, the benefits offered by
(Open DataBase Connectivity),
Python’s database access layers are a bit
11
�underdeveloped. Consequently, it is less Rossum said: "In the early 1980s, I
often applied in huge enterprises. worked as an implementer on a team
building a language called ABC at
5. Simple
Centrum voor Wiskunde en Informatica
No, we’re not kidding. Python’s (CWI). I don't know how well people
simplicity can indeed be a problem. know ABC's influence on Python. I try
Take my example. I don’t do Java, I’m to mention ABC's influence because I'm
more of a Python person. To me, its indebted to everything I learned during
syntax is so simple that the verbosity of that project and to the people who
Java code seems unnecessary. worked on it."Later on in the same
Interview, Guido van Rossum continued:
This was all about the Advantages and "I remembered all my experience and
Disadvantages of Python Programming some of my frustration with ABC. I
Language. decided to try to design a simple
scripting language that possessed some
History of Python : -
of ABC's better properties, but without
What do the alphabet and the
its problems. So I started typing. I
programming language Python have in
created a simple virtual machine, a
common? Right, both start with ABC. If
simple parser, and a simple runtime. I
we are talking about ABC in the Python
made my own version of the various
context, it's clear that the programming
ABC parts that I liked. I created a basic
language ABC is meant. ABC is a
syntax, used indentation for statement
general-purpose programming language
grouping instead of curly braces or
and programming environment, which
begin-end blocks, and developed a small
had been developed in the Netherlands,
number of powerful data types: a hash
Amsterdam, at the CWI (Centrum
table (or dictionary, as we call it), a list,
Wiskunde &Informatica). The greatest
strings, and numbers."
achievement of ABC was to influence
the design of Python.Python was
3. RESULT:
conceptualized in the late 1980s. Guido
This model effectively avoids the problem
van Rossum worked that time in a
of manual design features. Performance of
project at the CWI, called Amoeba, a
the BAT-MC method is tested by
distributed operating system. In an
KDDTest+ and KDDTest-21 dataset.
interview with Bill Venners1, Guido van
12
�Experimental results on the NSL-KDD deep neural network without any feature
dataset indicate that the BAT-MC model engineering
achieves pretty high accuracy. By technology
comparing with some standard classifier,
these comparisons show that BAT-MC 5. REFERENCES
models results are very promising when
B. B. Zarpelo, R. S Miani, C. T. Kawakani,
compared to other current deep learning-
and S. C. de Alvarenga, ‘‘A survey of
based methods. Hence, we believe that the
intrusion detection in Internet of Things,’’
proposed method is a powerful tool for
J. Netw. Comput. Appl., vol. 84, pp. 25–
the intrusion detection problem.
37, Apr. 2017.
2. B. Mukherjee, L. T. Heberlein, and K.
4. CONCLUSION: N. Levitt, ‘‘Network intrusion detection,’’
The current deep learning methods in the IEEE Netw., vol. 8, no. 3, pp. 26–41, May
network traffic classification research 1994.
don’t make full use of the network traffic 3. S. Kishorwagh, V. K. Pachghare, and S.
structured information. Drawing on the R. Kolhe, ‘‘Survey on intrusion detection
application methods of deep learning in system using machine learning
the field of natural language processing, techniques,’’ Int. J. Control Automat., vol.
we propose a novel model BAT- MC via 78, no. 16, pp. 30–37, Sep. 2013.
the two phase’s learning of BLSTM and 4. N. Sultana, N. Chilamkurti, W. Peng,
attention on the time series features for and R. Alhadad, ‘‘Survey on SDN based
intrusion detection using NSL-KDD network intrusion detection system using
dataset. BLSTM layer which connects the machine learning approaches,’’ Peer-to-
forward LSTM and the backward LSTM Peer Netw. Appl., vol. 12, no. 2, pp. 493–
is used to extract features on the the traffic 501, Mar. 2019.
bytes of each packet. Each data packet can 5. M. Panda, A. Abraham, S. Das, and M.
produce a packet vector. These packet R. Patra, ‘‘Network intrusion detection
vectors are arranged to system: A machine learning approach,’’
form a network flow vector. Attention Intell. Decis. Technol., vol. 5, no. 4, pp.
layer is used to perform feature learning 347–356, 2011.
on the network flow vector composed of 6 W. Li, P. Yi, Y. Wu, L. Pan, and J. Li,
packet vectors. The above feature learning ‘‘A new intrusion detection system based
process is automatically completed by on KNN classification algorithm in
13
�wireless sensor network,’’ J. Electr.
Comput. Eng., vol. 2014, pp. 1–8, Jun.
2014.
7.S. Garg and S. Batra, ‘‘A novel
ensembled technique for anomaly
detection,’’ Int. J. Commun. Syst., vol. 30,
no. 11, p. e3248, Jul. 2017.
8. F. Kuang, W. Xu, and S. Zhang, ‘‘A
novel hybrid KPCA and SVM with GA
model for intrusion detection,’’ Appl. Soft
Comput.., vol. 18, pp. 178–184, May 2014.
9. W. Wang, M. Zhu, X. Zeng, X. Ye, and
Y. Sheng, ‘‘Malware traffic classification
using convolutional neural network for
representation learning,’’ in Proc. Int.
Conf. Inf. Netw. (ICOIN), 2017, pp. 712–
717.
10. P. Torres, C. Catania, S. Garcia, and C.
G. Garino, ‘‘An analysis of Recurrent
Neural Networks for Botnet detection
behavior,’’ in Proc. IEEE Biennial Congr.
Argentina (ARGENCON), Jun. 2016, pp.
1–6.
14
