WIXLIB

Complex NetworksLjiljana Trajkovićljilja@cs.sfu.caCommunication Networks Laboratoryhttp://www.sfu.ca/ ljilja/cnlSchool of Engineering ScienceSimon Fraser University, Vancouver,British Columbia, Canada

Simon Fraser UniversityBurnaby CampusSeptember 12, 2019SISY 2019, Subotica, Serbia2

RoadmapnnnnnnIntroductionData processingMachine learning modelsExperimental procedurePerformance evaluationConclusion and referencesSeptember 12, 2019SISY 2019, Subotica, Serbia3

RoadmapnnnnnnIntroduction:n Complex networksn Machine learningData processingMachine learning modelsExperimental procedurePerformance evaluationConclusion and referencesSeptember 12, 2019SISY 2019, Subotica, Serbia4

Complexity SciencesSeptember 12, 2019SISY 2019, Subotica, Serbia5

The Internethttps://en.wikipedia.org/wiki/Complex network#/media/File:Internet map 1024.jpgBy The Opte Project - Originally from the English ?curid 1538544September 12, 2019SISY 2019, Subotica, Serbia6

The Internet Partial map of the Internet based on the January 15, 2005data found on opte.org. Each line is drawn between two nodes, representing two IPaddresses. The length of the lines are indicative of the delay betweenthose two nodes. This graph represents less than 30% of the Class Cnetworks reachable by the data collection program in early2005. Lines are color-coded according to their corresponding RFC1918 allocation as follows: Dark blue: net, ca, us; Green:com, org; Red: mil, gov, edu; Yellow: jp, cn, tw, au, de;Magenta: uk, it, pl, fr; Gold: br, kr, nl; White: unknown.September 12, 2019SISY 2019, Subotica, Serbia7

Scale-Free curid 29364647September 12, 2019SISY 2019, Subotica, Serbia8

Scale-Free Network An example of complex scale-free network. Graph represents the metadata of thousands of archivedocuments, documenting the social network of hundreds ofLeague of Nations personals. M. Grandjean, "La connaissance est un réseau," LesCahiers du Numérique, vol. 10, no. 3, pp. 37-54, 2014.September 12, 2019SISY 2019, Subotica, Serbia9

RoadmapnnnnnnIntroduction:n Complex networksn Machine learningData processingMachine learning modelsExperimental procedurePerformance evaluationConclusion and referencesSeptember 12, 2019SISY 2019, Subotica, Serbia10

Machine LearningnnnUsing machine learning techniques to detect networkintrusions is an important topic in cybersecurity.Machine learning algorithms have been used tosuccessfully classify network anomalies and intrusions.Supervised machine learning algorithms:n Support vector machine: SVMn Long short-term memory: LSTMn Gated recurrent unit: GRUn Broad learning system: BLSSeptember 12, 2019SISY 2019, Subotica, Serbia11

RoadmapnnnnnnIntroductionData processing:n BGP datasetsn NSL-KDD datasetn CICIDS2017n CSE-CIC-IDS2018Machine learning modelsExperimental procedurePerformance evaluationConclusion and ReferencesSeptember 12, 2019SISY 2019, Subotica, Serbia12

BGP and NSL-KDD Datasets§ Used to evaluate anomaly detection and intrusiontechniques§ BGP:§ Routing records from Réseaux IP Européens (RIPE)§ BCNET regular traffic§ NSL-KDD:§ an improvement of the KDD’99 dataset§ used in various intrusion detection systems (IDSs)September 12, 2019SISY 2019, Subotica, Serbia13

CICIDS2017 and CSE-CIC-IDS2018§ CICIDS2017 and CSE-CIC-IDS2018:§ Testbed used to create the publicly available datasetthat includes multiple types of recent cyber attacks.§ Network traffic collected between:§ Monday, 03.07.2017§ Friday, 07.07.2017§ Wednesday, 14.02.2018§ Friday, 02.03.2018September 12, 2019SISY 2019, Subotica, Serbia14

BGP Datasets§ Anomalous data: days of the attack§ Regular data: two days prior and two days after theattack§ 37 numerical features from BGP update messages§ Best performance: 60% for training and 40% for testingRegular(min)Anomaly(min)Code Red ber 12, 2019Regular Anomaly(training) 772,12311,3993,2095313121339SISY 2019, Subotica, Serbia15

NSL-KDD Dataset§ KDDTrain and KDDTest : training and test datasets§ KDDTes-21: a subset of the KDDTest dataset that doesnot include records correctly classified by 21 modelsRegularDoSU2RR2LProbeTotalKDDTrain 67,34345,9275299511,656125,973KDDTest 002,7542,40211,850September 12, 2019SISY 2019, Subotica, Serbia16

CICD2017 Dataset:Types of Intrusion AttacksAttackLabelDayNumber of intrusionsBrute forceFTP, SSHTuesday7,935; 5,897HeartbleedHeartbleedWednesday11Web attackBrute force,XSS, SQLInjectionThursdaymorning1,507; 652; wloris, Hulk,GoldenEye,SlowHTTPTestWednesday5,796; 230,124; 10,293; 5,499DDosDDoSFridayafternoon128,027September 12, 2019Thursday andFridayafternoonsFriday morning36; 158,9301,956SISY 2019, Subotica, Serbia17

CICD2017 Dataset: Number of FlowsDaySeptember 12, 2019Valid 9Wednesday691,406692,703Thursday (morning)170,231170,366Thursday (afternoon)288,395288,602Friday (morning)190,911191,033Friday (afternoon, PortScan)286,096286,467Friday (afternoon, DDoS)225,711225,745SISY 2019, Subotica, Serbia18

CICD2018 Dataset:Types of Intrusion AttacksDateAttackDay14.02.2018 FTP-BF, SSH-BFWednesdayDoS-GE, S-HOICWeb-BF, XSS-BF,22.02.2018ThursdaySQL InjectionWeb-BF, XSS-BF,23.02.2018FridaySQL Injection28.02.2018 InfiltrationWednesday01.03.2018 InfiltrationThursday02.03.2018 BotFridaySeptember 12, 2019Numberof benigninstances667626380949Number ofintrusionsSISY 2019, Subotica, 238037762384613104331125104857519

RoadmapnnnnnnIntroductionData processingMachine learning models:n Deep learning: multi-layer recurrent neural networksn Broad learning systemExperimental procedurePerformance evaluationConclusion and referencesSeptember 12, 2019SISY 2019, Subotica, Serbia20

Deep Learning Neural Networkn37 (BGP)/109 (NSL-KDD) RNNs, 80 FC1, 32 FC2, and16 FC3 fully connected (FC) hidden nodes:September 12, 2019SISY 2019, Subotica, Serbia21

Long Short-Term MemorynRepeating module for the Long Short-Term Memory(LSTM) neural network:September 12, 2019SISY 2019, Subotica, Serbia22

Long Short-Term Memory: LSTMThe outputs of the forget gate 𝑓! , the input gate 𝑖! ,and the output gate 𝑜! at time t are:𝑓! 𝜎 𝑊"# 𝑥! 𝑏"# 𝑈 # ℎ!%& 𝑏 #𝑖! 𝜎 𝑊"" 𝑥! 𝑏"" 𝑈 " ℎ!%& 𝑏 "𝑜! 𝜎(𝑊"' 𝑥! 𝑏"' 𝑈 ' ℎ!%& 𝑏 ' ),where:𝜎 . : logistic sigmoid function𝑥! : current input vectorℎ!%&: previous output vector𝑊"# , 𝑈 # , 𝑊"" , 𝑈 " , 𝑊"' and 𝑈 ' : weight matricesn𝑏"# , 𝑏 # , 𝑏"" , 𝑏 " , 𝑏"' , and 𝑏 ' : bias vectorsSeptember 12, 2019SISY 2019, Subotica, Serbia23

Long Short-Term Memory: LSTMOutput 𝑖! of the input gate decides if the informationwill be stored in the cell state. The sigmoid function isused to update the information.n Cell state 𝑐! :𝑐! 𝑓! 𝑐!%& 𝑖! 𝑡𝑎𝑛ℎ 𝑊"( 𝑥! 𝑏"( 𝑈 ( ℎ!%& 𝑏 ( ,where:n denotes element-wise multiplicationsn 𝑡𝑎𝑛ℎ function: used to create a vector for the nextcell staten Output of the LSTM cell:ℎ! 𝑜! 𝑡𝑎𝑛ℎ(𝑐! )nSeptember 12, 2019SISY 2019, Subotica, Serbia24

Gated Recurrent UnitnRepeating module for the Gated Recurrent Unit (GRU)neural network:September 12, 2019SISY 2019, Subotica, Serbia25

Gated Recurrent Unit: GRUThe outputs of the reset gate 𝑟! and the update gate 𝑧!at time t:𝑟! 𝜎 𝑊") 𝑥! 𝑏") 𝑈 ) ℎ!%& 𝑏 )𝑧! 𝜎(𝑊"* 𝑥! 𝑏"* 𝑈 * ℎ!%& 𝑏 * ),where:n 𝜎: sigmoid functionn 𝑥! : input, ℎ!%& is the previous output of the GRU celln 𝑊") , 𝑈 ) , 𝑊"* , and 𝑈 * : weight matricesn 𝑏") , 𝑏 ) , 𝑏"* , and 𝑏 * : bias vectorsnSeptember 12, 2019SISY 2019, Subotica, Serbia26

Gated Recurrent Unit: GRUOutput of the GRU cell:ℎ! 1 𝑧! 𝑛! 𝑧! ℎ!%&,where 𝑛! :n 𝑛! 𝑡𝑎𝑛ℎ(𝑊" 𝑥! 𝑏" 𝑟! (𝑈 ℎ!%& 𝑏 ))n 𝑊" and 𝑈 : weight matricesn 𝑏" and 𝑏 : bias vectorsnSeptember 12, 2019SISY 2019, Subotica, Serbia27

RoadmapnnnnnnIntroductionData processingMachine learning models:n Deep learning: multi-layer recurrent neural networksn Broad learning systemExperimental procedurePerformance evaluationConclusion and referencesSeptember 12, 2019SISY 2019, Subotica, Serbia28

Broad Learning SystemnModule of the Broad Learning System (BLS) algorithmwith increments of mapped features, enhancementnodes, and new input data:September 12, 2019SISY 2019, Subotica, Serbia29

Original BLSnMatrix 𝑨, is constructed from groups of mappedfeatures 𝒁 and groups of enhancement nodes 𝑯- as:𝐴! 𝒁" 𝑯# ] 𝜙 𝑿𝑾 ! 𝛽 ! 𝜉(𝒁"! 𝑾%" 𝛽%" ) ,where: 𝑖 1, 2, , 𝑛 𝑎𝑛𝑑 𝑗 1, 2, , 𝑚n 𝜙 and 𝜉: projection mappingsn 𝑾. , 𝑾 : weights!"n𝛽.! , 𝛽 " : bias parametersModified to include additional mapped features 𝒁 /&,enhancement nodes 𝑯-/&, and/or input nodes 𝑿0September 12, 2019SISY 2019, Subotica, Serbia30

Original BLSnMoore-Penrose pseudo inverse of matrix 𝑨, iscomputed to calculate the weights of the output:# &𝑾#" [𝑨" ] 𝒀nDuring the testing process, data labels are deducedusing the calculated weights 𝑾 , mapped features 𝒁 ,and enhancement nodes 𝑯- :#𝒀 𝑨#" 𝑾" 𝒁𝟏 , , 𝒁" 𝑯( , , 𝑯# ]𝑾#"September 12, 2019SISY 2019, Subotica, Serbia31

RBF-BLS ExtensionnnThe RBF function is implemented using Gaussian kernel: 𝑥 𝑐 2𝜉 𝑥 𝑒𝑥𝑝 𝛾2Weight vectors of the output 𝑯𝑾 are deduced from:𝑾 (𝑯1 𝑯)%&𝑯1 𝒀 𝑯/𝒀,where:n 𝑾 𝜔& , 𝜔2 , , 𝜔3 : output weightsn 𝑯 𝜉& , 𝜉2 , , 𝜉3 : hidden nodes/n 𝑯 : pseudoinverse of 𝑯September 12, 2019SISY 2019, Subotica, Serbia32

Cascades of Mapped FeaturesSeptember 12, 2019SISY 2019, Subotica, Serbia33

Cascades of Mapped FeaturesnnCascade of mapped features (CFBLS):the new group of mapped features is created by usingthe previous group (𝑘 1).Groups of mapped features are formulated as:𝒁3 𝜙(𝒁3%&𝑾.# 𝛽.# ) 𝜙 3 𝑿 ; {𝑾.! , 𝛽.! }3"4& , 𝑓𝑜𝑟 𝑘 1, , 𝑛September 12, 2019SISY 2019, Subotica, Serbia34

Cascades of Enhancement NodesSeptember 12, 2019SISY 2019, Subotica, Serbia35

Cascades of Enhancement NodesnnThe first enhancement node in cascade ofenhancement nodes (CEBLS) is generated frommapped features.The subsequent enhancement nodes are generatedfrom previous enhancement nodes creating a cascade:𝜉5𝒁 5𝐻5 ; 𝑾 ! , 𝛽 !, 𝑓𝑜𝑟 𝑢 1, , 𝑚,"4&where:n 𝑾 and 𝛽 : randomly generated!!September 12, 2019SISY 2019, Subotica, Serbia36

Cascades with Incremental LearningSeptember 12, 2019SISY 2019, Subotica, Serbia37

RoadmapnnnnnnIntroductionData processing:Machine learning models:Experimental procedurePerformance evaluationConclusion and referencesSeptember 12, 2019SISY 2019, Subotica, Serbia38

Intrusion Detection SystemnArchitecture:September 12, 2019SISY 2019, Subotica, Serbia39

Experimental Procedure§ Step 1: Normalize training and test datasets.§ Step 2: Train the RNN models and BLS using 10-foldvalidation. Tune parameters of the RNN and BLSmodels.§ Step 3: Test the RNN and BLS models.§ Step 4: Evaluate models based on:§ Accuracy§ F-Score*RNN: recurrent neural network*BLS: broadd learning systemSeptember 12, 2019SISY 2019, Subotica, Serbia40

Most Relevant Features§ CICIDS 2017: 16 most relevant featuresSeptember 12, 2019SISY 2019, Subotica, Serbia41

Most Relevant Features§ CSE-CIC-IDS2018: 16 most relevant featuresSeptember 12, 2019SISY 2019, Subotica, Serbia42

Number of BLS Training ParametersParametersCode Red INimdaSlammerNSL-KDD10050010010011255Enhancement nodes500700300100Incremental learningsteps10923Data 5060Mapped featuresGroups of mappedfeaturesSeptember 12, 2019SISY 2019, Subotica, Serbia43

Number of BLS Training r of BLSMapped features201010202015Groups ofmapped delSeptember 12, 2019SISY 2019, Subotica, Serbia44

Number of Incremental BLSTraining r of featuresIncremental BLSModel78CFBLS6432CFEBLS CEBLS786432BLSCEBLSBLSMapped features102010152010Groups of 4020Incrementallearning 020202020Data points/stepEnhancementnodes/stepSeptember 12, 2019SISY 2019, Subotica, Serbia45