Network Intrusion Detection System using Machine Learning (Reinforcement Learning)
The proposed approach detects the intrusions listed below with Deep Reinforcement Learning, specifically Q-learning: the detector is trained as an agent that is rewarded for labelling traffic correctly and penalised for misses and false alarms, with the aim of improving the stability and detection performance of the system.
The network attacks to be detected are DDoS, R2L and U2R, Probing and Spoofing:
DDoS: A Distributed Denial of Service attack is a DoS attack in which many compromised systems, often infected with a Trojan, are used to flood a single target until its services become unavailable. These attacks are among the most dangerous security threats: the attacker aims to bring down the victim's network or cyber system and interrupt its services. MEC (multi-access edge computing) systems are especially exposed, because distributed edge devices that are not well protected by security protocols can be compromised and then used to attack other edge nodes. Some attackers also aim to prevent collaborative caching users from accessing the cached data. Jamming, which saturates the radio channel, can be viewed as a special type of DoS attack.
The simplest approach is to examine the web server logs and decide whether each request belongs to a DoS/DDoS attack or not: collect good and bad requests and label them (bot or not). The tricky part is feature extraction. As features you can use the HTTP request method, HTTP status code, URL, requested file name, User-Agent, source IP address and the geolocation of that IP address; then train and test a machine learning model on them. The drawback of this approach is that each request is classified in isolation, whereas a DDoS attack is defined by volume and timing across many requests and sources, so per-request features have to be complemented with per-source rate and time-window statistics.
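As an added example (not code from the original proposal), the feature extraction just described, applied to a constructed Apache/Nginx combined-format log. Besides the per-request features named above (method, status, URL, file name, User-Agent, IP), it adds the sliding-window context that the per-request approach lacks: how many requests the same source sent in the last few seconds and how many of them hit the same URL. The log lines, the IP addresses and the 10-second window are constructed for illustration; geolocation is omitted because it needs an external database.

```python
"""Per-request features plus per-source sliding-window features from web server access logs."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/Nginx combined log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample, not captured traffic: one browsing user and one scripted
# source that fires six identical requests within two seconds.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:58 +0000] "POST /login HTTP/1.1" 302 0 "http://example.test/index.html" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "GET /dashboard HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def request_features(rec):
    """The per-request features from the text: method, status, URL, file name, User-Agent, IP."""
    path = rec["url"].split("?", 1)[0]
    return {
        "ip": rec["ip"],
        "method": rec["method"],
        "status": rec["status"],
        "url": rec["url"],
        "file_name": path.rsplit("/", 1)[-1] or "index",
        "user_agent": rec["ua"],
        # Crude hint only: attackers can set any User-Agent they like.
        "scripted_ua": rec["ua"].split("/")[0].lower() in {"python-requests", "curl", "wget"},
    }


def add_window_features(records, window_seconds=10):
    """Per-source sliding window: requests from this IP in the last window_seconds,
    and how many of them targeted the same URL. Records must be in timestamp order."""
    history = defaultdict(deque)
    out = []
    for rec in records:
        q = history[rec["ip"]]
        q.append((rec["ts"], rec["url"]))
        while (rec["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        f = request_features(rec)
        f["reqs_in_window"] = len(q)
        f["same_url_in_window"] = sum(1 for _, u in q if u == rec["url"])
        out.append(f)
    return out


def extract(log_text, window_seconds=10):
    """Parse, order by time, and produce one feature row per request."""
    recs = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    recs.sort(key=lambda r: r["ts"])  # stable sort keeps same-second order
    return add_window_features(recs, window_seconds)


def peak_rate(features):
    """Highest reqs_in_window per IP: the signal a per-request classifier never sees."""
    peaks = defaultdict(int)
    for f in features:
        peaks[f["ip"]] = max(peaks[f["ip"]], f["reqs_in_window"])
    return dict(peaks)


if __name__ == "__main__":
    rows = extract(SAMPLE_LOG)
    for f in rows:
        print(f["ip"], f["method"], f["url"], f["status"], f["reqs_in_window"], f["same_url_in_window"])
    print(peak_rate(rows))
```

Every request from 198.51.100.7 has the same method, URL and status code as legitimate traffic, so on the per-request features alone it is indistinguishable from the browsing user; only reqs_in_window separates the two sources. These windowed counts are what the model should be trained on alongside the per-request features.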
R2L: unauthorized access from a remote to the local machine.
U2R: unauthorized escalation from a local user account to superuser (root) privileges.
A remote-to-local (R2L) attack is one in which an attacker who has no account on a machine sends packets to it over the network in order to exploit a vulnerability and gain the access that a local user would have on that computer, e.g. xlock, guest, xsnoop, phf, sendmail, dictionary (password guessing) etc.
Probing: A probe attack scans a network to gather information about its hosts and identify vulnerabilities. The attacker scans a machine or a network device to determine weaknesses that may later be exploited to compromise the system; this is the reconnaissance phase that precedes most intrusions. Types of probe attacks are saint, portsweep, mscan, nmap etc.
We use the CICIDS 2017 dataset for intrusion detection, which has up-to-date attributes and includes recent attack types. This section describes the publicly available dataset used to train our neural network.
CICIDS 2017: Generating realistic background traffic was one of the highest priorities of the dataset's authors. They used their B-Profile system (Sharafaldin et al., 2017), which profiles the abstract behaviour of human interactions and generates naturalistic benign background traffic. The B-Profile for this dataset extracts the abstract behaviour of 25 users based on the HTTP, HTTPS, FTP, SSH and email protocols.
The dataset also includes the results of network traffic analysis with CICFlowMeter: flows labelled by timestamp, source and destination IPs, source and destination ports, protocol and attack, distributed as CSV files. Each CSV row is one bidirectional flow with its statistical features and a Label column, which is the unit the detector classifies.
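As an added example (not code from the original proposal or from the CIC), this block shows the two steps the proposal rests on: loading CICFlowMeter-style labelled flows from CSV, and training a tabular Q-learning agent whose actions are "benign" and "attack" and whose reward is +1 for a correct label, -1 for a false alarm and -2 for a missed attack. The CSV rows are constructed, with only five of the CICIDS 2017 columns; the bin edges, reward values, learning rate and discount factor are assumptions chosen for this toy stream, and the deep Q-network the proposal envisages would replace the state table with a neural network over the raw features. Evaluation here is in-sample, which only shows that the update rule learns the policy, not how it generalises.

```python
"""Tabular Q-learning over CICFlowMeter-style flows: actions are benign/attack labels."""
import csv
import io
import random

# Constructed rows in CICFlowMeter column style; not taken from the CICIDS 2017 files.
SAMPLE_CSV = """\
Destination Port, Flow Duration, Total Fwd Packets, Total Backward Packets, Flow Packets/s, Label
443,1200345,12,10,18.3,BENIGN
80,2500000,30,28,23.2,BENIGN
22,890000,8,9,19.1,BENIGN
443,3100000,40,35,24.2,BENIGN
80,120,2,0,16666.7,DDoS
80,95,2,0,21052.6,DDoS
80,140,3,0,21428.6,DDoS
80,110,2,0,18181.8,DDoS
"""
FEATURES = ["Flow Duration", "Total Fwd Packets", "Total Backward Packets", "Flow Packets/s"]
ACTIONS = (0, 1)  # 0 = label flow benign, 1 = label flow attack


def load_flows(csv_text):
    """Return [(feature_vector, label)] with label 1 for any non-BENIGN row."""
    flows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # The real CICIDS 2017 headers carry leading spaces; strip so lookups do not depend on them.
        row = {k.strip(): v.strip() for k, v in row.items()}
        x = [float(row[f]) for f in FEATURES]
        y = 0 if row["Label"].upper() == "BENIGN" else 1
        flows.append((x, y))
    return flows


def bucket(value, edges):
    """Index of the bin the value falls in; edges are ascending thresholds."""
    return sum(value > e for e in edges)


def state_of(x):
    """Discretise a flow into a small tuple so a Q-table can index it (assumed bin edges)."""
    duration, fwd, bwd, pps = x
    return (bucket(duration, (1000, 100000)), bucket(fwd, (5, 20)), 0 if bwd == 0 else 1,
            bucket(pps, (100, 5000)))


def train_q(flows, episodes=30, alpha=0.5, gamma=0.2, epsilon=0.2, seed=0):
    """Epsilon-greedy Q-learning; each episode replays the flow stream in a shuffled order
    and the 'next state' is the next flow in that stream."""
    rng = random.Random(seed)
    q = {}
    for _ in range(episodes):
        order = flows[:]
        rng.shuffle(order)
        for i, (x, y) in enumerate(order):
            s = state_of(x)
            qs = q.setdefault(s, [0.0, 0.0])
            explore = rng.random() < epsilon
            a = rng.choice(ACTIONS) if explore else max(ACTIONS, key=lambda k: qs[k])
            # Asymmetric reward: a missed attack costs more than a false alarm.
            r = 1.0 if a == y else (-2.0 if y == 1 else -1.0)
            if i + 1 < len(order):
                nxt = q.setdefault(state_of(order[i + 1][0]), [0.0, 0.0])
            else:
                nxt = [0.0, 0.0]  # terminal: no future value
            qs[a] += alpha * (r + gamma * max(nxt) - qs[a])
    return q


def classify(q, x):
    """Greedy action for a flow; unseen states raise an alert (fail closed, an assumption here)."""
    qs = q.get(state_of(x))
    if qs is None:
        return 1
    return max(ACTIONS, key=lambda k: qs[k])


def evaluate(q, flows):
    """Accuracy, precision and recall of the greedy policy on labelled flows."""
    tp = fp = fn = tn = 0
    for x, y in flows:
        p = classify(q, x)
        tp += p == 1 and y == 1
        fp += p == 1 and y == 0
        fn += p == 0 and y == 1
        tn += p == 0 and y == 0
    total = tp + fp + fn + tn
    return {
        "accuracy": (tp + tn) / total if total else 0.0,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
    }


if __name__ == "__main__":
    flows = load_flows(SAMPLE_CSV)
    q = train_q(flows)
    for s, qs in sorted(q.items()):
        print(s, [round(v, 2) for v in qs])
    print(evaluate(q, flows))
```

The Q-table has one row per discretised flow state and two columns, one per action; after training, the larger entry in each row is the label the agent emits. The asymmetric reward is where the proposal's stability and performance goals are encoded: by making a missed attack cost twice a false alarm the agent is pushed towards recall, and that trade-off should be tuned on the dataset's class balance rather than fixed as here.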