Developing Cross-Domain Host-Based Intrusion Detection
Digital transformation has continued to have a remarkable impact on industries, creating new possibilities and improving the performance of existing ones. Recently, we have seen more deployments of cyber-physical systems and the Internet of Things (IoT) as in no other time. However, cybersecurity is...
| Main Authors: | , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
MDPI AG
2022-11-01
|
| Series: | Electronics |
| Subjects: | |
| Online Access: | https://www.mdpi.com/2079-9292/11/21/3631 |
| _version_ | 1797468509363503104 |
|---|---|
| author | Oluwagbemiga Ajayi Aryya Gangopadhyay Robert F. Erbacher Carl Bursat |
| author_facet | Oluwagbemiga Ajayi Aryya Gangopadhyay Robert F. Erbacher Carl Bursat |
| author_sort | Oluwagbemiga Ajayi |
| collection | DOAJ |
| description | Digital transformation has continued to have a remarkable impact on industries, creating new possibilities and improving the performance of existing ones. Recently, we have seen more deployments of cyber-physical systems and the Internet of Things (IoT) as in no other time. However, cybersecurity is often an afterthought in the design and implementation of many systems; therefore, there usually is an introduction of new attack surfaces as new systems and applications are being deployed. Machine learning has been helpful in creating intrusion detection models, but it is impractical to create attack detection models with acceptable performance for every single computing infrastructure and the various attack scenarios due to the cost of collecting quality labeled data and training models. Hence, there is a need to develop models that can take advantage of knowledge available in a high resource source domain to improve performance of a low resource target domain model. In this work, we propose a novel cross-domain deep learning-based approach for attack detection in Host-based Intrusion Detection Systems (HIDS). Specifically, we developed a method for candidate source domain selection from among a group of potential source domains by computing the similarity score a target domain records when paired with a potential source domain. Then, using different word embedding space combination techniques and transfer learning approach, we leverage the knowledge from a well performing source domain model to improve the performance of a similar model in the target domain. To evaluate our proposed approach, we used Leipzig Intrusion Detection Dataset (LID-DS), a HIDS dataset recorded on a modern operating system that consists of different attack scenarios. Our proposed cross-domain approach recorded significant improvement in the target domains when compared with the results from in-domain approach experiments. Based on the result, the F2-score of the target domain CWE-307 improved from 80% in the in-domain approach to 87% in the cross-domain approach while the target domain CVE-2014-0160 improved from 13% to 85%. |
| first_indexed | 2024-03-09T19:07:29Z |
| format | Article |
| id | doaj.art-7b7fa805b0434ddea9e64b8bcdcb0561 |
| institution | Directory Open Access Journal |
| issn | 2079-9292 |
| language | English |
| last_indexed | 2024-03-09T19:07:29Z |
| publishDate | 2022-11-01 |
| publisher | MDPI AG |
| record_format | Article |
| series | Electronics |
| spelling | doaj.art-7b7fa805b0434ddea9e64b8bcdcb05612023-11-24T04:27:02ZengMDPI AGElectronics2079-92922022-11-011121363110.3390/electronics11213631Developing Cross-Domain Host-Based Intrusion DetectionOluwagbemiga Ajayi0Aryya Gangopadhyay1Robert F. Erbacher2Carl Bursat3Department of Information Systems, University of Maryland Baltimore County, Baltimore, MD 21250, USADepartment of Information Systems, University of Maryland Baltimore County, Baltimore, MD 21250, USADEVCOM Army Research Laboratory, Adelphi, MD 20783, USADEVCOM Army Research Laboratory, Adelphi, MD 20783, USADigital transformation has continued to have a remarkable impact on industries, creating new possibilities and improving the performance of existing ones. Recently, we have seen more deployments of cyber-physical systems and the Internet of Things (IoT) as in no other time. However, cybersecurity is often an afterthought in the design and implementation of many systems; therefore, there usually is an introduction of new attack surfaces as new systems and applications are being deployed. Machine learning has been helpful in creating intrusion detection models, but it is impractical to create attack detection models with acceptable performance for every single computing infrastructure and the various attack scenarios due to the cost of collecting quality labeled data and training models. Hence, there is a need to develop models that can take advantage of knowledge available in a high resource source domain to improve performance of a low resource target domain model. In this work, we propose a novel cross-domain deep learning-based approach for attack detection in Host-based Intrusion Detection Systems (HIDS). Specifically, we developed a method for candidate source domain selection from among a group of potential source domains by computing the similarity score a target domain records when paired with a potential source domain. Then, using different word embedding space combination techniques and transfer learning approach, we leverage the knowledge from a well performing source domain model to improve the performance of a similar model in the target domain. To evaluate our proposed approach, we used Leipzig Intrusion Detection Dataset (LID-DS), a HIDS dataset recorded on a modern operating system that consists of different attack scenarios. Our proposed cross-domain approach recorded significant improvement in the target domains when compared with the results from in-domain approach experiments. Based on the result, the F2-score of the target domain CWE-307 improved from 80% in the in-domain approach to 87% in the cross-domain approach while the target domain CVE-2014-0160 improved from 13% to 85%.https://www.mdpi.com/2079-9292/11/21/3631deep learningcybersecurityHIDStransfer learningword embeddingsimilarity measure |
| spellingShingle | Oluwagbemiga Ajayi Aryya Gangopadhyay Robert F. Erbacher Carl Bursat Developing Cross-Domain Host-Based Intrusion Detection Electronics deep learning cybersecurity HIDS transfer learning word embedding similarity measure |
| title | Developing Cross-Domain Host-Based Intrusion Detection |
| title_full | Developing Cross-Domain Host-Based Intrusion Detection |
| title_fullStr | Developing Cross-Domain Host-Based Intrusion Detection |
| title_full_unstemmed | Developing Cross-Domain Host-Based Intrusion Detection |
| title_short | Developing Cross-Domain Host-Based Intrusion Detection |
| title_sort | developing cross domain host based intrusion detection |
| topic | deep learning cybersecurity HIDS transfer learning word embedding similarity measure |
| url | https://www.mdpi.com/2079-9292/11/21/3631 |
| work_keys_str_mv | AT oluwagbemigaajayi developingcrossdomainhostbasedintrusiondetection AT aryyagangopadhyay developingcrossdomainhostbasedintrusiondetection AT robertferbacher developingcrossdomainhostbasedintrusiondetection AT carlbursat developingcrossdomainhostbasedintrusiondetection |