Early Detection of Network Intrusions Using a GAN-Based One-Class Classifier

Early detection of network intrusions is a very important factor in network security. However, most studies of network intrusion detection systems utilize features for full sessions, making it difficult to detect intrusions before a session ends. To solve this problem, the proposed method uses packe...

Bibliographic Details
Main Authors: Taehoon Kim, Wooguil Pak
Format: Article
Language: English
Published: IEEE 2022-01-01
Series: IEEE Access
Subjects: Intrusion detection; generative adversarial network; early detection; real-time detection
Online Access: https://ieeexplore.ieee.org/document/9945961/
author Taehoon Kim
Wooguil Pak
collection DOAJ
description Early detection of network intrusions is a very important factor in network security. However, most studies of network intrusion detection systems utilize features for full sessions, making it difficult to detect intrusions before a session ends. To solve this problem, the proposed method uses packet data for features to determine if packets are malicious traffic. Such an approach inevitably increases the probability of falsely detecting normal packets as an intrusion or an intrusion as normal traffic for the initial session. As a solution, the proposed method learns the patterns of packets that are unhelpful in order to classify network intrusions and benign sessions. To this end, a new training dataset for a Generative Adversarial Network (GAN) is created using misclassified data from an original training dataset by the LSTM-DNN model trained using the original one. The GAN trained with this dataset has the ability to determine whether the currently received packet can be accurately classified in the LSTM-DNN. If the GAN determines that the packet cannot be classified correctly, the detection process is canceled and will be tried again when the next packet is received. A meticulously designed classification algorithm based on LSTM-DNN and a validation model using a GAN enable the proposed algorithm to accurately perform network intrusion detection in real time without session termination or delay time for collecting a certain number of packets. Various experiments confirm that the proposed method can detect intrusions very early (before the end of the session) while maintaining detection performance at a level similar to that of the existing methods.
first_indexed 2024-04-11T16:08:53Z
format Article
id doaj.art-c79eca492ff54da0bb0215cbe985a2e4
institution Directory Open Access Journal
issn 2169-3536
language English
last_indexed 2024-04-11T16:08:53Z
publishDate 2022-01-01
publisher IEEE
record_format Article
series IEEE Access
spelling doaj.art-c79eca492ff54da0bb0215cbe985a2e4 2022-12-22T04:14:45Z eng IEEE IEEE Access 2169-3536 2022-01-01 vol. 10, pp. 119357-119367 doi:10.1109/ACCESS.2022.3221400 9945961
Early Detection of Network Intrusions Using a GAN-Based One-Class Classifier
Taehoon Kim (https://orcid.org/0000-0001-6087-8331), Department of Information and Communication Engineering, Yeungnam University, Gyeongsan-si, South Korea
Wooguil Pak (https://orcid.org/0000-0002-9551-7373), Department of Information and Communication Engineering, Yeungnam University, Gyeongsan-si, South Korea
https://ieeexplore.ieee.org/document/9945961/
Intrusion detection; generative adversarial network; early detection; real-time detection
title Early Detection of Network Intrusions Using a GAN-Based One-Class Classifier
topic Intrusion detection
generative adversarial network
early detection
real-time detection
url https://ieeexplore.ieee.org/document/9945961/