Publication Type

Journal Article

Version

acceptedVersion

Publication Date

8-2024

Abstract

Anomaly-based network intrusion detection systems (NIDSs) are essential for ensuring cybersecurity. However, the security communities realize some limitations when they put most existing proposals into practice. The challenges are mainly concerned with (i) fine-grained unknown attack detection and (ii) ever-changing legitimate traffic adaptation. To tackle these problem, we present three key design norms. The core idea is to construct a model to split the data distribution hyperplane and leverage the concept of isolation, as well as advance the incremental model update. We utilize the isolation tree as the backbone to design our model, named FOSS, to echo back three norms. By analyzing the popular dataset of network intrusion traces, we show that FOSS significantly outperforms the state-of-the-art methods. Further, we perform an initial deployment of FOSS by working with the Internet Service Provider (ISP) to detect distributed denial of service (DDoS) attacks. With real-world tests and manual analysis, we demonstrate the effectiveness of FOSS to identify previously-unseen attacks in a fine-grained manner.

Keywords

Intrusion detection system, fine-grained unknown class detection, isolation forest

Discipline

Information Security

Research Areas

Software and Cyber-Physical Systems

Publication

IEEE/ACM Transactions on Networking

First Page

1

Last Page

16

ISSN

1063-6692

Identifier

10.1109/TNET.2024.3413789

Publisher

Institute of Electrical and Electronics Engineers

Copyright Owner and License

Authors

Additional URL

https://doi.org/10.1109/TNET.2024.3413789

Download

Share

COinS