ITL-IDS: Incremental Transfer Learning for Intrusion Detection Systems
Isfahan University of Technology, Isfahan, Iran. ORCID iD: 0000-0002-3287-2511
Isfahan University of Technology, Isfahan, Iran. ORCID iD: 0000-0003-0966-9862
Isfahan University of Technology, Isfahan, Iran. ORCID iD: 0000-0002-6810-3554
Halmstad University, School of Information Technology. ORCID iD: 0000-0002-1759-8593
2022 (English). In: Knowledge-Based Systems, ISSN 0950-7051, E-ISSN 1872-7409, Vol. 253, article id 109542. Article in journal (Refereed). Published.
Abstract [en]

Utilizing machine learning methods to detect intrusion into computer networks is a trending topic in information security research. The limitation of labeled samples is one of the challenges in this area. This challenge makes it difficult to build accurate learning models for intrusion detection. Transfer learning is one of the methods to counter such a challenge in machine learning topics. On the other hand, the emergence of new technologies and applications might bring new vulnerabilities to computer networks. Therefore, the learning process cannot occur all at once. Incremental learning is a practical standpoint to confront this challenge. This research presents a new framework for intrusion detection systems called ITL-IDS that can potentially start learning in a network without prior knowledge. It begins with an incremental clustering algorithm to detect clusters’ numbers and shape without prior assumptions about the attacks. The outcomes are candidates to transfer knowledge between other instances of ITL-IDS. In each iteration, transfer learning provides target environments with incremental knowledge. Our evaluation shows that this method can combine incremental and transfer learning to identify new attacks. © 2022 Published by Elsevier B.V.

Place, publisher, year, edition, pages
Amsterdam: Elsevier, 2022. Vol. 253, article id 109542
Keywords [en]
Network security, Intrusion detection system, NIDS, Transfer learning, Incremental learning
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:hh:diva-47891
DOI: 10.1016/j.knosys.2022.109542
ISI: 000861208200008
Scopus ID: 2-s2.0-85135717752
OAI: oai:DiVA.org:hh-47891
DiVA, id: diva2:1687979
Available from: 2022-08-17. Created: 2022-08-17. Last updated: 2022-10-24. Bibliographically approved.
In thesis
1. Learning from Multiple Domains
2022 (English). Licentiate thesis, comprehensive summary (Other academic).
Abstract [en]

Domain adaptation (DA) transfers knowledge between domains by adapting them. The most well-known DA scenario in the literature is adapting two domains of source and target using the available labeled source samples to construct a model generalizable to the target domain. Although the primary purpose of DA is to compensate for the target domain’s labeled data shortage, the concept of adaptation can be utilized to solve other problems.

One issue that may occur during adaptation is the problem of class misalignment, which would result in a negative transfer. Therefore, preventing negative transfer should be considered while designing DA methods. In addition, the sample availability in domains is another matter that should also be taken into account.

Considering the two mentioned matters, this thesis aims to develop DA techniques to solve primary predictive maintenance problems.

This thesis considers a spectrum of cases with different amounts of available target data. One endpoint is the case in which we have access to enough labeled target samples for all classes. In this case, we use the concept of DA for 1) Analyzing two different physical properties, i.e., vibration and current, to measure their robustness for fault identification and 2) Developing a denoising method to construct a robust model for a noisy test environment.

Next, we consider the case where we have access to unlabeled and a few labeled target samples. Using the few labeled samples available, we aim to prevent negative transfer while adapting source and target domains. To achieve this, we construct a unified features representation using a few-shot and an adaptation learning technique.

In the subsequent considered setting, we assume we only have access to very few labeled target samples, which are insufficient to train a domain-specific model. Furthermore, for the first time in the literature, we solve the DA for regression in a setting in which it adapts multiple domains with any arbitrary shift.

Sometimes, due to the dynamic nature of the environment, we need to update a model to reflect the changes continuously. An example is in the field of computer network security. There is always the possibility of intrusion into a computer network, which makes each Intrusion Detection System (IDS) subject to concept shifts. In addition, different types of intrusions may occur in different networks. This thesis presents a framework for handling concept shift in one single network through incremental learning and simultaneously adapting samples from different networks to transfer knowledge about various intrusions. In addition, we employ active learning to use expert knowledge to label the samples for the adaptation purpose.

During adaptation, all cases mentioned so far have the same label space for the source and target domains. Occasionally, this is not the case, and we do not have access to samples for specific classes, either in the source or the target; this is the final scenario addressed in this thesis.

One case is when we do not have access to some classes in the source domain. This setting is called Partial Domain Adaptation (PDA). This setting is beneficial to network traffic classification systems because, in general, every network has different types of applications and, therefore, different types of traffic. We develop a method for transferring knowledge from a source network to a target network even if the source network does not contain all types of traffic.

Another case is when we have access to unlabeled target samples but not for all classes. We call this Limited Domain Adaptation (LDA) setting and propose a DA method for fault identification. The motivation behind this setting is that for developing a fault identification model for a system, we don’t want to wait until the occurrence of all faults for collecting even unlabeled samples; instead, we aim to use the knowledge about those faults from other domains.

We provide results on synthetic and real-world datasets for the scenarios mentioned above. Results indicate that the proposed methods outperform the state of the art and are effective and practical in solving real-world problems.

For future work, we plan to extend the proposed methods to adapt domains with different input features, especially for solving predictive maintenance problems. Furthermore, we intend to extend our work to out-of-distribution learning methods, such as domain generalization.

Place, publisher, year, edition, pages
Halmstad: Halmstad University Press, 2022. p. 26
Series
Halmstad University Dissertations ; 92
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:hh:diva-47890
ISBN: 978-91-88749-96-3
ISBN: 978-91-88749-95-6
Presentation
2022-09-14, Wigforssalen, Hus J (Visionen), Kristian IV:s väg 3, Halmstad, 13:00 (English)
Funder
Vinnova
Available from: 2022-08-18. Created: 2022-08-17. Last updated: 2022-08-18. Bibliographically approved.

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full text; Scopus

Authority records

Taghiyarrenani, Zahra

Authors/editors

Mahdavi, Ehsan; Fanian, Ali; Mirzaei, Abdolreza; Taghiyarrenani, Zahra

Organisation

School of Information Technology

Journal

Knowledge-Based Systems
