Methodology for the Detection of Contaminated Training Datasets for Machine Learning-Based Network Intrusion-Detection Systems

With the significant increase in cyber-attacks and attempts to gain unauthorised access to systems and information, Network Intrusion-Detection Systems (NIDSs) have become essential detection tools. Anomaly-based systems use machine learning techniques to distinguish between normal and anomalous tra...

Full description

Saved in:
Bibliographic Details
Published inSensors (Basel, Switzerland) Vol. 24; no. 2; p. 479
Main Authors Medina-Arco, Joaquín Gaspar, Magán-Carrión, Roberto, Rodríguez-Gómez, Rafael Alejandro, García-Teodoro, Pedro
Format Journal Article
LanguageEnglish
Published Switzerland MDPI AG 01.01.2024
MDPI
Subjects
anomaly detection
Artificial intelligence
autoencoders
Computer networks
Cybersecurity
Cyberterrorism
Datasets
deep learning
Detectors
Internet of Things
Labeling
Machine learning
methodology
Methods
NIDS
real network datasets
Germany
autoencoders
data quality
deep learning
anomaly detection
real network datasets
NIDS
methodology
Online AccessGet full text

Cover

More Information
Summary:With the significant increase in cyber-attacks and attempts to gain unauthorised access to systems and information, Network Intrusion-Detection Systems (NIDSs) have become essential detection tools. Anomaly-based systems use machine learning techniques to distinguish between normal and anomalous traffic. They do this by using training datasets that have been previously gathered and labelled, allowing them to learn to detect anomalies in future data. However, such datasets can be accidentally or deliberately contaminated, compromising the performance of NIDS. This has been the case of the UGR'16 dataset, in which, during the labelling process, botnet-type attacks were not identified in the subset intended for training. This paper addresses the mislabelling problem of real network traffic datasets by introducing a novel methodology that (i) allows analysing the quality of a network traffic dataset by identifying possible hidden or unidentified anomalies and (ii) selects the ideal subset of data to optimise the performance of the anomaly detection model even in the presence of hidden attacks erroneously labelled as normal network traffic. To this end, a two-step process that makes incremental use of the training dataset is proposed. Experiments conducted on the contaminated UGR'16 dataset in conjunction with the state-of-the-art NIDS, Kitsune, conclude with the feasibility of the approach to reveal observations of hidden botnet-based attacks on this dataset.
Bibliography:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 23
This paper is an extended version of our paper published in FQAS 2023.
ISSN:1424-8220
1424-8220
DOI:10.3390/s24020479