Abstract
Despite decades of research in network traffic analysis and great advances in artificial intelligence, network intrusion detection systems based on machine learning (ML) have yet to prove their worth. One core obstacle is the existence of concept drift, an issue for all adversary-facing security systems. Additionally, specific challenges set intrusion detection apart from other ML-based security tasks, such as malware detection. In this work, we offer a new perspective on these challenges. We propose INSOMNIA, a semi-supervised intrusion detector which continuously updates the underlying ML model as network traffic characteristics are affected by concept drift. We use active learning to reduce latency in the model updates, label estimation to reduce labeling overhead, and apply explainable AI to better interpret how the model reacts to the shifting distribution. To evaluate INSOMNIA, we extend TESSERACT—a framework originally proposed for performing sound time-aware evaluations of ML-based malware detectors—to the network intrusion domain and show that accounting for drift is vital for effective detection.
| Original language | English |
|---|---|
| Title of host publication | AISec '21 |
| Subtitle of host publication | Proceedings of the 14th ACM Workshop on Artificial Intelligence and Security |
| Publisher | ACM |
| Pages | 111-122 |
| Number of pages | 12 |
| DOIs | |
| Publication status | Published - 15 Nov 2021 |