Detecting Port Scan Attempts With Comparative Analysis of Deep Learning and Support Vector Machine Algorithms

Download as pdf or txt
Download as pdf or txt
You are on page 1of 4

International Congress on Big Data, Deep Learning and Fighting Cyber Terrorism Ankara, Turkey, 3-4 Dec, 2018

Detecting Port Scan Attempts with Comparative


Analysis of Deep Learning and Support Vector
Machine Algorithms
Dogukan AKSU M. Ali AYDIN
Computer Engineering Department Computer Engineering Department
Istanbul University-Cerrahpasa Istanbul University-Cerrahpasa
Istanbul, Turkey Istanbul, Turkey
d.aksu@istanbul.edu.tr aydinali@istanbul.edu.tr

Abstract—Compared to the past, developments in computer an explanation of used material and methods. Experimental
and communication technologies have provided extensive and results of the classification algorithms and performance mea-
advanced changes. The usage of new technologies provide great surements were introduced in Section 4. Section 5 provided
benefits to individuals, companies, and governments, however, it
causes some problems against them. For example, the privacy conclusion and future works.
of important information, security of stored data platforms,
availability of knowledge etc. Depending on these problems, cyber II. L ITERATURE R EVIEW
terrorism is one of the most important issues in todays world. Information security concepts consist of human, period,
Cyber terror, which caused a lot of problems to individuals and methodology, knowledge, system and technology as is shown
institutions, has reached a level that could threaten public and
country security by various groups such as criminal organiza-
in Figure 1. Confidentiality, integrity, and accessibility have
tions, professional persons and cyber activists. Thus, Intrusion to be provided by a secure system. First, the confidentiality
Detection Systems (IDS) have been developed to avoid cyber of the information means allowing access only to the person
attacks. In this study, deep learning and support vector machine who needs to access that information. Second, the integrity of
(SVM) algorithms were used to detect port scan attempts based the information is ensuring that the information is protected
on the new CICIDS2017 dataset and 97.80%, 69.79% accuracy
rates were achieved respectively.
without distortion and the original structure is intact. Finally,
Index Terms—Cyber Terror, IDS, Deep Learning, SVM, CI- the accessibility of information is the ability to access and use
CIDS2017 information at the desired time.

I. I NTRODUCTION
Computer crimes continue to increase over the years. They
are not only restricted to insignificant acts such as estimating
the login credentials of a system but also they are much more
dangerous.
Information security is the process of protecting informa-
tion from unauthorized access, usage, disclosure, destruction,
modification or damage. The terms ”Information security”,
”computer security” and ”information insurance” are often Fig. 1. Information security concepts [3].
used interchangeably. These areas are related to each other and
have common goals to provide availability, confidentiality, and As is signified by Staniford et al, there has been astonish-
integrity of information. Studies show that the first step of an ingly limited work on the issue of detecting port scans [4].
attack is discovery [1]. Reconnaissance is made in order to get Robertson et al. used a threshold method to detect the failed
information about the system in this stage. Finding a list of connection attempts [5].
open ports in a system provides very critical information for Linear Discriminant Analysis (LDA) and Principal Compo-
an attacker. For this reason, there are a lot of tools to identify nent Analysis (PCA) were applied by Ibrahimi and Ouaddane
open ports [2] such as antivirus and IDS. to identify the intrusion with NSL-KDD dataset [6]. Com-
In this work, deep learning and SVM machine learning parative consequences of KDD99 and UNSW-NB15 datasets
algorithms were applied to create IDS models to detect port analyzing network behaviours were showed by Moustafa and
scan attempts.The models were presented comparatively. Slay [7]. Liuying et al. detected and classified malicious
We categorized other parts of the paper as follows: a liter- patterns in network traffic based on the KDD99 dataset [8].
ature review was presented in Section 2. Section 3 presented Naive Bayes and Principal Component Analysis (PCA) were

978-1-7281-0472-0/18/$31.00 ©2018 IEEE

IBIGDELFT2018 77
International Congress on Big Data, Deep Learning and Fighting Cyber Terrorism Ankara, Turkey, 3-4 Dec, 2018

used with the KDD99 dataset by Almansob and Lomte [9]. TABLE I
Similarly, PCA, SVM, and KDD99 were used Chithik and A SAMPLE SET OF RECORDS FROM DATASET [12]
Rabbani for IDS [10]. In Aljawarneh et al.’s paper, their Source IP Source Port Flow Duration Total Fwd Packets
analysis and experiments were produced based on the NSL- 192.168.10.12 35396 1266342 41
192.168.10.16 60058 1319353 41
KDD dataset for their IDS model [11]. 192.168.10.12 35396 160 1
Literature studies show that KDD99 dataset is always used 192.168.10.12 35398 1303488 41
192.168.10.50 22 77 1
for IDS [6]–[10]. There are 41 features in KDD99 and it was 192.168.10.16 60058 244 1
developed in 1999. For this reason, KDD99 is old and does 192.168.10.16 60060 1307239 41
not provide any information about up-to-date new attack types 192.168.10.50 22 ... 82 1
192.168.10.12 35398 171 1
such as zero day exploits etc. Therefore we used an up-to-date 192.168.10.16 60060 210 1
and new CICIDS2017 dataset [12] in our study. 192.168.10.50 22 75 1
192.168.10.50 22 77 1
There are different but limited studies based on the CI- 192.168.10.14 53235 2 2
CIDS2017 dataset. Some of them were discussed here. D. 192.168.10.14 53235 27701 15
192.168.10.14 53234 152547 19
Aksu et al. showed performances of various machine learning 192.168.10.50 52320 4 3
algorithms detecting DDoS attacks based on the CICIDS2017
dataset in their previous work [13]. They did not apply all
dataset and used limited data 26.167 DDoS and 26.805 Benign SVM is a supervised learning method because it uses tagged
samples from the dataset in their study. Moreover, they used data in a dataset as an input. The number of output classes
the Fisher score feature selection algorithm to select the best changes depending on the dataset. For example, two classes
features. Therefore, their previous SVM models reached a of output data are generated when a dataset of two classes is
very high accuracy result. However, they were planning to given as the input. Therefore, the samples given as the input
apply deep learning algorithm as a feature work to detect are categorized according to these classes. During the training
DDoS attacks. N. Marir et al. proposed a distributed study process, a model is created according to the input dataset and
to discover abnormal activity in a large scale network [14]. In classification is performed by using the model.
another study, Resende et al. used genetic algorithms to detect
intrusions on the CICIDS2017 dataset [15]. C. Deep Learning
Deep Learning algorithms allow to extract features automat-
III. M ATERIAL AND M ETHODS ically from a given dataset and they consist of a sequential
The CICIDS2017 dataset and deep learning and SVM layer architecture. Applying non-linear transformation func-
algorithms are explained respectively in this section. tions to the sequential layer structure constitute the basis of
deep learning algorithms. Increasing the number of layers
A. CICIDS2017 Dataset will increase the complexity of nonlinear transformations to
be constructed. Deep learning algorithms learn the abstract
The CICIDS2017 dataset is used in our study. The dataset hidden properties of the data obtained in the last layer from its
is developed by the Canadian Institute for Cyber Security abstract representations acquired at multiple levels. Therefore,
and includes various common attack types. In this study, we the abstract properties of the final layer’ s output are obtained
focused on port scan attempts. There are 286467 records by introducing the data into a high-level non-linear function.
consisting 127537 benign and 158930 port scan attempts
and each record has 85 features such as source IP, source D. Methodology
port, destination port, flow duration, total fwd packets, total The SVM and deep learning algorithms were used to detect
backward packets etc. A part of the records is as shown in port scan attempts based on the CICIDS2017 dataset. The
Table I. flowchart of the proposed method was presented in figure 2.
When creating the dataset, Attack-Network and Victim- First of all, 286.467 records which consist of 158.930 port
Network, completely were separated two networks, were de- scan attempts and 127.537 benign behaviours are taken from
signed and implemented by Sharafaldin H. et al [12]. They the dataset and then these records were normalized. After
collected data from July 3, 2017, to July 7, 2017, for the normalization samples were split into two as a 67% training
dataset. data and 33% testing data. In addition, the SVM and deep
learning IDS models were created based on the training data.
B. SVM Finally, the models were tested with test data and the perfor-
Statistical learning and convex optimization, based on the mance of models was calculated comparatively. In addition,
principle of structural risk minimization, form the basis of the deep learning IDS model consist of 7 hidden layers and
Support Vector Machine (SVM) algorithms. Vapnik et al each layer include the different number of neurons such as
developed SVM as a solution to different problems [16]. 100,150,70,40 and 6 respectively. The relu was selected and
For example, it can be used in many different areas such used as an activation function in the model. Depending on
as learning, pattern recognition, regression, classification, and the number of neurons and hidden layer model performances
analysis. were changed. In this paper, we selected optimum numbers

IBIGDELFT2018 78
International Congress on Big Data, Deep Learning and Fighting Cyber Terrorism Ankara, Turkey, 3-4 Dec, 2018

based on the model’s accuracy. On the other hand, we did not TABLE II
apply any feature selection algorithm for SVM and we used C ONFUSION MATRIX
all features. As a future work, we are going to use different Actual Class\Predicted Class Normal (Benign) Anomaly (Port Scan)
artificial intelligence approaches to define select this optimum Normal (Benign) TN FP
Anomaly (Port Scan) FN TP
values.

• TP : Actual Port Scan is classified as Port Scan.


Accuracy, recall, precision and f1 score performance metrics
are calculated using the statistics of the confusion matrix
(Table III).

TABLE III
P ERFORMANCE METRICS [17]

Measure Formula
Accuracy (TP+TN) / (TP+FP+FN+TN)
Recall TP / (TP+FN)
Precision TP/(TP+FP)
F1 score 2TP / (2TP+FP+FN)

The ratio of correctly predicted observations is accuracy,


while precision means a ratio of correct positive observations.
The recall is a proportion of correctly predicted positive events.
F1 score signifies the weighted average of precision and recall.
IV. E XPERIMENTAL R ESULTS
The personal computer which has Intel(R) Core(TM) i7-
5700HQ CPU @2.70 GHz, 16 GB Ram capacity was used for
experiments. We used the CPU, however, we are considering
to apply GPU as a future work.
Fig. 2. Flowchart of the our method. 286.096 records, which were taken from the normalized
dataset, were divided into two sets with 67% training and 33%
As is shown in figure 2, main steps of the algorithm are testing ratios such as 191684 samples for training and 94412
presented in below. samples for testing. The deep learning model was trained in 30
1) Normalize the dataset. epochs and performance measurement of the SVM and deep
2) Split the normalized dataset into two as training and learning models presented in Table IV.
testing.
3) Create IDS models with using SVM and deep learning TABLE IV
algorithms. P ERFORMANCE METRICS OF USED CLASSIFICATION TECHNIQUES BASED
ON CICIDS2017 DATASET.
4) Evaluate the models’ performances.
In normalization, nonnumeric label features were converted Method Accuracy Precision Recall F1 score
into numeric forms. In addition, unrelated features such as Deep Learning 0.9780 0.99 0.99 0.99
SVM 0.6979 0.80 0.70 0.65
Timestamp and some samples that have NaN, infinity and
empty values were removed. Furthermore, we rescaled all Table IV shows the accuracy, recall, precision and F1 score
observed values of features to have a length of 1. rates of the IDS models which were developed by using deep
As a second step, the normalized dataset was split into 67% learning and SVM. Deep learning achieved a higher success
training and 33% testing. than SVM.
In the third step, the IDS models were trained and generated
to detect port scan attempts by using the training data. V. C ONCLUSION AND F UTURE W ORKS
Consequently, the performances of the models were calcu- In this paper, performance measurements of support vector
lated. True Positive (TP), True Negative (TN), False Positive machine and deep learning algorithms based on up-to-date
(FP) and False Negative (FN) statistics (Table II) are used for CICIDS2017 dataset were presented comparatively. Results
evaluation of model performances. show that the deep learning algorithm performed significantly
Table II can be explained in below items. better results than SVM. We are going to use not only
• TN : Actual Benign is classified as Benign. port scan attempts but also other attack types with machine
• FP : Actual Benign is classified as Port Scan. learning and deep learning algorithms, apache hadoop and
• FN : Actual Port Scan is classified as Benign. spark technologies together based on this dataset in the future.

IBIGDELFT2018 79
International Congress on Big Data, Deep Learning and Fighting Cyber Terrorism Ankara, Turkey, 3-4 Dec, 2018

ACKNOWLEDGEMENT
This work is also a part of the MSc thesis titled Performance
Analysis of Log Based Intrusion Detection Systems Istanbul
University, Institute of Physical Sciences.
R EFERENCES
[1] K. Graves, Ceh: Official certified ethical hacker review guide: Exam
312-50. John Wiley & Sons, 2007.
[2] R. Christopher, “Port scanning techniques and the defense against them,”
SANS Institute, 2001.
[3] M. Baykara, R. Daş, and İ. Karadoğan, “Bilgi güvenliği sistemlerinde
kullanılan araçların incelenmesi,” in 1st International Symposium on
Digital Forensics and Security (ISDFS13), 2013, pp. 231–239.
[4] S. Staniford, J. A. Hoagland, and J. M. McAlerney, “Practical automated
detection of stealthy portscans,” Journal of Computer Security, vol. 10,
no. 1-2, pp. 105–136, 2002.
[5] S. Robertson, E. V. Siegel, M. Miller, and S. J. Stolfo, “Surveillance
detection in high bandwidth environments,” in DARPA Information
Survivability Conference and Exposition, 2003. Proceedings, vol. 1.
IEEE, 2003, pp. 130–138.
[6] K. Ibrahimi and M. Ouaddane, “Management of intrusion detection sys-
tems based-kdd99: Analysis with lda and pca,” in Wireless Networks and
Mobile Communications (WINCOM), 2017 International Conference on.
IEEE, 2017, pp. 1–6.
[7] N. Moustafa and J. Slay, “The significant features of the unsw-nb15
and the kdd99 data sets for network intrusion detection systems,”
in Building Analysis Datasets and Gathering Experience Returns for
Security (BADGERS), 2015 4th International Workshop on. IEEE,
2015, pp. 25–31.
[8] L. Sun, T. Anthony, H. Z. Xia, J. Chen, X. Huang, and Y. Zhang,
“Detection and classification of malicious patterns in network traffic
using benford’s law,” in Asia-Pacific Signal and Information Processing
Association Annual Summit and Conference (APSIPA ASC), 2017.
IEEE, 2017, pp. 864–872.
[9] S. M. Almansob and S. S. Lomte, “Addressing challenges for intrusion
detection system using naive bayes and pca algorithm,” in Convergence
in Technology (I2CT), 2017 2nd International Conference for. IEEE,
2017, pp. 565–568.
[10] M. C. Raja and M. M. A. Rabbani, “Combined analysis of support
vector machine and principle component analysis for ids,” in IEEE
International Conference on Communication and Electronics Systems,
2016, pp. 1–5.
[11] S. Aljawarneh, M. Aldwairi, and M. B. Yassein, “Anomaly-based in-
trusion detection system through feature selection analysis and building
hybrid efficient model,” Journal of Computational Science, vol. 25, pp.
152–160, 2018.
[12] I. Sharafaldin, A. H. Lashkari, and A. A. Ghorbani, “Toward generating
a new intrusion detection dataset and intrusion traffic characterization.”
in ICISSP, 2018, pp. 108–116.
[13] D. Aksu, S. Üstebay, M. A. Aydin, and T. Atmaca, “Intrusion detec-
tion with comparative analysis of supervised learning techniques and
fisher score feature selection algorithm,” in International Symposium on
Computer and Information Sciences. Springer, 2018, pp. 141–149.
[14] N. Marir, H. Wang, G. Feng, B. Li, and M. Jia, “Distributed abnormal
behavior detection approach based on deep belief network and ensemble
svm using spark,” IEEE Access, 2018.
[15] P. A. A. Resende and A. C. Drummond, “Adaptive anomaly-based in-
trusion detection system using genetic algorithm and profiling,” Security
and Privacy, vol. 1, no. 4, p. e36, 2018.
[16] C. Cortes and V. Vapnik, “Support-vector networks,” Machine learning,
vol. 20, no. 3, pp. 273–297, 1995.
[17] R. Shouval, O. Bondi, H. Mishan, A. Shimoni, R. Unger, and A. Nagler,
“Application of machine learning algorithms for clinical predictive
modeling: a data-mining approach in sct,” Bone marrow transplantation,
vol. 49, no. 3, p. 332, 2014.

IBIGDELFT2018 80

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy