Abstract: In the ever-developing world of computers, the internet and cyber activities, cyber-attacks and malware stand as a serious and ever-growing threat to the security of cyberspace, making the detection of these attacks and malware a matter of great concern.
A lot of research effort has gone into building intelligent cyber-attack and malware detection with machine learning and data mining methods. Although many results have been obtained with these techniques, a large number of them rest on a shallow learning framework which, to a great extent, does not satisfy the cyber-attack and malware detection problem. In this paper, I propose a deep learning based technique to implement an effective, accurate and flexible Network Intrusion Detection System (NIDS), using Self-Taught Learning (STL), a deep learning based method, on NSL-KDD, a benchmark dataset for network intrusion and cyber-attacks.

Key words: cyber-attacks, STL, malware, network security, NIDS, sparse auto-encoder, deep learning, NSL-KDD

1. Introduction

Cyber-attacks involve the use of malware, malicious software aimed at compromising the integrity, confidentiality and overall functionality of a system [8]; these include viruses, Trojans, worms, backdoors, spyware, etc.
With computers, the internet and cyberspace being essential to our everyday life, malware stands as a serious security threat. Malware is not only an emotional but also a financial threat: according to a recent report from Kaspersky Lab, up to one billion dollars was stolen in roughly two years from financial institutions worldwide due to malware attacks [7]. Therefore, the detection of malware is of significant concern to both the anti-malware industry and researchers. To protect legitimate users from attacks, the majority of anti-malware software products (e.g., Comodo, Symantec, Kaspersky) use the signature-based method of detection [10, 9]. A signature is a short string of bytes that is unique to each known malware, so that future instances of it can be correctly classified with a small error rate [5]. However, this technique is easily evaded by malware authors through techniques such as encryption, polymorphism and obfuscation [15, 2]. Furthermore, malicious files are being disseminated at a rate of thousands per day [6], making it difficult for a signature-based method to keep up. In order to combat malware attacks, intelligent malware detection techniques need to be investigated.

The need for a Network Intrusion Detection System (NIDS) cannot be overstated, as NIDSs are important tools for network users and administrators to detect security breaches in and around their network. A NIDS monitors and analyzes the traffic entering or exiting an organization's network devices and raises an alarm when it finds something suspicious. Based on the method of intrusion detection, NIDSs are categorized into two classes:
i) Signature (misuse) based NIDS (SNIDS): monitors traffic packets on the network and matches them against a database of signatures or rules describing known malicious threats.
ii) Anomaly detection based NIDS (ADNIDS): monitors network traffic and compares it against an established model of normal traffic. Any deviation from normal traffic raises an alert to the administrator or user, indicating anomalous behavior. The rate of false positives is high, since not all anomalies are intrusions; these systems require administrators to separate real attacks from false positives, because incoming traffic and the trained pattern can deviate in many ways [3].

SNIDS is most effective at detecting known attacks, showing high detection accuracy and a low false alarm rate; on the other hand, its performance suffers when it must detect unknown or new attacks. ADNIDS is well suited to detecting unknown and new attacks; although it produces a high rate of false positives, its theoretical capability of identifying novel attacks has caused it to be widely accepted in the research community. In order to curb the siege of cyber-attacks, intelligent intrusion detection techniques need to be researched, and over the years many researchers have applied machine learning and data mining technologies to malware detection, including decision trees, Artificial Neural Networks (ANN), Naïve Bayes (NB), Support Vector Machines (SVM), Random Forests (RF), Self-Organizing Maps (SOM), etc.
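To make the two classes concrete, the following is an added example written for this page in standard-library Python; it is not code from the paper or from any product named above. It puts a byte-signature scanner (the signature-based approach of the anti-malware products and of SNIDS) beside a baseline anomaly detector (ADNIDS) on constructed data, and shows both points made above: a polymorphic variant of a known payload, here produced by XOR encryption under a per-sample key, keeps its behaviour but loses its signature, while a z-score anomaly detector catches an attack no rule describes and also flags a legitimate traffic burst, the false positive an administrator must triage. The payload bytes, the traffic windows, the z-score threshold of 3 and the port-sweep rule are all constructed assumptions for illustration.

```python
"""Added example: signature (misuse) detection and anomaly detection side by side.
All payloads and traffic windows below are constructed, not real captures."""
from statistics import mean, pstdev

# --- signature (misuse) based detection --------------------------------------
# constructed "known malware" payload and the byte signature extracted from it
KNOWN_PAYLOAD = b"\x90\x90MZ-EVIL-LOADER\x00\xcc\xcc"
BYTE_SIGNATURES = {"EVIL-LOADER": b"MZ-EVIL-LOADER"}


def scan_payload(blob, signatures=BYTE_SIGNATURES):
    """Names of every byte signature found in blob (exact substring match)."""
    return [name for name, sig in signatures.items() if sig in blob]


def xor_encode(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def polymorphic_variant(payload, key):
    """Encrypt the payload under a per-sample key, prefixed by key length and key,
    so the original bytes are recoverable: behaviour survives, the signature does not."""
    return bytes([len(key)]) + key + xor_encode(payload, key)


def unpack_variant(variant):
    klen = variant[0]
    return xor_encode(variant[1 + klen:], variant[1:1 + klen])


# --- anomaly based detection -------------------------------------------------
# constructed per-minute windows from a quiet period:
# (connections, distinct destination ports, mean bytes per connection)
NORMAL_WINDOWS = [(32, 4, 1800), (35, 5, 2100), (30, 3, 1700), (40, 6, 2300),
                  (38, 4, 2000), (33, 5, 1900), (36, 4, 2200), (34, 5, 1950)]


def fit_baseline(windows):
    """Per-feature (mean, std) of normal traffic: the 'established normal'."""
    return [(mean(col), pstdev(col) or 1e-9) for col in zip(*windows)]


def anomaly_score(window, baseline):
    """Largest absolute z-score over the features of one window."""
    return max(abs(v - mu) / sd for v, (mu, sd) in zip(window, baseline))


def is_anomalous(window, baseline, threshold=3.0):
    return anomaly_score(window, baseline) > threshold


def matches_port_sweep_rule(window, max_ports=100):
    """A misuse rule for one known attack: too many distinct ports in a minute."""
    return window[1] > max_ports


def demo():
    """Returns (payload results, {event: (rule fired, anomaly fired)})."""
    baseline = fit_baseline(NORMAL_WINDOWS)
    events = {  # constructed test windows
        "normal": (37, 5, 2050),
        "port_sweep": (220, 180, 64),     # known attack: rule and anomaly agree
        "backup_burst": (60, 3, 48000),   # legitimate: anomaly only, a false positive
        "novel_exfil": (36, 4, 9000),     # unknown attack: only the anomaly detector sees it
    }
    traffic = {name: (matches_port_sweep_rule(w), is_anomalous(w, baseline))
               for name, w in events.items()}
    variant = polymorphic_variant(KNOWN_PAYLOAD, b"\x13\x37")
    payloads = {
        "known_detected": scan_payload(KNOWN_PAYLOAD),
        "variant_detected": scan_payload(variant),
        "variant_intact": unpack_variant(variant) == KNOWN_PAYLOAD,
    }
    return payloads, traffic
```

Lowering the z-score threshold would catch subtler attacks at the cost of more false positives like the backup burst; raising it trades the other way. That single knob is the SNIDS/ADNIDS tradeoff the text describes, and a real ADNIDS differs mainly in how rich the baseline model is, not in this structure.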
However, most of these methods are based on shallow learning architectures [11, 12, 13]. Although these methods have had isolated successes in cyber-attack and malware detection, shallow learning architectures still do not satisfy the cyber-attack and malware detection problem. Because of this limitation, a new frontier in data mining and machine learning, deep learning architectures, is beginning to gain prominence in academic and industrial research for a range of applications. Deep learning architectures overcome the difficulty of training deep networks through layer-wise pre-training, i.e. pre-training multiple layers of feature detectors one layer at a time, from the lowest level to the highest, before building the final classification model [14].

In this paper, a deep learning architecture using self-taught learning (STL), based on a sparse auto-encoder and softmax regression, is studied on the NSL-KDD intrusion dataset to develop a NIDS for malware detection. This paper is grouped into 5 sections: section 2 reviews related work; section 3 presents an overview of self-taught learning (STL) and the NSL-KDD intrusion dataset; section 4 presents performance, results and comparative analysis; and section 5 concludes the work.

2. Related Works

In the cyber-attack and malware industry, the signature-based method is widely used [9, 10].
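Before turning to related work, the STL architecture named in the Introduction, as an added example written for this page in standard-library Python and not the paper's own implementation: a sparse auto-encoder is pre-trained on unlabeled records (one pre-trained feature layer, the single-layer case of the layer-wise scheme described above), and softmax regression is then trained on the encoded labeled records. Everything the block uses is an assumption made for illustration: the records are constructed, four scaled features stand in for NSL-KDD's 41, the two classes (normal vs a probe-like attack), the sparsity target rho, the penalty weight beta and the learning rates are illustrative choices, and no NSL-KDD data is read.

```python
"""Self-taught learning (STL) in miniature, standard library only: a sparse
auto-encoder learns features from unlabeled records, then softmax regression is
trained on the encoded labeled records. All data is constructed (assumption)."""
import math
import random


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-max(-30.0, min(30.0, z))))  # clamped: no overflow


def layer(W, b, v):
    return [sigmoid(sum(w * vi for w, vi in zip(row, v)) + bj) for row, bj in zip(W, b)]


class SparseAutoencoder:
    def __init__(self, n_in, n_hid, rho=0.1, beta=0.5, seed=0):
        rng, r = random.Random(seed), math.sqrt(6.0 / (n_in + n_hid + 1))
        self.W1 = [[rng.uniform(-r, r) for _ in range(n_in)] for _ in range(n_hid)]
        self.W2 = [[rng.uniform(-r, r) for _ in range(n_hid)] for _ in range(n_in)]
        self.b1, self.b2, self.rho, self.beta = [0.0] * n_hid, [0.0] * n_in, rho, beta

    def encode(self, x):
        return layer(self.W1, self.b1, x)

    def reconstruction_error(self, X):
        return sum(sum((a - b) ** 2 for a, b in zip(layer(self.W2, self.b2, self.encode(x)), x))
                   for x in X) / (2 * len(X))

    def train(self, X, epochs=500, lr=0.5):
        """Full-batch gradient descent on 1/2||x - xhat||^2 + beta * KL(rho || rho_hat)."""
        m, n_in, n_hid = len(X), len(self.W1[0]), len(self.W1)
        for _ in range(epochs):
            H = [self.encode(x) for x in X]
            rho_hat = [sum(h[i] for h in H) / m for i in range(n_hid)]  # mean activations
            kl = [self.beta * (-self.rho / p + (1 - self.rho) / (1 - p)) for p in rho_hat]
            gW1, gb1 = [[0.0] * n_in for _ in range(n_hid)], [0.0] * n_hid
            gW2, gb2 = [[0.0] * n_hid for _ in range(n_in)], [0.0] * n_in
            for x, h in zip(X, H):
                xhat = layer(self.W2, self.b2, h)
                d2 = [(a - b) * a * (1 - a) for a, b in zip(xhat, x)]  # output-layer deltas
                d1 = [(sum(self.W2[j][i] * d2[j] for j in range(n_in)) + kl[i]) * h[i] * (1 - h[i])
                      for i in range(n_hid)]  # hidden deltas, sparsity term included
                gb1 = [g + d for g, d in zip(gb1, d1)]
                gb2 = [g + d for g, d in zip(gb2, d2)]
                for j in range(n_in):
                    for i in range(n_hid):
                        gW2[j][i] += d2[j] * h[i]
                        gW1[i][j] += d1[i] * x[j]
            for i in range(n_hid):
                self.b1[i] -= lr * gb1[i] / m
                self.W1[i] = [w - lr * g / m for w, g in zip(self.W1[i], gW1[i])]
            for j in range(n_in):
                self.b2[j] -= lr * gb2[j] / m
                self.W2[j] = [w - lr * g / m for w, g in zip(self.W2[j], gW2[j])]


class SoftmaxRegression:
    def __init__(self, n_feat, n_cls):
        self.W, self.b = [[0.0] * n_feat for _ in range(n_cls)], [0.0] * n_cls

    def probs(self, f):
        z = [sum(w * fi for w, fi in zip(row, f)) + bc for row, bc in zip(self.W, self.b)]
        e = [math.exp(v - max(z)) for v in z]
        return [v / sum(e) for v in e]

    def train(self, F, y, epochs=500, lr=1.0):
        for _ in range(epochs):
            gW, gb = [[0.0] * len(row) for row in self.W], [0.0] * len(self.b)
            for f, yi in zip(F, y):
                for c, p in enumerate(self.probs(f)):
                    err = p - (1.0 if c == yi else 0.0)  # dJ/dz_c for cross-entropy loss
                    gb[c] += err
                    gW[c] = [g + err * fk for g, fk in zip(gW[c], f)]
            for c in range(len(self.b)):
                self.b[c] -= lr * gb[c] / len(F)
                self.W[c] = [w - lr * g / len(F) for w, g in zip(self.W[c], gW[c])]

    def predict(self, f):
        p = self.probs(f)
        return p.index(max(p))


# constructed ranges for [duration, src_bytes, dst_bytes, count], already scaled to [0, 1]
NORMAL_RANGES = [(.2, .8), (.3, .9), (.3, .9), (0, .2)]
PROBE_RANGES = [(0, .1), (0, .1), (0, .05), (.7, 1)]  # short, near-empty, many connections


def records(n, attack, rng):
    return [[rng.uniform(lo, hi) for lo, hi in (PROBE_RANGES if attack else NORMAL_RANGES)]
            for _ in range(n)]


def run_stl(seed=1):
    """Returns (reconstruction error before training, after training, test accuracy)."""
    rng = random.Random(seed)
    unlabeled = records(40, False, rng) + records(40, True, rng)
    sae = SparseAutoencoder(4, 3)
    before = sae.reconstruction_error(unlabeled)
    sae.train(unlabeled)  # stage 1: unsupervised feature learning, labels never seen
    train = [(x, a) for a in (0, 1) for x in records(15, a, rng)]
    test = [(x, a) for a in (0, 1) for x in records(10, a, rng)]
    clf = SoftmaxRegression(3, 2)
    clf.train([sae.encode(x) for x, _ in train], [y for _, y in train])  # stage 2: supervised
    acc = sum(clf.predict(sae.encode(x)) == y for x, y in test) / len(test)
    return before, sae.reconstruction_error(unlabeled), acc
```

The two stages are deliberately separated: the auto-encoder never sees a label, which is what lets STL exploit far more unlabeled traffic than labeled traffic, and the classifier sees only the three learned features rather than the raw record. The sparsity term is the KL penalty on the mean hidden activation rho_hat; a second pre-trained layer would be stacked by treating the first layer's codes as the next auto-encoder's input.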
However, most cyber attackers and malware creators can easily bypass the signature-based method by using techniques which include polymorphism, encryption and obfuscation [15].

Previous work in the literature used an Artificial Neural Network (ANN) with improved resilient back-propagation for the design of a NIDS [16], where only the training dataset was used, split 70% for training, 15% for validation and 15% for testing. As a result, the use of unlabeled data for testing resulted in a reduction of performance. A more recent work used the J48 decision tree classifier, where only the training dataset, under 10-fold cross-validation, was used for testing [17]. That work proposed a reduced feature set of 22 features instead of the full set of 41. Another related work used various popular supervised tree-based models; performance was