Video of the presentation is available here: https://youtu.be/L6EMnvALYtU
Talk: An Asynchronous Distributed Deep Learning Based Intrusion Detection System for IoT Devices
Speaker: Pu Tian
Intrusion Detection Systems (IDS) in IoT devices are crucial for cybersecurity. Existing models may fail due to increased traffic pattern complexity and data complexity. To address these challenges, we propose an asynchronous distributed deep learning based IDS in which only training weights are shared and devices of heterogeneous computing power can train asynchronously. Empirical results on a large network intrusion dataset show that the system achieves high detection accuracy.
1. AN ASYNCHRONOUS DISTRIBUTED
DEEP LEARNING BASED INTRUSION
DETECTION SYSTEM FOR IOT DEVICES
PU TIAN
ADVISOR: DR. WEIXIAN LIAO
DEPARTMENT OF COMPUTER AND INFORMATION SCIENCES
TOWSON UNIVERSITY
5/29/2019
2. Background
• Internet of Things (IoT).
• The connection of a wider range of everyday physical devices, such as smart watches, phones and various sensors.
• To collect a wider range of real-time data.
• Security issue.
• IoT Intrusion Detection System.
3. Design Goals
Effective
• Identification of malicious network flow from complicated protocols.
Efficient
• Detection in a timely manner.
4. Existing IDS Models
Knowledge Based Method:
• To establish exact rules for intrusion behaviors.
• Pros: Accurate and fast.
• Cons: (1) Vulnerable to new attacks.
(2) Time-consuming to create rules manually.
5. Existing IDS Models
Machine Learning (ML) Method:
• Build a model with labeled/unlabeled training data.
• Pros: Improved adaptability.
• Cons: (1) Consumes substantial computation resources.
(2) Large data transmission for single-node training.
6. General Federated Learning Model
Synchronous Model
Distributed nodes collect and train local data independently.
The central server fetches and aggregates parameters after all agents’ local updates are received.
7. General Federated Learning Model
• Pros: Reduced data transmission over the network.
• Cons: Performance problem of the slowest client.
8. Design Target
Asynchronous Federated Learning Model
Distributed nodes send their local parameter update requests to the server.
The central server aggregates immediately and sends updated parameters back.
12. Proposed Method
Autoencoder (AE)
• Description: A neural network (NN) trained to reproduce its own input as closely as possible.
• Encoder: Maps (encodes) the input to the latent layer, denoted by $z$.
• Decoder: Reconstructs the input by mapping $z$ to the output layer.
13. Proposed Method
Autoencoder (AE)
• Loss function: To measure the discrepancy between the input $x_i$ and its reconstruction $\hat{x}_i$.
• Root Mean Squared Error (RMSE)
$$\mathrm{RMSE} = \sqrt{\frac{\sum_{i=1}^{n} (x_i - \hat{x}_i)^2}{n}}$$
For training: Minimize the RMSE value so that the network reconstructs the original input.
For execution (detection): A smaller value indicates a higher possibility of similarity to the training instances.
14. Proposed Method
Intrusion Detection with AE
$X_{i+1} = \{x_1, x_2, x_3, \ldots, x_n\}$
Case 1: $\mathrm{RMSE} < \mathit{Threshold}$ → $X_{i+1}$ is GOOD.
Case 2: $\mathrm{RMSE} > \mathit{Threshold}$ → $X_{i+1}$ is BAD.
$\mathit{Threshold} = 0.45$
15. Proposed Method
Asynchronous Parameter Update
• The gradient descent delay compensation method, based on an approximation of the delayed value.*
• Originally proposed for image classification with ResNet and adopted here for the AE in the IDS scenario.
*Zheng, Shuxin, Qi Meng, Taifeng Wang, Wei Chen, Nenghai Yu, Zhi-Ming Ma, and Tie-Yan Liu. "Asynchronous stochastic gradient descent with delay compensation." In Proceedings of the 34th International Conference on Machine Learning-Volume 70, pp. 4120-4129. JMLR.org, 2017.
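The server-side update from slides 8 and 15 together with the RMSE decision rule from slides 13 and 14, as an added example that is not the speaker's code. The update rule follows the cited Zheng et al. paper; the learning rate, the compensation factor `lam`, the client names and the gradient values are constructed assumptions, and no real autoencoder is trained here.

```python
import math

THRESHOLD = 0.45  # detection threshold given on the slides


class AsyncParameterServer:
    """Aggregates every client update as soon as it arrives.

    Keeps the weights each client last pulled so that a gradient computed
    on stale weights can be delay-compensated (Zheng et al., 2017).
    """

    def __init__(self, weights, lr=0.1, lam=0.5):  # lr, lam: assumed values
        self.w = list(weights)
        self.lr, self.lam = lr, lam
        self.backup = {}  # client id -> weights at that client's last pull

    def pull(self, client):
        self.backup[client] = list(self.w)
        return list(self.w)

    def push(self, client, grad):
        """Apply a gradient computed at backup[client]; return new weights."""
        stale = self.backup[client]
        for j, g in enumerate(grad):
            # g(w_now) is approximated by g(w_stale) + lam*g*g*(w_now - w_stale)
            compensated = g + self.lam * g * g * (self.w[j] - stale[j])
            self.w[j] -= self.lr * compensated
        return self.pull(client)  # updated parameters go straight back


def rmse(x, x_hat):
    """Reconstruction error between an input vector and the AE output."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, x_hat)) / len(x))


def is_intrusion(x, x_hat, threshold=THRESHOLD):
    return rmse(x, x_hat) > threshold


def demo():
    # Constructed scenario: a slow and a fast client share one server.
    server = AsyncParameterServer([1.0, -2.0])
    server.pull("slow")                             # slow client starts work
    server.pull("fast")
    after_fast = server.push("fast", [1.0, 1.0])    # fresh gradient: plain SGD step
    after_slow = server.push("slow", [2.0, -1.0])   # stale by one global update
    return after_fast, after_slow
```

With no staleness the compensation term is zero and the step is ordinary SGD; the slow client's gradient is adjusted by how far the global weights moved while it was training.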
16. Experiments
Dataset
• CICIDS2017: Normal traffic and common attacks captured from 9 a.m. on Monday, July 3, 2017 to 5 p.m. on Friday, July 7, 2017, for a total of 5 days.
• Training Data: 100,000 normal data instances randomly chosen from the Monday dataset.
• Testing Data: 200,000 extracted data instances, normal as well as abnormal (DDoS).
Experiment Setup
• Server and Clients: One parameter server and four clients.
• Input Data Dimension: 77 features.
• Hidden Layer: 75% of the input layer dimension, 55 in this case.
• Parameter Update Method: 50 iterations for local updates and then a request for a global parameter aggregation (20 iterations of global updates).
20. Conclusion
Deep learning network (Autoencoder) for intrusion detection.
Asynchronous parameter update for efficiency with accuracy guaranteed.
Tested with a relatively new dataset.
21. Future Work
Optimize the asynchronous parameter update mechanism for large-scale distributed IDS networks.
Test more attack types.
Give a full theoretical analysis of the convergence of the Autoencoder in the asynchronous parameter update scenario.