research project Generative oversasmling

1. Attention-Based Convolutional Neural Network for Network
Intrusion Detection System
Shubhendra Pratap (2106017)
Manish Kumar (2106020)
Ayush Agrawal (2106053)
Presented By:
Under the Guidance of :
Dr. Ditipriya Sinha
Department of Computer Science & Engineering
National Institute Of Technology Patna
Oct 25, 2024

2. Outline
➢ Introduction
➢ Literature Review
➢ Problem Statement
➢ Research objective
➢ Proposed Approach
➢ Result Analysis
➢ Conclusion & Future Directions
➢ References

3. Introduction
What is a Cyberattack?
➢A cyberattack is an intentional and malicious attempt to breach
the security of a computer system, network, or technology
infrastructure.
➢It involves unauthorized access, use, disclosure, disruption,
modification, or destruction of computer systems, electronic
data, or networks.

4. Types of Cyberattack
Fig. 1.Different Types of Cyberattack1
1https://testvox.com/role-of-qa-in-cyber-security/

5. Types of Attack
➢Malware
➢Phishing
➢Man-in-the-Middle (MitM) Attack
➢Denial of Service (DoS) Attack
➢SQL Injection
➢Zero-Day Exploit
➢Cryptojacking

6. Statistics
• There were over 560 million Ticketmaster customers had their
information stolen in a 2024 breach.
• In 2023, Americans lost $12.3 billion due to cyberattack
incidents, according to the FB
• A 2021 LinkedIn data breach exposed the personal information
of 700 million users or about 93 percent of all LinkedIn
members.
• An attack on Microsoft in March 2021 affected more than
30,000 organizations in the U.S., including businesses and
government agencies.

7. Introduction to IDS
Fig. 2. Placement of IDS in a Network2
2https://www.softxjournal.com/article/S2352-7110(24)00119-5/fulltext

8. Introduction to IDS
➢IDS helps to identify and respond to security threats by detecting
suspicious patterns or anomalies that may indicate a potential
intrusion or security breach.
➢A security tool designed to detect unauthorized access or malicious
activities within a computer network or system.

9. Types of IDS
1. Based on Detection
1. Signature Based IDS
2. Anomaly Based IDS
3. Hybrid IDS
2. Based on Placement
1. Host Based
2. Network Based
3. Hybrid Based

10. Based on Detection Technique
Signature Based IDS:
Fig. 3. Signature-Based IDS3
➢ Detect attacks based on specific
patterns
➢ Can easily detect the attack
whose pattern(signature) already
exist in the system​
3https://www.researchgate.net/figure/Signature-based-intrusion-detection-system_fig3_354083895

11. Based on Detection Technique
Anomaly Based IDS:
➢Detects intrusions by establishing
a baseline of normal behavior
➢The IDS continuously monitors
network traffic or system activities
for deviations or anomalies from
the baseline
Fig. 4. Anomaly-Based IDS4
4https://www.researchgate.net/figure/Anomaly-based-intrusion-detection-system_fig4_354083895

12. Based on Detection Technique
Hybrid IDS
➢Combination of signature and
anomaly
➢Provide comprehensive threat
detection capabilities
➢Organizations can customize and
configure the Hybrid IDS to suit
their specific security
requirements
Fig. 5. Hybrid IDS5
5https://www.semanticscholar.org/paper/Hybrid-Intrusion-Detection-System-Based-on-the-of-Khraisat-
Gondal/9061caa20202b62e9766307be833f41698260616

13. Based on Placement
Host Based IDS:
➢security tools that monitor and
analyze activities on individual
host
➢continuously monitors various
aspects of the host's activities
eg- file system changes, log
entries, system calls, network
connections, and application
behavior Fig. 6. Host IDS6
6https://www.softobotics.com/blogs/securing-your-iot-landscape-powerful-intrusion-detection-systems-to-safeguard-your-connected-
devices/

14. Based on Placement
Network Based IDS:
➢ Security tool used to monitor and
analyze network traffic for
suspicious activities or patterns.
➢NIDS helps organizations identify
and respond to security incidents
promptly.
Fig. 7. Network IDS7
7https://www.softobotics.com/blogs/securing-your-iot-landscape-powerful-intrusion-detection-systems-to-
safeguard-your-connected-devices/

15. Based on Placement
Hybrid IDS:
➢Combines the strengths of both
Network-based IDS (NIDS) and
Host-based IDS (HIDS).
➢can better protect their networks
and systems against a wide range
of security threats.
Fig. 8. Hybrid IDS8
8https://thesis.unipd.it/retrieve/5aa7d4d2-c940-417f-bb12-95e837d4b1a6/Antonutti_Manuel.pdf

16. Literature Survey

17. Paper 1- ROULETTE: A neural attention multi-output model for
explainable network intrusion detection [1]1
Objective Methodology Dataset Result Advantage Limitation
➢ Propose
ROULETTE
➢ A
neural attenti
on multi-
output model
for explainable
network
intrusion
detection
➢ Image Encoding
of Network
Traffic
➢ An attention
mechanism is
integrated into
the CNN
➢ NSL-KDD
➢ UNSW-
NB15
➢ Reformulates
network traffic
classification as an
image
classification
problem by
encoding flow
features into
images
➢ Integrates the
attention
mechanism to
achieve both
accuracy and
transpareny in
multi-class
classifications.
➢ Introduces
additional
complexity
due to the
attention
mechanism
and multi-
output
architecture
➢ May lead
to
overfitting.
1Andresini, G., Appice, A., Caforio, F. P., Malerba, D., & Vessio, G. (2022). ROULETTE: A neural attention multi-output model for
explainable network intrusion detection. Expert Systems with Applications, 201, 117144.

18. Paper1- ROULETTE: A neural attention multi-output model for
explainable network intrusion detection [1]1
Objective Methodology Dataset Result Advantage Limitation
➢ To improves
accuracy
and
interpretabil
ity in
classifying
network
traffic data
into multiple
categories
➢ Multi-Output
Architecture
➢ Training and
Evaluation
➢ NSL-KDD
➢ UNSW-
NB15
➢ Employs a multi-
output learning
strategy with two
branches:
1) A main branch for
multi-class classification
of attack types
2) An auxiliary branch
for binary classification
(normal vs attack)
➢ Enhanced
Explainability
➢ Improved
Classification
Performance
➢ Explore the
effect of
several
properties i.e.,
compactness,
robustness and
separability
➢ Could hinder
the model's
ability to
generalize
well
to unseen
data in real-
world
scenarios
➢ Absence of a
specific
mechanism
for dealing
with rare
classes
1Andresini, G., Appice, A., Caforio, F. P., Malerba, D., & Vessio, G. (2022). ROULETTE: A neural attention multi-output model for
explainable network intrusion detection. Expert Systems with Applications, 201, 117144.

19. Paper 2- Anomaly-based error and intrusion detection in
tabular data: No DNN outperforms tree-based classifiers [2]2
Objective Methodology Dataset Result Advantage Limitation
➢ Combining
classifiers to
improve
anomaly
detection
performance
➢ Classification
of large
tabular data
Classifier
Selection
Ensemble
Techniques
Meta-Learner
Integration
UNSW-NB15
Nslkdd
➢ Tree-Based
Classifiers
Outperform
DNN
➢ Random
Forest
Achieves
Highest MCC
➢ DNNs Are
Less Efficient
➢ Superior
Performance
of Tree-
Based
Classifiers
➢ Simplicity
and Ease of
Use
➢ Lower
Computation
al Costs
Hyperparamete
r Tuning
Limited
Applicability to
Other Data
Types
2Zoppi, T., Gazzini, S., & Ceccarelli, A. (2024). Anomaly-based error and intrusion detection in tabular data: No DNN outperforms
tree-based classifiers. Future Generation Computer Systems, 160, 951-965.

20. Paper 3- An artificial immunity based intrusion detection
system for unknown cyberattacks [3]3
Objective Methodology Dataset Result Advantage Limitation
➢ To develop a
novel IDS for
unknown
cyber-attacks
➢ Mapping
flow data
➢ Novel Aim-
based IDS
➢ Hierarchical
differential
Evolution
Algorithm
➢ NSL-KDD
➢ UNSW-NB15
➢ SDS
➢ Skin dataset
➢ Iris
➢ Achieving
higher TPR
maintaining
lower FPR
➢ TPR for
unknown
attack 2.8
times higher
than others
➢ F1 score is
higher than
other
➢ Training time
lower
Paper suggest
improvement in
refining the
direction &
magnitude of
mutation
vectors
3Huang, H., Li, T., Ding, Y., Li, B., & Liu, A. (2023). An artificial immunity based intrusion detection system for unknown
cyberattacks. Applied Soft Computing, 148, 110875.

21. Brief Analysis of state-of-the-art
Aspect Expert Systems with Applications Applied Soft Computing
Future Generation Computer
Systems
Model Type Hybrid (e.g., CNN + Attention)
Hierarchical differential evolution
and artificial immunity
Tree based classifier
Dimensionality Reduction Often uses (e.g., UMAP) May use (e.g., PCA, LDA) Uses (t-SNE,PCA)
Real-time Processing Yes Often Yes
Scalability High Medium to High Very High
Adaptability Medium to High High Medium
Interpretability Medium Medium to High Low to Medium
Multi-class Classification Yes Yes Yes
Anomaly Detection Yes Yes Yes
False Positive Rate Low Very Low Low
Accuracy 90-95%
F1-Score 0.92-0.94 Higher than others
Computational Complexity Medium Medium to High High
Dataset Used NSL-KDD, UNSW-NB15
NSL-KDD, UNSW-NB15, SDS , Skin,
Iris
NSL-KDD, UNSW-NB15
And many more

22. Problem Statement
• Identifying cyber-attacks is a challenging issue
• Designing and training the optimal tabular data classifier requires
extensive experimentation, sensitive analyses, big datasets, and
domain-specific knowledge

23. Research Objective
➢To design network intrusion detection system using attention-
based modified CNN model to classify normal and malicious
behaviour
➢To binary classify attack and normal in Network Intrusion
detection using UMAP

24. PROPOSED MODEL
Fig 9:Flow Diagram of proposed model

25. Why we converting tabular data to image data
➢Utilization of CNN: CNNs are highly effective for image data.
➢Pre-trained CNN models can be used for image classification tasks
➢Visual Representation: Image can provide a more intuitive
understanding.
➢Handling Non-linear Relationships: Tabular data often contains non-
linear relationships that are difficult to model wih traditional
algorithms
➢Application in specific domains:
• Network intrusion detection
• Medical data

26. Step 1: Data Collection

27. Dataset Description: NSL-KDD
➢The NSL_KDD dataset comprises 22 training intrusion
attacks and 41 attributes
➢Training set: 1,25,973
➢Testing set: 22,544
➢Features : 41
➢It includes five types of class: Normal, DoS, Probe, U2R,
R2L

28. NSL-KDD

29. NSL-KDD

30. Step 2: Data Preprocessing

31. Data Preprocessing code
➢Handling missing value
➢Checking duplicate Values
➢Converting multi class
label into binary
➢Label Encoding
➢Normalization

32. Step 3 : Converting Tabular data to 2D Image data
What is UMAP? UMAP (Uniform Manifold Approximation and
Projection) is a powerful dimensionality reduction technique. It allows
you to take high-dimensional data (like your 1D sample) and represent
it in a lower-dimensional space while preserving important
relationships and structures.

33. Steps to Convert 1D to 2D (with UMAP)
➢Import Libraries: Start by importing the necessary Python libraries
➢Load your 1 D data: It could be list , array or Data Frame
➢Create a UMAP Model: Initialize a UMAP model. You can adjust
parameters like ‘n_neighbors’ and ‘min_dist’ to control how the data
is embedded.
➢Apply UMAP to Your Data: Transform your 1D data into a 2D
representation.
➢Visualize the 2D Representation: Use Matplotlib to create a scatter
plot of the 2D embedding.

34. Step 4: Implement attention based modified CNN
model
Hyperparameter Value
Learning rate 0.001
Epochs 10
Batch size 20
Activation function (Convolutional
layers)
Sigmoid
Activation function (Dense layers) Sigmoid
Optimizer Lion
Loss function Focal loss
Gamma (Focal loss) 2.0
Alpha (Focal loss) 0.25
Dropout rate 0.5

35. Modified CNN
Feature Description Impact
Global Average Pooling
Reduces the feature map's spatial
dimensions to a single vector per
channel, capturing global features
Improves robustness to variations in
image size and position
Channel-Wise Attention
Learns weights for each feature
channel, emphasizing the most relevant
channels for the classification task
Enhances focus on key features,
improving accuracy and reducing noise
Multiply Operation
Applies the attention weights to the
feature map, amplifying the
contribution of important channels and
suppressing irrelevant ones
Enhances feature representation and
boosts classification performance
Sigmoid Activation
Used in both attention layers and
convolutional layers to constrain
outputs between 0 and 1, representing
probabilities or attention weights
Provides a more nuanced
representation of feature importance
and contributes to better gradient flow
Focal Loss
Addresses class imbalance by weighting
the loss of misclassified samples based
on their confidence level
Improves learning for minority classes,
achieving better overall accuracy
Lion Optimizer
Offers faster convergence and improved
performance compared to traditional
optimizers like Adam or SGD
Faster training and potentially better
accuracy

36. Architectural Details
Layer Type Output Shape Parameters
Input (64, 64, 3) 0
Conv2D (62, 62, 32) 896
MaxPooling2D (31, 31, 32) 0
Conv2D (29, 29, 64) 18,496
MaxPooling2D (14, 14, 64) 0
Conv2D (12, 12, 128) 73,856
MaxPooling2D (6, 6, 128) 0
GlobalAveragePooling2D (128,) 0
Reshape (1, 1, 128) 0
Conv2D (Attention) (1, 1, 128) 16,512
Multiply (6, 6, 128) 0
Flatten (4608,) 0
Dense (256,) 1,179,904
Dropout (256,) 0
Dense (Output) (1,) 257

37. Step 5: Attack detection
1.Feature Extraction:
1. Modified CNN extracts high-level features from network traffic data
2. Attention mechanism focuses on the most relevant features
2.Attention Mechanism:
1. Highlights important patterns in the data
2. Improves model's ability to focus on potential attack indicators
3.Classification:
1. Categorizes network traffic into normal and various attack types
2. Utilizes sigmoid output for binary-class classification
4.Anomaly Detection:
1. Identifies unusual patterns that deviate from normal behavior
2. Effective in detecting novel attacks

38. ❑Evaluation Metrics
➢Accuracy = (TP + TN) / (TP + TN + FP + FN)
➢Precision = TP / (TP + FP)
➢Recall = TP / (TP + FN)
➢F1-Score = (2 * Precision * Recall ) / (Precision + Recall)

39. Performance Analysis
XGBoost
(Tabular)
1D-
CNN(Tabular)
2D-CNN(Image
data)
Modified
CNN(Image
data)
Accuracy (%) 80 70 78 76
Precision (%) 85 81 85 80
Recall (%) 80 70 78 74
F1-Score (%) 80 69 77 76
TPR (%) 80 70 78 80

40. Limitation
➢Proposed model is not observed on real time data
➢No any hyperparameter optimization technique is used
➢Limited resources to train the model
➢Multi class classification is not implemented

41. Future Direction
➢Data Augmentation
➢Transformer based Architecture
➢Other datasets can be explored
➢Implementation on Realtime dataset

42. Conclusion
The proposed model shows the beneficial effects of the attention
mechanism and multi-output learning strategy to detect normal and
attack cyberattack using modified CNN in network intrusion detection
system

43. References
[1] Andresini, G., Appice, A., Caforio, F. P., Malerba, D., & Vessio, G. (2022).
ROULETTE: A neural attention multi-output model for explainable network
intrusion detection. Expert Systems with Applications, 201, 117144.
[2] Zoppi, T., Gazzini, S., & Ceccarelli, A. (2024). Anomaly-based error and
intrusion detection in tabular data: No DNN outperforms tree-based
classifiers. Future Generation Computer Systems, 160, 951-965.
[3] Huang, H., Li, T., Ding, Y., Li, B., & Liu, A. (2023). An artificial immunity
based intrusion detection system for unknown cyberattacks. Applied Soft
Computing, 148, 110875.