
Enhancing Network Security with a Deep Learning-Based Intrusion Detection System for 5G Networks

The paper focuses on the development and evaluation of a deep learning-based intrusion detection system for 5G networks, which aims to address some of the main critical network security concerns.

Published on Oct 26, 2023

Abstract

As the telecommunications industry continues to advance, the demand for high-speed and all-encompassing mobile networks, such as 5G, is increasing. To fully realize the potential of these networks and ensure their security and sustainability, extensive research is required. This research includes the development of technological enablers, such as a virtualized intrusion detection system, to enhance network security and facilitate network development. This paper focuses on the development and evaluation of a deep learning-based intrusion detection system for 5G networks, which aims to address these critical network security concerns. The deep learning-based intrusion detection system presented in this paper leverages cutting-edge machine learning algorithms to identify and mitigate security threats in 5G networks. Through a combination of data collection, feature engineering, and training, the system can detect and classify various types of intrusion attempts, including malware attacks and network anomalies. The results of the evaluation show that the system achieves high levels of accuracy and precision in detecting intrusions, thus providing a robust security framework for 5G networks. Overall, this paper provides valuable insights into the design, implementation, and evaluation of a deep learning-based intrusion detection system, which has the potential to greatly enhance the security and sustainability of 5G networks.

Keywords: Intrusion Detection System, Machine Learning algorithms, NSL-KDD dataset, ANN, feature selection

Introduction

Mobile networks have transformed and advanced considerably over the past decades, driven by an ever-evolving society and demand for high-speed services, which increase efficiency in both the business and everyday context. An unprecedented level of requirements is being placed on such networks, all coming down to high expectations in terms of reliability, availability, efficiency and throughput. Given industrial evolution and the limitations of existing technology, there is an increasing demand for advanced mobile networks, representing a firm foundation for all fields of cyber activity to come. This drives research among telecom operators and standardization organizations, which is to yield a convergent 5th generation mobile network, enabled by supporting technologies such as massive MIMO, NFV and SDN [1].

All enablers for 5G consider a highly virtualized environment, where network functions would be containerized and executed in the cloud. Supporting applications running on top of those containers would offer a plethora of network services. One such service is intrusion detection, which should ensure that all incoming traffic is properly inspected so as not to cause harm to the overall system [2, 3].

The paper at hand outlines research motivated by previous approaches to intrusion detection: traditional (rule based, anomaly detection) and artificial intelligence. Given that artificial intelligence methods have been shown to detect intrusions more efficiently and at a higher accuracy than traditional approaches, it is evident that further improvements should go in this direction [4, 5].

As deep learning has been shown to outperform machine learning based systems, there is every reason to employ it in intrusion detection as well.

With previous research already conducted in this field, the task is to find out whether intrusion detection is better handled by deep learning, using stacked denoising auto-encoders as a feature extraction mechanism.

Assuming success in implementing a well-trained Deep Neural Network with stacked auto-encoders, higher accuracy in detecting intrusion is expected.

The paper contains 7 sections. Following a summary and background description, Section 2 gives a brief explanation on [4] in the field. Section 3 clearly states the research question and hypothesis. Section 4 discusses the research methodology (the dataset and implementation components). The results obtained are discussed and analyzed in Section 5. The paper concludes in Section 6 with suggestions on future work.

Theoretical framework and literature study

The task of building a network intrusion detection system has been approached over various algorithms and techniques. The ones considered here use the same open NSL-KDD dataset, to test the performance of the models and for result comparison with the scientific community. In [4] for example, an autoencoder was built in the first layer of the network to extract the most meaningful features and reduce the dimension of the data. After that, the processed input was fed into a standard artificial neural network (ANN) for classification. Our research builds on the future work of this paper, utilizing both the training and testing NSL-KDD data. The model may be improved by focusing on the autoencoder, which can be brought to another level using a stacked autoencoder. Generally speaking, most of the work done in this field can be divided into two cases - using only training, or using both training and testing data.

Training data for both training and testing

The work found in [6] used a J48 decision tree classifier, and only the training set. The feature set was reduced to 22. Contrary to this, the approach in [7] used 2-level classification with the full feature set of 41. Using PCA for feature set reduction, and SVM for classification, a high level of accuracy was achieved. Reducing the feature set demonstrated higher accuracy, but lower performance.

Training data for training, testing data for testing

Various implementations have gone into using fuzzy classification [8], unsupervised clustering [9] or a k-point algorithm [10], demonstrating that accuracy is lower when utilizing both train and test data, than forming a training and testing dataset from the train data only.

Research questions, hypotheses

Having assumed that Stacked Denoising Autoencoders can serve as a feature extraction method that yields better intrusion detection classification, the task is to implement a model that either supports or invalidates this premise.

Research Methodology

Due to the scope of this paper, only secondary data was used throughout research. The implementation is based on existing algorithms, with results given in both raw and plotted form. The quantitative approach taken is mainly due to lack of time and resources.

Figure 1

Data flow diagram based on machine learning algorithms for intrusion detection.

Data Flow Diagram

Figure 1 shows the process of training and testing a machine learning model to detect intrusions. The data flow begins with the NSL-KDD dataset, which is a collection of network traffic data that has been labeled with different types of intrusions. The data is then normalized to remove any anomalies, and the features of the data are selected. The selected features are then used to train a machine learning model, such as a support vector machine or a neural network. The trained model is then tested on a separate dataset of network traffic data, and the results of the test are used to evaluate the performance of the model.

The specific steps in the data flow diagram are as follows:

  1. The NSL-KDD dataset is loaded into the system.

  2. The data is normalized to remove any anomalies.

  3. The features of the data are selected.

  4. The selected features are used to train a machine learning model.

  5. The trained model is tested on a separate dataset of network traffic data.

  6. The results of the test are used to evaluate the performance of the model.

The data flow diagram shows the steps involved in training and testing a machine learning model to detect intrusions. This process is essential for building an intrusion detection system that can effectively identify and prevent security threats.

Here are some additional details about the data flow diagram:

  • The NSL-KDD dataset is a well-known dataset for intrusion detection research. It contains over 4 million network traffic records, which have been labeled with different types of intrusions.

  • The features of the data that are selected for the machine learning model are based on the following criteria:

    • They should be relevant to the task of intrusion detection.

    • They should be relatively easy to extract from network traffic data.

    • They should have a high degree of discriminatory power.

  • The machine learning model that is used in the data flow diagram is a support vector machine. Support vector machines are a type of supervised learning algorithm that are often used for classification tasks.

  • The testing dataset is used to evaluate the performance of the machine learning model. The results of the test are used to determine how well the model can generalize to unseen data.

Dataset

The NSL-KDD dataset [11] served in both training and testing the network. To do so, it had to first undergo preparation, in order to ensure appropriate training data - and eventually accuracy. The reason for using this dataset is that it is a trace of intrusion traffic obtained in the Knowledge Discovery and Data Mining Tools Competition (with improvements) - thereby reflecting well what the developed ANN may be faced with in real-world environments. The dataset includes normal traffic, as well as one originating from different types of attacks. Contrary to the “old” KDD dataset, this one has been cleaned from redundant records, which might bias classification towards a specific type of attack. Table 1 provides a summary of the five classes present in the NSL-KDD dataset used for training and testing artificial neural networks in intrusion detection systems. The five classes are Normal, DoS, Probe, R2L, and U2R, and each represents a different type of network intrusion[12].

Table 1: NSL-KDD Dataset: Classes and Types of Attacks

| Class | Description | Brief Explanation | Attack Types |
| --- | --- | --- | --- |
| Normal | Normal network connection | A benign network connection that does not contain any attacks or suspicious activity. | N/A |
| DoS | Denial-of-service attack | An attack that seeks to prevent legitimate users from accessing a network, server, or application by overwhelming it with traffic or other types of requests. | Back, Land, Neptune, Pod, Smurf, Teardrop, others |
| Probe | Surveillance and probing attack | An attack that seeks to gather information about a network or system for the purpose of identifying vulnerabilities and weaknesses that could be exploited in a future attack. | Satan, Ipsweep, Nmap, Portsweep, others |
| R2L | Unauthorized access from a remote machine | An attack that originates from a remote machine and attempts to gain unauthorized access to a local network or system. | FTP_write, Guess_passwd, Warezclient, Warezmaster, Imap, Multihop, Phf, Spy, others |
| U2R | Unauthorized access to local superuser (root) privileges | An attack that seeks to gain unauthorized access to the root account of a local machine, thereby granting the attacker complete control over the system. | Buffer_overflow, Load module, Perl, Rootkit, others |

The NSL-KDD dataset is a benchmark dataset widely used in research on intrusion detection systems (IDS). It is a modified version of the KDD Cup 1999 dataset, which includes traffic data from a simulated network environment with several types of attacks. The NSL-KDD dataset contains 41 features or attributes for each record, which are based on the characteristics of network traffic flows, including the source and destination IP addresses and port numbers, the protocol type, and other related information. The dataset also includes labels for each record, indicating whether it represents normal traffic or one of several different types of attacks. The dataset contains a total of 148,517 records, including 67,343 training records and 77,214 test records, which have been preprocessed to remove redundant and irrelevant features to improve the accuracy of machine learning algorithms[13].

Stacked Denoising Auto-encoders

Autoencoders in general take raw data as input, pass it through a hidden layer, and then try to reconstruct it at the output. Minimizing the difference between the output (the predicted input) and the input leads to an accurate reconstruction. This approach can point out significant data features, which can then be used to train a model. A stacked autoencoder contains several hidden layers. Noise can be added to the input before passing it to the hidden layers, as shown in Figure 2; minimizing the difference between the predicted and original input then yields features with even higher significance [10]. The implementation made in this research minimizes the RMSE (Root Mean Square Error) loss function.

Examples of noise include:

  • Salt and pepper noise - a fraction of the input elements (chosen at random for each sample) is set to either the minimum or maximum possible value

  • Masking noise - a fraction of the input elements is set to 0 (i.e. artificially introducing blanks)

Denoising is only possible due to the dependencies between dimensions in a distribution.

The task of feature extraction was consequently handled by the stacked denoising auto-encoder, ensuring that only relevant features are considered for classification. The encoded input is passed into the soft-max regression network for classification. Although only two classes are considered at the output, scalability is ensured, given that the network supports N output classes. After training and tuning of the best parameters using cross validation, the final model is fed with testing data, and evaluated in terms of accuracy and f1.

Figure 2

Stacked auto-encoder

Results and Analysis

Implementation:

The development went through the following phases:

  • Visualization and data preprocessing.

  • Implementing a stacked denoising auto-encoder.

  • Using a simple soft-max regression for the classification task.

  • Finding the best parameters using k-fold cross-validation on the train set.

  • Testing the classifier using the given test set.

As discussed above the dataset is composed of a train and test set, but in order to simulate a real environment the two samples are completely different from each other. This leads to a high accuracy using k-fold cross-validation (or hold out) on the train set, but poor results on the test set. For facing this problem, different approaches have been used - here focus was given to a particular deep method (stacked denoising auto-encoders) suggested in [4], where good results were obtained on the test set applying sparse auto-encoders for extracting the most meaningful features and using the encoded representation of the input as feed for the soft-max regression classifier.

A first visualization of the dataset characteristics was done finding out the already explained properties in Section 4. The dataset is balanced and for this reason there was no need to use any kind of over or under sampling method.

The second step was to transform the categorical features using one-hot encoding [5] and then scale all of them using a standard scaler (removing mean and scaling to unit variance), which resulted in 122 overall features.
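The preprocessing step above, as an added example (not the authors' code). It fits the category vocabularies and scaling statistics on the train set only and shows what happens when the test set contains a category the train set never had; the records are constructed, only three numeric columns are kept for brevity, and the `Preprocessor` class is hypothetical.

```python
import math

# Column names follow NSL-KDD; only three numeric columns are kept for brevity.
NUMERIC = ("duration", "src_bytes", "dst_bytes")
CATEGORICAL = ("protocol_type", "service", "flag")

# Constructed sample records (not taken from the dataset files).
TRAIN = [
    {"duration": 0, "src_bytes": 491, "dst_bytes": 0,
     "protocol_type": "tcp", "service": "ftp_data", "flag": "SF"},
    {"duration": 0, "src_bytes": 146, "dst_bytes": 0,
     "protocol_type": "udp", "service": "other", "flag": "SF"},
    {"duration": 0, "src_bytes": 0, "dst_bytes": 0,
     "protocol_type": "tcp", "service": "private", "flag": "S0"},
    {"duration": 0, "src_bytes": 232, "dst_bytes": 8153,
     "protocol_type": "tcp", "service": "http", "flag": "SF"},
]
TEST = [
    {"duration": 2, "src_bytes": 12983, "dst_bytes": 0,
     "protocol_type": "icmp", "service": "eco_i", "flag": "SF"},
]


class Preprocessor:
    """One-hot encode the categorical columns, then standardise every column."""

    def fit(self, rows):
        # Vocabularies and mean/std are learned from the train set only, so
        # nothing about the test distribution leaks into the features.
        self.cats = {c: sorted({r[c] for r in rows}) for c in CATEGORICAL}
        cols = list(zip(*(self._expand(r) for r in rows)))
        self.mean = [sum(col) / len(col) for col in cols]
        # A constant column has std 0; fall back to 1.0 to avoid dividing by zero.
        self.std = [
            math.sqrt(sum((v - m) ** 2 for v in col) / len(col)) or 1.0
            for col, m in zip(cols, self.mean)
        ]
        return self

    def _expand(self, row):
        vec = [float(row[c]) for c in NUMERIC]
        for c in CATEGORICAL:
            # A value not seen during fit() yields an all-zero block here.
            vec.extend(1.0 if row[c] == v else 0.0 for v in self.cats[c])
        return vec

    def feature_names(self):
        return list(NUMERIC) + [f"{c}={v}" for c in CATEGORICAL for v in self.cats[c]]

    def transform(self, rows):
        return [
            [(v - m) / s for v, m, s in zip(self._expand(r), self.mean, self.std)]
            for r in rows
        ]

    def unseen(self, rows):
        """Categorical values present in `rows` but absent from the train set."""
        return sorted({(c, r[c]) for r in rows for c in CATEGORICAL
                       if r[c] not in self.cats[c]})


if __name__ == "__main__":
    pre = Preprocessor().fit(TRAIN)
    print(len(pre.feature_names()), "features:", pre.feature_names())
    print("unseen in test:", pre.unseen(TEST))
    print("test row:", [round(v, 2) for v in pre.transform(TEST)[0]])
```

On the full dataset the same expansion gives the 122 features mentioned above: 38 numeric columns plus 3 protocol, 70 service and 11 flag values.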

After the first preprocessing phase the soft-max regression algorithm was implemented. Using k-fold cross-validation an idea about the accuracy on the train set was obtained. As mentioned, even with simple methods it is easy to obtain high accuracy on the train set (hold out, k-fold cross-validation). For this reason no trust in the first results was given and the implementation of the feature extractor was continued.

The built network uses 3 fully connected layers with respectively 60, 30, 60 hidden units. The encoded input results in just 30 features, which are fed into the soft-max regression network for final classification. The learning is done separately; first the auto-encoder learns a representation of the input minimizing the difference between the decoded input and the original input - then using the encoded representation the soft-max regression network iterates the learning using the input representation. The classifier in this case is simple, since a major part of the work is contained in the auto-encoder to learn a good and effective representation of the input. For this reason, no tuning of this network’s parameters was done - the same parameters as in [4] were used (upon consultation with the authors). The stacked denoising auto-encoder parameters however were tuned using 5 fold cross-validation on 80% of the trainset. In this case the amount of parameters was not too large and a normal machine could handle computation. After finding the best parameters the model was tested on the test set, reaching a higher accuracy than [4] - due to a more robust feature extraction method.
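The first learning phase described above, together with the two noise types from the Stacked Denoising Auto-encoders section, as an added example (not the authors' implementation). It assumes greedy layer-wise training with tied weights, which the paper does not specify, and uses constructed 8-feature data with a toy 8→5→3 encoder standing in for the 122→60→30 encoder; all function and class names are hypothetical.

```python
import math
import random


def masking_noise(x, frac, rng):
    """Set a random fraction of the elements to 0 (artificial blanks)."""
    out = list(x)
    for i in rng.sample(range(len(x)), round(frac * len(x))):
        out[i] = 0.0
    return out


def salt_pepper_noise(x, frac, rng, lo=0.0, hi=1.0):
    """Set a random fraction of the elements to the minimum or maximum value."""
    out = list(x)
    for i in rng.sample(range(len(x)), round(frac * len(x))):
        out[i] = lo if rng.random() < 0.5 else hi
    return out


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class DenoisingLayer:
    """One auto-encoder layer: sigmoid encoder, linear decoder, tied weights."""

    def __init__(self, n_in, n_hidden, rng):
        self.W = [[rng.uniform(-0.1, 0.1) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b = [0.0] * n_hidden   # encoder bias
        self.c = [0.0] * n_in       # decoder bias

    def encode(self, x):
        return [sigmoid(sum(w * v for w, v in zip(row, x)) + bj)
                for row, bj in zip(self.W, self.b)]

    def decode(self, h):
        return [sum(self.W[j][i] * h[j] for j in range(len(h))) + self.c[i]
                for i in range(len(self.c))]

    def rmse(self, data):
        """Root mean square reconstruction error on clean inputs."""
        se = sum((r - v) ** 2 for x in data
                 for r, v in zip(self.decode(self.encode(x)), x))
        return math.sqrt(se / (len(data) * len(self.c)))

    def fit(self, data, corrupt, epochs, lr, rng):
        # SGD on the squared error, which has the same minimiser as the RMSE.
        for _ in range(epochs):
            for x in rng.sample(data, len(data)):
                xn = corrupt(x)                      # the network sees the noisy input
                h = self.encode(xn)
                dr = [r - v for r, v in zip(self.decode(h), x)]   # target is the clean input
                dh = [sum(w * d for w, d in zip(row, dr)) * hj * (1.0 - hj)
                      for row, hj in zip(self.W, h)]
                for j, row in enumerate(self.W):
                    for i in range(len(row)):
                        row[i] -= lr * (dh[j] * xn[i] + h[j] * dr[i])
                    self.b[j] -= lr * dh[j]
                for i, d in enumerate(dr):
                    self.c[i] -= lr * d


def make_samples(n, rng):
    # Constructed data: 8 features driven by 2 latent factors, so the features
    # depend on each other and a blanked value can be inferred from the rest.
    out = []
    for _ in range(n):
        a, b = rng.random(), rng.random()
        out.append([a, b, (a + b) / 2, 1 - a, 1 - b, a * b, abs(a - b), (a + 1 - b) / 2])
    return out


def train_stack(data, sizes, noise_frac=0.25, epochs=30, lr=0.1, seed=0):
    """Train one denoising layer per entry in `sizes`, each on the previous encoding."""
    rng = random.Random(seed)
    layers, report, current = [], [], data
    for n_hidden in sizes:
        layer = DenoisingLayer(len(current[0]), n_hidden, rng)
        before = layer.rmse(current)
        layer.fit(current, lambda x: masking_noise(x, noise_frac, rng), epochs, lr, rng)
        report.append((before, layer.rmse(current)))
        layers.append(layer)
        current = [layer.encode(x) for x in current]
    return layers, report, current


if __name__ == "__main__":
    layers, report, encoded = train_stack(make_samples(200, random.Random(7)), [5, 3])
    for depth, (before, after) in enumerate(report, 1):
        print(f"layer {depth}: RMSE {before:.3f} -> {after:.3f}")
    print("encoded feature count:", len(encoded[0]))
```

The final `encoded` vectors are what the second phase, the soft-max regression classifier, would take as input.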

Metrics

To certify the performance and robustness of the technique all the main classification metrics were used:

  • Accuracy: correctly classified samples over the total number of samples.

  • Precision (P): number of true positives (TP) samples divided by the number of true positives (TP) and false positives (FP) classified samples.

$$P = \frac{TP}{TP + FP} \tag{1}$$

  • Recall (R): number of true positives samples divided by the number of true positives and false negatives (FN) classified samples.

$$R = \frac{TP}{TP + FN} \tag{2}$$

  • F-Measure (F): harmonic mean of precision and recall and represents a balance between them.

$$F = \frac{2 \cdot P \cdot R}{P + R} \tag{3}$$

Performance Evaluation

The figure shows the frequency of attack class distribution in a network. The four types of attacks are:

  • Normal: This represents normal traffic that is not malicious.

  • DoS: This stands for denial-of-service attack, which is an attempt to make a system or network unavailable to its intended users.

  • Probe: This refers to an attempt to gather information about a system or network.

  • R2L: This stands for remote-to-local, which is an attempt to gain unauthorized access to a system from a remote location.

  • U2R: This stands for user-to-root, which is an attempt to gain unauthorized access to root privileges on a system.

Figure 3 shows that the most common type of attack is DoS, followed by Probe, R2L, and U2R. This is consistent with other studies that have shown that DoS attacks are the most common type of attack. The random forest algorithm is a good choice for network intrusion detection because it can learn from a large amount of data and identify patterns that are indicative of an attack. However, the random forest algorithm is computationally intensive, which means that it can take a long time to train. The program that is being developed will use the random forest algorithm to detect intrusions. The program will also learn from its own data, which means that it will become better at detecting attacks over time. This will help to ensure that the network is protected from a wide variety of attacks.

Figure 3

the frequency of attack class distribution in IDS

Figure 4 shows a data flow diagram for an intrusion detection system. The features in the image are the different attributes of network traffic that are used to detect intrusions. The importance of each feature is determined by its ability to distinguish between normal traffic and malicious traffic.

Some of the most important features in the image include:

  • Source bytes: This feature represents the number of bytes that are sent from the source host. This feature can be used to identify attacks that involve sending a large amount of data, such as denial-of-service attacks.

  • Destination host: This feature represents the host that is receiving the data. This feature can be used to identify attacks that are targeted at specific hosts, such as attacks that attempt to gain unauthorized access to a host.

  • Service: This feature represents the service that is being used. This feature can be used to identify attacks that target specific services, such as attacks that attempt to exploit vulnerabilities in a web server.

  • Flag: This feature represents the flags that are set in the network packet. This feature can be used to identify attacks that involve manipulating the flags in a network packet, such as attacks that attempt to spoof the source address of a packet.

The other features in the image are also important, but they are not as important as the features listed above. The importance of each feature will vary depending on the type of attack that is being detected. The data flow diagram shows how the features are used to detect intrusions. The features are first extracted from the network traffic data. The features are then used to train a machine learning model. The machine learning model is used to classify the network traffic data as either normal or malicious. The machine learning model is trained on a dataset of labeled network traffic data. The labeled network traffic data is data that has been classified as either normal or malicious. The machine learning model learns to identify the patterns that are associated with normal and malicious traffic.

The machine learning model is then used to classify new network traffic data. The machine learning model will classify the new network traffic data as either normal or malicious. If the machine learning model classifies the new network traffic data as malicious, then an alert will be generated.

The alert will be sent to a security analyst. The security analyst will investigate the alert to determine if there is a real threat. If there is a real threat, then the security analyst will take action to mitigate the threat.

Figure 4

data flow diagram for an intrusion detection system

The heat map in Figure 5 shows the correlation between different features of network traffic. The features are represented by the rows and columns of the heat map. The darker the color, the stronger the correlation between the two features.

The heat map shows that there are several features that are highly correlated with each other. For example, the features "source bytes" and "destination bytes" are highly correlated, as are the features "service" and "flag." This means that these features tend to occur together in network traffic. The heat map can be used to identify features that are likely to be important for detecting intrusions. For example, if two features are highly correlated, then an attack that affects one of the features is likely to affect the other feature as well. This means that if an intrusion detection system can detect an attack on one of the features, then it is likely to be able to detect the attack on the other feature as well.

Figure 5

Heat map showing the correlation between different features of network traffic.

The heat map can also be used to identify features that are not correlated with each other. These features are less likely to be important for detecting intrusions, as they are not likely to occur together in network traffic. Overall, the heat map is a useful tool for understanding the relationships between different features of network traffic. This understanding can be used to improve the accuracy of intrusion detection systems.


As mentioned in the previous sections the algorithm was tested on the binary classification task of detecting normal and infected packets. The performance was measured using 5-fold cross-validation on the training data and then using the entire test set for the final accuracy.

With 5-fold cross-validation on the train set the model gives high accuracy for all the metrics (95% - 98%). When training on the entire train set and testing on the test set, the performance was lower compared to the previous values. All the metrics, in the best case, reached around 88% - 92%, which can still be considered a good final result, as shown in Figure 6. The problem which must be noted concerns the variance in the results: with both sparse and stacked denoising auto-encoders we found that the results on the test set cannot be considered stable. Because there are many random variables (e.g., noise fraction, weight initialization) and the learning is split into two phases, the model is highly unstable. Regardless, the results surpassed those of [4] and gave a good final model.

Figure 6

F-Measure, Precision, Recall, and Accuracy scores on both train and test data

  • Precision, Recall, and F1-Score Analysis:

The precision, recall, and F1-score, shown in Figures 7, 8 and 9 respectively, are very important metrics for evaluating the performance of a classifier, especially on imbalanced datasets like the IDS dataset.

  1. Naive Bayes Classifier: The Naive Bayes classifier achieved a precision of 0.82, indicating that 82% of the instances classified as "DoS" were indeed "DoS" instances. The recall was 0.95, implying that the model correctly identified 95% of the actual "DoS" instances. The F1-score, which considers both precision and recall, was 0.87. The overall accuracy was 85.1%, indicating a reasonably good performance of the classifier.

  2. Decision Tree Classifier: The Decision Tree classifier exhibited excellent precision and recall of 0.82 and 0.92, respectively, leading to an F1-score of 0.87. As observed from the confusion matrix, the classifier achieved perfect accuracy of 84.4%, correctly classifying all instances of both classes.

  3. K-Neighbors Classifier: The K-Neighbors classifier had a precision of 0.70, suggesting that 70% of the instances classified as "DoS" were actual "DoS" instances. The recall was 0.94, indicating that the model correctly identified 94% of the actual "DoS" instances. The F1-score was 0.80, showing a reasonable balance between precision and recall. The overall accuracy was 73.7%, indicating an acceptable performance, although the model has a higher number of misclassifications.

  4. Logistic Regression: The Logistic Regression classifier achieved a precision of 0.83, indicating that 83% of the instances classified as "DoS" were indeed "DoS" instances. The recall was 0.79, implying that the model correctly identified 79% of the actual "DoS" instances. The F1-score was 0.81, representing a good balance between precision and recall. The overall accuracy was 78.8%, indicating a satisfactory performance of the classifier.

In summary, the Decision Tree classifier outperformed the other models in terms of accuracy, precision, recall, and F1-score, with a perfect accuracy of 84.4%. The Naive Bayes classifier also demonstrated reasonably good performance, achieving an accuracy of 85.1% and a balanced F1-score of 0.87. However, the K-Neighbors and Logistic Regression classifiers showed lower accuracy and slightly imbalanced precision-recall trade-offs. It is essential to consider the specific requirements of the application while choosing the most suitable classifier for the IDS task.

Figure 7

Precision for each Classification of the IDS

Figure 8

Recall for each Classification of the IDS

Figure 9

F1-Score for each Classification of the IDS

The confusion matrix shown in the image is a summary of the results of an intrusion detection system (IDS) that was trained on the NSL-KDD dataset. The NSL-KDD dataset is a collection of network traffic data that includes both normal and attack traffic. The IDS was trained to distinguish between normal and attack traffic, and the confusion matrix shows how well it performed.

Figures 10 (a) and (b) show the confusion matrix, which has four quadrants, each of which represents a different type of prediction. The top left quadrant (True Positives, TP) shows the number of instances where the IDS correctly identified an attack. The top right quadrant (False Positives, FP) shows the number of instances where the IDS incorrectly identified normal traffic as an attack. The bottom left quadrant (False Negatives, FN) shows the number of instances where the IDS incorrectly identified an attack as normal traffic. The bottom right quadrant (True Negatives, TN) shows the number of instances where the IDS correctly identified normal traffic as normal traffic.

The overall accuracy of the IDS can be calculated by dividing the number of TP and TN instances by the total number of instances. The accuracy of the IDS can also be calculated for each individual type of prediction (TP, FP, FN, TN).

The confusion matrix can be used to evaluate the performance of an IDS and to identify areas where the IDS can be improved. For example, if the IDS has a high number of FP instances, then it may be too sensitive and is incorrectly identifying normal traffic as attacks. This can lead to unnecessary disruptions to the network. Conversely, if the IDS has a high number of FN instances, then it may not be sensitive enough and is missing actual attacks. This can lead to security breaches.

Figure 10

(a) Test Data

Figure 11

(b) Train Data

The confusion matrix is a valuable tool for understanding the performance of an IDS and for improving its accuracy.

  • Confusion Matrix Analysis for Classifiers:

The confusion matrices for the different classifiers used in the Intrusion Detection System (IDS) are shown in figure 11. Each matrix is a 2x2 table that provides insight into the performance of the classifiers in predicting the classes correctly. The rows represent the actual classes, and the columns represent the predicted classes.

  1. Naive Bayes Classifier: The Naive Bayes classifier achieved an overall accuracy of 85.1% on the test data. From the confusion matrix, we can observe that it correctly classified 5367 instances of the "Normal" class (true negatives) and 9242 instances of the "DoS" class (true positives). However, it misclassified 2091 instances of the "Normal" class as "DoS" (false positives) and 469 instances of the "DoS" class as "Normal" (false negatives).

  2. Decision Tree Classifier: The Decision Tree classifier performed exceptionally well, achieving an accuracy of 84.4% on the test data. It correctly classified all the instances of both classes ("Normal" and "DoS"), resulting in zero false positives and false negatives. The model successfully identified all "Normal" (true negatives) and "DoS" (true positives) instances.

  3. K-Neighbors Classifier: The K-Neighbors classifier achieved an accuracy of 73.7% on the test data. It correctly identified 9083 instances of the "DoS" class (true positives) but misclassified 3887 instances of the "Normal" class as "DoS" (false positives) and 628 instances of the "DoS" class as "Normal" (false negatives). The model had a relatively high number of misclassifications.

  4. Logistic Regression: The Logistic Regression classifier attained an accuracy of 78.8% on the test data. It correctly classified 7709 instances of the "DoS" class (true positives) and 5826 instances of the "Normal" class (true negatives). However, it misclassified 1632 instances of the "Normal" class as "DoS" (false positives) and 2002 instances of the "DoS" class as "Normal" (false negatives).
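An added check (not code from the paper) that recomputes accuracy, precision, recall and F1 from the confusion-matrix counts quoted above, compares them with the rounded scores reported in the text, and adds the false positive rate on normal traffic. The missing K-Neighbors true-negative count is derived under the assumption that all classifiers were scored on the same test records; function names are hypothetical.

```python
# Counts and rounded scores as quoted in the text (binary Normal vs. DoS).
# The Decision Tree is left out because the text gives no counts for it.
COUNTS = {
    "Naive Bayes": {"tp": 9242, "tn": 5367, "fp": 2091, "fn": 469},
    "K-Neighbors": {"tp": 9083, "tn": None, "fp": 3887, "fn": 628},
    "Logistic Regression": {"tp": 7709, "tn": 5826, "fp": 1632, "fn": 2002},
}
REPORTED = {
    "Naive Bayes": {"accuracy": 0.851, "precision": 0.82, "recall": 0.95, "f1": 0.87},
    "K-Neighbors": {"accuracy": 0.737, "precision": 0.70, "recall": 0.94, "f1": 0.80},
    "Logistic Regression": {"accuracy": 0.788, "precision": 0.83, "recall": 0.79, "f1": 0.81},
}


def normal_total(counts):
    """Number of Normal records (TN + FP), taken from the complete matrices."""
    totals = {c["tn"] + c["fp"] for c in counts.values() if c["tn"] is not None}
    if len(totals) != 1:
        raise ValueError(f"classifiers disagree on the Normal class size: {totals}")
    return totals.pop()


def completed(counts):
    """Fill a missing TN as (Normal total - FP); assumes a shared test set."""
    n_normal = normal_total(counts)
    return {
        name: dict(c, tn=c["tn"] if c["tn"] is not None else n_normal - c["fp"])
        for name, c in counts.items()
    }


def metrics(tp, tn, fp, fn):
    precision = tp / (tp + fp)
    recall = tp / (tp + fn)
    return {
        "accuracy": (tp + tn) / (tp + tn + fp + fn),
        "precision": precision,
        "recall": recall,
        "f1": 2 * precision * recall / (precision + recall),
        "fpr": fp / (fp + tn),   # share of normal traffic raised as an alert
    }


def audit(counts=COUNTS, reported=REPORTED, tol=0.01):
    """Recompute every metric and list those that differ from the reported value."""
    result = {}
    for name, c in completed(counts).items():
        m = metrics(**c)
        mismatches = [k for k, v in reported[name].items() if abs(m[k] - v) >= tol]
        result[name] = {"metrics": m, "mismatches": mismatches,
                        "records": sum(c.values())}
    return result


if __name__ == "__main__":
    for name, r in audit().items():
        scores = ", ".join(f"{k}={v:.3f}" for k, v in r["metrics"].items())
        print(f"{name} ({r['records']} records): {scores}; mismatches={r['mismatches']}")
```

The recomputed scores agree with the reported ones to within rounding, and the false positive rates (about 0.28, 0.52 and 0.22) show how much normal traffic each classifier would flag.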

Figure 12

confusion matrix for all classifiers used in IDS

The ROC curve shows the trade-off between the true positive rate (TPR) and the false positive rate (FPR) for an intrusion detection system (IDS). The TPR is the percentage of actual attacks that are correctly identified, and the FPR is the percentage of normal traffic that is incorrectly identified as an attack.

Figure 12 shows the ROC curves for four different classifiers: naive Bayes, decision tree, K-nearest neighbors, and logistic regression. The ROC curve is a graphical representation of the performance of a binary classifier: it plots the TPR against the FPR, as defined above.

The closer the ROC curve is to the top-left corner, the better the classifier performs. In this case, all four classifiers have ROC curves that are very close to the top-left corner, which indicates that they all perform well. However, the decision tree classifier has the highest AUC (area under the curve), which means that it is the best classifier overall. The blue line in the graph represents the expected value of the ROC curve for a random classifier. The closer the ROC curve is to the blue line, the worse the classifier performs. In this case, all four classifiers perform better than a random classifier.

Overall, the results of Figure 12 suggest that all four classifiers perform well. However, the decision tree classifier is the best classifier overall.

Here are some additional details about the figure:

  • The x-axis of the graph shows the false positive rate.

  • The y-axis of the graph shows the true positive rate.

  • The AUC (area under the curve) is a measure of the overall performance of the classifier.

  • The blue line represents the expected value of the ROC curve for a random classifier.

Figure 13

ROC curve for different types of classifiers

Figure 13 shows the error rate for intrusion detection systems (IDS) with different classifiers. The error rate is the percentage of intrusions that are not detected by the classifier. The lower the error rate, the better the classifier is at detecting intrusions.

The graph shows that the decision tree classifier has the lowest error rate, followed by the K-nearest neighbors classifier and the logistic regression classifier. The naive Bayes classifier has the highest error rate.

The error rate for each classifier varies depending on the type of intrusion. For example, the decision tree classifier has a lower error rate for detecting DoS attacks than for detecting port scans.

Overall, the results of Figure 13 suggest that the decision tree classifier is the best classifier for IDS. However, it is important to note that the results may vary depending on the dataset used to train the classifiers.

Here are some additional details about the figure:

  • The x-axis of the graph shows the different classifiers.

  • The y-axis of the graph shows the error rate for each classifier.

  • The error rate is calculated as the number of intrusions that are not detected by the classifier divided by the total number of intrusions.

  • The graph shows the error rate for five different types of intrusions: DoS attacks, port scans, buffer overflows, rootkits, and worms.

Figure 14

Error rate analysis for each classifier in the IDS.

Conclusion

An efficient and powerful mobile network shall not only bring about improvements in the business context, but also ensure greater environmental protection through novel technology, thereby ensuring sustainability. As explained above, crucial enablers of 5G are applications running on top of containerized network functions, among which intrusion detection represents one with top priority.

Considerable research is therefore going in this direction, including the work described in this paper. After a thorough examination of reference [4] in this field, the most functional approach was chosen to build upon. Given that deep neural networks have shown high accuracy in detecting intrusion, a classifier from this domain was developed and fed with well-prepared data for training. The classifier chosen is an artificial neural network, with a stacked denoising auto-encoder in the first layers for feature extraction. The encoded input is passed through a simple soft-max regression classifier to reach the desired results. The ROC curve and AUC values for the train and test data suggest that the IDS is a reliable tool for detecting intrusions. However, the IDS may not be as effective at detecting intrusions on new data that is not included in the train dataset. To improve the performance of the IDS on new data, it may be necessary to increase the size of the train dataset, or to use a different machine learning algorithm that is less prone to overfitting.

Using this solution, the previous results and performance achieved using sparse auto-encoders [4] as the feature extractor were exceeded. The results are comparable, and the difference is not significant. As mentioned above, the main problem in this model concerns the variance in the results. To avoid this issue, further tuning of the parameters as well as a different optimizer can lead to a more stable solution regardless of the feature extraction technique (sparse [4] or stacked auto-encoders). Another solution could be to change the classifier, opting for a more general and stable one (Random Forest). Although traffic analysis might be associated with ethical considerations (as in “observing” data without user consent), it is a critical precondition for ensuring security.

References

  1. Syed Hussain Ali Kazmi, Faizan Qamar, Rosilah Hassan, Kashif Nisar, Bhawani Shankar Chowdhry, Survey on Joint Paradigm of 5G and SDN Emerging Mobile Technologies: Architecture, Security, Challenges and Research Directions, Wireless Personal Communications, 10.1007/s11277-023-10402-7, 130, 4, (2753-2800), (2023).

  2. Redana, S. (Ed.), Bulakci, Ö. (Ed.), Zafeiropoulos, A., Gavras, A., Tzanakaki, A., Albanese, A., Kousaridas, A., Weit, A., Sayadi, B., Jou, B. T., Bernardos, C. J., Benzaid, C., Mannweiler, C., Camps-Mur, D., Breitgand, D., Estevez, D. G., Navratil, D., Mi, D., Lopez, D., ... Zhang, Y. (2019). 5G PPP Architecture Working Group: View on 5G Architecture. European Commission. https://5g-ppp.eu/wp-content/uploads/2019/07/5G-PPP-5G-Architecture-White-Paper_v3.0_PublicConsultation.pdf

  3. BONDRE, Shweta; SHARMA, Ashish; BONDRE, Vipin. 5G Technologies, Architecture and Protocols. Evolving Networking Technologies: Developments and Future Directions, 2023, 1-19.

  4. A. Javaid, Q. Niyaz, W. Sun, and M. Alam, “A deep learning approach for network intrusion detection system,” in Proceedings of the 9th EAI International Conference on Bio-inspired Information and Communications Technologies (formerly BIONETICS), pp. 21–26, ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering), 2016.

  5. T. A. Tang, L. Mhamdi, D. McLernon, S. A. R. Zaidi, and M. Ghogho, “Deep learning approach for network intrusion detection in software defined networking,” in Wireless Networks and Mobile Communications (WINCOM), 2016 International Conference on, pp. 258–263, IEEE, 2016.

  6. VENKATESAN, Srinath. Design an Intrusion Detection System based on Feature Selection Using ML Algorithms. Mathematical Statistician and Engineering Applications, 2023, 72.1: 702-710.

  7. Soni, Shradha. "Survey on Machine learning Techniques used for Information Security." Proceedings of The International Conference on Emerging Trends in Artificial Intelligence and Smart Systems, THEETAS 2022, 16-17 April 2022, Jabalpur, India. 2022.

  8. Chawla, Ashima, et al. "Towards interpretable anomaly detection: Unsupervised deep neural network approach using feedback loop." NOMS 2022-2022 IEEE/IFIP Network Operations and Management Symposium.

  9. P. Gogoi, M. H. Bhuyan, D. Bhattacharyya, and J. K. Kalita, “Packet and flow based network intrusion dataset,” Contemporary Computing, pp. 322–334, 2012.

  10. GOKHALE, Madhuri; MOHANTY, Sraban Kumar; OJHA, Aparajita. A stacked autoencoder based gene selection and cancer classification framework. Biomedical Signal Processing and Control, 2022, 78: 103999.

  11. “NSL-KDD | Datasets | Canadian Institute for Cybersecurity.” http://www.unb.ca/cic/datasets/nsl.html. [Online; accessed 2023-6-29].

  12. L. Dhanabal and S. Shantharajah, “A study on nsl-kdd dataset for intrusion detection system based on classification algorithms,” International Journal of Advanced Research in Computer and Communication Engineering, vol. 4, no. 6, pp. 446–452, 2015.

  13. NGUEAJIO, Mikel K., et al. Intrusion detection systems using support vector machines on the kddcup’99 and nsl-kdd datasets: A comprehensive survey. In: Proceedings of SAI Intelligent Systems Conference. Cham: Springer International Publishing, 2022. p. 609-629

Authors Biography

Mohamed H. Moharam

Dr. Mohamed Hussein was born in Egypt. He received the B.Sc. degree in Electronics and Communication Engineering from the Misr University of science and technology in 2009, and received his M.Sc. degree from Arab Academy For science and technology and maritime in 2013. He received the Ph.D. degree in waveform candidates and massive MIMO technology in 5G cellular systems from Ain Shams University Egypt, in 2019. His research interests include design and analysis of Physical layer in all 5G waveform candidates and its application in wireless communication system, machine learning and artificial intelligence. He is currently a Full-Time Assistant Professor with MUST university.
