The importance of time: modelling network intrusions with long short-term memory recurrent neural networks
Publisher
University of the Western Cape
Abstract
We claim that modelling network traffic as a time series with a supervised learning approach, using known genuine and malicious behaviour, improves intrusion detection. To substantiate this, we trained long short-term memory (LSTM) recurrent neural networks with the training data provided by the DARPA KDD Cup 99 challenge. After preprocessing all features, to improve information gain, we applied a number of intuitive steps to extract salient features, which resulted in the creation of a number of minimal feature sets that could be used for detecting attack classes. The preprocessed KDD Cup 99 data was then used to test the performance of five very common and well-known classifiers: decision trees, naive Bayes, Bayesian networks, feedforward neural network, and support vector machines. Our results show a performance comparable to the winning entries of the KDD Cup 99 challenge. Finally, we applied the LSTM recurrent neural network classifier to the preprocessed data using the minimal feature sets. Our results show that the LSTM classifier provides superior performance in comparison to other strong static classifiers trained. This is due to the fact that the LSTM network learns to look back in time and correlate consecutive connection records. For the first time ever we have demonstrated the usefulness of LSTM networks to intrusion detection.