Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Multidomain transformer-based deep learning for early detection of network intrusion

Jinxin Liu, Murat Simsek, Michele Nogueira, Burak Kantarci

TL;DR

The paper tackles the latency inherent in traditional NIDS by enabling intrusion detection from partial network flows. It introduces TS-NFM to cast per-flow packets as a multivariate time series and MDT to fuse time- and frequency-domain cues via a 2D FFT-enhanced Transformer with MD-MHA, yielding fast, early detections. Key contributions include the SCVIC-TS-2022 dataset, the TS-NFM feature extractor, and the MDT framework that achieves macro F1 of $84.1\%$ on SCVIC-TS-2022, with notable improvements over Transformer baselines and across ECG and Wafer datasets. This approach demonstrates the potential for substantially earlier and still accurate intrusion responses, with practical impact for real-time network defense and broader time-series intrusion detection tasks.

Abstract

Timely response of Network Intrusion Detection Systems (NIDS) is constrained by the flow generation process which requires accumulation of network packets. This paper introduces Multivariate Time Series (MTS) early detection into NIDS to identify malicious flows prior to their arrival at target systems. With this in mind, we first propose a novel feature extractor, Time Series Network Flow Meter (TS-NFM), that represents network flow as MTS with explainable features, and a new benchmark dataset is created using TS-NFM and the meta-data of CICIDS2017, called SCVIC-TS-2022. Additionally, a new deep learning-based early detection model called Multi-Domain Transformer (MDT) is proposed, which incorporates the frequency domain into Transformer. This work further proposes a Multi-Domain Multi-Head Attention (MD-MHA) mechanism to improve the ability of MDT to extract better features. Based on the experimental results, the proposed methodology improves the earliness of the conventional NIDS (i.e., percentage of packets that are used for classification) by 5x10^4 times and duration-based earliness (i.e., percentage of duration of the classified packets of a flow) by a factor of 60, resulting in a 84.1% macro F1 score (31% higher than Transformer) on SCVIC-TS-2022. Additionally, the proposed MDT outperforms the state-of-the-art early detection methods by 5% and 6% on ECG and Wafer datasets, respectively.

Multidomain transformer-based deep learning for early detection of network intrusion

TL;DR

The paper tackles the latency inherent in traditional NIDS by enabling intrusion detection from partial network flows. It introduces TS-NFM to cast per-flow packets as a multivariate time series and MDT to fuse time- and frequency-domain cues via a 2D FFT-enhanced Transformer with MD-MHA, yielding fast, early detections. Key contributions include the SCVIC-TS-2022 dataset, the TS-NFM feature extractor, and the MDT framework that achieves macro F1 of on SCVIC-TS-2022, with notable improvements over Transformer baselines and across ECG and Wafer datasets. This approach demonstrates the potential for substantially earlier and still accurate intrusion responses, with practical impact for real-time network defense and broader time-series intrusion detection tasks.

Abstract

Timely response of Network Intrusion Detection Systems (NIDS) is constrained by the flow generation process which requires accumulation of network packets. This paper introduces Multivariate Time Series (MTS) early detection into NIDS to identify malicious flows prior to their arrival at target systems. With this in mind, we first propose a novel feature extractor, Time Series Network Flow Meter (TS-NFM), that represents network flow as MTS with explainable features, and a new benchmark dataset is created using TS-NFM and the meta-data of CICIDS2017, called SCVIC-TS-2022. Additionally, a new deep learning-based early detection model called Multi-Domain Transformer (MDT) is proposed, which incorporates the frequency domain into Transformer. This work further proposes a Multi-Domain Multi-Head Attention (MD-MHA) mechanism to improve the ability of MDT to extract better features. Based on the experimental results, the proposed methodology improves the earliness of the conventional NIDS (i.e., percentage of packets that are used for classification) by 5x10^4 times and duration-based earliness (i.e., percentage of duration of the classified packets of a flow) by a factor of 60, resulting in a 84.1% macro F1 score (31% higher than Transformer) on SCVIC-TS-2022. Additionally, the proposed MDT outperforms the state-of-the-art early detection methods by 5% and 6% on ECG and Wafer datasets, respectively.
Paper Structure (15 sections, 2 equations, 7 figures, 3 tables)

This paper contains 15 sections, 2 equations, 7 figures, 3 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Machine Learning-based NIDSs
  4. Early Detection on Time Series Data
  5. Network Intrusion Early Detection System
  6. Problem Definition
  7. Time Series Network Flow Meter
  8. Multi-Domain Transformer
  9. Experimental Results
  10. Datasets
  11. SCVIC-TS-2022
  12. ECG
  13. Wafer
  14. Experimental Results
  15. Conclusion

Figures (7)

  • Figure 1: An Illustrative Comparison of a Conventional NIDS and an Early Detection IDS
  • Figure 2: Time Series Representation of Network Flow Meter Features
  • Figure 3: MDTransformer Architecture
  • Figure 4: Multi-Domain Multi-Head Attention (MD-MHA). Comparing with the vanilla attention, we obtain the attention score from both time domain and frequency domain to obtain more information.
  • Figure 5: MDT Using ML Classifier
  • ...and 2 more figures