Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Genos: General In-Network Unsupervised Intrusion Detection by Rule Extraction

Ruoyu Li, Qing Li, Yu Zhang, Dan Zhao, Xi Xiao, Yong Jiang

TL;DR

Genos tackles the need for high throughput, interpretable, unsupervised in-network intrusion detection by extracting axis aligned rules from any A-NIDS model and deploying them on programmable switches. Its divide-and-conquer rule extraction via a Score Clustering Tree and Decision Boundary Estimation enables faithful replication of the source model while supporting incremental updates that affect only subspaces. The framework comprises three control-plane modules Model Compiler, Model Interpreter, and Model Debugger, plus a data plane feature extractor implemented on a Tofino switch, achieving about 100 Gbps line rate with low latency. Experimental results on CIC-IDS and TON-IoT show high fidelity to source models, strong detection performance, effective interpretability, and efficient incremental updates, with a public code release for reproducibility.

Abstract

Anomaly-based network intrusion detection systems (A-NIDS) use unsupervised models to detect unforeseen attacks. However, existing A-NIDS solutions suffer from low throughput, lack of interpretability, and high maintenance costs. Recent in-network intelligence (INI) exploits programmable switches to offer line-rate deployment of NIDS. Nevertheless, current in-network NIDS are either model-specific or only apply to supervised models. In this paper, we propose Genos, a general in-network framework for unsupervised A-NIDS by rule extraction, which consists of a Model Compiler, a Model Interpreter, and a Model Debugger. Specifically, observing benign data are multimodal and usually located in multiple subspaces in the feature space, we utilize a divide-and-conquer approach for model-agnostic rule extraction. In the Model Compiler, we first propose a tree-based clustering algorithm to partition the feature space into subspaces, then design a decision boundary estimation mechanism to approximate the source model in each subspace. The Model Interpreter interprets predictions by important attributes to aid network operators in understanding the predictions. The Model Debugger conducts incremental updating to rectify errors by only fine-tuning rules on affected subspaces, thus reducing maintenance costs. We implement a prototype using physical hardware, and experiments demonstrate its superior performance of 100 Gbps throughput, great interpretability, and trivial updating overhead.

Genos: General In-Network Unsupervised Intrusion Detection by Rule Extraction

TL;DR

Genos tackles the need for high throughput, interpretable, unsupervised in-network intrusion detection by extracting axis aligned rules from any A-NIDS model and deploying them on programmable switches. Its divide-and-conquer rule extraction via a Score Clustering Tree and Decision Boundary Estimation enables faithful replication of the source model while supporting incremental updates that affect only subspaces. The framework comprises three control-plane modules Model Compiler, Model Interpreter, and Model Debugger, plus a data plane feature extractor implemented on a Tofino switch, achieving about 100 Gbps line rate with low latency. Experimental results on CIC-IDS and TON-IoT show high fidelity to source models, strong detection performance, effective interpretability, and efficient incremental updates, with a public code release for reproducibility.

Abstract

Anomaly-based network intrusion detection systems (A-NIDS) use unsupervised models to detect unforeseen attacks. However, existing A-NIDS solutions suffer from low throughput, lack of interpretability, and high maintenance costs. Recent in-network intelligence (INI) exploits programmable switches to offer line-rate deployment of NIDS. Nevertheless, current in-network NIDS are either model-specific or only apply to supervised models. In this paper, we propose Genos, a general in-network framework for unsupervised A-NIDS by rule extraction, which consists of a Model Compiler, a Model Interpreter, and a Model Debugger. Specifically, observing benign data are multimodal and usually located in multiple subspaces in the feature space, we utilize a divide-and-conquer approach for model-agnostic rule extraction. In the Model Compiler, we first propose a tree-based clustering algorithm to partition the feature space into subspaces, then design a decision boundary estimation mechanism to approximate the source model in each subspace. The Model Interpreter interprets predictions by important attributes to aid network operators in understanding the predictions. The Model Debugger conducts incremental updating to rectify errors by only fine-tuning rules on affected subspaces, thus reducing maintenance costs. We implement a prototype using physical hardware, and experiments demonstrate its superior performance of 100 Gbps throughput, great interpretability, and trivial updating overhead.
Paper Structure (24 sections, 11 equations, 11 figures, 4 tables, 2 algorithms)

This paper contains 24 sections, 11 equations, 11 figures, 4 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Background and Motivation
  3. Anomaly-based Network Intrusion Detection (A-NIDS)
  4. P4 Switch and In-Network Intelligence
  5. Challenges of General INI for A-NIDS
  6. Overview
  7. Framework Design
  8. Model Compiler
  9. Design Goal
  10. Rule Extraction
  11. Translation to P4 Table
  12. Model Interpreter
  13. Model Debugger
  14. Data Plane Implementation
  15. Evaluation
  16. ...and 9 more sections

Figures (11)

  • Figure 1: Rules that extract A-NIDS using knowledge distillation (KD) and only benign data suffer huge accuracy loss.
  • Figure 2: Updating false positives with only 0.24% of data causes changes in tree structure and splitting criteria.
  • Figure 3: Overview of Genos.
  • Figure 4: Illustration of Model Debugger to fix false positives.
  • Figure 5: Comparison of rule extraction performance on four A-NIDS models using two traffic datasets.
  • ...and 6 more figures