
Multi-agent Reinforcement Learning-based Network Intrusion Detection System

Amine Tellache, Amdjed Mokhtari, Abdelaziz Amara Korba, Yacine Ghamri-Doudane

TL;DR

The paper tackles the challenge of evolving network threats and severe class imbalance in intrusion detection by introducing a two-level multi-agent reinforcement learning system. It employs $N$ independent L1 agents, each specialized for a specific attack, plus a central decider, and enhances the DQN with a weighted mean square loss and cost-sensitive learning to address imbalance. On CIC-IDS-2017, the approach achieves about $99\%$ accuracy with a low false positive rate of $0.16\%$ and an AUC around $0.92$, while demonstrating evolvability to new/evolving attacks. The architecture is modular and extensible, enabling incremental updates for new attack types and potentially enabling decentralized cyber threat intelligence sharing in future work.

Abstract

Intrusion Detection Systems (IDS) play a crucial role in ensuring the security of computer networks. Machine learning has emerged as a popular approach for intrusion detection due to its ability to analyze and detect patterns in large volumes of data. However, current ML-based IDS solutions often struggle to keep pace with the ever-changing nature of attack patterns and the emergence of new attack types. Additionally, these solutions face challenges related to class imbalance, where the number of instances belonging to different classes (normal and intrusions) is significantly imbalanced, which hinders their ability to effectively detect minority classes. In this paper, we propose a novel multi-agent reinforcement learning (RL) architecture, enabling automatic, efficient, and robust network intrusion detection. To enhance the capabilities of the proposed model, we have improved the Deep Q-Network (DQN) algorithm by implementing the weighted mean square loss function and employing cost-sensitive learning techniques. Our solution introduces a resilient architecture designed to accommodate the addition of new attacks and effectively adapt to changes in existing attack patterns. Experimental results obtained on the CIC-IDS-2017 dataset demonstrate that our approach can effectively handle the class imbalance problem and provide a fine-grained classification of attacks with a very low false positive rate. In comparison to the current state-of-the-art works, our solution demonstrates a significant superiority in both detection rate and false positive rate.
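The following added example (not code from the paper or its authors) illustrates why a weighted mean square loss and cost-sensitive rewards matter for one L1 agent trained on imbalanced traffic. The inverse-frequency weighting, the reward values, the one-step episodes and the constructed batch are all assumptions made for illustration; the paper's exact formulation is not reproduced on this page.

```python
from collections import Counter

# Constructed replay batch for one L1 agent: (label, action, q_value).
# label/action: 1 = the attack this agent specializes in, 0 = anything else.
BATCH = [(0, 0, 0.5)] * 95 + [(1, 1, 0.2)] * 5

def class_weights(labels):
    """Inverse-frequency weights n / (n_classes * count); an assumed scheme."""
    counts = Counter(labels)
    return {c: len(labels) / (len(counts) * k) for c, k in counts.items()}

def reward(action, label, cost):
    """Cost-sensitive reward: +cost[label] if correct, -cost[label] if wrong."""
    return cost[label] if action == label else -cost[label]

def squared_td_errors(batch, cost):
    """Assumes each classification ends the episode, so the target is the reward."""
    return [(label, (reward(a, label, cost) - q) ** 2) for label, a, q in batch]

def weighted_mse(batch, cost, weights):
    """Weighted mean square loss, normalised by the sum of sample weights."""
    errs = squared_td_errors(batch, cost)
    return sum(weights[l] * e for l, e in errs) / sum(weights[l] for l, _ in errs)

def attack_share(batch, cost, weights):
    """Fraction of the loss (hence of the training signal) from attack samples."""
    errs = squared_td_errors(batch, cost)
    total = sum(weights[l] * e for l, e in errs)
    return sum(weights[l] * e for l, e in errs if l == 1) / total

UNIFORM = {0: 1.0, 1: 1.0}  # no weighting / no cost sensitivity

if __name__ == "__main__":
    w = class_weights([label for label, _, _ in BATCH])
    print("plain MSE, attack share:     ", round(attack_share(BATCH, UNIFORM, UNIFORM), 3))
    print("weighted MSE, attack share:  ", round(attack_share(BATCH, UNIFORM, w), 3))
    print("weighted + 2x cost on attack:", round(attack_share(BATCH, {0: 1.0, 1: 2.0}, w), 3))
```

With 5% attack samples, the unweighted loss is dominated by benign traffic; the weighting and the higher attack cost shift most of the training signal to the minority class.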


Paper Structure

This paper contains 13 sections, 7 equations, 4 figures, 5 tables, 2 algorithms.

Figures (4)

  • Figure 1: Proposed multi-agent reinforcement learning IDS architecture
  • Figure 2: ROC Curve - CIC-IDS-2017
  • Figure 3: Confusion matrix
  • Figure 4: Comparison of our proposed model with other machine learning models