Pelican: A Deep Residual Network for Network Intrusion Detection
This work addresses the challenge of reducing false alarms in network intrusion detection for improved security, representing an incremental improvement over existing ML-based methods.
The paper tackles the problem of high false alarm rates in machine learning-based network intrusion detection systems by proposing Pelican, a deep residual network, which achieves high attack detection performance with significantly lower false alarm rates on NSL-KDD and UNSW-NB15 datasets.
One challenge for building a secure network communication environment is how to effectively detect and prevent malicious network behaviours. The abnormal network activities threaten users' privacy and potentially damage the function and infrastructure of the whole network. To address this problem, the network intrusion detection system (NIDS) has been used. By continuously monitoring network activities, the system can timely identify attacks and prompt counter-attack actions. NIDS has been evolving over years. The current-generation NIDS incorporates machine learning (ML) as the core technology in order to improve the detection performance on novel attacks. However, the high detection rate achieved by a traditional ML-based detection method is often accompanied by large false-alarms, which greatly affects its overall performance. In this paper, we propose a deep neural network, Pelican, that is built upon specially-designed residual blocks. We evaluated Pelican on two network traffic datasets, NSL-KDD and UNSW-NB15. Our experiments show that Pelican can achieve a high attack detection performance while keeping a much low false alarm rate when compared with a set of up-to-date machine learning based designs.