Hide/Show Apps

A Deep reinforcement learning approach to network intrusion detection

Gülmez, Halim Görkem
Intrusion detection is one of the most important problems in today’s world. Every daynew attacks are being used in order to breach the security of systems and signature-based security systems fail to detect these zero-day attacks. An anomaly-basedintrusion detection system, particularly one that utilizes a machine learning approach,is needed to effectively handle these kinds of attacks. With the advancements in bigdata technologies, storing and handling data became easier, therefore big dataanalytics has become an indispensable tool for various tasks. In this thesis, we proposea framework for detecting intrusions in network systems using big data analytics inreal time. The framework is built on Apache Spark, which runs anomaly detectionalgorithms on streaming data after it has been trained offline with the normal behaviorof the system. Two different machine learning solutions have been implementedseparately for comparison: long short-term memory recurrent neural networks anddeep reinforcement learning. Reinforcement learning is built on state and action pairswith associated positive or negative awards. For the solution in this thesis, alerts onattacks and non-alerts on normal behavior are positively rewarded to train learningagents. Reinforcement learning is combined and improved with neural networks byusing them for Q-learning. A variety of intrusion detection datasets from the literatureare used for experimentation, including NSL-KDD, UNSW-NB15 and CICIDS2017. The deep reinforcement learning solution is emphasized as the better solution basedon the experiment results.