Recurrent Neural Networks for Enhancement of Signature-based Network Intrusion Detection Systems
share
Security of information passing through the Internet is threatened by today's most advanced malware ranging from orchestrated botnets to much simpler polymorphic worms. These threads, as examples of zero-day attacks, are able to change their behavior several times at the early phases of their existence to bypass the network intrusion detection systems (NIDS). It is known that even well- designed, and frequently-updated signature-based NIDS cannot detect the zero-day treats due to the lack of an adequate signature database, adaptive to intelligent attacks on the Internet. On the other hand, applying traditional machine learning methods could not narrow this gap. More importantly, having an NIDS, it should be tested on malicious traffic dataset that not only represents known attacks, but also can to some extent reflect the characteristics of unknown, zero-day attacks. Generating such traffic is identified in the literature as one of the main obstacles for evaluating the effectiveness of NIDS. To address these issues, we apply Recurrent Neural Networks (RNNs) known as powerful tools in finding complex patterns and generating similar ones. In this regard, we first examine whether it is possible to generate new, unseen mutants of a polymorphic worm. Our results demonstrate that our synthetic mutants exhibit the same characteristics as the original mutants, i.e., known mutants fed into the RNN. Besides, we assess the ability of RNNs to generate synthetic signatures from the most advanced malware. We claim that by adding the RNN-generated, synthetic signatures to the set of the signatures of a signature-based NIDS it is possible to improve the malware detection rate of that. To support this and evaluate the feasibility of our approach, we conduct extensive experiments and provide exhaustive discussion on our experimental results.
READ FULL TEXT