Applying long short-term memory recurrent neural networks to intrusion detection

Abstract

We claim that modelling network trac as a time series with a supervised learning approach, using known genuine and malicious behaviour, improves intrusion detection. To substantiate this, we trained long short-term memory (LSTM) recurrent neural networks with the training data provided by the DARPA / KDD Cup ’99 challenge. To identify suitable LSTM-RNN network parameters and structure we experimented with various network topologies. We found networks with four memory blocks containing two cells each oer a good compromise between computational cost and detection performance. We applied forget gates and shortcut connections respectively. A learning rate of 0.1 and up to 1,000 epochs showed good results. We tested the performance on all features and on extracted minimal feature sets respectively. We evaluated dierent feature sets for the detection of all attacks within one network and also to train networks specialised on individual attack classes. Our results show that the LSTM classier provides superior performance in comparison to results previously published results of strong static classiers. With 93.82% accuracy and 22.13 cost, LSTM outperforms the winning entries of the KDD Cup ’99 challenge by far. This is due to the fact that LSTM learns to look back in time and correlate consecutive connection records. For the rst time ever, we have demonstrated the usefulness of LSTM networks to intrusion detection.