Training LSTM RNN models for network flow data classification for attack intention recognition systems

University essay from Högskolan i Skövde/Institutionen för informationsteknologi

Author: James Chilila Antoine; [2020]


Abstract: The classification of network attack data and the prediction of the next likely set of network traffic flows are of particular interest to the cyber security domain, as they form the basis for the timely response to cyber attacks as they progress. This work presents an overview of the main Attack Intention Recognition (AIR) approaches and techniques proposed over the last few years and proceeds to propose a system for classifying and distinguishing different types of network attacks using LSTM-RNN models. A set of LSTM-RNN models for detecting and distinguishing brute force, denial of service, ping scan, port scan, normal and suspicious network flow data were trained for application to a real-time AIR algorithm using the CIDDS-001 dataset. The selected models are good enough to be applied to the overall AIR algorithm. The Brute Force model gave 86% accuracy, DOS 71% accuracy, Ping Scan 93% accuracy, Port Scan 71% accuracy. The performance of the selected models is comparable to that of the models outlined in the literature review, and in a few cases they seem to perform better. This work highlights that single layer LSTM-RNNs with no more than 150 hidden units are able to accurately classify flows given only the first 5% of an attack. As the accuracy in this regard is greater than 70%, the selected models are good enough to be applied to the overall AIR algorithm. The report finally discusses suggestions for future work on developing the algorithm.
